Commit Graph

11 Commits (51f421946feec707b7abfca69e1333ab1655ba9d)

Author SHA1 Message Date
Brad Fitzpatrick 39f2fe29f7 tempfork/registry: work around issue with Tailscale's redo build system
Updates tailscale/corp#293
5 years ago
Brad Fitzpatrick e441d3218e tempfork/registry: add golang.org/x/sys/windows/registry + CL 236681
Temporary fork of golang.org/x/sys/windows/registry with:

   windows/registry: add Key.WaitChange wrapper around RegNotifyChangeKeyValue
   https://go-review.googlesource.com/c/sys/+/236681
5 years ago
Brad Fitzpatrick 9bbcdba2b3 tempfork/internal/testenv: remove
It was for our x509 fork and no longer needed. (x509 changes
went into our Go fork instead)
5 years ago
Brad Fitzpatrick 58e83d8f66 tempfork/x509: moved to tailscale/go's crypto/x509 instead 5 years ago
Brad Fitzpatrick d427fc023e tempfork/x509: remove the bundle tag in our fork
We want to be able to omit from only one (not both)
5 years ago
Brad Fitzpatrick 28c632c97b tempfork/x509: store certs for iOS compressed in binary, parse lazily 5 years ago
Brad Fitzpatrick 8fd8fc9c7d tempfork/x509: fix build on darwin and windows
These fixes were originally in the updates to CL 229917 after
Trybots failed there.
See https://go-review.googlesource.com/c/go/+/229917/1..3
5 years ago
Brad Fitzpatrick bfc1261ab6 crypto/x509: keep smaller root cert representation in memory until needed
(from patchset 1, c12c890c64dd6372b3893af1e6f5ab11802c9e81, of
https://go-review.googlesource.com/c/go/+/230025/1, with merges fixes
due to parent commit's differents from its ps1..ps3)

Instead of parsing the PEM files and then storing the *Certificate
values forever, still parse them to see if they're valid and pick out
some fields, but then only store the decoded pem.Block.Bytes until
that cert is first needed.

Saves about 500K of memory on my (Debian stable) machine after doing a
tls.Dial or calling x509.SystemCertPool.

A more aggressive version of this is still possible: we can not keep
the pem.Block.Bytes in memory either, and re-read them from disk when
necessary. But dealing with files disappearing and even large
multi-cert PEM files changing (with offsets sliding around) made this
conservative version attractive. It doesn't change the
slurp-roots-on-startup semantics. It just does so with less memory
retained.

Change-Id: I3aea333f4749ae3b0026042ec3ff7ac015c72204
5 years ago
Brad Fitzpatrick f5993f2440 crypto/x509: add support for CertPool to load certs lazily
(from patchset 1, 7cdc3c3e7427c9ef69e19224d6036c09c5ea1723, of
https://go-review.googlesource.com/c/go/+/229917/1)

This will allow building CertPools that consume less memory. (Most
certs are never accessed. Different users/programs access different
ones, but not many.)

This CL only adds the new internal mechanism (and uses it for the
old AddCert) but does not modify any existing root pool behavior.
(That is, the default Unix roots are still all slurped into memory as
of this CL)

Change-Id: Ib3a42e4050627b5e34413c595d8ced839c7bfa14
5 years ago
Numerous Gophers 3bab226299 Add fork of Go 1.15-dev's crypto/x509
Snapshotted from Go commit 619c7a48a38b28b521591b490fd14ccb7ea5e821
(https://go-review.googlesource.com/c/go/+/229762,
"crypto/x509: add x509omitbundledroots build tag to not embed roots")

With 975c01342a25899962969833d8b2873dc8856a4f
(https://go-review.googlesource.com/c/go/+/220721) removed, because it
depends on other stuff in Go std that doesn't yet exist in a Go
release.

Also, add a subset fork of Go's internal/testenv, for use by x509's tests.
5 years ago
Earl Lee a8d8b8719a Move Linux client & common packages into a public repo. 5 years ago