archive
/
tailscale
mirror of https://github.com/tailscale/tailscale/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

wgengine/wgcfg: convert to use new node key type.

Browse Source 
Updates #3206

Signed-off-by: David Anderson <danderson@tailscale.com>
pull/3204/head
David Anderson 3 years ago committed by Dave Anderson
parent a47158e14d
commit a9c78910bd
16 changed files with 127 additions and 137 deletions
Show Stats Download Patch File Download Diff File

13
types/key/node.go
Unescape Escape View File

@ -54,6 +54,19 @@ func NewNode() NodePrivate {
return ret return ret
} }
// NodePrivateFromRaw32 parses a 32-byte raw value as a NodePrivate.
//
// Deprecated: only needed to cast from legacy node private key types,
// do not add more uses unrelated to #3206.
func NodePrivateFromRaw32(raw mem.RO) NodePrivate {
if raw.Len() != 32 {
panic("input has wrong size")
}
var ret NodePrivate
raw.Copy(ret.k[:])
return ret
}
func ParseNodePrivateUntyped(raw mem.RO) (NodePrivate, error) { func ParseNodePrivateUntyped(raw mem.RO) (NodePrivate, error) {
var ret NodePrivate var ret NodePrivate
if err := parseHex(ret.k[:], raw, mem.B(nil)); err != nil { if err := parseHex(ret.k[:], raw, mem.B(nil)); err != nil {

4
util/deephash/deephash_test.go
Unescape Escape View File

@ -19,7 +19,7 @@ import (
"tailscale.com/tailcfg" "tailscale.com/tailcfg"
"tailscale.com/types/dnstype" "tailscale.com/types/dnstype"
"tailscale.com/types/ipproto" "tailscale.com/types/ipproto"
"tailscale.com/types/wgkey" "tailscale.com/types/key"
"tailscale.com/util/dnsname" "tailscale.com/util/dnsname"
"tailscale.com/version" "tailscale.com/version"
"tailscale.com/wgengine/filter" "tailscale.com/wgengine/filter"
@ -138,7 +138,7 @@ func getVal() []interface{} {
Addresses: []netaddr.IPPrefix{netaddr.IPPrefixFrom(netaddr.IPFrom16([16]byte{3: 3}), 5)}, Addresses: []netaddr.IPPrefix{netaddr.IPPrefixFrom(netaddr.IPFrom16([16]byte{3: 3}), 5)},
Peers: []wgcfg.Peer{ Peers: []wgcfg.Peer{
{ {
PublicKey: wgkey.Key{}, PublicKey: key.NodePublic{},
}, },
}, },
}, },

20
wgengine/bench/wg.go
Unescape Escape View File

@ -17,9 +17,9 @@ import (
"tailscale.com/net/dns" "tailscale.com/net/dns"
"tailscale.com/tailcfg" "tailscale.com/tailcfg"
"tailscale.com/types/key"
"tailscale.com/types/logger" "tailscale.com/types/logger"
"tailscale.com/types/netmap" "tailscale.com/types/netmap"
"tailscale.com/types/wgkey"
"tailscale.com/wgengine" "tailscale.com/wgengine"
"tailscale.com/wgengine/filter" "tailscale.com/wgengine/filter"
"tailscale.com/wgengine/router" "tailscale.com/wgengine/router"
@ -28,10 +28,7 @@ import (
func setupWGTest(b *testing.B, logf logger.Logf, traf *TrafficGen, a1, a2 netaddr.IPPrefix) { func setupWGTest(b *testing.B, logf logger.Logf, traf *TrafficGen, a1, a2 netaddr.IPPrefix) {
l1 := logger.WithPrefix(logf, "e1: ") l1 := logger.WithPrefix(logf, "e1: ")
k1, err := wgkey.NewPrivate() k1 := key.NewNode()
if err != nil {
log.Fatalf("e1 NewPrivateKey: %v", err)
}
c1 := wgcfg.Config{ c1 := wgcfg.Config{
Name: "e1", Name: "e1",
@ -56,10 +53,7 @@ func setupWGTest(b *testing.B, logf logger.Logf, traf *TrafficGen, a1, a2 netadd
} }
l2 := logger.WithPrefix(logf, "e2: ") l2 := logger.WithPrefix(logf, "e2: ")
k2, err := wgkey.NewPrivate() k2 := key.NewNode()
if err != nil {
log.Fatalf("e2 NewPrivateKey: %v", err)
}
c2 := wgcfg.Config{ c2 := wgcfg.Config{
Name: "e2", Name: "e2",
PrivateKey: k2, PrivateKey: k2,
@ -111,8 +105,8 @@ func setupWGTest(b *testing.B, logf logger.Logf, traf *TrafficGen, a1, a2 netadd
Endpoints: eps, Endpoints: eps,
} }
e2.SetNetworkMap(&netmap.NetworkMap{ e2.SetNetworkMap(&netmap.NetworkMap{
NodeKey: tailcfg.NodeKey(k2), NodeKey: tailcfg.NodeKeyFromNodePublic(k2.Public()),
PrivateKey: wgkey.Private(k2), PrivateKey: k2.AsWGPrivate(),
Peers: []*tailcfg.Node{&n}, Peers: []*tailcfg.Node{&n},
}) })
@ -148,8 +142,8 @@ func setupWGTest(b *testing.B, logf logger.Logf, traf *TrafficGen, a1, a2 netadd
Endpoints: eps, Endpoints: eps,
} }
e1.SetNetworkMap(&netmap.NetworkMap{ e1.SetNetworkMap(&netmap.NetworkMap{
NodeKey: tailcfg.NodeKey(k1), NodeKey: tailcfg.NodeKeyFromNodePublic(k1.Public()),
PrivateKey: wgkey.Private(k1), PrivateKey: k1.AsWGPrivate(),
Peers: []*tailcfg.Node{&n}, Peers: []*tailcfg.Node{&n},
}) })

9
wgengine/magicsock/magicsock_test.go
Unescape Escape View File

@ -24,6 +24,7 @@ import (
"time" "time"
"unsafe" "unsafe"
"go4.org/mem"
"golang.org/x/crypto/nacl/box" "golang.org/x/crypto/nacl/box"
"golang.zx2c4.com/wireguard/device" "golang.zx2c4.com/wireguard/device"
"golang.zx2c4.com/wireguard/tun/tuntest" "golang.zx2c4.com/wireguard/tun/tuntest"
@ -1017,11 +1018,11 @@ func testTwoDevicePing(t *testing.T, d *devices) {
m1cfg := &wgcfg.Config{ m1cfg := &wgcfg.Config{
Name: "peer1", Name: "peer1",
PrivateKey: m1.privateKey, PrivateKey: key.NodePrivateFromRaw32(mem.B(m1.privateKey[:])),
Addresses: []netaddr.IPPrefix{netaddr.MustParseIPPrefix("1.0.0.1/32")}, Addresses: []netaddr.IPPrefix{netaddr.MustParseIPPrefix("1.0.0.1/32")},
Peers: []wgcfg.Peer{ Peers: []wgcfg.Peer{
wgcfg.Peer{ wgcfg.Peer{
PublicKey: m2.privateKey.Public(), PublicKey: key.NodePrivateFromRaw32(mem.B(m2.privateKey[:])).Public(),
DiscoKey: m2.conn.DiscoPublicKey(), DiscoKey: m2.conn.DiscoPublicKey(),
AllowedIPs: []netaddr.IPPrefix{netaddr.MustParseIPPrefix("1.0.0.2/32")}, AllowedIPs: []netaddr.IPPrefix{netaddr.MustParseIPPrefix("1.0.0.2/32")},
}, },
@ -1029,11 +1030,11 @@ func testTwoDevicePing(t *testing.T, d *devices) {
} }
m2cfg := &wgcfg.Config{ m2cfg := &wgcfg.Config{
Name: "peer2", Name: "peer2",
PrivateKey: m2.privateKey, PrivateKey: key.NodePrivateFromRaw32(mem.B(m2.privateKey[:])),
Addresses: []netaddr.IPPrefix{netaddr.MustParseIPPrefix("1.0.0.2/32")}, Addresses: []netaddr.IPPrefix{netaddr.MustParseIPPrefix("1.0.0.2/32")},
Peers: []wgcfg.Peer{ Peers: []wgcfg.Peer{
wgcfg.Peer{ wgcfg.Peer{
PublicKey: m1.privateKey.Public(), PublicKey: key.NodePrivateFromRaw32(mem.B(m1.privateKey[:])).Public(),
DiscoKey: m1.conn.DiscoPublicKey(), DiscoKey: m1.conn.DiscoPublicKey(),
AllowedIPs: []netaddr.IPPrefix{netaddr.MustParseIPPrefix("1.0.0.1/32")}, AllowedIPs: []netaddr.IPPrefix{netaddr.MustParseIPPrefix("1.0.0.1/32")},
}, },

36
wgengine/userspace.go
Unescape Escape View File

@ -42,7 +42,6 @@ import (
"tailscale.com/types/key" "tailscale.com/types/key"
"tailscale.com/types/logger" "tailscale.com/types/logger"
"tailscale.com/types/netmap" "tailscale.com/types/netmap"
"tailscale.com/types/wgkey"
"tailscale.com/util/deephash" "tailscale.com/util/deephash"
"tailscale.com/version" "tailscale.com/version"
"tailscale.com/wgengine/filter" "tailscale.com/wgengine/filter"
@ -128,7 +127,7 @@ type userspaceEngine struct {
netMap *netmap.NetworkMap // or nil netMap *netmap.NetworkMap // or nil
closing bool // Close was called (even if we're still closing) closing bool // Close was called (even if we're still closing)
statusCallback StatusCallback statusCallback StatusCallback
peerSequence []wgkey.Key peerSequence []tailcfg.NodeKey
endpoints []tailcfg.Endpoint endpoints []tailcfg.Endpoint
pendOpen map[flowtrack.Tuple]*pendingOpenFlow // see pendopen.go pendOpen map[flowtrack.Tuple]*pendingOpenFlow // see pendopen.go
networkMapCallbacks map[*someHandle]NetworkMapCallback networkMapCallbacks map[*someHandle]NetworkMapCallback
@ -648,27 +647,28 @@ func (e *userspaceEngine) maybeReconfigWireguardLocked(discoChanged map[tailcfg.
needRemoveStep := false needRemoveStep := false
for i := range full.Peers { for i := range full.Peers {
p := &full.Peers[i] p := &full.Peers[i]
nk := tailcfg.NodeKey(p.PublicKey) nk := p.PublicKey
tnk := tailcfg.NodeKeyFromNodePublic(nk)
if !isTrimmablePeer(p, len(full.Peers)) { if !isTrimmablePeer(p, len(full.Peers)) {
min.Peers = append(min.Peers, *p) min.Peers = append(min.Peers, *p)
if discoChanged[nk] { if discoChanged[tnk] {
needRemoveStep = true needRemoveStep = true
} }
continue continue
} }
trackNodes = append(trackNodes, nk) trackNodes = append(trackNodes, tnk)
recentlyActive := false recentlyActive := false
for _, cidr := range p.AllowedIPs { for _, cidr := range p.AllowedIPs {
trackIPs = append(trackIPs, cidr.IP()) trackIPs = append(trackIPs, cidr.IP())
recentlyActive = recentlyActive || e.isActiveSinceLocked(nk, cidr.IP(), activeCutoff) recentlyActive = recentlyActive || e.isActiveSinceLocked(tnk, cidr.IP(), activeCutoff)
} }
if recentlyActive { if recentlyActive {
min.Peers = append(min.Peers, *p) min.Peers = append(min.Peers, *p)
if discoChanged[tailcfg.NodeKey(p.PublicKey)] { if discoChanged[tnk] {
needRemoveStep = true needRemoveStep = true
} }
} else { } else {
trimmedNodes[tailcfg.NodeKey(p.PublicKey)] = true trimmedNodes[tnk] = true
} }
} }
e.lastNMinPeers = len(min.Peers) e.lastNMinPeers = len(min.Peers)
@ -687,7 +687,7 @@ func (e *userspaceEngine) maybeReconfigWireguardLocked(discoChanged map[tailcfg.
minner.Peers = nil minner.Peers = nil
numRemove := 0 numRemove := 0
for _, p := range min.Peers { for _, p := range min.Peers {
if discoChanged[tailcfg.NodeKey(p.PublicKey)] { if discoChanged[tailcfg.NodeKeyFromNodePublic(p.PublicKey)] {
numRemove++ numRemove++
continue continue
} }
@ -807,8 +807,8 @@ func (e *userspaceEngine) Reconfig(cfg *wgcfg.Config, routerCfg *router.Config,
e.mu.Lock() e.mu.Lock()
e.peerSequence = e.peerSequence[:0] e.peerSequence = e.peerSequence[:0]
for _, p := range cfg.Peers { for _, p := range cfg.Peers {
e.peerSequence = append(e.peerSequence, wgkey.Key(p.PublicKey)) e.peerSequence = append(e.peerSequence, tailcfg.NodeKeyFromNodePublic(p.PublicKey))
peerSet[key.Public(p.PublicKey)] = struct{}{} peerSet[p.PublicKey.AsPublic()] = struct{}{}
} }
e.mu.Unlock() e.mu.Unlock()
@ -845,7 +845,7 @@ func (e *userspaceEngine) Reconfig(cfg *wgcfg.Config, routerCfg *router.Config,
prevEP := make(map[tailcfg.NodeKey]tailcfg.DiscoKey) prevEP := make(map[tailcfg.NodeKey]tailcfg.DiscoKey)
for i := range e.lastCfgFull.Peers { for i := range e.lastCfgFull.Peers {
if p := &e.lastCfgFull.Peers[i]; !p.DiscoKey.IsZero() { if p := &e.lastCfgFull.Peers[i]; !p.DiscoKey.IsZero() {
prevEP[tailcfg.NodeKey(p.PublicKey)] = p.DiscoKey prevEP[tailcfg.NodeKeyFromNodePublic(p.PublicKey)] = p.DiscoKey
} }
} }
for i := range cfg.Peers { for i := range cfg.Peers {
@ -853,7 +853,7 @@ func (e *userspaceEngine) Reconfig(cfg *wgcfg.Config, routerCfg *router.Config,
if p.DiscoKey.IsZero() { if p.DiscoKey.IsZero() {
continue continue
} }
pub := tailcfg.NodeKey(p.PublicKey) pub := tailcfg.NodeKeyFromNodePublic(p.PublicKey)
if old, ok := prevEP[pub]; ok && old != p.DiscoKey { if old, ok := prevEP[pub]; ok && old != p.DiscoKey {
discoChanged[pub] = true discoChanged[pub] = true
e.logf("wgengine: Reconfig: %s changed from %q to %q", pub.ShortString(), old, p.DiscoKey) e.logf("wgengine: Reconfig: %s changed from %q to %q", pub.ShortString(), old, p.DiscoKey)
@ -867,7 +867,7 @@ func (e *userspaceEngine) Reconfig(cfg *wgcfg.Config, routerCfg *router.Config,
// (which is needed by DERP) before wgdev gets it, as wgdev // (which is needed by DERP) before wgdev gets it, as wgdev
// will start trying to handshake, which we want to be able to // will start trying to handshake, which we want to be able to
// go over DERP. // go over DERP.
if err := e.magicConn.SetPrivateKey(wgkey.Private(cfg.PrivateKey)); err != nil { if err := e.magicConn.SetPrivateKey(cfg.PrivateKey.AsWGPrivate()); err != nil {
e.logf("wgengine: Reconfig: SetPrivateKey: %v", err) e.logf("wgengine: Reconfig: SetPrivateKey: %v", err)
} }
e.magicConn.UpdatePeers(peerSet) e.magicConn.UpdatePeers(peerSet)
@ -978,7 +978,7 @@ func (e *userspaceEngine) getStatus() (*Status, error) {
errc <- err errc <- err
}() }()
pp := make(map[wgkey.Key]ipnstate.PeerStatusLite) pp := make(map[tailcfg.NodeKey]ipnstate.PeerStatusLite)
var p ipnstate.PeerStatusLite var p ipnstate.PeerStatusLite
var hst1, hst2, n int64 var hst1, hst2, n int64
@ -1012,7 +1012,7 @@ func (e *userspaceEngine) getStatus() (*Status, error) {
return nil, fmt.Errorf("IpcGetOperation: invalid key in line %q", line) return nil, fmt.Errorf("IpcGetOperation: invalid key in line %q", line)
} }
if !p.NodeKey.IsZero() { if !p.NodeKey.IsZero() {
pp[wgkey.Key(p.NodeKey)] = p pp[p.NodeKey] = p
} }
p = ipnstate.PeerStatusLite{NodeKey: tailcfg.NodeKey(pk)} p = ipnstate.PeerStatusLite{NodeKey: tailcfg.NodeKey(pk)}
case "rx_bytes": case "rx_bytes":
@ -1043,7 +1043,7 @@ func (e *userspaceEngine) getStatus() (*Status, error) {
} }
} }
if !p.NodeKey.IsZero() { if !p.NodeKey.IsZero() {
pp[wgkey.Key(p.NodeKey)] = p pp[p.NodeKey] = p
} }
if err := <-errc; err != nil { if err := <-errc; err != nil {
return nil, fmt.Errorf("IpcGetOperation: %v", err) return nil, fmt.Errorf("IpcGetOperation: %v", err)
@ -1464,7 +1464,7 @@ func (e *userspaceEngine) peerForIP(ip netaddr.IP) (n *tailcfg.Node, isSelf bool
} }
if best.IsZero() || cidr.Bits() > best.Bits() { if best.IsZero() || cidr.Bits() > best.Bits() {
best = cidr best = cidr
bestKey = tailcfg.NodeKey(p.PublicKey) bestKey = tailcfg.NodeKeyFromNodePublic(p.PublicKey)
} }
} }
} }

14
wgengine/userspace_test.go
Unescape Escape View File

@ -18,7 +18,6 @@ import (
"tailscale.com/tstime/mono" "tailscale.com/tstime/mono"
"tailscale.com/types/key" "tailscale.com/types/key"
"tailscale.com/types/netmap" "tailscale.com/types/netmap"
"tailscale.com/types/wgkey"
"tailscale.com/wgengine/router" "tailscale.com/wgengine/router"
"tailscale.com/wgengine/wgcfg" "tailscale.com/wgengine/wgcfg"
) )
@ -105,10 +104,14 @@ func TestUserspaceEngineReconfig(t *testing.T) {
}, },
}, },
} }
nk, err := key.ParseNodePublicUntyped(mem.S(nodeHex))
if err != nil {
t.Fatal(err)
}
cfg := &wgcfg.Config{ cfg := &wgcfg.Config{
Peers: []wgcfg.Peer{ Peers: []wgcfg.Peer{
{ {
PublicKey: wgkey.Key(nkFromHex(nodeHex)), PublicKey: nk,
AllowedIPs: []netaddr.IPPrefix{ AllowedIPs: []netaddr.IPPrefix{
netaddr.IPPrefixFrom(netaddr.IPv4(100, 100, 99, 1), 32), netaddr.IPPrefixFrom(netaddr.IPv4(100, 100, 99, 1), 32),
}, },
@ -161,11 +164,14 @@ func TestUserspaceEnginePortReconfig(t *testing.T) {
t.Cleanup(ue.Close) t.Cleanup(ue.Close)
startingPort := ue.magicConn.LocalPort() startingPort := ue.magicConn.LocalPort()
nodeKey := nkFromHex("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") nodeKey, err := key.ParseNodePublicUntyped(mem.S("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"))
if err != nil {
t.Fatal(err)
}
cfg := &wgcfg.Config{ cfg := &wgcfg.Config{
Peers: []wgcfg.Peer{ Peers: []wgcfg.Peer{
{ {
PublicKey: wgkey.Key(nodeKey), PublicKey: nodeKey,
AllowedIPs: []netaddr.IPPrefix{ AllowedIPs: []netaddr.IPPrefix{
netaddr.IPPrefixFrom(netaddr.IPv4(100, 100, 99, 1), 32), netaddr.IPPrefixFrom(netaddr.IPv4(100, 100, 99, 1), 32),
}, },

6
wgengine/wgcfg/clone.go
Unescape Escape View File

@ -10,7 +10,7 @@ package wgcfg
import ( import (
"inet.af/netaddr" "inet.af/netaddr"
"tailscale.com/tailcfg" "tailscale.com/tailcfg"
"tailscale.com/types/wgkey" "tailscale.com/types/key"
) )
// Clone makes a deep copy of Config. // Clone makes a deep copy of Config.
@ -33,7 +33,7 @@ func (src *Config) Clone() *Config {
// A compilation failure here means this code must be regenerated, with the command at the top of this file. // A compilation failure here means this code must be regenerated, with the command at the top of this file.
var _ConfigCloneNeedsRegeneration = Config(struct { var _ConfigCloneNeedsRegeneration = Config(struct {
Name string Name string
PrivateKey wgkey.Private PrivateKey key.NodePrivate
Addresses []netaddr.IPPrefix Addresses []netaddr.IPPrefix
MTU uint16 MTU uint16
DNS []netaddr.IP DNS []netaddr.IP
@ -54,7 +54,7 @@ func (src *Peer) Clone() *Peer {
// A compilation failure here means this code must be regenerated, with the command at the top of this file. // A compilation failure here means this code must be regenerated, with the command at the top of this file.
var _PeerCloneNeedsRegeneration = Peer(struct { var _PeerCloneNeedsRegeneration = Peer(struct {
PublicKey wgkey.Key PublicKey key.NodePublic
DiscoKey tailcfg.DiscoKey DiscoKey tailcfg.DiscoKey
AllowedIPs []netaddr.IPPrefix AllowedIPs []netaddr.IPPrefix
PersistentKeepalive uint16 PersistentKeepalive uint16

8
wgengine/wgcfg/config.go
Unescape Escape View File

@ -8,7 +8,7 @@ package wgcfg
import ( import (
"inet.af/netaddr" "inet.af/netaddr"
"tailscale.com/tailcfg" "tailscale.com/tailcfg"
"tailscale.com/types/wgkey" "tailscale.com/types/key"
) )
//go:generate go run tailscale.com/cmd/cloner -type=Config,Peer -output=clone.go //go:generate go run tailscale.com/cmd/cloner -type=Config,Peer -output=clone.go
@ -17,7 +17,7 @@ import (
// It only supports the set of things Tailscale uses. // It only supports the set of things Tailscale uses.
type Config struct { type Config struct {
Name string Name string
PrivateKey wgkey.Private PrivateKey key.NodePrivate
Addresses []netaddr.IPPrefix Addresses []netaddr.IPPrefix
MTU uint16 MTU uint16
DNS []netaddr.IP DNS []netaddr.IP
@ -25,14 +25,14 @@ type Config struct {
} }
type Peer struct { type Peer struct {
PublicKey wgkey.Key PublicKey key.NodePublic
DiscoKey tailcfg.DiscoKey // present only so we can handle restarts within wgengine, not passed to WireGuard DiscoKey tailcfg.DiscoKey // present only so we can handle restarts within wgengine, not passed to WireGuard
AllowedIPs []netaddr.IPPrefix AllowedIPs []netaddr.IPPrefix
PersistentKeepalive uint16 PersistentKeepalive uint16
} }
// PeerWithKey returns the Peer with key k and reports whether it was found. // PeerWithKey returns the Peer with key k and reports whether it was found.
func (config Config) PeerWithKey(k wgkey.Key) (Peer, bool) { func (config Config) PeerWithKey(k key.NodePublic) (Peer, bool) {
for _, p := range config.Peers { for _, p := range config.Peers {
if p.PublicKey == k { if p.PublicKey == k {
return p, true return p, true

2
wgengine/wgcfg/device.go
Unescape Escape View File

@ -29,7 +29,7 @@ func DeviceConfig(d *device.Device) (*Config, error) {
return nil, err return nil, err
} }
sort.Slice(cfg.Peers, func(i, j int) bool { sort.Slice(cfg.Peers, func(i, j int) bool {
return cfg.Peers[i].PublicKey.LessThan(&cfg.Peers[j].PublicKey) return cfg.Peers[i].PublicKey.Less(cfg.Peers[j].PublicKey)
}) })
return cfg, nil return cfg, nil
} }

23
wgengine/wgcfg/device_test.go
Unescape Escape View File

@ -20,29 +20,26 @@ import (
"golang.zx2c4.com/wireguard/tun" "golang.zx2c4.com/wireguard/tun"
"inet.af/netaddr" "inet.af/netaddr"
"tailscale.com/tailcfg" "tailscale.com/tailcfg"
"tailscale.com/types/wgkey" "tailscale.com/types/key"
) )
func TestDeviceConfig(t *testing.T) { func TestDeviceConfig(t *testing.T) {
newPrivateKey := func() (wgkey.Key, wgkey.Private) { newK := func() (key.NodePublic, key.NodePrivate) {
t.Helper() t.Helper()
pk, err := wgkey.NewPrivate() k := key.NewNode()
if err != nil { return k.Public(), k
t.Fatal(err)
}
return wgkey.Key(pk.Public()), wgkey.Private(pk)
} }
k1, pk1 := newPrivateKey() k1, pk1 := newK()
ip1 := netaddr.MustParseIPPrefix("10.0.0.1/32") ip1 := netaddr.MustParseIPPrefix("10.0.0.1/32")
k2, pk2 := newPrivateKey() k2, pk2 := newK()
ip2 := netaddr.MustParseIPPrefix("10.0.0.2/32") ip2 := netaddr.MustParseIPPrefix("10.0.0.2/32")
k3, _ := newPrivateKey() k3, _ := newK()
ip3 := netaddr.MustParseIPPrefix("10.0.0.3/32") ip3 := netaddr.MustParseIPPrefix("10.0.0.3/32")
cfg1 := &Config{ cfg1 := &Config{
PrivateKey: wgkey.Private(pk1), PrivateKey: pk1,
Peers: []Peer{{ Peers: []Peer{{
PublicKey: k2, PublicKey: k2,
AllowedIPs: []netaddr.IPPrefix{ip2}, AllowedIPs: []netaddr.IPPrefix{ip2},
@ -50,7 +47,7 @@ func TestDeviceConfig(t *testing.T) {
} }
cfg2 := &Config{ cfg2 := &Config{
PrivateKey: wgkey.Private(pk2), PrivateKey: pk2,
Peers: []Peer{{ Peers: []Peer{{
PublicKey: k1, PublicKey: k1,
AllowedIPs: []netaddr.IPPrefix{ip1}, AllowedIPs: []netaddr.IPPrefix{ip1},
@ -149,7 +146,7 @@ func TestDeviceConfig(t *testing.T) {
AllowedIPs: []netaddr.IPPrefix{ip3}, AllowedIPs: []netaddr.IPPrefix{ip3},
}) })
sort.Slice(cfg1.Peers, func(i, j int) bool { sort.Slice(cfg1.Peers, func(i, j int) bool {
return cfg1.Peers[i].PublicKey.LessThan(&cfg1.Peers[j].PublicKey) return cfg1.Peers[i].PublicKey.Less(cfg1.Peers[j].PublicKey)
}) })
origCfg, err := DeviceConfig(device1) origCfg, err := DeviceConfig(device1)

7
wgengine/wgcfg/nmcfg/nmcfg.go
Unescape Escape View File

@ -10,12 +10,13 @@ import (
"fmt" "fmt"
"strings" "strings"
"go4.org/mem"
"inet.af/netaddr" "inet.af/netaddr"
"tailscale.com/net/tsaddr" "tailscale.com/net/tsaddr"
"tailscale.com/tailcfg" "tailscale.com/tailcfg"
"tailscale.com/types/key"
"tailscale.com/types/logger" "tailscale.com/types/logger"
"tailscale.com/types/netmap" "tailscale.com/types/netmap"
"tailscale.com/types/wgkey"
"tailscale.com/wgengine/wgcfg" "tailscale.com/wgengine/wgcfg"
) )
@ -54,7 +55,7 @@ func cidrIsSubnet(node *tailcfg.Node, cidr netaddr.IPPrefix) bool {
func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags, exitNode tailcfg.StableNodeID) (*wgcfg.Config, error) { func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags, exitNode tailcfg.StableNodeID) (*wgcfg.Config, error) {
cfg := &wgcfg.Config{ cfg := &wgcfg.Config{
Name: "tailscale", Name: "tailscale",
PrivateKey: wgkey.Private(nm.PrivateKey), PrivateKey: key.NodePrivateFromRaw32(mem.B(nm.PrivateKey[:])),
Addresses: nm.Addresses, Addresses: nm.Addresses,
Peers: make([]wgcfg.Peer, 0, len(nm.Peers)), Peers: make([]wgcfg.Peer, 0, len(nm.Peers)),
} }
@ -72,7 +73,7 @@ func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags,
continue continue
} }
cfg.Peers = append(cfg.Peers, wgcfg.Peer{ cfg.Peers = append(cfg.Peers, wgcfg.Peer{
PublicKey: wgkey.Key(peer.Key), PublicKey: key.NodePublicFromRaw32(mem.B(peer.Key[:])),
DiscoKey: peer.DiscoKey, DiscoKey: peer.DiscoKey,
}) })
cpeer := &cfg.Peers[len(cfg.Peers)-1] cpeer := &cfg.Peers[len(cfg.Peers)-1]

54
wgengine/wgcfg/parser.go
Unescape Escape View File

@ -15,6 +15,7 @@ import (
"go4.org/mem" "go4.org/mem"
"inet.af/netaddr" "inet.af/netaddr"
"tailscale.com/types/key"
"tailscale.com/types/wgkey" "tailscale.com/types/wgkey"
) )
@ -128,71 +129,70 @@ func parseKeyHex(s []byte, dst []byte) error {
return nil return nil
} }
func (cfg *Config) handleDeviceLine(key, value mem.RO, valueBytes []byte) error { func (cfg *Config) handleDeviceLine(k, value mem.RO, valueBytes []byte) error {
switch { switch {
case key.EqualString("private_key"): case k.EqualString("private_key"):
// wireguard-go guarantees not to send zero value; private keys are already clamped. // wireguard-go guarantees not to send zero value; private keys are already clamped.
if err := parseKeyHex(valueBytes, cfg.PrivateKey[:]); err != nil { var err error
cfg.PrivateKey, err = key.ParseNodePrivateUntyped(value)
if err != nil {
return err return err
} }
case key.EqualString("listen_port") || key.EqualString("fwmark"): case k.EqualString("listen_port") || k.EqualString("fwmark"):
// ignore // ignore
default: default:
return fmt.Errorf("unexpected IpcGetOperation key: %q", key.StringCopy()) return fmt.Errorf("unexpected IpcGetOperation key: %q", k.StringCopy())
} }
return nil return nil
} }
func (cfg *Config) handlePublicKeyLine(valueBytes []byte) (*Peer, error) { func (cfg *Config) handlePublicKeyLine(valueBytes []byte) (*Peer, error) {
p := Peer{} p := Peer{}
if err := parseKeyHex(valueBytes, p.PublicKey[:]); err != nil { var err error
p.PublicKey, err = key.ParseNodePublicUntyped(mem.B(valueBytes))
if err != nil {
return nil, err return nil, err
} }
cfg.Peers = append(cfg.Peers, p) cfg.Peers = append(cfg.Peers, p)
return &cfg.Peers[len(cfg.Peers)-1], nil return &cfg.Peers[len(cfg.Peers)-1], nil
} }
func (cfg *Config) handlePeerLine(peer *Peer, key, value mem.RO, valueBytes []byte) error { func (cfg *Config) handlePeerLine(peer *Peer, k, value mem.RO, valueBytes []byte) error {
switch { switch {
case key.EqualString("endpoint"): case k.EqualString("endpoint"):
// TODO: our key types are all over the place, and this nk, err := key.ParseNodePublicUntyped(value)
// particular one can't parse a mem.RO or a []byte without
// allocating. We don't reconfigure wireguard often though, so
// this is okay.
s := value.StringCopy()
k, err := wgkey.ParseHex(s)
if err != nil { if err != nil {
return fmt.Errorf("invalid endpoint %q for peer %q, expected a hex public key", s, peer.PublicKey.ShortString()) return fmt.Errorf("invalid endpoint %q for peer %q, expected a hex public key", value.StringCopy(), peer.PublicKey.ShortString())
} }
if k != peer.PublicKey { if nk != peer.PublicKey {
return fmt.Errorf("unexpected endpoint %q for peer %q, expected the peer's public key", s, peer.PublicKey.ShortString()) return fmt.Errorf("unexpected endpoint %q for peer %q, expected the peer's public key", value.StringCopy(), peer.PublicKey.ShortString())
} }
case key.EqualString("persistent_keepalive_interval"): case k.EqualString("persistent_keepalive_interval"):
n, err := mem.ParseUint(value, 10, 16) n, err := mem.ParseUint(value, 10, 16)
if err != nil { if err != nil {
return err return err
} }
peer.PersistentKeepalive = uint16(n) peer.PersistentKeepalive = uint16(n)
case key.EqualString("allowed_ip"): case k.EqualString("allowed_ip"):
ipp := netaddr.IPPrefix{} ipp := netaddr.IPPrefix{}
err := ipp.UnmarshalText(valueBytes) err := ipp.UnmarshalText(valueBytes)
if err != nil { if err != nil {
return err return err
} }
peer.AllowedIPs = append(peer.AllowedIPs, ipp) peer.AllowedIPs = append(peer.AllowedIPs, ipp)
case key.EqualString("protocol_version"): case k.EqualString("protocol_version"):
if !value.EqualString("1") { if !value.EqualString("1") {
return fmt.Errorf("invalid protocol version: %q", value.StringCopy()) return fmt.Errorf("invalid protocol version: %q", value.StringCopy())
} }
case key.EqualString("replace_allowed_ips") || case k.EqualString("replace_allowed_ips") ||
key.EqualString("preshared_key") || k.EqualString("preshared_key") ||
key.EqualString("last_handshake_time_sec") || k.EqualString("last_handshake_time_sec") ||
key.EqualString("last_handshake_time_nsec") || k.EqualString("last_handshake_time_nsec") ||
key.EqualString("tx_bytes") || k.EqualString("tx_bytes") ||
key.EqualString("rx_bytes"): k.EqualString("rx_bytes"):
// ignore // ignore
default: default:
return fmt.Errorf("unexpected IpcGetOperation key: %q", key.StringCopy()) return fmt.Errorf("unexpected IpcGetOperation key: %q", k.StringCopy())
} }
return nil return nil
} }

15
wgengine/wgcfg/parser_test.go
Unescape Escape View File

@ -13,7 +13,7 @@ import (
"testing" "testing"
"inet.af/netaddr" "inet.af/netaddr"
"tailscale.com/types/wgkey" "tailscale.com/types/key"
) )
func noError(t *testing.T, err error) bool { func noError(t *testing.T, err error) bool {
@ -61,15 +61,12 @@ func TestParseEndpoint(t *testing.T) {
} }
func BenchmarkFromUAPI(b *testing.B) { func BenchmarkFromUAPI(b *testing.B) {
newPrivateKey := func() (wgkey.Key, wgkey.Private) { newK := func() (key.NodePublic, key.NodePrivate) {
b.Helper() b.Helper()
pk, err := wgkey.NewPrivate() k := key.NewNode()
if err != nil { return k.Public(), k
b.Fatal(err)
}
return wgkey.Key(pk.Public()), wgkey.Private(pk)
} }
k1, pk1 := newPrivateKey() k1, pk1 := newK()
ip1 := netaddr.MustParseIPPrefix("10.0.0.1/32") ip1 := netaddr.MustParseIPPrefix("10.0.0.1/32")
peer := Peer{ peer := Peer{
@ -77,7 +74,7 @@ func BenchmarkFromUAPI(b *testing.B) {
AllowedIPs: []netaddr.IPPrefix{ip1}, AllowedIPs: []netaddr.IPPrefix{ip1},
} }
cfg1 := &Config{ cfg1 := &Config{
PrivateKey: wgkey.Private(pk1), PrivateKey: pk1,
Peers: []Peer{peer, peer, peer, peer}, Peers: []Peer{peer, peer, peer, peer},
} }

12
wgengine/wgcfg/writer.go
Unescape Escape View File

@ -10,7 +10,7 @@ import (
"strconv" "strconv"
"inet.af/netaddr" "inet.af/netaddr"
"tailscale.com/types/wgkey" "tailscale.com/types/key"
) )
// ToUAPI writes cfg in UAPI format to w. // ToUAPI writes cfg in UAPI format to w.
@ -32,15 +32,15 @@ func (cfg *Config) ToUAPI(w io.Writer, prev *Config) error {
set(key, strconv.FormatUint(uint64(value), 10)) set(key, strconv.FormatUint(uint64(value), 10))
} }
setPeer := func(peer Peer) { setPeer := func(peer Peer) {
set("public_key", peer.PublicKey.HexString()) set("public_key", peer.PublicKey.UntypedHexString())
} }
// Device config. // Device config.
if prev.PrivateKey != cfg.PrivateKey { if !prev.PrivateKey.Equal(cfg.PrivateKey) {
set("private_key", cfg.PrivateKey.HexString()) set("private_key", cfg.PrivateKey.UntypedHexString())
} }
old := make(map[wgkey.Key]Peer) old := make(map[key.NodePublic]Peer)
for _, p := range prev.Peers { for _, p := range prev.Peers {
old[p.PublicKey] = p old[p.PublicKey] = p
} }
@ -55,7 +55,7 @@ func (cfg *Config) ToUAPI(w io.Writer, prev *Config) error {
// to WireGuard, because doing so generates a bit more work in // to WireGuard, because doing so generates a bit more work in
// calling magicsock's ParseEndpoint for effectively a no-op. // calling magicsock's ParseEndpoint for effectively a no-op.
if !wasPresent { if !wasPresent {
set("endpoint", p.PublicKey.HexString()) set("endpoint", p.PublicKey.UntypedHexString())
} }
// TODO: replace_allowed_ips is expensive. // TODO: replace_allowed_ips is expensive.

32
wgengine/wglog/wglog.go
Unescape Escape View File

@ -12,8 +12,8 @@ import (
"sync/atomic" "sync/atomic"
"golang.zx2c4.com/wireguard/device" "golang.zx2c4.com/wireguard/device"
"tailscale.com/types/key"
"tailscale.com/types/logger" "tailscale.com/types/logger"
"tailscale.com/types/wgkey"
"tailscale.com/wgengine/wgcfg" "tailscale.com/wgengine/wgcfg"
) )
@ -21,9 +21,9 @@ import (
// It can be modified at run time to adjust to new wireguard-go configurations. // It can be modified at run time to adjust to new wireguard-go configurations.
type Logger struct { type Logger struct {
DeviceLogger *device.Logger DeviceLogger *device.Logger
replace atomic.Value // of map[string]string replace atomic.Value // of map[string]string
mu sync.Mutex // protects strs mu sync.Mutex // protects strs
strs map[wgkey.Key]*strCache // cached strs used to populate replace strs map[key.NodePublic]*strCache // cached strs used to populate replace
} }
// strCache holds a wireguard-go and a Tailscale style peer string. // strCache holds a wireguard-go and a Tailscale style peer string.
@ -84,7 +84,7 @@ func NewLogger(logf logger.Logf) *Logger {
Verbosef: logger.WithPrefix(wrapper, "[v2] "), Verbosef: logger.WithPrefix(wrapper, "[v2] "),
Errorf: wrapper, Errorf: wrapper,
} }
ret.strs = make(map[wgkey.Key]*strCache) ret.strs = make(map[key.NodePublic]*strCache)
return ret return ret
} }
@ -98,7 +98,7 @@ func (x *Logger) SetPeers(peers []wgcfg.Peer) {
for _, peer := range peers { for _, peer := range peers {
c, ok := x.strs[peer.PublicKey] // look up cached strs c, ok := x.strs[peer.PublicKey] // look up cached strs
if !ok { if !ok {
wg := wireguardGoString(peer.PublicKey) wg := peer.PublicKey.WireGuardGoString()
ts := peer.PublicKey.ShortString() ts := peer.PublicKey.ShortString()
c = &strCache{wg: wg, ts: ts} c = &strCache{wg: wg, ts: ts}
x.strs[peer.PublicKey] = c x.strs[peer.PublicKey] = c
@ -117,23 +117,3 @@ func (x *Logger) SetPeers(peers []wgcfg.Peer) {
} }
x.replace.Store(replace) x.replace.Store(replace)
} }
// wireguardGoString prints k in the same format used by wireguard-go.
func wireguardGoString(k wgkey.Key) string {
src := k
b64 := func(input byte) byte {
return input + 'A' + byte(((25-int(input))>>8)&6) - byte(((51-int(input))>>8)&75) - byte(((61-int(input))>>8)&15) + byte(((62-int(input))>>8)&3)
}
b := []byte("peer(____…____)")
const first = len("peer(")
const second = len("peer(____…")
b[first+0] = b64((src[0] >> 2) & 63)
b[first+1] = b64(((src[0] << 4) | (src[1] >> 4)) & 63)
b[first+2] = b64(((src[1] << 2) | (src[2] >> 6)) & 63)
b[first+3] = b64(src[2] & 63)
b[second+0] = b64(src[29] & 63)
b[second+1] = b64((src[30] >> 2) & 63)
b[second+2] = b64(((src[30] << 4) | (src[31] >> 4)) & 63)
b[second+3] = b64((src[31] << 2) & 63)
return string(b)
}

9
wgengine/wglog/wglog_test.go
Unescape Escape View File

@ -8,8 +8,9 @@ import (
"fmt" "fmt"
"testing" "testing"
"go4.org/mem"
"tailscale.com/types/key"
"tailscale.com/types/logger" "tailscale.com/types/logger"
"tailscale.com/types/wgkey"
"tailscale.com/wgengine/wgcfg" "tailscale.com/wgengine/wgcfg"
"tailscale.com/wgengine/wglog" "tailscale.com/wgengine/wglog"
) )
@ -41,7 +42,7 @@ func TestLogger(t *testing.T) {
} }
x := wglog.NewLogger(logf) x := wglog.NewLogger(logf)
key, err := wgkey.ParseHex("20c4c1ae54e1fd37cab6e9a532ca20646aff496796cc41d4519560e5e82bee53") key, err := key.ParseNodePublicUntyped(mem.S("20c4c1ae54e1fd37cab6e9a532ca20646aff496796cc41d4519560e5e82bee53"))
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -92,9 +93,9 @@ func genPeers(n int) []wgcfg.Peer {
} }
peers := make([]wgcfg.Peer, n) peers := make([]wgcfg.Peer, n)
for i := range peers { for i := range peers {
var k wgkey.Key var k [32]byte
k[n] = byte(n) k[n] = byte(n)
peers[i].PublicKey = k peers[i].PublicKey = key.NodePublicFromRaw32(mem.B(k[:]))
} }
return peers return peers
} }

Write Preview
Loading…
Cancel
Save