cmd/derper, net/netcheck: add challenge/response to generate_204 endpoint

The Lufthansa in-flight wifi generates a synthetic 204 response to the DERP server's /generate_204 endpoint. This PR adds a basic challenge/response to the endpoint; something sufficiently complicated that it's unlikely to be implemented by a captive portal. We can then check for the expected response to verify whether we're being MITM'd. Follow-up to #5601 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I94a68c9a16a7be7290200eea6a549b64f02ff48f
2025-12-05 04:11:59 +00:00 · 2022-10-14 18:42:09 +02:00
parent d499afac78
commit 223126fe5b
3 changed files with 86 additions and 2 deletions
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -325,11 +325,31 @@ func main() {
 	}
 }

+const (
+	noContentChallengeHeader = "X-Tailscale-Challenge"
+	noContentResponseHeader  = "X-Tailscale-Response"
+)
+
 // For captive portal detection
 func serveNoContent(w http.ResponseWriter, r *http.Request) {
+	if challenge := r.Header.Get(noContentChallengeHeader); challenge != "" {
+		badChar := strings.IndexFunc(challenge, func(r rune) bool {
+			return !isChallengeChar(r)
+		}) != -1
+		if len(challenge) <= 64 && !badChar {
+			w.Header().Set(noContentResponseHeader, "response "+challenge)
+		}
+	}
 	w.WriteHeader(http.StatusNoContent)
 }

+func isChallengeChar(c rune) bool {
+	// Semi-randomly chosen as a limited set of valid characters
+	return ('a' <= c && c <= 'z') || ('A' <= c && c <= 'Z') ||
+		('0' <= c && c <= '9') ||
+		c == '.' || c == '-' || c == '_'
+}
+
 // probeHandler is the endpoint that js/wasm clients hit to measure
 // DERP latency, since they can't do UDP STUN queries.
 func probeHandler(w http.ResponseWriter, r *http.Request) {