Ticket #65178: patch-bypass-sectrustevaluatewitherror.diff

src/crypto/x509/internal/macos/security.go

@@ -10 +10 @@
         "errors"
         "internal/abi"
         "strconv"
+        "strings"
+        syscallpkg "syscall"
         "unsafe"
 )
 
@@ -87 +89 @@
 
 const errSecNoTrustSettings = -25263
 
+var missingSecTrustEvaluateWithError = false
+
+func init() {
+        v, _ := syscallpkg.Sysctl("kern.osrelease")
+        missingSecTrustEvaluateWithError = strings.HasPrefix(v, "11.") ||
+                strings.HasPrefix(v, "12.") ||
+                strings.HasPrefix(v, "13.") ||
+                strings.HasPrefix(v, "14.") ||
+                strings.HasPrefix(v, "15.") ||
+                strings.HasPrefix(v, "16.")
+}
+
 //go:cgo_import_dynamic x509_SecTrustSettingsCopyCertificates SecTrustSettingsCopyCertificates "/System/Library/Frameworks/Security.framework/Versions/A/Security"
 
 func SecTrustSettingsCopyCertificates(domain SecTrustSettingsDomain) (certArray CFRef, err error) {
@@ -174 +188 @@
 
 //go:cgo_import_dynamic x509_SecTrustEvaluate SecTrustEvaluate "/System/Library/Frameworks/Security.framework/Versions/A/Security"
 
-func SecTrustEvaluate(trustObj CFRef) (CFRef, error) {
-        var result CFRef
+func SecTrustEvaluate(trustObj CFRef) (SecTrustResultType, error) {
+        var result SecTrustResultType = SecTrustResultInvalid
         ret := syscall(abi.FuncPCABI0(x509_SecTrustEvaluate_trampoline), uintptr(trustObj), uintptr(unsafe.Pointer(&result)), 0, 0, 0, 0)
         if int32(ret) != 0 {
                 return 0, OSStatus{"SecTrustEvaluate", int32(ret)}
         }
-        return CFRef(result), nil
+        return result, nil
 }
 func x509_SecTrustEvaluate_trampoline()
 
@@ -200 +214 @@
 //go:cgo_import_dynamic x509_SecTrustEvaluateWithError SecTrustEvaluateWithError "/System/Library/Frameworks/Security.framework/Versions/A/Security"
 
 func SecTrustEvaluateWithError(trustObj CFRef) (int, error) {
+        if missingSecTrustEvaluateWithError {
+                result, err := SecTrustEvaluate(trustObj)
+                if err != nil {
+                        return err
+                }
+                switch result {
+                case SecTrustResultUnspecified, SecTrustResultProceed:
+                        return nil
+                case SecTrustResultRecoverableTrustFailure:
+                        return errors.New("x509: macOS certificate verification result: recoverable trust failure")
+                case SecTrustResultFatalTrustFailure:
+                        return errors.New("x509: macOS certificate verification result: fatal trust failure")
+                case SecTrustResultOtherError:
+                        return errors.New("x509: macOS certificate verification result: other error")
+                case SecTrustResultInvalid:
+                        return errors.New("x509: macOS certificate verification result: invalid")
+                case SecTrustResultDeny:
+                        return errors.New("x509: macOS certificate verification result: denied")
+                case SecTrustResultConfirm:
+                        return errors.New("x509: macOS certificate verification result: confirmation required")
+                default:
+                        return errors.New("x509: macOS certificate verification result unknown")
+                }
+        }
         var errRef CFRef
         ret := syscall(abi.FuncPCABI0(x509_SecTrustEvaluateWithError_trampoline), uintptr(trustObj), uintptr(unsafe.Pointer(&errRef)), 0, 0, 0, 0)
         if int32(ret) != 1 {