From: Brad Fitzpatrick <bradfitz@golang.org>
Date: Tue, 26 Jul 2016 21:58:44 +0000 (+0200)
Subject: crypto/x509: detect OS X version for FetchPEMRoots at run time
X-Git-Tag: go1.7rc4~1^2~7
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=4a15508c663429652d32f5363c0964152b28dd74;p=gostls13.git

crypto/x509: detect OS X version for FetchPEMRoots at run time

https://golang.org/cl/25233 was detecting the OS X release at compile
time, not run time. Detect it at run time instead.

Fixes #16473 (again)

Change-Id: I6bec4996e57aa50c52599c165aa6f1fae7423fa7
Reviewed-on: https://go-review.googlesource.com/25281
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>
Reviewed-by: Chris Broadfoot <cbro@golang.org>
---

diff --git a/src/crypto/x509/root_cgo_darwin.go b/src/crypto/x509/root_cgo_darwin.go
index 83f83d8c16..a4b33c7660 100644
--- a/src/crypto/x509/root_cgo_darwin.go
+++ b/src/crypto/x509/root_cgo_darwin.go
@@ -10,6 +10,9 @@ package x509
 #cgo CFLAGS: -mmacosx-version-min=10.6 -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060
 #cgo LDFLAGS: -framework CoreFoundation -framework Security
 
+#include <errno.h>
+#include <sys/sysctl.h>
+
 #include <CoreFoundation/CoreFoundation.h>
 #include <Security/Security.h>
 
@@ -51,9 +54,20 @@ int FetchPEMRoots_MountainLion(CFDataRef *pemRoots) {
 	return 0;
 }
 
-#ifndef kCFCoreFoundationVersionNumber10_9
-#define kCFCoreFoundationVersionNumber10_9      855.11
-#endif
+// useOldCode reports whether the running machine is OS X 10.8 Mountain Lion
+// or older. We only support Mountain Lion and higher, but we'll at least try our
+// best on older machines and continue to use the old code path.
+//
+// See golang.org/issue/16473
+int useOldCode() {
+	char str[256];
+	size_t size = sizeof(str);
+	memset(str, 0, size);
+	sysctlbyname("kern.osrelease", str, &size, NULL, 0);
+	// OS X 10.8 is osrelease "12.*", 10.7 is 11.*, 10.6 is 10.*.
+	// We never supported things before that.
+	return memcmp(str, "12.", 3) == 0 || memcmp(str, "11.", 3) == 0 || memcmp(str, "10.", 3) == 0;
+}
 
 // FetchPEMRoots fetches the system's list of trusted X.509 root certificates.
 //
@@ -63,7 +77,7 @@ int FetchPEMRoots_MountainLion(CFDataRef *pemRoots) {
 // Note: The CFDataRef returned in pemRoots must be released (using CFRelease) after
 // we've consumed its content.
 int FetchPEMRoots(CFDataRef *pemRoots) {
-	if (kCFCoreFoundationVersionNumber < kCFCoreFoundationVersionNumber10_9) {
+	if (useOldCode()) {
 		return FetchPEMRoots_MountainLion(pemRoots);
 	}