disco,types,wgengine: implement Knock,KnockReply disco messages

EXTREME WIP, DO NOT SUBMIT

Updates #1227

.github/workflows/docker-file-build.yml

@@ -10,6 +10,6 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v1
     - name: "Build Docker image"
       run: docker build .

Dockerfile.base

@@ -2,4 +2,4 @@
 # SPDX-License-Identifier: BSD-3-Clause
 
 FROM alpine:3.16
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables iputils
+RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables

VERSION.txt

@@ -1 +1 @@
-1.45.0
+1.43.0

api.md

@@ -1222,11 +1222,6 @@ The remaining three methods operate on auth keys and API access tokens.
 
   // expirySeconds (int) is the duration in seconds a new key is valid.
   "expirySeconds": 86400
-
-  // description (string) is an optional short phrase that describes what
-  // this key is used for. It can be a maximum of 50 alphanumeric characters.
-  // Hyphens and underscores are also allowed.
-  "description": "short description of key purpose"
 }
 ```
 
@@ -1313,9 +1308,6 @@ Note the following about required vs. optional values:
   Specifies the duration in seconds until the key should expire.
   Defaults to 90 days if not supplied.
 
-- **`description`:** Optional in `POST` body.
-  A short string specifying the purpose of the key. Can be a maximum of 50 alphanumeric characters. Hyphens and spaces are also allowed.
-
 ### Request example
 
 ``` jsonc
@@ -1333,8 +1325,7 @@ curl "https://api.tailscale.com/api/v2/tailnet/example.com/keys" \
       }
     }
   },
-  "expirySeconds": 86400,
-  "description": "dev access"
+  "expirySeconds": 86400
 }'
 ```
 
@@ -1360,8 +1351,7 @@ It holds the capabilities specified in the request and can no longer be retrieve
         "tags": [ "tag:example" ]
       }
     }
-  },
-  "description": "dev access"
+  }
 }
 ```
 
@@ -1413,8 +1403,7 @@ The response is a JSON object with information about the key supplied.
         ]
       }
     }
-  },
-  "description": "dev access"
+  }
 }
 ```
 

cmd/derper/depaware.txt

@@ -230,7 +230,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         io/fs                                                        from crypto/x509+
         io/ioutil                                                    from github.com/mitchellh/go-ps+
         log                                                          from expvar+
-        log/internal                                                 from log
         math                                                         from compress/flate+
         math/big                                                     from crypto/dsa+
         math/bits                                                    from compress/flate+

cmd/tailscale/cli/funnel.go

@@ -30,10 +30,10 @@ func newFunnelCommand(e *serveEnv) *ffcli.Command {
 	return &ffcli.Command{
 		Name:      "funnel",
 		ShortHelp: "Turn on/off Funnel service",
-		ShortUsage: strings.Join([]string{
-			"funnel <serve-port> {on|off}",
-			"funnel status [--json]",
-		}, "\n  "),
+		ShortUsage: strings.TrimSpace(`
+funnel <serve-port> {on|off}
+  funnel status [--json]
+`),
 		LongHelp: strings.Join([]string{
 			"Funnel allows you to publish a 'tailscale serve'",
 			"server publicly, open to the entire internet.",

cmd/tailscale/cli/serve.go

@@ -35,14 +35,13 @@ func newServeCommand(e *serveEnv) *ffcli.Command {
 	return &ffcli.Command{
 		Name:      "serve",
 		ShortHelp: "Serve content and local servers",
-		ShortUsage: strings.Join([]string{
-			"serve http:<port> <mount-point> <source> [off]",
-			"serve https:<port> <mount-point> <source> [off]",
-			"serve tcp:<port> tcp://localhost:<local-port> [off]",
-			"serve tls-terminated-tcp:<port> tcp://localhost:<local-port> [off]",
-			"serve status [--json]",
-			"serve reset",
-		}, "\n  "),
+		ShortUsage: strings.TrimSpace(`
+serve https:<port> <mount-point> <source> [off]
+  serve tcp:<port> tcp://localhost:<local-port> [off]
+  serve tls-terminated-tcp:<port> tcp://localhost:<local-port> [off]
+  serve status [--json]
+  serve reset
+`),
 		LongHelp: strings.TrimSpace(`
 *** BETA; all of this is subject to change ***
 
@@ -59,8 +58,8 @@ EXAMPLES
   - To proxy requests to a web server at 127.0.0.1:3000:
     $ tailscale serve https:443 / http://127.0.0.1:3000
 
-    Or, using the default port (443):
-    $ tailscale serve https / http://127.0.0.1:3000
+	Or, using the default port:
+	$ tailscale serve https / http://127.0.0.1:3000
 
   - To serve a single file or a directory of files:
     $ tailscale serve https / /home/alice/blog/index.html
@@ -69,12 +68,6 @@ EXAMPLES
   - To serve simple static text:
     $ tailscale serve https:8080 / text:"Hello, world!"
 
-  - To serve over HTTP (tailnet only):
-    $ tailscale serve http:80 / http://127.0.0.1:3000
-
-    Or, using the default port (80):
-    $ tailscale serve http / http://127.0.0.1:3000
-
   - To forward incoming TCP connections on port 2222 to a local TCP server on
     port 22 (e.g. to run OpenSSH in parallel with Tailscale SSH):
     $ tailscale serve tcp:2222 tcp://localhost:22
@@ -182,7 +175,6 @@ func (e *serveEnv) getLocalClientStatus(ctx context.Context) (*ipnstate.Status,
 // serve config types like proxy, path, and text.
 //
 // Examples:
-// - tailscale serve http / http://localhost:3000
 // - tailscale serve https / http://localhost:3000
 // - tailscale serve https /images/ /var/www/images/
 // - tailscale serve https:10000 /motd.txt text:"Hello, world!"
@@ -207,14 +199,19 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {
 		return e.lc.SetServeConfig(ctx, sc)
 	}
 
+	parsePort := func(portStr string) (uint16, error) {
+		port64, err := strconv.ParseUint(portStr, 10, 16)
+		if err != nil {
+			return 0, err
+		}
+		return uint16(port64), nil
+	}
+
 	srcType, srcPortStr, found := strings.Cut(args[0], ":")
 	if !found {
 		if srcType == "https" && srcPortStr == "" {
 			// Default https port to 443.
 			srcPortStr = "443"
-		} else if srcType == "http" && srcPortStr == "" {
-			// Default http port to 80.
-			srcPortStr = "80"
 		} else {
 			return flag.ErrHelp
 		}
@@ -222,18 +219,18 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {
 
 	turnOff := "off" == args[len(args)-1]
 
-	if len(args) < 2 || ((srcType == "https" || srcType == "http") && !turnOff && len(args) < 3) {
+	if len(args) < 2 || (srcType == "https" && !turnOff && len(args) < 3) {
 		fmt.Fprintf(os.Stderr, "error: invalid number of arguments\n\n")
 		return flag.ErrHelp
 	}
 
-	srcPort, err := parseServePort(srcPortStr)
+	srcPort, err := parsePort(srcPortStr)
 	if err != nil {
-		return fmt.Errorf("invalid port %q: %w", srcPortStr, err)
+		return err
 	}
 
 	switch srcType {
-	case "https", "http":
+	case "https":
 		mount, err := cleanMountPoint(args[1])
 		if err != nil {
 			return err
@@ -241,8 +238,7 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {
 		if turnOff {
 			return e.handleWebServeRemove(ctx, srcPort, mount)
 		}
-		useTLS := srcType == "https"
-		return e.handleWebServe(ctx, srcPort, useTLS, mount, args[2])
+		return e.handleWebServe(ctx, srcPort, mount, args[2])
 	case "tcp", "tls-terminated-tcp":
 		if turnOff {
 			return e.handleTCPServeRemove(ctx, srcPort)
@@ -250,20 +246,20 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {
 		return e.handleTCPServe(ctx, srcType, srcPort, args[1])
 	default:
 		fmt.Fprintf(os.Stderr, "error: invalid serve type %q\n", srcType)
-		fmt.Fprint(os.Stderr, "must be one of: http:<port>, https:<port>, tcp:<port> or tls-terminated-tcp:<port>\n\n", srcType)
+		fmt.Fprint(os.Stderr, "must be one of: https:<port>, tcp:<port> or tls-terminated-tcp:<port>\n\n", srcType)
 		return flag.ErrHelp
 	}
 }
 
-// handleWebServe handles the "tailscale serve (http/https):..." subcommand. It
-// configures the serve config to forward HTTPS connections to the given source.
+// handleWebServe handles the "tailscale serve https:..." subcommand.
+// It configures the serve config to forward HTTPS connections to the
+// given source.
 //
 // Examples:
-//   - tailscale serve http / http://localhost:3000
 //   - tailscale serve https / http://localhost:3000
 //   - tailscale serve https:8443 /files/ /home/alice/shared-files/
 //   - tailscale serve https:10000 /motd.txt text:"Hello, world!"
-func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, useTLS bool, mount, source string) error {
+func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, mount, source string) error {
 	h := new(ipn.HTTPHandler)
 
 	ts, _, _ := strings.Cut(source, ":")
@@ -322,7 +318,7 @@ func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, useTLS bo
 		return flag.ErrHelp
 	}
 
-	mak.Set(&sc.TCP, srvPort, &ipn.TCPPortHandler{HTTPS: useTLS, HTTP: !useTLS})
+	mak.Set(&sc.TCP, srvPort, &ipn.TCPPortHandler{HTTPS: true})
 
 	if _, ok := sc.Web[hp]; !ok {
 		mak.Set(&sc.Web, hp, new(ipn.WebServerConfig))
@@ -630,10 +626,7 @@ func (e *serveEnv) runServeStatus(ctx context.Context, args []string) error {
 		printf("\n")
 	}
 	for hp := range sc.Web {
-		err := e.printWebStatusTree(sc, hp)
-		if err != nil {
-			return err
-		}
+		printWebStatusTree(sc, hp)
 		printf("\n")
 	}
 	printFunnelWarning(sc)
@@ -672,37 +665,20 @@ func printTCPStatusTree(ctx context.Context, sc *ipn.ServeConfig, st *ipnstate.S
 	return nil
 }
 
-func (e *serveEnv) printWebStatusTree(sc *ipn.ServeConfig, hp ipn.HostPort) error {
-	// No-op if no serve config
+func printWebStatusTree(sc *ipn.ServeConfig, hp ipn.HostPort) {
 	if sc == nil {
-		return nil
+		return
 	}
 	fStatus := "tailnet only"
 	if sc.AllowFunnel[hp] {
 		fStatus = "Funnel on"
 	}
 	host, portStr, _ := net.SplitHostPort(string(hp))
-
-	port, err := parseServePort(portStr)
-	if err != nil {
-		return fmt.Errorf("invalid port %q: %w", portStr, err)
+	if portStr == "443" {
+		printf("https://%s (%s)\n", host, fStatus)
+	} else {
+		printf("https://%s:%s (%s)\n", host, portStr, fStatus)
 	}
-
-	scheme := "https"
-	if sc.IsServingHTTP(port) {
-		scheme = "http"
-	}
-
-	portPart := ":" + portStr
-	if scheme == "http" && portStr == "80" ||
-		scheme == "https" && portStr == "443" {
-		portPart = ""
-	}
-	if scheme == "http" {
-		hostname, _, _ := strings.Cut("host", ".")
-		printf("%s://%s%s (%s)\n", scheme, hostname, portPart, fStatus)
-	}
-	printf("%s://%s%s (%s)\n", scheme, host, portPart, fStatus)
 	srvTypeAndDesc := func(h *ipn.HTTPHandler) (string, string) {
 		switch {
 		case h.Path != "":
@@ -729,8 +705,6 @@ func (e *serveEnv) printWebStatusTree(sc *ipn.ServeConfig, hp ipn.HostPort) erro
 		t, d := srvTypeAndDesc(h)
 		printf("%s %s%s %-5s %s\n", "|--", m, strings.Repeat(" ", maxLen-len(m)), t, d)
 	}
-
-	return nil
 }
 
 func elipticallyTruncate(s string, max int) string {
@@ -751,16 +725,3 @@ func (e *serveEnv) runServeReset(ctx context.Context, args []string) error {
 	sc := new(ipn.ServeConfig)
 	return e.lc.SetServeConfig(ctx, sc)
 }
-
-// parseServePort parses a port number from a string and returns it as a
-// uint16. It returns an error if the port number is invalid or zero.
-func parseServePort(s string) (uint16, error) {
-	p, err := strconv.ParseUint(s, 10, 16)
-	if err != nil {
-		return 0, err
-	}
-	if p == 0 {
-		return 0, errors.New("port number must be non-zero")
-	}
-	return uint16(p), nil
-}

cmd/tailscale/cli/serve_test.go

@@ -89,59 +89,6 @@ func TestServeConfigMutations(t *testing.T) {
 		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
 	})
 
-	// https
-	add(step{reset: true})
-	add(step{ // allow omitting port (default to 80)
-		command: cmd("http / http://localhost:3000"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{ // support non Funnel port
-		command: cmd("http:9999 /abc http://localhost:3001"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}, 9999: {HTTP: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:9999": {Handlers: map[string]*ipn.HTTPHandler{
-					"/abc": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("http:9999 /abc off"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("http:8080 /abc http://127.0.0.1:3001"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}, 8080: {HTTP: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:8080": {Handlers: map[string]*ipn.HTTPHandler{
-					"/abc": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
-
 	// https
 	add(step{reset: true})
 	add(step{

cmd/tailscale/depaware.txt

@@ -231,7 +231,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         io/fs                                                        from crypto/x509+
         io/ioutil                                                    from golang.org/x/sys/cpu+
         log                                                          from expvar+
-        log/internal                                                 from log
         math                                                         from compress/flate+
         math/big                                                     from crypto/dsa+
         math/bits                                                    from compress/flate+

cmd/tailscaled/depaware.txt

@@ -449,7 +449,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         io/fs                                                        from crypto/x509+
         io/ioutil                                                    from github.com/godbus/dbus/v5+
         log                                                          from expvar+
-        log/internal                                                 from log
   LD    log/syslog                                                   from tailscale.com/ssh/tailssh
         math                                                         from compress/flate+
         math/big                                                     from crypto/dsa+

control/controlclient/debug.go

@@ -20,7 +20,7 @@ func dumpGoroutinesToURL(c *http.Client, targetURL string) {
 
 	zbuf := new(bytes.Buffer)
 	zw := gzip.NewWriter(zbuf)
-	zw.Write(goroutines.ScrubbedGoroutineDump(true))
+	zw.Write(goroutines.ScrubbedGoroutineDump())
 	zw.Close()
 
 	req, err := http.NewRequestWithContext(ctx, "PUT", targetURL, zbuf)

disco/disco.go

@@ -27,6 +27,7 @@ import (
 	"net/netip"
 
 	"go4.org/mem"
+	"golang.org/x/crypto/nacl/box"
 	"tailscale.com/types/key"
 )
 
@@ -44,6 +45,8 @@ const (
 	TypePing        = MessageType(0x01)
 	TypePong        = MessageType(0x02)
 	TypeCallMeMaybe = MessageType(0x03)
+	TypeKnock       = MessageType(0x04)
+	TypeKnockReply  = MessageType(0x05)
 )
 
 const v0 = byte(0)
@@ -83,6 +86,10 @@ func Parse(p []byte) (Message, error) {
 		return parsePong(ver, p)
 	case TypeCallMeMaybe:
 		return parseCallMeMaybe(ver, p)
+	case TypeKnock:
+		return parseKnock(ver, p)
+	case TypeKnockReply:
+		return parseKnockReply(ver, p)
 	default:
 		return nil, fmt.Errorf("unknown message type 0x%02x", byte(t))
 	}
@@ -240,6 +247,54 @@ func parsePong(ver uint8, p []byte) (m *Pong, err error) {
 	return m, nil
 }
 
+type Knock struct {
+	// SealedNonce is the random client-generated per-knock nonce,
+	// which is NaCL-box sealed to the node key of the destination.
+	// The unencrypted nonce is 8 bytes.
+	SealedNonce [box.AnonymousOverhead + 8]byte
+}
+
+func (m *Knock) AppendMarshal(b []byte) []byte {
+	dataLen := box.AnonymousOverhead + 8
+	ret, d := appendMsgHeader(b, TypeKnock, v0, dataLen)
+	copy(d, m.SealedNonce[:])
+	return ret
+}
+
+func parseKnock(ver uint8, p []byte) (m *Knock, err error) {
+	if len(p) < (box.AnonymousOverhead + 8) {
+		return nil, errShort
+	}
+	m = new(Knock)
+	p = p[copy(m.SealedNonce[:], p):]
+	// Deliberately lax on longer-than-expected messages, for future
+	// compatibility.
+	return m, nil
+}
+
+type KnockReply struct {
+	// Nonce is the nonce value from the Knock request.
+	Nonce [8]byte
+}
+
+func (m *KnockReply) AppendMarshal(b []byte) []byte {
+	dataLen := 8
+	ret, d := appendMsgHeader(b, TypeKnockReply, v0, dataLen)
+	copy(d, m.Nonce[:])
+	return ret
+}
+
+func parseKnockReply(ver uint8, p []byte) (m *KnockReply, err error) {
+	if len(p) < 8 {
+		return nil, errShort
+	}
+	m = new(KnockReply)
+	p = p[copy(m.Nonce[:], p):]
+	// Deliberately lax on longer-than-expected messages, for future
+	// compatibility.
+	return m, nil
+}
+
 // MessageSummary returns a short summary of m for logging purposes.
 func MessageSummary(m Message) string {
 	switch m := m.(type) {
@@ -249,6 +304,10 @@ func MessageSummary(m Message) string {
 		return fmt.Sprintf("pong tx=%x", m.TxID[:6])
 	case *CallMeMaybe:
 		return "call-me-maybe"
+	case *Knock:
+		return fmt.Sprintf("knock")
+	case *KnockReply:
+		return fmt.Sprintf("knock reply nonce=%x", m.Nonce[:])
 	default:
 		return fmt.Sprintf("%#v", m)
 	}

disco/disco_test.go

@@ -4,6 +4,7 @@
 package disco
 
 import (
+	"bytes"
 	"fmt"
 	"net/netip"
 	"reflect"
@@ -66,6 +67,20 @@ func TestMarshalAndParse(t *testing.T) {
 			},
 			want: "03 00 00 00 00 00 00 00 00 00 00 00 ff ff 01 02 03 04 02 37 20 01 00 00 00 00 00 00 00 00 00 00 00 00 34 56 03 15",
 		},
+		{
+			name: "knock",
+			m: &Knock{
+				SealedNonce: [16 + 32 + 8]byte(bytes.Repeat([]byte{1, 2}, 28)),
+			},
+			want: "04 00 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01 02",
+		},
+		{
+			name: "knock_reply",
+			m: &KnockReply{
+				Nonce: [8]byte{1, 2, 3, 4, 5, 6, 7, 8},
+			},
+			want: "05 00 01 02 03 04 05 06 07 08",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

flake.nix

@@ -115,4 +115,4 @@
   in
     flake-utils.lib.eachDefaultSystem (system: flakeForSystem nixpkgs system);
 }
-# nix-direnv cache busting line: sha256-fgCrmtJs1svFz0Xn7iwLNrbBNlcO6V0yqGPMY0+V1VQ=
+# nix-direnv cache busting line: sha256-t5Jjie8DFQVchpylCv3uNty8rOhV4PGIvYN4y6ko5v0=

go.mod

@@ -48,7 +48,7 @@ require (
 	github.com/mdlayher/genetlink v1.3.2
 	github.com/mdlayher/netlink v1.7.2
 	github.com/mdlayher/sdnotify v1.0.0
-	github.com/miekg/dns v1.1.55
+	github.com/miekg/dns v1.1.54
 	github.com/mitchellh/go-ps v1.0.0
 	github.com/peterbourgon/ff/v3 v3.3.0
 	github.com/pkg/errors v0.9.1

go.mod.sri

@@ -1 +1 @@
-sha256-fgCrmtJs1svFz0Xn7iwLNrbBNlcO6V0yqGPMY0+V1VQ=
+sha256-t5Jjie8DFQVchpylCv3uNty8rOhV4PGIvYN4y6ko5v0=

go.sum

@@ -767,8 +767,8 @@ github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8Ku
 github.com/mgechev/revive v1.3.1 h1:OlQkcH40IB2cGuprTPcjB0iIUddgVZgGmDX3IAMR8D4=
 github.com/mgechev/revive v1.3.1/go.mod h1:YlD6TTWl2B8A103R9KWJSPVI9DrEf+oqr15q21Ld+5I=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
-github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo=
-github.com/miekg/dns v1.1.55/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
+github.com/miekg/dns v1.1.54 h1:5jon9mWcb0sFJGpnI99tOMhCPyJ+RPVz5b63MQG0VWI=
+github.com/miekg/dns v1.1.54/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=

go.toolchain.branch

@@ -1 +1 @@
-tailscale.go1.21
+tailscale.go1.20

go.toolchain.rev

@@ -1 +1 @@
-492f6d9d792fa6e4caa388e4d7bab46b48d07ad5
+40dc4d834a5fde9872bcf470be50069f56c3e3b3

hostinfo/hostinfo.go

@@ -7,10 +7,8 @@ package hostinfo
 
 import (
 	"bufio"
-	"bytes"
 	"io"
 	"os"
-	"os/exec"
 	"runtime"
 	"runtime/debug"
 	"strings"
@@ -436,12 +434,3 @@ func etcAptSourceFileIsDisabled(r io.Reader) bool {
 	}
 	return disabled
 }
-
-// IsSELinuxEnforcing reports whether SELinux is in "Enforcing" mode.
-func IsSELinuxEnforcing() bool {
-	if runtime.GOOS != "linux" {
-		return false
-	}
-	out, _ := exec.Command("getenforce").Output()
-	return string(bytes.TrimSpace(out)) == "Enforcing"
-}

ipn/ipn_clone.go

@@ -103,7 +103,6 @@ func (src *TCPPortHandler) Clone() *TCPPortHandler {
 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _TCPPortHandlerCloneNeedsRegeneration = TCPPortHandler(struct {
 	HTTPS        bool
-	HTTP         bool
 	TCPForward   string
 	TerminateTLS string
 }{})

ipn/ipn_view.go

@@ -228,14 +228,12 @@ func (v *TCPPortHandlerView) UnmarshalJSON(b []byte) error {
 }
 
 func (v TCPPortHandlerView) HTTPS() bool          { return v.ж.HTTPS }
-func (v TCPPortHandlerView) HTTP() bool           { return v.ж.HTTP }
 func (v TCPPortHandlerView) TCPForward() string   { return v.ж.TCPForward }
 func (v TCPPortHandlerView) TerminateTLS() string { return v.ж.TerminateTLS }
 
 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _TCPPortHandlerViewNeedsRegeneration = TCPPortHandler(struct {
 	HTTPS        bool
-	HTTP         bool
 	TCPForward   string
 	TerminateTLS string
 }{})

ipn/ipnlocal/c2n.go

@@ -49,7 +49,7 @@ func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
 		}
 	case "/debug/goroutines":
 		w.Header().Set("Content-Type", "text/plain")
-		w.Write(goroutines.ScrubbedGoroutineDump(true))
+		w.Write(goroutines.ScrubbedGoroutineDump())
 	case "/debug/prefs":
 		writeJSON(b.Prefs())
 	case "/debug/metrics":

ipn/ipnlocal/local.go

@@ -4,6 +4,7 @@
 package ipnlocal
 
 import (
+	"bytes"
 	"context"
 	"encoding/base64"
 	"encoding/json"
@@ -17,6 +18,7 @@ import (
 	"net/netip"
 	"net/url"
 	"os"
+	"os/exec"
 	"os/user"
 	"path/filepath"
 	"runtime"
@@ -2581,7 +2583,7 @@ func (b *LocalBackend) checkSSHPrefsLocked(p *ipn.Prefs) error {
 		if distro.Get() == distro.QNAP && !envknob.UseWIPCode() {
 			return errors.New("The Tailscale SSH server does not run on QNAP.")
 		}
-		b.updateSELinuxHealthWarning()
+		checkSELinux()
 		// otherwise okay
 	case "darwin":
 		// okay only in tailscaled mode for now.
@@ -4129,10 +4131,6 @@ func (b *LocalBackend) setServeProxyHandlersLocked() {
 	b.serveConfig.Web().Range(func(_ ipn.HostPort, conf ipn.WebServerConfigView) (cont bool) {
 		conf.Handlers().Range(func(_ string, h ipn.HTTPHandlerView) (cont bool) {
 			backend := h.Proxy()
-			if backend == "" {
-				// Only create proxy handlers for servers with a proxy backend.
-				return true
-			}
 			mak.Set(&backends, backend, true)
 			if _, ok := b.serveProxyHandlers.Load(backend); ok {
 				return true
@@ -4707,8 +4705,12 @@ func (b *LocalBackend) sshServerOrInit() (_ SSHServer, err error) {
 
 var warnSSHSELinux = health.NewWarnable()
 
-func (b *LocalBackend) updateSELinuxHealthWarning() {
-	if hostinfo.IsSELinuxEnforcing() {
+func checkSELinux() {
+	if runtime.GOOS != "linux" {
+		return
+	}
+	out, _ := exec.Command("getenforce").Output()
+	if string(bytes.TrimSpace(out)) == "Enforcing" {
 		warnSSHSELinux.Set(errors.New("SELinux is enabled; Tailscale SSH may not work. See https://tailscale.com/s/ssh-selinux"))
 	} else {
 		warnSSHSELinux.Set(nil)
@@ -4720,7 +4722,7 @@ func (b *LocalBackend) handleSSHConn(c net.Conn) (err error) {
 	if err != nil {
 		return err
 	}
-	b.updateSELinuxHealthWarning()
+	checkSELinux()
 	return s.HandleSSHConn(c)
 }
 

ipn/ipnlocal/network-lock.go

@@ -158,9 +158,7 @@ func (b *LocalBackend) tkaSyncIfNeeded(nm *netmap.NetworkMap, prefs ipn.PrefsVie
 		return nil
 	}
 
-	if b.tka != nil || nm.TKAEnabled {
-		b.logf("tkaSyncIfNeeded: enabled=%v, head=%v", nm.TKAEnabled, nm.TKAHead)
-	}
+	b.logf("tkaSyncIfNeeded: enabled=%v, head=%v", nm.TKAEnabled, nm.TKAHead)
 
 	ourNodeKey := prefs.Persist().PublicNodeKey()
 
@@ -199,7 +197,7 @@ func (b *LocalBackend) tkaSyncIfNeeded(nm *netmap.NetworkMap, prefs ipn.PrefsVie
 				health.SetTKAHealth(nil)
 			}
 		} else {
-			return fmt.Errorf("[bug] unreachable invariant of wantEnabled w/ isEnabled")
+			return fmt.Errorf("[bug] unreachable invariant of wantEnabled /w isEnabled")
 		}
 	}
 

ipn/ipnlocal/serve.go

@@ -332,8 +332,11 @@ func (b *LocalBackend) tcpHandlerForServe(dport uint16, srcAddr netip.AddrPort)
 		return nil
 	}
 
-	if tcph.HTTPS() || tcph.HTTP() {
+	if tcph.HTTPS() {
 		hs := &http.Server{
+			TLSConfig: &tls.Config{
+				GetCertificate: b.getTLSServeCertForPort(dport),
+			},
 			Handler: http.HandlerFunc(b.serveWebHandler),
 			BaseContext: func(_ net.Listener) context.Context {
 				return context.WithValue(context.Background(), serveHTTPContextKey{}, &serveHTTPContext{
@@ -342,17 +345,8 @@ func (b *LocalBackend) tcpHandlerForServe(dport uint16, srcAddr netip.AddrPort)
 				})
 			},
 		}
-		if tcph.HTTPS() {
-			hs.TLSConfig = &tls.Config{
-				GetCertificate: b.getTLSServeCertForPort(dport),
-			}
-			return func(c net.Conn) error {
-				return hs.ServeTLS(netutil.NewOneConnListener(c, nil), "", "")
-			}
-		}
-
 		return func(c net.Conn) error {
-			return hs.Serve(netutil.NewOneConnListener(c, nil))
+			return hs.ServeTLS(netutil.NewOneConnListener(c, nil), "", "")
 		}
 	}
 
@@ -412,14 +406,8 @@ func getServeHTTPContext(r *http.Request) (c *serveHTTPContext, ok bool) {
 func (b *LocalBackend) getServeHandler(r *http.Request) (_ ipn.HTTPHandlerView, at string, ok bool) {
 	var z ipn.HTTPHandlerView // zero value
 
-	hostname := r.Host
 	if r.TLS == nil {
-		tcd := "." + b.Status().CurrentTailnet.MagicDNSSuffix
-		if !strings.HasSuffix(hostname, tcd) {
-			hostname += tcd
-		}
-	} else {
-		hostname = r.TLS.ServerName
+		return z, "", false
 	}
 
 	sctx, ok := getServeHTTPContext(r)
@@ -427,7 +415,7 @@ func (b *LocalBackend) getServeHandler(r *http.Request) (_ ipn.HTTPHandlerView,
 		b.logf("[unexpected] localbackend: no serveHTTPContext in request")
 		return z, "", false
 	}
-	wsc, ok := b.webServerConfig(hostname, sctx.DestPort)
+	wsc, ok := b.webServerConfig(r.TLS.ServerName, sctx.DestPort)
 	if !ok {
 		return z, "", false
 	}
@@ -484,9 +472,7 @@ func (b *LocalBackend) proxyHandlerForBackend(backend string) (*httputil.Reverse
 
 func addProxyForwardedHeaders(r *httputil.ProxyRequest) {
 	r.Out.Header.Set("X-Forwarded-Host", r.In.Host)
-	if r.In.TLS != nil {
-		r.Out.Header.Set("X-Forwarded-Proto", "https")
-	}
+	r.Out.Header.Set("X-Forwarded-Proto", "https")
 	if c, ok := getServeHTTPContext(r.Out); ok {
 		r.Out.Header.Set("X-Forwarded-For", c.SrcAddr.Addr().String())
 	}
@@ -496,7 +482,6 @@ func (b *LocalBackend) addTailscaleIdentityHeaders(r *httputil.ProxyRequest) {
 	// Clear any incoming values squatting in the headers.
 	r.Out.Header.Del("Tailscale-User-Login")
 	r.Out.Header.Del("Tailscale-User-Name")
-	r.Out.Header.Del("Tailscale-Headers-Info")
 
 	c, ok := getServeHTTPContext(r.Out)
 	if !ok {
@@ -513,7 +498,6 @@ func (b *LocalBackend) addTailscaleIdentityHeaders(r *httputil.ProxyRequest) {
 	}
 	r.Out.Header.Set("Tailscale-User-Login", user.LoginName)
 	r.Out.Header.Set("Tailscale-User-Name", user.DisplayName)
-	r.Out.Header.Set("Tailscale-Headers-Info", "https://tailscale.com/s/serve-headers")
 }
 
 func (b *LocalBackend) serveWebHandler(w http.ResponseWriter, r *http.Request) {
@@ -648,8 +632,8 @@ func allNumeric(s string) bool {
 	return s != ""
 }
 
-func (b *LocalBackend) webServerConfig(hostname string, port uint16) (c ipn.WebServerConfigView, ok bool) {
-	key := ipn.HostPort(fmt.Sprintf("%s:%v", hostname, port))
+func (b *LocalBackend) webServerConfig(sniName string, port uint16) (c ipn.WebServerConfigView, ok bool) {
+	key := ipn.HostPort(fmt.Sprintf("%s:%v", sniName, port))
 
 	b.mu.Lock()
 	defer b.mu.Unlock()

ipn/ipnlocal/serve_test.go

@@ -253,7 +253,6 @@ func TestServeHTTPProxy(t *testing.T) {
 				{"X-Forwarded-For", "100.150.151.152"},
 				{"Tailscale-User-Login", "someone@example.com"},
 				{"Tailscale-User-Name", "Some One"},
-				{"Tailscale-Headers-Info", "https://tailscale.com/s/serve-headers"},
 			},
 		},
 		{
@@ -264,7 +263,6 @@ func TestServeHTTPProxy(t *testing.T) {
 				{"X-Forwarded-For", "100.150.151.153"},
 				{"Tailscale-User-Login", ""},
 				{"Tailscale-User-Name", ""},
-				{"Tailscale-Headers-Info", ""},
 			},
 		},
 		{
@@ -275,7 +273,6 @@ func TestServeHTTPProxy(t *testing.T) {
 				{"X-Forwarded-For", "100.160.161.162"},
 				{"Tailscale-User-Login", ""},
 				{"Tailscale-User-Name", ""},
-				{"Tailscale-Headers-Info", ""},
 			},
 		},
 	}

ipn/serve.go

@@ -76,12 +76,6 @@ type TCPPortHandler struct {
 	// It is mutually exclusive with TCPForward.
 	HTTPS bool `json:",omitempty"`
 
-	// HTTP, if true, means that tailscaled should handle this connection as an
-	// HTTP request as configured by ServeConfig.Web.
-	//
-	// It is mutually exclusive with TCPForward.
-	HTTP bool `json:",omitempty"`
-
 	// TCPForward is the IP:port to forward TCP connections to.
 	// Whether or not TLS is terminated by tailscaled depends on
 	// TerminateTLS.
@@ -109,7 +103,7 @@ type HTTPHandler struct {
 	// temporary ones? Error codes? Redirects?
 }
 
-// WebHandlerExists reports whether if the ServeConfig Web handler exists for
+// WebHandlerExists checks if the ServeConfig Web handler exists for
 // the given host:port and mount point.
 func (sc *ServeConfig) WebHandlerExists(hp HostPort, mount string) bool {
 	h := sc.GetWebHandler(hp, mount)
@@ -134,8 +128,9 @@ func (sc *ServeConfig) GetTCPPortHandler(port uint16) *TCPPortHandler {
 	return sc.TCP[port]
 }
 
-// IsTCPForwardingAny reports whether ServeConfig is currently forwarding in
-// TCPForward mode on any port. This is exclusive of Web/HTTPS serving.
+// IsTCPForwardingAny checks if ServeConfig is currently forwarding
+// in TCPForward mode on any port.
+// This is exclusive of Web/HTTPS serving.
 func (sc *ServeConfig) IsTCPForwardingAny() bool {
 	if sc == nil || len(sc.TCP) == 0 {
 		return false
@@ -148,47 +143,34 @@ func (sc *ServeConfig) IsTCPForwardingAny() bool {
 	return false
 }
 
-// IsTCPForwardingOnPort reports whether if ServeConfig is currently forwarding
-// in TCPForward mode on the given port. This is exclusive of Web/HTTPS serving.
+// IsTCPForwardingOnPort checks if ServeConfig is currently forwarding
+// in TCPForward mode on the given port.
+// This is exclusive of Web/HTTPS serving.
 func (sc *ServeConfig) IsTCPForwardingOnPort(port uint16) bool {
 	if sc == nil || sc.TCP[port] == nil {
 		return false
 	}
-	return !sc.IsServingWeb(port)
+	return !sc.TCP[port].HTTPS
 }
 
-// IsServingWeb reports whether if ServeConfig is currently serving Web
-// (HTTP/HTTPS) on the given port. This is exclusive of TCPForwarding.
+// IsServingWeb checks if ServeConfig is currently serving
+// Web/HTTPS on the given port.
+// This is exclusive of TCPForwarding.
 func (sc *ServeConfig) IsServingWeb(port uint16) bool {
-	return sc.IsServingHTTP(port) || sc.IsServingHTTPS(port)
-}
-
-// IsServingHTTPS reports whether if ServeConfig is currently serving HTTPS on
-// the given port. This is exclusive of HTTP and TCPForwarding.
-func (sc *ServeConfig) IsServingHTTPS(port uint16) bool {
 	if sc == nil || sc.TCP[port] == nil {
 		return false
 	}
 	return sc.TCP[port].HTTPS
 }
 
-// IsServingHTTP reports whether if ServeConfig is currently serving HTTP on the
-// given port. This is exclusive of HTTPS and TCPForwarding.
-func (sc *ServeConfig) IsServingHTTP(port uint16) bool {
-	if sc == nil || sc.TCP[port] == nil {
-		return false
-	}
-	return sc.TCP[port].HTTP
-}
-
-// IsFunnelOn reports whether if ServeConfig is currently allowing funnel
-// traffic for any host:port.
+// IsFunnelOn checks if ServeConfig is currently allowing
+// funnel traffic for any host:port.
 //
 // View version of ServeConfig.IsFunnelOn.
 func (v ServeConfigView) IsFunnelOn() bool { return v.ж.IsFunnelOn() }
 
-// IsFunnelOn reports whether if ServeConfig is currently allowing funnel
-// traffic for any host:port.
+// IsFunnelOn checks if ServeConfig is currently allowing
+// funnel traffic for any host:port.
 func (sc *ServeConfig) IsFunnelOn() bool {
 	if sc == nil {
 		return false

licenses/android.md

@@ -73,10 +73,10 @@ Client][].  See also the dependencies in the [Tailscale CLI][].
  - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/47ecfdc1:LICENSE))
  - [golang.org/x/exp/shiny](https://pkg.go.dev/golang.org/x/exp/shiny) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/334a2380:shiny/LICENSE))
  - [golang.org/x/image](https://pkg.go.dev/golang.org/x/image) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/v0.7.0:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.10.0:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.9.0:LICENSE))
  - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.2.0:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/5059a07a:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.8.0:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.8.0:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.7.0:LICENSE))
  - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.9.0:LICENSE))
  - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/v0.3.0:LICENSE))
  - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/7b0a1988a28f/LICENSE))

net/dns/recursive/recursive.go

@@ -582,8 +582,12 @@ func (r *Resolver) queryNameserverProto(
 		}
 
 		// Send the DNS request to the current nameserver.
+		//
+		// TODO(andrew): use ExchangeWithConnContext after this upstream PR is
+		// merged:
+		//    https://github.com/miekg/dns/pull/1459
 		r.depthlogf(depth, "asking %s over %s about %q (type: %v)", nameserverStr, protocol, name, qtype)
-		resp, _, err = c.ExchangeWithConnContext(ctx, m, conn)
+		resp, _, err = c.ExchangeWithConn(m, conn)
 	}
 	if err != nil {
 		return nil, err

prober/derp.go

@@ -188,9 +188,6 @@ func (d *derpProber) updateMap(ctx context.Context) error {
 			if existing, ok := d.nodes[n.HostName]; ok {
 				return fmt.Errorf("derpmap has duplicate nodes: %+v and %+v", existing, n)
 			}
-			// Allow the prober to monitor nodes marked as
-			// STUN only in the default map
-			n.STUNOnly = false
 			d.nodes[n.HostName] = n
 		}
 	}

release/dist/synology/files/config

@@ -2,6 +2,7 @@
 	".url": {
 		"SYNO.SDS.Tailscale": {
 			"type": "url",
+			"version": "1.8.3",
 			"title": "Tailscale",
 			"icon": "PACKAGE_ICON_256.PNG",
 			"url": "webman/3rdparty/Tailscale/",

release/dist/synology/pkgs.go

@@ -176,7 +176,7 @@ func (m *synologyBuilds) buildInnerPackage(b *dist.Build, dsmVersion int, goenv
 			static(fmt.Sprintf("logrotate-dsm%d", dsmVersion), "conf/logrotate.conf", 0644),
 			dir("ui"),
 			static("PACKAGE_ICON_256.PNG", "ui/PACKAGE_ICON_256.PNG", 0644),
-			static("config", "ui/config", 0644),
+			static("config", "ui/config", 0644), // TODO: this has "1.8.3" hard-coded in it; why? what is it? bug?
 			static("index.cgi", "ui/index.cgi", 0755))
 		if err != nil {
 			return nil, err

shell.nix

@@ -16,4 +16,4 @@
 ) {
   src =  ./.;
 }).shellNix
-# nix-direnv cache busting line: sha256-fgCrmtJs1svFz0Xn7iwLNrbBNlcO6V0yqGPMY0+V1VQ=
+# nix-direnv cache busting line: sha256-t5Jjie8DFQVchpylCv3uNty8rOhV4PGIvYN4y6ko5v0=

ssh/tailssh/incubator.go

@@ -34,7 +34,6 @@ import (
 	"golang.org/x/exp/slices"
 	"golang.org/x/sys/unix"
 	"tailscale.com/cmd/tailscaled/childproc"
-	"tailscale.com/hostinfo"
 	"tailscale.com/tempfork/gliderlabs/ssh"
 	"tailscale.com/types/logger"
 	"tailscale.com/version/distro"
@@ -121,18 +120,10 @@ func (ss *sshSession) newIncubatorCommand() (cmd *exec.Cmd) {
 		if isShell {
 			incubatorArgs = append(incubatorArgs, "--shell")
 		}
-		// Only the macOS version of the login command supports executing a
-		// command, all other versions only support launching a shell
-		// without taking any arguments.
-		shouldUseLoginCmd := isShell || runtime.GOOS == "darwin"
-		if hostinfo.IsSELinuxEnforcing() {
-			// If we're running on a SELinux-enabled system, the login
-			// command will be unable to set the correct context for the
-			// shell. Fall back to using the incubator to launch the shell.
-			// See http://github.com/tailscale/tailscale/issues/4908.
-			shouldUseLoginCmd = false
-		}
-		if shouldUseLoginCmd {
+		if isShell || runtime.GOOS == "darwin" {
+			// Only the macOS version of the login command supports executing a
+			// command, all other versions only support launching a shell
+			// without taking any arguments.
 			if lp, err := exec.LookPath("login"); err == nil {
 				incubatorArgs = append(incubatorArgs, "--login-cmd="+lp)
 			}
@@ -476,10 +467,10 @@ func (ss *sshSession) launchProcess() error {
 	}
 	go resizeWindow(ptyDup /* arbitrary fd */, winCh)
 
-	ss.wrStdin = pty
-	ss.rdStdout = os.NewFile(uintptr(ptyDup), pty.Name())
-	ss.rdStderr = nil // not available for pty
-	ss.childPipes = []io.Closer{tty}
+	ss.tty = tty
+	ss.stdin = pty
+	ss.stdout = os.NewFile(uintptr(ptyDup), pty.Name())
+	ss.stderr = nil // not available for pty
 
 	return nil
 }
@@ -658,29 +649,40 @@ func (ss *sshSession) startWithPTY() (ptyFile, tty *os.File, err error) {
 
 // startWithStdPipes starts cmd with os.Pipe for Stdin, Stdout and Stderr.
 func (ss *sshSession) startWithStdPipes() (err error) {
-	var rdStdin, wrStdout, wrStderr io.ReadWriteCloser
+	var stdin io.WriteCloser
+	var stdout, stderr io.ReadCloser
 	defer func() {
 		if err != nil {
-			closeAll(rdStdin, ss.wrStdin, ss.rdStdout, wrStdout, ss.rdStderr, wrStderr)
+			for _, c := range []io.Closer{stdin, stdout, stderr} {
+				if c != nil {
+					c.Close()
+				}
+			}
 		}
 	}()
-	if ss.cmd == nil {
+	cmd := ss.cmd
+	if cmd == nil {
 		return errors.New("nil cmd")
 	}
-	if rdStdin, ss.wrStdin, err = os.Pipe(); err != nil {
+	stdin, err = cmd.StdinPipe()
+	if err != nil {
 		return err
 	}
-	if ss.rdStdout, wrStdout, err = os.Pipe(); err != nil {
+	stdout, err = cmd.StdoutPipe()
+	if err != nil {
 		return err
 	}
-	if ss.rdStderr, wrStderr, err = os.Pipe(); err != nil {
+	stderr, err = cmd.StderrPipe()
+	if err != nil {
 		return err
 	}
-	ss.cmd.Stdin = rdStdin
-	ss.cmd.Stdout = wrStdout
-	ss.cmd.Stderr = wrStderr
-	ss.childPipes = []io.Closer{rdStdin, wrStdout, wrStderr}
-	return ss.cmd.Start()
+	if err := cmd.Start(); err != nil {
+		return err
+	}
+	ss.stdin = stdin
+	ss.stdout = stdout
+	ss.stderr = stderr
+	return nil
 }
 
 func envForUser(u *userMeta) []string {

ssh/tailssh/tailssh.go

@@ -823,16 +823,12 @@ type sshSession struct {
 	agentListener net.Listener // non-nil if agent-forwarding requested+allowed
 
 	// initialized by launchProcess:
-	cmd      *exec.Cmd
-	wrStdin  io.WriteCloser
-	rdStdout io.ReadCloser
-	rdStderr io.ReadCloser // rdStderr is nil for pty sessions
-	ptyReq   *ssh.Pty      // non-nil for pty sessions
-
-	// childPipes is a list of pipes that need to be closed when the process exits.
-	// For pty sessions, this is the tty fd.
-	// For non-pty sessions, this is the stdin, stdout, stderr fds.
-	childPipes []io.Closer
+	cmd    *exec.Cmd
+	stdin  io.WriteCloser
+	stdout io.ReadCloser
+	stderr io.Reader // nil for pty sessions
+	ptyReq *ssh.Pty  // non-nil for pty sessions
+	tty    *os.File  // non-nil for pty sessions, must be closed after process exits
 
 	// We use this sync.Once to ensure that we only terminate the process once,
 	// either it exits itself or is terminated
@@ -1111,22 +1107,21 @@ func (ss *sshSession) run() {
 
 	var processDone atomic.Bool
 	go func() {
-		defer ss.wrStdin.Close()
-		if _, err := io.Copy(rec.writer("i", ss.wrStdin), ss); err != nil {
+		defer ss.stdin.Close()
+		if _, err := io.Copy(rec.writer("i", ss.stdin), ss); err != nil {
 			logf("stdin copy: %v", err)
 			ss.cancelCtx(err)
 		}
 	}()
-	outputDone := make(chan struct{})
 	var openOutputStreams atomic.Int32
-	if ss.rdStderr != nil {
+	if ss.stderr != nil {
 		openOutputStreams.Store(2)
 	} else {
 		openOutputStreams.Store(1)
 	}
 	go func() {
-		defer ss.rdStdout.Close()
-		_, err := io.Copy(rec.writer("o", ss), ss.rdStdout)
+		defer ss.stdout.Close()
+		_, err := io.Copy(rec.writer("o", ss), ss.stdout)
 		if err != nil && !errors.Is(err, io.EOF) {
 			isErrBecauseProcessExited := processDone.Load() && errors.Is(err, syscall.EIO)
 			if !isErrBecauseProcessExited {
@@ -1136,41 +1131,32 @@ func (ss *sshSession) run() {
 		}
 		if openOutputStreams.Add(-1) == 0 {
 			ss.CloseWrite()
-			close(outputDone)
 		}
 	}()
-	// rdStderr is nil for ptys.
-	if ss.rdStderr != nil {
+	// stderr is nil for ptys.
+	if ss.stderr != nil {
 		go func() {
-			defer ss.rdStderr.Close()
-			_, err := io.Copy(ss.Stderr(), ss.rdStderr)
+			_, err := io.Copy(ss.Stderr(), ss.stderr)
 			if err != nil {
 				logf("stderr copy: %v", err)
 			}
 			if openOutputStreams.Add(-1) == 0 {
 				ss.CloseWrite()
-				close(outputDone)
 			}
 		}()
 	}
 
+	if ss.tty != nil {
+		// If running a tty session, close the tty when the session is done.
+		defer ss.tty.Close()
+	}
 	err = ss.cmd.Wait()
 	processDone.Store(true)
-
 	// This will either make the SSH Termination goroutine be a no-op,
 	// or itself will be a no-op because the process was killed by the
 	// aforementioned goroutine.
 	ss.exitOnce.Do(func() {})
 
-	// Close the process-side of all pipes to signal the asynchronous
-	// io.Copy routines reading/writing from the pipes to terminate.
-	// Block for the io.Copy to finish before calling ss.Exit below.
-	closeAll(ss.childPipes...)
-	select {
-	case <-outputDone:
-	case <-ss.ctx.Done():
-	}
-
 	if err == nil {
 		ss.logf("Session complete")
 		ss.Exit(0)
@@ -1908,11 +1894,3 @@ type SSHTerminationError interface {
 	error
 	SSHTerminationMessage() string
 }
-
-func closeAll(cs ...io.Closer) {
-	for _, c := range cs {
-		if c != nil {
-			c.Close()
-		}
-	}
-}

ssh/tailssh/tailssh_test.go

@@ -25,7 +25,6 @@ import (
 	"os/user"
 	"reflect"
 	"runtime"
-	"strconv"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -948,19 +947,6 @@ func TestSSH(t *testing.T) {
 		// "foo\n" and "bar\n", not "\n" and "bar\n".
 	})
 
-	t.Run("large_file", func(t *testing.T) {
-		const wantSize = 1e6
-		var outBuf bytes.Buffer
-		cmd := execSSH("head", "-c", strconv.Itoa(wantSize), "/dev/zero")
-		cmd.Stdout = &outBuf
-		if err := cmd.Run(); err != nil {
-			t.Fatal(err)
-		}
-		if gotSize := outBuf.Len(); gotSize != wantSize {
-			t.Fatalf("got %d, want %d", gotSize, int(wantSize))
-		}
-	})
-
 	t.Run("stdin", func(t *testing.T) {
 		if cibuild.On() {
 			t.Skip("Skipping for now; see https://github.com/tailscale/tailscale/issues/4051")

syncs/shardedmap.go

@@ -1,111 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package syncs
-
-import (
-	"sync"
-
-	"golang.org/x/sys/cpu"
-)
-
-// ShardedMap is a synchronized map[K]V, internally sharded by a user-defined
-// K-sharding function.
-//
-// The zero value is not safe for use; use NewShardedMap.
-type ShardedMap[K comparable, V any] struct {
-	shardFunc func(K) int
-	shards    []mapShard[K, V]
-}
-
-type mapShard[K comparable, V any] struct {
-	mu sync.Mutex
-	m  map[K]V
-	_  cpu.CacheLinePad // avoid false sharing of neighboring shards' mutexes
-}
-
-// NewShardedMap returns a new ShardedMap with the given number of shards and
-// sharding function.
-//
-// The shard func must return a integer in the range [0, shards) purely
-// deterministically based on the provided K.
-func NewShardedMap[K comparable, V any](shards int, shard func(K) int) *ShardedMap[K, V] {
-	m := &ShardedMap[K, V]{
-		shardFunc: shard,
-		shards:    make([]mapShard[K, V], shards),
-	}
-	for i := range m.shards {
-		m.shards[i].m = make(map[K]V)
-	}
-	return m
-}
-
-func (m *ShardedMap[K, V]) shard(key K) *mapShard[K, V] {
-	return &m.shards[m.shardFunc(key)]
-}
-
-// GetOk returns m[key] and whether it was present.
-func (m *ShardedMap[K, V]) GetOk(key K) (value V, ok bool) {
-	shard := m.shard(key)
-	shard.mu.Lock()
-	defer shard.mu.Unlock()
-	value, ok = shard.m[key]
-	return
-}
-
-// Get returns m[key] or the zero value of V if key is not present.
-func (m *ShardedMap[K, V]) Get(key K) (value V) {
-	value, _ = m.GetOk(key)
-	return
-}
-
-// Set sets m[key] = value.
-//
-// It reports whether the map grew in size (that is, whether key was not already
-// present in m).
-func (m *ShardedMap[K, V]) Set(key K, value V) (grew bool) {
-	shard := m.shard(key)
-	shard.mu.Lock()
-	defer shard.mu.Unlock()
-	s0 := len(shard.m)
-	shard.m[key] = value
-	return len(shard.m) > s0
-}
-
-// Delete removes key from m.
-//
-// It reports whether the map size shrunk (that is, whether key was present in
-// the map).
-func (m *ShardedMap[K, V]) Delete(key K) (shrunk bool) {
-	shard := m.shard(key)
-	shard.mu.Lock()
-	defer shard.mu.Unlock()
-	s0 := len(shard.m)
-	delete(shard.m, key)
-	return len(shard.m) < s0
-}
-
-// Contains reports whether m contains key.
-func (m *ShardedMap[K, V]) Contains(key K) bool {
-	shard := m.shard(key)
-	shard.mu.Lock()
-	defer shard.mu.Unlock()
-	_, ok := shard.m[key]
-	return ok
-}
-
-// Len returns the number of elements in m.
-//
-// It does so by locking shards one at a time, so it's not particularly cheap,
-// nor does it give a consistent snapshot of the map. It's mostly intended for
-// metrics or testing.
-func (m *ShardedMap[K, V]) Len() int {
-	n := 0
-	for i := range m.shards {
-		shard := &m.shards[i]
-		shard.mu.Lock()
-		n += len(shard.m)
-		shard.mu.Unlock()
-	}
-	return n
-}

syncs/shardedmap_test.go

@@ -1,44 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package syncs
-
-import "testing"
-
-func TestShardedMap(t *testing.T) {
-	m := NewShardedMap[int, string](16, func(i int) int { return i % 16 })
-
-	if m.Contains(1) {
-		t.Errorf("got contains; want !contains")
-	}
-	if !m.Set(1, "one") {
-		t.Errorf("got !set; want set")
-	}
-	if m.Set(1, "one") {
-		t.Errorf("got set; want !set")
-	}
-	if !m.Contains(1) {
-		t.Errorf("got !contains; want contains")
-	}
-	if g, w := m.Get(1), "one"; g != w {
-		t.Errorf("got %q; want %q", g, w)
-	}
-	if _, ok := m.GetOk(1); !ok {
-		t.Errorf("got ok; want !ok")
-	}
-	if _, ok := m.GetOk(2); ok {
-		t.Errorf("got ok; want !ok")
-	}
-	if g, w := m.Len(), 1; g != w {
-		t.Errorf("got Len %v; want %v", g, w)
-	}
-	if m.Delete(2) {
-		t.Errorf("got deleted; want !deleted")
-	}
-	if !m.Delete(1) {
-		t.Errorf("got !deleted; want deleted")
-	}
-	if g, w := m.Len(), 0; g != w {
-		t.Errorf("got Len %v; want %v", g, w)
-	}
-}

tailcfg/tailcfg.go

@@ -3,7 +3,7 @@
 
 package tailcfg
 
-//go:generate go run tailscale.com/cmd/viewer --type=User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode,SSHRule,SSHAction,SSHPrincipal,ControlDialPlan,Location --clonefunc
+//go:generate go run tailscale.com/cmd/viewer --type=User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode,SSHRule,SSHAction,SSHPrincipal,ControlDialPlan --clonefunc
 
 import (
 	"bytes"
@@ -531,24 +531,6 @@ type Service struct {
 	// TODO(apenwarr): add "tags" here for each service?
 }
 
-// Location represents geographical location data about a
-// Tailscale host. Location is optional and only set if
-// explicitly declared by a node.
-type Location struct {
-	Country     string `json:",omitempty"` // User friendly country name, with proper capitalization ("Canada")
-	CountryCode string `json:",omitempty"` // ISO 3166-1 alpha-2 in upper case ("CA")
-	City        string `json:",omitempty"` // User friendly city name, with proper capitalization ("Squamish")
-	CityCode    string `json:",omitempty"` // TODO(charlotte): document
-
-	// Priority determines the priority an exit node is given when the
-	// location data between two or more nodes is tied.
-	// A higher value indicates that the exit node is more preferable
-	// for use.
-	// A value of 0 means the exit node does not have a priority
-	// preference. A negative int is not allowed.
-	Priority int `json:",omitempty"`
-}
-
 // Hostinfo contains a summary of a Tailscale host.
 //
 // Because it contains pointers (slices), this type should not be used
@@ -603,11 +585,6 @@ type Hostinfo struct {
 	Userspace       opt.Bool       `json:",omitempty"` // if the client is running in userspace (netstack) mode
 	UserspaceRouter opt.Bool       `json:",omitempty"` // if the client's subnet router is running in userspace (netstack) mode
 
-	// Location represents geographical location data about a
-	// Tailscale host. Location is optional and only set if
-	// explicitly declared by a node.
-	Location *Location `json:",omitempty"`
-
 	// NOTE: any new fields containing pointers in this type
 	//       require changes to Hostinfo.Equal.
 }

tailcfg/tailcfg_clone.go

@@ -119,10 +119,6 @@ func (src *Hostinfo) Clone() *Hostinfo {
 	dst.Services = append(src.Services[:0:0], src.Services...)
 	dst.NetInfo = src.NetInfo.Clone()
 	dst.SSH_HostKeys = append(src.SSH_HostKeys[:0:0], src.SSH_HostKeys...)
-	if dst.Location != nil {
-		dst.Location = new(Location)
-		*dst.Location = *src.Location
-	}
 	return dst
 }
 
@@ -161,7 +157,6 @@ var _HostinfoCloneNeedsRegeneration = Hostinfo(struct {
 	Cloud           string
 	Userspace       opt.Bool
 	UserspaceRouter opt.Bool
-	Location        *Location
 }{})
 
 // Clone makes a deep copy of NetInfo.
@@ -463,29 +458,9 @@ var _ControlDialPlanCloneNeedsRegeneration = ControlDialPlan(struct {
 	Candidates []ControlIPCandidate
 }{})
 
-// Clone makes a deep copy of Location.
-// The result aliases no memory with the original.
-func (src *Location) Clone() *Location {
-	if src == nil {
-		return nil
-	}
-	dst := new(Location)
-	*dst = *src
-	return dst
-}
-
-// A compilation failure here means this code must be regenerated, with the command at the top of this file.
-var _LocationCloneNeedsRegeneration = Location(struct {
-	Country     string
-	CountryCode string
-	City        string
-	CityCode    string
-	Priority    int
-}{})
-
 // Clone duplicates src into dst and reports whether it succeeded.
 // To succeed, <src, dst> must be of types <*T, *T> or <*T, **T>,
-// where T is one of User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode,SSHRule,SSHAction,SSHPrincipal,ControlDialPlan,Location.
+// where T is one of User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode,SSHRule,SSHAction,SSHPrincipal,ControlDialPlan.
 func Clone(dst, src any) bool {
 	switch src := src.(type) {
 	case *User:
@@ -614,15 +589,6 @@ func Clone(dst, src any) bool {
 			*dst = src.Clone()
 			return true
 		}
-	case *Location:
-		switch dst := dst.(type) {
-		case *Location:
-			*dst = *src.Clone()
-			return true
-		case **Location:
-			*dst = src.Clone()
-			return true
-		}
 	}
 	return false
 }

tailcfg/tailcfg_test.go

@@ -65,7 +65,6 @@ func TestHostinfoEqual(t *testing.T) {
 		"Cloud",
 		"Userspace",
 		"UserspaceRouter",
-		"Location",
 	}
 	if have := fieldsOf(reflect.TypeOf(Hostinfo{})); !reflect.DeepEqual(have, hiHandles) {
 		t.Errorf("Hostinfo.Equal check might be out of sync\nfields: %q\nhandled: %q\n",

tailcfg/tailcfg_view.go

@@ -20,7 +20,7 @@ import (
 	"tailscale.com/types/views"
 )
 
-//go:generate go run tailscale.com/cmd/cloner  -clonefunc=true -type=User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode,SSHRule,SSHAction,SSHPrincipal,ControlDialPlan,Location
+//go:generate go run tailscale.com/cmd/cloner  -clonefunc=true -type=User,Node,Hostinfo,NetInfo,Login,DNSConfig,RegisterResponse,DERPRegion,DERPMap,DERPNode,SSHRule,SSHAction,SSHPrincipal,ControlDialPlan
 
 // View returns a readonly view of User.
 func (p *User) View() UserView {
@@ -303,15 +303,7 @@ func (v HostinfoView) SSH_HostKeys() views.Slice[string] { return views.SliceOf(
 func (v HostinfoView) Cloud() string                     { return v.ж.Cloud }
 func (v HostinfoView) Userspace() opt.Bool               { return v.ж.Userspace }
 func (v HostinfoView) UserspaceRouter() opt.Bool         { return v.ж.UserspaceRouter }
-func (v HostinfoView) Location() *Location {
-	if v.ж.Location == nil {
-		return nil
-	}
-	x := *v.ж.Location
-	return &x
-}
-
-func (v HostinfoView) Equal(v2 HostinfoView) bool { return v.ж.Equal(v2.ж) }
+func (v HostinfoView) Equal(v2 HostinfoView) bool        { return v.ж.Equal(v2.ж) }
 
 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _HostinfoViewNeedsRegeneration = Hostinfo(struct {
@@ -348,7 +340,6 @@ var _HostinfoViewNeedsRegeneration = Hostinfo(struct {
 	Cloud           string
 	Userspace       opt.Bool
 	UserspaceRouter opt.Bool
-	Location        *Location
 }{})
 
 // View returns a readonly view of NetInfo.
@@ -1086,63 +1077,3 @@ func (v ControlDialPlanView) Candidates() views.Slice[ControlIPCandidate] {
 var _ControlDialPlanViewNeedsRegeneration = ControlDialPlan(struct {
 	Candidates []ControlIPCandidate
 }{})
-
-// View returns a readonly view of Location.
-func (p *Location) View() LocationView {
-	return LocationView{ж: p}
-}
-
-// LocationView provides a read-only view over Location.
-//
-// Its methods should only be called if `Valid()` returns true.
-type LocationView struct {
-	// ж is the underlying mutable value, named with a hard-to-type
-	// character that looks pointy like a pointer.
-	// It is named distinctively to make you think of how dangerous it is to escape
-	// to callers. You must not let callers be able to mutate it.
-	ж *Location
-}
-
-// Valid reports whether underlying value is non-nil.
-func (v LocationView) Valid() bool { return v.ж != nil }
-
-// AsStruct returns a clone of the underlying value which aliases no memory with
-// the original.
-func (v LocationView) AsStruct() *Location {
-	if v.ж == nil {
-		return nil
-	}
-	return v.ж.Clone()
-}
-
-func (v LocationView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
-
-func (v *LocationView) UnmarshalJSON(b []byte) error {
-	if v.ж != nil {
-		return errors.New("already initialized")
-	}
-	if len(b) == 0 {
-		return nil
-	}
-	var x Location
-	if err := json.Unmarshal(b, &x); err != nil {
-		return err
-	}
-	v.ж = &x
-	return nil
-}
-
-func (v LocationView) Country() string     { return v.ж.Country }
-func (v LocationView) CountryCode() string { return v.ж.CountryCode }
-func (v LocationView) City() string        { return v.ж.City }
-func (v LocationView) CityCode() string    { return v.ж.CityCode }
-func (v LocationView) Priority() int       { return v.ж.Priority }
-
-// A compilation failure here means this code must be regenerated, with the command at the top of this file.
-var _LocationViewNeedsRegeneration = Location(struct {
-	Country     string
-	CountryCode string
-	City        string
-	CityCode    string
-	Priority    int
-}{})

tka/deeplink.go

@@ -18,68 +18,6 @@ const (
 	DeeplinkCommandSign        = "sign-device"
 )
 
-// generateHMAC computes a SHA-256 HMAC for the concatenation of components,
-// using the Authority stateID as secret.
-func (a *Authority) generateHMAC(params NewDeeplinkParams) []byte {
-	stateID, _ := a.StateIDs()
-
-	key := make([]byte, 8)
-	binary.LittleEndian.PutUint64(key, stateID)
-	mac := hmac.New(sha256.New, key)
-	mac.Write([]byte(params.NodeKey))
-	mac.Write([]byte(params.TLPub))
-	mac.Write([]byte(params.DeviceName))
-	mac.Write([]byte(params.OSName))
-	mac.Write([]byte(params.LoginName))
-	return mac.Sum(nil)
-}
-
-type NewDeeplinkParams struct {
-	NodeKey    string
-	TLPub      string
-	DeviceName string
-	OSName     string
-	LoginName  string
-}
-
-// NewDeeplink creates a signed deeplink using the authority's stateID as a
-// secret. This deeplink can then be validated by ValidateDeeplink.
-func (a *Authority) NewDeeplink(params NewDeeplinkParams) (string, error) {
-	if params.NodeKey == "" || !strings.HasPrefix(params.NodeKey, "nodekey:") {
-		return "", fmt.Errorf("invalid node key %q", params.NodeKey)
-	}
-	if params.TLPub == "" || !strings.HasPrefix(params.TLPub, "tlpub:") {
-		return "", fmt.Errorf("invalid tlpub %q", params.TLPub)
-	}
-	if params.DeviceName == "" {
-		return "", fmt.Errorf("invalid device name %q", params.DeviceName)
-	}
-	if params.OSName == "" {
-		return "", fmt.Errorf("invalid os name %q", params.OSName)
-	}
-	if params.LoginName == "" {
-		return "", fmt.Errorf("invalid login name %q", params.LoginName)
-	}
-
-	u := url.URL{
-		Scheme: DeeplinkTailscaleURLScheme,
-		Host:   DeeplinkCommandSign,
-		Path:   "/v1/",
-	}
-	v := url.Values{}
-	v.Set("nk", params.NodeKey)
-	v.Set("tp", params.TLPub)
-	v.Set("dn", params.DeviceName)
-	v.Set("os", params.OSName)
-	v.Set("em", params.LoginName)
-
-	hmac := a.generateHMAC(params)
-	v.Set("hm", hex.EncodeToString(hmac))
-
-	u.RawQuery = v.Encode()
-	return u.String(), nil
-}
-
 type DeeplinkValidationResult struct {
 	IsValid      bool
 	Error        string
@@ -91,6 +29,18 @@ type DeeplinkValidationResult struct {
 	EmailAddress string
 }
 
+// GenerateHMAC computes a SHA-256 HMAC for the concatenation of components, using
+// stateID as secret.
+func generateHMAC(stateID uint64, components []string) []byte {
+	key := make([]byte, 8)
+	binary.LittleEndian.PutUint64(key, stateID)
+	mac := hmac.New(sha256.New, key)
+	for _, component := range components {
+		mac.Write([]byte(component))
+	}
+	return mac.Sum(nil)
+}
+
 // ValidateDeeplink validates a device signing deeplink using the authority's stateID.
 // The input urlString follows this structure:
 //
@@ -190,13 +140,9 @@ func (a *Authority) ValidateDeeplink(urlString string) DeeplinkValidationResult
 		}
 	}
 
-	computedHMAC := a.generateHMAC(NewDeeplinkParams{
-		NodeKey:    nodeKey,
-		TLPub:      tlPub,
-		DeviceName: deviceName,
-		OSName:     osName,
-		LoginName:  emailAddress,
-	})
+	components := []string{nodeKey, tlPub, deviceName, osName, emailAddress}
+	stateID1, _ := a.StateIDs()
+	computedHMAC := generateHMAC(stateID1, components)
 
 	hmacHexBytes, err := hex.DecodeString(hmacString)
 	if err != nil {

tka/deeplink_test.go

@@ -1,52 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package tka
-
-import (
-	"testing"
-)
-
-func TestGenerateDeeplink(t *testing.T) {
-	pub, _ := testingKey25519(t, 1)
-	key := Key{Kind: Key25519, Public: pub, Votes: 2}
-	c := newTestchain(t, `
-        G1 -> L1
-
-        G1.template = genesis
-    `,
-		optTemplate("genesis", AUM{MessageKind: AUMCheckpoint, State: &State{
-			Keys:               []Key{key},
-			DisablementSecrets: [][]byte{DisablementKDF([]byte{1, 2, 3})},
-		}}),
-	)
-	a, _ := Open(c.Chonk())
-
-	nodeKey := "nodekey:1234567890"
-	tlPub := "tlpub:1234567890"
-	deviceName := "Example Device"
-	osName := "iOS"
-	loginName := "insecure@example.com"
-
-	deeplink, err := a.NewDeeplink(NewDeeplinkParams{
-		NodeKey:    nodeKey,
-		TLPub:      tlPub,
-		DeviceName: deviceName,
-		OSName:     osName,
-		LoginName:  loginName,
-	})
-	if err != nil {
-		t.Errorf("deeplink generation failed: %v", err)
-	}
-
-	res := a.ValidateDeeplink(deeplink)
-	if !res.IsValid {
-		t.Errorf("deeplink validation failed: %s", res.Error)
-	}
-	if res.NodeKey != nodeKey {
-		t.Errorf("node key mismatch: %s != %s", res.NodeKey, nodeKey)
-	}
-	if res.TLPub != tlPub {
-		t.Errorf("tlpub mismatch: %s != %s", res.TLPub, tlPub)
-	}
-}

tool/gocross/gocross-wrapper.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/usr/bin/env sh
 # Copyright (c) Tailscale Inc & AUTHORS
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -6,9 +6,9 @@
 # transparently builds gocross using a "bootstrap" Go toolchain, and
 # then invokes gocross.
 
-set -euo pipefail
+set -eu
 
-if [[ "${CI:-}" == "true" ]]; then
+if [ "${CI:-}" = "true" ]; then
     set -x
 fi
 
@@ -17,7 +17,7 @@ fi
 # accidentally mutate the input environment that will get passed to gocross at
 # the bottom of this script.
 (
-repo_root="${BASH_SOURCE%/*}/../.."
+repo_root="$(dirname $0)/../.."
 
 # Figuring out if gocross needs a rebuild, as well as the rebuild itself, need
 # to happen with CWD inside this repo. Since we're in a subshell entirely
@@ -28,21 +28,16 @@ cd "$repo_root"
 
 toolchain="$HOME/.cache/tailscale-go"
 
-if [[ -d "$toolchain" ]]; then
+if [ -d "$toolchain" ]; then
     # A toolchain exists, but is it recent enough to compile gocross? If not,
     # wipe it out so that the next if block fetches a usable one.
     want_go_minor=$(grep -E '^go ' "go.mod" | cut -f2 -d'.')
-    have_go_minor=$(head -1 "$toolchain/VERSION" | cut -f2 -d'.')
-    # Shortly before stable releases, we run release candidate
-    # toolchains, which have a non-numeric suffix on the version
-    # number. Remove the rc qualifier, we just care about the minor
-    # version.
-    have_go_minor="${have_go_minor%rc*}"
-    if [[ -z "$have_go_minor" || "$have_go_minor" -lt "$want_go_minor" ]]; then
+    have_go_minor=$(cut -f2 -d'.' <$toolchain/VERSION)
+    if [ -z "$have_go_minor" -o "$have_go_minor" -lt "$want_go_minor" ]; then
         rm -rf "$toolchain" "$toolchain.extracted"
     fi
 fi
-if [[ ! -d "$toolchain" ]]; then
+if [ ! -d "$toolchain" ]; then
     mkdir -p "$HOME/.cache"
 
     # We need any Go toolchain to build gocross, but the toolchain also has to
@@ -61,10 +56,10 @@ if [[ ! -d "$toolchain" ]]; then
         # (we do not build tailscale-go for other targets).
         HOST_OS=$(uname -s | tr A-Z a-z)
         HOST_ARCH="$(uname -m)"
-        if [[ "$HOST_ARCH" == "aarch64" ]]; then
+        if [ "$HOST_ARCH" = "aarch64" ]; then
             # Go uses the name "arm64".
             HOST_ARCH="arm64"
-        elif [[ "$HOST_ARCH" == "x86_64" ]]; then
+        elif [ "$HOST_ARCH" = "x86_64" ]; then
             # Go uses the name "amd64".
             HOST_ARCH="amd64"
         fi
@@ -88,13 +83,13 @@ fi
 gocross_path="gocross"
 gocross_ok=0
 wantver="$(git rev-parse HEAD)"
-if [[ -x "$gocross_path" ]]; then
+if [ -x "$gocross_path" ]; then
 	gotver="$($gocross_path gocross-version 2>/dev/null || echo '')"
-	if [[ "$gotver" == "$wantver" ]]; then
+	if [ "$gotver" = "$wantver" ]; then
 		gocross_ok=1
 	fi
 fi
-if [[ "$gocross_ok" == "0" ]]; then
+if [ "$gocross_ok" = "0" ]; then
     unset GOOS
     unset GOARCH
     unset GO111MODULE
@@ -104,4 +99,4 @@ if [[ "$gocross_ok" == "0" ]]; then
 fi
 ) # End of the subshell execution.
 
-exec "${BASH_SOURCE%/*}/../../gocross" "$@"
+exec "$(dirname $0)/../../gocross" "$@"

tsnet/tsnet.go

@@ -80,7 +80,7 @@ type Server struct {
 	// If nil, a new FileStore is initialized at `Dir/tailscaled.state`.
 	// See tailscale.com/ipn/store for supported stores.
 	//
-	// Logs will automatically be uploaded to log.tailscale.io,
+	// Logs will automatically be uploaded to uploaded to log.tailscale.io,
 	// where the configuration file for logging will be saved at
 	// `Dir/tailscaled.log.conf`.
 	Store ipn.StateStore

types/key/node.go

@@ -142,6 +142,26 @@ func (k NodePrivate) OpenFrom(p NodePublic, ciphertext []byte) (cleartext []byte
 	return box.Open(nil, ciphertext[len(nonce):], nonce, &p.k, &k.k)
 }
 
+// SealAnonymous seals the cleartext to the node key k.
+func (k NodePublic) SealAnonymous(cleartext []byte) (ciphertext []byte, err error) {
+	if k.IsZero() {
+		panic("can't seal with zero keys")
+	}
+	return box.SealAnonymous(nil, cleartext, &k.k, nil)
+}
+
+// OpenAnonymous opens the anonymous NaCl box ciphertext, which must be a value
+// created by SealAnonymous, and returns the inner cleartext if ciphertext is
+// a valid box to k.
+func (k NodePrivate) OpenAnonymous(ciphertext []byte) (cleartext []byte, ok bool) {
+	if k.IsZero() {
+		panic("can't open with zero keys")
+	}
+
+	p := k.Public()
+	return box.OpenAnonymous(nil, ciphertext, &p.k, &k.k)
+}
+
 func (k NodePrivate) UntypedHexString() string {
 	return hex.EncodeToString(k.k[:])
 }

types/views/views.go

@@ -75,15 +75,6 @@ func (v SliceView[T, V]) Len() int { return len(v.ж) }
 // At returns a View of the element at index `i` of the slice.
 func (v SliceView[T, V]) At(i int) V { return v.ж[i].View() }
 
-// SliceFrom returns v[i:].
-func (v SliceView[T, V]) SliceFrom(i int) SliceView[T, V] { return SliceView[T, V]{v.ж[i:]} }
-
-// SliceTo returns v[:i]
-func (v SliceView[T, V]) SliceTo(i int) SliceView[T, V] { return SliceView[T, V]{v.ж[:i]} }
-
-// Slice returns v[i:j]
-func (v SliceView[T, V]) Slice(i, j int) SliceView[T, V] { return SliceView[T, V]{v.ж[i:j]} }
-
 // AppendTo appends the underlying slice values to dst.
 func (v SliceView[T, V]) AppendTo(dst []V) []V {
 	for _, x := range v.ж {
@@ -131,15 +122,6 @@ func (v Slice[T]) Len() int { return len(v.ж) }
 // At returns the element at index `i` of the slice.
 func (v Slice[T]) At(i int) T { return v.ж[i] }
 
-// SliceFrom returns v[i:].
-func (v Slice[T]) SliceFrom(i int) Slice[T] { return Slice[T]{v.ж[i:]} }
-
-// SliceTo returns v[:i]
-func (v Slice[T]) SliceTo(i int) Slice[T] { return Slice[T]{v.ж[:i]} }
-
-// Slice returns v[i:j]
-func (v Slice[T]) Slice(i, j int) Slice[T] { return Slice[T]{v.ж[i:j]} }
-
 // AppendTo appends the underlying slice values to dst.
 func (v Slice[T]) AppendTo(dst []T) []T {
 	return append(dst, v.ж...)

types/views/views_test.go

@@ -128,13 +128,4 @@ func TestViewUtils(t *testing.T) {
 	c.Check(SliceEqualAnyOrder(v, SliceOf([]string{"bar", "foo"})), qt.Equals, true)
 	c.Check(SliceEqualAnyOrder(v, SliceOf([]string{"foo"})), qt.Equals, false)
 	c.Check(SliceEqualAnyOrder(SliceOf([]string{"a", "a", "b"}), SliceOf([]string{"a", "b", "b"})), qt.Equals, false)
-
-	c.Check(SliceEqualAnyOrder(
-		SliceOf([]string{"a", "b", "c"}).SliceFrom(1),
-		SliceOf([]string{"b", "c"})),
-		qt.Equals, true)
-	c.Check(SliceEqualAnyOrder(
-		SliceOf([]string{"a", "b", "c"}).Slice(1, 2),
-		SliceOf([]string{"b", "c"}).SliceTo(1)),
-		qt.Equals, true)
 }

util/goroutines/goroutines.go

@@ -11,16 +11,15 @@ import (
 	"strconv"
 )
 
-// ScrubbedGoroutineDump returns either the current goroutine's stack or all
-// goroutines' stacks, but with the actual values of arguments scrubbed out,
-// lest it contain some private key material.
-func ScrubbedGoroutineDump(all bool) []byte {
+// ScrubbedGoroutineDump returns the list of all current goroutines, but with the actual
+// values of arguments scrubbed out, lest it contain some private key material.
+func ScrubbedGoroutineDump() []byte {
 	var buf []byte
 	// Grab stacks multiple times into increasingly larger buffer sizes
 	// to minimize the risk that we blow past our iOS memory limit.
 	for size := 1 << 10; size <= 1<<20; size += 1 << 10 {
 		buf = make([]byte, size)
-		buf = buf[:runtime.Stack(buf, all)]
+		buf = buf[:runtime.Stack(buf, true)]
 		if len(buf) < size {
 			// It fit.
 			break

util/goroutines/goroutines_test.go

@@ -6,7 +6,7 @@ package goroutines
 import "testing"
 
 func TestScrubbedGoroutineDump(t *testing.T) {
-	t.Logf("Got:\n%s\n", ScrubbedGoroutineDump(true))
+	t.Logf("Got:\n%s\n", ScrubbedGoroutineDump())
 }
 
 func TestScrubHex(t *testing.T) {

wgengine/magicsock/magicsock.go

@@ -2306,6 +2306,25 @@ func (c *Conn) handleDiscoMessage(msg []byte, src netip.AddrPort, derpNodeSrc ke
 			ep.publicKey.ShortString(), derpStr(src.String()),
 			len(dm.MyNumber))
 		go ep.handleCallMeMaybe(dm)
+	case *disco.Knock:
+		metricRecvDiscoKnock.Add(1)
+		if isDERP {
+			metricRecvDiscoKnockBadDisco.Add(1)
+			c.logf("[unexpected] Knock packets should only come via LAN")
+			return
+		}
+		c.handleKnockLocked(dm, src, di)
+	case *disco.KnockReply:
+		metricRecvDiscoKnockReply.Add(1)
+		if isDERP {
+			metricRecvDiscoKnockReplyBadDisco.Add(1)
+			c.logf("[unexpected] Knock reply packets should only come via LAN")
+			return
+		}
+		c.logf("magicsock: disco: got knock reply %v from %v", dm, src)
+		c.peerMap.forEachEndpointWithDiscoKey(sender, func(ep *endpoint) (keepGoing bool) {
+			return !ep.handleKnockReplyLocked(dm, src, di)
+		})
 	}
 	return
 }
@@ -2348,6 +2367,114 @@ func (c *Conn) unambiguousNodeKeyOfPingLocked(dm *disco.Ping, dk key.DiscoPublic
 	return nk, false
 }
 
+// handleKnockReplyLocked handles a DISCO Knock Reply message. If the nonce is
+// correct, the callback for the pending knock is invoked.
+//
+// True is returned if this endpoint handled the nonce.
+//
+// di is the discoInfo of the source of the knock packet.
+func (de *endpoint) handleKnockReplyLocked(dm *disco.KnockReply, src netip.AddrPort, di *discoInfo) bool {
+	de.mu.Lock()
+	defer de.mu.Unlock()
+
+	if de.pendingKnock == nil || !bytes.Equal(dm.Nonce[:], de.pendingKnock.nonce[:]) {
+		return false
+	}
+
+	// From this point on, nonce is correct
+	cb := de.pendingKnock.cb
+	de.pendingKnock = nil
+	go cb(nil)
+	return true
+}
+
+// handleKnockLocked handles a DISCO Knock message. If the recieved packet
+// is in order, a response is sent containing the unwrapped nonce.
+//
+// di is the discoInfo of the source of the knock packet.
+func (c *Conn) handleKnockLocked(dm *disco.Knock, src netip.AddrPort, di *discoInfo) {
+	// TODO(tom): Filter to LAN-only sources
+
+	nonceBytes, ok := c.privateKey.OpenAnonymous(dm.SealedNonce[:])
+	if !ok {
+		metricRecvDiscoKnockBadSeal.Add(1)
+		c.logf("magicsock: disco: dropping bad knock from %v", src)
+		return
+	}
+
+	var nonce [8]byte
+	copy(nonce[:], nonceBytes)
+
+	c.peerMap.forEachEndpointWithDiscoKey(di.discoKey, func(ep *endpoint) (keepGoing bool) {
+		go c.sendDiscoMessage(src, ep.publicKey, di.discoKey, &disco.KnockReply{
+			Nonce: nonce,
+		}, discoVerboseLog)
+		return true
+	})
+}
+
+// Knock handles a request to knock a specific peer.
+func (c *Conn) Knock(addr netip.AddrPort, peer *tailcfg.Node, cb func(error)) {
+	if runtime.GOOS == "js" {
+		cb(errors.New("no direct over tsconnect"))
+		return
+	}
+
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if c.privateKey.IsZero() {
+		cb(errNetworkDown)
+		return
+	}
+
+	ep, ok := c.peerMap.endpointForNodeKey(peer.Key)
+	if !ok {
+		cb(errors.New("unknown peer"))
+		return
+	}
+	ep.knock(addr, cb)
+}
+
+func (de *endpoint) knock(addr netip.AddrPort, cb func(error)) {
+	de.mu.Lock()
+	defer de.mu.Unlock()
+
+	if de.expired {
+		cb(errExpired)
+		return
+	}
+	epDisco := de.disco.Load()
+	if epDisco == nil {
+		cb(errors.New("no disco key"))
+		return
+	}
+
+	var nonce [8]byte
+	if _, err := crand.Read(nonce[:]); err != nil {
+		panic(err) // worth dying for
+	}
+	sealed, err := de.publicKey.SealAnonymous(nonce[:])
+	if err != nil {
+		cb(err)
+		return
+	}
+
+	if de.pendingKnock != nil {
+		de.pendingKnock.cb(errors.New("superceded"))
+	}
+	de.pendingKnock = &pendingKnock{addr, cb, nonce}
+
+	go func() {
+		knock := disco.Knock{}
+		copy(knock.SealedNonce[:], sealed)
+		sent, _ := de.c.sendDiscoMessage(addr, de.publicKey, epDisco.key, &knock, discoVerboseLog)
+		if !sent {
+			panic("not sent")
+		}
+	}()
+	de.noteActiveLocked()
+}
+
 // di is the discoInfo of the source of the ping.
 // derpNodeSrc is non-zero if the ping arrived via DERP.
 func (c *Conn) handlePingLocked(dm *disco.Ping, src netip.AddrPort, di *discoInfo, derpNodeSrc key.NodePublic) {
@@ -4141,6 +4268,8 @@ type endpoint struct {
 
 	pendingCLIPings []pendingCLIPing // any outstanding "tailscale ping" commands running
 
+	pendingKnock *pendingKnock // any outstanding knock challenge, if any
+
 	// The following fields are related to the new "silent disco"
 	// implementation that's a WIP as of 2022-10-20.
 	// See #540 for background.
@@ -4156,6 +4285,12 @@ type pendingCLIPing struct {
 	cb  func(*ipnstate.PingResult)
 }
 
+type pendingKnock struct {
+	addr  netip.AddrPort
+	cb    func(error)
+	nonce [8]byte
+}
+
 const (
 	// sessionActiveTimeout is how long since the last activity we
 	// try to keep an established endpoint peering alive.
@@ -5269,6 +5404,7 @@ func (de *endpoint) stopAndReset() {
 		de.heartBeatTimer = nil
 	}
 	de.pendingCLIPings = nil
+	de.pendingKnock = nil
 }
 
 // resetLocked clears all the endpoint's p2p state, reverting it to a
@@ -5468,6 +5604,11 @@ var (
 	metricRecvDiscoCallMeMaybe         = clientmetric.NewCounter("magicsock_disco_recv_callmemaybe")
 	metricRecvDiscoCallMeMaybeBadNode  = clientmetric.NewCounter("magicsock_disco_recv_callmemaybe_bad_node")
 	metricRecvDiscoCallMeMaybeBadDisco = clientmetric.NewCounter("magicsock_disco_recv_callmemaybe_bad_disco")
+	metricRecvDiscoKnock               = clientmetric.NewCounter("magicsock_disco_recv_knock")
+	metricRecvDiscoKnockBadDisco       = clientmetric.NewCounter("magicsock_disco_recv_knock_bad_disco")
+	metricRecvDiscoKnockBadSeal        = clientmetric.NewCounter("magicsock_disco_recv_knock_bad_seal")
+	metricRecvDiscoKnockReply          = clientmetric.NewCounter("magicsock_disco_recv_knock_reply")
+	metricRecvDiscoKnockReplyBadDisco  = clientmetric.NewCounter("magicsock_disco_recv_knock_reply_bad_disco")
 	metricRecvDiscoDERPPeerNotHere     = clientmetric.NewCounter("magicsock_disco_recv_derp_peer_not_here")
 	metricRecvDiscoDERPPeerGoneUnknown = clientmetric.NewCounter("magicsock_disco_recv_derp_peer_gone_unknown")
 	// metricDERPHomeChange is how many times our DERP home region DI has

wgengine/magicsock/magicsock_linux.go

@@ -303,11 +303,11 @@ func trySetSocketBuffer(pconn nettype.PacketConn, logf logger.Logf) {
 			rc.Control(func(fd uintptr) {
 				errRcv = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_RCVBUFFORCE, socketBufferSize)
 				if errRcv != nil {
-					logf("magicsock: [warning] failed to force-set UDP read buffer size to %d: %v; using kernel default values (impacts throughput only)", socketBufferSize, errRcv)
+					logf("magicsock: failed to force-set UDP read buffer size to %d: %v", socketBufferSize, errRcv)
 				}
 				errSnd = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_SNDBUFFORCE, socketBufferSize)
 				if errSnd != nil {
-					logf("magicsock: [warning] failed to force-set UDP write buffer size to %d: %v; using kernel default values (impacts throughput only)", socketBufferSize, errSnd)
+					logf("magicsock: failed to force-set UDP write buffer size to %d: %v", socketBufferSize, errSnd)
 				}
 			})
 		}

wgengine/magicsock/magicsock_test.go

@@ -2908,3 +2908,64 @@ func TestAddrForSendLockedForWireGuardOnly(t *testing.T) {
 		}
 	}
 }
+
+func TestDiscoKnock(t *testing.T) {
+	mstun := &natlab.Machine{Name: "stun"}
+	m1 := &natlab.Machine{Name: "m1"}
+	m2 := &natlab.Machine{Name: "m2"}
+	inet := natlab.NewInternet()
+	sif := mstun.Attach("eth0", inet)
+	m1if := m1.Attach("eth0", inet)
+	m2if := m2.Attach("eth0", inet)
+
+	d := &devices{
+		m1:     m1,
+		m1IP:   m1if.V4(),
+		m2:     m2,
+		m2IP:   m2if.V4(),
+		stun:   mstun,
+		stunIP: sif.V4(),
+	}
+
+	logf, closeLogf := logger.LogfCloser(t.Logf)
+	defer closeLogf()
+
+	derpMap, cleanup := runDERPAndStun(t, logf, d.stun, d.stunIP)
+	defer cleanup()
+
+	ms1 := newMagicStack(t, logger.WithPrefix(logf, "conn1: "), d.m1, derpMap)
+	defer ms1.Close()
+	ms2 := newMagicStack(t, logger.WithPrefix(logf, "conn2: "), d.m2, derpMap)
+	defer ms2.Close()
+
+	cleanup = meshStacks(t.Logf, nil, ms1, ms2)
+	defer cleanup()
+
+	// Wait for both peers to know about each other.
+	for {
+		if s1 := ms1.Status(); len(s1.Peer) != 1 {
+			time.Sleep(10 * time.Millisecond)
+			continue
+		}
+		if s2 := ms2.Status(); len(s2.Peer) != 1 {
+			time.Sleep(10 * time.Millisecond)
+			continue
+		}
+		break
+	}
+
+	cbErr := make(chan error, 1)
+	ms1.conn.Knock(netip.AddrPortFrom(m2if.V4(), ms2.conn.pconn4.LocalAddr().AddrPort().Port()), &tailcfg.Node{Key: ms2.privateKey.Public()}, func(err error) {
+		cbErr <- err
+	})
+
+	select {
+	case err := <-cbErr:
+		if err != nil {
+			t.Errorf("Knock failed: %v", err)
+		}
+
+	case <-time.After(2 * time.Second):
+		t.Error("timeout waiting for knock callback")
+	}
+}

words/scales.txt

@@ -27,7 +27,6 @@ alligator
 butterfly
 iguana
 pineapplefish
-pinecone
 anaconda
 puffin
 cardassian