Update dependencies

vendor/tailscale.com/control/controlhttp/client.go

@@ -38,6 +38,7 @@ import (
 	"time"
 
 	"tailscale.com/control/controlbase"
+	"tailscale.com/control/controlhttp/controlhttpcommon"
 	"tailscale.com/envknob"
 	"tailscale.com/health"
 	"tailscale.com/net/dnscache"
@@ -95,6 +96,9 @@ func (a *Dialer) httpsFallbackDelay() time.Duration {
 var _ = envknob.RegisterBool("TS_USE_CONTROL_DIAL_PLAN") // to record at init time whether it's in use
 
 func (a *Dialer) dial(ctx context.Context) (*ClientConn, error) {
+
+	a.logPort80Failure.Store(true)
+
 	// If we don't have a dial plan, just fall back to dialing the single
 	// host we know about.
 	useDialPlan := envknob.BoolDefaultTrue("TS_USE_CONTROL_DIAL_PLAN")
@@ -277,7 +281,9 @@ func (d *Dialer) forceNoise443() bool {
 		// This heuristic works around networks where port 80 is MITMed and
 		// appears to work for a bit post-Upgrade but then gets closed,
 		// such as seen in https://github.com/tailscale/tailscale/issues/13597.
-		d.logf("controlhttp: forcing port 443 dial due to recent noise dial")
+		if d.logPort80Failure.CompareAndSwap(true, false) {
+			d.logf("controlhttp: forcing port 443 dial due to recent noise dial")
+		}
 		return true
 	}
 
@@ -571,9 +577,9 @@ func (a *Dialer) tryURLUpgrade(ctx context.Context, u *url.URL, optAddr netip.Ad
 		Method: "POST",
 		URL:    u,
 		Header: http.Header{
-			"Upgrade":           []string{upgradeHeaderValue},
-			"Connection":        []string{"upgrade"},
-			handshakeHeaderName: []string{base64.StdEncoding.EncodeToString(init)},
+			"Upgrade":                             []string{controlhttpcommon.UpgradeHeaderValue},
+			"Connection":                          []string{"upgrade"},
+			controlhttpcommon.HandshakeHeaderName: []string{base64.StdEncoding.EncodeToString(init)},
 		},
 	}
 	req = req.WithContext(ctx)
@@ -597,7 +603,7 @@ func (a *Dialer) tryURLUpgrade(ctx context.Context, u *url.URL, optAddr netip.Ad
 		return nil, fmt.Errorf("httptrace didn't provide a connection")
 	}
 
-	if next := resp.Header.Get("Upgrade"); next != upgradeHeaderValue {
+	if next := resp.Header.Get("Upgrade"); next != controlhttpcommon.UpgradeHeaderValue {
 		resp.Body.Close()
 		return nil, fmt.Errorf("server switched to unexpected protocol %q", next)
 	}

vendor/tailscale.com/control/controlhttp/client_js.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/coder/websocket"
 	"tailscale.com/control/controlbase"
+	"tailscale.com/control/controlhttp/controlhttpcommon"
 	"tailscale.com/net/wsconn"
 )
 
@@ -42,11 +43,11 @@ func (d *Dialer) Dial(ctx context.Context) (*ClientConn, error) {
 		// Can't set HTTP headers on the websocket request, so we have to to send
 		// the handshake via an HTTP header.
 		RawQuery: url.Values{
-			handshakeHeaderName: []string{base64.StdEncoding.EncodeToString(init)},
+			controlhttpcommon.HandshakeHeaderName: []string{base64.StdEncoding.EncodeToString(init)},
 		}.Encode(),
 	}
 	wsConn, _, err := websocket.Dial(ctx, wsURL.String(), &websocket.DialOptions{
-		Subprotocols: []string{upgradeHeaderValue},
+		Subprotocols: []string{controlhttpcommon.UpgradeHeaderValue},
 	})
 	if err != nil {
 		return nil, err

vendor/tailscale.com/control/controlhttp/constants.go

@@ -6,6 +6,7 @@ package controlhttp
 import (
 	"net/http"
 	"net/url"
+	"sync/atomic"
 	"time"
 
 	"tailscale.com/health"
@@ -18,15 +19,6 @@ import (
 )
 
 const (
-	// upgradeHeader is the value of the Upgrade HTTP header used to
-	// indicate the Tailscale control protocol.
-	upgradeHeaderValue = "tailscale-control-protocol"
-
-	// handshakeHeaderName is the HTTP request header that can
-	// optionally contain base64-encoded initial handshake
-	// payload, to save an RTT.
-	handshakeHeaderName = "X-Tailscale-Handshake"
-
 	// serverUpgradePath is where the server-side HTTP handler to
 	// to do the protocol switch is located.
 	serverUpgradePath = "/ts2021"
@@ -85,6 +77,8 @@ type Dialer struct {
 	// dropped.
 	Logf logger.Logf
 
+	// NetMon is the [netmon.Monitor] to use for this Dialer. It must be
+	// non-nil.
 	NetMon *netmon.Monitor
 
 	// HealthTracker, if non-nil, is the health tracker to use.
@@ -97,6 +91,11 @@ type Dialer struct {
 
 	proxyFunc func(*http.Request) (*url.URL, error) // or nil
 
+	// logPort80Failure is whether we should log about port 80 interceptions
+	// and forcing a port 443 dial. We do this only once per "dial" method
+	// which can result in many concurrent racing dialHost calls.
+	logPort80Failure atomic.Bool
+
 	// For tests only
 	drainFinished        chan struct{}
 	omitCertErrorLogging bool

vendor/tailscale.com/control/controlhttp/controlhttpcommon/controlhttpcommon.go

@@ -0,0 +1,15 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package controlhttpcommon contains common constants for used
+// by the controlhttp client and controlhttpserver packages.
+package controlhttpcommon
+
+// UpgradeHeader is the value of the Upgrade HTTP header used to
+// indicate the Tailscale control protocol.
+const UpgradeHeaderValue = "tailscale-control-protocol"
+
+// handshakeHeaderName is the HTTP request header that can
+// optionally contain base64-encoded initial handshake
+// payload, to save an RTT.
+const HandshakeHeaderName = "X-Tailscale-Handshake"

vendor/tailscale.com/control/controlhttp/server.go

@@ -1,217 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !ios
-
-package controlhttp
-
-import (
-	"context"
-	"encoding/base64"
-	"errors"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"strings"
-	"time"
-
-	"github.com/coder/websocket"
-	"tailscale.com/control/controlbase"
-	"tailscale.com/net/netutil"
-	"tailscale.com/net/wsconn"
-	"tailscale.com/types/key"
-)
-
-// AcceptHTTP upgrades the HTTP request given by w and r into a Tailscale
-// control protocol base transport connection.
-//
-// AcceptHTTP always writes an HTTP response to w. The caller must not attempt
-// their own response after calling AcceptHTTP.
-//
-// earlyWrite optionally specifies a func to write to the noise connection
-// (encrypted). It receives the negotiated version and a writer to write to, if
-// desired.
-func AcceptHTTP(ctx context.Context, w http.ResponseWriter, r *http.Request, private key.MachinePrivate, earlyWrite func(protocolVersion int, w io.Writer) error) (*controlbase.Conn, error) {
-	return acceptHTTP(ctx, w, r, private, earlyWrite)
-}
-
-func acceptHTTP(ctx context.Context, w http.ResponseWriter, r *http.Request, private key.MachinePrivate, earlyWrite func(protocolVersion int, w io.Writer) error) (_ *controlbase.Conn, retErr error) {
-	next := strings.ToLower(r.Header.Get("Upgrade"))
-	if next == "" {
-		http.Error(w, "missing next protocol", http.StatusBadRequest)
-		return nil, errors.New("no next protocol in HTTP request")
-	}
-	if next == "websocket" {
-		return acceptWebsocket(ctx, w, r, private)
-	}
-	if next != upgradeHeaderValue {
-		http.Error(w, "unknown next protocol", http.StatusBadRequest)
-		return nil, fmt.Errorf("client requested unhandled next protocol %q", next)
-	}
-
-	initB64 := r.Header.Get(handshakeHeaderName)
-	if initB64 == "" {
-		http.Error(w, "missing Tailscale handshake header", http.StatusBadRequest)
-		return nil, errors.New("no tailscale handshake header in HTTP request")
-	}
-	init, err := base64.StdEncoding.DecodeString(initB64)
-	if err != nil {
-		http.Error(w, "invalid tailscale handshake header", http.StatusBadRequest)
-		return nil, fmt.Errorf("decoding base64 handshake header: %v", err)
-	}
-
-	hijacker, ok := w.(http.Hijacker)
-	if !ok {
-		http.Error(w, "make request over HTTP/1", http.StatusBadRequest)
-		return nil, errors.New("can't hijack client connection")
-	}
-
-	w.Header().Set("Upgrade", upgradeHeaderValue)
-	w.Header().Set("Connection", "upgrade")
-	w.WriteHeader(http.StatusSwitchingProtocols)
-
-	conn, brw, err := hijacker.Hijack()
-	if err != nil {
-		return nil, fmt.Errorf("hijacking client connection: %w", err)
-	}
-
-	defer func() {
-		if retErr != nil {
-			conn.Close()
-		}
-	}()
-
-	if err := brw.Flush(); err != nil {
-		return nil, fmt.Errorf("flushing hijacked HTTP buffer: %w", err)
-	}
-	conn = netutil.NewDrainBufConn(conn, brw.Reader)
-
-	cwc := newWriteCorkingConn(conn)
-
-	nc, err := controlbase.Server(ctx, cwc, private, init)
-	if err != nil {
-		return nil, fmt.Errorf("noise handshake failed: %w", err)
-	}
-
-	if earlyWrite != nil {
-		if deadline, ok := ctx.Deadline(); ok {
-			if err := conn.SetDeadline(deadline); err != nil {
-				return nil, fmt.Errorf("setting conn deadline: %w", err)
-			}
-			defer conn.SetDeadline(time.Time{})
-		}
-		if err := earlyWrite(nc.ProtocolVersion(), nc); err != nil {
-			return nil, err
-		}
-	}
-
-	if err := cwc.uncork(); err != nil {
-		return nil, err
-	}
-
-	return nc, nil
-}
-
-// acceptWebsocket upgrades a WebSocket connection (from a client that cannot
-// speak HTTP) to a Tailscale control protocol base transport connection.
-func acceptWebsocket(ctx context.Context, w http.ResponseWriter, r *http.Request, private key.MachinePrivate) (*controlbase.Conn, error) {
-	c, err := websocket.Accept(w, r, &websocket.AcceptOptions{
-		Subprotocols:   []string{upgradeHeaderValue},
-		OriginPatterns: []string{"*"},
-		// Disable compression because we transmit Noise messages that are not
-		// compressible.
-		// Additionally, Safari has a broken implementation of compression
-		// (see https://github.com/nhooyr/websocket/issues/218) that makes
-		// enabling it actively harmful.
-		CompressionMode: websocket.CompressionDisabled,
-	})
-	if err != nil {
-		return nil, fmt.Errorf("Could not accept WebSocket connection %v", err)
-	}
-	if c.Subprotocol() != upgradeHeaderValue {
-		c.Close(websocket.StatusPolicyViolation, "client must speak the control subprotocol")
-		return nil, fmt.Errorf("Unexpected subprotocol %q", c.Subprotocol())
-	}
-	if err := r.ParseForm(); err != nil {
-		c.Close(websocket.StatusPolicyViolation, "Could not parse parameters")
-		return nil, fmt.Errorf("parse query parameters: %v", err)
-	}
-	initB64 := r.Form.Get(handshakeHeaderName)
-	if initB64 == "" {
-		c.Close(websocket.StatusPolicyViolation, "missing Tailscale handshake parameter")
-		return nil, errors.New("no tailscale handshake parameter in HTTP request")
-	}
-	init, err := base64.StdEncoding.DecodeString(initB64)
-	if err != nil {
-		c.Close(websocket.StatusPolicyViolation, "invalid tailscale handshake parameter")
-		return nil, fmt.Errorf("decoding base64 handshake parameter: %v", err)
-	}
-
-	conn := wsconn.NetConn(ctx, c, websocket.MessageBinary, r.RemoteAddr)
-	nc, err := controlbase.Server(ctx, conn, private, init)
-	if err != nil {
-		conn.Close()
-		return nil, fmt.Errorf("noise handshake failed: %w", err)
-	}
-
-	return nc, nil
-}
-
-// corkConn is a net.Conn wrapper that initially buffers all writes until uncork
-// is called. If the conn is corked and a Read occurs, the Read will flush any
-// buffered (corked) write.
-//
-// Until uncorked, Read/Write/uncork may be not called concurrently.
-//
-// Deadlines still work, but a corked write ignores deadlines until a Read or
-// uncork goes to do that Write.
-//
-// Use newWriteCorkingConn to create one.
-type corkConn struct {
-	net.Conn
-	corked bool
-	buf    []byte // corked data
-}
-
-func newWriteCorkingConn(c net.Conn) *corkConn {
-	return &corkConn{Conn: c, corked: true}
-}
-
-func (c *corkConn) Write(b []byte) (int, error) {
-	if c.corked {
-		c.buf = append(c.buf, b...)
-		return len(b), nil
-	}
-	return c.Conn.Write(b)
-}
-
-func (c *corkConn) Read(b []byte) (int, error) {
-	if c.corked {
-		if err := c.flush(); err != nil {
-			return 0, err
-		}
-	}
-	return c.Conn.Read(b)
-}
-
-// uncork flushes any buffered data and uncorks the connection so future Writes
-// don't buffer. It may not be called concurrently with reads or writes and
-// may only be called once.
-func (c *corkConn) uncork() error {
-	if !c.corked {
-		panic("usage error; uncork called twice") // worth panicking to catch misuse
-	}
-	err := c.flush()
-	c.corked = false
-	return err
-}
-
-func (c *corkConn) flush() error {
-	if len(c.buf) == 0 {
-		return nil
-	}
-	_, err := c.Conn.Write(c.buf)
-	c.buf = nil
-	return err
-}