| field | value | date |
|---|---|---|
| author | Simon Law <sfllaw@tailscale.com> | 2025-05-22 12:14:16 -0700 |
| committer | GitHub <noreply@github.com> | 2025-05-22 12:14:16 -0700 |
| commit | 3ee4c60ff0257d11842523c1c59492345030dce2 (patch) | |
| tree | 33c1e9b904c98ffadc5ec2480ad811a86a5996d9 /control/controlhttp/controlhttpserver/controlhttpserver.go | |
| parent | aa8bc23c496821dfa00771c9604fc4a71ead7d4c (diff) | |
| download | tailscale-3ee4c60ff0257d11842523c1c59492345030dce2.tar.xz tailscale-3ee4c60ff0257d11842523c1c59492345030dce2.zip | |
cmd/derper: fix mesh auth for DERP servers (#16061)
To authenticate mesh keys, the DERP servers used a simple == comparison,
which is susceptible to a side channel timing attack.
By extracting the mesh key for a DERP server, an attacker could DoS it
by forcing disconnects using derp.Client.ClosePeer. They could also
enumerate the public Wireguard keys, IP addresses and ports for nodes
connected to that DERP server.
DERP servers configured without mesh keys deny all such requests.
This patch also extracts the mesh key logic into key.DERPMesh, to
prevent this from happening again.
Security bulletin: https://tailscale.com/security-bulletins#ts-2025-003
Fixes tailscale/corp#28720
Signed-off-by: Simon Law <sfllaw@tailscale.com>
Diffstat (limited to 'control/controlhttp/controlhttpserver/controlhttpserver.go')
0 files changed, 0 insertions, 0 deletions
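The commit message contrasts a plain `==` on the mesh key with a constant-time check and notes that servers without a mesh key must deny all mesh requests. The following is an added illustration, not code from the Tailscale repository or from this commit: it assumes a mesh key is 32 random bytes presented as 64 hex characters and uses hypothetical function names, showing the short-circuiting comparison beside a hardened one built on `crypto/subtle`.

```go
package main

import (
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// meshKeyLen is the decoded length of a mesh key. Assumption for this
// example: 32 random bytes, presented on the wire as 64 hex characters.
const meshKeyLen = 32

// naiveMeshKeyOK is the pattern the commit message describes: a string ==
// stops at the first differing byte, so the time it takes leaks how many
// leading bytes of the presented key were correct.
func naiveMeshKeyOK(configured, presented string) bool {
	return configured != "" && configured == presented
}

// meshKeyOK is the hardened form. Both sides are decoded to fixed-size byte
// slices and compared with subtle.ConstantTimeCompare, whose running time
// depends only on the length of the inputs, not on where they differ.
func meshKeyOK(configured, presented string) bool {
	if configured == "" {
		// No mesh key configured: deny every mesh request outright.
		return false
	}
	want, err := hex.DecodeString(configured)
	if err != nil || len(want) != meshKeyLen {
		return false // misconfigured server key; fail closed
	}
	got, err := hex.DecodeString(presented)
	if err != nil || len(got) != meshKeyLen {
		// Wrong encoding or length: reject before comparing. Keeping the
		// compared buffers a fixed size means the only thing the check's
		// timing can reveal is that a well-formed key was supplied.
		return false
	}
	return subtle.ConstantTimeCompare(want, got) == 1
}

func main() {
	// Constructed sample key, not a real mesh key.
	k := "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
	fmt.Println(meshKeyOK(k, k), meshKeyOK(k, k[:63]+"0"), meshKeyOK("", k))
}
```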
