diff options
| author | Anton Tolchanov <anton@tailscale.com> | 2024-05-09 07:23:03 +0100 |
|---|---|---|
| committer | Anton Tolchanov <1687799+knyar@users.noreply.github.com> | 2024-06-03 10:56:09 +0100 |
| commit | 01847e0123dee3b7a6f9645155da69270f01155e (patch) | |
| tree | 3541d8375c502f188c728f6737e4b0ea94773a76 /control/controlknobs | |
| parent | 42cfbf427c671265d3c1fc47408b7961aa7eaec4 (diff) | |
| download | tailscale-01847e0123dee3b7a6f9645155da69270f01155e.tar.xz tailscale-01847e0123dee3b7a6f9645155da69270f01155e.zip | |
ipn/ipnlocal: discard node keys that have been rotated out
A non-signing node can be allowed to re-sign its new node keys following
key renewal/rotation (e.g. via `tailscale up --force-reauth`). To be
able to do this, node's TLK is written into WrappingPubkey field of the
initial SigDirect signature, signed by a signing node.
The intended use of this field implies that, for each WrappingPubkey, we
typically expect to have at most one active node with a signature
tracing back to that key. Multiple valid signatures referring to the
same WrappingPubkey can occur if a client's state has been cloned, but
it's something we explicitly discourage and don't support:
https://tailscale.com/s/clone
This change propagates rotation details (wrapping public key, a list
of previous node keys that have been rotated out) to netmap processing,
and adds tracking of obsolete node keys that, when found, will get
filtered out.
Updates tailscale/corp#19764
Signed-off-by: Anton Tolchanov <anton@tailscale.com>
Diffstat (limited to 'control/controlknobs')
0 files changed, 0 insertions, 0 deletions
