go1.17.5 for 10.11.6 El Capitan
From ac3f94f342abc50b57285d749229308926ba7324 Mon Sep 17 00:00:00 2001
From: Leon Klingele <git@leonklingele.de>
Date: Wed, 15 Dec 2021 11:32:24 +0100
Subject: [PATCH 1/5] Revert "runtime: use clock_gettime instead of
gettimeofday on darwin"
This reverts commit ae76f6e96216f352cc5021a4c8a7d879c4cb6873.
---
src/runtime/sys_darwin.go | 2 +-
src/runtime/sys_darwin_amd64.s | 8 +++-----
src/runtime/sys_darwin_arm64.s | 8 +++-----
3 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/src/runtime/sys_darwin.go b/src/runtime/sys_darwin.go
index 83450fd64d..a27bf6293d 100644
--- a/src/runtime/sys_darwin.go
+++ b/src/runtime/sys_darwin.go
@@ -510,7 +510,7 @@ func setNonblock(fd int32) {
//go:cgo_import_dynamic libc_mach_timebase_info mach_timebase_info "/usr/lib/libSystem.B.dylib"
//go:cgo_import_dynamic libc_mach_absolute_time mach_absolute_time "/usr/lib/libSystem.B.dylib"
-//go:cgo_import_dynamic libc_clock_gettime clock_gettime "/usr/lib/libSystem.B.dylib"
+//go:cgo_import_dynamic libc_gettimeofday gettimeofday "/usr/lib/libSystem.B.dylib"
//go:cgo_import_dynamic libc_sigaction sigaction "/usr/lib/libSystem.B.dylib"
//go:cgo_import_dynamic libc_pthread_sigmask pthread_sigmask "/usr/lib/libSystem.B.dylib"
//go:cgo_import_dynamic libc_sigaltstack sigaltstack "/usr/lib/libSystem.B.dylib"
diff --git a/src/runtime/sys_darwin_amd64.s b/src/runtime/sys_darwin_amd64.s
index 3bd027f982..da6ee4f418 100644
--- a/src/runtime/sys_darwin_amd64.s
+++ b/src/runtime/sys_darwin_amd64.s
@@ -11,8 +11,6 @@
#include "textflag.h"
#include "cgo/abi_amd64.h"
-#define CLOCK_REALTIME 0
-
// Exit the entire program (like C exit)
TEXT runtime·exit_trampoline(SB),NOSPLIT,$0
PUSHQ BP
@@ -143,9 +141,9 @@ initialized:
TEXT runtime·walltime_trampoline(SB),NOSPLIT,$0
PUSHQ BP // make a frame; keep stack aligned
MOVQ SP, BP
- MOVQ DI, SI // arg 2 timespec
- MOVL $CLOCK_REALTIME, DI // arg 1 clock_id
- CALL libc_clock_gettime(SB)
+ // DI already has *timeval
+ XORL SI, SI // no timezone needed
+ CALL libc_gettimeofday(SB)
POPQ BP
RET
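Review bot: The trampoline now has libc fill a timeval (seconds plus a 32-bit microsecond field) at the pointer in DI, but the diffstat for sys_darwin.go shows only the cgo_import_dynamic line changing, so the Go-side walltime wrapper that passes that buffer and reads it back is not reverted in this series; if it still declares a timespec and returns tv_nsec, the nanosecond field will be read from tv_usec plus padding and the wall clock will be wrong. Confirm that wrapper declares a timeval and returns `1000 * t.tv_usec` as the pre-clock_gettime code did; the same applies to the arm64 walltime_trampoline hunk below. Separately, gettimeofday offers only microsecond resolution, so time.Now() on this build loses the precision clock_gettime gave; the reason is only recoverable from the gist title, so a comment on the trampoline would help, e.g. `// gettimeofday: µs resolution only; clock_gettime is unavailable before macOS 10.12`.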
diff --git a/src/runtime/sys_darwin_arm64.s b/src/runtime/sys_darwin_arm64.s
index 96d2ed1076..b2690f4c37 100644
--- a/src/runtime/sys_darwin_arm64.s
+++ b/src/runtime/sys_darwin_arm64.s
@@ -10,8 +10,6 @@
#include "go_tls.h"
#include "textflag.h"
-#define CLOCK_REALTIME 0
-
TEXT notok<>(SB),NOSPLIT,$0
MOVD $0, R8
MOVD R8, (R8)
@@ -134,9 +132,9 @@ TEXT runtime·setitimer_trampoline(SB),NOSPLIT,$0
RET
TEXT runtime·walltime_trampoline(SB),NOSPLIT,$0
- MOVD R0, R1 // arg 2 timespec
- MOVW $CLOCK_REALTIME, R0 // arg 1 clock_id
- BL libc_clock_gettime(SB)
+ // R0 already has *timeval
+ MOVD $0, R1 // no timezone needed
+ BL libc_gettimeofday(SB)
RET
GLOBL timebase<>(SB),NOPTR,$(machTimebaseInfo__size)
--
2.34.1
From d9d2c4e8164b3fe804bb7e8fb913d71a4ad2f356 Mon Sep 17 00:00:00 2001
From: Leon Klingele <git@leonklingele.de>
Date: Wed, 15 Dec 2021 11:38:50 +0100
Subject: [PATCH 2/5] crypto/rand, internal/syscall/unix: don't use getentropy
on darwin
---
src/crypto/rand/rand_getentropy.go | 4 ++--
src/internal/syscall/unix/getentropy_darwin.go | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/crypto/rand/rand_getentropy.go b/src/crypto/rand/rand_getentropy.go
index dd725372ad..5b895100b9 100644
--- a/src/crypto/rand/rand_getentropy.go
+++ b/src/crypto/rand/rand_getentropy.go
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-//go:build (darwin && !ios) || openbsd
-// +build darwin,!ios openbsd
+//go:build (!darwin && !ios) || openbsd
+// +build !darwin,!ios openbsd
package rand
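Review bot: The new constraint `//go:build (!darwin && !ios) || openbsd` does not just drop darwin, it selects rand_getentropy.go for every non-darwin target (ios implies darwin, so `!darwin && !ios` reduces to `!darwin`), and the same inversion in the getentropy_darwin.go hunk of this patch would build that darwin-specific file, with its libSystem trampoline, on linux and windows as well. If the intent is to keep getentropy only where it is known to work, this file should read `//go:build openbsd` / `// +build openbsd`, and getentropy_darwin.go should be excluded outright (for example `//go:build ignore`) rather than inverted. On darwin the effect of dropping getentropy is presumably that crypto/rand falls back to its /dev/urandom reader, which matches the 10.11 target where getentropy does not exist; that fallback is outside this hunk, so confirm it is still selected for darwin.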
diff --git a/src/internal/syscall/unix/getentropy_darwin.go b/src/internal/syscall/unix/getentropy_darwin.go
index c75006bf8b..2fd5eba7fd 100644
--- a/src/internal/syscall/unix/getentropy_darwin.go
+++ b/src/internal/syscall/unix/getentropy_darwin.go
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-//go:build darwin && !ios
-// +build darwin,!ios
+//go:build !darwin && !ios
+// +build !darwin,!ios
package unix
--
2.34.1
From fb409a41bc1302e6a554bfe1d04faa90c2efee7a Mon Sep 17 00:00:00 2001
From: Leon Klingele <git@leonklingele.de>
Date: Wed, 15 Dec 2021 12:00:22 +0100
Subject: [PATCH 3/5] Revert "crypto/x509: verification with system and custom
roots"
This reverts commit 3544082f75fd3d2df7af237ed9aef3ddd499ab9c.
---
src/crypto/x509/root_darwin.go | 114 +--------------------------------
1 file changed, 2 insertions(+), 112 deletions(-)
diff --git a/src/crypto/x509/root_darwin.go b/src/crypto/x509/root_darwin.go
index 05593bb105..63f77d4f9a 100644
--- a/src/crypto/x509/root_darwin.go
+++ b/src/crypto/x509/root_darwin.go
@@ -125,116 +125,6 @@ func exportCertificate(cert macOS.CFRef) (*Certificate, error) {
return ParseCertificate(der)
}
-// isRootCertificate reports whether Subject and Issuer match.
-func isRootCertificate(cert *Certificate) bool {
- return bytes.Equal(cert.RawSubject, cert.RawIssuer)
-}
-
-// sslTrustSettingsResult obtains the final kSecTrustSettingsResult value for a
-// certificate in the user or admin domain, combining usage constraints for the
-// SSL SecTrustSettingsPolicy,
-//
-// It ignores SecTrustSettingsKeyUsage and kSecTrustSettingsAllowedError, and
-// doesn't support kSecTrustSettingsDefaultRootCertSetting.
-//
-// https://developer.apple.com/documentation/security/1400261-sectrustsettingscopytrustsetting
-func sslTrustSettingsResult(cert macOS.CFRef) (macOS.SecTrustSettingsResult, error) {
- // In Apple's implementation user trust settings override admin trust settings
- // (which themselves override system trust settings). If SecTrustSettingsCopyTrustSettings
- // fails, or returns a NULL trust settings, when looking for the user trust
- // settings then fallback to checking the admin trust settings.
- //
- // See Security-59306.41.2/trust/headers/SecTrustSettings.h for a description of
- // the trust settings overrides, and SecLegacyAnchorSourceCopyUsageConstraints in
- // Security-59306.41.2/trust/trustd/SecCertificateSource.c for a concrete example
- // of how Apple applies the override in the case of NULL trust settings, or non
- // success errors.
- trustSettings, err := macOS.SecTrustSettingsCopyTrustSettings(cert, macOS.SecTrustSettingsDomainUser)
- if err != nil || trustSettings == 0 {
- if debugDarwinRoots && err != macOS.ErrNoTrustSettings {
- fmt.Fprintf(os.Stderr, "crypto/x509: SecTrustSettingsCopyTrustSettings for SecTrustSettingsDomainUser failed: %s\n", err)
- }
- trustSettings, err = macOS.SecTrustSettingsCopyTrustSettings(cert, macOS.SecTrustSettingsDomainAdmin)
- }
- if err != nil || trustSettings == 0 {
- // If there are neither user nor admin trust settings for a certificate returned
- // from SecTrustSettingsCopyCertificates Apple returns kSecTrustSettingsResultInvalid,
- // as this method is intended to return certificates _which have trust settings_.
- // The most likely case for this being triggered is that the existing trust settings
- // are invalid and cannot be properly parsed. In this case SecTrustSettingsCopyTrustSettings
- // returns errSecInvalidTrustSettings. The existing cgo implementation returns
- // kSecTrustSettingsResultUnspecified in this case, which mostly matches the Apple
- // implementation because we don't do anything with certificates marked with this
- // result.
- //
- // See SecPVCGetTrustSettingsResult in Security-59306.41.2/trust/trustd/SecPolicyServer.c
- if debugDarwinRoots && err != macOS.ErrNoTrustSettings {
- fmt.Fprintf(os.Stderr, "crypto/x509: SecTrustSettingsCopyTrustSettings for SecTrustSettingsDomainAdmin failed: %s\n", err)
- }
- return macOS.SecTrustSettingsResultUnspecified, nil
- }
- defer macOS.CFRelease(trustSettings)
-
- // "An empty trust settings array means 'always trust this certificate' with an
- // overall trust setting for the certificate of kSecTrustSettingsResultTrustRoot."
- if macOS.CFArrayGetCount(trustSettings) == 0 {
- return macOS.SecTrustSettingsResultTrustRoot, nil
- }
-
- isSSLPolicy := func(policyRef macOS.CFRef) bool {
- properties := macOS.SecPolicyCopyProperties(policyRef)
- defer macOS.CFRelease(properties)
- if v, ok := macOS.CFDictionaryGetValueIfPresent(properties, macOS.SecPolicyOid); ok {
- return macOS.CFEqual(v, macOS.CFRef(macOS.SecPolicyAppleSSL))
- }
- return false
- }
-
- for i := 0; i < macOS.CFArrayGetCount(trustSettings); i++ {
- tSetting := macOS.CFArrayGetValueAtIndex(trustSettings, i)
-
- // First, check if this trust setting is constrained to a non-SSL policy.
- if policyRef, ok := macOS.CFDictionaryGetValueIfPresent(tSetting, macOS.SecTrustSettingsPolicy); ok {
- if !isSSLPolicy(policyRef) {
- continue
- }
- }
-
- // Then check if it is restricted to a hostname, so not a root.
- if _, ok := macOS.CFDictionaryGetValueIfPresent(tSetting, macOS.SecTrustSettingsPolicyString); ok {
- continue
- }
-
- cfNum, ok := macOS.CFDictionaryGetValueIfPresent(tSetting, macOS.SecTrustSettingsResultKey)
- // "If this key is not present, a default value of kSecTrustSettingsResultTrustRoot is assumed."
- if !ok {
- return macOS.SecTrustSettingsResultTrustRoot, nil
- }
- result, err := macOS.CFNumberGetValue(cfNum)
- if err != nil {
- return 0, err
- }
-
- // If multiple dictionaries match, we are supposed to "OR" them,
- // the semantics of which are not clear. Since TrustRoot and TrustAsRoot
- // are mutually exclusive, Deny should probably override, and Invalid and
- // Unspecified be overridden, approximate this by stopping at the first
- // TrustRoot, TrustAsRoot or Deny.
- switch r := macOS.SecTrustSettingsResult(result); r {
- case macOS.SecTrustSettingsResultTrustRoot,
- macOS.SecTrustSettingsResultTrustAsRoot,
- macOS.SecTrustSettingsResultDeny:
- return r, nil
- }
- }
-
- // If trust settings are present, but none of them match the policy...
- // the docs don't tell us what to do.
- //
- // "Trust settings for a given use apply if any of the dictionaries in the
- // certificate’s trust settings array satisfies the specified use." suggests
- // that it's as if there were no trust settings at all, so we should maybe
- // fallback to the admin trust settings? TODO(golang.org/issue/38888).
-
- return macOS.SecTrustSettingsResultUnspecified, nil
+func loadSystemRoots() (*CertPool, error) {
+ return nil, nil
}
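Review bot: The stub `loadSystemRoots` reports success with no pool (`return nil, nil`), so on darwin SystemCertPool yields no roots and a Verify with nil Roots either goes through the platform verifier or fails closed with SystemRootsError, depending on verify.go, which is outside this patch; the stub should say which is intended, e.g. `// loadSystemRoots returns no roots on darwin; chain building is expected to go through the platform verifier.` Note also that PATCH 5/5 in this series restores this file from blob 63f77d4f9a back to 05593bb105, the exact inverse of this hunk, so whatever behaviour this stub introduces does not survive the series.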
--
2.34.1
From e8b5bf1c686069c918cdaa35a3e2d5e2b1228571 Mon Sep 17 00:00:00 2001
From: Leon Klingele <git@leonklingele.de>
Date: Wed, 15 Dec 2021 12:00:30 +0100
Subject: [PATCH 4/5] Revert "crypto/x509: use the platform verifier on iOS"
This reverts commit b74f2efc47bbfcc4aa301ebda1033948d8b6b63e.
---
src/cmd/dist/test.go | 13 -------------
src/crypto/x509/root_ios_gen.go | 4 ++--
2 files changed, 2 insertions(+), 15 deletions(-)
diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go
index f40fa926df..a104b5c8f3 100644
--- a/src/cmd/dist/test.go
+++ b/src/cmd/dist/test.go
@@ -491,19 +491,6 @@ func (t *tester) registerTests() {
})
}
- // Test go/... cmd/gofmt with type parameters enabled.
- if !t.compileOnly {
- t.tests = append(t.tests, distTest{
- name: "tyepparams",
- heading: "go/... and cmd/gofmt tests with tag typeparams",
- fn: func(dt *distTest) error {
- t.addCmd(dt, "src", t.goTest(), t.timeout(300), "-tags=typeparams", "go/...")
- t.addCmd(dt, "src", t.goTest(), t.timeout(300), "-tags=typeparams", "cmd/gofmt")
- return nil
- },
- })
- }
-
if t.iOS() && !t.compileOnly {
t.tests = append(t.tests, distTest{
name: "x509omitbundledroots",
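Review bot: The lines removed here register the `tyepparams` dist test (go/... and cmd/gofmt with `-tags=typeparams`), which has nothing to do with the iOS platform-verifier commit this patch says it reverts, while the `x509omitbundledroots` registration that such a revert would be expected to touch is kept as context. This looks like a mis-resolved revert conflict; the typeparams test should probably be kept and, if the original commit added the x509omitbundledroots block, that block removed instead — confirm against the original commit. registerTests begins and ends outside the hunk.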
diff --git a/src/crypto/x509/root_ios_gen.go b/src/crypto/x509/root_ios_gen.go
index 05bd672d5d..3c98de5bb6 100644
--- a/src/crypto/x509/root_ios_gen.go
+++ b/src/crypto/x509/root_ios_gen.go
@@ -164,8 +164,8 @@ func main() {
const header = `// Code generated by root_ios_gen.go -version %s; DO NOT EDIT.
// Update the version in root.go and regenerate with "go generate".
-// +build ios
-// +build !x509omitbundledroots
+//go:build ios && !x509omitbundledroots
+// +build ios,!x509omitbundledroots
package x509
--
2.34.1
From 3626de0837be712f9db8f6fdc2427acaae5058c4 Mon Sep 17 00:00:00 2001
From: Leon Klingele <git@leonklingele.de>
Date: Wed, 15 Dec 2021 12:00:36 +0100
Subject: [PATCH 5/5] Revert "crypto/x509: use platform verifier on darwin"
This reverts commit feb024f4153395e5bbb2a51bb3d1ddc4f5b0d2dc.
---
src/crypto/x509/root_darwin.go | 114 ++++++++++++++++++++++++++++++++-
1 file changed, 112 insertions(+), 2 deletions(-)
diff --git a/src/crypto/x509/root_darwin.go b/src/crypto/x509/root_darwin.go
index 63f77d4f9a..05593bb105 100644
--- a/src/crypto/x509/root_darwin.go
+++ b/src/crypto/x509/root_darwin.go
@@ -125,6 +125,116 @@ func exportCertificate(cert macOS.CFRef) (*Certificate, error) {
return ParseCertificate(der)
}
-func loadSystemRoots() (*CertPool, error) {
- return nil, nil
+// isRootCertificate reports whether Subject and Issuer match.
+func isRootCertificate(cert *Certificate) bool {
+ return bytes.Equal(cert.RawSubject, cert.RawIssuer)
+}
+
+// sslTrustSettingsResult obtains the final kSecTrustSettingsResult value for a
+// certificate in the user or admin domain, combining usage constraints for the
+// SSL SecTrustSettingsPolicy,
+//
+// It ignores SecTrustSettingsKeyUsage and kSecTrustSettingsAllowedError, and
+// doesn't support kSecTrustSettingsDefaultRootCertSetting.
+//
+// https://developer.apple.com/documentation/security/1400261-sectrustsettingscopytrustsetting
+func sslTrustSettingsResult(cert macOS.CFRef) (macOS.SecTrustSettingsResult, error) {
+ // In Apple's implementation user trust settings override admin trust settings
+ // (which themselves override system trust settings). If SecTrustSettingsCopyTrustSettings
+ // fails, or returns a NULL trust settings, when looking for the user trust
+ // settings then fallback to checking the admin trust settings.
+ //
+ // See Security-59306.41.2/trust/headers/SecTrustSettings.h for a description of
+ // the trust settings overrides, and SecLegacyAnchorSourceCopyUsageConstraints in
+ // Security-59306.41.2/trust/trustd/SecCertificateSource.c for a concrete example
+ // of how Apple applies the override in the case of NULL trust settings, or non
+ // success errors.
+ trustSettings, err := macOS.SecTrustSettingsCopyTrustSettings(cert, macOS.SecTrustSettingsDomainUser)
+ if err != nil || trustSettings == 0 {
+ if debugDarwinRoots && err != macOS.ErrNoTrustSettings {
+ fmt.Fprintf(os.Stderr, "crypto/x509: SecTrustSettingsCopyTrustSettings for SecTrustSettingsDomainUser failed: %s\n", err)
+ }
+ trustSettings, err = macOS.SecTrustSettingsCopyTrustSettings(cert, macOS.SecTrustSettingsDomainAdmin)
+ }
+ if err != nil || trustSettings == 0 {
+ // If there are neither user nor admin trust settings for a certificate returned
+ // from SecTrustSettingsCopyCertificates Apple returns kSecTrustSettingsResultInvalid,
+ // as this method is intended to return certificates _which have trust settings_.
+ // The most likely case for this being triggered is that the existing trust settings
+ // are invalid and cannot be properly parsed. In this case SecTrustSettingsCopyTrustSettings
+ // returns errSecInvalidTrustSettings. The existing cgo implementation returns
+ // kSecTrustSettingsResultUnspecified in this case, which mostly matches the Apple
+ // implementation because we don't do anything with certificates marked with this
+ // result.
+ //
+ // See SecPVCGetTrustSettingsResult in Security-59306.41.2/trust/trustd/SecPolicyServer.c
+ if debugDarwinRoots && err != macOS.ErrNoTrustSettings {
+ fmt.Fprintf(os.Stderr, "crypto/x509: SecTrustSettingsCopyTrustSettings for SecTrustSettingsDomainAdmin failed: %s\n", err)
+ }
+ return macOS.SecTrustSettingsResultUnspecified, nil
+ }
+ defer macOS.CFRelease(trustSettings)
+
+ // "An empty trust settings array means 'always trust this certificate' with an
+ // overall trust setting for the certificate of kSecTrustSettingsResultTrustRoot."
+ if macOS.CFArrayGetCount(trustSettings) == 0 {
+ return macOS.SecTrustSettingsResultTrustRoot, nil
+ }
+
+ isSSLPolicy := func(policyRef macOS.CFRef) bool {
+ properties := macOS.SecPolicyCopyProperties(policyRef)
+ defer macOS.CFRelease(properties)
+ if v, ok := macOS.CFDictionaryGetValueIfPresent(properties, macOS.SecPolicyOid); ok {
+ return macOS.CFEqual(v, macOS.CFRef(macOS.SecPolicyAppleSSL))
+ }
+ return false
+ }
+
+ for i := 0; i < macOS.CFArrayGetCount(trustSettings); i++ {
+ tSetting := macOS.CFArrayGetValueAtIndex(trustSettings, i)
+
+ // First, check if this trust setting is constrained to a non-SSL policy.
+ if policyRef, ok := macOS.CFDictionaryGetValueIfPresent(tSetting, macOS.SecTrustSettingsPolicy); ok {
+ if !isSSLPolicy(policyRef) {
+ continue
+ }
+ }
+
+ // Then check if it is restricted to a hostname, so not a root.
+ if _, ok := macOS.CFDictionaryGetValueIfPresent(tSetting, macOS.SecTrustSettingsPolicyString); ok {
+ continue
+ }
+
+ cfNum, ok := macOS.CFDictionaryGetValueIfPresent(tSetting, macOS.SecTrustSettingsResultKey)
+ // "If this key is not present, a default value of kSecTrustSettingsResultTrustRoot is assumed."
+ if !ok {
+ return macOS.SecTrustSettingsResultTrustRoot, nil
+ }
+ result, err := macOS.CFNumberGetValue(cfNum)
+ if err != nil {
+ return 0, err
+ }
+
+ // If multiple dictionaries match, we are supposed to "OR" them,
+ // the semantics of which are not clear. Since TrustRoot and TrustAsRoot
+ // are mutually exclusive, Deny should probably override, and Invalid and
+ // Unspecified be overridden, approximate this by stopping at the first
+ // TrustRoot, TrustAsRoot or Deny.
+ switch r := macOS.SecTrustSettingsResult(result); r {
+ case macOS.SecTrustSettingsResultTrustRoot,
+ macOS.SecTrustSettingsResultTrustAsRoot,
+ macOS.SecTrustSettingsResultDeny:
+ return r, nil
+ }
+ }
+
+ // If trust settings are present, but none of them match the policy...
+ // the docs don't tell us what to do.
+ //
+ // "Trust settings for a given use apply if any of the dictionaries in the
+ // certificate’s trust settings array satisfies the specified use." suggests
+ // that it's as if there were no trust settings at all, so we should maybe
+ // fallback to the admin trust settings? TODO(golang.org/issue/38888).
+
+ return macOS.SecTrustSettingsResultUnspecified, nil
}
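Review bot: This hunk is the byte-for-byte inverse of the PATCH 3/5 hunk on the same file (index 63f77d4f9a..05593bb105 against 05593bb105..63f77d4f9a there), so after the whole series root_darwin.go is unchanged and neither the trust-settings parser nor the loadSystemRoots stub is actually altered for the 10.11 build. If the goal is to avoid a platform-verifier API that is missing on 10.11, the target state of this file needs deciding explicitly rather than reverting two commits that cancel out; if the two reverts are only there to keep git history faithful, a line in the series description saying the net effect on this file is nil would save the next reader the comparison.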
--
2.34.1