qbit/go
1
0
Fork 0
mirror of https://github.com/golang/go synced 2024-09-29 14:14:29 -06:00
Code Releases Activity

crypto/x509/internal/macos: handle unexpected null returns

Browse Source 
SecCreatePolicySSL returns null when called from a binary that has a
strange path. This seems to be a weirdo macos bug, but we should be
properly handling those null returns anyway. Also add handling for
SecTrustGetCertificateAtIndex.

Fixes #54590

Change-Id: I251e74f3b0bf65890a80b094b3e88718e13fd3db
Reviewed-on: https://go-review.googlesource.com/c/go/+/438135
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
This commit is contained in:
Roland Shoemaker 2022-10-03 09:19:32 -07:00 committed by Gopher Robot
parent 6a9aaf1f02
commit fa463cc96d
3 changed files with 18 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
src/crypto/x509/internal/macos/security.go
View File

@ -109,14 +109,6 @@ func SecTrustSettingsCopyTrustSettings(cert CFRef, domain SecTrustSettingsDomain
}
func x509_SecTrustSettingsCopyTrustSettings_trampoline()
//go:cgo_import_dynamic x509_SecPolicyCopyProperties SecPolicyCopyProperties "/System/Library/Frameworks/Security.framework/Versions/A/Security"
func SecPolicyCopyProperties(policy CFRef) CFRef {
ret := syscall(abi.FuncPCABI0(x509_SecPolicyCopyProperties_trampoline), uintptr(policy), 0, 0, 0, 0, 0)
return CFRef(ret)
}
func x509_SecPolicyCopyProperties_trampoline()
//go:cgo_import_dynamic x509_SecTrustCreateWithCertificates SecTrustCreateWithCertificates "/System/Library/Frameworks/Security.framework/Versions/A/Security"
func SecTrustCreateWithCertificates(certs CFRef, policies CFRef) (CFRef, error) {
@ -147,14 +139,17 @@ func x509_SecCertificateCreateWithData_trampoline()
//go:cgo_import_dynamic x509_SecPolicyCreateSSL SecPolicyCreateSSL "/System/Library/Frameworks/Security.framework/Versions/A/Security"
func SecPolicyCreateSSL(name string) CFRef {
func SecPolicyCreateSSL(name string) (CFRef, error) {
var hostname CFString
if name != "" {
hostname = StringToCFString(name)
defer CFRelease(CFRef(hostname))
}
ret := syscall(abi.FuncPCABI0(x509_SecPolicyCreateSSL_trampoline), 1 /* true */, uintptr(hostname), 0, 0, 0, 0)
return CFRef(ret)
if ret == 0 {
return 0, OSStatus{"SecPolicyCreateSSL", int32(ret)}
}
return CFRef(ret), nil
}
func x509_SecPolicyCreateSSL_trampoline()
@ -220,9 +215,12 @@ func x509_SecTrustGetCertificateCount_trampoline()
//go:cgo_import_dynamic x509_SecTrustGetCertificateAtIndex SecTrustGetCertificateAtIndex "/System/Library/Frameworks/Security.framework/Versions/A/Security"
func SecTrustGetCertificateAtIndex(trustObj CFRef, i int) CFRef {
func SecTrustGetCertificateAtIndex(trustObj CFRef, i int) (CFRef, error) {
ret := syscall(abi.FuncPCABI0(x509_SecTrustGetCertificateAtIndex_trampoline), uintptr(trustObj), uintptr(i), 0, 0, 0, 0)
return CFRef(ret)
if ret == 0 {
return 0, OSStatus{"SecTrustGetCertificateAtIndex", int32(ret)}
}
return CFRef(ret), nil
}
func x509_SecTrustGetCertificateAtIndex_trampoline()

2
src/crypto/x509/internal/macos/security.s
View File

@ -13,8 +13,6 @@ TEXT ·x509_SecTrustSettingsCopyCertificates_trampoline(SB),NOSPLIT,$0-0
JMP x509_SecTrustSettingsCopyCertificates(SB)
TEXT ·x509_SecTrustSettingsCopyTrustSettings_trampoline(SB),NOSPLIT,$0-0
JMP x509_SecTrustSettingsCopyTrustSettings(SB)
TEXT ·x509_SecPolicyCopyProperties_trampoline(SB),NOSPLIT,$0-0
JMP x509_SecPolicyCopyProperties(SB)
TEXT ·x509_SecTrustCreateWithCertificates_trampoline(SB),NOSPLIT,$0-0
JMP x509_SecTrustCreateWithCertificates(SB)
TEXT ·x509_SecCertificateCreateWithData_trampoline(SB),NOSPLIT,$0-0

10
src/crypto/x509/root_darwin.go
View File

@ -32,7 +32,10 @@ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate
policies := macOS.CFArrayCreateMutable()
defer macOS.ReleaseCFArray(policies)
sslPolicy := macOS.SecPolicyCreateSSL(opts.DNSName)
sslPolicy, err := macOS.SecPolicyCreateSSL(opts.DNSName)
if err != nil {
return nil, err
}
macOS.CFArrayAppendValue(policies, sslPolicy)
trustObj, err := macOS.SecTrustCreateWithCertificates(certs, policies)
@ -61,7 +64,10 @@ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate
chain := [][]*Certificate{{}}
numCerts := macOS.SecTrustGetCertificateCount(trustObj)
for i := 0; i < numCerts; i++ {
certRef := macOS.SecTrustGetCertificateAtIndex(trustObj, i)
certRef, err := macOS.SecTrustGetCertificateAtIndex(trustObj, i)
if err != nil {
return nil, err
}
cert, err := exportCertificate(certRef)
if err != nil {
return nil, err