tailscale/control
Anton Tolchanov 01847e0123 ipn/ipnlocal: discard node keys that have been rotated out
A non-signing node can be allowed to re-sign its new node keys following
key renewal/rotation (e.g. via `tailscale up --force-reauth`). To be
able to do this, node's TLK is written into WrappingPubkey field of the
initial SigDirect signature, signed by a signing node.

The intended use of this field implies that, for each WrappingPubkey, we
typically expect to have at most one active node with a signature
tracing back to that key. Multiple valid signatures referring to the
same WrappingPubkey can occur if a client's state has been cloned, but
it's something we explicitly discourage and don't support:
https://tailscale.com/s/clone

This change propagates rotation details (wrapping public key, a list
of previous node keys that have been rotated out) to netmap processing,
and adds tracking of obsolete node keys that, when found, will get
filtered out.

Updates tailscale/corp#19764

Signed-off-by: Anton Tolchanov <anton@tailscale.com>
2024-06-03 10:56:09 +01:00
..
controlbase all: use Go 1.22 range-over-int 2024-04-16 15:32:38 -07:00
controlclient ipn/ipnlocal: discard node keys that have been rotated out 2024-06-03 10:56:09 +01:00
controlhttp net/netns, net/dns/resolver, etc: make netmon required in most places 2024-04-27 12:17:45 -07:00
controlknobs net/dns/resolver, control/controlknobs, tailcfg: use UserDial instead of SystemDial to dial DNS servers 2024-05-06 17:29:24 -05:00