From 05cc2f510b9508bf32d29929ba3419650d115c8c Mon Sep 17 00:00:00 2001 From: David Anderson Date: Fri, 29 Oct 2021 13:43:19 -0700 Subject: [PATCH] types/key: new types for disco keys. Needed for #3206 to remove final uses of key.{Public,Private}. Signed-off-by: David Anderson --- types/key/disco.go | 170 ++++++++++++++++++++++++++++++++++++++++ types/key/disco_test.go | 80 +++++++++++++++++++ 2 files changed, 250 insertions(+) create mode 100644 types/key/disco.go create mode 100644 types/key/disco_test.go diff --git a/types/key/disco.go b/types/key/disco.go new file mode 100644 index 000000000..08d975922 --- /dev/null +++ b/types/key/disco.go @@ -0,0 +1,170 @@ +// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package key + +import ( + "crypto/subtle" + + "go4.org/mem" + "golang.org/x/crypto/curve25519" + "golang.org/x/crypto/nacl/box" + "tailscale.com/types/structs" +) + +const ( + // discoPublicHexPrefix is the prefix used to identify a + // hex-encoded disco public key. + // + // This prefix is used in the control protocol, so cannot be + // changed. + discoPublicHexPrefix = "discokey:" +) + +// DiscoPrivate is a disco key, used for peer-to-peer path discovery. +type DiscoPrivate struct { + _ structs.Incomparable // because == isn't constant-time + k [32]byte +} + +// NewDisco creates and returns a new disco private key. +func NewDisco() DiscoPrivate { + var ret DiscoPrivate + rand(ret.k[:]) + // Key used for nacl seal/open, so needs to be clamped. + clamp25519Private(ret.k[:]) + return ret +} + +// IsZero reports whether k is the zero value. +func (k DiscoPrivate) IsZero() bool { + return k.Equal(DiscoPrivate{}) +} + +// Equal reports whether k and other are the same key. +func (k DiscoPrivate) Equal(other DiscoPrivate) bool { + return subtle.ConstantTimeCompare(k.k[:], other.k[:]) == 1 +} + +// Public returns the DiscoPublic for k. +// Panics if DiscoPrivate is zero. +func (k DiscoPrivate) Public() DiscoPublic { + if k.IsZero() { + panic("can't take the public key of a zero DiscoPrivate") + } + var ret DiscoPublic + curve25519.ScalarBaseMult(&ret.k, &k.k) + return ret +} + +// Shared returns the DiscoShared for communication betweek k and p. +func (k DiscoPrivate) Shared(p DiscoPublic) DiscoShared { + if k.IsZero() || p.IsZero() { + panic("can't compute shared secret with zero keys") + } + var ret DiscoShared + box.Precompute(&ret.k, &p.k, &k.k) + return ret +} + +// DiscoPublic is the public portion of a DiscoPrivate. +type DiscoPublic struct { + k [32]byte +} + +// DiscoPublicFromRaw32 parses a 32-byte raw value as a DiscoPublic. +// +// This should be used only when deserializing a DiscoPublic from a +// binary protocol. +func DiscoPublicFromRaw32(raw mem.RO) DiscoPublic { + if raw.Len() != 32 { + panic("input has wrong size") + } + var ret DiscoPublic + raw.Copy(ret.k[:]) + return ret +} + +// IsZero reports whether k is the zero value. +func (k DiscoPublic) IsZero() bool { + return k == DiscoPublic{} +} + +// ShortString returns the Tailscale conventional debug representation +// of a public key: the first five base64 digits of the key, in square +// brackets. +func (k DiscoPublic) ShortString() string { + return debug32(k.k) +} + +// AppendTo appends k, serialized as a 32-byte binary value, to +// buf. Returns the new slice. +func (k DiscoPublic) AppendTo(buf []byte) []byte { + return append(buf, k.k[:]...) +} + +// RawLen returns the length of k when to the format handled by +// ReadRawWithoutAllocating and WriteRawWithoutAllocating. +func (k DiscoPublic) RawLen() int { + return 32 +} + +// String returns the output of MarshalText as a string. +func (k DiscoPublic) String() string { + bs, err := k.MarshalText() + if err != nil { + panic(err) + } + return string(bs) +} + +// MarshalText implements encoding.TextMarshaler. +func (k DiscoPublic) MarshalText() ([]byte, error) { + return toHex(k.k[:], discoPublicHexPrefix), nil +} + +// MarshalText implements encoding.TextUnmarshaler. +func (k *DiscoPublic) UnmarshalText(b []byte) error { + return parseHex(k.k[:], mem.B(b), mem.S(discoPublicHexPrefix)) +} + +type DiscoShared struct { + _ structs.Incomparable // because == isn't constant-time + k [32]byte +} + +// Equal reports whether k and other are the same key. +func (k DiscoShared) Equal(other DiscoShared) bool { + return subtle.ConstantTimeCompare(k.k[:], other.k[:]) == 1 +} + +func (k DiscoShared) IsZero() bool { + return k.Equal(DiscoShared{}) +} + +// Seal wraps cleartext into a NaCl box (see +// golang.org/x/crypto/nacl), using k as the shared secret and a +// random nonce. +func (k DiscoShared) Seal(cleartext []byte) (ciphertext []byte) { + if k.IsZero() { + panic("can't seal with zero key") + } + var nonce [24]byte + rand(nonce[:]) + return box.SealAfterPrecomputation(nonce[:], cleartext, &nonce, &k.k) +} + +// Open opens the NaCl box ciphertext, which must be a value created +// by Seal, and returns the inner cleartext if ciphertext is a valid +// box using shared secret k. +func (k DiscoShared) Open(ciphertext []byte) (cleartext []byte, ok bool) { + if k.IsZero() { + panic("can't open with zero key") + } + if len(ciphertext) < 24 { + return nil, false + } + nonce := (*[24]byte)(ciphertext) + return box.OpenAfterPrecomputation(nil, ciphertext[24:], nonce, &k.k) +} diff --git a/types/key/disco_test.go b/types/key/disco_test.go new file mode 100644 index 000000000..f328b6b92 --- /dev/null +++ b/types/key/disco_test.go @@ -0,0 +1,80 @@ +package key + +import ( + "bytes" + "encoding/json" + "testing" +) + +func TestDiscoKey(t *testing.T) { + k := NewDisco() + if k.IsZero() { + t.Fatal("DiscoPrivate should not be zero") + } + + p := k.Public() + if p.IsZero() { + t.Fatal("DiscoPublic should not be zero") + } + + bs, err := p.MarshalText() + if err != nil { + t.Fatal(err) + } + if !bytes.HasPrefix(bs, []byte("discokey:")) { + t.Fatalf("serialization of public discokey %s has wrong prefix", p) + } + + z := DiscoPublic{} + if !z.IsZero() { + t.Fatal("IsZero(DiscoPublic{}) is false") + } + if s := z.ShortString(); s != "" { + t.Fatalf("DiscoPublic{}.ShortString() is %q, want \"\"", s) + } +} + +func TestDiscoSerialization(t *testing.T) { + serialized := `{ + "Pub":"discokey:50d20b455ecf12bc453f83c2cfdb2a24925d06cf2598dcaa54e91af82ce9f765" + }` + + pub := DiscoPublic{ + k: [32]uint8{ + 0x50, 0xd2, 0xb, 0x45, 0x5e, 0xcf, 0x12, 0xbc, 0x45, 0x3f, 0x83, + 0xc2, 0xcf, 0xdb, 0x2a, 0x24, 0x92, 0x5d, 0x6, 0xcf, 0x25, 0x98, + 0xdc, 0xaa, 0x54, 0xe9, 0x1a, 0xf8, 0x2c, 0xe9, 0xf7, 0x65, + }, + } + + type key struct { + Pub DiscoPublic + } + + var a key + if err := json.Unmarshal([]byte(serialized), &a); err != nil { + t.Fatal(err) + } + if a.Pub != pub { + t.Errorf("wrong deserialization of public key, got %#v want %#v", a.Pub, pub) + } + + bs, err := json.MarshalIndent(a, "", " ") + if err != nil { + t.Fatal(err) + } + + var b bytes.Buffer + json.Indent(&b, []byte(serialized), "", " ") + if got, want := string(bs), b.String(); got != want { + t.Error("json serialization doesn't roundtrip") + } +} + +func TestDiscoShared(t *testing.T) { + k1, k2 := NewDisco(), NewDisco() + s1, s2 := k1.Shared(k2.Public()), k2.Shared(k1.Public()) + if !s1.Equal(s2) { + t.Error("k1.Shared(k2) != k2.Shared(k1)") + } +}