win: confirm that KB2921916 installer workaround works #1051
Comments
|
we don't use an MSI yet so we can't really bundle an MSU from what I understand? Should we also host that file and detect at runtime if it's necessary? We can try to fetch+install it before loading wintun. |
|
WireGuard does something similar: https://git.zx2c4.com/wireguard-windows/tree/installer/customactions.c#n145 |
|
https://download.wireguard.com/windows-toolchain/distfiles/Windows6.1-KB2921916-x64.msu for x64 and If you do detection, I'd recommend the hacky As far as bundling the MSU goes - you can do this from nsis. You probably want to do something like:
See https://ss64.com/nt/wusa.html for other options. There's no need to do this with MSI, and probably MSI would take the same approach as invoking wusa.exe anyway. Alternatively, if you do this at runtime in the app instead of at install time from nsis, and you want to auto-fetch, please mirror those files on your own servers. |
|
I think #1051 perhaps eliminated the need for this? |
|
Did you mean https://github.com/tailscale/corp/issues/1101 ? |
|
Uh...yes. :)
ᐧ
…On Thu, Jan 14, 2021 at 1:37 AM Brad Fitzpatrick ***@***.***> wrote:
Did you mean tailscale/corp#1101
<tailscale/corp#1101> ?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#1051 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAFA4FE4DYWXXMFT7OWAWTSZ2GI5ANCNFSM4VEVG2ZA>
.
--
Avery Pennarun // CEO @ Tailscale
|
|
Care to share details? That link is private. |
|
@zx2c4, the core of that change is that at the end of the install (where it's running with elevated privileges), it calls: // InstallWintunDriver loads wintun.dll to force it to install its
// kernel driver, which can take a long time (especially on Windows
// 7). We want to do it early (at install time), so the service starts
// up quicker later, to avoid the GUI timing out trying to connect to
// it.
func InstallWintunDriver() error {
pool, err := wintunPool()
if err != nil {
return fmt.Errorf("MakePool: %w", err)
}
adapter, _, err := pool.CreateAdapter("Tailscale Installer", nil)
if err != nil {
return fmt.Errorf("CreateAdapter: %w", err)
}
_, err = adapter.Delete(false)
if err != nil {
return fmt.Errorf("Adapter.Delete: %w", err)
}
return nil
}The change was primarily about eliminating the race between the driver install from the service and the GUI waiting to connect to the service. By doing it at install time, by the time the server + GUI start later, the driver's already been installed and the service starts up much more quickly. But I'm not sure how that helps this issue? Isn't KB2921916 really just some hacky fix (that Microsoft later abandoned as not a good idea?) that disables some verification? The fact that Microsoft never included KB2921916 in subsequent roll-up patch releases seems like a red flag. Or is @apenwarr saying that after the UAC elevation, the driver install works without KB2921916 somehow? |
|
That's not going to be robust when the driver gets removed from the store and readded by other things later. KB2921916 isn't hacky at all. It changes the code from: char hash[20];
assert(GetCertHash(thing, hash, sizeof(hash)));to size_t hash_size = GetSizeOfHash(thing);
char *hash = malloc(hash_size);
assert(GetCertHash(thing, hash, hash_size));The old code failed when sha2 was used, because 20 bytes is too small. The new code is the proper fix. The patch isn't hacky at all and works extremely well. I reverse engineered every byte of the change of the binary and I can't find any bugs with the new code or any idea why it'd be a problem. KB2921916 is gone from Microsoft's site because they pulled all the KBs when they sunsetted Windows 7. |
Ah, thanks for the explanation!
Weird.
We still do the Empirically it makes the Windows 7 install experience much better. |
Except if the driver gets removed, pool.CreateAdapter will reinstall it, and then you'll run into the sha2 issue again and installation will fail. |
|
Sorry, I still don't understand how the It's possible you and @apenwarr are having a separate conversation over my head. |
|
Alright, here's what's up: On Windows 10, the driver is signed by Microsoft, and the certificate is already included in Windows, so everything works well and there's nothing to do. On Windows 7 and Windows 8, the driver is signed with an authenticode certificate. In order to install a driver with an authenticode signature, one must first add the certificate to the system certificate store. After that, installing a driver into the driver store works well, and silently without any popups or UI required. Except on Windows 7, due to that 20-byte sha1-hardcoding bug I mentioned above, it can't actually deal with the sha2 signature. So it falls back to assuming that the driver is signed with an unknown certificate, and prompts the user, "hey are you sure you want to install this?" And, since Windows services don't have UI access, this translates into a failure. Calling that function in the installer appears to work because it moves that UI prompt to install time, rather than service time. But if the driver is ever removed, then pool.CreateAdapter being called by the service will install it again, in which case, the service won't have UI access and the operation will fail. The correct solution is to install that KB, which fixes the root cause of the issue and allows the installation of the certificate into the trusted certificate store to work as intended. |
|
The problem with Microsoft hotfixes is that they are explicitly intended to
be used only as an interim solution until the "real" fix gets properly
tested and bundled into an actual OS patch. Clearly that isn't going to
happen with Windows 7, so it's less risky than usual, but it still makes me
nervous. Force-installing OS hotfixes onto people's computers makes me even
more nervous than recommending them.
You are correct that my suggested solution would stop working if someone
ever uninstalled the driver. But if they do that, it seems like they're
trying to break their system, so perhaps we should let it be broken. They
can fix it by reinstalling the app.
Note that there is a difference between Windows 7 not understanding
authenticode (which is a pain) and it thinking your driver is completely
unsigned. There's an old-style signing method that works with Windows 7.
Before wintun.dll, we bundled two copies of wintun.sys, one signed with the
new-style Windows 10 thing and one signed with the old-style Windows 7/8
thing, and installed the right one. It still popped up a prompt on Windows
7, but the prompt was: "This driver is signed by Tailscale, do you want to
use it anyway?" It's kind of a silly question, but it's how the OS was
intended to work, so I'm not sure we should be interfering with it. When
we tried to include both certs on the same driver, Windows 7 would claim it
was entirely unsigned, which was scary for users (and I think prevented
installing on Windows 7-64bit or something) so we couldn't do that.
ᐧ
…On Thu, Jan 14, 2021 at 12:03 PM Jason A. Donenfeld < ***@***.***> wrote:
Alright, here's what's up:
On Windows 10, the driver is signed by Microsoft, and the certificate is
already included in Windows, so everything works well and there's nothing
to do.
On Windows 7 and Windows 8, the driver is signed with an authenticode
certificate. In order to install a driver with an authenticode signature,
one must first add the certificate to the system certificate store. After
that, installing a driver into the driver store works well, and silently
without any popups or UI required.
Except on Windows 7, due to that 20-byte sha1-hardcoding bug I mentioned
above, it can't actually deal with the sha2 signature. So it falls back to
assuming that the driver is signed with an unknown certificate, and prompts
the user, "hey are you sure you want to install this?" And, since Windows
services don't have UI access, this translates into a failure.
Calling that function in the installer appears to work because it moves
that UI prompt to install time, rather than service time. But if the driver
is ever removed, then pool.CreateAdapter being called by the service will
install it again, in which case, the service won't have UI access and the
operation will fail.
The correct solution is to install that KB, which fixes the root cause of
the issue and allows the installation of the certificate into the trusted
certificate store to work as intended.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1051 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAFA4BAUY7C6H54VB7WDRLSZ4PXXANCNFSM4VEVG2ZA>
.
--
Avery Pennarun // CEO @ Tailscale
|
Yes, and this is what wintun.dll does. The issue is simply that the dialog box cannot be shown from a non-interactive service. |
I'm pretty sure you're underestimating how common of a flow that winds up being. Maybe I'm wrong, but keep this in mind should you get unusual bug reports down the line. On the other hand, perhaps win7 usage won't be high enough to warrant a real solution. |
Whatever your impression of Microsoft's policies is, all I can say is that I've reverse engineered every byte of that hotfix and cannot think of a more straight forward way of fixing the bug. |
|
That's all fair. Anyway, it seems like our approach shouldn't
negatively affect any other apps that use wintun.dll, and we will
certainly keep a close eye on bug reports caused by this problem.
What is the recommended policy for apps removing wintun on uninstall,
anyway? We used to remove our wintun.sys driver on uninstall, but
since multiple apps might be using wintun.dll, there is no way to know
that's a good idea; it doesn't seem right to remove it and break some
other running wintun app.
…On Tue, Jan 19, 2021 at 9:28 PM Jason A. Donenfeld ***@***.***> wrote:
The problem with Microsoft hotfixes is that they are explicitly intended to be used only as an interim solution until the "real" fix gets properly tested and bundled into an actual OS patch.
Whatever your impression of Microsoft's policies is, all I can say is that I've reverse engineered every byte of that hotfix and cannot think of a more straight forward way of fixing the bug.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or unsubscribe.
--
Avery Pennarun // CEO @ Tailscale
|
|
Okay, that makes sense. But then why would we worry about someone
uninstalling wintun.sys from underneath us? It seems it's intentionally
designed to not ever do that. Just defensive programming?
ᐧ
…On Tue, Jan 19, 2021 at 10:00 PM Jason A. Donenfeld < ***@***.***> wrote:
#1055 (comment)
<#1055 (comment)>
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1051 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAFA4CYOC5YZWVOHKM47OLS2ZBL5ANCNFSM4VEVG2ZA>
.
--
Avery Pennarun // CEO @ Tailscale
|
|
It is designed to intentionally do that, actually. You can poke around in the code and look if you care. Or just take my word for it that that trick you're using will break under certain realistic circumstances. Given the small userbase of win7, maybe it doesn't matter. But I think I've spent enough time here assisting with closed-source proprietary software to add more, so I'd encourage you to just be attentive to bug reports if you still want to go this route, and hopefully the win7 market share keeps dwindling. |
DentonGentry
added
L2 Few
apenwarr
changed the title
|
We tested this when we launched the new version of wintun. On win7 a dialog appears telling users where to go to get the KB. |
|
That's not what this bug is about. There's a workaround in NSIS that should prevent the need for the kb altogether. It worked, once, but we have to recheck it because it might have been broken. |
|
Can you point me at the code? I'm not aware of any workaround, and it certainly didn't work when we released 1.4. That's why we added the dialog that points users at https://github.com/tailscale/tailscale/wiki/Win7. |
|
NSIS calls tailscale-ipn.exe /install, which calls doInstall(): See very long boring thread above for various disagreements about whether this is the right or the wrong solution. But nevertheless, it's there, and I'd like to confirm that it works as "expected" (ie. it's okay directly after installing Tailscale on Windows 7, but bets are off if some other app fiddles with wintun after that.) |
|
I just installed a Win7 32bit VM, the IE8 testing VM from Microsoft. I had to install Chrome to be able to authenticate, as IE8 wouldn't let me click the button, but Tailscale 1.9.177 came up without an error and no dialog box to install KB2921916. I can connect to other nodes on my Tailnet from the Win7 VM. |
|
That’s good news. I had a glitch with my win7 last month and want to test
it again here too. Chances are it was a different bug at the time, just
want to be extra sure.
On Wed, Jun 16, 2021 at 17:15 Denton Gentry ***@***.***> wrote:
I just installed a Win7 32bit VM, the IE8 testing VM from Microsoft. I had
to install Chrome to be able to authenticate, as IE8 wouldn't let me click
the button, but Tailscale 1.9.177 came up without an error and no dialog
box to install KB2921916.
I can connect to other nodes on my Tailnet from the Win7 VM.
—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub
<#1051 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAFA4C27ZU4HO36PFK3JTLTTEH6PANCNFSM4VEVG2ZA>
.
--
Avery Pennarun // CEO @ Tailscale
|
|
Finally had a chance to methodically retest this with tailscale v1.9.205. Looks like all is well, and I didn't need to install the hotfix. Phew. |
The latest wintun requires installing: https://download.wireguard.com/windows-toolchain/distfiles/Windows6.1-KB2921916-x64.msu. Without it we see the error:
Windows Update does not automatically install this update as Win7 is EOL.
The text was updated successfully, but these errors were encountered: