Commit Graph

33 Commits (main)

Author SHA1 Message Date
Brad Fitzpatrick e8551d6b40 all: use Go 1.21 slices, maps instead of x/exp/{slices,maps}
Updates #8419

Signed-off-by: Brad Fitzpatrick <>
1 month ago
Brad Fitzpatrick cb53846717 tempfork/heap: add copy of Go's container/heap but using generics
From Go commit 0a48e5cbfabd679e, then with some generics sprinkled

Updates tailscale/corp#7354

Signed-off-by: Brad Fitzpatrick <>
3 months ago
Maisem Ali d1d5d52b2c net/tstun/table: add initial RoutingTable implementation
It is based on `*tempfork/device.AllowedIPs`.

Updates tailscale/corp#8020

Signed-off-by: Maisem Ali <>
6 months ago
Maisem Ali 2522b0615f tempfork/device: add a temp fork of
This will allow us to reuse the AllowedIPs for NAT decisions in a follow on commit.

The files `allowedips_*.go` are as-is, `peer.go` only keeps the `Peer` declaration with a
single element required for AllowedIPs.

Upstream commit

Updates tailscale/corp#8020

Signed-off-by: Maisem Ali <>
6 months ago
Brad Fitzpatrick da8def8e13 all: remove old +build tags
The //go:build syntax was introduced in Go 1.17:

gofmt has kept the +build and go:build lines in sync since
then, but enough time has passed. Time to remove them.

Done with:

    perl -i -npe 's,^// \+build.*\n,,' $(git grep -l -F '+build')

Signed-off-by: Brad Fitzpatrick <>
11 months ago
Maisem Ali 4de1601ef4 ssh/tailssh: add support for sending multiple banners
Signed-off-by: Maisem Ali <>
12 months ago
Maisem Ali f16b77de5d ssh/tailssh: do the full auth flow during ssh auth
Fixes #5091

Signed-off-by: Maisem Ali <>
12 months ago
Eng Zer Jun f0347e841f refactor: move from io/ioutil to io and os packages
The io/ioutil package has been deprecated as of Go 1.16 [1]. This commit
replaces the existing io/ioutil functions with their new definitions in
io and os packages.

Signed-off-by: Eng Zer Jun <>
1 year ago
Brad Fitzpatrick 116f55ff66 all: gofmt for Go 1.19
Updates #5210

Change-Id: Ib02cd5e43d0a8db60c1f09755a8ac7b140b670be
Signed-off-by: Brad Fitzpatrick <>
1 year ago
Maisem Ali 2b8b887d55 ssh/tailssh: send banner messages during auth, move more to conn
(VSCode Live Share between Brad & Maisem!)

Updates #3802

Change-Id: Id8edca4481b0811debfdf56d4ccb1a46f71dd6d3
Co-Authored-By: Brad Fitzpatrick <>
Signed-off-by: Maisem Ali <>
1 year ago
Maisem Ali 14d077fc3a ssh/tailssh: terminate ssh auth early if no policy can match
Also bump

Updates #3802

Signed-off-by: Maisem Ali <>
1 year ago
Brad Fitzpatrick 3d180c0376 go.mod, ssh/tailssh, tempfork/gliderlabs: bump x/crypto/ssh fork for NoClientAuthCallback
Prep for evaluating SSHPolicy earlier to decide whether certs are
required, which requires knowing the target SSH user.

Updates #3802

Change-Id: I2753ec8069e7f19c9121300d0fb0813c1c627c36
Signed-off-by: Brad Fitzpatrick <>
2 years ago
Brad Fitzpatrick 5a44f9f5b5 tempfork: temporarily fork gliderlabs/ssh and x/crypto/ssh
While we rearrange/upstream things.

gliderlabs/ssh is forked into tempfork from our prior fork
at be8b7add40

x/crypto/ssh OTOH is forked at because it was gnarlier
to vendor with various internal packages, etc.
Its git history shows where it starts (2c7772ba30643b7a2026cbea938420dce7c6384d).

Updates #3802

Change-Id: I546e5cdf831cfc030a6c42557c0ad2c58766c65f
Signed-off-by: Brad Fitzpatrick <>
2 years ago
Maisem Ali baf8854f9a tempfork/wireguard-windows: remove the old windows firewall code now that we are no longer relying on it.

Signed-off-by: Maisem Ali <>
2 years ago
Josh Bleecher Snyder a5da4ed981 all: gofmt with Go 1.17
This adds "//go:build" lines and tidies up existing "// +build" lines.

Signed-off-by: Josh Bleecher Snyder <>
2 years ago
Josh Bleecher Snyder 41d06bdf86 tempfork/wireguard-windows: remove unnecessary build tag
The _windows.go suffix suffices.
This allows go:generate to run without creating a diff.

Signed-off-by: Josh Bleecher Snyder <>
2 years ago
David Anderson ac3de93d5c tempfork/wireguard-windows/firewall: add.
This is a fork of wireguard-windows's firewall package, with
the firewall rules adjusted to better line up with tailscale's

The package was taken from commit 3cc76ed5f222ec82748ef3bd8c41d4b059e28cdb
in our fork of wireguard-go.

Signed-off-by: David Anderson <>
3 years ago
Josh Bleecher Snyder a6cad71fb2 go.mod: upgrade staticcheck to 0.1.0
Also run go.mod and fix some staticcheck warnings.

Signed-off-by: Josh Bleecher Snyder <>
3 years ago
Brad Fitzpatrick 8f76548fd9 tempfork/osexec: remove old fork of os/exec
This package was a temporary fork of os/exec to fix an EINTR loop
bug that was fixed upstream for Go 1.15 in
(, in

8c1db77a92 (diff-72072cbd53a7240debad8aa506ff7ec795f9cfac7322e779f9bac29a4d0d0bd4)
3 years ago
Brad Fitzpatrick 5b338bf011 tempfork/registry: delete
It's unused.
3 years ago
Josh Bleecher Snyder 585a0d8997 all: use testing.T.TempDir
Bit of Friday cleanup.

Signed-off-by: Josh Bleecher Snyder <>
3 years ago
Brad Fitzpatrick f26b409bd5 tempfork: add lite fork of net/http/pprof w/o html/template or reflect
3 years ago
Brad Fitzpatrick 39f2fe29f7 tempfork/registry: work around issue with Tailscale's redo build system
Updates tailscale/corp#293
3 years ago
Brad Fitzpatrick e441d3218e tempfork/registry: add + CL 236681
Temporary fork of with:

   windows/registry: add Key.WaitChange wrapper around RegNotifyChangeKeyValue
3 years ago
Brad Fitzpatrick 9bbcdba2b3 tempfork/internal/testenv: remove
It was for our x509 fork and no longer needed. (x509 changes
went into our Go fork instead)
3 years ago
Brad Fitzpatrick 58e83d8f66 tempfork/x509: moved to tailscale/go's crypto/x509 instead
3 years ago
Brad Fitzpatrick d427fc023e tempfork/x509: remove the bundle tag in our fork
We want to be able to omit from only one (not both)
3 years ago
Brad Fitzpatrick 28c632c97b tempfork/x509: store certs for iOS compressed in binary, parse lazily
3 years ago
Brad Fitzpatrick 8fd8fc9c7d tempfork/x509: fix build on darwin and windows
These fixes were originally in the updates to CL 229917 after
Trybots failed there.
3 years ago
Brad Fitzpatrick bfc1261ab6 crypto/x509: keep smaller root cert representation in memory until needed
(from patchset 1, c12c890c64dd6372b3893af1e6f5ab11802c9e81, of, with merge fixes
due to parent commit's differences from its ps1..ps3)

Instead of parsing the PEM files and then storing the *Certificate
values forever, still parse them to see if they're valid and pick out
some fields, but then only store the decoded pem.Block.Bytes until
that cert is first needed.

Saves about 500K of memory on my (Debian stable) machine after doing a
tls.Dial or calling x509.SystemCertPool.

A more aggressive version of this is still possible: we can not keep
the pem.Block.Bytes in memory either, and re-read them from disk when
necessary. But dealing with files disappearing and even large
multi-cert PEM files changing (with offsets sliding around) made this
conservative version attractive. It doesn't change the
slurp-roots-on-startup semantics. It just does so with less memory.

Change-Id: I3aea333f4749ae3b0026042ec3ff7ac015c72204
3 years ago
Brad Fitzpatrick f5993f2440 crypto/x509: add support for CertPool to load certs lazily
(from patchset 1, 7cdc3c3e7427c9ef69e19224d6036c09c5ea1723, of

This will allow building CertPools that consume less memory. (Most
certs are never accessed. Different users/programs access different
ones, but not many.)

This CL only adds the new internal mechanism (and uses it for the
old AddCert) but does not modify any existing root pool behavior.
(That is, the default Unix roots are still all slurped into memory as
of this CL)

Change-Id: Ib3a42e4050627b5e34413c595d8ced839c7bfa14
3 years ago
Numerous Gophers 3bab226299 Add fork of Go 1.15-dev's crypto/x509
Snapshotted from Go commit 619c7a48a38b28b521591b490fd14ccb7ea5e821
"crypto/x509: add x509omitbundledroots build tag to not embed roots")

With 975c01342a25899962969833d8b2873dc8856a4f
( removed, because it
depends on other stuff in Go std that doesn't yet exist in a Go

Also, add a subset fork of Go's internal/testenv, for use by x509's tests.
3 years ago
Earl Lee a8d8b8719a Move Linux client & common packages into a public repo. 4 years ago