Update dependencies

vendor/tailscale.com/safesocket/pipe_windows.go

@@ -0,0 +1,157 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package safesocket
+
+//go:generate go run golang.org/x/sys/windows/mkwinsyscall -output zsyscall_windows.go pipe_windows.go
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"runtime"
+	"time"
+
+	"github.com/tailscale/go-winio"
+	"golang.org/x/sys/windows"
+)
+
+func connect(ctx context.Context, path string) (net.Conn, error) {
+	ctx, cancel := context.WithTimeout(ctx, 20*time.Second)
+	defer cancel()
+	// We use the identification impersonation level so that tailscaled may
+	// obtain information about our token for access control purposes.
+	return winio.DialPipeAccessImpLevel(ctx, path, windows.GENERIC_READ|windows.GENERIC_WRITE, winio.PipeImpLevelIdentification)
+}
+
+// windowsSDDL is the Security Descriptor set on the namedpipe.
+// It provides read/write access to all users and the local system.
+// It is a var for testing, do not change this value.
+var windowsSDDL = "O:BAG:BAD:PAI(A;OICI;GWGR;;;BU)(A;OICI;GWGR;;;SY)"
+
+func listen(path string) (net.Listener, error) {
+	lc, err := winio.ListenPipe(
+		path,
+		&winio.PipeConfig{
+			SecurityDescriptor: windowsSDDL,
+			InputBufferSize:    256 * 1024,
+			OutputBufferSize:   256 * 1024,
+		},
+	)
+	if err != nil {
+		return nil, fmt.Errorf("namedpipe.Listen: %w", err)
+	}
+	return &winIOPipeListener{Listener: lc}, nil
+}
+
+// WindowsClientConn is an implementation of net.Conn that permits retrieval of
+// the Windows access token associated with the connection's client. The
+// embedded net.Conn must be a go-winio PipeConn.
+type WindowsClientConn struct {
+	winioPipeConn
+	token windows.Token
+}
+
+// winioPipeConn is a subset of the interface implemented by the go-winio's
+// unexported *win32pipe type, as returned by go-winio's ListenPipe
+// net.Listener's Accept method. This type is used in places where we really are
+// assuming that specific unexported type and its Fd method.
+type winioPipeConn interface {
+	net.Conn
+	// Fd returns the Windows handle associated with the connection.
+	Fd() uintptr
+}
+
+func resolvePipeHandle(pc winioPipeConn) windows.Handle {
+	return windows.Handle(pc.Fd())
+}
+
+func (conn *WindowsClientConn) handle() windows.Handle {
+	return resolvePipeHandle(conn.winioPipeConn)
+}
+
+// ClientPID returns the pid of conn's client, or else an error.
+func (conn *WindowsClientConn) ClientPID() (int, error) {
+	var pid uint32
+	if err := getNamedPipeClientProcessId(conn.handle(), &pid); err != nil {
+		return -1, fmt.Errorf("GetNamedPipeClientProcessId: %w", err)
+	}
+	return int(pid), nil
+}
+
+// Token returns the Windows access token of the client user.
+func (conn *WindowsClientConn) Token() windows.Token {
+	return conn.token
+}
+
+func (conn *WindowsClientConn) Close() error {
+	if conn.token != 0 {
+		conn.token.Close()
+		conn.token = 0
+	}
+	return conn.winioPipeConn.Close()
+}
+
+// winIOPipeListener is a net.Listener that wraps a go-winio PipeListener and
+// returns net.Conn values of type *WindowsClientConn with the associated
+// windows.Token.
+type winIOPipeListener struct {
+	net.Listener // must be from winio.ListenPipe
+}
+
+func (lw *winIOPipeListener) Accept() (net.Conn, error) {
+	conn, err := lw.Listener.Accept()
+	if err != nil {
+		return nil, err
+	}
+
+	pipeConn, ok := conn.(winioPipeConn)
+	if !ok {
+		conn.Close()
+		return nil, fmt.Errorf("unexpected type %T from winio.ListenPipe listener (itself a %T)", conn, lw.Listener)
+	}
+
+	token, err := clientUserAccessToken(pipeConn)
+	if err != nil {
+		conn.Close()
+		return nil, err
+	}
+
+	return &WindowsClientConn{
+		winioPipeConn: pipeConn,
+		token:         token,
+	}, nil
+}
+
+func clientUserAccessToken(pc winioPipeConn) (windows.Token, error) {
+	h := resolvePipeHandle(pc)
+	if h == 0 {
+		return 0, fmt.Errorf("clientUserAccessToken failed to get handle from pipeConn %T", pc)
+	}
+
+	// Impersonation touches thread-local state, so we need to lock until the
+	// client access token has been extracted.
+	runtime.LockOSThread()
+	defer runtime.UnlockOSThread()
+
+	if err := impersonateNamedPipeClient(h); err != nil {
+		return 0, err
+	}
+	defer func() {
+		// Revert the current thread's impersonation.
+		if err := windows.RevertToSelf(); err != nil {
+			panic(fmt.Errorf("could not revert impersonation: %w", err))
+		}
+	}()
+
+	// Extract the client's access token from the thread-local state.
+	var token windows.Token
+	if err := windows.OpenThreadToken(windows.CurrentThread(), windows.TOKEN_DUPLICATE|windows.TOKEN_QUERY, true, &token); err != nil {
+		return 0, err
+	}
+
+	return token, nil
+}
+
+//sys getNamedPipeClientProcessId(h windows.Handle, clientPid *uint32) (err error) [int32(failretval)==0] = kernel32.GetNamedPipeClientProcessId
+//sys impersonateNamedPipeClient(h windows.Handle) (err error) [int32(failretval)==0] = advapi32.ImpersonateNamedPipeClient

vendor/tailscale.com/safesocket/safesocket.go

@@ -0,0 +1,113 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package safesocket creates either a Unix socket, if possible, or
+// otherwise a localhost TCP connection.
+package safesocket
+
+import (
+	"context"
+	"errors"
+	"net"
+	"runtime"
+	"time"
+)
+
+type closeable interface {
+	CloseRead() error
+	CloseWrite() error
+}
+
+// ConnCloseRead calls c's CloseRead method. c is expected to be
+// either a UnixConn or TCPConn as returned from this package.
+func ConnCloseRead(c net.Conn) error {
+	return c.(closeable).CloseRead()
+}
+
+// ConnCloseWrite calls c's CloseWrite method. c is expected to be
+// either a UnixConn or TCPConn as returned from this package.
+func ConnCloseWrite(c net.Conn) error {
+	return c.(closeable).CloseWrite()
+}
+
+var processStartTime = time.Now()
+var tailscaledProcExists = func() bool { return false } // set by safesocket_ps.go
+
+// tailscaledStillStarting reports whether tailscaled is probably
+// still starting up. That is, it reports whether the caller should
+// keep retrying to connect.
+func tailscaledStillStarting() bool {
+	d := time.Since(processStartTime)
+	if d < 2*time.Second {
+		// Without even checking the process table, assume
+		// that for the first two seconds that tailscaled is
+		// probably still starting.  That is, assume they're
+		// running "tailscaled & tailscale up ...." and make
+		// the tailscale client block for a bit for tailscaled
+		// to start accepting on the socket.
+		return true
+	}
+	if d > 5*time.Second {
+		return false
+	}
+	return tailscaledProcExists()
+}
+
+// ConnectContext connects to tailscaled using a unix socket or named pipe.
+func ConnectContext(ctx context.Context, path string) (net.Conn, error) {
+	for {
+		c, err := connect(ctx, path)
+		if err != nil && tailscaledStillStarting() {
+			if ctx.Err() != nil {
+				return nil, ctx.Err()
+			}
+			time.Sleep(250 * time.Millisecond)
+			continue
+		}
+		return c, err
+	}
+}
+
+// Connect connects to tailscaled using a unix socket or named pipe.
+// Deprecated: use ConnectContext instead.
+func Connect(path string) (net.Conn, error) {
+	return ConnectContext(context.Background(), path)
+}
+
+// Listen returns a listener either on Unix socket path (on Unix), or
+// the NamedPipe path (on Windows).
+func Listen(path string) (net.Listener, error) {
+	return listen(path)
+}
+
+var (
+	ErrTokenNotFound = errors.New("no token found")
+	ErrNoTokenOnOS   = errors.New("no token on " + runtime.GOOS)
+)
+
+var localTCPPortAndToken func() (port int, token string, err error)
+
+// LocalTCPPortAndToken returns the port number and auth token to connect to
+// the local Tailscale daemon. It's currently only applicable on macOS
+// when tailscaled is being run in the Mac Sandbox from the App Store version
+// of Tailscale.
+func LocalTCPPortAndToken() (port int, token string, err error) {
+	if localTCPPortAndToken == nil {
+		return 0, "", ErrNoTokenOnOS
+	}
+	return localTCPPortAndToken()
+}
+
+// PlatformUsesPeerCreds reports whether the current platform uses peer credentials
+// to authenticate connections.
+func PlatformUsesPeerCreds() bool { return GOOSUsesPeerCreds(runtime.GOOS) }
+
+// GOOSUsesPeerCreds is like PlatformUsesPeerCreds but takes a
+// runtime.GOOS value instead of using the current one.
+func GOOSUsesPeerCreds(goos string) bool {
+	switch goos {
+	case "linux", "darwin", "freebsd":
+		return true
+	}
+	return false
+}

vendor/tailscale.com/safesocket/safesocket_darwin.go

@@ -0,0 +1,160 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package safesocket
+
+import (
+	"bufio"
+	"bytes"
+	"errors"
+	"fmt"
+	"net"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"tailscale.com/version"
+)
+
+func init() {
+	localTCPPortAndToken = localTCPPortAndTokenDarwin
+}
+
+// localTCPPortAndTokenMacsys returns the localhost TCP port number and auth token
+// from /Library/Tailscale.
+//
+// In that case the files are:
+//
+//	/Library/Tailscale/ipnport => $port (symlink with localhost port number target)
+//	/Library/Tailscale/sameuserproof-$port is a file with auth
+func localTCPPortAndTokenMacsys() (port int, token string, err error) {
+
+	const dir = "/Library/Tailscale"
+	portStr, err := os.Readlink(filepath.Join(dir, "ipnport"))
+	if err != nil {
+		return 0, "", err
+	}
+	port, err = strconv.Atoi(portStr)
+	if err != nil {
+		return 0, "", err
+	}
+	authb, err := os.ReadFile(filepath.Join(dir, "sameuserproof-"+portStr))
+	if err != nil {
+		return 0, "", err
+	}
+	auth := strings.TrimSpace(string(authb))
+	if auth == "" {
+		return 0, "", errors.New("empty auth token in sameuserproof file")
+	}
+
+	// The above files exist forever after the first run of
+	// /Applications/Tailscale.app, so check we can connect to avoid returning a
+	// port nothing is listening on. Connect to "127.0.0.1" rather than
+	// "localhost" due to #7851.
+	conn, err := net.DialTimeout("tcp", "127.0.0.1:"+portStr, time.Second)
+	if err != nil {
+		return 0, "", err
+	}
+	conn.Close()
+
+	return port, auth, nil
+}
+
+var warnAboutRootOnce sync.Once
+
+func localTCPPortAndTokenDarwin() (port int, token string, err error) {
+	// There are two ways this binary can be run: as the Mac App Store sandboxed binary,
+	// or a normal binary that somebody built or download and are being run from outside
+	// the sandbox. Detect which way we're running and then figure out how to connect
+	// to the local daemon.
+
+	if dir := os.Getenv("TS_MACOS_CLI_SHARED_DIR"); dir != "" {
+		// First see if we're running as the non-AppStore "macsys" variant.
+		if version.IsMacSys() {
+			if port, token, err := localTCPPortAndTokenMacsys(); err == nil {
+				return port, token, nil
+			}
+		}
+
+		// The current binary (this process) is sandboxed. The user is
+		// running the CLI via /Applications/Tailscale.app/Contents/MacOS/Tailscale
+		// which sets the TS_MACOS_CLI_SHARED_DIR environment variable.
+		fis, err := os.ReadDir(dir)
+		if err != nil {
+			return 0, "", err
+		}
+		for _, fi := range fis {
+			name := filepath.Base(fi.Name())
+			// Look for name like "sameuserproof-61577-2ae2ec9e0aa2005784f1"
+			// to extract out the port number and token.
+			if strings.HasPrefix(name, "sameuserproof-") {
+				f := strings.SplitN(name, "-", 3)
+				if len(f) == 3 {
+					if port, err := strconv.Atoi(f[1]); err == nil {
+						return port, f[2], nil
+					}
+				}
+			}
+		}
+		if os.Geteuid() == 0 {
+			// Log a warning as the clue to the user, in case the error
+			// message is swallowed. Only do this once since we may retry
+			// multiple times to connect, and don't want to spam.
+			warnAboutRootOnce.Do(func() {
+				fmt.Fprintf(os.Stderr, "Warning: The CLI is running as root from within a sandboxed binary. It cannot reach the local tailscaled, please try again as a regular user.\n")
+			})
+		}
+		return 0, "", fmt.Errorf("failed to find sandboxed sameuserproof-* file in TS_MACOS_CLI_SHARED_DIR %q", dir)
+	}
+
+	// The current process is running outside the sandbox, so use
+	// lsof to find the IPNExtension (the Mac App Store variant).
+
+	cmd := exec.Command("lsof",
+		"-n",                             // numeric sockets; don't do DNS lookups, etc
+		"-a",                             // logical AND remaining options
+		fmt.Sprintf("-u%d", os.Getuid()), // process of same user only
+		"-c", "IPNExtension",             // starting with IPNExtension
+		"-F", // machine-readable output
+	)
+	out, err := cmd.Output()
+	if err != nil {
+		// Before returning an error, see if we're running the
+		// macsys variant at the normal location.
+		if port, token, err := localTCPPortAndTokenMacsys(); err == nil {
+			return port, token, nil
+		}
+
+		return 0, "", fmt.Errorf("failed to run '%s' looking for IPNExtension: %w", cmd, err)
+	}
+	bs := bufio.NewScanner(bytes.NewReader(out))
+	subStr := []byte(".tailscale.ipn.macos/sameuserproof-")
+	for bs.Scan() {
+		line := bs.Bytes()
+		i := bytes.Index(line, subStr)
+		if i == -1 {
+			continue
+		}
+		f := strings.SplitN(string(line[i+len(subStr):]), "-", 2)
+		if len(f) != 2 {
+			continue
+		}
+		portStr, token := f[0], f[1]
+		port, err := strconv.Atoi(portStr)
+		if err != nil {
+			return 0, "", fmt.Errorf("invalid port %q found in lsof", portStr)
+		}
+		return port, token, nil
+	}
+
+	// Before returning an error, see if we're running the
+	// macsys variant at the normal location.
+	if port, token, err := localTCPPortAndTokenMacsys(); err == nil {
+		return port, token, nil
+	}
+	return 0, "", ErrTokenNotFound
+}

vendor/tailscale.com/safesocket/safesocket_js.go

@@ -0,0 +1,21 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package safesocket
+
+import (
+	"context"
+	"net"
+
+	"github.com/akutz/memconn"
+)
+
+const memName = "Tailscale-IPN"
+
+func listen(path string) (net.Listener, error) {
+	return memconn.Listen("memu", memName)
+}
+
+func connect(ctx context.Context, _ string) (net.Conn, error) {
+	return memconn.DialContext(ctx, "memu", memName)
+}

vendor/tailscale.com/safesocket/safesocket_plan9.go

@@ -0,0 +1,125 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build plan9
+
+package safesocket
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"os"
+	"syscall"
+	"time"
+
+	"golang.org/x/sys/plan9"
+)
+
+// Plan 9's devsrv srv(3) is a server registry  and
+// it is conventionally bound to "/srv" in the default
+// namespace. It is "a one level directory for holding
+// already open channels to services". Post one end of
+// a pipe to "/srv/tailscale.sock" and use the other
+// end for communication with a requestor. Plan 9 pipes
+// are bidirectional.
+
+type plan9SrvAddr string
+
+func (sl plan9SrvAddr) Network() string {
+	return "/srv"
+}
+
+func (sl plan9SrvAddr) String() string {
+	return string(sl)
+}
+
+// There is no net.FileListener for Plan 9 at this time
+type plan9SrvListener struct {
+	name string
+	srvf *os.File
+	file *os.File
+}
+
+func (sl *plan9SrvListener) Accept() (net.Conn, error) {
+	// sl.file is the server end of the pipe that's
+	// connected to /srv/tailscale.sock
+	return plan9FileConn{name: sl.name, file: sl.file}, nil
+}
+
+func (sl *plan9SrvListener) Close() error {
+	sl.file.Close()
+	return sl.srvf.Close()
+}
+
+func (sl *plan9SrvListener) Addr() net.Addr {
+	return plan9SrvAddr(sl.name)
+}
+
+type plan9FileConn struct {
+	name string
+	file *os.File
+}
+
+func (fc plan9FileConn) Read(b []byte) (n int, err error) {
+	return fc.file.Read(b)
+}
+func (fc plan9FileConn) Write(b []byte) (n int, err error) {
+	return fc.file.Write(b)
+}
+func (fc plan9FileConn) Close() error {
+	return fc.file.Close()
+}
+func (fc plan9FileConn) LocalAddr() net.Addr {
+	return plan9SrvAddr(fc.name)
+}
+func (fc plan9FileConn) RemoteAddr() net.Addr {
+	return plan9SrvAddr(fc.name)
+}
+func (fc plan9FileConn) SetDeadline(t time.Time) error {
+	return syscall.EPLAN9
+}
+func (fc plan9FileConn) SetReadDeadline(t time.Time) error {
+	return syscall.EPLAN9
+}
+func (fc plan9FileConn) SetWriteDeadline(t time.Time) error {
+	return syscall.EPLAN9
+}
+
+func connect(_ context.Context, path string) (net.Conn, error) {
+	f, err := os.OpenFile(path, os.O_RDWR, 0666)
+	if err != nil {
+		return nil, err
+	}
+
+	return plan9FileConn{name: path, file: f}, nil
+}
+
+// Create an entry in /srv, open a pipe, write the
+// client end to the entry and return the server
+// end of the pipe to the caller. When the server
+// end of the pipe is closed, /srv name associated
+// with it will be removed (controlled by ORCLOSE flag)
+func listen(path string) (net.Listener, error) {
+	const O_RCLOSE = 64 // remove on close; should be in plan9 package
+	var pip [2]int
+
+	err := plan9.Pipe(pip[:])
+	if err != nil {
+		return nil, err
+	}
+	defer plan9.Close(pip[1])
+
+	srvfd, err := plan9.Create(path, plan9.O_WRONLY|plan9.O_CLOEXEC|O_RCLOSE, 0600)
+	if err != nil {
+		return nil, err
+	}
+	srv := os.NewFile(uintptr(srvfd), path)
+
+	_, err = fmt.Fprintf(srv, "%d", pip[1])
+	if err != nil {
+		return nil, err
+	}
+
+	return &plan9SrvListener{name: path, srvf: srv, file: os.NewFile(uintptr(pip[0]), path)}, nil
+}

vendor/tailscale.com/safesocket/safesocket_ps.go

@@ -0,0 +1,34 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build linux || windows || (darwin && !ios) || freebsd
+
+package safesocket
+
+import (
+	"strings"
+
+	ps "github.com/mitchellh/go-ps"
+)
+
+func init() {
+	tailscaledProcExists = func() bool {
+		procs, err := ps.Processes()
+		if err != nil {
+			return false
+		}
+		for _, proc := range procs {
+			name := proc.Executable()
+			const tailscaled = "tailscaled"
+			if len(name) < len(tailscaled) {
+				continue
+			}
+			// Do case insensitive comparison for Windows,
+			// notably, and ignore any ".exe" suffix.
+			if strings.EqualFold(name[:len(tailscaled)], tailscaled) {
+				return true
+			}
+		}
+		return false
+	}
+}

vendor/tailscale.com/safesocket/unixsocket.go

@@ -0,0 +1,91 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !windows && !js && !plan9
+
+package safesocket
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"net"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+)
+
+func connect(ctx context.Context, path string) (net.Conn, error) {
+	var std net.Dialer
+	return std.DialContext(ctx, "unix", path)
+}
+
+func listen(path string) (net.Listener, error) {
+	// Unix sockets hang around in the filesystem even after nobody
+	// is listening on them. (Which is really unfortunate but long-
+	// entrenched semantics.) Try connecting first; if it works, then
+	// the socket is still live, so let's not replace it. If it doesn't
+	// work, then replace it.
+	//
+	// Note that there's a race condition between these two steps. A
+	// "proper" daemon usually uses a dance involving pidfiles to first
+	// ensure that no other instances of itself are running, but that's
+	// beyond the scope of our simple socket library.
+	c, err := net.Dial("unix", path)
+	if err == nil {
+		c.Close()
+		if tailscaledRunningUnderLaunchd() {
+			return nil, fmt.Errorf("%v: address already in use; tailscaled already running under launchd (to stop, run: $ sudo launchctl stop com.tailscale.tailscaled)", path)
+		}
+		return nil, fmt.Errorf("%v: address already in use", path)
+	}
+	_ = os.Remove(path)
+
+	perm := socketPermissionsForOS()
+
+	sockDir := filepath.Dir(path)
+	if _, err := os.Stat(sockDir); os.IsNotExist(err) {
+		os.MkdirAll(sockDir, 0755) // best effort
+
+		// If we're on a platform where we want the socket
+		// world-readable, open up the permissions on the
+		// just-created directory too, in case a umask ate
+		// it. This primarily affects running tailscaled by
+		// hand as root in a shell, as there is no umask when
+		// running under systemd.
+		if perm == 0666 {
+			if fi, err := os.Stat(sockDir); err == nil && fi.Mode()&0077 == 0 {
+				if err := os.Chmod(sockDir, 0755); err != nil {
+					log.Print(err)
+				}
+			}
+		}
+	}
+	pipe, err := net.Listen("unix", path)
+	if err != nil {
+		return nil, err
+	}
+	os.Chmod(path, perm)
+	return pipe, err
+}
+
+func tailscaledRunningUnderLaunchd() bool {
+	if runtime.GOOS != "darwin" {
+		return false
+	}
+	plist, err := exec.Command("launchctl", "list", "com.tailscale.tailscaled").Output()
+	_ = plist // parse it? https://github.com/DHowett/go-plist if we need something.
+	running := err == nil
+	return running
+}
+
+// socketPermissionsForOS returns the permissions to use for the
+// tailscaled.sock.
+func socketPermissionsForOS() os.FileMode {
+	if PlatformUsesPeerCreds() {
+		return 0666
+	}
+	// Otherwise, root only.
+	return 0600
+}

vendor/tailscale.com/safesocket/zsyscall_windows.go

@@ -0,0 +1,62 @@
+// Code generated by 'go generate'; DO NOT EDIT.
+
+package safesocket
+
+import (
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var _ unsafe.Pointer
+
+// Do the interface allocations only once for common
+// Errno values.
+const (
+	errnoERROR_IO_PENDING = 997
+)
+
+var (
+	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
+	errERROR_EINVAL     error = syscall.EINVAL
+)
+
+// errnoErr returns common boxed Errno values, to prevent
+// allocations at runtime.
+func errnoErr(e syscall.Errno) error {
+	switch e {
+	case 0:
+		return errERROR_EINVAL
+	case errnoERROR_IO_PENDING:
+		return errERROR_IO_PENDING
+	}
+	// TODO: add more here, after collecting data on the common
+	// error values see on Windows. (perhaps when running
+	// all.bat?)
+	return e
+}
+
+var (
+	modadvapi32 = windows.NewLazySystemDLL("advapi32.dll")
+	modkernel32 = windows.NewLazySystemDLL("kernel32.dll")
+
+	procImpersonateNamedPipeClient  = modadvapi32.NewProc("ImpersonateNamedPipeClient")
+	procGetNamedPipeClientProcessId = modkernel32.NewProc("GetNamedPipeClientProcessId")
+)
+
+func impersonateNamedPipeClient(h windows.Handle) (err error) {
+	r1, _, e1 := syscall.Syscall(procImpersonateNamedPipeClient.Addr(), 1, uintptr(h), 0, 0)
+	if int32(r1) == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func getNamedPipeClientProcessId(h windows.Handle, clientPid *uint32) (err error) {
+	r1, _, e1 := syscall.Syscall(procGetNamedPipeClientProcessId.Addr(), 2, uintptr(h), uintptr(unsafe.Pointer(clientPid)), 0)
+	if int32(r1) == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}