author | Jason A. Donenfeld <Jason@zx2c4.com> | 2021-10-29 15:15:51 +0200 |
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2021-10-29 21:09:26 +0200 |
commit | 203494e8761132334b366a38a1463992c8b1e8a1 (patch) | |
tree | 4e66cc7a6c11dc4a0d840263c201fbc419ded3ed | |
parent | services: mark win7 code the same as elsewhere (diff) | |
fetcher,winhttp: force TLS 1.2 on Win 8.0 and 7
On ancient Windows, we must opt-in to using TLS 1.2. Otherwise it only
allows for TLS 1.0. And of course there's no TLS 1.3 support there at
all.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-rw-r--r-- | installer/fetcher/fetcher.c | 6 | ||||
-rw-r--r-- | installer/fetcher/systeminfo.c | 7 | ||||
-rw-r--r-- | installer/fetcher/systeminfo.h | 1 | ||||
-rw-r--r-- | updater/winhttp/syscall_windows.go | 10 | ||||
-rw-r--r-- | updater/winhttp/winhttp.go | 15 |
5 files changed, 38 insertions, 1 deletions
diff --git a/installer/fetcher/fetcher.c b/installer/fetcher/fetcher.c
index 8253b16d..7392fb59 100644
--- a/installer/fetcher/fetcher.c
+++ b/installer/fetcher/fetcher.c
@@ -114,6 +114,12 @@ static DWORD __stdcall download_thread(void *param)
 	if (!session)
 		goto out;
 	WinHttpSetOption(session, WINHTTP_OPTION_ENABLE_HTTP_PROTOCOL, &enable_http2, sizeof(enable_http2)); // Don't check return value, in case of old Windows
+	if (is_win8dotzero_or_below()) {
+		DWORD enable_tls12 = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
+		if (!WinHttpSetOption(session, WINHTTP_OPTION_SECURE_PROTOCOLS, &enable_tls12, sizeof(enable_tls12)))
+			goto out;
+	}
+
 	connection = WinHttpConnect(session, L(server), port, 0);
 	if (!connection)
 		goto out;
diff --git a/installer/fetcher/systeminfo.c b/installer/fetcher/systeminfo.c
index 0132196a..3753965e 100644
--- a/installer/fetcher/systeminfo.c
+++ b/installer/fetcher/systeminfo.c
@@ -65,3 +65,10 @@ bool is_win7(void)
 	RtlGetNtVersionNumbers(&maj, &min, &build);
 	return maj == 6 && min == 1;
 }
+
+bool is_win8dotzero_or_below(void)
+{
+	DWORD maj, min, build;
+	RtlGetNtVersionNumbers(&maj, &min, &build);
+	return maj == 6 && min <= 2;
+}
diff --git a/installer/fetcher/systeminfo.h b/installer/fetcher/systeminfo.h
index 12c3444a..bcb2ab9e 100644
--- a/installer/fetcher/systeminfo.h
+++ b/installer/fetcher/systeminfo.h
@@ -11,5 +11,6 @@ const char *architecture(void);
 const char *useragent(void);
 bool is_win7(void);
+bool is_win8dotzero_or_below(void);
 #endif
diff --git a/updater/winhttp/syscall_windows.go b/updater/winhttp/syscall_windows.go
index 77e733e6..90a5daea 100644
--- a/updater/winhttp/syscall_windows.go
+++ b/updater/winhttp/syscall_windows.go
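Review bot: The unconditional `goto out` when setting WINHTTP_OPTION_SECURE_PROTOCOLS fails is the right fail-closed choice, but the hunk does not say why this option is fatal while the HTTP/2 option one line above is deliberately best-effort, so a later reader may "harmonise" the two and reintroduce a silent TLS 1.0 fallback. Add `// Fail closed: per the commit message, a session on Win7/8.0 without this option negotiates TLS 1.0 at best` above the new `if`. The enclosing download_thread and its `out:` label are outside the hunk, so whether the session handle is released on this early exit cannot be confirmed here.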
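Review bot: is_win8dotzero_or_below returns `maj == 6 && min <= 2`, whereas its Go counterpart isWin8DotZeroOrBelow in updater/winhttp/winhttp.go in this same commit also returns true for `maj < 6`, so the two "or below" checks disagree for any major version below 6. That is harmless if the fetcher never runs on such systems, but the name promises the wider check; either mirror the Go form with `return maj < 6 || (maj == 6 && min <= 2);` or add a one-line comment above the function stating that older majors are intentionally excluded because the installer only targets 6.x. The function copies the style of the existing is_win7, which has the same narrowing, so the comment would cover both.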
@@ -256,6 +256,16 @@ const (
 	_INTERNET_SCHEME_FTP = 3
 	_INTERNET_SCHEME_SOCKS = 4
+	_WINHTTP_FLAG_SECURE_PROTOCOL_SSL2 = 0x00000008
+	_WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 = 0x00000020
+	_WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 = 0x00000080
+	_WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 = 0x00000200
+	_WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 = 0x00000800
+	_WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3 = 0x00002000
+	_WINHTTP_FLAG_SECURE_PROTOCOL_ALL = _WINHTTP_FLAG_SECURE_PROTOCOL_SSL2 | _WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 | _WINHTTP_FLAG_SECURE_PROTOCOL_TLS1
+
+	_WINHTTP_PROTOCOL_FLAG_HTTP2 = 0x1
+
 	_WINHTTP_ERROR_BASE = 12000
 	_ERROR_WINHTTP_OUT_OF_HANDLES = Error(12000 + 1)
 	_ERROR_WINHTTP_TIMEOUT = Error(12000 + 2)
diff --git a/updater/winhttp/winhttp.go b/updater/winhttp/winhttp.go
index ac390a4f..41fa5082 100644
--- a/updater/winhttp/winhttp.go
+++ b/updater/winhttp/winhttp.go
@@ -48,6 +48,11 @@ func isWin7() bool {
 	return maj < 6 || (maj == 6 && min <= 1)
 }
+func isWin8DotZeroOrBelow() bool {
+	maj, min, _ := windows.RtlGetNtVersionNumbers()
+	return maj < 6 || (maj == 6 && min <= 2)
+}
+
 func NewSession(userAgent string) (session *Session, err error) {
 	session = new(Session)
 	defer convertError(&err)
@@ -69,9 +74,17 @@ func NewSession(userAgent string) (session *Session, err error) {
 	if err != nil {
 		return
 	}
-	var enableHttp2 uint32 = 1
+	var enableHttp2 uint32 = _WINHTTP_PROTOCOL_FLAG_HTTP2
 	_ = winHttpSetOption(session.handle, _WINHTTP_OPTION_ENABLE_HTTP_PROTOCOL, unsafe.Pointer(&enableHttp2), uint32(unsafe.Sizeof(enableHttp2))) // Don't check return value, in case of old Windows
+	if isWin8DotZeroOrBelow() {
+		var enableTLS12 uint32 = _WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2
+		err = winHttpSetOption(session.handle, _WINHTTP_OPTION_SECURE_PROTOCOLS, unsafe.Pointer(&enableTLS12), uint32(unsafe.Sizeof(enableTLS12)))
+		if err != nil {
+			return
+		}
+	}
+
 	runtime.SetFinalizer(session, func(session *Session) {
 		session.Close()
 	})
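Review bot: `_WINHTTP_FLAG_SECURE_PROTOCOL_ALL` is declared as SSL2|SSL3|TLS1, so despite its name it is the weakest protocol set in this block and excludes every TLS 1.1+ flag defined directly above it; nothing else in the commit uses it. Either drop it or annotate it so nobody later passes it to _WINHTTP_OPTION_SECURE_PROTOCOLS as an "everything" set: `// Legacy SDK value (SSL2|SSL3|TLS1 only); not a safe "all protocols" set, do not pass it to _WINHTTP_OPTION_SECURE_PROTOCOLS.` The hunk does not add _WINHTTP_OPTION_SECURE_PROTOCOLS itself although winhttp.go now references it, so that constant presumably already exists elsewhere in this file.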
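Review bot: The new early `return` after a failed winHttpSetOption for _WINHTTP_OPTION_SECURE_PROTOCOLS leaves the session handle open: session.handle is already in use by the HTTP/2 call just above, and runtime.SetFinalizer, the only thing in view that closes it, is registered only after the new block. Close it before returning, e.g. `if err != nil { session.Close(); return }`, so a caller that discards the (session, err) pair on error does not leak a WinHTTP handle. Whether the earlier `return` at the top of this hunk has the same issue depends on what precedes it, which is outside the hunk. Failing instead of silently falling back to the default protocol set is the right behaviour here.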