mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-29 13:05:46 +00:00
net/tlsdial: add memory-optimized TLS cert verification path for iOS
Behind a build tag for now.
This commit is contained in:
parent
b6fa5a69be
commit
6fcbd4c4d4
@ -16,6 +16,7 @@
|
||||
"io/ioutil"
|
||||
"log"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"os"
|
||||
"reflect"
|
||||
"strconv"
|
||||
@ -114,6 +115,10 @@ func NewDirect(opts Options) (*Direct, error) {
|
||||
return nil, errors.New("controlclient.New: no server URL specified")
|
||||
}
|
||||
opts.ServerURL = strings.TrimRight(opts.ServerURL, "/")
|
||||
serverURL, err := url.Parse(opts.ServerURL)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if opts.TimeNow == nil {
|
||||
opts.TimeNow = time.Now
|
||||
}
|
||||
@ -125,7 +130,7 @@ func NewDirect(opts Options) (*Direct, error) {
|
||||
|
||||
tr := http.DefaultTransport.(*http.Transport).Clone()
|
||||
tr.ForceAttemptHTTP2 = true
|
||||
tr.TLSClientConfig = tlsdial.Config("", tr.TLSClientConfig)
|
||||
tr.TLSClientConfig = tlsdial.Config(serverURL.Host, tr.TLSClientConfig)
|
||||
httpc := &http.Client{Transport: tr}
|
||||
|
||||
c := &Direct{
|
||||
|
@ -8,6 +8,8 @@
|
||||
|
||||
import "crypto/tls"
|
||||
|
||||
var platformModifyConf func(*tls.Config)
|
||||
|
||||
// Config returns a tls.Config for dialing the given host.
|
||||
// If base is non-nil, it's cloned as the base config before
|
||||
// being configured and returned.
|
||||
@ -20,5 +22,9 @@ func Config(host string, base *tls.Config) *tls.Config {
|
||||
}
|
||||
conf.ServerName = host
|
||||
|
||||
if platformModifyConf != nil {
|
||||
platformModifyConf(conf)
|
||||
}
|
||||
|
||||
return conf
|
||||
}
|
||||
|
58
net/tlsdial/verify_darwin_arm64.go
Normal file
58
net/tlsdial/verify_darwin_arm64.go
Normal file
@ -0,0 +1,58 @@
|
||||
// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
// +build darwin,arm64,usex509fork
|
||||
|
||||
package tlsdial
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"errors"
|
||||
"time"
|
||||
|
||||
"crypto/x509"
|
||||
|
||||
x509fork "tailscale.com/tempfork/x509"
|
||||
)
|
||||
|
||||
func init() {
|
||||
platformModifyConf = useX509Fork
|
||||
}
|
||||
|
||||
func useX509Fork(conf *tls.Config) {
|
||||
// Modify conf to use our fork of crypto/x509 instead.
|
||||
|
||||
// This prevents crypto/tls from using the standard library's
|
||||
// x509. We will then be responsible for the rest.
|
||||
conf.InsecureSkipVerify = true
|
||||
|
||||
// Do what crypto/tls would've done for us:
|
||||
conf.VerifyPeerCertificate = func(rawCerts [][]byte, _verifiedChains [][]*x509.Certificate) error {
|
||||
if conf.ServerName == "" {
|
||||
return errors.New("no tls.Config.ServerName set")
|
||||
}
|
||||
if len(rawCerts) == 0 {
|
||||
// Shouldn't happen, but.
|
||||
return errors.New("no rawCerts from server")
|
||||
}
|
||||
certs := make([]*x509fork.Certificate, len(rawCerts))
|
||||
for i, asn1Data := range rawCerts {
|
||||
cert, err := x509fork.ParseCertificate(asn1Data)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
certs[i] = cert
|
||||
}
|
||||
opts := x509fork.VerifyOptions{
|
||||
CurrentTime: time.Now(),
|
||||
DNSName: conf.ServerName,
|
||||
Intermediates: x509fork.NewCertPool(),
|
||||
}
|
||||
for _, cert := range certs[1:] {
|
||||
opts.Intermediates.AddCert(cert)
|
||||
}
|
||||
_, err := certs[0].Verify(opts)
|
||||
return err
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user