From 172d72a060b3bc908e4d8f5e3db0dd7f42b1e0d3 Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick
Date: Mon, 27 Apr 2020 08:13:37 -0700
Subject: [PATCH] Revert "net/tlsdial: add memory-optimized TLS cert verification path for iOS"

This reverts commit 6fcbd4c4d476bd461c9bd2e52df6e3b7964a6452.

Decided to put it in tailscale/go's crypto/x509 instead.
---
 control/controlclient/direct.go | 5 ---
 net/tlsdial/tlsdial.go | 6 ----
 net/tlsdial/verify_darwin_arm64.go | 58 ------------------------------
 3 files changed, 69 deletions(-)
 delete mode 100644 net/tlsdial/verify_darwin_arm64.go

diff --git a/control/controlclient/direct.go b/control/controlclient/direct.go
index 5a83e3067..2c6b9ff56 100644
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -16,7 +16,6 @@
 	"io/ioutil"
 	"log"
 	"net/http"
-	"net/url"
 	"os"
 	"reflect"
 	"strconv"
@@ -116,10 +115,6 @@ func NewDirect(opts Options) (*Direct, error) {
 		return nil, errors.New("controlclient.New: no server URL specified")
 	}
 	opts.ServerURL = strings.TrimRight(opts.ServerURL, "/")
-	serverURL, err := url.Parse(opts.ServerURL)
-	if err != nil {
-		return nil, err
-	}
 	if opts.TimeNow == nil {
 		opts.TimeNow = time.Now
 	}
diff --git a/net/tlsdial/tlsdial.go b/net/tlsdial/tlsdial.go
index b8012ad85..c7d6e26fb 100644
--- a/net/tlsdial/tlsdial.go
+++ b/net/tlsdial/tlsdial.go
@@ -8,8 +8,6 @@
 
 import "crypto/tls"
 
-var platformModifyConf func(*tls.Config)
-
 // Config returns a tls.Config for dialing the given host.
 // If base is non-nil, it's cloned as the base config before
 // being configured and returned.
@@ -22,9 +20,5 @@ func Config(host string, base *tls.Config) *tls.Config {
 	}
 	conf.ServerName = host
 
-	if platformModifyConf != nil {
-		platformModifyConf(conf)
-	}
-
 	return conf
 }
diff --git a/net/tlsdial/verify_darwin_arm64.go b/net/tlsdial/verify_darwin_arm64.go
deleted file mode 100644
index 2c349c1fd..000000000
--- a/net/tlsdial/verify_darwin_arm64.go
+++ /dev/null
@@ -1,58 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build darwin,arm64,usex509fork
-
-package tlsdial
-
-import (
-	"crypto/tls"
-	"errors"
-	"time"
-
-	"crypto/x509"
-
-	x509fork "tailscale.com/tempfork/x509"
-)
-
-func init() {
-	platformModifyConf = useX509Fork
-}
-
-func useX509Fork(conf *tls.Config) {
-	// Modify conf to use our fork of crypto/x509 instead.
-
-	// This prevents crypto/tls from using the standard library's
-	// x509. We will then be responsible for the rest.
-	conf.InsecureSkipVerify = true
-
-	// Do what crypto/tls would've done for us:
-	conf.VerifyPeerCertificate = func(rawCerts [][]byte, _verifiedChains [][]*x509.Certificate) error {
-		if conf.ServerName == "" {
-			return errors.New("no tls.Config.ServerName set")
-		}
-		if len(rawCerts) == 0 {
-			// Shouldn't happen, but.
-			return errors.New("no rawCerts from server")
-		}
-		certs := make([]*x509fork.Certificate, len(rawCerts))
-		for i, asn1Data := range rawCerts {
-			cert, err := x509fork.ParseCertificate(asn1Data)
-			if err != nil {
-				return err
-			}
-			certs[i] = cert
-		}
-		opts := x509fork.VerifyOptions{
-			CurrentTime:   time.Now(),
-			DNSName:       conf.ServerName,
-			Intermediates: x509fork.NewCertPool(),
-		}
-		for _, cert := range certs[1:] {
-			opts.Intermediates.AddCert(cert)
-		}
-		_, err := certs[0].Verify(opts)
-		return err
-	}
-}