tailscale

Commit Graph

Author	SHA1	Message	Date
Anton Tolchanov	01847e0123	ipn/ipnlocal: discard node keys that have been rotated out A non-signing node can be allowed to re-sign its new node keys following key renewal/rotation (e.g. via `tailscale up --force-reauth`). To be able to do this, node's TLK is written into WrappingPubkey field of the initial SigDirect signature, signed by a signing node. The intended use of this field implies that, for each WrappingPubkey, we typically expect to have at most one active node with a signature tracing back to that key. Multiple valid signatures referring to the same WrappingPubkey can occur if a client's state has been cloned, but it's something we explicitly discourage and don't support: https://tailscale.com/s/clone This change propagates rotation details (wrapping public key, a list of previous node keys that have been rotated out) to netmap processing, and adds tracking of obsolete node keys that, when found, will get filtered out. Updates tailscale/corp#19764 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	6 days ago
Anton Tolchanov	32120932a5	cmd/tailscale/cli: print node signature in `tailscale lock status` - Add current node signature to `ipnstate.NetworkLockStatus`; - Print current node signature in a human-friendly format as part of `tailscale lock status`. Examples: ``` $ tailscale lock status Tailnet lock is ENABLED. This node is accessible under tailnet lock. Node signature: SigKind: direct Pubkey: [OTB3a] KeyID: tlpub:44a0e23cd53a4b8acc02f6732813d8f5ba8b35d02d48bf94c9f1724ebe31c943 WrappingPubkey: tlpub:44a0e23cd53a4b8acc02f6732813d8f5ba8b35d02d48bf94c9f1724ebe31c943 This node's tailnet-lock key: tlpub:44a0e23cd53a4b8acc02f6732813d8f5ba8b35d02d48bf94c9f1724ebe31c943 Trusted signing keys: tlpub:44a0e23cd53a4b8acc02f6732813d8f5ba8b35d02d48bf94c9f1724ebe31c943 1 (self) tlpub:6fa21d242a202b290de85926ba3893a6861888679a73bc3a43f49539d67c9764 1 (pre-auth key kq3NzejWoS11KTM59) ``` For a node created via a signed auth key: ``` This node is accessible under tailnet lock. Node signature: SigKind: rotation Pubkey: [e3nAO] Nested: SigKind: credential KeyID: tlpub:6fa21d242a202b290de85926ba3893a6861888679a73bc3a43f49539d67c9764 WrappingPubkey: tlpub:3623b0412cab0029cb1918806435709b5947ae03554050f20caf66629f21220a ``` For a node that rotated its key a few times: ``` This node is accessible under tailnet lock. Node signature: SigKind: rotation Pubkey: [DOzL4] Nested: SigKind: rotation Pubkey: [S/9yU] Nested: SigKind: rotation Pubkey: [9E9v4] Nested: SigKind: direct Pubkey: [3QHTJ] KeyID: tlpub:44a0e23cd53a4b8acc02f6732813d8f5ba8b35d02d48bf94c9f1724ebe31c943 WrappingPubkey: tlpub:2faa280025d3aba0884615f710d8c50590b052c01a004c2b4c2c9434702ae9d0 ``` Updates tailscale/corp#19764 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	1 week ago
Brad Fitzpatrick	7c1d6e35a5	all: use Go 1.22 range-over-int Updates #11058 Change-Id: I35e7ef9b90e83cac04ca93fd964ad00ed5b48430 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Joe Tsai	2e404b769d	all: use new AppendEncode methods available in Go 1.22 (#11079 ) Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	4 months ago
Andrew Lytvynov	1302bd1181	all: cleanup unused code, part 1 (#10661 ) Run `staticcheck` with `U1000` to find unused code. This cleans up about a half of it. I'll do the other half separately to keep PRs manageable. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	6 months ago
Jenny Zhang	09b4914916	tka: clarify field comment Updates #cleanup Signed-off-by: Jenny Zhang <jz@tailscale.com>	6 months ago
Brad Fitzpatrick	dc7aa98b76	all: use set.Set consistently instead of map[T]struct{} I didn't clean up the more idiomatic map[T]bool with true values, at least yet. I just converted the relatively awkward struct{}-valued maps. Updates #cleanup Change-Id: I758abebd2bb1f64bc7a9d0f25c32298f4679c14f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Joe Tsai	c6fadd6d71	all: implement AppendText alongside MarshalText (#9207 ) This eventually allows encoding packages that may respect the proposed encoding.TextAppender interface. The performance gains from this is between 10-30%. Updates tailscale/corp#14379 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	9 months ago
Tom DNetto	767e839db5	all: implement lock revoke-keys command The revoke-keys command allows nodes with tailnet lock keys to collaborate to erase the use of a compromised key, and remove trust in it. Signed-off-by: Tom DNetto <tom@tailscale.com> Updates ENG-1848	10 months ago
Tom DNetto	bec9815f02	tka: guard against key-length panics when verifying signatures In late 2022 a subtle but crucial part of documentation was added to ed25519.Verify: It will panic if len(publicKey) is not [PublicKeySize]. `02ed0e5e67` This change catches that error so it won't lead to a panic. Signed-off-by: Tom DNetto <tom@tailscale.com> Updates https://github.com/tailscale/corp/issues/8568	11 months ago
Tom DNetto	2c782d742c	tka: allow checkpoint AUMs to change TKA state Updates https://github.com/tailscale/corp/issues/8568 Signed-off-by: Tom DNetto <tom@tailscale.com>	11 months ago
Ross Zurowski	0ed088b47b	tka: add function for generating signing deeplinks (#8385 ) This commit continues the work from #8303, providing a method for a tka.Authority to generate valid deeplinks for signing devices. We'll use this to provide the necessary deeplinks for users to sign from their mobile devices. Updates #8302 Signed-off-by: Ross Zurowski <ross@rosszurowski.com>	12 months ago
Andrea Gottardo	99f17a7135	tka: provide verify-deeplink local API endpoint (#8303 ) * tka: provide verify-deeplink local API endpoint Fixes https://github.com/tailscale/tailscale/issues/8302 Signed-off-by: Andrea Gottardo <andrea@tailscale.com> Address code review comments Signed-off-by: Andrea Gottardo <andrea@tailscale.com> Address code review comments by Ross Signed-off-by: Andrea Gottardo <andrea@tailscale.com> * Improve error encoding, fix logic error Signed-off-by: Andrea Gottardo <andrea@tailscale.com> --------- Signed-off-by: Andrea Gottardo <andrea@tailscale.com>	1 year ago
valscale	370b2c37e0	tka: fix go vet complaint on copy of lock value in tailchonk_test.go (#8208 ) go vet complains when we copy a lock value. Create clone function that copies everything but the lock value. Fixes #8207 Signed-off-by: Val <valerie@tailscale.com>	1 year ago
Andrew Dunham	280255acae	various: add golangci-lint, fix issues (#7905 ) This adds an initial and intentionally minimal configuration for golang-ci, fixes the issues reported, and adds a GitHub Action to check new pull requests against this linter configuration. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I8f38fbc315836a19a094d0d3e986758b9313f163	1 year ago
Tom DNetto	88c7d19d54	tka: compact TKA storage on startup Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Tom DNetto	ff168a806e	tka: implement compaction logic Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Tom DNetto	abc874b04e	tka: add public API on NodeKeySignature key information This is needed in the coordination server. Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Will Norris	71029cea2d	all: update copyright and license headers This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes. Updates #6865 Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Tom DNetto	907f85cd67	cmd/tailscale,tka: make KeyID return an error instead of panicking Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Tom DNetto	8724aa254f	cmd/tailscale,tka: implement compat for TKA messages, minor UX tweaks Signed-off-by: Tom DNetto <tom@tailscale.com>	1 year ago
Tom DNetto	45042a76cd	cmd/tailscale,ipn: store disallowed TKA's in prefs, lock local-disable Take 2 of https://github.com/tailscale/tailscale/pull/6546 Builds on https://github.com/tailscale/tailscale/pull/6560 Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Brad Fitzpatrick	390d1bb871	Revert "ipn,types/persist: store disallowed TKA's in prefs, lock local-disable" This reverts commit `f1130421f0`. It was submitted with failing tests (go generate checks) Requires a lot of API changes to fix so rolling back instead of forward. Change-Id: I024e8885c0ed44675d3028a662f386dda811f2ad Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Tom DNetto	f1130421f0	ipn,types/persist: store disallowed TKA's in prefs, lock local-disable Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom DNetto	aeb80bf8cb	ipn/ipnlocal,tka: generate a nonce for each TKA Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom DNetto	4c31183781	cmd/tailscale,ipn: minor fixes to tailscale lock commands * Fix broken add/remove key commands * Make lock status display whether the node is signed Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Adrian Dewhurst	8c09ae9032	tka, types/key: add NLPublic.KeyID This allows direct use of NLPublic with tka.Authority.KeyTrusted() and similar without using tricks like converting the return value of Verifier. Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	2 years ago
Tom DNetto	e8a11f6181	tka: make rotation signatures use nested keyID Duplicating this at each layer doesnt make any sense, and is another invariant where things could go wrong. Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom DNetto	8602061f32	ipn/ipnlocal,tka: Fix bugs found by integration testing * tka.State.staticValidateCheckpoint could call methods on a contained key prior to calling StaticValidate on that key * Remove broken backoff / RPC retry logic from tka methods in ipn/ipnlocal, to be fixed at a later time * Fix NetworkLockModify() which would attempt to take b.mu twice and deadlock, remove now-unused dependence on netmap * Add methods on ipnlocal.LocalBackend to be used in integration tests * Use TAILSCALE_USE_WIP_CODE as the feature flag so it can be manipulated in tests Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Josh Soref	d4811f11a0	all: fix spelling mistakes Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>	2 years ago
Tom DNetto	58ffe928af	ipn/ipnlocal, tka: Implement TKA synchronization with the control plane Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom DNetto	e3beb4429f	tka: Checkpoint every 50 updates Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom DNetto	e9b98dd2e1	control/controlclient,ipn/ipnlocal: wire tka enable/disable Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Eng Zer Jun	f0347e841f	refactor: move from io/ioutil to io and os packages The io/ioutil package has been deprecated as of Go 1.16 [1]. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Reference: https://golang.org/doc/go1.16#ioutil Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>	2 years ago
Tom DNetto	be95aebabd	tka: implement credential signatures (key material delegation) This will be needed to support preauth-keys with network lock in the future, so getting the core mechanics out of the way now. Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom DNetto	7ca17b6bdb	tka: validate key after UpdateKey before applying state Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom DNetto	79905a1162	tka: make storage a parameter rather than an Authority struct member Updates #5435 Based on the discussion in #5435, we can better support transactional data models by making the underlying storage layer a parameter (which can be specialized for the request) rather than a long-lived member of Authority. Now that Authority is just an instantaneous snapshot of state, we can do things like provide idempotent methods and make it cloneable, too. Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom DNetto	f580f4484f	tka: move disablement logic out-of-band from AUMs It doesn't make a ton of sense for disablement to be communicated as an AUM, because any failure in the AUM or chain mechanism will mean disablement wont function. Instead, tracking of the disablement secrets remains inside the state machine, but actual disablement and communication of the disablement secret is done by the caller. Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom DNetto	472529af38	tka: optimize common case of processing updates built from head Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom DNetto	a78f8fa701	tka: support rotating node-keys in node-key signatures Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom DNetto	facafd8819	client,cmd/tailscale,ipn,tka,types: implement tka initialization flow This PR implements the client-side of initializing network-lock with the Coordination server. Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom DNetto	06eac9bbff	tka: Use strict decoding settings, implement Unserialize() Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
David Crawshaw	15b8665787	tka: stable text representation of AUMHash This makes debugging easier, you can pass an AUMHash to a printf and get a string that is easy to debug. Also rearrange how directories/files work in the FS store: use the first two characters of the string representation as the prefix directory, and use the entire AUMHash string as the file name. This is again to aid debugging: you can `ls` a directory and line up what prints out easily with what you get from a printf in debug code. Signed-off-by: David Crawshaw <crawshaw@tailscale.com>	2 years ago
Tom DNetto	f50043f6cb	tka,types/key: remove dependency for tailcfg & types/ packages on tka Following the pattern elsewhere, we create a new tka-specific types package for the types that need to couple between the serialized structure types, and tka. Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom DNetto	8cfd775885	tka,types/key: implement direct node-key signatures Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom DNetto	c13fab2a67	tka: add attack-scenario unit tests, defensive checks, resolve TODOs Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom DNetto	4001d0bf25	assorted: plumb tka initialization & network-lock key into tailscaled - A network-lock key is generated if it doesn't already exist, and stored in the StateStore. The public component is communicated to control during registration. - If TKA state exists on the filesystem, a tailnet key authority is initialized (but nothing is done with it for now). Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom DNetto	023d4e2216	tka,types/key: implement NLPrivate glue for tailnet key authority keys Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom DNetto	44a9b0170b	tka: support processing non-primary forks, scenario-driven tests Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Tom DNetto	5e61d52f91	tka: implement API surface for generating updates Based on the builder pattern. Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago

1 2

57 Commits (flakes)