Update dependencies

2025-04-09 01:00:12 +01:00
parent f0641ffd6e
commit 5a9cfc022c
882 changed files with 68930 additions and 24201 deletions
--- a/vendor/tailscale.com/net/tlsdial/blockblame/blockblame.go
+++ b/vendor/tailscale.com/net/tlsdial/blockblame/blockblame.go
@@ -0,0 +1,104 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package blockblame blames specific firewall manufacturers for blocking Tailscale,
+// by analyzing the SSL certificate presented when attempting to connect to a remote
+// server.
+package blockblame
+
+import (
+	"crypto/x509"
+	"strings"
+)
+
+// VerifyCertificate checks if the given certificate c is issued by a firewall manufacturer
+// that is known to block Tailscale connections. It returns true and the Manufacturer of
+// the equipment if it is, or false and nil if it is not.
+func VerifyCertificate(c *x509.Certificate) (m *Manufacturer, ok bool) {
+	for _, m := range Manufacturers {
+		if m.match != nil && m.match(c) {
+			return m, true
+		}
+	}
+	return nil, false
+}
+
+// Manufacturer represents a firewall manufacturer that may be blocking Tailscale.
+type Manufacturer struct {
+	// Name is the name of the firewall manufacturer to be
+	// mentioned in health warning messages, e.g. "Fortinet".
+	Name string
+	// match is a function that returns true if the given certificate looks like it might
+	// be issued by this manufacturer.
+	match matchFunc
+}
+
+var Manufacturers = []*Manufacturer{
+	{
+		Name:  "Aruba Networks",
+		match: issuerContains("Aruba"),
+	},
+	{
+		Name:  "Cisco",
+		match: issuerContains("Cisco"),
+	},
+	{
+		Name: "Fortinet",
+		match: matchAny(
+			issuerContains("Fortinet"),
+			certEmail("support@fortinet.com"),
+		),
+	},
+	{
+		Name:  "Huawei",
+		match: certEmail("mobile@huawei.com"),
+	},
+	{
+		Name: "Palo Alto Networks",
+		match: matchAny(
+			issuerContains("Palo Alto Networks"),
+			issuerContains("PAN-FW"),
+		),
+	},
+	{
+		Name:  "Sophos",
+		match: issuerContains("Sophos"),
+	},
+	{
+		Name: "Ubiquiti",
+		match: matchAny(
+			issuerContains("UniFi"),
+			issuerContains("Ubiquiti"),
+		),
+	},
+}
+
+type matchFunc func(*x509.Certificate) bool
+
+func issuerContains(s string) matchFunc {
+	return func(c *x509.Certificate) bool {
+		return strings.Contains(strings.ToLower(c.Issuer.String()), strings.ToLower(s))
+	}
+}
+
+func certEmail(v string) matchFunc {
+	return func(c *x509.Certificate) bool {
+		for _, email := range c.EmailAddresses {
+			if strings.Contains(strings.ToLower(email), strings.ToLower(v)) {
+				return true
+			}
+		}
+		return false
+	}
+}
+
+func matchAny(fs ...matchFunc) matchFunc {
+	return func(c *x509.Certificate) bool {
+		for _, f := range fs {
+			if f(c) {
+				return true
+			}
+		}
+		return false
+	}
+}
--- a/vendor/tailscale.com/net/tlsdial/tlsdial.go
+++ b/vendor/tailscale.com/net/tlsdial/tlsdial.go
@@ -12,6 +12,7 @@ package tlsdial
 import (
 	"bytes"
 	"context"
+	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
 	"errors"
@@ -27,6 +28,8 @@ import (
 	"tailscale.com/envknob"
 	"tailscale.com/health"
 	"tailscale.com/hostinfo"
+	"tailscale.com/net/bakedroots"
+	"tailscale.com/net/tlsdial/blockblame"
 )

 var counterFallbackOK int32 // atomic
@@ -44,6 +47,16 @@ var debug = envknob.RegisterBool("TS_DEBUG_TLS_DIAL")
 // Headscale, etc.
 var tlsdialWarningPrinted sync.Map // map[string]bool

+var mitmBlockWarnable = health.Register(&health.Warnable{
+	Code:  "blockblame-mitm-detected",
+	Title: "Network may be blocking Tailscale",
+	Text: func(args health.Args) string {
+		return fmt.Sprintf("Network equipment from %q may be blocking Tailscale traffic on this network. Connect to another network, or contact your network administrator for assistance.", args["manufacturer"])
+	},
+	Severity:            health.SeverityMedium,
+	ImpactsConnectivity: true,
+})
+
 // Config returns a tls.Config for connecting to a server.
 // If base is non-nil, it's cloned as the base config before
 // being configured and returned.
@@ -78,20 +91,37 @@ func Config(host string, ht *health.Tracker, base *tls.Config) *tls.Config {
 	// (with the baked-in fallback root) in the VerifyConnection hook.
 	conf.InsecureSkipVerify = true
 	conf.VerifyConnection = func(cs tls.ConnectionState) (retErr error) {
-		if host == "log.tailscale.io" && hostinfo.IsNATLabGuestVM() {
-			// Allow log.tailscale.io TLS MITM for integration tests when
+		if host == "log.tailscale.com" && hostinfo.IsNATLabGuestVM() {
+			// Allow log.tailscale.com TLS MITM for integration tests when
 			// the client's running within a NATLab VM.
 			return nil
 		}

 		// Perform some health checks on this certificate before we do
 		// any verification.
+		var cert *x509.Certificate
 		var selfSignedIssuer string
-		if certs := cs.PeerCertificates; len(certs) > 0 && certIsSelfSigned(certs[0]) {
-			selfSignedIssuer = certs[0].Issuer.String()
+		if certs := cs.PeerCertificates; len(certs) > 0 {
+			cert = certs[0]
+			if certIsSelfSigned(cert) {
+				selfSignedIssuer = cert.Issuer.String()
+			}
 		}
 		if ht != nil {
 			defer func() {
+				if retErr != nil && cert != nil {
+					// Is it a MITM SSL certificate from a well-known network appliance manufacturer?
+					// Show a dedicated warning.
+					m, ok := blockblame.VerifyCertificate(cert)
+					if ok {
+						log.Printf("tlsdial: server cert for %q looks like %q equipment (could be blocking Tailscale)", host, m.Name)
+						ht.SetUnhealthy(mitmBlockWarnable, health.Args{"manufacturer": m.Name})
+					} else {
+						ht.SetHealthy(mitmBlockWarnable)
+					}
+				} else {
+					ht.SetHealthy(mitmBlockWarnable)
+				}
 				if retErr != nil && selfSignedIssuer != "" {
 					// Self-signed certs are never valid.
 					//
@@ -126,7 +156,7 @@ func Config(host string, ht *health.Tracker, base *tls.Config) *tls.Config {
 		// Always verify with our baked-in Let's Encrypt certificate,
 		// so we can log an informational message. This is useful for
 		// detecting SSL MiTM.
-		opts.Roots = bakedInRoots()
+		opts.Roots = bakedroots.Get()
 		_, bakedErr := cs.PeerCertificates[0].Verify(opts)
 		if debug() {
 			log.Printf("tlsdial(bake %q): %v", host, bakedErr)
@@ -205,7 +235,7 @@ func SetConfigExpectedCert(c *tls.Config, certDNSName string) {
 		if errSys == nil {
 			return nil
 		}
-		opts.Roots = bakedInRoots()
+		opts.Roots = bakedroots.Get()
 		_, err := certs[0].Verify(opts)
 		if debug() {
 			log.Printf("tlsdial(bake %q/%q): %v", c.ServerName, certDNSName, err)
@@ -217,6 +247,46 @@ func SetConfigExpectedCert(c *tls.Config, certDNSName string) {
 	}
 }

+// SetConfigExpectedCertHash configures c's VerifyPeerCertificate function
+// to require that exactly 1 cert is presented, and that the hex of its SHA256 hash
+// is equal to wantFullCertSHA256Hex and that it's a valid cert for c.ServerName.
+func SetConfigExpectedCertHash(c *tls.Config, wantFullCertSHA256Hex string) {
+	if c.VerifyPeerCertificate != nil {
+		panic("refusing to override tls.Config.VerifyPeerCertificate")
+	}
+	// Set InsecureSkipVerify to prevent crypto/tls from doing its
+	// own cert verification, but do the same work that it'd do
+	// (but using certDNSName) in the VerifyPeerCertificate hook.
+	c.InsecureSkipVerify = true
+	c.VerifyConnection = nil
+	c.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
+		if len(rawCerts) == 0 {
+			return errors.New("no certs presented")
+		}
+		if len(rawCerts) > 1 {
+			return errors.New("unexpected multiple certs presented")
+		}
+		if fmt.Sprintf("%02x", sha256.Sum256(rawCerts[0])) != wantFullCertSHA256Hex {
+			return fmt.Errorf("cert hash does not match expected cert hash")
+		}
+		cert, err := x509.ParseCertificate(rawCerts[0])
+		if err != nil {
+			return fmt.Errorf("ParseCertificate: %w", err)
+		}
+		if err := cert.VerifyHostname(c.ServerName); err != nil {
+			return fmt.Errorf("cert does not match server name %q: %w", c.ServerName, err)
+		}
+		now := time.Now()
+		if now.After(cert.NotAfter) {
+			return fmt.Errorf("cert expired %v", cert.NotAfter)
+		}
+		if now.Before(cert.NotBefore) {
+			return fmt.Errorf("cert not yet valid until %v; is your clock correct?", cert.NotBefore)
+		}
+		return nil
+	}
+}
+
 // NewTransport returns a new HTTP transport that verifies TLS certs using this
 // package, including its baked-in LetsEncrypt fallback roots.
 func NewTransport() *http.Transport {
@@ -232,84 +302,3 @@ func NewTransport() *http.Transport {
 		},
 	}
 }
-
-/*
-letsEncryptX1 is the LetsEncrypt X1 root:
-
-Certificate:
-
-	Data:
-	    Version: 3 (0x2)
-	    Serial Number:
-	        82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
-	    Signature Algorithm: sha256WithRSAEncryption
-	    Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
-	    Validity
-	        Not Before: Jun  4 11:04:38 2015 GMT
-	        Not After : Jun  4 11:04:38 2035 GMT
-	    Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
-	    Subject Public Key Info:
-	        Public Key Algorithm: rsaEncryption
-	            RSA Public-Key: (4096 bit)
-
-We bake it into the binary as a fallback verification root,
-in case the system we're running on doesn't have it.
-(Tailscale runs on some ancient devices.)
-
-To test that this code is working on Debian/Ubuntu:
-
-$ sudo mv /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt{,.old}
-$ sudo update-ca-certificates
-
-Then restart tailscaled. To also test dnsfallback's use of it, nuke
-your /etc/resolv.conf and it should still start & run fine.
-*/
-const letsEncryptX1 = `
-----BEGIN CERTIFICATE-----
-MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
-TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
-WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
-ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
-MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
-h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
-0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
-A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
-T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
-B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
-B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
-KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
-OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
-jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
-qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
-rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
-HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
-hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
-ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
-3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
-NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
-ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
-TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
-jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
-oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
-4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
-mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
-emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
-`
-
-var bakedInRootsOnce struct {
-	sync.Once
-	p *x509.CertPool
-}
-
-func bakedInRoots() *x509.CertPool {
-	bakedInRootsOnce.Do(func() {
-		p := x509.NewCertPool()
-		if !p.AppendCertsFromPEM([]byte(letsEncryptX1)) {
-			panic("bogus PEM")
-		}
-		bakedInRootsOnce.p = p
-	})
-	return bakedInRootsOnce.p
-}