summaryrefslogtreecommitdiffhomepage
path: root/control/controlhttp/controlhttpserver/controlhttpserver.go
diff options
context:
space:
mode:
authorSimon Law <sfllaw@tailscale.com>2025-05-22 12:14:16 -0700
committerGitHub <noreply@github.com>2025-05-22 12:14:16 -0700
commit3ee4c60ff0257d11842523c1c59492345030dce2 (patch)
tree33c1e9b904c98ffadc5ec2480ad811a86a5996d9 /control/controlhttp/controlhttpserver/controlhttpserver.go
parentaa8bc23c496821dfa00771c9604fc4a71ead7d4c (diff)
downloadtailscale-3ee4c60ff0257d11842523c1c59492345030dce2.tar.xz
tailscale-3ee4c60ff0257d11842523c1c59492345030dce2.zip
cmd/derper: fix mesh auth for DERP servers (#16061)
To authenticate mesh keys, the DERP servers used a simple == comparison, which is susceptible to a side channel timing attack. By extracting the mesh key for a DERP server, an attacker could DoS it by forcing disconnects using derp.Client.ClosePeer. They could also enumerate the public Wireguard keys, IP addresses and ports for nodes connected to that DERP server. DERP servers configured without mesh keys deny all such requests. This patch also extracts the mesh key logic into key.DERPMesh, to prevent this from happening again. Security bulletin: https://tailscale.com/security-bulletins#ts-2025-003 Fixes tailscale/corp#28720 Signed-off-by: Simon Law <sfllaw@tailscale.com>
Diffstat (limited to 'control/controlhttp/controlhttpserver/controlhttpserver.go')
0 files changed, 0 insertions, 0 deletions