tka: validate key after UpdateKey before applying state

Signed-off-by: Tom DNetto <tom@tailscale.com>
2025-10-09 08:01:31 +00:00 · 2022-08-30 11:30:09 -07:00
parent e945d87d76
commit 7ca17b6bdb
2 changed files with 10 additions and 2 deletions
--- a/tka/state_test.go
+++ b/tka/state_test.go
@@ -181,6 +181,7 @@ func TestApplyUpdatesChain(t *testing.T) {
 }

 func TestApplyUpdateErrors(t *testing.T) {
+	tooLargeVotes := uint(99999)
 	tcs := []struct {
 		Name    string
 		Updates []AUM
@@ -205,6 +206,12 @@ func TestApplyUpdateErrors(t *testing.T) {
 			State{},
 			ErrNoSuchKey,
 		},
+		{
+			"UpdateKey now fails validation",
+			[]AUM{{MessageKind: AUMUpdateKey, KeyID: []byte{1}, Votes: &tooLargeVotes}},
+			State{Keys: []Key{{Kind: Key25519, Public: []byte{1}}}},
+			errors.New("updated key fails validation: excessive key weight: 99999 > 4096"),
+		},
 		{
 			"Bad lastAUMHash",
 			[]AUM{