wgengine/magicsock: change API to not permit disco key changes

Generate the disco key ourselves and give out the public half instead.

Fixes #525

ipn/local.go

@@ -361,9 +361,7 @@ func (b *LocalBackend) Start(opts Options) error {
 
 	var discoPublic tailcfg.DiscoKey
 	if controlclient.Debug.Disco {
-		discoPrivate := key.NewPrivate()
+		discoPublic = b.e.DiscoPublicKey()
-		b.e.SetDiscoPrivateKey(discoPrivate)
-		discoPublic = tailcfg.DiscoKey(discoPrivate.Public())
 	}
 
 	var err error

wgengine/magicsock/magicsock.go

@@ -504,19 +504,18 @@ func (c *Conn) SetNetInfoCallback(fn func(*tailcfg.NetInfo)) {
 	}
 }
 
-// SetDiscoPrivateKey sets the discovery key.
+// DiscoPublicKey returns the discovery public key.
-func (c *Conn) SetDiscoPrivateKey(k key.Private) {
+func (c *Conn) DiscoPublicKey() tailcfg.DiscoKey {
 	c.mu.Lock()
 	defer c.mu.Unlock()
-	if !c.discoPrivate.IsZero() && c.discoPrivate != k {
+	if c.discoPrivate.IsZero() {
-		// TODO: support changing a key at runtime; need to
+		priv := key.NewPrivate()
-		// clear a bunch of maps at least
+		c.discoPrivate = priv
-		panic("unsupported")
+		c.discoPublic = tailcfg.DiscoKey(priv.Public())
-	}
+		c.discoShort = c.discoPublic.ShortString()
-	c.discoPrivate = k
+		c.logf("magicsock: disco key = %v", c.discoShort)
-	c.discoPublic = tailcfg.DiscoKey(k.Public())
+	}
-	c.discoShort = c.discoPublic.ShortString()
+	return c.discoPublic
-	c.logf("magicsock: set disco key = %v", c.discoShort)
 }
 
 // c.mu must NOT be held.

wgengine/magicsock/magicsock_test.go

@@ -855,12 +855,11 @@ func initAddrSet(as *AddrSet) {
 }
 
 func TestDiscoMessage(t *testing.T) {
-	peer1Priv := key.NewPrivate()
-	peer1Pub := peer1Priv.Public()
-
 	c := newConn()
 	c.logf = t.Logf
-	c.SetDiscoPrivateKey(key.NewPrivate())
+
+	peer1Pub := c.DiscoPublicKey()
+	peer1Priv := c.discoPrivate
 	c.endpointOfDisco = map[tailcfg.DiscoKey]*discoEndpoint{
 		tailcfg.DiscoKey(peer1Pub): &discoEndpoint{
 			// ...

wgengine/userspace.go

@@ -827,8 +827,8 @@ func (e *userspaceEngine) SetNetworkMap(nm *controlclient.NetworkMap) {
 	e.magicConn.SetNetworkMap(nm)
 }
 
-func (e *userspaceEngine) SetDiscoPrivateKey(k key.Private) {
+func (e *userspaceEngine) DiscoPublicKey() tailcfg.DiscoKey {
-	e.magicConn.SetDiscoPrivateKey(k)
+	return e.magicConn.DiscoPublicKey()
 }
 
 func (e *userspaceEngine) UpdateStatus(sb *ipnstate.StatusBuilder) {

wgengine/watchdog.go

@@ -14,7 +14,6 @@ import (
 	"tailscale.com/control/controlclient"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
-	"tailscale.com/types/key"
 	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/router"
 	"tailscale.com/wgengine/tsdns"
@@ -101,8 +100,9 @@ func (e *watchdogEngine) SetDERPMap(m *tailcfg.DERPMap) {
 func (e *watchdogEngine) SetNetworkMap(nm *controlclient.NetworkMap) {
 	e.watchdog("SetNetworkMap", func() { e.wrap.SetNetworkMap(nm) })
 }
-func (e *watchdogEngine) SetDiscoPrivateKey(k key.Private) {
+func (e *watchdogEngine) DiscoPublicKey() (k tailcfg.DiscoKey) {
-	e.watchdog("SetDiscoPrivateKey", func() { e.wrap.SetDiscoPrivateKey(k) })
+	e.watchdog("DiscoPublicKey", func() { k = e.wrap.DiscoPublicKey() })
+	return k
 }
 func (e *watchdogEngine) Close() {
 	e.watchdog("Close", e.wrap.Close)

wgengine/wgengine.go

@@ -12,7 +12,6 @@ import (
 	"tailscale.com/control/controlclient"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
-	"tailscale.com/types/key"
 	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/router"
 	"tailscale.com/wgengine/tsdns"
@@ -117,9 +116,9 @@ type Engine interface {
 	// new NetInfo summary is available.
 	SetNetInfoCallback(NetInfoCallback)
 
-	// SetDiscoPrivateKey sets the private key used for path discovery
+	// DiscoPublicKey gets the public key used for path discovery
 	// messages.
-	SetDiscoPrivateKey(key.Private)
+	DiscoPublicKey() tailcfg.DiscoKey
 
 	// UpdateStatus populates the network state using the provided
 	// status builder.