Revert "net/tlsdial: add memory-optimized TLS cert verification path for iOS"

This reverts commit 6fcbd4c4d4. Decided to put it in tailscale/go's crypto/x509 instead.
5 years ago · 172d72a060
parent 5d67365cc9
commit 172d72a060
3 changed files with 0 additions and 69 deletions
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@ -16,7 +16,6 @@ import (
 	"io/ioutil"
 	"log"
 	"net/http"
 	"net/url"
 	"os"
 	"reflect"
 	"strconv"
@ -116,10 +115,6 @@ func NewDirect(opts Options) (*Direct, error) {
 		return nil, errors.New("controlclient.New: no server URL specified")
 	}
 	opts.ServerURL = strings.TrimRight(opts.ServerURL, "/")
 	serverURL, err := url.Parse(opts.ServerURL)
 	if err != nil {
 		return nil, err
 	}
 	if opts.TimeNow == nil {
 		opts.TimeNow = time.Now
 	}
--- a/net/tlsdial/tlsdial.go
+++ b/net/tlsdial/tlsdial.go
@ -8,8 +8,6 @@ package tlsdial
 import "crypto/tls"
 var platformModifyConf func(*tls.Config)
 // Config returns a tls.Config for dialing the given host.
 // If base is non-nil, it's cloned as the base config before
 // being configured and returned.
@ -22,9 +20,5 @@ func Config(host string, base *tls.Config) *tls.Config {
 	}
 	conf.ServerName = host
 	if platformModifyConf != nil {
 		platformModifyConf(conf)
 	}
 	return conf
 }
--- a/net/tlsdial/verify_darwin_arm64.go
+++ b/net/tlsdial/verify_darwin_arm64.go
@ -1,58 +0,0 @@
 // Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // +build darwin,arm64,usex509fork
 package tlsdial
 import (
 	"crypto/tls"
 	"errors"
 	"time"
 	"crypto/x509"
 	x509fork "tailscale.com/tempfork/x509"
 )
 func init() {
 	platformModifyConf = useX509Fork
 }
 func useX509Fork(conf *tls.Config) {
 	// Modify conf to use our fork of crypto/x509 instead.
 	// This prevents crypto/tls from using the standard library's
 	// x509. We will then be responsible for the rest.
 	conf.InsecureSkipVerify = true
 	// Do what crypto/tls would've done for us:
 	conf.VerifyPeerCertificate = func(rawCerts [][]byte, _verifiedChains [][]*x509.Certificate) error {
 		if conf.ServerName == "" {
 			return errors.New("no tls.Config.ServerName set")
 		}
 		if len(rawCerts) == 0 {
 			// Shouldn't happen, but.
 			return errors.New("no rawCerts from server")
 		}
 		certs := make([]*x509fork.Certificate, len(rawCerts))
 		for i, asn1Data := range rawCerts {
 			cert, err := x509fork.ParseCertificate(asn1Data)
 			if err != nil {
 				return err
 			}
 			certs[i] = cert
 		}
 		opts := x509fork.VerifyOptions{
 			CurrentTime:   time.Now(),
 			DNSName:       conf.ServerName,
 			Intermediates: x509fork.NewCertPool(),
 		}
 		for _, cert := range certs[1:] {
 			opts.Intermediates.AddCert(cert)
 		}
 		_, err := certs[0].Verify(opts)
 		return err
 	}
 }