Anton Tolchanov
01847e0123
ipn/ipnlocal: discard node keys that have been rotated out
...
A non-signing node can be allowed to re-sign its new node keys following
key renewal/rotation (e.g. via `tailscale up --force-reauth`). To be
able to do this, the node's TLK is written into the WrappingPubkey field
of the initial SigDirect signature, signed by a signing node.
The intended use of this field implies that, for each WrappingPubkey, we
typically expect to have at most one active node with a signature
tracing back to that key. Multiple valid signatures referring to the
same WrappingPubkey can occur if a client's state has been cloned, but
it's something we explicitly discourage and don't support:
https://tailscale.com/s/clone
This change propagates rotation details (wrapping public key, a list
of previous node keys that have been rotated out) to netmap processing,
and adds tracking of obsolete node keys that, when found, will get
filtered out.
Updates tailscale/corp#19764
Signed-off-by: Anton Tolchanov <anton@tailscale.com>
2 years ago
..
testdata
ipn/ipnlocal: fix the path for writing cert files (#7203)
3 years ago
breaktcp_darwin.go
cmd/tailscale: add debug commands to break connections
3 years ago
breaktcp_linux.go
cmd/tailscale: add debug commands to break connections
3 years ago
c2n.go
ipn/ipnlocal: support c2n updates with old systemd versions (#12296)
2 years ago
c2n_pprof.go
ipn/ipnlocal: add c2n /debug/pprof/allocs endpoint
2 years ago
c2n_test.go
util/cmpx: delete now that we're using Go 1.22
2 years ago
cert.go
ipn/ipnlocal: remove ancient transition mechanism for https certs
2 years ago
cert_js.go
ipn/ipnlocal: add c2n method to check on TLS cert fetch status
2 years ago
cert_test.go
all: use Go 1.21 slices, maps instead of x/exp/{slices,maps}
3 years ago
dnsconfig_test.go
util/cmpx: delete now that we're using Go 1.22
2 years ago
drive.go
ipn/ipnlocal: reuse transport across Taildrive remotes
2 years ago
expiry.go
ssh/tailssh: use control server time instead of local time
2 years ago
expiry_test.go
types/netmap, all: make NetworkMap.SelfNode a tailcfg.NodeView
3 years ago
local.go
ipn/ipnlocal: allowed suggested exit nodes policy (#12240)
2 years ago
local_test.go
ipn/ipnlocal: allowed suggested exit nodes policy (#12240)
2 years ago
loglines_test.go
ipn/ipnlocal, all: plumb health trackers in tests
2 years ago
network-lock.go
ipn/ipnlocal: discard node keys that have been rotated out
2 years ago
network-lock_test.go
ipn/ipnlocal: discard node keys that have been rotated out
2 years ago
peerapi.go
net/{interfaces,netmon}, all: merge net/interfaces package into net/netmon
2 years ago
peerapi_h2c.go
all: update copyright and license headers
3 years ago
peerapi_macios_ext.go
net/netmon, add: add netmon.State type alias of interfaces.State
2 years ago
peerapi_test.go
ipn/ipnlocal, all: plumb health trackers in tests
2 years ago
profiles.go
various: disable stateful filtering by default (#12197)
2 years ago
profiles_notwindows.go
ipn/ipnlocal: fix profile duplication
3 years ago
profiles_test.go
various: disable stateful filtering by default (#12197)
2 years ago
profiles_windows.go
ipn/ipnlocal: set default NoStatefulFiltering in ipn.NewPrefs (#12031)
2 years ago
serve.go
all: use Go 1.22 range-over-int
2 years ago
serve_test.go
ipn/ipnlocal, all: plumb health trackers in tests
2 years ago
ssh.go
ipnlocal: log failure to get ssh host keys
2 years ago
ssh_stub.go
ipnlocal: log failure to get ssh host keys
2 years ago
ssh_test.go
ipn/ipnlocal: plumb health.Tracker into profileManager constructor
2 years ago
state_test.go
control/controlclient: delete unused Client.Login Oauth2Token field
2 years ago
taildrop.go
ipn/localapi: add support for multipart POST to file-put
2 years ago
web_client.go
all: remove LenIter, use Go 1.22 range-over-int instead
2 years ago
web_client_stub.go
ipn/ipnlocal: add mutex to webClient struct
2 years ago