From 6e91f872af6c833aa60eed97d1d3dd516a0163f2 Mon Sep 17 00:00:00 2001 From: Aaron Klotz Date: Thu, 17 Mar 2022 13:34:38 -0600 Subject: [PATCH] net/tshttpproxy: ensure we pass the correct flags to WinHttpOpen on Win7 and Win8.0 The best flag to use on Win7 and Win8.0 is deprecated in Win8.1, so we resolve the flag depending on OS version info. Fixes https://github.com/tailscale/tailscale/issues/4201 Signed-off-by: Aaron Klotz --- cmd/tailscale/depaware.txt | 3 +- cmd/tailscaled/depaware.txt | 48 +++++++++++++------------- net/tshttpproxy/tshttpproxy_windows.go | 27 ++++++++++++++- 3 files changed, 52 insertions(+), 26 deletions(-) diff --git a/cmd/tailscale/depaware.txt b/cmd/tailscale/depaware.txt index f814c8cf1..16ac6c224 100644 --- a/cmd/tailscale/depaware.txt +++ b/cmd/tailscale/depaware.txt @@ -37,7 +37,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep tailscale.com from tailscale.com/version tailscale.com/atomicfile from tailscale.com/ipn+ tailscale.com/client/tailscale from tailscale.com/cmd/tailscale/cli+ - tailscale.com/client/tailscale/apitype from tailscale.com/client/tailscale+ + tailscale.com/client/tailscale/apitype from tailscale.com/cmd/tailscale/cli+ tailscale.com/cmd/tailscale/cli from tailscale.com/cmd/tailscale tailscale.com/control/controlknobs from tailscale.com/net/portmapper tailscale.com/derp from tailscale.com/derp/derphttp @@ -82,6 +82,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep tailscale.com/types/structs from tailscale.com/ipn+ tailscale.com/types/views from tailscale.com/tailcfg+ tailscale.com/util/clientmetric from tailscale.com/net/netcheck+ + W tailscale.com/util/cmpver from tailscale.com/net/tshttpproxy tailscale.com/util/dnsname from tailscale.com/cmd/tailscale/cli+ W tailscale.com/util/endian from tailscale.com/net/netns tailscale.com/util/groupmember from tailscale.com/cmd/tailscale/cli 
diff --git a/cmd/tailscaled/depaware.txt b/cmd/tailscaled/depaware.txt index 2d6578031..d8142048d 100644 --- a/cmd/tailscaled/depaware.txt +++ b/cmd/tailscaled/depaware.txt @@ -73,7 +73,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de L github.com/insomniacslk/dhcp/rfc1035label from github.com/insomniacslk/dhcp/dhcpv4 L github.com/jmespath/go-jmespath from github.com/aws/aws-sdk-go-v2/service/ssm L github.com/josharian/native from github.com/mdlayher/netlink+ - L 💣 github.com/jsimonetti/rtnetlink from tailscale.com/wgengine/monitor+ + L 💣 github.com/jsimonetti/rtnetlink from tailscale.com/net/interfaces+ L github.com/jsimonetti/rtnetlink/internal/unix from github.com/jsimonetti/rtnetlink github.com/klauspost/compress from github.com/klauspost/compress/zstd L github.com/klauspost/compress/flate from nhooyr.io/websocket @@ -172,7 +172,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de tailscale.com/client/tailscale/apitype from tailscale.com/client/tailscale+ tailscale.com/cmd/tailscaled/childproc from tailscale.com/cmd/tailscaled+ tailscale.com/control/controlbase from tailscale.com/control/controlclient+ - tailscale.com/control/controlclient from tailscale.com/ipn/ipnlocal+ + tailscale.com/control/controlclient from tailscale.com/cmd/tailscaled+ tailscale.com/control/controlhttp from tailscale.com/control/controlclient tailscale.com/control/controlknobs from tailscale.com/control/controlclient+ tailscale.com/derp from tailscale.com/derp/derphttp+ 
@@ -196,19 +196,19 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de tailscale.com/log/filelogger from tailscale.com/logpolicy tailscale.com/log/logheap from tailscale.com/control/controlclient tailscale.com/logpolicy from tailscale.com/cmd/tailscaled+ - tailscale.com/logtail from tailscale.com/logpolicy+ + tailscale.com/logtail from tailscale.com/cmd/tailscaled+ tailscale.com/logtail/backoff from tailscale.com/cmd/tailscaled+ tailscale.com/logtail/filch from tailscale.com/logpolicy 💣 tailscale.com/metrics from tailscale.com/derp+ tailscale.com/net/dns from tailscale.com/cmd/tailscaled+ tailscale.com/net/dns/resolvconffile from tailscale.com/net/dns+ - tailscale.com/net/dns/resolver from tailscale.com/net/dns+ + tailscale.com/net/dns/resolver from tailscale.com/ipn/ipnlocal+ tailscale.com/net/dnscache from tailscale.com/control/controlclient+ tailscale.com/net/dnsfallback from tailscale.com/control/controlclient+ tailscale.com/net/flowtrack from tailscale.com/net/packet+ 💣 tailscale.com/net/interfaces from tailscale.com/cmd/tailscaled+ tailscale.com/net/netcheck from tailscale.com/wgengine/magicsock - tailscale.com/net/neterror from tailscale.com/net/netcheck+ + tailscale.com/net/neterror from tailscale.com/net/dns/resolver+ tailscale.com/net/netknob from tailscale.com/logpolicy+ tailscale.com/net/netns from tailscale.com/cmd/tailscaled+ 💣 tailscale.com/net/netstat from tailscale.com/ipn/ipnserver 
@@ -219,7 +219,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de tailscale.com/net/socks5 from tailscale.com/cmd/tailscaled tailscale.com/net/stun from tailscale.com/net/netcheck+ tailscale.com/net/tlsdial from tailscale.com/control/controlclient+ - tailscale.com/net/tsaddr from tailscale.com/ipn/ipnlocal+ + tailscale.com/net/tsaddr from tailscale.com/ipn+ tailscale.com/net/tsdial from tailscale.com/cmd/tailscaled+ 💣 tailscale.com/net/tshttpproxy from tailscale.com/cmd/tailscaled+ tailscale.com/net/tstun from tailscale.com/cmd/tailscaled+ @@ -248,9 +248,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de tailscale.com/types/persist from tailscale.com/control/controlclient+ tailscale.com/types/preftype from tailscale.com/ipn+ tailscale.com/types/structs from tailscale.com/control/controlclient+ - tailscale.com/types/views from tailscale.com/tailcfg+ - tailscale.com/util/clientmetric from tailscale.com/ipn/localapi+ - L tailscale.com/util/cmpver from tailscale.com/net/dns + tailscale.com/types/views from tailscale.com/ipn/ipnlocal+ + tailscale.com/util/clientmetric from tailscale.com/cmd/tailscaled+ + LW tailscale.com/util/cmpver from tailscale.com/net/dns+ 💣 tailscale.com/util/deephash from tailscale.com/ipn/ipnlocal+ tailscale.com/util/dnsname from tailscale.com/hostinfo+ LW tailscale.com/util/endian from tailscale.com/net/dns+ 
@@ -270,7 +270,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de W tailscale.com/wf from tailscale.com/cmd/tailscaled tailscale.com/wgengine from tailscale.com/cmd/tailscaled+ tailscale.com/wgengine/filter from tailscale.com/control/controlclient+ - tailscale.com/wgengine/magicsock from tailscale.com/wgengine+ + tailscale.com/wgengine/magicsock from tailscale.com/ipn/ipnlocal+ tailscale.com/wgengine/monitor from tailscale.com/cmd/tailscaled+ tailscale.com/wgengine/netstack from tailscale.com/cmd/tailscaled tailscale.com/wgengine/router from tailscale.com/cmd/tailscaled+ 
@@ -294,20 +294,20 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de golang.org/x/crypto/poly1305 from golang.zx2c4.com/wireguard/device golang.org/x/crypto/salsa20/salsa from golang.org/x/crypto/nacl/box+ LD golang.org/x/crypto/ssh from github.com/tailscale/ssh+ - golang.org/x/net/bpf from github.com/mdlayher/netlink+ + golang.org/x/net/bpf from github.com/mdlayher/genetlink+ golang.org/x/net/dns/dnsmessage from net+ - golang.org/x/net/http/httpguts from net/http+ + golang.org/x/net/http/httpguts from golang.org/x/net/http2+ golang.org/x/net/http/httpproxy from net/http golang.org/x/net/http2 from golang.org/x/net/http2/h2c+ golang.org/x/net/http2/h2c from tailscale.com/ipn/ipnlocal - golang.org/x/net/http2/hpack from net/http+ + golang.org/x/net/http2/hpack from golang.org/x/net/http2+ golang.org/x/net/idna from golang.org/x/net/http/httpguts+ golang.org/x/net/ipv4 from golang.zx2c4.com/wireguard/device golang.org/x/net/ipv6 from golang.zx2c4.com/wireguard/device+ golang.org/x/net/proxy from tailscale.com/net/netns D golang.org/x/net/route from net+ - golang.org/x/sync/errgroup from github.com/tailscale/goupnp/httpu+ - golang.org/x/sync/singleflight from tailscale.com/net/dnscache+ + golang.org/x/sync/errgroup from github.com/mdlayher/socket+ + golang.org/x/sync/singleflight from tailscale.com/control/controlclient+ golang.org/x/sys/cpu from golang.org/x/crypto/blake2b+ LD golang.org/x/sys/unix from github.com/insomniacslk/dhcp/interfaces+ W golang.org/x/sys/windows from github.com/go-ole/go-ole+ @@ -323,7 +323,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de bufio from compress/flate+ bytes from bufio+ compress/flate from compress/gzip+ - compress/gzip from internal/profile+ + compress/gzip from golang.org/x/net/http2+ container/heap from gvisor.dev/gvisor/pkg/tcpip/transport/tcp container/list from crypto/tls+ context from crypto/tls+ 
@@ -344,10 +344,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de crypto/sha256 from crypto/tls+ crypto/sha512 from crypto/ecdsa+ crypto/subtle from crypto/aes+ - crypto/tls from github.com/tcnksm/go-httpstat+ + crypto/tls from github.com/aws/aws-sdk-go-v2/aws/transport/http+ crypto/x509 from crypto/tls+ crypto/x509/pkix from crypto/x509+ - embed from tailscale.com/net/dns+ + embed from crypto/elliptic+ encoding from encoding/json+ encoding/asn1 from crypto/x509+ encoding/base64 from encoding/json+ @@ -355,7 +355,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de encoding/hex from crypto/x509+ encoding/json from expvar+ encoding/pem from crypto/tls+ - encoding/xml from github.com/tailscale/goupnp+ + encoding/xml from github.com/aws/aws-sdk-go-v2/aws/protocol/xml+ errors from bufio+ expvar from tailscale.com/derp+ flag from tailscale.com/cmd/tailscaled+ 
@@ -380,20 +380,20 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de net from crypto/tls+ net/http from expvar+ net/http/httptrace from github.com/tcnksm/go-httpstat+ - net/http/httputil from tailscale.com/cmd/tailscaled+ + net/http/httputil from github.com/aws/smithy-go/transport/http+ net/http/internal from net/http+ net/http/pprof from tailscale.com/cmd/tailscaled+ - net/netip from net+ - net/textproto from golang.org/x/net/http/httpguts+ + net/netip from golang.zx2c4.com/wireguard/conn+ + net/textproto from github.com/aws/aws-sdk-go-v2/aws/signer/v4+ net/url from crypto/x509+ os from crypto/rand+ - os/exec from github.com/coreos/go-iptables/iptables+ + os/exec from github.com/aws/aws-sdk-go-v2/credentials/processcreds+ os/signal from tailscale.com/cmd/tailscaled+ os/user from github.com/godbus/dbus/v5+ path from github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds+ path/filepath from crypto/x509+ reflect from crypto/x509+ - regexp from github.com/coreos/go-iptables/iptables+ + regexp from github.com/aws/aws-sdk-go-v2/internal/endpoints/v2+ regexp/syntax from regexp runtime/debug from github.com/klauspost/compress/zstd+ runtime/pprof from net/http/pprof+ diff --git a/net/tshttpproxy/tshttpproxy_windows.go b/net/tshttpproxy/tshttpproxy_windows.go index 5f68ba81e..d647f153b 100644 --- a/net/tshttpproxy/tshttpproxy_windows.go +++ b/net/tshttpproxy/tshttpproxy_windows.go @@ -14,13 +14,16 @@ import ( "runtime" "strings" "sync" + "sync/atomic" "syscall" "time" "unsafe" "github.com/alexbrainman/sspi/negotiate" "golang.org/x/sys/windows" + "tailscale.com/hostinfo" "tailscale.com/types/logger" + "tailscale.com/util/cmpver" ) var ( 
@@ -146,6 +149,7 @@ func proxyFromWinHTTP(ctx context.Context, urlStr string) (proxy *url.URL, err e var userAgent = windows.StringToUTF16Ptr("Tailscale") const ( + winHTTP_ACCESS_TYPE_DEFAULT_PROXY = 0 winHTTP_ACCESS_TYPE_AUTOMATIC_PROXY = 4 winHTTP_AUTOPROXY_ALLOW_AUTOCONFIG = 0x00000100 winHTTP_AUTOPROXY_AUTO_DETECT = 1 @@ -153,13 +157,34 @@ const ( winHTTP_AUTO_DETECT_TYPE_DNS_A = 0x00000002 ) +// Windows 8.1 is actually Windows 6.3 under the hood. Yay, marketing! +const win8dot1Ver = "6.3" + +// accessType is the flag we must pass to WinHttpOpen for proxy resolution +// depending on whether or not we're running Windows < 8.1 +var accessType atomic.Value // of uint32 + +func getAccessFlag() uint32 { + if flag, ok := accessType.Load().(uint32); ok { + return flag + } + var flag uint32 + if cmpver.Compare(hostinfo.GetOSVersion(), win8dot1Ver) < 0 { + flag = winHTTP_ACCESS_TYPE_DEFAULT_PROXY + } else { + flag = winHTTP_ACCESS_TYPE_AUTOMATIC_PROXY + } + accessType.Store(flag) + return flag +} + func winHTTPOpen() (winHTTPInternet, error) { if err := httpOpenProc.Find(); err != nil { return 0, err } r, _, err := httpOpenProc.Call( uintptr(unsafe.Pointer(userAgent)), - winHTTP_ACCESS_TYPE_AUTOMATIC_PROXY, + uintptr(getAccessFlag()), 0, /* WINHTTP_NO_PROXY_NAME */ 0, /* WINHTTP_NO_PROXY_BYPASS */ 0)
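Review bot: In `getAccessFlag`, the outcome of `cmpver.Compare(hostinfo.GetOSVersion(), win8dot1Ver)` is stored in `accessType` on first use and never recomputed, and nothing in the hunk shows what `GetOSVersion` returns when the lookup fails. If an empty or non-dotted string compares as older than "6.3" (likely, but not visible here), a failed lookup on a current Windows build would pin the process to `winHTTP_ACCESS_TYPE_DEFAULT_PROXY`, and WinHTTP would then take its proxy settings from a different source than intended. Consider reading the version into a local and not caching a failed lookup, e.g. `v := hostinfo.GetOSVersion()` followed by `if v == "" { return winHTTP_ACCESS_TYPE_DEFAULT_PROXY }` ahead of the comparison. The function also lacks a doc comment; something like `// getAccessFlag returns the WinHttpOpen access type for the running OS version; the value is computed once and cached.` would record the caching. The body of `winHTTPOpen` continues past the end of the hunk, so how the WinHttpOpen result is checked is not visible here.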