Merge tag 'v1.90.6' into sunos-1.90

Release 1.90.6

Author: nshalman

.github/workflows/test.yml

@@ -613,7 +613,9 @@ jobs:
     steps:
     - name: build fuzzers
       id: build
-      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+      # As of 21 October 2025, this repo doesn't tag releases, so this commit
+      # hash is just the tip of master.
+      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@1242ccb5b6352601e73c00f189ac2ae397242264
       # continue-on-error makes steps.build.conclusion be 'success' even if
       # steps.build.outcome is 'failure'. This means this step does not
       # contribute to the job's overall pass/fail evaluation.
@@ -643,7 +645,9 @@ jobs:
       # report a failure because TS_FUZZ_CURRENTLY_BROKEN is set to the wrong
       # value.
       if: steps.build.outcome == 'success'
-      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+      # As of 21 October 2025, this repo doesn't tag releases, so this commit
+      # hash is just the tip of master.
+      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@1242ccb5b6352601e73c00f189ac2ae397242264
       with:
         oss-fuzz-project-name: 'tailscale'
         fuzz-seconds: 150

VERSION.txt

@@ -1 +1 @@
-1.90.3
+1.90.6

client/local/local.go

@@ -596,6 +596,19 @@ func (lc *Client) DebugResultJSON(ctx context.Context, action string) (any, erro
 	return x, nil
 }
 
+// QueryOptionalFeatures queries the optional features supported by the Tailscale daemon.
+func (lc *Client) QueryOptionalFeatures(ctx context.Context) (*apitype.OptionalFeatures, error) {
+	body, err := lc.send(ctx, "POST", "/localapi/v0/debug-optional-features", 200, nil)
+	if err != nil {
+		return nil, fmt.Errorf("error %w: %s", err, body)
+	}
+	var x apitype.OptionalFeatures
+	if err := json.Unmarshal(body, &x); err != nil {
+		return nil, err
+	}
+	return &x, nil
+}
+
 // SetDevStoreKeyValue set a statestore key/value. It's only meant for development.
 // The schema (including when keys are re-read) is not a stable interface.
 func (lc *Client) SetDevStoreKeyValue(ctx context.Context, key, value string) error {

client/tailscale/apitype/apitype.go

@@ -94,3 +94,13 @@ type DNSQueryResponse struct {
 	// Resolvers is the list of resolvers that the forwarder deemed able to resolve the query.
 	Resolvers []*dnstype.Resolver
 }
+
+// OptionalFeatures describes which optional features are enabled in the build.
+type OptionalFeatures struct {
+	// Features is the map of optional feature names to whether they are
+	// enabled.
+	//
+	// Disabled features may be absent from the map. (That is, false values
+	// are not guaranteed to be present.)
+	Features map[string]bool
+}

cmd/k8s-operator/generate/main.go

@@ -144,7 +144,7 @@ func generate(baseDir string) error {
 		if _, err := file.Write([]byte(helmConditionalEnd)); err != nil {
 			return fmt.Errorf("error writing helm if-statement end: %w", err)
 		}
-		return nil
+		return file.Close()
 	}
 	for _, crd := range []struct {
 		crdPath, templatePath string

cmd/k8s-operator/generate/main_test.go

@@ -7,26 +7,50 @@ package main
 
 import (
 	"bytes"
+	"context"
+	"net"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"strings"
 	"testing"
+	"time"
+
+	"tailscale.com/tstest/nettest"
+	"tailscale.com/util/cibuild"
 )
 
 func Test_generate(t *testing.T) {
+	nettest.SkipIfNoNetwork(t)
+
+	ctx, cancel := context.WithTimeout(t.Context(), 10*time.Second)
+	defer cancel()
+	if _, err := net.DefaultResolver.LookupIPAddr(ctx, "get.helm.sh"); err != nil {
+		// https://github.com/helm/helm/issues/31434
+		t.Skipf("get.helm.sh seems down or unreachable; skipping test")
+	}
+
 	base, err := os.Getwd()
 	base = filepath.Join(base, "../../../")
 	if err != nil {
 		t.Fatalf("error getting current working directory: %v", err)
 	}
 	defer cleanup(base)
+
+	helmCLIPath := filepath.Join(base, "tool/helm")
+	if out, err := exec.Command(helmCLIPath, "version").CombinedOutput(); err != nil && cibuild.On() {
+		// It's not just DNS. Azure is generating bogus certs within GitHub Actions at least for
+		// helm. So try to run it and see if we can even fetch it.
+		//
+		// https://github.com/helm/helm/issues/31434
+		t.Skipf("error fetching helm; skipping test in CI: %v, %s", err, out)
+	}
+
 	if err := generate(base); err != nil {
 		t.Fatalf("CRD template generation: %v", err)
 	}
 
 	tempDir := t.TempDir()
-	helmCLIPath := filepath.Join(base, "tool/helm")
 	helmChartTemplatesPath := filepath.Join(base, "cmd/k8s-operator/deploy/chart")
 	helmPackageCmd := exec.Command(helmCLIPath, "package", helmChartTemplatesPath, "--destination", tempDir, "--version", "0.0.1")
 	helmPackageCmd.Stderr = os.Stderr

cmd/tailscale/cli/configure-jetkvm.go

@@ -48,9 +48,12 @@ func runConfigureJetKVM(ctx context.Context, args []string) error {
 	if runtime.GOOS != "linux" || distro.Get() != distro.JetKVM {
 		return errors.New("only implemented on JetKVM")
 	}
-	err := os.WriteFile("/etc/init.d/S22tailscale", bytes.TrimLeft([]byte(`
+	if err := os.MkdirAll("/userdata/init.d", 0755); err != nil {
+		return errors.New("unable to create /userdata/init.d")
+	}
+	err := os.WriteFile("/userdata/init.d/S22tailscale", bytes.TrimLeft([]byte(`
 #!/bin/sh
-# /etc/init.d/S22tailscale
+# /userdata/init.d/S22tailscale
 # Start/stop tailscaled
 
 case "$1" in

control/controlclient/direct.go

@@ -7,8 +7,6 @@ import (
 	"bytes"
 	"cmp"
 	"context"
-	"crypto"
-	"crypto/sha256"
 	"encoding/binary"
 	"encoding/json"
 	"errors"
@@ -948,26 +946,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, isStreaming bool, nu Netmap
 		ConnectionHandleForTest: connectionHandleForTest,
 	}
 
-	// If we have a hardware attestation key, sign the node key with it and send
-	// the key & signature in the map request.
-	if buildfeatures.HasTPM {
-		if k := persist.AsStruct().AttestationKey; k != nil && !k.IsZero() {
-			hwPub := key.HardwareAttestationPublicFromPlatformKey(k)
-			request.HardwareAttestationKey = hwPub
-
-			t := c.clock.Now()
-			msg := fmt.Sprintf("%d|%s", t.Unix(), nodeKey.String())
-			digest := sha256.Sum256([]byte(msg))
-			sig, err := k.Sign(nil, digest[:], crypto.SHA256)
-			if err != nil {
-				c.logf("failed to sign node key with hardware attestation key: %v", err)
-			} else {
-				request.HardwareAttestationKeySignature = sig
-				request.HardwareAttestationKeySignatureTimestamp = t
-			}
-		}
-	}
-
 	var extraDebugFlags []string
 	if buildfeatures.HasAdvertiseRoutes && hi != nil && c.netMon != nil && !c.skipIPForwardingCheck &&
 		ipForwardingBroken(hi.RoutableIPs, c.netMon.InterfaceState()) {

feature/feature.go

@@ -13,6 +13,12 @@ var ErrUnavailable = errors.New("feature not included in this build")
 
 var in = map[string]bool{}
 
+// Registered reports the set of registered features.
+//
+// The returned map should not be modified by the caller,
+// not accessed concurrently with calls to Register.
+func Registered() map[string]bool { return in }
+
 // Register notes that the named feature is linked into the binary.
 func Register(name string) {
 	if _, ok := in[name]; ok {

feature/identityfederation/identityfederation.go

@@ -42,12 +42,12 @@ func resolveAuthKey(ctx context.Context, baseURL, clientID, idToken string, tags
 		baseURL = ipn.DefaultControlURL
 	}
 
-	ephemeral, preauth, err := parseOptionalAttributes(clientID)
+	strippedID, ephemeral, preauth, err := parseOptionalAttributes(clientID)
 	if err != nil {
 		return "", fmt.Errorf("failed to parse optional config attributes: %w", err)
 	}
 
-	accessToken, err := exchangeJWTForToken(ctx, baseURL, clientID, idToken)
+	accessToken, err := exchangeJWTForToken(ctx, baseURL, strippedID, idToken)
 	if err != nil {
 		return "", fmt.Errorf("failed to exchange JWT for access token: %w", err)
 	}
@@ -79,15 +79,15 @@ func resolveAuthKey(ctx context.Context, baseURL, clientID, idToken string, tags
 	return authkey, nil
 }
 
-func parseOptionalAttributes(clientID string) (ephemeral bool, preauthorized bool, err error) {
-	_, attrs, found := strings.Cut(clientID, "?")
+func parseOptionalAttributes(clientID string) (strippedID string, ephemeral bool, preauthorized bool, err error) {
+	strippedID, attrs, found := strings.Cut(clientID, "?")
 	if !found {
-		return true, false, nil
+		return clientID, true, false, nil
 	}
 
 	parsed, err := url.ParseQuery(attrs)
 	if err != nil {
-		return false, false, fmt.Errorf("failed to parse optional config attributes: %w", err)
+		return "", false, false, fmt.Errorf("failed to parse optional config attributes: %w", err)
 	}
 
 	for k := range parsed {
@@ -97,11 +97,14 @@ func parseOptionalAttributes(clientID string) (ephemeral bool, preauthorized boo
 		case "preauthorized":
 			preauthorized, err = strconv.ParseBool(parsed.Get(k))
 		default:
-			return false, false, fmt.Errorf("unknown optional config attribute %q", k)
+			return "", false, false, fmt.Errorf("unknown optional config attribute %q", k)
 		}
 	}
+	if err != nil {
+		return "", false, false, err
+	}
 
-	return ephemeral, preauthorized, err
+	return strippedID, ephemeral, preauthorized, nil
 }
 
 // exchangeJWTForToken exchanges a JWT for a Tailscale access token.