

reject unsupported capability versions
Signed-off-by: Kristoffer Dalby <[email protected]>
kradalby committed Nov 19, 2023
1 parent 4a3430e commit faec183
Showing 3 changed files with 52 additions and 13 deletions.
24 changes: 24 additions & 0 deletions hscontrol/auth_noise.go
@@ -2,6 +2,7 @@ package hscontrol

import (
"encoding/json"
"errors"
"io"
"net/http"

@@ -21,6 +22,29 @@ func (ns *noiseServer) NoiseRegistrationHandler(
return
}

capVer, err := parseCabailityVersion(req)
if err != nil && !errors.Is(err, ErrNoCapabilityVersion) {
log.Error().
Caller().
Err(err).
Msg("failed to parse capVer")
http.Error(writer, "Internal error", http.StatusInternalServerError)

return
}

// Reject unsupported versions
if capVer < MinimumCapVersion {
log.Info().
Caller().
Int("min_version", int(MinimumCapVersion)).
Int("client_version", int(capVer)).
Msg("unsupported client connected")
http.Error(writer, "Internal error", http.StatusBadRequest)

return
}

log.Trace().
Any("headers", req.Header).
Caller().
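Review bot: The gate `if capVer < MinimumCapVersion` also runs when `parseCabailityVersion` returned `ErrNoCapabilityVersion`, because the check above it lets that error through; if the function returns the zero value in that case (its body is not shown here), every client that sends no capability version is now refused and the `errors.Is` exemption no longer has any effect. If that is intended, say so with a comment such as `// A missing capability version parses as 0 and is rejected here as well.`; if not, handle the missing-version case before the comparison. The responses also misreport the cause: a client-supplied value that fails to parse is answered with 500, and the 400 carries the body "Internal error", where `http.Error(writer, "unsupported client version", http.StatusBadRequest)` would describe the rejection accurately. The same block is added to NoisePollNetMapHandler in hscontrol/poll_noise.go, and NoiseRegistrationHandler's body starts and ends outside this hunk.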
1 change: 1 addition & 0 deletions hscontrol/poll.go
@@ -79,6 +79,7 @@ func (h *Headscale) handlePoll(
Str("node_key", node.NodeKey).
Str("node", node.Hostname).
Strs("endpoints", node.Endpoints).
Int("cap_ver", int(capVer)).
Msg("Received endpoint update")

now := time.Now().UTC()
40 changes: 27 additions & 13 deletions hscontrol/poll_noise.go
@@ -12,6 +12,10 @@ import (
"tailscale.com/types/key"
)

const (
MinimumCapVersion tailcfg.CapabilityVersion = 36
)

// NoisePollNetMapHandler takes care of /machine/:id/map using the Noise protocol
//
// This is the busiest endpoint, as it keeps the HTTP long poll that updates
@@ -34,6 +38,29 @@ func (ns *noiseServer) NoisePollNetMapHandler(
Caller().
Msg("Headers")

capVer, err := parseCabailityVersion(req)
if err != nil && !errors.Is(err, ErrNoCapabilityVersion) {
log.Error().
Caller().
Err(err).
Msg("failed to parse capVer")
http.Error(writer, "Internal error", http.StatusInternalServerError)

return
}

// Reject unsupported versions
if capVer < MinimumCapVersion {
log.Info().
Caller().
Int("min_version", int(MinimumCapVersion)).
Int("client_version", int(capVer)).
Msg("unsupported client connected")
http.Error(writer, "Internal error", http.StatusBadRequest)

return
}

body, _ := io.ReadAll(req.Body)

mapRequest := tailcfg.MapRequest{}
@@ -75,18 +102,5 @@ func (ns *noiseServer) NoisePollNetMapHandler(
Str("node", node.Hostname).
Msg("A node sending a MapRequest with Noise protocol")

capVer, err := parseCabailityVersion(req)
if err != nil && !errors.Is(err, ErrNoCapabilityVersion) {
log.Error().
Caller().
Err(err).
Msg("failed to parse capVer")
http.Error(writer, "Internal error", http.StatusInternalServerError)

return
}

// TODO(kradalby): since we are now passing capVer, we could arguably stop passing
// isNoise, and rather have a isNoise function that takes capVer
ns.headscale.handlePoll(writer, req.Context(), node, mapRequest, capVer)
}
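Review bot: `MinimumCapVersion` is exported and sets the compatibility floor for every client on the Noise endpoints, but it has no doc comment and nothing says why the floor is 36; I would add `// MinimumCapVersion is the lowest client capability version the Noise handlers accept; lower versions are answered with HTTP 400.` and, if known, name the client release that 36 corresponds to. The parse-and-reject block added at the top of NoisePollNetMapHandler is a second copy of the one in hscontrol/auth_noise.go, so a single unexported helper called by both handlers would keep the floor enforced identically and make it harder for a later handler to leave it out. Running the check before `io.ReadAll(req.Body)` is the right order, since a rejected client's body is then never read. NoisePollNetMapHandler's body starts outside these hunks.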
