Update dependencies

vendor/tailscale.com/ipn/localapi/cert.go

@@ -0,0 +1,62 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !ios && !android && !js
+
+package localapi
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"tailscale.com/ipn/ipnlocal"
+)
+
+func (h *Handler) serveCert(w http.ResponseWriter, r *http.Request) {
+	if !h.PermitWrite && !h.PermitCert {
+		http.Error(w, "cert access denied", http.StatusForbidden)
+		return
+	}
+	domain, ok := strings.CutPrefix(r.URL.Path, "/localapi/v0/cert/")
+	if !ok {
+		http.Error(w, "internal handler config wired wrong", 500)
+		return
+	}
+	var minValidity time.Duration
+	if minValidityStr := r.URL.Query().Get("min_validity"); minValidityStr != "" {
+		var err error
+		minValidity, err = time.ParseDuration(minValidityStr)
+		if err != nil {
+			http.Error(w, fmt.Sprintf("invalid validity parameter: %v", err), http.StatusBadRequest)
+			return
+		}
+	}
+	pair, err := h.b.GetCertPEMWithValidity(r.Context(), domain, minValidity)
+	if err != nil {
+		// TODO(bradfitz): 500 is a little lazy here. The errors returned from
+		// GetCertPEM (and everywhere) should carry info info to get whether
+		// they're 400 vs 403 vs 500 at minimum. And then we should have helpers
+		// (in tsweb probably) to return an error that looks at the error value
+		// to determine the HTTP status code.
+		http.Error(w, fmt.Sprint(err), 500)
+		return
+	}
+	serveKeyPair(w, r, pair)
+}
+
+func serveKeyPair(w http.ResponseWriter, r *http.Request, p *ipnlocal.TLSCertKeyPair) {
+	w.Header().Set("Content-Type", "text/plain")
+	switch r.URL.Query().Get("type") {
+	case "", "crt", "cert":
+		w.Write(p.CertPEM)
+	case "key":
+		w.Write(p.KeyPEM)
+	case "pair":
+		w.Write(p.KeyPEM)
+		w.Write(p.CertPEM)
+	default:
+		http.Error(w, `invalid type; want "cert" (default), "key", or "pair"`, 400)
+	}
+}

vendor/tailscale.com/ipn/localapi/debugderp.go

@@ -0,0 +1,304 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package localapi
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/http"
+	"net/netip"
+	"strconv"
+	"time"
+
+	"tailscale.com/derp/derphttp"
+	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/net/netaddr"
+	"tailscale.com/net/netns"
+	"tailscale.com/net/stun"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
+	"tailscale.com/types/nettype"
+)
+
+func (h *Handler) serveDebugDERPRegion(w http.ResponseWriter, r *http.Request) {
+	if !h.PermitWrite {
+		http.Error(w, "debug access denied", http.StatusForbidden)
+		return
+	}
+	if r.Method != "POST" {
+		http.Error(w, "POST required", http.StatusMethodNotAllowed)
+		return
+	}
+	var st ipnstate.DebugDERPRegionReport
+	defer func() {
+		j, _ := json.Marshal(st)
+		w.Header().Set("Content-Type", "application/json")
+		w.Write(j)
+	}()
+
+	dm := h.b.DERPMap()
+	if dm == nil {
+		st.Errors = append(st.Errors, "no DERP map (not connected?)")
+		return
+	}
+	regStr := r.FormValue("region")
+	var reg *tailcfg.DERPRegion
+	if id, err := strconv.Atoi(regStr); err == nil {
+		reg = dm.Regions[id]
+	} else {
+		for _, r := range dm.Regions {
+			if r.RegionCode == regStr {
+				reg = r
+				break
+			}
+		}
+	}
+	if reg == nil {
+		st.Errors = append(st.Errors, fmt.Sprintf("no such region %q in DERP map", regStr))
+		return
+	}
+	st.Info = append(st.Info, fmt.Sprintf("Region %v == %q", reg.RegionID, reg.RegionCode))
+	if len(dm.Regions) == 1 {
+		st.Warnings = append(st.Warnings, "Having only a single DERP region (i.e. removing the default Tailscale-provided regions) is a single point of failure and could hamper connectivity")
+	}
+
+	if reg.Avoid {
+		st.Warnings = append(st.Warnings, "Region is marked with Avoid bit")
+	}
+	if len(reg.Nodes) == 0 {
+		st.Errors = append(st.Errors, "Region has no nodes defined")
+		return
+	}
+
+	ctx := r.Context()
+
+	var (
+		dialer net.Dialer
+		client *http.Client = http.DefaultClient
+	)
+	checkConn := func(derpNode *tailcfg.DERPNode) bool {
+		port := firstNonzero(derpNode.DERPPort, 443)
+
+		var (
+			hasIPv4 bool
+			hasIPv6 bool
+		)
+
+		// Check IPv4 first
+		addr := net.JoinHostPort(firstNonzero(derpNode.IPv4, derpNode.HostName), strconv.Itoa(port))
+		conn, err := dialer.DialContext(ctx, "tcp4", addr)
+		if err != nil {
+			st.Errors = append(st.Errors, fmt.Sprintf("Error connecting to node %q @ %q over IPv4: %v", derpNode.HostName, addr, err))
+		} else {
+			defer conn.Close()
+
+			// Upgrade to TLS and verify that works properly.
+			tlsConn := tls.Client(conn, &tls.Config{
+				ServerName: firstNonzero(derpNode.CertName, derpNode.HostName),
+			})
+			if err := tlsConn.HandshakeContext(ctx); err != nil {
+				st.Errors = append(st.Errors, fmt.Sprintf("Error upgrading connection to node %q @ %q to TLS over IPv4: %v", derpNode.HostName, addr, err))
+			} else {
+				hasIPv4 = true
+			}
+		}
+
+		// Check IPv6
+		addr = net.JoinHostPort(firstNonzero(derpNode.IPv6, derpNode.HostName), strconv.Itoa(port))
+		conn, err = dialer.DialContext(ctx, "tcp6", addr)
+		if err != nil {
+			st.Errors = append(st.Errors, fmt.Sprintf("Error connecting to node %q @ %q over IPv6: %v", derpNode.HostName, addr, err))
+		} else {
+			defer conn.Close()
+
+			// Upgrade to TLS and verify that works properly.
+			tlsConn := tls.Client(conn, &tls.Config{
+				ServerName: firstNonzero(derpNode.CertName, derpNode.HostName),
+				// TODO(andrew-d): we should print more
+				// detailed failure information on if/why TLS
+				// verification fails
+			})
+			if err := tlsConn.HandshakeContext(ctx); err != nil {
+				st.Errors = append(st.Errors, fmt.Sprintf("Error upgrading connection to node %q @ %q to TLS over IPv6: %v", derpNode.HostName, addr, err))
+			} else {
+				hasIPv6 = true
+			}
+		}
+
+		// If we only have an IPv6 conn, then warn; we want both.
+		if hasIPv6 && !hasIPv4 {
+			st.Warnings = append(st.Warnings, fmt.Sprintf("Node %q only has IPv6 connectivity, not IPv4", derpNode.HostName))
+		} else if hasIPv6 && hasIPv4 {
+			st.Info = append(st.Info, fmt.Sprintf("Node %q has working IPv4 and IPv6 connectivity", derpNode.HostName))
+		}
+
+		return hasIPv4 || hasIPv6
+	}
+
+	checkSTUN4 := func(derpNode *tailcfg.DERPNode) {
+		u4, err := nettype.MakePacketListenerWithNetIP(netns.Listener(h.logf, h.b.NetMon())).ListenPacket(ctx, "udp4", ":0")
+		if err != nil {
+			st.Errors = append(st.Errors, fmt.Sprintf("Error creating IPv4 STUN listener: %v", err))
+			return
+		}
+		defer u4.Close()
+
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+
+		var addr netip.Addr
+		if derpNode.IPv4 != "" {
+			addr, err = netip.ParseAddr(derpNode.IPv4)
+			if err != nil {
+				// Error printed elsewhere
+				return
+			}
+		} else {
+			addrs, err := net.DefaultResolver.LookupNetIP(ctx, "ip4", derpNode.HostName)
+			if err != nil {
+				st.Errors = append(st.Errors, fmt.Sprintf("Error resolving node %q IPv4 addresses: %v", derpNode.HostName, err))
+				return
+			}
+			addr = addrs[0]
+		}
+
+		addrPort := netip.AddrPortFrom(addr, uint16(firstNonzero(derpNode.STUNPort, 3478)))
+
+		txID := stun.NewTxID()
+		req := stun.Request(txID)
+
+		done := make(chan struct{})
+		defer close(done)
+
+		go func() {
+			select {
+			case <-ctx.Done():
+			case <-done:
+			}
+			u4.Close()
+		}()
+
+		gotResponse := make(chan netip.AddrPort, 1)
+		go func() {
+			defer u4.Close()
+
+			var buf [64 << 10]byte
+			for {
+				n, addr, err := u4.ReadFromUDPAddrPort(buf[:])
+				if err != nil {
+					return
+				}
+				pkt := buf[:n]
+				if !stun.Is(pkt) {
+					continue
+				}
+				ap := netaddr.Unmap(addr)
+				if !ap.IsValid() {
+					continue
+				}
+				tx, addrPort, err := stun.ParseResponse(pkt)
+				if err != nil {
+					continue
+				}
+				if tx == txID {
+					gotResponse <- addrPort
+					return
+				}
+			}
+		}()
+
+		_, err = u4.WriteToUDPAddrPort(req, addrPort)
+		if err != nil {
+			st.Errors = append(st.Errors, fmt.Sprintf("Error sending IPv4 STUN packet to %v (%q): %v", addrPort, derpNode.HostName, err))
+			return
+		}
+
+		select {
+		case resp := <-gotResponse:
+			st.Info = append(st.Info, fmt.Sprintf("Node %q returned IPv4 STUN response: %v", derpNode.HostName, resp))
+		case <-ctx.Done():
+			st.Warnings = append(st.Warnings, fmt.Sprintf("Node %q did not return a IPv4 STUN response", derpNode.HostName))
+		}
+	}
+
+	// Start by checking whether we can establish a HTTP connection
+	for _, derpNode := range reg.Nodes {
+		connSuccess := checkConn(derpNode)
+
+		// Verify that the /generate_204 endpoint works
+		captivePortalURL := "http://" + derpNode.HostName + "/generate_204"
+		resp, err := client.Get(captivePortalURL)
+		if err != nil {
+			st.Warnings = append(st.Warnings, fmt.Sprintf("Error making request to the captive portal check %q; is port 80 blocked?", captivePortalURL))
+		} else {
+			resp.Body.Close()
+		}
+
+		if !connSuccess {
+			continue
+		}
+
+		fakePrivKey := key.NewNode()
+
+		// Next, repeatedly get the server key to see if the node is
+		// behind a load balancer (incorrectly).
+		serverPubKeys := make(map[key.NodePublic]bool)
+		for i := range 5 {
+			func() {
+				rc := derphttp.NewRegionClient(fakePrivKey, h.logf, h.b.NetMon(), func() *tailcfg.DERPRegion {
+					return &tailcfg.DERPRegion{
+						RegionID:   reg.RegionID,
+						RegionCode: reg.RegionCode,
+						RegionName: reg.RegionName,
+						Nodes:      []*tailcfg.DERPNode{derpNode},
+					}
+				})
+				if err := rc.Connect(ctx); err != nil {
+					st.Errors = append(st.Errors, fmt.Sprintf("Error connecting to node %q @ try %d: %v", derpNode.HostName, i, err))
+					return
+				}
+
+				if len(serverPubKeys) == 0 {
+					st.Info = append(st.Info, fmt.Sprintf("Successfully established a DERP connection with node %q", derpNode.HostName))
+				}
+				serverPubKeys[rc.ServerPublicKey()] = true
+			}()
+		}
+		if len(serverPubKeys) > 1 {
+			st.Errors = append(st.Errors, fmt.Sprintf("Received multiple server public keys (%d); is the DERP server behind a load balancer?", len(serverPubKeys)))
+		}
+
+		// Send a STUN query to this node to verify whether or not it
+		// correctly returns an IP address.
+		checkSTUN4(derpNode)
+	}
+
+	// TODO(bradfitz): finish:
+	// * try to DERP auth with new public key.
+	// * if rejected, add Info that it's likely the DERP server authz is on,
+	//   try with LocalBackend's node key instead.
+	// * if they have more then one node, try to relay a packet between them
+	//   and see if it works (like cmd/derpprobe). But if server authz is on,
+	//   we won't be able to, so just warn. Say to turn that off, try again,
+	//   then turn it back on. TODO(bradfitz): maybe add a debug frame to DERP
+	//   protocol to say how many peers it's meshed with. Should match count
+	//   in DERPRegion. Or maybe even list all their server pub keys that it's peered
+	//   with.
+	// * If their certificate is bad, either expired or just wrongly
+	//   issued in the first place, tell them specifically that the
+	// 	 cert is bad not just that the connection failed.
+}
+
+func firstNonzero[T comparable](items ...T) T {
+	var zero T
+	for _, item := range items {
+		if item != zero {
+			return item
+		}
+	}
+	return zero
+}

vendor/tailscale.com/ipn/localapi/disabled_stubs.go

@@ -0,0 +1,15 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build ios || android || js
+
+package localapi
+
+import (
+	"net/http"
+	"runtime"
+)
+
+func (h *Handler) serveCert(w http.ResponseWriter, r *http.Request) {
+	http.Error(w, "disabled on "+runtime.GOOS, http.StatusNotFound)
+}

vendor/tailscale.com/ipn/localapi/pprof.go

@@ -0,0 +1,28 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !ios && !android && !js
+
+// We don't include it on mobile where we're more memory constrained and
+// there's no CLI to get at the results anyway.
+
+package localapi
+
+import (
+	"net/http"
+	"net/http/pprof"
+)
+
+func init() {
+	servePprofFunc = servePprof
+}
+
+func servePprof(w http.ResponseWriter, r *http.Request) {
+	name := r.FormValue("name")
+	switch name {
+	case "profile":
+		pprof.Profile(w, r)
+	default:
+		pprof.Handler(name).ServeHTTP(w, r)
+	}
+}