wgengine/wgcfg: convert to use new node key type.

Updates #3206

Signed-off-by: David Anderson <danderson@tailscale.com>

types/key/node.go

@@ -54,6 +54,19 @@ func NewNode() NodePrivate {
 	return ret
 }
 
+// NodePrivateFromRaw32 parses a 32-byte raw value as a NodePrivate.
+//
+// Deprecated: only needed to cast from legacy node private key types,
+// do not add more uses unrelated to #3206.
+func NodePrivateFromRaw32(raw mem.RO) NodePrivate {
+	if raw.Len() != 32 {
+		panic("input has wrong size")
+	}
+	var ret NodePrivate
+	raw.Copy(ret.k[:])
+	return ret
+}
+
 func ParseNodePrivateUntyped(raw mem.RO) (NodePrivate, error) {
 	var ret NodePrivate
 	if err := parseHex(ret.k[:], raw, mem.B(nil)); err != nil {

util/deephash/deephash_test.go

@@ -19,7 +19,7 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/ipproto"
-	"tailscale.com/types/wgkey"
+	"tailscale.com/types/key"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/version"
 	"tailscale.com/wgengine/filter"
@@ -138,7 +138,7 @@ func getVal() []interface{} {
 			Addresses: []netaddr.IPPrefix{netaddr.IPPrefixFrom(netaddr.IPFrom16([16]byte{3: 3}), 5)},
 			Peers: []wgcfg.Peer{
 				{
-					PublicKey: wgkey.Key{},
+					PublicKey: key.NodePublic{},
 				},
 			},
 		},

wgengine/bench/wg.go

@@ -17,9 +17,9 @@ import (
 
 	"tailscale.com/net/dns"
 	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
-	"tailscale.com/types/wgkey"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/router"
@@ -28,10 +28,7 @@ import (
 
 func setupWGTest(b *testing.B, logf logger.Logf, traf *TrafficGen, a1, a2 netaddr.IPPrefix) {
 	l1 := logger.WithPrefix(logf, "e1: ")
-	k1, err := wgkey.NewPrivate()
-	if err != nil {
-		log.Fatalf("e1 NewPrivateKey: %v", err)
-	}
+	k1 := key.NewNode()
 
 	c1 := wgcfg.Config{
 		Name:       "e1",
@@ -56,10 +53,7 @@ func setupWGTest(b *testing.B, logf logger.Logf, traf *TrafficGen, a1, a2 netadd
 	}
 
 	l2 := logger.WithPrefix(logf, "e2: ")
-	k2, err := wgkey.NewPrivate()
-	if err != nil {
-		log.Fatalf("e2 NewPrivateKey: %v", err)
-	}
+	k2 := key.NewNode()
 	c2 := wgcfg.Config{
 		Name:       "e2",
 		PrivateKey: k2,
@@ -111,8 +105,8 @@ func setupWGTest(b *testing.B, logf logger.Logf, traf *TrafficGen, a1, a2 netadd
 			Endpoints:  eps,
 		}
 		e2.SetNetworkMap(&netmap.NetworkMap{
-			NodeKey:    tailcfg.NodeKey(k2),
-			PrivateKey: wgkey.Private(k2),
+			NodeKey:    tailcfg.NodeKeyFromNodePublic(k2.Public()),
+			PrivateKey: k2.AsWGPrivate(),
 			Peers:      []*tailcfg.Node{&n},
 		})
 
@@ -148,8 +142,8 @@ func setupWGTest(b *testing.B, logf logger.Logf, traf *TrafficGen, a1, a2 netadd
 			Endpoints:  eps,
 		}
 		e1.SetNetworkMap(&netmap.NetworkMap{
-			NodeKey:    tailcfg.NodeKey(k1),
-			PrivateKey: wgkey.Private(k1),
+			NodeKey:    tailcfg.NodeKeyFromNodePublic(k1.Public()),
+			PrivateKey: k1.AsWGPrivate(),
 			Peers:      []*tailcfg.Node{&n},
 		})
 

wgengine/magicsock/magicsock_test.go

@@ -24,6 +24,7 @@ import (
 	"time"
 	"unsafe"
 
+	"go4.org/mem"
 	"golang.org/x/crypto/nacl/box"
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/tun/tuntest"
@@ -1017,23 +1018,23 @@ func testTwoDevicePing(t *testing.T, d *devices) {
 
 	m1cfg := &wgcfg.Config{
 		Name:       "peer1",
-		PrivateKey: m1.privateKey,
+		PrivateKey: key.NodePrivateFromRaw32(mem.B(m1.privateKey[:])),
 		Addresses:  []netaddr.IPPrefix{netaddr.MustParseIPPrefix("1.0.0.1/32")},
 		Peers: []wgcfg.Peer{
 			wgcfg.Peer{
-				PublicKey:  m2.privateKey.Public(),
+				PublicKey:  key.NodePrivateFromRaw32(mem.B(m2.privateKey[:])).Public(),
 				DiscoKey:   m2.conn.DiscoPublicKey(),
 				AllowedIPs: []netaddr.IPPrefix{netaddr.MustParseIPPrefix("1.0.0.2/32")},
 			},
 		},
 	}
 	m2cfg := &wgcfg.Config{
 		Name:       "peer2",
-		PrivateKey: m2.privateKey,
+		PrivateKey: key.NodePrivateFromRaw32(mem.B(m2.privateKey[:])),
 		Addresses:  []netaddr.IPPrefix{netaddr.MustParseIPPrefix("1.0.0.2/32")},
 		Peers: []wgcfg.Peer{
 			wgcfg.Peer{
-				PublicKey:  m1.privateKey.Public(),
+				PublicKey:  key.NodePrivateFromRaw32(mem.B(m1.privateKey[:])).Public(),
 				DiscoKey:   m1.conn.DiscoPublicKey(),
 				AllowedIPs: []netaddr.IPPrefix{netaddr.MustParseIPPrefix("1.0.0.1/32")},
 			},

wgengine/userspace.go

@@ -42,7 +42,6 @@ import (
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
-	"tailscale.com/types/wgkey"
 	"tailscale.com/util/deephash"
 	"tailscale.com/version"
 	"tailscale.com/wgengine/filter"
@@ -128,7 +127,7 @@ type userspaceEngine struct {
 	netMap              *netmap.NetworkMap // or nil
 	closing             bool               // Close was called (even if we're still closing)
 	statusCallback      StatusCallback
-	peerSequence        []wgkey.Key
+	peerSequence        []tailcfg.NodeKey
 	endpoints           []tailcfg.Endpoint
 	pendOpen            map[flowtrack.Tuple]*pendingOpenFlow // see pendopen.go
 	networkMapCallbacks map[*someHandle]NetworkMapCallback
@@ -648,27 +647,28 @@ func (e *userspaceEngine) maybeReconfigWireguardLocked(discoChanged map[tailcfg.
 	needRemoveStep := false
 	for i := range full.Peers {
 		p := &full.Peers[i]
-		nk := tailcfg.NodeKey(p.PublicKey)
+		nk := p.PublicKey
+		tnk := tailcfg.NodeKeyFromNodePublic(nk)
 		if !isTrimmablePeer(p, len(full.Peers)) {
 			min.Peers = append(min.Peers, *p)
-			if discoChanged[nk] {
+			if discoChanged[tnk] {
 				needRemoveStep = true
 			}
 			continue
 		}
-		trackNodes = append(trackNodes, nk)
+		trackNodes = append(trackNodes, tnk)
 		recentlyActive := false
 		for _, cidr := range p.AllowedIPs {
 			trackIPs = append(trackIPs, cidr.IP())
-			recentlyActive = recentlyActive || e.isActiveSinceLocked(nk, cidr.IP(), activeCutoff)
+			recentlyActive = recentlyActive || e.isActiveSinceLocked(tnk, cidr.IP(), activeCutoff)
 		}
 		if recentlyActive {
 			min.Peers = append(min.Peers, *p)
-			if discoChanged[tailcfg.NodeKey(p.PublicKey)] {
+			if discoChanged[tnk] {
 				needRemoveStep = true
 			}
 		} else {
-			trimmedNodes[tailcfg.NodeKey(p.PublicKey)] = true
+			trimmedNodes[tnk] = true
 		}
 	}
 	e.lastNMinPeers = len(min.Peers)
@@ -687,7 +687,7 @@ func (e *userspaceEngine) maybeReconfigWireguardLocked(discoChanged map[tailcfg.
 		minner.Peers = nil
 		numRemove := 0
 		for _, p := range min.Peers {
-			if discoChanged[tailcfg.NodeKey(p.PublicKey)] {
+			if discoChanged[tailcfg.NodeKeyFromNodePublic(p.PublicKey)] {
 				numRemove++
 				continue
 			}
@@ -807,8 +807,8 @@ func (e *userspaceEngine) Reconfig(cfg *wgcfg.Config, routerCfg *router.Config,
 	e.mu.Lock()
 	e.peerSequence = e.peerSequence[:0]
 	for _, p := range cfg.Peers {
-		e.peerSequence = append(e.peerSequence, wgkey.Key(p.PublicKey))
-		peerSet[key.Public(p.PublicKey)] = struct{}{}
+		e.peerSequence = append(e.peerSequence, tailcfg.NodeKeyFromNodePublic(p.PublicKey))
+		peerSet[p.PublicKey.AsPublic()] = struct{}{}
 	}
 	e.mu.Unlock()
 
@@ -845,15 +845,15 @@ func (e *userspaceEngine) Reconfig(cfg *wgcfg.Config, routerCfg *router.Config,
 		prevEP := make(map[tailcfg.NodeKey]tailcfg.DiscoKey)
 		for i := range e.lastCfgFull.Peers {
 			if p := &e.lastCfgFull.Peers[i]; !p.DiscoKey.IsZero() {
-				prevEP[tailcfg.NodeKey(p.PublicKey)] = p.DiscoKey
+				prevEP[tailcfg.NodeKeyFromNodePublic(p.PublicKey)] = p.DiscoKey
 			}
 		}
 		for i := range cfg.Peers {
 			p := &cfg.Peers[i]
 			if p.DiscoKey.IsZero() {
 				continue
 			}
-			pub := tailcfg.NodeKey(p.PublicKey)
+			pub := tailcfg.NodeKeyFromNodePublic(p.PublicKey)
 			if old, ok := prevEP[pub]; ok && old != p.DiscoKey {
 				discoChanged[pub] = true
 				e.logf("wgengine: Reconfig: %s changed from %q to %q", pub.ShortString(), old, p.DiscoKey)
@@ -867,7 +867,7 @@ func (e *userspaceEngine) Reconfig(cfg *wgcfg.Config, routerCfg *router.Config,
 	// (which is needed by DERP) before wgdev gets it, as wgdev
 	// will start trying to handshake, which we want to be able to
 	// go over DERP.
-	if err := e.magicConn.SetPrivateKey(wgkey.Private(cfg.PrivateKey)); err != nil {
+	if err := e.magicConn.SetPrivateKey(cfg.PrivateKey.AsWGPrivate()); err != nil {
 		e.logf("wgengine: Reconfig: SetPrivateKey: %v", err)
 	}
 	e.magicConn.UpdatePeers(peerSet)
@@ -978,7 +978,7 @@ func (e *userspaceEngine) getStatus() (*Status, error) {
 		errc <- err
 	}()
 
-	pp := make(map[wgkey.Key]ipnstate.PeerStatusLite)
+	pp := make(map[tailcfg.NodeKey]ipnstate.PeerStatusLite)
 	var p ipnstate.PeerStatusLite
 
 	var hst1, hst2, n int64
@@ -1012,7 +1012,7 @@ func (e *userspaceEngine) getStatus() (*Status, error) {
 				return nil, fmt.Errorf("IpcGetOperation: invalid key in line %q", line)
 			}
 			if !p.NodeKey.IsZero() {
-				pp[wgkey.Key(p.NodeKey)] = p
+				pp[p.NodeKey] = p
 			}
 			p = ipnstate.PeerStatusLite{NodeKey: tailcfg.NodeKey(pk)}
 		case "rx_bytes":
@@ -1043,7 +1043,7 @@ func (e *userspaceEngine) getStatus() (*Status, error) {
 		}
 	}
 	if !p.NodeKey.IsZero() {
-		pp[wgkey.Key(p.NodeKey)] = p
+		pp[p.NodeKey] = p
 	}
 	if err := <-errc; err != nil {
 		return nil, fmt.Errorf("IpcGetOperation: %v", err)
@@ -1464,7 +1464,7 @@ func (e *userspaceEngine) peerForIP(ip netaddr.IP) (n *tailcfg.Node, isSelf bool
 			}
 			if best.IsZero() || cidr.Bits() > best.Bits() {
 				best = cidr
-				bestKey = tailcfg.NodeKey(p.PublicKey)
+				bestKey = tailcfg.NodeKeyFromNodePublic(p.PublicKey)
 			}
 		}
 	}

wgengine/userspace_test.go

@@ -18,7 +18,6 @@ import (
 	"tailscale.com/tstime/mono"
 	"tailscale.com/types/key"
 	"tailscale.com/types/netmap"
-	"tailscale.com/types/wgkey"
 	"tailscale.com/wgengine/router"
 	"tailscale.com/wgengine/wgcfg"
 )
@@ -105,10 +104,14 @@ func TestUserspaceEngineReconfig(t *testing.T) {
 				},
 			},
 		}
+		nk, err := key.ParseNodePublicUntyped(mem.S(nodeHex))
+		if err != nil {
+			t.Fatal(err)
+		}
 		cfg := &wgcfg.Config{
 			Peers: []wgcfg.Peer{
 				{
-					PublicKey: wgkey.Key(nkFromHex(nodeHex)),
+					PublicKey: nk,
 					AllowedIPs: []netaddr.IPPrefix{
 						netaddr.IPPrefixFrom(netaddr.IPv4(100, 100, 99, 1), 32),
 					},
@@ -161,11 +164,14 @@ func TestUserspaceEnginePortReconfig(t *testing.T) {
 	t.Cleanup(ue.Close)
 
 	startingPort := ue.magicConn.LocalPort()
-	nodeKey := nkFromHex("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")
+	nodeKey, err := key.ParseNodePublicUntyped(mem.S("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"))
+	if err != nil {
+		t.Fatal(err)
+	}
 	cfg := &wgcfg.Config{
 		Peers: []wgcfg.Peer{
 			{
-				PublicKey: wgkey.Key(nodeKey),
+				PublicKey: nodeKey,
 				AllowedIPs: []netaddr.IPPrefix{
 					netaddr.IPPrefixFrom(netaddr.IPv4(100, 100, 99, 1), 32),
 				},

wgengine/wgcfg/config.go

@@ -8,7 +8,7 @@ package wgcfg
 import (
 	"inet.af/netaddr"
 	"tailscale.com/tailcfg"
-	"tailscale.com/types/wgkey"
+	"tailscale.com/types/key"
 )
 
 //go:generate go run tailscale.com/cmd/cloner -type=Config,Peer -output=clone.go
@@ -17,22 +17,22 @@ import (
 // It only supports the set of things Tailscale uses.
 type Config struct {
 	Name       string
-	PrivateKey wgkey.Private
+	PrivateKey key.NodePrivate
 	Addresses  []netaddr.IPPrefix
 	MTU        uint16
 	DNS        []netaddr.IP
 	Peers      []Peer
 }
 
 type Peer struct {
-	PublicKey           wgkey.Key
+	PublicKey           key.NodePublic
 	DiscoKey            tailcfg.DiscoKey // present only so we can handle restarts within wgengine, not passed to WireGuard
 	AllowedIPs          []netaddr.IPPrefix
 	PersistentKeepalive uint16
 }
 
 // PeerWithKey returns the Peer with key k and reports whether it was found.
-func (config Config) PeerWithKey(k wgkey.Key) (Peer, bool) {
+func (config Config) PeerWithKey(k key.NodePublic) (Peer, bool) {
 	for _, p := range config.Peers {
 		if p.PublicKey == k {
 			return p, true

wgengine/wgcfg/device.go

@@ -29,7 +29,7 @@ func DeviceConfig(d *device.Device) (*Config, error) {
 		return nil, err
 	}
 	sort.Slice(cfg.Peers, func(i, j int) bool {
-		return cfg.Peers[i].PublicKey.LessThan(&cfg.Peers[j].PublicKey)
+		return cfg.Peers[i].PublicKey.Less(cfg.Peers[j].PublicKey)
 	})
 	return cfg, nil
 }