control/controlclient,ipn/ipnlocal: wire tka enable/disable

Signed-off-by: Tom DNetto <tom@tailscale.com>
This commit is contained in:
Tom DNetto
2022-09-06 16:34:16 -07:00
committed by Tom
parent b9b0bf65a0
commit e9b98dd2e1
16 changed files with 469 additions and 17 deletions


@ -93,7 +93,13 @@ const disablementLength = 32
var disablementSalt = []byte("tailscale network-lock disablement salt")
func disablementKDF(secret []byte) []byte {
// DisablementKDF computes a public value which can be stored in a
// key authority, but cannot be reversed to find the input secret.
//
// When the output of this function is stored in tka state (i.e. in
// tka.State.DisablementSecrets) a call to Authority.ValidDisablement()
// with the input of this function as the argument will return true.
func DisablementKDF(secret []byte) []byte {
// time = 4 (3 recommended, booped to 4 to compensate for less memory)
// memory = 16 (32 recommended)
// threads = 4
@ -103,7 +109,7 @@ func disablementKDF(secret []byte) []byte {
// checkDisablement returns true for a valid disablement secret.
func (s State) checkDisablement(secret []byte) bool {
derived := disablementKDF(secret)
derived := DisablementKDF(secret)
for _, candidate := range s.DisablementSecrets {
if bytes.Equal(derived, candidate) {
return true