control/controlclient, tailcfg: add Node.Expired field, set for expired nodes

Nodes that are expired, taking into account the time delta calculated from MapResponse.ControlTime have the newly-added Expired boolean set. For additional defense-in-depth, also replicate what control does and clear the Endpoints and DERP fields, and additionally set the node key to a bogus value. Updates #6932 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ia2bd6b56064416feee28aef5699ca7090940662a
2025-10-09 16:11:23 +00:00 · 2023-01-10 12:55:43 -05:00
parent 22ebb25e83
commit 1e67947cfa
8 changed files with 246 additions and 13 deletions
--- a/types/key/node.go
+++ b/types/key/node.go
@@ -193,6 +193,23 @@ func NodePublicFromRaw32(raw mem.RO) NodePublic {
 	return ret
 }

+// badOldPrefix is a nodekey/discokey prefix that, when base64'd, serializes
+// with a "bad01" ("bad ol'", ~"bad old") prefix. It's used for expired node
+// keys so when we debug a customer issue, the "bad01" can jump out to us. See:
+//
+//	https://github.com/tailscale/tailscale/issues/6932
+var badOldPrefix = []byte{109, 167, 116, 213, 215, 116}
+
+// NodePublicWithBadOldPrefix returns a copy of k with its leading public key
+// bytes mutated such that it base64's to a ShortString of [bad01] ("bad ol'"
+// [expired node key]).
+func NodePublicWithBadOldPrefix(k NodePublic) NodePublic {
+	var buf [32]byte
+	k.AppendTo(buf[:0])
+	copy(buf[:], badOldPrefix)
+	return NodePublicFromRaw32(mem.B(buf[:]))
+}
+
 // IsZero reports whether k is the zero value.
 func (k NodePublic) IsZero() bool {
 	return k == NodePublic{}