authorJason A. Donenfeld <Jason@zx2c4.com>2021-10-29 15:15:51 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2021-10-29 21:09:26 +0200
commit203494e8761132334b366a38a1463992c8b1e8a1 (patch)
tree4e66cc7a6c11dc4a0d840263c201fbc419ded3ed
parentservices: mark win7 code the same as elsewhere (diff)
fetcher,winhttp: force TLS 1.2 on Win 8.0 and 7
On ancient Windows, we must opt in to using TLS 1.2. Otherwise it only allows for TLS 1.0. And of course there's no TLS 1.3 support there at all. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-rw-r--r--installer/fetcher/fetcher.c6
-rw-r--r--installer/fetcher/systeminfo.c7
-rw-r--r--installer/fetcher/systeminfo.h1
-rw-r--r--updater/winhttp/syscall_windows.go10
-rw-r--r--updater/winhttp/winhttp.go15
5 files changed, 38 insertions, 1 deletions
diff --git a/installer/fetcher/fetcher.c b/installer/fetcher/fetcher.c
index 8253b16d..7392fb59 100644
--- a/installer/fetcher/fetcher.c
+++ b/installer/fetcher/fetcher.c
@@ -114,6 +114,12 @@ static DWORD __stdcall download_thread(void *param)
if (!session)
goto out;
WinHttpSetOption(session, WINHTTP_OPTION_ENABLE_HTTP_PROTOCOL, &enable_http2, sizeof(enable_http2)); // Don't check return value, in case of old Windows
+ if (is_win8dotzero_or_below()) {
+ DWORD enable_tls12 = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
+ if (!WinHttpSetOption(session, WINHTTP_OPTION_SECURE_PROTOCOLS, &enable_tls12, sizeof(enable_tls12)))
+ goto out;
+ }
+
connection = WinHttpConnect(session, L(server), port, 0);
if (!connection)
goto out;
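Review bot: The new block treats a failed WinHttpSetOption as fatal (`goto out`) while the HTTP/2 option one line above is deliberately left unchecked, and nothing in the hunk says why the asymmetry is intended; a short comment would keep a later cleanup from "harmonising" the two in the wrong direction, e.g. `/* Fatal on failure: without this opt-in these systems would only negotiate TLS 1.0 */`. Note that the gate here is the C `is_win8dotzero_or_below()`, which as written in systeminfo.c is narrower than the Go `isWin8DotZeroOrBelow` added in the same commit. download_thread starts before the hunk and continues after it.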
diff --git a/installer/fetcher/systeminfo.c b/installer/fetcher/systeminfo.c
index 0132196a..3753965e 100644
--- a/installer/fetcher/systeminfo.c
+++ b/installer/fetcher/systeminfo.c
@@ -65,3 +65,10 @@ bool is_win7(void)
RtlGetNtVersionNumbers(&maj, &min, &build);
return maj == 6 && min == 1;
}
+
+bool is_win8dotzero_or_below(void)
+{
+ DWORD maj, min, build;
+ RtlGetNtVersionNumbers(&maj, &min, &build);
+ return maj == 6 && min <= 2;
+}
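Review bot: `is_win8dotzero_or_below` returns false for any major version below 6, whereas the Go `isWin8DotZeroOrBelow` added in updater/winhttp/winhttp.go by this same commit includes `maj < 6`, so the two helpers disagree on pre-Vista version numbers. This follows the existing `is_win7` shape in this file and may be deliberate if the installer never runs there, but the difference deserves either an aligned predicate `return maj < 6 || (maj == 6 && min <= 2);` or a comment above the definition stating the supported minimum so the "or below" in the name is not misread.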
diff --git a/installer/fetcher/systeminfo.h b/installer/fetcher/systeminfo.h
index 12c3444a..bcb2ab9e 100644
--- a/installer/fetcher/systeminfo.h
+++ b/installer/fetcher/systeminfo.h
@@ -11,5 +11,6 @@
const char *architecture(void);
const char *useragent(void);
bool is_win7(void);
+bool is_win8dotzero_or_below(void);
#endif
diff --git a/updater/winhttp/syscall_windows.go b/updater/winhttp/syscall_windows.go
index 77e733e6..90a5daea 100644
--- a/updater/winhttp/syscall_windows.go
+++ b/updater/winhttp/syscall_windows.go
@@ -256,6 +256,16 @@ const (
_INTERNET_SCHEME_FTP = 3
_INTERNET_SCHEME_SOCKS = 4
+ _WINHTTP_FLAG_SECURE_PROTOCOL_SSL2 = 0x00000008
+ _WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 = 0x00000020
+ _WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 = 0x00000080
+ _WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 = 0x00000200
+ _WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 = 0x00000800
+ _WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3 = 0x00002000
+ _WINHTTP_FLAG_SECURE_PROTOCOL_ALL = _WINHTTP_FLAG_SECURE_PROTOCOL_SSL2 | _WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 | _WINHTTP_FLAG_SECURE_PROTOCOL_TLS1
+
+ _WINHTTP_PROTOCOL_FLAG_HTTP2 = 0x1
+
_WINHTTP_ERROR_BASE = 12000
_ERROR_WINHTTP_OUT_OF_HANDLES = Error(12000 + 1)
_ERROR_WINHTTP_TIMEOUT = Error(12000 + 2)
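Review bot: `_WINHTTP_FLAG_SECURE_PROTOCOL_ALL` is defined as SSL2|SSL3|TLS1 only, which appears to mirror the SDK's historical definition but reads as "every protocol" and would select nothing newer than TLS 1.0 if someone later reached for it as a default. Nothing in this commit uses it, so either drop it or document it, e.g. `// Mirrors the SDK value (SSL2|SSL3|TLS1): legacy protocols only, never pass this to _WINHTTP_OPTION_SECURE_PROTOCOLS.` The enclosing const block starts before the hunk.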
diff --git a/updater/winhttp/winhttp.go b/updater/winhttp/winhttp.go
index ac390a4f..41fa5082 100644
--- a/updater/winhttp/winhttp.go
+++ b/updater/winhttp/winhttp.go
@@ -48,6 +48,11 @@ func isWin7() bool {
return maj < 6 || (maj == 6 && min <= 1)
}
+func isWin8DotZeroOrBelow() bool {
+ maj, min, _ := windows.RtlGetNtVersionNumbers()
+ return maj < 6 || (maj == 6 && min <= 2)
+}
+
func NewSession(userAgent string) (session *Session, err error) {
session = new(Session)
defer convertError(&err)
@@ -69,9 +74,17 @@ func NewSession(userAgent string) (session *Session, err error) {
if err != nil {
return
}
- var enableHttp2 uint32 = 1
+ var enableHttp2 uint32 = _WINHTTP_PROTOCOL_FLAG_HTTP2
_ = winHttpSetOption(session.handle, _WINHTTP_OPTION_ENABLE_HTTP_PROTOCOL, unsafe.Pointer(&enableHttp2), uint32(unsafe.Sizeof(enableHttp2))) // Don't check return value, in case of old Windows
+ if isWin8DotZeroOrBelow() {
+ var enableTLS12 uint32 = _WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2
+ err = winHttpSetOption(session.handle, _WINHTTP_OPTION_SECURE_PROTOCOLS, unsafe.Pointer(&enableTLS12), uint32(unsafe.Sizeof(enableTLS12)))
+ if err != nil {
+ return
+ }
+ }
+
runtime.SetFinalizer(session, func(session *Session) {
session.Close()
})
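Review bot: The early `return` inside the new `if isWin8DotZeroOrBelow()` block leaves `session.handle` open: the handle already exists (it is passed to winHttpSetOption on the preceding line) and the finalizer that closes it is only registered after this block, so on this error path the WinHTTP session is never closed unless the caller happens to call Close on the returned value. Add `session.Close()` before the `return` in the new `if err != nil` block. The earlier `if err != nil { return }` at the top of the hunk may have the same shape, but which call it guards is outside the hunk. NewSession begins before the hunk and continues after it.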