justan0th3rstud3nt
/
garble
mirror of https://github.com/burrowers/garble
1
0
Fork 0
Code Issues 1 Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
release-v0.12
ci-test
literalRecheck
v0.12.1
v0.12.0
v0.11.0
v0.10.1
v0.10.0
v0.9.3
v0.9.2
v0.9.1
v0.9.0
v0.8.0
v0.7.2
v0.7.1
v0.7.0
v0.6.0
v0.5.1
v0.5.0
v0.4.0
v0.3.0
v0.2.0
v0.1.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1a0b028db7'
${ noResults }
garble/main.go

2061 lines
60 KiB
Go
Raw Normal View History Unescape Escape

set up an AUTHORS file to attribute copyright Many files were missing copyright, so also add a short script to add the missing lines with the current year, and run it. The AUTHORS file is also self-explanatory. Contributors can add themselves there, or we can simply update it from time to time via git-shortlog. Since we have two scripts now, set up a directory for them.
4 years ago
// Copyright (c) 2019, The Garble Authors.
// See LICENSE for licensing information.
initial commit
5 years ago
package main
import (
make selection of packages configurable via GOPRIVATE Carefully select a default that will do the right thing when inside a module, as well as when building ad-hoc packages. This means we no longer need to look at the compiler's -std flag, which is nice. Also replace foo.com/ with test/, as per golang/go#37641. Fixes #7.
4 years ago
"bytes"
unify the definition and storage of flag values The parent garble process parses the original flags, as provided by the user via the command line. Previously, those got stored in the shared cache file, so that child processes spawned by toolexec could see them. Unfortunately, this made the code relatively easy to misuse. A child process would always see flagLiterals as zero value, given that it should never see such a flag argument directly. Similarly, one would have to be careful with cached options, as they could only be consumed after the cache file is loaded. Simplify the situation by deduplicating the storage of flags. Now, the parent passes all flags onto children via toolexec. One exception is GarbleDir, which now becomes an env var. This seems in line with other top-level dirs like GARBLE_SHARED. Finally, we turn -seed into a flag.Value, which lets us implement its "set" behavior as part of flag.Parse. Overall, we barely reduce the amount of code involved, but we certainly remove a couple of footguns. As part of the cleanup, we also introduce appendFlags.
3 years ago
"crypto/rand"
start hashing identifiers
5 years ago
"encoding/base64"
add seed flag to control how builds are reproducible Fixes #26.
4 years ago
"encoding/binary"
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
"encoding/gob"
use "go env -json" to collect env info all at once In the worst case scenario, when GOPRIVATE isn't set at all, we would run these three commands: * "go env GOPRIVATE", to fetch GOPRIVATE itself * "go list -m", for GOPRIVATE's fallback * "go version", to check the version of Go being used Now that we support Go 1.16 and later, all these three can be obtained via "go env -json": $ go env -json GOPRIVATE GOMOD GOVERSION { "GOMOD": "/home/mvdan/src/garble/go.mod", "GOPRIVATE": "", "GOVERSION": "go1.16.3" } Note that we don't get the module path directly, but we can use the x/mod/modfile Go API to parse it from the GOMOD file cheaply. Notably, this also simplifies our Go version checking logic, as now we get just the version string without the "go version" prefix and "GOOS/GOARCH" suffix we don't care about. This makes our code a bit more maintainable and robust. When running a short incremental build, we can also see a small speed-up, as saving two "go" invocations can save a few milliseconds: name old time/op new time/op delta Build/Cache-8 168ms ± 0% 166ms ± 1% -1.26% (p=0.009 n=6+6) name old bin-B new bin-B delta Build/Cache-8 6.36M ± 0% 6.36M ± 0% +0.12% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build/Cache-8 222ms ± 2% 219ms ± 3% ~ (p=0.589 n=6+6) name old user-time/op new user-time/op delta Build/Cache-8 857ms ± 1% 846ms ± 1% -1.31% (p=0.041 n=6+6)
3 years ago
"encoding/json"
fail if we are unexpectedly overwriting files (#418) While investigating a bug report, I noticed that garble was writing to the same temp file twice. At best, writing to the same path on disk twice is wasteful, as the design is careful to be deterministic and use unique paths. At worst, the two writes could cause races at the filesystem level. To prevent either of those situations, we now create files with os.OpenFile and os.O_EXCL, meaning that we will error if the file already exists. That change uncovered a number of such unintended cases. First, transformAsm would write obfuscated Go files twice. This is because the Go toolchain actually runs: [...]/asm -gensymabis [...] foo.s bar.s [...]/asm [...] foo.s bar.s That is, the first run is only meant to generate symbol ABIs, which are then used by the compiler. We need to obfuscate at that first stage, because the symbol ABI descriptions need to use obfuscated names. However, having already obfuscated the assembly on the first stage, there is no need to do so again on the second stage. If we detect gensymabis is missing, we simply reuse the previous files. This first situation doesn't seem racy, but obfuscating the Go assembly files twice is certainly unnecessary. Second, saveKnownReflectAPIs wrote a gob file to the build cache. Since the build cache can be kept between builds, and since the build cache uses reproducible paths for each build, running the same "garble build" twice could overwrite those files. This could actually cause races at the filesystem level; if two concurrent builds write to the same gob file on disk, one of them could end up using a partially-written file. Note that this is the only of the three cases not using temporary files. As such, it is expected that the file may already exist. In such a case, we simply avoid overwriting it rather than failing. Third, when "garble build -a" was used, and when we needed an export file not listed in importcfg, we would end up calling roughly: go list -export -toolexec=garble -a <dependency> This meant we would re-build and re-obfuscate those packages. Which is unfortunate, because the parent process already did via: go build -toolexec=garble -a <main> The repeated dependency builds tripped the new os.O_EXCL check, as we would try to overwrite the same obfuscated Go files. Beyond being wasteful, this could again cause subtle filesystem races. To fix the problem, avoid passing flags like "-a" to nested go commands. Overall, we should likely be using safer ways to write to disk, be it via either atomic writes or locked files. However, for now, catching duplicate writes is a big step. I have left a self-assigned TODO for further improvements. CI on the pull request found a failure on test-gotip. The failure reproduces on master, so it seems to be related to gotip, and not a regression introduced by this change. For now, disable test-gotip until we can investigate.
3 years ago
"errors"
initial commit
5 years ago
"flag"
"fmt"
start hashing identifiers
5 years ago
"go/ast"
garbling imported packages starts being supported
5 years ago
"go/importer"
start hashing identifiers
5 years ago
"go/parser"
"go/token"
garbling imported packages starts being supported
5 years ago
"go/types"
start hashing identifiers
5 years ago
"io"
fail if we are unexpectedly overwriting files (#418) While investigating a bug report, I noticed that garble was writing to the same temp file twice. At best, writing to the same path on disk twice is wasteful, as the design is careful to be deterministic and use unique paths. At worst, the two writes could cause races at the filesystem level. To prevent either of those situations, we now create files with os.OpenFile and os.O_EXCL, meaning that we will error if the file already exists. That change uncovered a number of such unintended cases. First, transformAsm would write obfuscated Go files twice. This is because the Go toolchain actually runs: [...]/asm -gensymabis [...] foo.s bar.s [...]/asm [...] foo.s bar.s That is, the first run is only meant to generate symbol ABIs, which are then used by the compiler. We need to obfuscate at that first stage, because the symbol ABI descriptions need to use obfuscated names. However, having already obfuscated the assembly on the first stage, there is no need to do so again on the second stage. If we detect gensymabis is missing, we simply reuse the previous files. This first situation doesn't seem racy, but obfuscating the Go assembly files twice is certainly unnecessary. Second, saveKnownReflectAPIs wrote a gob file to the build cache. Since the build cache can be kept between builds, and since the build cache uses reproducible paths for each build, running the same "garble build" twice could overwrite those files. This could actually cause races at the filesystem level; if two concurrent builds write to the same gob file on disk, one of them could end up using a partially-written file. Note that this is the only of the three cases not using temporary files. As such, it is expected that the file may already exist. In such a case, we simply avoid overwriting it rather than failing. Third, when "garble build -a" was used, and when we needed an export file not listed in importcfg, we would end up calling roughly: go list -export -toolexec=garble -a <dependency> This meant we would re-build and re-obfuscate those packages. Which is unfortunate, because the parent process already did via: go build -toolexec=garble -a <main> The repeated dependency builds tripped the new os.O_EXCL check, as we would try to overwrite the same obfuscated Go files. Beyond being wasteful, this could again cause subtle filesystem races. To fix the problem, avoid passing flags like "-a" to nested go commands. Overall, we should likely be using safer ways to write to disk, be it via either atomic writes or locked files. However, for now, catching duplicate writes is a big step. I have left a self-assigned TODO for further improvements. CI on the pull request found a failure on test-gotip. The failure reproduces on master, so it seems to be related to gotip, and not a regression introduced by this change. For now, disable test-gotip until we can investigate.
3 years ago
"io/fs"
add a bit more docs
5 years ago
"log"
add seed flag to control how builds are reproducible Fixes #26.
4 years ago
mathrand "math/rand"
initial commit
5 years ago
"os"
"os/exec"
"path/filepath"
drop support for Go 1.16.x We can now use pruned module graphs in go.mod files, and we no longer need to worry about runtime/internal/sys. Note that I had to update testdata/mod slightly, as the new pruned module graphs algorithm downloads an extra go.mod file. This change also paves the way towards future Go 1.18 support. Thanks to lu4p for cleaning up two TODOs as well. Co-Authored-By: lu4p <lu4p@pm.me>
3 years ago
"regexp"
make the tool work on Windows, enable tests The tests required a few last tweaks to work on Windows.
5 years ago
"runtime"
add a "version" command (#220) Mimicking "go version", this tells the user garble's own version. The code is exactly the same that is used for another tool written in Go, shfmt. It uses runtime/debug to fetch the module version embedded in binaries built by Go. For example: $ go get mvdan.cc/sh/v3/cmd/shfmt@latest $ shfmt -version v3.2.2 $ go get mvdan.cc/sh/v3/cmd/shfmt@master $ shfmt -version v3.3.0-0.dev.0.20210203135509-56c9918c980d Note that this will not work for a plain "go build" or "go install" after a "git clone", since in that case the Go tool can't know garble's own version via go.mod - since it's the current main module: $ go build $ ./garble version (devel) For the use case of the power user building from source directly, they are probably clever enough to tell us what git commit they are on, so this is not a big problem right now. It will also get better once golang/go#37475 is fixed in the future. Until then, if we need to do "release" builds locally, we can embed an explicit version into the binary via ldflags: $ go build -ldflags=-X=main.version=v1.2.3 $ ./garble version v1.2.3 Fixes #217.
3 years ago
"runtime/debug"
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
"strconv"
start enforcing the link flags -w -s
5 years ago
"strings"
add -debug to aid in debugging (#431) Not really meant for end users, but they might still debug failures before filing bugs. We add the -debug flag itself, as well as machinery to deduplicate output lines. There are quite a lot of them otherwise, which aren't helpful and simply add noise. In the future, if we always want to output a debug log line, such as "choosing not to obfuscate here because X", we can simply insert the unique position string. Finally, turn all commented-out log.Printf calls to debugf. Improve a few log lines to be more human-friendly, and also add a few extras like how long it takes to load files. We can improve the logging further in the future. This seems like a good starting point.
3 years ago
"time"
obfuscate asm function names as well (#273) Historically, it was impossible to rename those funcs as the implementation was in assembly files, and we only transformed Go code. Now that transformAsm exists, it's only about fifty lines to do some very basic parsing and rewriting of assembly files. This fixes the obfuscated builds of multiple std packages, including a few dependencies of net/http, since they included assembly funcs which called pure Go functions. Those pure Go functions had their names obfuscated, breaking the call sites in assembly. Fixes #258. Fixes #261.
3 years ago
"unicode"
"unicode/utf8"
update dependency versions, drop Go 1.14 Most notably, x/mod now includes the GOPRIVATE pattern-matching API we were copying before, so we can use it directly. Also bump the Go version requirement to 1.15, in preparation for the import path obfuscation PR, and don't let the gotip job fail the entire workflow.
4 years ago
use "go env -json" to collect env info all at once In the worst case scenario, when GOPRIVATE isn't set at all, we would run these three commands: * "go env GOPRIVATE", to fetch GOPRIVATE itself * "go list -m", for GOPRIVATE's fallback * "go version", to check the version of Go being used Now that we support Go 1.16 and later, all these three can be obtained via "go env -json": $ go env -json GOPRIVATE GOMOD GOVERSION { "GOMOD": "/home/mvdan/src/garble/go.mod", "GOPRIVATE": "", "GOVERSION": "go1.16.3" } Note that we don't get the module path directly, but we can use the x/mod/modfile Go API to parse it from the GOMOD file cheaply. Notably, this also simplifies our Go version checking logic, as now we get just the version string without the "go version" prefix and "GOOS/GOARCH" suffix we don't care about. This makes our code a bit more maintainable and robust. When running a short incremental build, we can also see a small speed-up, as saving two "go" invocations can save a few milliseconds: name old time/op new time/op delta Build/Cache-8 168ms ± 0% 166ms ± 1% -1.26% (p=0.009 n=6+6) name old bin-B new bin-B delta Build/Cache-8 6.36M ± 0% 6.36M ± 0% +0.12% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build/Cache-8 222ms ± 2% 219ms ± 3% ~ (p=0.589 n=6+6) name old user-time/op new user-time/op delta Build/Cache-8 857ms ± 1% 846ms ± 1% -1.31% (p=0.041 n=6+6)
3 years ago
"golang.org/x/mod/modfile"
follow-up patches to the 'go version' checking (#139) Give the func a name that tells what the return value means. Add missing newlines to printfs, use consistent quoting, and replace "%s" with %q. Document the Go 1.15 date. Finally, fix the imports via goimports.
4 years ago
"golang.org/x/mod/semver"
"golang.org/x/tools/go/ast/astutil"
Use XOR instead of AES for literal obfuscation. Implement a literal obfuscator interface, to allow the easy addition of new encodings. Add literal obfuscation for byte literals. Choose a random obfuscator on literal obfuscation, useful when multiple obfuscators are implemented. Fixes #62
4 years ago
"mvdan.cc/garble/internal/literals"
initial commit
5 years ago
)
add a "version" command (#220) Mimicking "go version", this tells the user garble's own version. The code is exactly the same that is used for another tool written in Go, shfmt. It uses runtime/debug to fetch the module version embedded in binaries built by Go. For example: $ go get mvdan.cc/sh/v3/cmd/shfmt@latest $ shfmt -version v3.2.2 $ go get mvdan.cc/sh/v3/cmd/shfmt@master $ shfmt -version v3.3.0-0.dev.0.20210203135509-56c9918c980d Note that this will not work for a plain "go build" or "go install" after a "git clone", since in that case the Go tool can't know garble's own version via go.mod - since it's the current main module: $ go build $ ./garble version (devel) For the use case of the power user building from source directly, they are probably clever enough to tell us what git commit they are on, so this is not a big problem right now. It will also get better once golang/go#37475 is fixed in the future. Until then, if we need to do "release" builds locally, we can embed an explicit version into the binary via ldflags: $ go build -ldflags=-X=main.version=v1.2.3 $ ./garble version v1.2.3 Fixes #217.
3 years ago
var (
flagSet = flag.NewFlagSet("garble", flag.ContinueOnError)
version = "(devel)" // to match the default from runtime/debug
)
initial commit
5 years ago
allow easy inpection of garbled code Fixes #17.
4 years ago
var (
unify the definition and storage of flag values The parent garble process parses the original flags, as provided by the user via the command line. Previously, those got stored in the shared cache file, so that child processes spawned by toolexec could see them. Unfortunately, this made the code relatively easy to misuse. A child process would always see flagLiterals as zero value, given that it should never see such a flag argument directly. Similarly, one would have to be careful with cached options, as they could only be consumed after the cache file is loaded. Simplify the situation by deduplicating the storage of flags. Now, the parent passes all flags onto children via toolexec. One exception is GarbleDir, which now becomes an env var. This seems in line with other top-level dirs like GARBLE_SHARED. Finally, we turn -seed into a flag.Value, which lets us implement its "set" behavior as part of flag.Parse. Overall, we barely reduce the amount of code involved, but we certainly remove a couple of footguns. As part of the cleanup, we also introduce appendFlags.
3 years ago
flagLiterals bool
flagTiny bool
add -debug to aid in debugging (#431) Not really meant for end users, but they might still debug failures before filing bugs. We add the -debug flag itself, as well as machinery to deduplicate output lines. There are quite a lot of them otherwise, which aren't helpful and simply add noise. In the future, if we always want to output a debug log line, such as "choosing not to obfuscate here because X", we can simply insert the unique position string. Finally, turn all commented-out log.Printf calls to debugf. Improve a few log lines to be more human-friendly, and also add a few extras like how long it takes to load files. We can improve the logging further in the future. This seems like a good starting point.
3 years ago
flagDebug bool
unify the definition and storage of flag values The parent garble process parses the original flags, as provided by the user via the command line. Previously, those got stored in the shared cache file, so that child processes spawned by toolexec could see them. Unfortunately, this made the code relatively easy to misuse. A child process would always see flagLiterals as zero value, given that it should never see such a flag argument directly. Similarly, one would have to be careful with cached options, as they could only be consumed after the cache file is loaded. Simplify the situation by deduplicating the storage of flags. Now, the parent passes all flags onto children via toolexec. One exception is GarbleDir, which now becomes an env var. This seems in line with other top-level dirs like GARBLE_SHARED. Finally, we turn -seed into a flag.Value, which lets us implement its "set" behavior as part of flag.Parse. Overall, we barely reduce the amount of code involved, but we certainly remove a couple of footguns. As part of the cleanup, we also introduce appendFlags.
3 years ago
flagDebugDir string
flagSeed seedFlag
allow easy inpection of garbled code Fixes #17.
4 years ago
)
add basic literal obfuscation, starting with strings Fixes #16.
4 years ago
func init() {
flagSet.Usage = usage
unify the definition and storage of flag values The parent garble process parses the original flags, as provided by the user via the command line. Previously, those got stored in the shared cache file, so that child processes spawned by toolexec could see them. Unfortunately, this made the code relatively easy to misuse. A child process would always see flagLiterals as zero value, given that it should never see such a flag argument directly. Similarly, one would have to be careful with cached options, as they could only be consumed after the cache file is loaded. Simplify the situation by deduplicating the storage of flags. Now, the parent passes all flags onto children via toolexec. One exception is GarbleDir, which now becomes an env var. This seems in line with other top-level dirs like GARBLE_SHARED. Finally, we turn -seed into a flag.Value, which lets us implement its "set" behavior as part of flag.Parse. Overall, we barely reduce the amount of code involved, but we certainly remove a couple of footguns. As part of the cleanup, we also introduce appendFlags.
3 years ago
flagSet.BoolVar(&flagLiterals, "literals", false, "Obfuscate literals such as strings")
flagSet.BoolVar(&flagTiny, "tiny", false, "Optimize for binary size, losing some ability to reverse the process")
add -debug to aid in debugging (#431) Not really meant for end users, but they might still debug failures before filing bugs. We add the -debug flag itself, as well as machinery to deduplicate output lines. There are quite a lot of them otherwise, which aren't helpful and simply add noise. In the future, if we always want to output a debug log line, such as "choosing not to obfuscate here because X", we can simply insert the unique position string. Finally, turn all commented-out log.Printf calls to debugf. Improve a few log lines to be more human-friendly, and also add a few extras like how long it takes to load files. We can improve the logging further in the future. This seems like a good starting point.
3 years ago
flagSet.BoolVar(&flagDebug, "debug", false, "Print debug logs to stderr")
use "obfuscate" instead of "garble" in some more places Mainly comments. "garble" refers to the tool, but the verb and adjective is more intuitive as "obfuscate" and "obfuscated" instead of "garble" and "garbled".
3 years ago
flagSet.StringVar(&flagDebugDir, "debugdir", "", "Write the obfuscated source to a directory, e.g. -debugdir=out")
unify the definition and storage of flag values The parent garble process parses the original flags, as provided by the user via the command line. Previously, those got stored in the shared cache file, so that child processes spawned by toolexec could see them. Unfortunately, this made the code relatively easy to misuse. A child process would always see flagLiterals as zero value, given that it should never see such a flag argument directly. Similarly, one would have to be careful with cached options, as they could only be consumed after the cache file is loaded. Simplify the situation by deduplicating the storage of flags. Now, the parent passes all flags onto children via toolexec. One exception is GarbleDir, which now becomes an env var. This seems in line with other top-level dirs like GARBLE_SHARED. Finally, we turn -seed into a flag.Value, which lets us implement its "set" behavior as part of flag.Parse. Overall, we barely reduce the amount of code involved, but we certainly remove a couple of footguns. As part of the cleanup, we also introduce appendFlags.
3 years ago
flagSet.Var(&flagSeed, "seed", "Provide a base64-encoded seed, e.g. -seed=o9WDTZ4CN4w\nFor a random seed, provide -seed=random")
}
give a useful error for "garble build -tiny" We've had confused users a handful of times by now. And it's reasonable to expect flags to be after the command, as that's how flags work for cmd/go itself. I don't think we want to mix our flags with Go's, or start accepting flags in either place. Both seem like worse solutions long-term, as they can add confusion. However, we can quickly give a useful hint when a flag is misplaced. That should get new users unblocked without asking for help. We use a regular expression for this purpose, because it doesn't seem like a FlagSet supports what we need; to detect whether an argument is one of our flags, without actually applying its value to the flagset. Our flagset would also error on Go's flags, which we don't want.
3 years ago
var rxGarbleFlag = regexp.MustCompile(`-(literals|tiny|debug|debugdir|seed)($|=)`)
unify the definition and storage of flag values The parent garble process parses the original flags, as provided by the user via the command line. Previously, those got stored in the shared cache file, so that child processes spawned by toolexec could see them. Unfortunately, this made the code relatively easy to misuse. A child process would always see flagLiterals as zero value, given that it should never see such a flag argument directly. Similarly, one would have to be careful with cached options, as they could only be consumed after the cache file is loaded. Simplify the situation by deduplicating the storage of flags. Now, the parent passes all flags onto children via toolexec. One exception is GarbleDir, which now becomes an env var. This seems in line with other top-level dirs like GARBLE_SHARED. Finally, we turn -seed into a flag.Value, which lets us implement its "set" behavior as part of flag.Parse. Overall, we barely reduce the amount of code involved, but we certainly remove a couple of footguns. As part of the cleanup, we also introduce appendFlags.
3 years ago
type seedFlag struct {
random bool
bytes []byte
}
make obfuscation fully deterministic with -seed The default behavior of garble is to seed via the build inputs, including the build IDs of the entire Go build of each package. This works well as a default, and does give us determinism, but it means that building for different platforms will result in different obfuscation per platform. Instead, when -seed is provided, don't use any other hash seed or salt. This means that a particular Go name will be obfuscated the same way as long as the seed, package path, and name itself remain constant. In other words, when the user supplies a custom -seed, we assume they know what they're doing in terms of storage and rotation. Expand the README docs with more examples and detail. Fixes #449.
2 years ago
func (f seedFlag) present() bool { return len(f.bytes) > 0 }
unify the definition and storage of flag values The parent garble process parses the original flags, as provided by the user via the command line. Previously, those got stored in the shared cache file, so that child processes spawned by toolexec could see them. Unfortunately, this made the code relatively easy to misuse. A child process would always see flagLiterals as zero value, given that it should never see such a flag argument directly. Similarly, one would have to be careful with cached options, as they could only be consumed after the cache file is loaded. Simplify the situation by deduplicating the storage of flags. Now, the parent passes all flags onto children via toolexec. One exception is GarbleDir, which now becomes an env var. This seems in line with other top-level dirs like GARBLE_SHARED. Finally, we turn -seed into a flag.Value, which lets us implement its "set" behavior as part of flag.Parse. Overall, we barely reduce the amount of code involved, but we certainly remove a couple of footguns. As part of the cleanup, we also introduce appendFlags.
3 years ago
func (f seedFlag) String() string {
return base64.RawStdEncoding.EncodeToString(f.bytes)
}
func (f *seedFlag) Set(s string) error {
if s == "random" {
f.bytes = make([]byte, 16) // random 128 bit seed
if _, err := rand.Read(f.bytes); err != nil {
return fmt.Errorf("error generating random seed: %v", err)
}
} else {
// We expect unpadded base64, but to be nice, accept padded
// strings too.
s = strings.TrimRight(s, "=")
seed, err := base64.RawStdEncoding.DecodeString(s)
if err != nil {
return fmt.Errorf("error decoding seed: %v", err)
}
if len(seed) < 8 {
return fmt.Errorf("-seed needs at least 8 bytes, have %d", len(seed))
}
f.bytes = seed
}
return nil
add basic literal obfuscation, starting with strings Fixes #16.
4 years ago
}
initial commit
5 years ago
func usage() {
fmt.Fprintf(os.Stderr, `
all: update the docs a bit Rework the features section in the README, leaving optional features at the end of the list. Simplify the caveats list, too; the build cache and exported field/method bits only need one point each. Overall, the section was far too wordy for little reason. Also redo the help text a bit. There's now a line to briefly introduce the tool, as well as a link to the README with all the details. Finally, the flags have shorter and more consistent help strings. While at it, remove two unused global vars as spotted by staticcheck.
4 years ago
Garble obfuscates Go code by wrapping the Go toolchain.
initial commit
5 years ago
make the positioning of Go flags clearer in the help text We did say "garble flags before the command" towards the end, but let's also make that clearer at the top. For #342.
3 years ago
garble [garble flags] command [go flags] [go arguments]
introduce 'garble build' shortcut This way, the user doesn't need to remember to use flags like -a and -trimpath. Also because we might need more 'go build' flags in the future.
5 years ago
document "garble reverse" Fixes #5.
3 years ago
For example, to build an obfuscated program:
garble build ./cmd/foo
give a usage example for combining flags Users are still filing bugs about this, presumably because the docs aren't clear enough. Fixes #372.
3 years ago
Similarly, to combine garble flags and Go build flags:
garble -literals build -tags=purego ./cmd/foo
document "garble reverse" Fixes #5.
3 years ago
The following commands are supported:
always require one argument for "reverse" The "reverse" command had many levels of optional arguments: garble [garble flags] reverse [build flags] [package] [files] This was pretty confusing, and could easily lead to people running the command incorrectly: # note that output.txt isn't a Go package! garble reverse output.txt Moreover, it made the handling of Go build flags pretty confusing. Should the command below work? garble reverse -tags=mytag It also made it easy to not notice that one must supply the main package to properly reverse some text that it produced, like a panic message. With the package path being implicit, one could mistakenly provide the wrong package by running garble in a directory containing a different package. See #394.
3 years ago
build replace "go build"
test replace "go test"
version print Garble version
reverse de-obfuscate output such as stack traces
To learn more about a command, run "garble help <command>".
fix and re-enable "garble test" (#268) With the many refactors building up to v0.1.0, we broke "garble test" as we no longer dealt with test packages well. Luckily, now that we can depend on TOOLEXEC_IMPORTPATH, we can support the test command again, as we can always figure out what package we're currently compiling, without having to track a "main" package. Note that one major pitfall there is test packages, where TOOLEXEC_IMPORTPATH does not agree with ImportPath from "go list -json". However, we can still work around that with a bit of glue code, which is also copiously documented. The second change necessary is to consider test packages private depending on whether their non-test package is private or not. This can be done via the ForTest field in "go list -json". The third change is to obfuscate "_testmain.go" files, which are the code-generated main functions which actually run tests. We used to not need to obfuscate them, since test function names are never obfuscated and we used to not obfuscate import paths at compilation time. Now we do rewrite import paths, so we must do that for "_testmain.go" too. The fourth change is to re-enable test.txt, and expand it with more sanity checks and edge cases. Finally, document "garble test" again. Fixes #241.
3 years ago
make "garble command -h" give command-specific help Before, "garble build -h" would print the same as "garble -h", which is too much and confusing, as it doesn't tell us much about "build". Now it's far better, and includes the output of "go build -h": $ garble build -h usage: garble [garble flags] build [arguments] This command wraps "go build". Below is its help: usage: go build [-o output] [build flags] [packages] Run 'go help build' for details. We do the same for "garble reverse -h", since it doesn't wrap a Go tool command.
3 years ago
garble accepts the following flags before a command:
all: update the docs a bit Rework the features section in the README, leaving optional features at the end of the list. Simplify the caveats list, too; the build cache and exported field/method bits only need one point each. Overall, the section was far too wordy for little reason. Also redo the help text a bit. There's now a line to briefly introduce the tool, as well as a link to the README with all the details. Finally, the flags have shorter and more consistent help strings. While at it, remove two unused global vars as spotted by staticcheck.
4 years ago
initial commit
5 years ago
`[1:])
flagSet.PrintDefaults()
all: update the docs a bit Rework the features section in the README, leaving optional features at the end of the list. Simplify the caveats list, too; the build cache and exported field/method bits only need one point each. Overall, the section was far too wordy for little reason. Also redo the help text a bit. There's now a line to briefly introduce the tool, as well as a link to the README with all the details. Finally, the flags have shorter and more consistent help strings. While at it, remove two unused global vars as spotted by staticcheck.
4 years ago
fmt.Fprintf(os.Stderr, `
all: fix links after moving repository (#131) A couple of places still linked to the personal repo.
4 years ago
For more information, see https://github.com/burrowers/garble.
all: update the docs a bit Rework the features section in the README, leaving optional features at the end of the list. Simplify the caveats list, too; the build cache and exported field/method bits only need one point each. Overall, the section was far too wordy for little reason. Also redo the help text a bit. There's now a line to briefly introduce the tool, as well as a link to the README with all the details. Finally, the flags have shorter and more consistent help strings. While at it, remove two unused global vars as spotted by staticcheck.
4 years ago
`[1:])
initial commit
5 years ago
}
func main() { os.Exit(main1()) }
start hashing identifiers
5 years ago
var (
share a single temporary directory between all processes Each compile and link sub-process created its own temporary directory, to be cleaned up shortly after. Moreover, we also had the global gob-encoded temporary file. Instead, place all of those under a single, start-to-end temporary directory. This is cleaner for the end user, and easier to maintain for us. A big plus is that we can also get rid of the confusing deferred global, as it was mostly used to clean up these extra temp dirs. The only remaining use was post-compile code, which is now an explicit func returned by each "transform" func. While at it, clean up the math/rand seeding code a bit and add a debug log line, and stop shadowing a cmd string with a cmd *exec.Cmd. Fixes #147.
3 years ago
fset = token.NewFileSet()
sharedTempDir = os.Getenv("GARBLE_SHARED")
unify the definition and storage of flag values The parent garble process parses the original flags, as provided by the user via the command line. Previously, those got stored in the shared cache file, so that child processes spawned by toolexec could see them. Unfortunately, this made the code relatively easy to misuse. A child process would always see flagLiterals as zero value, given that it should never see such a flag argument directly. Similarly, one would have to be careful with cached options, as they could only be consumed after the cache file is loaded. Simplify the situation by deduplicating the storage of flags. Now, the parent passes all flags onto children via toolexec. One exception is GarbleDir, which now becomes an env var. This seems in line with other top-level dirs like GARBLE_SHARED. Finally, we turn -seed into a flag.Value, which lets us implement its "set" behavior as part of flag.Parse. Overall, we barely reduce the amount of code involved, but we certainly remove a couple of footguns. As part of the cleanup, we also introduce appendFlags.
3 years ago
parentWorkDir = os.Getenv("GARBLE_PARENT_WORK")
start hashing identifiers
5 years ago
simplify globals, split hash.go (#191) The previous globals worked, but were unnecessarily complex. For example, we passed the fromPath variable around, but it's really a static global, since we only compile or link a single package in each Go process. Use such global variables instead of passing them around, which currently include the package's import path, its build ID, and its import config path. Also split all the hashing and build ID code into hash.go, since that's a relatively well contained 200 lines of code that doesn't need to make main.go any bigger. We also split the code to alter Go's own version to a separate function, so that it can be moved out of main.go as well.
4 years ago
// origImporter is a go/types importer which uses the original versions
// of packages, without any obfuscation. This is helpful to make
// decisions on how to obfuscate our input code.
wrap types.Importer to canonicalize import paths The docs for go/importer.ForCompiler say: The lookup function is called each time the resulting importer needs to resolve an import path. In this mode the importer can only be invoked with canonical import paths (not relative or absolute ones); it is assumed that the translation to canonical import paths is being done by the client of the importer. We use a lookup func for two reasons: first, to support modules, and second, to be able to use our information from "go list -json -export". However, go/types does not canonicalize import paths before calling ImportFrom. This is somewhat understandable; it doesn't know whether an importer was created with a lookup func, and ImportFrom only requires the input path to be canonicalized in that scenario. When the lookup func is nil, the importer canonicalizes by itself via go/build.Import. Before this change, the added crossbuild test would fail: > garble build net/http [stderr] # vendor/golang.org/x/crypto/chacha20 typecheck error: /usr/lib/go/src/vendor/golang.org/x/crypto/chacha20/chacha_generic.go:10:2: could not import crypto/cipher (can't find import: "crypto/cipher") # vendor/golang.org/x/text/secure/bidirule typecheck error: /usr/lib/go/src/vendor/golang.org/x/text/secure/bidirule/bidirule.go:12:2: could not import errors (can't find import: "errors") # vendor/golang.org/x/crypto/cryptobyte typecheck error: /usr/lib/go/src/vendor/golang.org/x/crypto/cryptobyte/asn1.go:8:16: could not import encoding/asn1 (can't find import: "encoding/asn1") # vendor/golang.org/x/text/unicode/norm typecheck error: /usr/lib/go/src/vendor/golang.org/x/text/unicode/norm/composition.go:7:8: could not import unicode/utf8 (can't find import: "unicode/utf8") This is because we'd fall back to importer.Default, which only knows how to find packages in $GOROOT/pkg. Those are missing for cross-builds, unsurprisingly, as those built archives end up in the build cache. After this change, we properly support importing std-vendored packages, so we can get rid of the importer.Default workaround. And, by extension, cross-builds now work as well. Note that, in the added test script, the full build of the binary fails, as there seems to be some sort of linker problem: > garble build [stderr] # test/main d9rqJyxo.uoqIiDs5: relocation target runtime.os9A16A3 not defined We leave that as a TODO for now, as this change is subtle enough as it is.
3 years ago
origImporter = importerWithMap(importer.ForCompiler(fset, "gc", func(path string) (io.ReadCloser, error) {
simplify globals, split hash.go (#191) The previous globals worked, but were unnecessarily complex. For example, we passed the fromPath variable around, but it's really a static global, since we only compile or link a single package in each Go process. Use such global variables instead of passing them around, which currently include the package's import path, its build ID, and its import config path. Also split all the hashing and build ID code into hash.go, since that's a relatively well contained 200 lines of code that doesn't need to make main.go any bigger. We also split the code to alter Go's own version to a separate function, so that it can be moved out of main.go as well.
4 years ago
pkg, err := listPackage(path)
if err != nil {
return nil, err
}
return os.Open(pkg.Export)
wrap types.Importer to canonicalize import paths The docs for go/importer.ForCompiler say: The lookup function is called each time the resulting importer needs to resolve an import path. In this mode the importer can only be invoked with canonical import paths (not relative or absolute ones); it is assumed that the translation to canonical import paths is being done by the client of the importer. We use a lookup func for two reasons: first, to support modules, and second, to be able to use our information from "go list -json -export". However, go/types does not canonicalize import paths before calling ImportFrom. This is somewhat understandable; it doesn't know whether an importer was created with a lookup func, and ImportFrom only requires the input path to be canonicalized in that scenario. When the lookup func is nil, the importer canonicalizes by itself via go/build.Import. Before this change, the added crossbuild test would fail: > garble build net/http [stderr] # vendor/golang.org/x/crypto/chacha20 typecheck error: /usr/lib/go/src/vendor/golang.org/x/crypto/chacha20/chacha_generic.go:10:2: could not import crypto/cipher (can't find import: "crypto/cipher") # vendor/golang.org/x/text/secure/bidirule typecheck error: /usr/lib/go/src/vendor/golang.org/x/text/secure/bidirule/bidirule.go:12:2: could not import errors (can't find import: "errors") # vendor/golang.org/x/crypto/cryptobyte typecheck error: /usr/lib/go/src/vendor/golang.org/x/crypto/cryptobyte/asn1.go:8:16: could not import encoding/asn1 (can't find import: "encoding/asn1") # vendor/golang.org/x/text/unicode/norm typecheck error: /usr/lib/go/src/vendor/golang.org/x/text/unicode/norm/composition.go:7:8: could not import unicode/utf8 (can't find import: "unicode/utf8") This is because we'd fall back to importer.Default, which only knows how to find packages in $GOROOT/pkg. Those are missing for cross-builds, unsurprisingly, as those built archives end up in the build cache. After this change, we properly support importing std-vendored packages, so we can get rid of the importer.Default workaround. And, by extension, cross-builds now work as well. Note that, in the added test script, the full build of the binary fails, as there seems to be some sort of linker problem: > garble build [stderr] # test/main d9rqJyxo.uoqIiDs5: relocation target runtime.os9A16A3 not defined We leave that as a TODO for now, as this change is subtle enough as it is.
3 years ago
}).(types.ImporterFrom).ImportFrom)
start supporting asm functions better Spotted while trying to link a program using unix.Syscall, since its implementation is assembly. Telling if a function couldn't be garbled isn't trivial. If that function belongs to an imported package, we only load its export data instead of type-checking from source, so we don't have all the information needed. Instead, use the gc export data importer to import two versions of each dependency: its original version, for the initial type-checking, and its garbled version, to check if any of its exported names weren't garbled. Updates #9.
4 years ago
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
// Basic information about the package being currently compiled or linked.
curPkg *listedPackage
start hashing identifiers
5 years ago
)
error if the user forgot -trimpath
5 years ago
wrap types.Importer to canonicalize import paths The docs for go/importer.ForCompiler say: The lookup function is called each time the resulting importer needs to resolve an import path. In this mode the importer can only be invoked with canonical import paths (not relative or absolute ones); it is assumed that the translation to canonical import paths is being done by the client of the importer. We use a lookup func for two reasons: first, to support modules, and second, to be able to use our information from "go list -json -export". However, go/types does not canonicalize import paths before calling ImportFrom. This is somewhat understandable; it doesn't know whether an importer was created with a lookup func, and ImportFrom only requires the input path to be canonicalized in that scenario. When the lookup func is nil, the importer canonicalizes by itself via go/build.Import. Before this change, the added crossbuild test would fail: > garble build net/http [stderr] # vendor/golang.org/x/crypto/chacha20 typecheck error: /usr/lib/go/src/vendor/golang.org/x/crypto/chacha20/chacha_generic.go:10:2: could not import crypto/cipher (can't find import: "crypto/cipher") # vendor/golang.org/x/text/secure/bidirule typecheck error: /usr/lib/go/src/vendor/golang.org/x/text/secure/bidirule/bidirule.go:12:2: could not import errors (can't find import: "errors") # vendor/golang.org/x/crypto/cryptobyte typecheck error: /usr/lib/go/src/vendor/golang.org/x/crypto/cryptobyte/asn1.go:8:16: could not import encoding/asn1 (can't find import: "encoding/asn1") # vendor/golang.org/x/text/unicode/norm typecheck error: /usr/lib/go/src/vendor/golang.org/x/text/unicode/norm/composition.go:7:8: could not import unicode/utf8 (can't find import: "unicode/utf8") This is because we'd fall back to importer.Default, which only knows how to find packages in $GOROOT/pkg. Those are missing for cross-builds, unsurprisingly, as those built archives end up in the build cache. After this change, we properly support importing std-vendored packages, so we can get rid of the importer.Default workaround. And, by extension, cross-builds now work as well. Note that, in the added test script, the full build of the binary fails, as there seems to be some sort of linker problem: > garble build [stderr] # test/main d9rqJyxo.uoqIiDs5: relocation target runtime.os9A16A3 not defined We leave that as a TODO for now, as this change is subtle enough as it is.
3 years ago
type importerWithMap func(path, dir string, mode types.ImportMode) (*types.Package, error)
func (fn importerWithMap) Import(path string) (*types.Package, error) {
panic("should never be called")
}
func (fn importerWithMap) ImportFrom(path, dir string, mode types.ImportMode) (*types.Package, error) {
if path2 := curPkg.ImportMap[path]; path2 != "" {
path = path2
}
return fn(path, dir, mode)
}
add -debug to aid in debugging (#431) Not really meant for end users, but they might still debug failures before filing bugs. We add the -debug flag itself, as well as machinery to deduplicate output lines. There are quite a lot of them otherwise, which aren't helpful and simply add noise. In the future, if we always want to output a debug log line, such as "choosing not to obfuscate here because X", we can simply insert the unique position string. Finally, turn all commented-out log.Printf calls to debugf. Improve a few log lines to be more human-friendly, and also add a few extras like how long it takes to load files. We can improve the logging further in the future. This seems like a good starting point.
3 years ago
// uniqueLineWriter sits underneath log.SetOutput to deduplicate log lines.
// We log bits of useful information for debugging,
// and logging the same detail twice is not going to help the user.
add a few TODOs with uncovered code that should not be This will hopefully give new contributors a place to start. Some of these, like verifying that the "help" commands work, will be relatively simple additions to our test scripts.
2 years ago
// Duplicates are relatively normal, given that names tend to repeat.
add -debug to aid in debugging (#431) Not really meant for end users, but they might still debug failures before filing bugs. We add the -debug flag itself, as well as machinery to deduplicate output lines. There are quite a lot of them otherwise, which aren't helpful and simply add noise. In the future, if we always want to output a debug log line, such as "choosing not to obfuscate here because X", we can simply insert the unique position string. Finally, turn all commented-out log.Printf calls to debugf. Improve a few log lines to be more human-friendly, and also add a few extras like how long it takes to load files. We can improve the logging further in the future. This seems like a good starting point.
3 years ago
type uniqueLineWriter struct {
out io.Writer
seen map[string]bool
}
func (w *uniqueLineWriter) Write(p []byte) (n int, err error) {
if !flagDebug {
panic("unexpected use of uniqueLineWriter with -debug unset")
}
if bytes.Count(p, []byte("\n")) != 1 {
panic(fmt.Sprintf("log write wasn't just one line: %q", p))
}
if w.seen[string(p)] {
return len(p), nil
}
if w.seen == nil {
w.seen = make(map[string]bool)
}
w.seen[string(p)] = true
return w.out.Write(p)
}
// debugf is like log.Printf, but it is a no-op by default.
all: drop support for Go 1.17 Now that we've released v0.6.0, that will be the last feature release to feature support for Go 1.17. The upcoming v0.7.0 will be Go 1.18+. Code-wise, the cleanup here isn't super noticeable, but it will be easier to work on features like VCS-aware version information and generics support without worrying about Go 1.17. Plus, now CI is back to being much faster. Note how "go 1.18" in go.mod makes "go mod tidy" more aggressive.
2 years ago
// TODO(mvdan): use our own debug logger instead of hijacking the global one,
// and drop the "flagDebug" no-op check now that we require Go 1.18 or later.
func debugf(format string, args ...any) {
add -debug to aid in debugging (#431) Not really meant for end users, but they might still debug failures before filing bugs. We add the -debug flag itself, as well as machinery to deduplicate output lines. There are quite a lot of them otherwise, which aren't helpful and simply add noise. In the future, if we always want to output a debug log line, such as "choosing not to obfuscate here because X", we can simply insert the unique position string. Finally, turn all commented-out log.Printf calls to debugf. Improve a few log lines to be more human-friendly, and also add a few extras like how long it takes to load files. We can improve the logging further in the future. This seems like a good starting point.
3 years ago
if !flagDebug {
return
}
log.Printf(format, args...)
}
// debugSince is like time.Since but resulting in shorter output.
// A build process takes at least hundreds of milliseconds,
// so extra decimal points in the order of microseconds aren't meaningful.
func debugSince(start time.Time) time.Duration {
return time.Since(start).Truncate(10 * time.Microsecond)
}
initial commit
5 years ago
func main1() int {
start reporting total allocs by garble in the benchmark This is like allocs/op by testing.B.ReportAllocs, but it combines all allocations by garble sub-processes. As we currently generate quite a bit of garbage, and reductions in it may only reduce time/op very slowly, this new metric will help us visualize small improvements. The regular ReportAllocs would not help us at all, as the main process simply executes "garble build". We remove user-ns/op to make space for mallocs/op, and also since it's a bit redundant given sys-ns/op and time-ns/op. name time/op Build-16 9.20s ± 1% name bin-B Build-16 5.16M ± 0% name cached-time/op Build-16 304ms ± 4% name mallocs/op Build-16 30.7M ± 0% name sys-time/op Build-16 4.78s ± 4%
2 years ago
defer func() {
if os.Getenv("GARBLE_WRITE_ALLOCS") != "true" {
return
}
var memStats runtime.MemStats
runtime.ReadMemStats(&memStats)
fmt.Fprintf(os.Stderr, "garble allocs: %d\n", memStats.Mallocs)
}()
initial commit
5 years ago
if err := flagSet.Parse(os.Args[1:]); err != nil {
return 2
}
add a bit more docs
5 years ago
log.SetPrefix("[garble] ")
add -debug to aid in debugging (#431) Not really meant for end users, but they might still debug failures before filing bugs. We add the -debug flag itself, as well as machinery to deduplicate output lines. There are quite a lot of them otherwise, which aren't helpful and simply add noise. In the future, if we always want to output a debug log line, such as "choosing not to obfuscate here because X", we can simply insert the unique position string. Finally, turn all commented-out log.Printf calls to debugf. Improve a few log lines to be more human-friendly, and also add a few extras like how long it takes to load files. We can improve the logging further in the future. This seems like a good starting point.
3 years ago
log.SetFlags(0) // no timestamps, as they aren't very useful
if flagDebug {
add a few TODOs with uncovered code that should not be This will hopefully give new contributors a place to start. Some of these, like verifying that the "help" commands work, will be relatively simple additions to our test scripts.
2 years ago
// TODO: cover this in the tests.
add -debug to aid in debugging (#431) Not really meant for end users, but they might still debug failures before filing bugs. We add the -debug flag itself, as well as machinery to deduplicate output lines. There are quite a lot of them otherwise, which aren't helpful and simply add noise. In the future, if we always want to output a debug log line, such as "choosing not to obfuscate here because X", we can simply insert the unique position string. Finally, turn all commented-out log.Printf calls to debugf. Improve a few log lines to be more human-friendly, and also add a few extras like how long it takes to load files. We can improve the logging further in the future. This seems like a good starting point.
3 years ago
log.SetOutput(&uniqueLineWriter{out: os.Stderr})
} else {
log.SetOutput(io.Discard)
}
initial commit
5 years ago
args := flagSet.Args()
if len(args) < 1 {
prevent exiting early with early errors (#205) The point of main1 returning an int is that testscript can run code afterwards, such as to collect coverage information when running with -coverprofile. We were using plain os.Exit in a couple of places: when help was requested, and when the Go version could not be fetched. In those cases, return an error to main1, and let it do the right thing. For #35.
4 years ago
usage()
return 2
initial commit
5 years ago
}
split main1 with a func returning an error
5 years ago
if err := mainErr(args); err != nil {
make "garble command -h" give command-specific help Before, "garble build -h" would print the same as "garble -h", which is too much and confusing, as it doesn't tell us much about "build". Now it's far better, and includes the output of "go build -h": $ garble build -h usage: garble [garble flags] build [arguments] This command wraps "go build". Below is its help: usage: go build [-o output] [build flags] [packages] Run 'go help build' for details. We do the same for "garble reverse -h", since it doesn't wrap a Go tool command.
3 years ago
if code, ok := err.(errJustExit); ok {
make early errors count towards code coverage I recently added TODOs for bits of code we should cover in the tests. I was looking at that again just now, and was puzzled; we do indeed have test cases for many of them already. We just weren't counting them towards code coverage due to a bug. errJustExit works as expected, except that it calls os.Exit directly, whereas testscript wants a non-zero return to run its "after" code. Part of that code is what handles joining code coverage files. The total code coverage jumps from 86.2% to 87.6%.
2 years ago
return int(code)
make "garble command -h" give command-specific help Before, "garble build -h" would print the same as "garble -h", which is too much and confusing, as it doesn't tell us much about "build". Now it's far better, and includes the output of "go build -h": $ garble build -h usage: garble [garble flags] build [arguments] This command wraps "go build". Below is its help: usage: go build [-o output] [build flags] [packages] Run 'go help build' for details. We do the same for "garble reverse -h", since it doesn't wrap a Go tool command.
3 years ago
}
fmt.Fprintln(os.Stderr, err)
improve the code comments around -seed Explain why we print the random seed on failure, and why we accept base64 padding when we don't use it. While at it, the flagOptions.Random field is unused, so remove it. It also seems wrong for it to exist; the random value is only for the seed flag, which already has a field of its own.
3 years ago
make "garble command -h" give command-specific help Before, "garble build -h" would print the same as "garble -h", which is too much and confusing, as it doesn't tell us much about "build". Now it's far better, and includes the output of "go build -h": $ garble build -h usage: garble [garble flags] build [arguments] This command wraps "go build". Below is its help: usage: go build [-o output] [build flags] [packages] Run 'go help build' for details. We do the same for "garble reverse -h", since it doesn't wrap a Go tool command.
3 years ago
// If the build failed and a random seed was used,
// the failure might not reproduce with a different seed.
// Print it before we exit.
unify the definition and storage of flag values The parent garble process parses the original flags, as provided by the user via the command line. Previously, those got stored in the shared cache file, so that child processes spawned by toolexec could see them. Unfortunately, this made the code relatively easy to misuse. A child process would always see flagLiterals as zero value, given that it should never see such a flag argument directly. Similarly, one would have to be careful with cached options, as they could only be consumed after the cache file is loaded. Simplify the situation by deduplicating the storage of flags. Now, the parent passes all flags onto children via toolexec. One exception is GarbleDir, which now becomes an env var. This seems in line with other top-level dirs like GARBLE_SHARED. Finally, we turn -seed into a flag.Value, which lets us implement its "set" behavior as part of flag.Parse. Overall, we barely reduce the amount of code involved, but we certainly remove a couple of footguns. As part of the cleanup, we also introduce appendFlags.
3 years ago
if flagSeed.random {
fmt.Fprintf(os.Stderr, "random seed: %s\n", base64.RawStdEncoding.EncodeToString(flagSeed.bytes))
prevent exiting early with early errors (#205) The point of main1 returning an int is that testscript can run code afterwards, such as to collect coverage information when running with -coverprofile. We were using plain os.Exit in a couple of places: when help was requested, and when the Go version could not be fetched. In those cases, return an error to main1, and let it do the right thing. For #35.
4 years ago
}
split main1 with a func returning an error
5 years ago
return 1
}
return 0
}
introduce 'garble build' shortcut This way, the user doesn't need to remember to use flags like -a and -trimpath. Also because we might need more 'go build' flags in the future.
5 years ago
make "garble command -h" give command-specific help Before, "garble build -h" would print the same as "garble -h", which is too much and confusing, as it doesn't tell us much about "build". Now it's far better, and includes the output of "go build -h": $ garble build -h usage: garble [garble flags] build [arguments] This command wraps "go build". Below is its help: usage: go build [-o output] [build flags] [packages] Run 'go help build' for details. We do the same for "garble reverse -h", since it doesn't wrap a Go tool command.
3 years ago
type errJustExit int
func (e errJustExit) Error() string { return fmt.Sprintf("exit: %d", e) }
prevent exiting early with early errors (#205) The point of main1 returning an int is that testscript can run code afterwards, such as to collect coverage information when running with -coverprofile. We were using plain os.Exit in a couple of places: when help was requested, and when the Go version could not be fetched. In those cases, return an error to main1, and let it do the right thing. For #35.
4 years ago
fail if the current Go version is newer than what built garble For instance, Go 1.18 added support for generics, so its compiler output files changed format to accomodate for the new language feature. If garble is built with Go 1.17 and then used to perform builds on Go 1.18, it will fail in a very confusing way, because garble's go/types and go/importer packages will not know how to deal with that. As already discussed in #269, require the version that built the garble binary to be equal or newer. In that thread we discussed only comparing the major version, so for example garble built on go1.18 could be used on the toolchain go1.18.5. However, that could still fail in confusing ways if a fix to go/types or go/importer happened in a point release. While here, I noticed that we were still using Go 1.17 for some CI checks. Fix that, except for staticcheck. Fixes #269.
2 years ago
// toolchainVersionSemver is a semver-compatible version of the Go toolchain currently
// being used, as reported by "go env GOVERSION".
// Note that the version of Go that built the garble binary might be newer.
var toolchainVersionSemver string
update cmd/go flags for 1.18 As of 1.18beta1. I used bash commands like: diff -u <(go1.17.5 help build) <(gotip help build) While here, supply -buildinfo=false and -buildvcs=false to go build. We already remove that information by discarding the _gomod_.go file, but we might as well pass the flags too. If anything, it lets the toolchain avoid the work entirely. Note that we can't use these flags on Go 1.17 for now, though. Add a TODO that came to mind while writing this, too.
3 years ago
follow-up patches to the 'go version' checking (#139) Give the func a name that tells what the return value means. Add missing newlines to printfs, use consistent quoting, and replace "%s" with %q. Document the Go 1.15 date. Finally, fix the imports via goimports.
4 years ago
func goVersionOK() bool {
Add go version validation (#136) Fixes https://github.com/burrowers/garble/issues/121
4 years ago
const (
all: drop support for Go 1.17 Now that we've released v0.6.0, that will be the last feature release to feature support for Go 1.17. The upcoming v0.7.0 will be Go 1.18+. Code-wise, the cleanup here isn't super noticeable, but it will be easier to work on features like VCS-aware version information and generics support without worrying about Go 1.17. Plus, now CI is back to being much faster. Note how "go 1.18" in go.mod makes "go mod tidy" more aggressive.
2 years ago
minGoVersionSemver = "v1.18.0"
suggestedGoVersion = "1.18.x"
Add go version validation (#136) Fixes https://github.com/burrowers/garble/issues/121
4 years ago
)
fail if the current Go version is newer than what built garble For instance, Go 1.18 added support for generics, so its compiler output files changed format to accomodate for the new language feature. If garble is built with Go 1.17 and then used to perform builds on Go 1.18, it will fail in a very confusing way, because garble's go/types and go/importer packages will not know how to deal with that. As already discussed in #269, require the version that built the garble binary to be equal or newer. In that thread we discussed only comparing the major version, so for example garble built on go1.18 could be used on the toolchain go1.18.5. However, that could still fail in confusing ways if a fix to go/types or go/importer happened in a point release. While here, I noticed that we were still using Go 1.17 for some CI checks. Fix that, except for staticcheck. Fixes #269.
2 years ago
// rxVersion looks for a version like "go1.2" or "go1.2.3"
rxVersion := regexp.MustCompile(`go\d+\.\d+(\.\d+)?`)
toolchainVersionFull := cache.GoEnv.GOVERSION
toolchainVersion := rxVersion.FindString(cache.GoEnv.GOVERSION)
if toolchainVersion == "" {
use "go env -json" to collect env info all at once In the worst case scenario, when GOPRIVATE isn't set at all, we would run these three commands: * "go env GOPRIVATE", to fetch GOPRIVATE itself * "go list -m", for GOPRIVATE's fallback * "go version", to check the version of Go being used Now that we support Go 1.16 and later, all these three can be obtained via "go env -json": $ go env -json GOPRIVATE GOMOD GOVERSION { "GOMOD": "/home/mvdan/src/garble/go.mod", "GOPRIVATE": "", "GOVERSION": "go1.16.3" } Note that we don't get the module path directly, but we can use the x/mod/modfile Go API to parse it from the GOMOD file cheaply. Notably, this also simplifies our Go version checking logic, as now we get just the version string without the "go version" prefix and "GOOS/GOARCH" suffix we don't care about. This makes our code a bit more maintainable and robust. When running a short incremental build, we can also see a small speed-up, as saving two "go" invocations can save a few milliseconds: name old time/op new time/op delta Build/Cache-8 168ms ± 0% 166ms ± 1% -1.26% (p=0.009 n=6+6) name old bin-B new bin-B delta Build/Cache-8 6.36M ± 0% 6.36M ± 0% +0.12% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build/Cache-8 222ms ± 2% 219ms ± 3% ~ (p=0.589 n=6+6) name old user-time/op new user-time/op delta Build/Cache-8 857ms ± 1% 846ms ± 1% -1.31% (p=0.041 n=6+6)
3 years ago
// Go 1.15.x and older do not have GOVERSION yet.
fail if the current Go version is newer than what built garble For instance, Go 1.18 added support for generics, so its compiler output files changed format to accomodate for the new language feature. If garble is built with Go 1.17 and then used to perform builds on Go 1.18, it will fail in a very confusing way, because garble's go/types and go/importer packages will not know how to deal with that. As already discussed in #269, require the version that built the garble binary to be equal or newer. In that thread we discussed only comparing the major version, so for example garble built on go1.18 could be used on the toolchain go1.18.5. However, that could still fail in confusing ways if a fix to go/types or go/importer happened in a point release. While here, I noticed that we were still using Go 1.17 for some CI checks. Fix that, except for staticcheck. Fixes #269.
2 years ago
// We could go the extra mile and fetch it via 'go toolchainVersion',
use "go env -json" to collect env info all at once In the worst case scenario, when GOPRIVATE isn't set at all, we would run these three commands: * "go env GOPRIVATE", to fetch GOPRIVATE itself * "go list -m", for GOPRIVATE's fallback * "go version", to check the version of Go being used Now that we support Go 1.16 and later, all these three can be obtained via "go env -json": $ go env -json GOPRIVATE GOMOD GOVERSION { "GOMOD": "/home/mvdan/src/garble/go.mod", "GOPRIVATE": "", "GOVERSION": "go1.16.3" } Note that we don't get the module path directly, but we can use the x/mod/modfile Go API to parse it from the GOMOD file cheaply. Notably, this also simplifies our Go version checking logic, as now we get just the version string without the "go version" prefix and "GOOS/GOARCH" suffix we don't care about. This makes our code a bit more maintainable and robust. When running a short incremental build, we can also see a small speed-up, as saving two "go" invocations can save a few milliseconds: name old time/op new time/op delta Build/Cache-8 168ms ± 0% 166ms ± 1% -1.26% (p=0.009 n=6+6) name old bin-B new bin-B delta Build/Cache-8 6.36M ± 0% 6.36M ± 0% +0.12% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build/Cache-8 222ms ± 2% 219ms ± 3% ~ (p=0.589 n=6+6) name old user-time/op new user-time/op delta Build/Cache-8 857ms ± 1% 846ms ± 1% -1.31% (p=0.041 n=6+6)
3 years ago
// but we'd have to error anyway.
fmt.Fprintf(os.Stderr, "Go version is too old; please upgrade to Go %s or a newer devel version\n", suggestedGoVersion)
Add go version validation (#136) Fixes https://github.com/burrowers/garble/issues/121
4 years ago
return false
}
fail if the current Go version is newer than what built garble For instance, Go 1.18 added support for generics, so its compiler output files changed format to accomodate for the new language feature. If garble is built with Go 1.17 and then used to perform builds on Go 1.18, it will fail in a very confusing way, because garble's go/types and go/importer packages will not know how to deal with that. As already discussed in #269, require the version that built the garble binary to be equal or newer. In that thread we discussed only comparing the major version, so for example garble built on go1.18 could be used on the toolchain go1.18.5. However, that could still fail in confusing ways if a fix to go/types or go/importer happened in a point release. While here, I noticed that we were still using Go 1.17 for some CI checks. Fix that, except for staticcheck. Fixes #269.
2 years ago
toolchainVersionSemver = "v" + strings.TrimPrefix(toolchainVersion, "go")
if semver.Compare(toolchainVersionSemver, minGoVersionSemver) < 0 {
fmt.Fprintf(os.Stderr, "Go version %q is too old; please upgrade to Go %s\n", toolchainVersionFull, suggestedGoVersion)
return false
}
// Ensure that the version of Go that built the garble binary is equal or
// newer than toolchainVersionSemver.
builtVersionFull := os.Getenv("GARBLE_TEST_GOVERSION")
if builtVersionFull == "" {
builtVersionFull = runtime.Version()
}
builtVersion := rxVersion.FindString(builtVersionFull)
if builtVersion == "" {
// If garble built itself, we don't know what Go version was used.
// Fall back to not performing the check against the toolchain version.
return true
}
builtVersionSemver := "v" + strings.TrimPrefix(builtVersion, "go")
if semver.Compare(builtVersionSemver, toolchainVersionSemver) < 0 {
fmt.Fprintf(os.Stderr, "garble was built with %q and is being used with %q; please rebuild garble with the newer version\n",
builtVersionFull, toolchainVersionFull)
Add go version validation (#136) Fixes https://github.com/burrowers/garble/issues/121
4 years ago
return false
}
return true
}
split main1 with a func returning an error
5 years ago
func mainErr(args []string) error {
if the seed is random and the build fails, print the seed (#213) Fixes #212
3 years ago
// If we recognize an argument, we're not running within -toolexec.
share a single temporary directory between all processes Each compile and link sub-process created its own temporary directory, to be cleaned up shortly after. Moreover, we also had the global gob-encoded temporary file. Instead, place all of those under a single, start-to-end temporary directory. This is cleaner for the end user, and easier to maintain for us. A big plus is that we can also get rid of the confusing deferred global, as it was mostly used to clean up these extra temp dirs. The only remaining use was post-compile code, which is now an explicit func returned by each "transform" func. While at it, clean up the math/rand seeding code a bit and add a debug log line, and stop shadowing a cmd string with a cmd *exec.Cmd. Fixes #147.
3 years ago
switch command, args := args[0], args[1:]; command {
clarify usage text, add help flags Also remove the -toolexec equivalent, as it's becoming longer now that we have GARBLE_DIR, and it might become out of date in the future again. We don't want users to assume it will work forever.
4 years ago
case "help":
always require one argument for "reverse" The "reverse" command had many levels of optional arguments: garble [garble flags] reverse [build flags] [package] [files] This was pretty confusing, and could easily lead to people running the command incorrectly: # note that output.txt isn't a Go package! garble reverse output.txt Moreover, it made the handling of Go build flags pretty confusing. Should the command below work? garble reverse -tags=mytag It also made it easy to not notice that one must supply the main package to properly reverse some text that it produced, like a panic message. With the package path being implicit, one could mistakenly provide the wrong package by running garble in a directory containing a different package. See #394.
3 years ago
if hasHelpFlag(args) || len(args) > 1 {
fmt.Fprintf(os.Stderr, "usage: garble help [command]\n")
return errJustExit(2)
}
if len(args) == 1 {
return mainErr([]string{args[0], "-h"})
make "help" refuse arguments for now Since they are otherwise silently ignored.
3 years ago
}
make "garble command -h" give command-specific help Before, "garble build -h" would print the same as "garble -h", which is too much and confusing, as it doesn't tell us much about "build". Now it's far better, and includes the output of "go build -h": $ garble build -h usage: garble [garble flags] build [arguments] This command wraps "go build". Below is its help: usage: go build [-o output] [build flags] [packages] Run 'go help build' for details. We do the same for "garble reverse -h", since it doesn't wrap a Go tool command.
3 years ago
usage()
return errJustExit(2)
add a "version" command (#220) Mimicking "go version", this tells the user garble's own version. The code is exactly the same that is used for another tool written in Go, shfmt. It uses runtime/debug to fetch the module version embedded in binaries built by Go. For example: $ go get mvdan.cc/sh/v3/cmd/shfmt@latest $ shfmt -version v3.2.2 $ go get mvdan.cc/sh/v3/cmd/shfmt@master $ shfmt -version v3.3.0-0.dev.0.20210203135509-56c9918c980d Note that this will not work for a plain "go build" or "go install" after a "git clone", since in that case the Go tool can't know garble's own version via go.mod - since it's the current main module: $ go build $ ./garble version (devel) For the use case of the power user building from source directly, they are probably clever enough to tell us what git commit they are on, so this is not a big problem right now. It will also get better once golang/go#37475 is fixed in the future. Until then, if we need to do "release" builds locally, we can embed an explicit version into the binary via ldflags: $ go build -ldflags=-X=main.version=v1.2.3 $ ./garble version v1.2.3 Fixes #217.
3 years ago
case "version":
always require one argument for "reverse" The "reverse" command had many levels of optional arguments: garble [garble flags] reverse [build flags] [package] [files] This was pretty confusing, and could easily lead to people running the command incorrectly: # note that output.txt isn't a Go package! garble reverse output.txt Moreover, it made the handling of Go build flags pretty confusing. Should the command below work? garble reverse -tags=mytag It also made it easy to not notice that one must supply the main package to properly reverse some text that it produced, like a panic message. With the package path being implicit, one could mistakenly provide the wrong package by running garble in a directory containing a different package. See #394.
3 years ago
if hasHelpFlag(args) || len(args) > 0 {
fmt.Fprintf(os.Stderr, "usage: garble version\n")
return errJustExit(2)
include a "garble version" test (#221) Not sure why the last commit came with none. While at it, I noticed that the version command would ignore arguments. Error instead.
3 years ago
}
add a "version" command (#220) Mimicking "go version", this tells the user garble's own version. The code is exactly the same that is used for another tool written in Go, shfmt. It uses runtime/debug to fetch the module version embedded in binaries built by Go. For example: $ go get mvdan.cc/sh/v3/cmd/shfmt@latest $ shfmt -version v3.2.2 $ go get mvdan.cc/sh/v3/cmd/shfmt@master $ shfmt -version v3.3.0-0.dev.0.20210203135509-56c9918c980d Note that this will not work for a plain "go build" or "go install" after a "git clone", since in that case the Go tool can't know garble's own version via go.mod - since it's the current main module: $ go build $ ./garble version (devel) For the use case of the power user building from source directly, they are probably clever enough to tell us what git commit they are on, so this is not a big problem right now. It will also get better once golang/go#37475 is fixed in the future. Until then, if we need to do "release" builds locally, we can embed an explicit version into the binary via ldflags: $ go build -ldflags=-X=main.version=v1.2.3 $ ./garble version v1.2.3 Fixes #217.
3 years ago
// don't overwrite the version if it was set by -ldflags=-X
if info, ok := debug.ReadBuildInfo(); ok && version == "(devel)" {
mod := &info.Main
if mod.Replace != nil {
mod = mod.Replace
}
version = mod.Version
}
fmt.Println(version)
return nil
initial support for reversing panic output (#225) For now, this only implements reversing of exported names which are hashed with action IDs. Many other kinds of obfuscation, like positions and private names, are not yet implemented. Note that we don't document this new command yet on purpose, since it's not finished. Some other minor cleanups were done for future changes, such as making transformLineInfo into a method that also receives the original filename, and making header names more self-describing. Updates #5.
3 years ago
case "reverse":
return commandReverse(args)
fix and re-enable "garble test" (#268) With the many refactors building up to v0.1.0, we broke "garble test" as we no longer dealt with test packages well. Luckily, now that we can depend on TOOLEXEC_IMPORTPATH, we can support the test command again, as we can always figure out what package we're currently compiling, without having to track a "main" package. Note that one major pitfall there is test packages, where TOOLEXEC_IMPORTPATH does not agree with ImportPath from "go list -json". However, we can still work around that with a bit of glue code, which is also copiously documented. The second change necessary is to consider test packages private depending on whether their non-test package is private or not. This can be done via the ForTest field in "go list -json". The third change is to obfuscate "_testmain.go" files, which are the code-generated main functions which actually run tests. We used to not need to obfuscate them, since test function names are never obfuscated and we used to not obfuscate import paths at compilation time. Now we do rewrite import paths, so we must do that for "_testmain.go" too. The fourth change is to re-enable test.txt, and expand it with more sanity checks and edge cases. Finally, document "garble test" again. Fixes #241.
3 years ago
case "build", "test":
initial support for reversing panic output (#225) For now, this only implements reversing of exported names which are hashed with action IDs. Many other kinds of obfuscation, like positions and private names, are not yet implemented. Note that we don't document this new command yet on purpose, since it's not finished. Some other minor cleanups were done for future changes, such as making transformLineInfo into a method that also receives the original filename, and making header names more self-describing. Updates #5.
3 years ago
cmd, err := toolexecCmd(command, args)
Share data between processes via a shared file. (#192) Previously garble heavily used env vars to share data between processes. This also makes it easy to share complex data between processes. The complexity of main.go is considerably reduced.
4 years ago
if err != nil {
return err
complain when GOPRIVATE matches no packages This is important, because it would mean that we would obfuscate nothing. At best, it would be confusing; at worst, it could mislead the user into thinking the binary is obfuscated. Fixes #20. Updates #108.
4 years ago
}
introduce 'garble build' shortcut This way, the user doesn't need to remember to use flags like -a and -trimpath. Also because we might need more 'go build' flags in the future.
5 years ago
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
add -debug to aid in debugging (#431) Not really meant for end users, but they might still debug failures before filing bugs. We add the -debug flag itself, as well as machinery to deduplicate output lines. There are quite a lot of them otherwise, which aren't helpful and simply add noise. In the future, if we always want to output a debug log line, such as "choosing not to obfuscate here because X", we can simply insert the unique position string. Finally, turn all commented-out log.Printf calls to debugf. Improve a few log lines to be more human-friendly, and also add a few extras like how long it takes to load files. We can improve the logging further in the future. This seems like a good starting point.
3 years ago
debugf("calling via toolexec: %s", cmd)
split main1 with a func returning an error
5 years ago
return cmd.Run()
introduce 'garble build' shortcut This way, the user doesn't need to remember to use flags like -a and -trimpath. Also because we might need more 'go build' flags in the future.
5 years ago
}
share a single temporary directory between all processes Each compile and link sub-process created its own temporary directory, to be cleaned up shortly after. Moreover, we also had the global gob-encoded temporary file. Instead, place all of those under a single, start-to-end temporary directory. This is cleaner for the end user, and easier to maintain for us. A big plus is that we can also get rid of the confusing deferred global, as it was mostly used to clean up these extra temp dirs. The only remaining use was post-compile code, which is now an explicit func returned by each "transform" func. While at it, clean up the math/rand seeding code a bit and add a debug log line, and stop shadowing a cmd string with a cmd *exec.Cmd. Fixes #147.
3 years ago
start rejecting unknown non-tool commands
5 years ago
if !filepath.IsAbs(args[0]) {
// -toolexec gives us an absolute path to the tool binary to
// run, so this is most likely misuse of garble by a user.
return fmt.Errorf("unknown command: %q", args[0])
}
introduce 'garble build' shortcut This way, the user doesn't need to remember to use flags like -a and -trimpath. Also because we might need more 'go build' flags in the future.
5 years ago
share a single temporary directory between all processes Each compile and link sub-process created its own temporary directory, to be cleaned up shortly after. Moreover, we also had the global gob-encoded temporary file. Instead, place all of those under a single, start-to-end temporary directory. This is cleaner for the end user, and easier to maintain for us. A big plus is that we can also get rid of the confusing deferred global, as it was mostly used to clean up these extra temp dirs. The only remaining use was post-compile code, which is now an explicit func returned by each "transform" func. While at it, clean up the math/rand seeding code a bit and add a debug log line, and stop shadowing a cmd string with a cmd *exec.Cmd. Fixes #147.
3 years ago
// We're in a toolexec sub-process, not directly called by the user.
// Load the shared data and wrap the tool, like the compiler or linker.
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
if err := loadSharedCache(); err != nil {
Share data between processes via a shared file. (#192) Previously garble heavily used env vars to share data between processes. This also makes it easy to share complex data between processes. The complexity of main.go is considerably reduced.
4 years ago
return err
}
initial commit
5 years ago
_, tool := filepath.Split(args[0])
make the tool work on Windows, enable tests The tests required a few last tweaks to work on Windows.
5 years ago
if runtime.GOOS == "windows" {
tool = strings.TrimSuffix(tool, ".exe")
}
simplify globals, split hash.go (#191) The previous globals worked, but were unnecessarily complex. For example, we passed the fromPath variable around, but it's really a static global, since we only compile or link a single package in each Go process. Use such global variables instead of passing them around, which currently include the package's import path, its build ID, and its import config path. Also split all the hashing and build ID code into hash.go, since that's a relatively well contained 200 lines of code that doesn't need to make main.go any bigger. We also split the code to alter Go's own version to a separate function, so that it can be moved out of main.go as well.
4 years ago
if len(args) == 2 && args[1] == "-V=full" {
return alterToolVersion(tool, args)
}
refactor "current package" with TOOLEXEC_IMPORTPATH (#266) Now that we've dropped support for Go 1.15.x, we can finally rely on this environment variable for toolexec calls, present in Go 1.16. Before, we had hacky ways of trying to figure out the current package's import path, mostly from the -p flag. The biggest rough edge there was that, for main packages, that was simply the package name, and not its full import path. To work around that, we had a restriction on a single main package, so we could work around that issue. That restriction is now gone. The new code is simpler, especially because we can set curPkg in a single place for all toolexec transform funcs. Since we can always rely on curPkg not being nil now, we can also start reusing listedPackage.Private and avoid the majority of repeated calls to isPrivate. The function is cheap, but still not free. isPrivate itself can also get simpler. We no longer have to worry about the "main" edge case. Plus, the sanity check for invalid package paths is now unnecessary; we only got malformed paths from goobj2, and we now require exact matches with the ImportPath field from "go list -json". Another effect of clearing up the "main" edge case is that -debugdir now uses the right directory for main packages. We also start using consistent debugdir paths in the tests, for the sake of being easier to read and maintain. Finally, note that commandReverse did not need the extra call to "go list -toolexec", as the "shared" call stored in the cache is enough. We still call toolexecCmd to get said cache, which should probably be simplified in a future PR. While at it, replace the use of the "-std" compiler flag with the Standard field from "go list -json".
3 years ago
toolexecImportPath := os.Getenv("TOOLEXEC_IMPORTPATH")
fix and re-enable "garble test" (#268) With the many refactors building up to v0.1.0, we broke "garble test" as we no longer dealt with test packages well. Luckily, now that we can depend on TOOLEXEC_IMPORTPATH, we can support the test command again, as we can always figure out what package we're currently compiling, without having to track a "main" package. Note that one major pitfall there is test packages, where TOOLEXEC_IMPORTPATH does not agree with ImportPath from "go list -json". However, we can still work around that with a bit of glue code, which is also copiously documented. The second change necessary is to consider test packages private depending on whether their non-test package is private or not. This can be done via the ForTest field in "go list -json". The third change is to obfuscate "_testmain.go" files, which are the code-generated main functions which actually run tests. We used to not need to obfuscate them, since test function names are never obfuscated and we used to not obfuscate import paths at compilation time. Now we do rewrite import paths, so we must do that for "_testmain.go" too. The fourth change is to re-enable test.txt, and expand it with more sanity checks and edge cases. Finally, document "garble test" again. Fixes #241.
3 years ago
refactor "current package" with TOOLEXEC_IMPORTPATH (#266) Now that we've dropped support for Go 1.15.x, we can finally rely on this environment variable for toolexec calls, present in Go 1.16. Before, we had hacky ways of trying to figure out the current package's import path, mostly from the -p flag. The biggest rough edge there was that, for main packages, that was simply the package name, and not its full import path. To work around that, we had a restriction on a single main package, so we could work around that issue. That restriction is now gone. The new code is simpler, especially because we can set curPkg in a single place for all toolexec transform funcs. Since we can always rely on curPkg not being nil now, we can also start reusing listedPackage.Private and avoid the majority of repeated calls to isPrivate. The function is cheap, but still not free. isPrivate itself can also get simpler. We no longer have to worry about the "main" edge case. Plus, the sanity check for invalid package paths is now unnecessary; we only got malformed paths from goobj2, and we now require exact matches with the ImportPath field from "go list -json". Another effect of clearing up the "main" edge case is that -debugdir now uses the right directory for main packages. We also start using consistent debugdir paths in the tests, for the sake of being easier to read and maintain. Finally, note that commandReverse did not need the extra call to "go list -toolexec", as the "shared" call stored in the cache is enough. We still call toolexecCmd to get said cache, which should probably be simplified in a future PR. While at it, replace the use of the "-std" compiler flag with the Standard field from "go list -json".
3 years ago
curPkg = cache.ListedPackages[toolexecImportPath]
if curPkg == nil {
return fmt.Errorf("TOOLEXEC_IMPORTPATH not found in listed packages: %s", toolexecImportPath)
}
simplify the main code flow somewhat We don't really care about tools other than "compile" and "link". Stop trying to keep a complete list. Use "if err := f(); err != nil {" where it makes sense. Simplify some declarations, and use a better variable name than "fW".
4 years ago
transform := transformFuncs[tool]
initial commit
5 years ago
transformed := args[1:]
make the tool work on Windows, enable tests The tests required a few last tweaks to work on Windows.
5 years ago
if transform != nil {
add -debug to aid in debugging (#431) Not really meant for end users, but they might still debug failures before filing bugs. We add the -debug flag itself, as well as machinery to deduplicate output lines. There are quite a lot of them otherwise, which aren't helpful and simply add noise. In the future, if we always want to output a debug log line, such as "choosing not to obfuscate here because X", we can simply insert the unique position string. Finally, turn all commented-out log.Printf calls to debugf. Improve a few log lines to be more human-friendly, and also add a few extras like how long it takes to load files. We can improve the logging further in the future. This seems like a good starting point.
3 years ago
startTime := time.Now()
debugf("transforming %s with args: %s", tool, strings.Join(transformed, " "))
garbling imported packages starts being supported
5 years ago
var err error
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
if transformed, err = transform(transformed); err != nil {
split main1 with a func returning an error
5 years ago
return err
initial commit
5 years ago
}
add -debug to aid in debugging (#431) Not really meant for end users, but they might still debug failures before filing bugs. We add the -debug flag itself, as well as machinery to deduplicate output lines. There are quite a lot of them otherwise, which aren't helpful and simply add noise. In the future, if we always want to output a debug log line, such as "choosing not to obfuscate here because X", we can simply insert the unique position string. Finally, turn all commented-out log.Printf calls to debugf. Improve a few log lines to be more human-friendly, and also add a few extras like how long it takes to load files. We can improve the logging further in the future. This seems like a good starting point.
3 years ago
debugf("transformed args for %s in %s: %s", tool, debugSince(startTime), strings.Join(transformed, " "))
} else {
debugf("skipping transform on %s with args: %s", tool, strings.Join(transformed, " "))
initial commit
5 years ago
}
cmd := exec.Command(args[0], transformed...)
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
if err := cmd.Run(); err != nil {
split main1 with a func returning an error
5 years ago
return err
initial commit
5 years ago
}
split main1 with a func returning an error
5 years ago
return nil
initial commit
5 years ago
}
make "garble command -h" give command-specific help Before, "garble build -h" would print the same as "garble -h", which is too much and confusing, as it doesn't tell us much about "build". Now it's far better, and includes the output of "go build -h": $ garble build -h usage: garble [garble flags] build [arguments] This command wraps "go build". Below is its help: usage: go build [-o output] [build flags] [packages] Run 'go help build' for details. We do the same for "garble reverse -h", since it doesn't wrap a Go tool command.
3 years ago
func hasHelpFlag(flags []string) bool {
for _, f := range flags {
switch f {
case "-h", "-help", "--help":
return true
}
}
return false
}
initial support for reversing panic output (#225) For now, this only implements reversing of exported names which are hashed with action IDs. Many other kinds of obfuscation, like positions and private names, are not yet implemented. Note that we don't document this new command yet on purpose, since it's not finished. Some other minor cleanups were done for future changes, such as making transformLineInfo into a method that also receives the original filename, and making header names more self-describing. Updates #5.
3 years ago
// toolexecCmd builds an *exec.Cmd which is set up for running "go <command>"
// with -toolexec=garble and the supplied arguments.
//
// Note that it uses and modifies global state; in general, it should only be
// called once from mainErr in the top-level garble process.
func toolexecCmd(command string, args []string) (*exec.Cmd, error) {
// Split the flags from the package arguments, since we'll need
// to run 'go list' on the same set of packages.
flags, args := splitFlagsFromArgs(args)
make "garble command -h" give command-specific help Before, "garble build -h" would print the same as "garble -h", which is too much and confusing, as it doesn't tell us much about "build". Now it's far better, and includes the output of "go build -h": $ garble build -h usage: garble [garble flags] build [arguments] This command wraps "go build". Below is its help: usage: go build [-o output] [build flags] [packages] Run 'go help build' for details. We do the same for "garble reverse -h", since it doesn't wrap a Go tool command.
3 years ago
if hasHelpFlag(flags) {
out, _ := exec.Command("go", command, "-h").CombinedOutput()
fmt.Fprintf(os.Stderr, `
usage: garble [garble flags] %s [arguments]
This command wraps "go %s". Below is its help:
%s`[1:], command, command, out)
return nil, errJustExit(2)
initial support for reversing panic output (#225) For now, this only implements reversing of exported names which are hashed with action IDs. Many other kinds of obfuscation, like positions and private names, are not yet implemented. Note that we don't document this new command yet on purpose, since it's not finished. Some other minor cleanups were done for future changes, such as making transformLineInfo into a method that also receives the original filename, and making header names more self-describing. Updates #5.
3 years ago
}
give a useful error for "garble build -tiny" We've had confused users a handful of times by now. And it's reasonable to expect flags to be after the command, as that's how flags work for cmd/go itself. I don't think we want to mix our flags with Go's, or start accepting flags in either place. Both seem like worse solutions long-term, as they can add confusion. However, we can quickly give a useful hint when a flag is misplaced. That should get new users unblocked without asking for help. We use a regular expression for this purpose, because it doesn't seem like a FlagSet supports what we need; to detect whether an argument is one of our flags, without actually applying its value to the flagset. Our flagset would also error on Go's flags, which we don't want.
3 years ago
for _, flag := range flags {
if rxGarbleFlag.MatchString(flag) {
return nil, fmt.Errorf("garble flags must precede command, like: garble %s build ./pkg", flag)
}
}
initial support for reversing panic output (#225) For now, this only implements reversing of exported names which are hashed with action IDs. Many other kinds of obfuscation, like positions and private names, are not yet implemented. Note that we don't document this new command yet on purpose, since it's not finished. Some other minor cleanups were done for future changes, such as making transformLineInfo into a method that also receives the original filename, and making header names more self-describing. Updates #5.
3 years ago
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
// Here is the only place we initialize the cache.
// The sub-processes will parse it from a shared gob file.
unify the definition and storage of flag values The parent garble process parses the original flags, as provided by the user via the command line. Previously, those got stored in the shared cache file, so that child processes spawned by toolexec could see them. Unfortunately, this made the code relatively easy to misuse. A child process would always see flagLiterals as zero value, given that it should never see such a flag argument directly. Similarly, one would have to be careful with cached options, as they could only be consumed after the cache file is loaded. Simplify the situation by deduplicating the storage of flags. Now, the parent passes all flags onto children via toolexec. One exception is GarbleDir, which now becomes an env var. This seems in line with other top-level dirs like GARBLE_SHARED. Finally, we turn -seed into a flag.Value, which lets us implement its "set" behavior as part of flag.Parse. Overall, we barely reduce the amount of code involved, but we certainly remove a couple of footguns. As part of the cleanup, we also introduce appendFlags.
3 years ago
cache = &sharedCache{}
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
initial support for reversing panic output (#225) For now, this only implements reversing of exported names which are hashed with action IDs. Many other kinds of obfuscation, like positions and private names, are not yet implemented. Note that we don't document this new command yet on purpose, since it's not finished. Some other minor cleanups were done for future changes, such as making transformLineInfo into a method that also receives the original filename, and making header names more self-describing. Updates #5.
3 years ago
// Note that we also need to pass build flags to 'go list', such
// as -tags.
fail if we are unexpectedly overwriting files (#418) While investigating a bug report, I noticed that garble was writing to the same temp file twice. At best, writing to the same path on disk twice is wasteful, as the design is careful to be deterministic and use unique paths. At worst, the two writes could cause races at the filesystem level. To prevent either of those situations, we now create files with os.OpenFile and os.O_EXCL, meaning that we will error if the file already exists. That change uncovered a number of such unintended cases. First, transformAsm would write obfuscated Go files twice. This is because the Go toolchain actually runs: [...]/asm -gensymabis [...] foo.s bar.s [...]/asm [...] foo.s bar.s That is, the first run is only meant to generate symbol ABIs, which are then used by the compiler. We need to obfuscate at that first stage, because the symbol ABI descriptions need to use obfuscated names. However, having already obfuscated the assembly on the first stage, there is no need to do so again on the second stage. If we detect gensymabis is missing, we simply reuse the previous files. This first situation doesn't seem racy, but obfuscating the Go assembly files twice is certainly unnecessary. Second, saveKnownReflectAPIs wrote a gob file to the build cache. Since the build cache can be kept between builds, and since the build cache uses reproducible paths for each build, running the same "garble build" twice could overwrite those files. This could actually cause races at the filesystem level; if two concurrent builds write to the same gob file on disk, one of them could end up using a partially-written file. Note that this is the only of the three cases not using temporary files. As such, it is expected that the file may already exist. In such a case, we simply avoid overwriting it rather than failing. Third, when "garble build -a" was used, and when we needed an export file not listed in importcfg, we would end up calling roughly: go list -export -toolexec=garble -a <dependency> This meant we would re-build and re-obfuscate those packages. Which is unfortunate, because the parent process already did via: go build -toolexec=garble -a <main> The repeated dependency builds tripped the new os.O_EXCL check, as we would try to overwrite the same obfuscated Go files. Beyond being wasteful, this could again cause subtle filesystem races. To fix the problem, avoid passing flags like "-a" to nested go commands. Overall, we should likely be using safer ways to write to disk, be it via either atomic writes or locked files. However, for now, catching duplicate writes is a big step. I have left a self-assigned TODO for further improvements. CI on the pull request found a failure on test-gotip. The failure reproduces on master, so it seems to be related to gotip, and not a regression introduced by this change. For now, disable test-gotip until we can investigate.
3 years ago
cache.ForwardBuildFlags, _ = filterForwardBuildFlags(flags)
initial support for reversing panic output (#225) For now, this only implements reversing of exported names which are hashed with action IDs. Many other kinds of obfuscation, like positions and private names, are not yet implemented. Note that we don't document this new command yet on purpose, since it's not finished. Some other minor cleanups were done for future changes, such as making transformLineInfo into a method that also receives the original filename, and making header names more self-describing. Updates #5.
3 years ago
if command == "test" {
fail if we are unexpectedly overwriting files (#418) While investigating a bug report, I noticed that garble was writing to the same temp file twice. At best, writing to the same path on disk twice is wasteful, as the design is careful to be deterministic and use unique paths. At worst, the two writes could cause races at the filesystem level. To prevent either of those situations, we now create files with os.OpenFile and os.O_EXCL, meaning that we will error if the file already exists. That change uncovered a number of such unintended cases. First, transformAsm would write obfuscated Go files twice. This is because the Go toolchain actually runs: [...]/asm -gensymabis [...] foo.s bar.s [...]/asm [...] foo.s bar.s That is, the first run is only meant to generate symbol ABIs, which are then used by the compiler. We need to obfuscate at that first stage, because the symbol ABI descriptions need to use obfuscated names. However, having already obfuscated the assembly on the first stage, there is no need to do so again on the second stage. If we detect gensymabis is missing, we simply reuse the previous files. This first situation doesn't seem racy, but obfuscating the Go assembly files twice is certainly unnecessary. Second, saveKnownReflectAPIs wrote a gob file to the build cache. Since the build cache can be kept between builds, and since the build cache uses reproducible paths for each build, running the same "garble build" twice could overwrite those files. This could actually cause races at the filesystem level; if two concurrent builds write to the same gob file on disk, one of them could end up using a partially-written file. Note that this is the only of the three cases not using temporary files. As such, it is expected that the file may already exist. In such a case, we simply avoid overwriting it rather than failing. Third, when "garble build -a" was used, and when we needed an export file not listed in importcfg, we would end up calling roughly: go list -export -toolexec=garble -a <dependency> This meant we would re-build and re-obfuscate those packages. Which is unfortunate, because the parent process already did via: go build -toolexec=garble -a <main> The repeated dependency builds tripped the new os.O_EXCL check, as we would try to overwrite the same obfuscated Go files. Beyond being wasteful, this could again cause subtle filesystem races. To fix the problem, avoid passing flags like "-a" to nested go commands. Overall, we should likely be using safer ways to write to disk, be it via either atomic writes or locked files. However, for now, catching duplicate writes is a big step. I have left a self-assigned TODO for further improvements. CI on the pull request found a failure on test-gotip. The failure reproduces on master, so it seems to be related to gotip, and not a regression introduced by this change. For now, disable test-gotip until we can investigate.
3 years ago
cache.ForwardBuildFlags = append(cache.ForwardBuildFlags, "-test")
initial support for reversing panic output (#225) For now, this only implements reversing of exported names which are hashed with action IDs. Many other kinds of obfuscation, like positions and private names, are not yet implemented. Note that we don't document this new command yet on purpose, since it's not finished. Some other minor cleanups were done for future changes, such as making transformLineInfo into a method that also receives the original filename, and making header names more self-describing. Updates #5.
3 years ago
}
use "go env -json" to collect env info all at once In the worst case scenario, when GOPRIVATE isn't set at all, we would run these three commands: * "go env GOPRIVATE", to fetch GOPRIVATE itself * "go list -m", for GOPRIVATE's fallback * "go version", to check the version of Go being used Now that we support Go 1.16 and later, all these three can be obtained via "go env -json": $ go env -json GOPRIVATE GOMOD GOVERSION { "GOMOD": "/home/mvdan/src/garble/go.mod", "GOPRIVATE": "", "GOVERSION": "go1.16.3" } Note that we don't get the module path directly, but we can use the x/mod/modfile Go API to parse it from the GOMOD file cheaply. Notably, this also simplifies our Go version checking logic, as now we get just the version string without the "go version" prefix and "GOOS/GOARCH" suffix we don't care about. This makes our code a bit more maintainable and robust. When running a short incremental build, we can also see a small speed-up, as saving two "go" invocations can save a few milliseconds: name old time/op new time/op delta Build/Cache-8 168ms ± 0% 166ms ± 1% -1.26% (p=0.009 n=6+6) name old bin-B new bin-B delta Build/Cache-8 6.36M ± 0% 6.36M ± 0% +0.12% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build/Cache-8 222ms ± 2% 219ms ± 3% ~ (p=0.589 n=6+6) name old user-time/op new user-time/op delta Build/Cache-8 857ms ± 1% 846ms ± 1% -1.31% (p=0.041 n=6+6)
3 years ago
if err := fetchGoEnv(); err != nil {
initial support for reversing panic output (#225) For now, this only implements reversing of exported names which are hashed with action IDs. Many other kinds of obfuscation, like positions and private names, are not yet implemented. Note that we don't document this new command yet on purpose, since it's not finished. Some other minor cleanups were done for future changes, such as making transformLineInfo into a method that also receives the original filename, and making header names more self-describing. Updates #5.
3 years ago
return nil, err
}
use "go env -json" to collect env info all at once In the worst case scenario, when GOPRIVATE isn't set at all, we would run these three commands: * "go env GOPRIVATE", to fetch GOPRIVATE itself * "go list -m", for GOPRIVATE's fallback * "go version", to check the version of Go being used Now that we support Go 1.16 and later, all these three can be obtained via "go env -json": $ go env -json GOPRIVATE GOMOD GOVERSION { "GOMOD": "/home/mvdan/src/garble/go.mod", "GOPRIVATE": "", "GOVERSION": "go1.16.3" } Note that we don't get the module path directly, but we can use the x/mod/modfile Go API to parse it from the GOMOD file cheaply. Notably, this also simplifies our Go version checking logic, as now we get just the version string without the "go version" prefix and "GOOS/GOARCH" suffix we don't care about. This makes our code a bit more maintainable and robust. When running a short incremental build, we can also see a small speed-up, as saving two "go" invocations can save a few milliseconds: name old time/op new time/op delta Build/Cache-8 168ms ± 0% 166ms ± 1% -1.26% (p=0.009 n=6+6) name old bin-B new bin-B delta Build/Cache-8 6.36M ± 0% 6.36M ± 0% +0.12% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build/Cache-8 222ms ± 2% 219ms ± 3% ~ (p=0.589 n=6+6) name old user-time/op new user-time/op delta Build/Cache-8 857ms ± 1% 846ms ± 1% -1.31% (p=0.041 n=6+6)
3 years ago
if !goVersionOK() {
make "garble command -h" give command-specific help Before, "garble build -h" would print the same as "garble -h", which is too much and confusing, as it doesn't tell us much about "build". Now it's far better, and includes the output of "go build -h": $ garble build -h usage: garble [garble flags] build [arguments] This command wraps "go build". Below is its help: usage: go build [-o output] [build flags] [packages] Run 'go help build' for details. We do the same for "garble reverse -h", since it doesn't wrap a Go tool command.
3 years ago
return nil, errJustExit(1)
use "go env -json" to collect env info all at once In the worst case scenario, when GOPRIVATE isn't set at all, we would run these three commands: * "go env GOPRIVATE", to fetch GOPRIVATE itself * "go list -m", for GOPRIVATE's fallback * "go version", to check the version of Go being used Now that we support Go 1.16 and later, all these three can be obtained via "go env -json": $ go env -json GOPRIVATE GOMOD GOVERSION { "GOMOD": "/home/mvdan/src/garble/go.mod", "GOPRIVATE": "", "GOVERSION": "go1.16.3" } Note that we don't get the module path directly, but we can use the x/mod/modfile Go API to parse it from the GOMOD file cheaply. Notably, this also simplifies our Go version checking logic, as now we get just the version string without the "go version" prefix and "GOOS/GOARCH" suffix we don't care about. This makes our code a bit more maintainable and robust. When running a short incremental build, we can also see a small speed-up, as saving two "go" invocations can save a few milliseconds: name old time/op new time/op delta Build/Cache-8 168ms ± 0% 166ms ± 1% -1.26% (p=0.009 n=6+6) name old bin-B new bin-B delta Build/Cache-8 6.36M ± 0% 6.36M ± 0% +0.12% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build/Cache-8 222ms ± 2% 219ms ± 3% ~ (p=0.589 n=6+6) name old user-time/op new user-time/op delta Build/Cache-8 857ms ± 1% 846ms ± 1% -1.31% (p=0.041 n=6+6)
3 years ago
}
initial support for reversing panic output (#225) For now, this only implements reversing of exported names which are hashed with action IDs. Many other kinds of obfuscation, like positions and private names, are not yet implemented. Note that we don't document this new command yet on purpose, since it's not finished. Some other minor cleanups were done for future changes, such as making transformLineInfo into a method that also receives the original filename, and making header names more self-describing. Updates #5.
3 years ago
var err error
cache.ExecPath, err = os.Executable()
if err != nil {
return nil, err
}
ensure the runtime is built in a reproducible way We went to great lengths to ensure garble builds are reproducible. This includes how the tool itself works, as its behavior should be the same given the same inputs. However, we made one crucial mistake with the runtime package. It has go:linkname directives pointing at other packages, and some of those pointed packages aren't its dependencies. Imagine two scenarios where garble builds the runtime package: 1) We run "garble build runtime". The way we handle linkname directives calls listPackage on the target package, to obfuscate the target's import path and object name. However, since we only obtained build info of runtime and its deps, calls for some linknames such as listPackage("sync/atomic") will fail. The linkname directive will leave its target untouched. 2) We run "garble build std". Unlike the first scenario, all listPackage calls issued by runtime's linkname directives will succeed, so its linkname directive targets will be obfuscated. At best, this can result in inconsistent builds, depending on how the runtime package was built. At worst, the mismatching object names can result in errors at link time, if the target packages are actually used. The modified test reproduces the worst case scenario reliably, when the fix is reverted: > env GOCACHE=${WORK}/gocache-empty > garble build -a runtime > garble build -o=out_rebuild ./stdimporter [stderr] # test/main/stdimporter JZzQivnl.NtQJu0H3: relocation target JZzQivnl.iioHinYT not defined JZzQivnl.NtQJu0H3.func9: relocation target JZzQivnl.yz5z0NaH not defined JZzQivnl.(*ypvqhKiQ).String: relocation target JZzQivnl.eVciBQeI not defined JZzQivnl.(*ypvqhKiQ).PkgPath: relocation target JZzQivnl.eVciBQeI not defined [...] The fix consists of two steps. First, if we're building the runtime and listPackage fails on a package, that means we ran into scenario 1 above. To avoid the inconsistency, we fill ListedPackages with "go list [...] std". This means we'll always build runtime as described in scenario 2 above. Second, when building packages other than the runtime, we only allow listPackage to succeed if we're listing a dependency of the current package. This ensures we won't run into similar reproducibility bugs in the future. Finally, re-enable test-gotip on CI since this was the last test flake.
3 years ago
binaryBuildID, err := buildidOf(cache.ExecPath)
if err != nil {
return nil, err
}
cache.BinaryContentID = decodeHash(splitContentID(binaryBuildID))
slightly simplify how we deal with linknamed runtime deps Obfuscating the runtime only needs to list the linknamed packages, and doesn't need to know about their dependencies directly. Refactor the script to return a "flat" list that includes all packages we need, except those that we know the runtime already pulled in. This allows us to simplify the script and avoid passing -deps to cmd/go. Performance is unaffected, but I reckon it's worthwhile given how much we simplified the script. Longer term, it's also best to avoid using -deps when we don't need it, as cmd/go could avoid computing information we don't need. name old time/op new time/op delta Build/NoCache-16 1.68s ± 1% 1.68s ± 0% ~ (p=1.000 n=5+5) name old bin-B new bin-B delta Build/NoCache-16 6.72M ± 0% 6.72M ± 0% +0.01% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build/NoCache-16 1.88s ± 1% 1.89s ± 2% ~ (p=0.548 n=5+5) name old user-time/op new user-time/op delta Build/NoCache-16 19.9s ± 1% 19.8s ± 0% ~ (p=0.421 n=5+5)
2 years ago
if err := appendListedPackages(args, true); err != nil {
initial support for reversing panic output (#225) For now, this only implements reversing of exported names which are hashed with action IDs. Many other kinds of obfuscation, like positions and private names, are not yet implemented. Note that we don't document this new command yet on purpose, since it's not finished. Some other minor cleanups were done for future changes, such as making transformLineInfo into a method that also receives the original filename, and making header names more self-describing. Updates #5.
3 years ago
return nil, err
}
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
sharedTempDir, err = saveSharedCache()
initial support for reversing panic output (#225) For now, this only implements reversing of exported names which are hashed with action IDs. Many other kinds of obfuscation, like positions and private names, are not yet implemented. Note that we don't document this new command yet on purpose, since it's not finished. Some other minor cleanups were done for future changes, such as making transformLineInfo into a method that also receives the original filename, and making header names more self-describing. Updates #5.
3 years ago
if err != nil {
return nil, err
}
os.Setenv("GARBLE_SHARED", sharedTempDir)
defer os.Remove(sharedTempDir)
unify the definition and storage of flag values The parent garble process parses the original flags, as provided by the user via the command line. Previously, those got stored in the shared cache file, so that child processes spawned by toolexec could see them. Unfortunately, this made the code relatively easy to misuse. A child process would always see flagLiterals as zero value, given that it should never see such a flag argument directly. Similarly, one would have to be careful with cached options, as they could only be consumed after the cache file is loaded. Simplify the situation by deduplicating the storage of flags. Now, the parent passes all flags onto children via toolexec. One exception is GarbleDir, which now becomes an env var. This seems in line with other top-level dirs like GARBLE_SHARED. Finally, we turn -seed into a flag.Value, which lets us implement its "set" behavior as part of flag.Parse. Overall, we barely reduce the amount of code involved, but we certainly remove a couple of footguns. As part of the cleanup, we also introduce appendFlags.
3 years ago
wd, err := os.Getwd()
if err != nil {
return nil, err
}
os.Setenv("GARBLE_PARENT_WORK", wd)
if flagDebugDir != "" {
if !filepath.IsAbs(flagDebugDir) {
flagDebugDir = filepath.Join(wd, flagDebugDir)
}
minor code tidying up We don't need to nest the RemoveAll and MkdirAll calls for debugdir. Fill the string for -toolexec= when we actually append it to goArgs. Consistently use the objectString type alias. Remove unnecessary parameter names in transformFuncs. Unindent the code for switch variables by reversing the conditional.
2 years ago
if err := os.RemoveAll(flagDebugDir); err != nil {
return nil, fmt.Errorf("could not empty debugdir: %v", err)
}
if err := os.MkdirAll(flagDebugDir, 0o755); err != nil {
return nil, err
unify the definition and storage of flag values The parent garble process parses the original flags, as provided by the user via the command line. Previously, those got stored in the shared cache file, so that child processes spawned by toolexec could see them. Unfortunately, this made the code relatively easy to misuse. A child process would always see flagLiterals as zero value, given that it should never see such a flag argument directly. Similarly, one would have to be careful with cached options, as they could only be consumed after the cache file is loaded. Simplify the situation by deduplicating the storage of flags. Now, the parent passes all flags onto children via toolexec. One exception is GarbleDir, which now becomes an env var. This seems in line with other top-level dirs like GARBLE_SHARED. Finally, we turn -seed into a flag.Value, which lets us implement its "set" behavior as part of flag.Parse. Overall, we barely reduce the amount of code involved, but we certainly remove a couple of footguns. As part of the cleanup, we also introduce appendFlags.
3 years ago
}
}
initial support for reversing panic output (#225) For now, this only implements reversing of exported names which are hashed with action IDs. Many other kinds of obfuscation, like positions and private names, are not yet implemented. Note that we don't document this new command yet on purpose, since it's not finished. Some other minor cleanups were done for future changes, such as making transformLineInfo into a method that also receives the original filename, and making header names more self-describing. Updates #5.
3 years ago
goArgs := []string{
command,
"-trimpath",
all: drop support for Go 1.17 Now that we've released v0.6.0, that will be the last feature release to feature support for Go 1.17. The upcoming v0.7.0 will be Go 1.18+. Code-wise, the cleanup here isn't super noticeable, but it will be easier to work on features like VCS-aware version information and generics support without worrying about Go 1.17. Plus, now CI is back to being much faster. Note how "go 1.18" in go.mod makes "go mod tidy" more aggressive.
2 years ago
"-buildvcs=false",
update cmd/go flags for 1.18 As of 1.18beta1. I used bash commands like: diff -u <(go1.17.5 help build) <(gotip help build) While here, supply -buildinfo=false and -buildvcs=false to go build. We already remove that information by discarding the _gomod_.go file, but we might as well pass the flags too. If anything, it lets the toolchain avoid the work entirely. Note that we can't use these flags on Go 1.17 for now, though. Add a TODO that came to mind while writing this, too.
3 years ago
}
minor code tidying up We don't need to nest the RemoveAll and MkdirAll calls for debugdir. Fill the string for -toolexec= when we actually append it to goArgs. Consistently use the objectString type alias. Remove unnecessary parameter names in transformFuncs. Unindent the code for switch variables by reversing the conditional.
2 years ago
// Pass the garble flags down to each toolexec invocation.
// This way, all garble processes see the same flag values.
var toolexecFlag strings.Builder
toolexecFlag.WriteString("-toolexec=")
toolexecFlag.WriteString(cache.ExecPath)
appendFlags(&toolexecFlag, false)
update cmd/go flags for 1.18 As of 1.18beta1. I used bash commands like: diff -u <(go1.17.5 help build) <(gotip help build) While here, supply -buildinfo=false and -buildvcs=false to go build. We already remove that information by discarding the _gomod_.go file, but we might as well pass the flags too. If anything, it lets the toolchain avoid the work entirely. Note that we can't use these flags on Go 1.17 for now, though. Add a TODO that came to mind while writing this, too.
3 years ago
goArgs = append(goArgs, toolexecFlag.String())
minor code tidying up We don't need to nest the RemoveAll and MkdirAll calls for debugdir. Fill the string for -toolexec= when we actually append it to goArgs. Consistently use the objectString type alias. Remove unnecessary parameter names in transformFuncs. Unindent the code for switch variables by reversing the conditional.
2 years ago
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
if flagDebugDir != "" {
// In case the user deletes the debug directory,
// and a previous build is cached,
// rebuild all packages to re-fill the debug dir.
goArgs = append(goArgs, "-a")
}
initial support for reversing panic output (#225) For now, this only implements reversing of exported names which are hashed with action IDs. Many other kinds of obfuscation, like positions and private names, are not yet implemented. Note that we don't document this new command yet on purpose, since it's not finished. Some other minor cleanups were done for future changes, such as making transformLineInfo into a method that also receives the original filename, and making header names more self-describing. Updates #5.
3 years ago
if command == "test" {
use "obfuscate" instead of "garble" in some more places Mainly comments. "garble" refers to the tool, but the verb and adjective is more intuitive as "obfuscate" and "obfuscated" instead of "garble" and "garbled".
3 years ago
// vet is generally not useful on obfuscated code; keep it
initial support for reversing panic output (#225) For now, this only implements reversing of exported names which are hashed with action IDs. Many other kinds of obfuscation, like positions and private names, are not yet implemented. Note that we don't document this new command yet on purpose, since it's not finished. Some other minor cleanups were done for future changes, such as making transformLineInfo into a method that also receives the original filename, and making header names more self-describing. Updates #5.
3 years ago
// disabled by default.
goArgs = append(goArgs, "-vet=off")
}
goArgs = append(goArgs, flags...)
goArgs = append(goArgs, args...)
return exec.Command("go", goArgs...), nil
}
minor code tidying up We don't need to nest the RemoveAll and MkdirAll calls for debugdir. Fill the string for -toolexec= when we actually append it to goArgs. Consistently use the objectString type alias. Remove unnecessary parameter names in transformFuncs. Unindent the code for switch variables by reversing the conditional.
2 years ago
var transformFuncs = map[string]func([]string) ([]string, error){
replace the -p path when assembling (#247) The asm tool runs twice for a package with assembly. The second time it does, the path given to the -p flag matters, just like in the compiler, as we generate an object file. We don't have a -buildid flag in the asm tool, so obtaining the action ID to obfuscate the package path with is a bit tricky. We store it from transformCompile, and read it from transformAsm. See the detailed docs for more. This was the last "skip" line in the tests due to Go 1.16. After all PRs are merged, one last PR documenting that 1.16 is supported will be sent, closing the issue for good. It's unclear why this wasn't an issue in Go 1.15. My best guess is that the ABI changes only happened in Go 1.16, and this causes exported asm funcs to start showing up in object files with their package paths. Updates #124.
3 years ago
"asm": transformAsm,
start enforcing the link flags -w -s
5 years ago
"compile": transformCompile,
error if the user forgot -trimpath
5 years ago
"link": transformLink,
start enforcing the link flags -w -s
5 years ago
}
replace the -p path when assembling (#247) The asm tool runs twice for a package with assembly. The second time it does, the path given to the -p flag matters, just like in the compiler, as we generate an object file. We don't have a -buildid flag in the asm tool, so obtaining the action ID to obfuscate the package path with is a bit tricky. We store it from transformCompile, and read it from transformAsm. See the detailed docs for more. This was the last "skip" line in the tests due to Go 1.16. After all PRs are merged, one last PR documenting that 1.16 is supported will be sent, closing the issue for good. It's unclear why this wasn't an issue in Go 1.15. My best guess is that the ABI changes only happened in Go 1.16, and this causes exported asm funcs to start showing up in object files with their package paths. Updates #124.
3 years ago
func transformAsm(args []string) ([]string, error) {
deprecate using GOPRIVATE in favor of GOGARBLE (#427) Piggybacking off of GOPRIVATE is great for a number of reasons: * People tend to obfuscate private code, whose package paths will generally be in GOPRIVATE already * Its meaning and syntax are well understood * It allows all the flexibility we need without adding our own env var or config option However, using GOPRIVATE directly has one main drawback. It's fairly common to also want to obfuscate public dependencies, to make the code in private packages even harder to follow. However, using "GOPRIVATE=*" will result in two main downsides: * GONOPROXY defaults to GOPRIVATE, so the proxy would be entirely disabled. Downloading modules, such as when adding or updating dependencies, or when the local cache is cold, can be less reliable. * GONOSUMDB defaults to GOPRIVATE, so the sumdb would be entirely disabled. Adding entries to go.sum, such as when adding or updating dependencies, can be less secure. We will continue to consume GOPRIVATE as a fallback, but we now expect users to set GOGARBLE instead. The new logic is documented in the README. While here, rewrite some uses of "private" with "to obfuscate", to make the code easier to follow and harder to misunderstand. Fixes #276.
3 years ago
if !curPkg.ToObfuscate {
return args, nil // we're not obfuscating this package
obfuscate asm function names as well (#273) Historically, it was impossible to rename those funcs as the implementation was in assembly files, and we only transformed Go code. Now that transformAsm exists, it's only about fifty lines to do some very basic parsing and rewriting of assembly files. This fixes the obfuscated builds of multiple std packages, including a few dependencies of net/http, since they included assembly funcs which called pure Go functions. Those pure Go functions had their names obfuscated, breaking the call sites in assembly. Fixes #258. Fixes #261.
3 years ago
}
replace the -p path when assembling (#247) The asm tool runs twice for a package with assembly. The second time it does, the path given to the -p flag matters, just like in the compiler, as we generate an object file. We don't have a -buildid flag in the asm tool, so obtaining the action ID to obfuscate the package path with is a bit tricky. We store it from transformCompile, and read it from transformAsm. See the detailed docs for more. This was the last "skip" line in the tests due to Go 1.16. After all PRs are merged, one last PR documenting that 1.16 is supported will be sent, closing the issue for good. It's unclear why this wasn't an issue in Go 1.15. My best guess is that the ABI changes only happened in Go 1.16, and this causes exported asm funcs to start showing up in object files with their package paths. Updates #124.
3 years ago
flags, paths := splitFlagsFromFiles(args, ".s")
concentrate and simplify "to obfuscate" logic Back in the day, we used to call toObfuscate anytime we needed to know whether a package should be obfuscated. More recently, we started computing via the ToObfuscate field, which then gets shared with all sub-processes via sharedCache. We still had two places that directly called toObfuscate. Replace those with ToObfuscate, and inline toObfuscate into shared.go. obfuscatedImportPath is also a potential footgun for main packages. Some use cases always want the original "main" package name, such as for use in the compiler's "-p main" flag, while other cases want the obfuscated package import path, such as the entries in importcfg files. Since each of these call sites handles the edge case well, obfuscatedImportPath now panics on main packages to avoid any misuse. Finally, test that we never leak main package paths via ldflags.txt. We never did, but it's good to make sure. Overall, this avoids confusion and trims the size of main.go a bit.
2 years ago
// When assembling, the import path can make its way into the output object file.
if curPkg.Name != "main" {
refactor "current package" with TOOLEXEC_IMPORTPATH (#266) Now that we've dropped support for Go 1.15.x, we can finally rely on this environment variable for toolexec calls, present in Go 1.16. Before, we had hacky ways of trying to figure out the current package's import path, mostly from the -p flag. The biggest rough edge there was that, for main packages, that was simply the package name, and not its full import path. To work around that, we had a restriction on a single main package, so we could work around that issue. That restriction is now gone. The new code is simpler, especially because we can set curPkg in a single place for all toolexec transform funcs. Since we can always rely on curPkg not being nil now, we can also start reusing listedPackage.Private and avoid the majority of repeated calls to isPrivate. The function is cheap, but still not free. isPrivate itself can also get simpler. We no longer have to worry about the "main" edge case. Plus, the sanity check for invalid package paths is now unnecessary; we only got malformed paths from goobj2, and we now require exact matches with the ImportPath field from "go list -json". Another effect of clearing up the "main" edge case is that -debugdir now uses the right directory for main packages. We also start using consistent debugdir paths in the tests, for the sake of being easier to read and maintain. Finally, note that commandReverse did not need the extra call to "go list -toolexec", as the "shared" call stored in the cache is enough. We still call toolexecCmd to get said cache, which should probably be simplified in a future PR. While at it, replace the use of the "-std" compiler flag with the Standard field from "go list -json".
3 years ago
flags = flagSetValue(flags, "-p", curPkg.obfuscatedImportPath())
replace the -p path when assembling (#247) The asm tool runs twice for a package with assembly. The second time it does, the path given to the -p flag matters, just like in the compiler, as we generate an object file. We don't have a -buildid flag in the asm tool, so obtaining the action ID to obfuscate the package path with is a bit tricky. We store it from transformCompile, and read it from transformAsm. See the detailed docs for more. This was the last "skip" line in the tests due to Go 1.16. After all PRs are merged, one last PR documenting that 1.16 is supported will be sent, closing the issue for good. It's unclear why this wasn't an issue in Go 1.15. My best guess is that the ABI changes only happened in Go 1.16, and this causes exported asm funcs to start showing up in object files with their package paths. Updates #124.
3 years ago
}
remove unused code spotted by -coverprofile Remove some asthelper APIs that haven't been used for some time. They can be recovered from the git history if needed again. One type assertion in the literals package is always true. Embedded field objects are handled near the top of transformGo, so the extra !obj.Embedded() check was always true. Remove it. We always obfuscate standalone funcs now, so the obfuscatedTypesPackage check is no longer necessary. This was necessary when we used to not obfuscate func names when they were used in linkname directives. The workaround for test package imports in obfuscatedTypesPackage I had to add a few commits ago no longer seems to be necessary. This might be thanks to the simplification with functions in the paragraph just above. It's impossible to run garble without -trimpath nowadays, as we error before the build even starts: $ go build -toolexec=garble go tool compile: exit status 1 cannot open shared file, this is most likely due to not running "garble [command]" When run as "garble build", the trimpath flag is always set. So the check in alterTrimpath never triggers anymore, and couldn't be tested. Finally, simplify the handling of comment syntax in printFile, and add a few TODOs for other code paths not covered by our existing tests. Total code coverage is up from 90.3% to 91.0%.
3 years ago
flags = alterTrimpath(flags)
avoid reproducibility issues with full rebuilds We were using temporary filenames for modified Go and assembly files. For example, an obfuscated "encoding/json/encode.go" would end up as: /tmp/garble-shared123/encode.go.456.go where "123" and "456" are random numbers, usually longer. This was usually fine for two reasons: 1) We would add "/tmp/garble-shared123/" to -trimpath, so the temporary directory and its random number would be invisible. 2) We would add "//line" directives to the source files, replacing the filename with obfuscated versions excluding any random number. Unfortunately, this broke in multiple ways. Most notably, assembly files do not have any line directives, and it's not clear that there's any support for them. So the random number in their basename could end up in the binary, breaking reproducibility. Another issue is that the -trimpath addition described above was only done for cmd/compile, not cmd/asm, so assembly filenames included the randomized temporary directory. To fix the issues above, the same "encoding/json/encode.go" would now end up as: /tmp/garble-shared123/encoding/json/encode.go Such a path is still unique even though the "456" random number is gone, as import paths are unique within a single build. This fixes issues with the base name of each file, so we no longer rely on line directives as the only way to remove the second original random number. We still rely on -trimpath to get rid of the temporary directory in filenames. To fix its problem with assembly files, also amend the -trimpath flag when running the assembler tool. Finally, add a test that reproducible builds still work when a full rebuild is done. We choose goprivate.txt for such a test as its stdimporter package imports a number of std packages, including uses of assembly and cgo. For the time being, we don't use such a "full rebuild" reproducibility test in other test scripts, as this step is expensive, rebuilding many packages from scratch. This issue went unnoticed for over a year because such random numbers "123" and "456" were created when a package was obfuscated, and that only happened once per package version as long as the build cache was kept intact. When clearing the build cache, or forcing a rebuild with -a, one gets new random numbers, and thus a different binary resulting from the same build input. That's not something that most users would do regularly, and our tests did not cover that edge case either, until now. Fixes #328.
3 years ago
fail if we are unexpectedly overwriting files (#418) While investigating a bug report, I noticed that garble was writing to the same temp file twice. At best, writing to the same path on disk twice is wasteful, as the design is careful to be deterministic and use unique paths. At worst, the two writes could cause races at the filesystem level. To prevent either of those situations, we now create files with os.OpenFile and os.O_EXCL, meaning that we will error if the file already exists. That change uncovered a number of such unintended cases. First, transformAsm would write obfuscated Go files twice. This is because the Go toolchain actually runs: [...]/asm -gensymabis [...] foo.s bar.s [...]/asm [...] foo.s bar.s That is, the first run is only meant to generate symbol ABIs, which are then used by the compiler. We need to obfuscate at that first stage, because the symbol ABI descriptions need to use obfuscated names. However, having already obfuscated the assembly on the first stage, there is no need to do so again on the second stage. If we detect gensymabis is missing, we simply reuse the previous files. This first situation doesn't seem racy, but obfuscating the Go assembly files twice is certainly unnecessary. Second, saveKnownReflectAPIs wrote a gob file to the build cache. Since the build cache can be kept between builds, and since the build cache uses reproducible paths for each build, running the same "garble build" twice could overwrite those files. This could actually cause races at the filesystem level; if two concurrent builds write to the same gob file on disk, one of them could end up using a partially-written file. Note that this is the only of the three cases not using temporary files. As such, it is expected that the file may already exist. In such a case, we simply avoid overwriting it rather than failing. Third, when "garble build -a" was used, and when we needed an export file not listed in importcfg, we would end up calling roughly: go list -export -toolexec=garble -a <dependency> This meant we would re-build and re-obfuscate those packages. Which is unfortunate, because the parent process already did via: go build -toolexec=garble -a <main> The repeated dependency builds tripped the new os.O_EXCL check, as we would try to overwrite the same obfuscated Go files. Beyond being wasteful, this could again cause subtle filesystem races. To fix the problem, avoid passing flags like "-a" to nested go commands. Overall, we should likely be using safer ways to write to disk, be it via either atomic writes or locked files. However, for now, catching duplicate writes is a big step. I have left a self-assigned TODO for further improvements. CI on the pull request found a failure on test-gotip. The failure reproduces on master, so it seems to be related to gotip, and not a regression introduced by this change. For now, disable test-gotip until we can investigate.
3 years ago
// If the assembler is running just for -gensymabis,
// don't obfuscate the source, as we are not assembling yet.
// The assembler will run again later; obfuscating twice is just wasteful.
symabis := false
for _, arg := range args {
if arg == "-gensymabis" {
symabis = true
break
}
}
newPaths := make([]string, 0, len(paths))
if !symabis {
var newPaths []string
for _, path := range paths {
name := filepath.Base(path)
pkgDir := filepath.Join(sharedTempDir, filepath.FromSlash(curPkg.ImportPath))
newPath := filepath.Join(pkgDir, name)
newPaths = append(newPaths, newPath)
}
return append(flags, newPaths...), nil
}
obfuscate asm function names as well (#273) Historically, it was impossible to rename those funcs as the implementation was in assembly files, and we only transformed Go code. Now that transformAsm exists, it's only about fifty lines to do some very basic parsing and rewriting of assembly files. This fixes the obfuscated builds of multiple std packages, including a few dependencies of net/http, since they included assembly funcs which called pure Go functions. Those pure Go functions had their names obfuscated, breaking the call sites in assembly. Fixes #258. Fixes #261.
3 years ago
// We need to replace all function references with their obfuscated name
// counterparts.
// Luckily, all func names in Go assembly files are immediately followed
// by the unicode "middle dot", like:
//
// TEXT ·privateAdd(SB),$0-24
const middleDot = '·'
middleDotLen := utf8.RuneLen(middleDot)
for _, path := range paths {
// Read the entire file into memory.
// If we find issues with large files, we can use bufio.
all: replace uses of the deprecated ioutil Now that we require Go 1.16, we can simplify code by removing ioutil.
3 years ago
content, err := os.ReadFile(path)
obfuscate asm function names as well (#273) Historically, it was impossible to rename those funcs as the implementation was in assembly files, and we only transformed Go code. Now that transformAsm exists, it's only about fifty lines to do some very basic parsing and rewriting of assembly files. This fixes the obfuscated builds of multiple std packages, including a few dependencies of net/http, since they included assembly funcs which called pure Go functions. Those pure Go functions had their names obfuscated, breaking the call sites in assembly. Fixes #258. Fixes #261.
3 years ago
if err != nil {
return nil, err
}
// Find all middle-dot names, and replace them.
remaining := content
var buf bytes.Buffer
for {
i := bytes.IndexRune(remaining, middleDot)
if i < 0 {
buf.Write(remaining)
remaining = nil
break
}
fix windows/arm cross-build linking Obfuscating some std packages for windows/arm triggered a bug; when encountering a call to runtime·memmove, we'd hash "memmove" with the current package's action ID. This is wrong on two levels: First, we aren't obfuscating the runtime package yet. And second, if we did, we would have to hash the symbol appropriately, with that package's action ID. For now, only hashing the local names does the trick. That's all that the code currently supports, anyway.
3 years ago
// We want to replace "OP ·foo" and "OP $·foo",
// but not "OP somepkg·foo" just yet.
// "somepkg" is often runtime, syscall, etc.
// We don't obfuscate any of those for now.
//
// TODO: we'll likely need to deal with this
// when we start obfuscating the runtime.
// When we do, note that we can't hash with curPkg.
localName := false
if i >= 0 {
switch remaining[i-1] {
case ' ', '\t', '$':
localName = true
}
}
i += middleDotLen
obfuscate asm function names as well (#273) Historically, it was impossible to rename those funcs as the implementation was in assembly files, and we only transformed Go code. Now that transformAsm exists, it's only about fifty lines to do some very basic parsing and rewriting of assembly files. This fixes the obfuscated builds of multiple std packages, including a few dependencies of net/http, since they included assembly funcs which called pure Go functions. Those pure Go functions had their names obfuscated, breaking the call sites in assembly. Fixes #258. Fixes #261.
3 years ago
buf.Write(remaining[:i])
remaining = remaining[i:]
// The name ends at the first rune which cannot be part
// of a Go identifier, such as a comma or space.
nameEnd := 0
for nameEnd < len(remaining) {
c, size := utf8.DecodeRune(remaining[nameEnd:])
if !unicode.IsLetter(c) && c != '_' && !unicode.IsDigit(c) {
break
}
nameEnd += size
}
name := string(remaining[:nameEnd])
remaining = remaining[nameEnd:]
fix windows/arm cross-build linking Obfuscating some std packages for windows/arm triggered a bug; when encountering a call to runtime·memmove, we'd hash "memmove" with the current package's action ID. This is wrong on two levels: First, we aren't obfuscating the runtime package yet. And second, if we did, we would have to hash the symbol appropriately, with that package's action ID. For now, only hashing the local names does the trick. That's all that the code currently supports, anyway.
3 years ago
if !localName {
buf.WriteString(name)
continue
}
make obfuscation fully deterministic with -seed The default behavior of garble is to seed via the build inputs, including the build IDs of the entire Go build of each package. This works well as a default, and does give us determinism, but it means that building for different platforms will result in different obfuscation per platform. Instead, when -seed is provided, don't use any other hash seed or salt. This means that a particular Go name will be obfuscated the same way as long as the seed, package path, and name itself remain constant. In other words, when the user supplies a custom -seed, we assume they know what they're doing in terms of storage and rotation. Expand the README docs with more examples and detail. Fixes #449.
2 years ago
newName := hashWithPackage(curPkg, name)
add -debug to aid in debugging (#431) Not really meant for end users, but they might still debug failures before filing bugs. We add the -debug flag itself, as well as machinery to deduplicate output lines. There are quite a lot of them otherwise, which aren't helpful and simply add noise. In the future, if we always want to output a debug log line, such as "choosing not to obfuscate here because X", we can simply insert the unique position string. Finally, turn all commented-out log.Printf calls to debugf. Improve a few log lines to be more human-friendly, and also add a few extras like how long it takes to load files. We can improve the logging further in the future. This seems like a good starting point.
3 years ago
debugf("asm name %q hashed with %x to %q", name, curPkg.GarbleActionID, newName)
obfuscate asm function names as well (#273) Historically, it was impossible to rename those funcs as the implementation was in assembly files, and we only transformed Go code. Now that transformAsm exists, it's only about fifty lines to do some very basic parsing and rewriting of assembly files. This fixes the obfuscated builds of multiple std packages, including a few dependencies of net/http, since they included assembly funcs which called pure Go functions. Those pure Go functions had their names obfuscated, breaking the call sites in assembly. Fixes #258. Fixes #261.
3 years ago
buf.WriteString(newName)
}
small improvements towards obfuscating the runtime I spent a couple of days trying to obfuscate all of std. Ultimately I failed at making it fully work, especially when it comes to the runtime package, but I did fix a few problems along the way, as seen here. First, fix the TODO to allow handleDirectives and transformGo to run on runtime packages as well, if they are considered private. Note that this is never true right now, but it matters once we remove runtimeRelated. Second, modify parsedebugvars in a way that doesn't break typechecking. We can remove AST nodes or even modify them in simple ways, but if we add new AST nodes after typechecking, those will lack type information. We were replacing the entire body, running into that problem. Instead, carefully cut the body to set some defaults, but remove everything from the point GODEBUG is read. Finally, add commented-out debug prints of transformed asm files. For #193.
3 years ago
// Uncomment for some quick debugging. Do not delete.
deprecate using GOPRIVATE in favor of GOGARBLE (#427) Piggybacking off of GOPRIVATE is great for a number of reasons: * People tend to obfuscate private code, whose package paths will generally be in GOPRIVATE already * Its meaning and syntax are well understood * It allows all the flexibility we need without adding our own env var or config option However, using GOPRIVATE directly has one main drawback. It's fairly common to also want to obfuscate public dependencies, to make the code in private packages even harder to follow. However, using "GOPRIVATE=*" will result in two main downsides: * GONOPROXY defaults to GOPRIVATE, so the proxy would be entirely disabled. Downloading modules, such as when adding or updating dependencies, or when the local cache is cold, can be less reliable. * GONOSUMDB defaults to GOPRIVATE, so the sumdb would be entirely disabled. Adding entries to go.sum, such as when adding or updating dependencies, can be less secure. We will continue to consume GOPRIVATE as a fallback, but we now expect users to set GOGARBLE instead. The new logic is documented in the README. While here, rewrite some uses of "private" with "to obfuscate", to make the code easier to follow and harder to misunderstand. Fixes #276.
3 years ago
// if curPkg.ToObfuscate {
small improvements towards obfuscating the runtime I spent a couple of days trying to obfuscate all of std. Ultimately I failed at making it fully work, especially when it comes to the runtime package, but I did fix a few problems along the way, as seen here. First, fix the TODO to allow handleDirectives and transformGo to run on runtime packages as well, if they are considered private. Note that this is never true right now, but it matters once we remove runtimeRelated. Second, modify parsedebugvars in a way that doesn't break typechecking. We can remove AST nodes or even modify them in simple ways, but if we add new AST nodes after typechecking, those will lack type information. We were replacing the entire body, running into that problem. Instead, carefully cut the body to set some defaults, but remove everything from the point GODEBUG is read. Finally, add commented-out debug prints of transformed asm files. For #193.
3 years ago
// fmt.Fprintf(os.Stderr, "\n-- %s --\n%s", path, buf.Bytes())
// }
avoid reproducibility issues with full rebuilds We were using temporary filenames for modified Go and assembly files. For example, an obfuscated "encoding/json/encode.go" would end up as: /tmp/garble-shared123/encode.go.456.go where "123" and "456" are random numbers, usually longer. This was usually fine for two reasons: 1) We would add "/tmp/garble-shared123/" to -trimpath, so the temporary directory and its random number would be invisible. 2) We would add "//line" directives to the source files, replacing the filename with obfuscated versions excluding any random number. Unfortunately, this broke in multiple ways. Most notably, assembly files do not have any line directives, and it's not clear that there's any support for them. So the random number in their basename could end up in the binary, breaking reproducibility. Another issue is that the -trimpath addition described above was only done for cmd/compile, not cmd/asm, so assembly filenames included the randomized temporary directory. To fix the issues above, the same "encoding/json/encode.go" would now end up as: /tmp/garble-shared123/encoding/json/encode.go Such a path is still unique even though the "456" random number is gone, as import paths are unique within a single build. This fixes issues with the base name of each file, so we no longer rely on line directives as the only way to remove the second original random number. We still rely on -trimpath to get rid of the temporary directory in filenames. To fix its problem with assembly files, also amend the -trimpath flag when running the assembler tool. Finally, add a test that reproducible builds still work when a full rebuild is done. We choose goprivate.txt for such a test as its stdimporter package imports a number of std packages, including uses of assembly and cgo. For the time being, we don't use such a "full rebuild" reproducibility test in other test scripts, as this step is expensive, rebuilding many packages from scratch. This issue went unnoticed for over a year because such random numbers "123" and "456" were created when a package was obfuscated, and that only happened once per package version as long as the build cache was kept intact. When clearing the build cache, or forcing a rebuild with -a, one gets new random numbers, and thus a different binary resulting from the same build input. That's not something that most users would do regularly, and our tests did not cover that edge case either, until now. Fixes #328.
3 years ago
name := filepath.Base(path)
if path, err := writeTemp(name, buf.Bytes()); err != nil {
obfuscate asm function names as well (#273) Historically, it was impossible to rename those funcs as the implementation was in assembly files, and we only transformed Go code. Now that transformAsm exists, it's only about fifty lines to do some very basic parsing and rewriting of assembly files. This fixes the obfuscated builds of multiple std packages, including a few dependencies of net/http, since they included assembly funcs which called pure Go functions. Those pure Go functions had their names obfuscated, breaking the call sites in assembly. Fixes #258. Fixes #261.
3 years ago
return nil, err
add a writeTemp helper func We had two nearly identical copies of the code to open a temp file with CreateTemp, write to it, and handle closing properly. Unify them. With the added docs this isn't exactly a net win, but we want the long funcs such as transformCompile to be easy to follow, and this helps.
3 years ago
} else {
newPaths = append(newPaths, path)
obfuscate asm function names as well (#273) Historically, it was impossible to rename those funcs as the implementation was in assembly files, and we only transformed Go code. Now that transformAsm exists, it's only about fifty lines to do some very basic parsing and rewriting of assembly files. This fixes the obfuscated builds of multiple std packages, including a few dependencies of net/http, since they included assembly funcs which called pure Go functions. Those pure Go functions had their names obfuscated, breaking the call sites in assembly. Fixes #258. Fixes #261.
3 years ago
}
add a writeTemp helper func We had two nearly identical copies of the code to open a temp file with CreateTemp, write to it, and handle closing properly. Unify them. With the added docs this isn't exactly a net win, but we want the long funcs such as transformCompile to be easy to follow, and this helps.
3 years ago
}
obfuscate asm function names as well (#273) Historically, it was impossible to rename those funcs as the implementation was in assembly files, and we only transformed Go code. Now that transformAsm exists, it's only about fifty lines to do some very basic parsing and rewriting of assembly files. This fixes the obfuscated builds of multiple std packages, including a few dependencies of net/http, since they included assembly funcs which called pure Go functions. Those pure Go functions had their names obfuscated, breaking the call sites in assembly. Fixes #258. Fixes #261.
3 years ago
add a writeTemp helper func We had two nearly identical copies of the code to open a temp file with CreateTemp, write to it, and handle closing properly. Unify them. With the added docs this isn't exactly a net win, but we want the long funcs such as transformCompile to be easy to follow, and this helps.
3 years ago
return append(flags, newPaths...), nil
}
obfuscate asm function names as well (#273) Historically, it was impossible to rename those funcs as the implementation was in assembly files, and we only transformed Go code. Now that transformAsm exists, it's only about fifty lines to do some very basic parsing and rewriting of assembly files. This fixes the obfuscated builds of multiple std packages, including a few dependencies of net/http, since they included assembly funcs which called pure Go functions. Those pure Go functions had their names obfuscated, breaking the call sites in assembly. Fixes #258. Fixes #261.
3 years ago
add a writeTemp helper func We had two nearly identical copies of the code to open a temp file with CreateTemp, write to it, and handle closing properly. Unify them. With the added docs this isn't exactly a net win, but we want the long funcs such as transformCompile to be easy to follow, and this helps.
3 years ago
// writeTemp is a mix between os.CreateTemp and os.WriteFile, as it writes a
avoid reproducibility issues with full rebuilds We were using temporary filenames for modified Go and assembly files. For example, an obfuscated "encoding/json/encode.go" would end up as: /tmp/garble-shared123/encode.go.456.go where "123" and "456" are random numbers, usually longer. This was usually fine for two reasons: 1) We would add "/tmp/garble-shared123/" to -trimpath, so the temporary directory and its random number would be invisible. 2) We would add "//line" directives to the source files, replacing the filename with obfuscated versions excluding any random number. Unfortunately, this broke in multiple ways. Most notably, assembly files do not have any line directives, and it's not clear that there's any support for them. So the random number in their basename could end up in the binary, breaking reproducibility. Another issue is that the -trimpath addition described above was only done for cmd/compile, not cmd/asm, so assembly filenames included the randomized temporary directory. To fix the issues above, the same "encoding/json/encode.go" would now end up as: /tmp/garble-shared123/encoding/json/encode.go Such a path is still unique even though the "456" random number is gone, as import paths are unique within a single build. This fixes issues with the base name of each file, so we no longer rely on line directives as the only way to remove the second original random number. We still rely on -trimpath to get rid of the temporary directory in filenames. To fix its problem with assembly files, also amend the -trimpath flag when running the assembler tool. Finally, add a test that reproducible builds still work when a full rebuild is done. We choose goprivate.txt for such a test as its stdimporter package imports a number of std packages, including uses of assembly and cgo. For the time being, we don't use such a "full rebuild" reproducibility test in other test scripts, as this step is expensive, rebuilding many packages from scratch. This issue went unnoticed for over a year because such random numbers "123" and "456" were created when a package was obfuscated, and that only happened once per package version as long as the build cache was kept intact. When clearing the build cache, or forcing a rebuild with -a, one gets new random numbers, and thus a different binary resulting from the same build input. That's not something that most users would do regularly, and our tests did not cover that edge case either, until now. Fixes #328.
3 years ago
// named source file in sharedTempDir given an input buffer.
add a writeTemp helper func We had two nearly identical copies of the code to open a temp file with CreateTemp, write to it, and handle closing properly. Unify them. With the added docs this isn't exactly a net win, but we want the long funcs such as transformCompile to be easy to follow, and this helps.
3 years ago
//
avoid reproducibility issues with full rebuilds We were using temporary filenames for modified Go and assembly files. For example, an obfuscated "encoding/json/encode.go" would end up as: /tmp/garble-shared123/encode.go.456.go where "123" and "456" are random numbers, usually longer. This was usually fine for two reasons: 1) We would add "/tmp/garble-shared123/" to -trimpath, so the temporary directory and its random number would be invisible. 2) We would add "//line" directives to the source files, replacing the filename with obfuscated versions excluding any random number. Unfortunately, this broke in multiple ways. Most notably, assembly files do not have any line directives, and it's not clear that there's any support for them. So the random number in their basename could end up in the binary, breaking reproducibility. Another issue is that the -trimpath addition described above was only done for cmd/compile, not cmd/asm, so assembly filenames included the randomized temporary directory. To fix the issues above, the same "encoding/json/encode.go" would now end up as: /tmp/garble-shared123/encoding/json/encode.go Such a path is still unique even though the "456" random number is gone, as import paths are unique within a single build. This fixes issues with the base name of each file, so we no longer rely on line directives as the only way to remove the second original random number. We still rely on -trimpath to get rid of the temporary directory in filenames. To fix its problem with assembly files, also amend the -trimpath flag when running the assembler tool. Finally, add a test that reproducible builds still work when a full rebuild is done. We choose goprivate.txt for such a test as its stdimporter package imports a number of std packages, including uses of assembly and cgo. For the time being, we don't use such a "full rebuild" reproducibility test in other test scripts, as this step is expensive, rebuilding many packages from scratch. This issue went unnoticed for over a year because such random numbers "123" and "456" were created when a package was obfuscated, and that only happened once per package version as long as the build cache was kept intact. When clearing the build cache, or forcing a rebuild with -a, one gets new random numbers, and thus a different binary resulting from the same build input. That's not something that most users would do regularly, and our tests did not cover that edge case either, until now. Fixes #328.
3 years ago
// Note that the file is created under a directory tree following curPkg's
// import path, mimicking how files are laid out in modules and GOROOT.
add a writeTemp helper func We had two nearly identical copies of the code to open a temp file with CreateTemp, write to it, and handle closing properly. Unify them. With the added docs this isn't exactly a net win, but we want the long funcs such as transformCompile to be easy to follow, and this helps.
3 years ago
func writeTemp(name string, content []byte) (string, error) {
avoid reproducibility issues with full rebuilds We were using temporary filenames for modified Go and assembly files. For example, an obfuscated "encoding/json/encode.go" would end up as: /tmp/garble-shared123/encode.go.456.go where "123" and "456" are random numbers, usually longer. This was usually fine for two reasons: 1) We would add "/tmp/garble-shared123/" to -trimpath, so the temporary directory and its random number would be invisible. 2) We would add "//line" directives to the source files, replacing the filename with obfuscated versions excluding any random number. Unfortunately, this broke in multiple ways. Most notably, assembly files do not have any line directives, and it's not clear that there's any support for them. So the random number in their basename could end up in the binary, breaking reproducibility. Another issue is that the -trimpath addition described above was only done for cmd/compile, not cmd/asm, so assembly filenames included the randomized temporary directory. To fix the issues above, the same "encoding/json/encode.go" would now end up as: /tmp/garble-shared123/encoding/json/encode.go Such a path is still unique even though the "456" random number is gone, as import paths are unique within a single build. This fixes issues with the base name of each file, so we no longer rely on line directives as the only way to remove the second original random number. We still rely on -trimpath to get rid of the temporary directory in filenames. To fix its problem with assembly files, also amend the -trimpath flag when running the assembler tool. Finally, add a test that reproducible builds still work when a full rebuild is done. We choose goprivate.txt for such a test as its stdimporter package imports a number of std packages, including uses of assembly and cgo. For the time being, we don't use such a "full rebuild" reproducibility test in other test scripts, as this step is expensive, rebuilding many packages from scratch. This issue went unnoticed for over a year because such random numbers "123" and "456" were created when a package was obfuscated, and that only happened once per package version as long as the build cache was kept intact. When clearing the build cache, or forcing a rebuild with -a, one gets new random numbers, and thus a different binary resulting from the same build input. That's not something that most users would do regularly, and our tests did not cover that edge case either, until now. Fixes #328.
3 years ago
pkgDir := filepath.Join(sharedTempDir, filepath.FromSlash(curPkg.ImportPath))
if err := os.MkdirAll(pkgDir, 0o777); err != nil {
add a writeTemp helper func We had two nearly identical copies of the code to open a temp file with CreateTemp, write to it, and handle closing properly. Unify them. With the added docs this isn't exactly a net win, but we want the long funcs such as transformCompile to be easy to follow, and this helps.
3 years ago
return "", err
}
avoid reproducibility issues with full rebuilds We were using temporary filenames for modified Go and assembly files. For example, an obfuscated "encoding/json/encode.go" would end up as: /tmp/garble-shared123/encode.go.456.go where "123" and "456" are random numbers, usually longer. This was usually fine for two reasons: 1) We would add "/tmp/garble-shared123/" to -trimpath, so the temporary directory and its random number would be invisible. 2) We would add "//line" directives to the source files, replacing the filename with obfuscated versions excluding any random number. Unfortunately, this broke in multiple ways. Most notably, assembly files do not have any line directives, and it's not clear that there's any support for them. So the random number in their basename could end up in the binary, breaking reproducibility. Another issue is that the -trimpath addition described above was only done for cmd/compile, not cmd/asm, so assembly filenames included the randomized temporary directory. To fix the issues above, the same "encoding/json/encode.go" would now end up as: /tmp/garble-shared123/encoding/json/encode.go Such a path is still unique even though the "456" random number is gone, as import paths are unique within a single build. This fixes issues with the base name of each file, so we no longer rely on line directives as the only way to remove the second original random number. We still rely on -trimpath to get rid of the temporary directory in filenames. To fix its problem with assembly files, also amend the -trimpath flag when running the assembler tool. Finally, add a test that reproducible builds still work when a full rebuild is done. We choose goprivate.txt for such a test as its stdimporter package imports a number of std packages, including uses of assembly and cgo. For the time being, we don't use such a "full rebuild" reproducibility test in other test scripts, as this step is expensive, rebuilding many packages from scratch. This issue went unnoticed for over a year because such random numbers "123" and "456" were created when a package was obfuscated, and that only happened once per package version as long as the build cache was kept intact. When clearing the build cache, or forcing a rebuild with -a, one gets new random numbers, and thus a different binary resulting from the same build input. That's not something that most users would do regularly, and our tests did not cover that edge case either, until now. Fixes #328.
3 years ago
dstPath := filepath.Join(pkgDir, name)
fail if we are unexpectedly overwriting files (#418) While investigating a bug report, I noticed that garble was writing to the same temp file twice. At best, writing to the same path on disk twice is wasteful, as the design is careful to be deterministic and use unique paths. At worst, the two writes could cause races at the filesystem level. To prevent either of those situations, we now create files with os.OpenFile and os.O_EXCL, meaning that we will error if the file already exists. That change uncovered a number of such unintended cases. First, transformAsm would write obfuscated Go files twice. This is because the Go toolchain actually runs: [...]/asm -gensymabis [...] foo.s bar.s [...]/asm [...] foo.s bar.s That is, the first run is only meant to generate symbol ABIs, which are then used by the compiler. We need to obfuscate at that first stage, because the symbol ABI descriptions need to use obfuscated names. However, having already obfuscated the assembly on the first stage, there is no need to do so again on the second stage. If we detect gensymabis is missing, we simply reuse the previous files. This first situation doesn't seem racy, but obfuscating the Go assembly files twice is certainly unnecessary. Second, saveKnownReflectAPIs wrote a gob file to the build cache. Since the build cache can be kept between builds, and since the build cache uses reproducible paths for each build, running the same "garble build" twice could overwrite those files. This could actually cause races at the filesystem level; if two concurrent builds write to the same gob file on disk, one of them could end up using a partially-written file. Note that this is the only of the three cases not using temporary files. As such, it is expected that the file may already exist. In such a case, we simply avoid overwriting it rather than failing. Third, when "garble build -a" was used, and when we needed an export file not listed in importcfg, we would end up calling roughly: go list -export -toolexec=garble -a <dependency> This meant we would re-build and re-obfuscate those packages. Which is unfortunate, because the parent process already did via: go build -toolexec=garble -a <main> The repeated dependency builds tripped the new os.O_EXCL check, as we would try to overwrite the same obfuscated Go files. Beyond being wasteful, this could again cause subtle filesystem races. To fix the problem, avoid passing flags like "-a" to nested go commands. Overall, we should likely be using safer ways to write to disk, be it via either atomic writes or locked files. However, for now, catching duplicate writes is a big step. I have left a self-assigned TODO for further improvements. CI on the pull request found a failure on test-gotip. The failure reproduces on master, so it seems to be related to gotip, and not a regression introduced by this change. For now, disable test-gotip until we can investigate.
3 years ago
if err := writeFileExclusive(dstPath, content); err != nil {
add a writeTemp helper func We had two nearly identical copies of the code to open a temp file with CreateTemp, write to it, and handle closing properly. Unify them. With the added docs this isn't exactly a net win, but we want the long funcs such as transformCompile to be easy to follow, and this helps.
3 years ago
return "", err
}
avoid reproducibility issues with full rebuilds We were using temporary filenames for modified Go and assembly files. For example, an obfuscated "encoding/json/encode.go" would end up as: /tmp/garble-shared123/encode.go.456.go where "123" and "456" are random numbers, usually longer. This was usually fine for two reasons: 1) We would add "/tmp/garble-shared123/" to -trimpath, so the temporary directory and its random number would be invisible. 2) We would add "//line" directives to the source files, replacing the filename with obfuscated versions excluding any random number. Unfortunately, this broke in multiple ways. Most notably, assembly files do not have any line directives, and it's not clear that there's any support for them. So the random number in their basename could end up in the binary, breaking reproducibility. Another issue is that the -trimpath addition described above was only done for cmd/compile, not cmd/asm, so assembly filenames included the randomized temporary directory. To fix the issues above, the same "encoding/json/encode.go" would now end up as: /tmp/garble-shared123/encoding/json/encode.go Such a path is still unique even though the "456" random number is gone, as import paths are unique within a single build. This fixes issues with the base name of each file, so we no longer rely on line directives as the only way to remove the second original random number. We still rely on -trimpath to get rid of the temporary directory in filenames. To fix its problem with assembly files, also amend the -trimpath flag when running the assembler tool. Finally, add a test that reproducible builds still work when a full rebuild is done. We choose goprivate.txt for such a test as its stdimporter package imports a number of std packages, including uses of assembly and cgo. For the time being, we don't use such a "full rebuild" reproducibility test in other test scripts, as this step is expensive, rebuilding many packages from scratch. This issue went unnoticed for over a year because such random numbers "123" and "456" were created when a package was obfuscated, and that only happened once per package version as long as the build cache was kept intact. When clearing the build cache, or forcing a rebuild with -a, one gets new random numbers, and thus a different binary resulting from the same build input. That's not something that most users would do regularly, and our tests did not cover that edge case either, until now. Fixes #328.
3 years ago
return dstPath, nil
replace the -p path when assembling (#247) The asm tool runs twice for a package with assembly. The second time it does, the path given to the -p flag matters, just like in the compiler, as we generate an object file. We don't have a -buildid flag in the asm tool, so obtaining the action ID to obfuscate the package path with is a bit tricky. We store it from transformCompile, and read it from transformAsm. See the detailed docs for more. This was the last "skip" line in the tests due to Go 1.16. After all PRs are merged, one last PR documenting that 1.16 is supported will be sent, closing the issue for good. It's unclear why this wasn't an issue in Go 1.15. My best guess is that the ABI changes only happened in Go 1.16, and this causes exported asm funcs to start showing up in object files with their package paths. Updates #124.
3 years ago
}
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
func transformCompile(args []string) ([]string, error) {
add seed flag to control how builds are reproducible Fixes #26.
4 years ago
var err error
garbling imported packages starts being supported
5 years ago
flags, paths := splitFlagsFromFiles(args, ".go")
always use the compiler's -dwarf=false flag (#96) First, our original append line was completely ineffective; we never used that "flags" slice again. Second, we only attempted to use the flag when we obfuscated a package. In fact, we never care about debugging information here, so for any package we compile, we can add "-dwarf=false". At the moment, we compile all packages, even if they aren't to be obfuscated, due to the lack of access to the build cache. As such, we save a significant amount of work. The numbers below were obtained on a quiet machine with "go test -bench=. -benchtime=10x", six times before and after the change. name old time/op new time/op delta Build-8 2.06s ± 4% 1.87s ± 2% -9.21% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 1.51s ± 2% 1.46s ± 1% -3.12% (p=0.004 n=6+5) name old user-time/op new user-time/op delta Build-8 11.9s ± 2% 10.8s ± 1% -8.71% (p=0.002 n=6+6) While at it, only do CI builds on pushes and PRs to the master branch, so that my PRs created from the same repo don't trigger duplicate builds.
4 years ago
// We will force the linker to drop DWARF via -w, so don't spend time
// generating it.
flags = append(flags, "-dwarf=false")
allow garble to test itself With this patch, 'go install && garble test' works.
4 years ago
for i, path := range paths {
if filepath.Base(path) == "_gomod_.go" {
// never include module info
add a few TODOs with uncovered code that should not be This will hopefully give new contributors a place to start. Some of these, like verifying that the "help" commands work, will be relatively simple additions to our test scripts.
2 years ago
// TODO: this seems to no longer trigger for our tests?
allow garble to test itself With this patch, 'go install && garble test' works.
4 years ago
paths = append(paths[:i], paths[i+1:]...)
break
}
}
start enforcing the link flags -w -s
5 years ago
garbling imported packages starts being supported
5 years ago
var files []*ast.File
for _, path := range paths {
don't remove "//go:" compile directives For example, this broke cgo, since it uses go:linkname. Updates #12.
4 years ago
file, err := parser.ParseFile(fset, path, nil, parser.ParseComments)
garbling imported packages starts being supported
5 years ago
if err != nil {
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
return nil, err
garbling imported packages starts being supported
5 years ago
}
files = append(files, file)
}
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
tf := newTransformer()
if err := tf.typecheck(files); err != nil {
return nil, err
}
flags = alterTrimpath(flags)
fail if we are unexpectedly overwriting files (#418) While investigating a bug report, I noticed that garble was writing to the same temp file twice. At best, writing to the same path on disk twice is wasteful, as the design is careful to be deterministic and use unique paths. At worst, the two writes could cause races at the filesystem level. To prevent either of those situations, we now create files with os.OpenFile and os.O_EXCL, meaning that we will error if the file already exists. That change uncovered a number of such unintended cases. First, transformAsm would write obfuscated Go files twice. This is because the Go toolchain actually runs: [...]/asm -gensymabis [...] foo.s bar.s [...]/asm [...] foo.s bar.s That is, the first run is only meant to generate symbol ABIs, which are then used by the compiler. We need to obfuscate at that first stage, because the symbol ABI descriptions need to use obfuscated names. However, having already obfuscated the assembly on the first stage, there is no need to do so again on the second stage. If we detect gensymabis is missing, we simply reuse the previous files. This first situation doesn't seem racy, but obfuscating the Go assembly files twice is certainly unnecessary. Second, saveKnownReflectAPIs wrote a gob file to the build cache. Since the build cache can be kept between builds, and since the build cache uses reproducible paths for each build, running the same "garble build" twice could overwrite those files. This could actually cause races at the filesystem level; if two concurrent builds write to the same gob file on disk, one of them could end up using a partially-written file. Note that this is the only of the three cases not using temporary files. As such, it is expected that the file may already exist. In such a case, we simply avoid overwriting it rather than failing. Third, when "garble build -a" was used, and when we needed an export file not listed in importcfg, we would end up calling roughly: go list -export -toolexec=garble -a <dependency> This meant we would re-build and re-obfuscate those packages. Which is unfortunate, because the parent process already did via: go build -toolexec=garble -a <main> The repeated dependency builds tripped the new os.O_EXCL check, as we would try to overwrite the same obfuscated Go files. Beyond being wasteful, this could again cause subtle filesystem races. To fix the problem, avoid passing flags like "-a" to nested go commands. Overall, we should likely be using safer ways to write to disk, be it via either atomic writes or locked files. However, for now, catching duplicate writes is a big step. I have left a self-assigned TODO for further improvements. CI on the pull request found a failure on test-gotip. The failure reproduces on master, so it seems to be related to gotip, and not a regression introduced by this change. For now, disable test-gotip until we can investigate.
3 years ago
// Note that if the file already exists in the cache from another build,
// we don't need to write to it again thanks to the hash.
// TODO: as an optimization, just load that one gob file.
stop relying on nested "go list -toolexec" calls (#422) We rely on importcfg files to load type info for obfuscated packages. We use this type information to remember what names we didn't obfuscate. Unfortunately, indirect dependencies aren't listed in importcfg files, so we relied on extra "go list -toolexec" calls to locate object files. This worked fine, but added a significant amount of complexity. The extra "go list -export -toolexec=garble" invocations weren't slow, as they avoided rebuilding or re-obfuscating thanks to the build cache. Still, it was hard to reason about how garble runs during a build if we might have multiple layers of -toolexec invocations. Instead, record the export files we encounter in an incremental map, and persist it in the build cache via the gob file we're already using. This way, each garble invocation knows where all object files are, even those for indirect imports. One wrinkle is that importcfg files can point to temporary object files. In that case, figure out its final location in the build cache. This requires hard-coding a bit of knowledge about how GOCACHE works, but it seems relatively harmless given how it's very little code. Plus, if GOCACHE ever changes, it will be obvious when our code breaks. Finally, add a TODO about potentially saving even more work.
3 years ago
if err := loadCachedOutputs(); err != nil {
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
return nil, err
}
stop relying on nested "go list -toolexec" calls (#422) We rely on importcfg files to load type info for obfuscated packages. We use this type information to remember what names we didn't obfuscate. Unfortunately, indirect dependencies aren't listed in importcfg files, so we relied on extra "go list -toolexec" calls to locate object files. This worked fine, but added a significant amount of complexity. The extra "go list -export -toolexec=garble" invocations weren't slow, as they avoided rebuilding or re-obfuscating thanks to the build cache. Still, it was hard to reason about how garble runs during a build if we might have multiple layers of -toolexec invocations. Instead, record the export files we encounter in an incremental map, and persist it in the build cache via the gob file we're already using. This way, each garble invocation knows where all object files are, even those for indirect imports. One wrinkle is that importcfg files can point to temporary object files. In that case, figure out its final location in the build cache. This requires hard-coding a bit of knowledge about how GOCACHE works, but it seems relatively harmless given how it's very little code. Plus, if GOCACHE ever changes, it will be obvious when our code breaks. Finally, add a TODO about potentially saving even more work.
3 years ago
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
tf.findReflectFunctions(files)
stop relying on nested "go list -toolexec" calls (#422) We rely on importcfg files to load type info for obfuscated packages. We use this type information to remember what names we didn't obfuscate. Unfortunately, indirect dependencies aren't listed in importcfg files, so we relied on extra "go list -toolexec" calls to locate object files. This worked fine, but added a significant amount of complexity. The extra "go list -export -toolexec=garble" invocations weren't slow, as they avoided rebuilding or re-obfuscating thanks to the build cache. Still, it was hard to reason about how garble runs during a build if we might have multiple layers of -toolexec invocations. Instead, record the export files we encounter in an incremental map, and persist it in the build cache via the gob file we're already using. This way, each garble invocation knows where all object files are, even those for indirect imports. One wrinkle is that importcfg files can point to temporary object files. In that case, figure out its final location in the build cache. This requires hard-coding a bit of knowledge about how GOCACHE works, but it seems relatively harmless given how it's very little code. Plus, if GOCACHE ever changes, it will be obvious when our code breaks. Finally, add a TODO about potentially saving even more work.
3 years ago
newImportCfg, err := processImportCfg(flags)
if err != nil {
return nil, err
}
use hashWith for obfuscation position information Position information was obfuscated with math/rand manually, which meant that the resulting positions were pretty small like "x.go:34", but they were also very hard to reverse due to their short length and difficulty to reproduce. We now hash them with hashWith and the package's GarbleActionID: "main.go:203" hashed with 933ad1c700755b7c3a9913c55cade1 to "mwu1xuNz.go" The input to the hash is the base filename and the byte offset of the declaration within the file, meaning that it's unique within a package. The output filename is long enough to allow easy reversal. The line number is always 1, since the information needed for reversing is contained entirely within the filename. It doesn't really matter if we encode data in the filename or line number, but it's easier for us to use a string. For #5.
3 years ago
// Literal obfuscation uses math/rand, so seed it deterministically.
make obfuscation fully deterministic with -seed The default behavior of garble is to seed via the build inputs, including the build IDs of the entire Go build of each package. This works well as a default, and does give us determinism, but it means that building for different platforms will result in different obfuscation per platform. Instead, when -seed is provided, don't use any other hash seed or salt. This means that a particular Go name will be obfuscated the same way as long as the seed, package path, and name itself remain constant. In other words, when the user supplies a custom -seed, we assume they know what they're doing in terms of storage and rotation. Expand the README docs with more examples and detail. Fixes #449.
2 years ago
randSeed := curPkg.GarbleActionID
if flagSeed.present() {
randSeed = flagSeed.bytes
add seed flag to control how builds are reproducible Fixes #26.
4 years ago
}
add -debug to aid in debugging (#431) Not really meant for end users, but they might still debug failures before filing bugs. We add the -debug flag itself, as well as machinery to deduplicate output lines. There are quite a lot of them otherwise, which aren't helpful and simply add noise. In the future, if we always want to output a debug log line, such as "choosing not to obfuscate here because X", we can simply insert the unique position string. Finally, turn all commented-out log.Printf calls to debugf. Improve a few log lines to be more human-friendly, and also add a few extras like how long it takes to load files. We can improve the logging further in the future. This seems like a good starting point.
3 years ago
// debugf("seeding math/rand with %x\n", randSeed)
share a single temporary directory between all processes Each compile and link sub-process created its own temporary directory, to be cleaned up shortly after. Moreover, we also had the global gob-encoded temporary file. Instead, place all of those under a single, start-to-end temporary directory. This is cleaner for the end user, and easier to maintain for us. A big plus is that we can also get rid of the confusing deferred global, as it was mostly used to clean up these extra temp dirs. The only remaining use was post-compile code, which is now an explicit func returned by each "transform" func. While at it, clean up the math/rand seeding code a bit and add a debug log line, and stop shadowing a cmd string with a cmd *exec.Cmd. Fixes #147.
3 years ago
mathrand.Seed(int64(binary.BigEndian.Uint64(randSeed)))
add seed flag to control how builds are reproducible Fixes #26.
4 years ago
add support for -ldflags using quotes In particular, using -ldflags with - In particular, a command like: garble -literals build -ldflags='-X "main.foo=foo bar"' would fail, because we would try to use "\"main" as the package name for the -X qualified name, with the leading quote character. This is because we used strings.Split(ldflags, " "). Instead, use the same quoted.Split that cmd/go uses, copied over thanks to x/tools/cmd/bundle and go:generate. Updates #492.
2 years ago
if err := tf.prefillObjectMaps(files); err != nil {
return nil, err
}
exclude identifiers used via reflection If reflect.TypeOf or reflect.ValueOf are used on a type declared in the same package, don't garble that type name or any of its fields. Fixes #15.
4 years ago
concentrate and simplify "to obfuscate" logic Back in the day, we used to call toObfuscate anytime we needed to know whether a package should be obfuscated. More recently, we started computing via the ToObfuscate field, which then gets shared with all sub-processes via sharedCache. We still had two places that directly called toObfuscate. Replace those with ToObfuscate, and inline toObfuscate into shared.go. obfuscatedImportPath is also a potential footgun for main packages. Some use cases always want the original "main" package name, such as for use in the compiler's "-p main" flag, while other cases want the obfuscated package import path, such as the entries in importcfg files. Since each of these call sites handles the edge case well, obfuscatedImportPath now panics on main packages to avoid any misuse. Finally, test that we never leak main package paths via ldflags.txt. We never did, but it's good to make sure. Overall, this avoids confusion and trims the size of main.go a bit.
2 years ago
// If this is a package to obfuscate, swap the -p flag with the new package path.
// We don't if it's the main package, as that just uses "-p main".
// We only set newPkgPath if we're obfuscating the import path,
// to replace the original package name in the package clause below.
refactor "current package" with TOOLEXEC_IMPORTPATH (#266) Now that we've dropped support for Go 1.15.x, we can finally rely on this environment variable for toolexec calls, present in Go 1.16. Before, we had hacky ways of trying to figure out the current package's import path, mostly from the -p flag. The biggest rough edge there was that, for main packages, that was simply the package name, and not its full import path. To work around that, we had a restriction on a single main package, so we could work around that issue. That restriction is now gone. The new code is simpler, especially because we can set curPkg in a single place for all toolexec transform funcs. Since we can always rely on curPkg not being nil now, we can also start reusing listedPackage.Private and avoid the majority of repeated calls to isPrivate. The function is cheap, but still not free. isPrivate itself can also get simpler. We no longer have to worry about the "main" edge case. Plus, the sanity check for invalid package paths is now unnecessary; we only got malformed paths from goobj2, and we now require exact matches with the ImportPath field from "go list -json". Another effect of clearing up the "main" edge case is that -debugdir now uses the right directory for main packages. We also start using consistent debugdir paths in the tests, for the sake of being easier to read and maintain. Finally, note that commandReverse did not need the extra call to "go list -toolexec", as the "shared" call stored in the cache is enough. We still call toolexecCmd to get said cache, which should probably be simplified in a future PR. While at it, replace the use of the "-std" compiler flag with the Standard field from "go list -json".
3 years ago
newPkgPath := ""
deprecate using GOPRIVATE in favor of GOGARBLE (#427) Piggybacking off of GOPRIVATE is great for a number of reasons: * People tend to obfuscate private code, whose package paths will generally be in GOPRIVATE already * Its meaning and syntax are well understood * It allows all the flexibility we need without adding our own env var or config option However, using GOPRIVATE directly has one main drawback. It's fairly common to also want to obfuscate public dependencies, to make the code in private packages even harder to follow. However, using "GOPRIVATE=*" will result in two main downsides: * GONOPROXY defaults to GOPRIVATE, so the proxy would be entirely disabled. Downloading modules, such as when adding or updating dependencies, or when the local cache is cold, can be less reliable. * GONOSUMDB defaults to GOPRIVATE, so the sumdb would be entirely disabled. Adding entries to go.sum, such as when adding or updating dependencies, can be less secure. We will continue to consume GOPRIVATE as a fallback, but we now expect users to set GOGARBLE instead. The new logic is documented in the README. While here, rewrite some uses of "private" with "to obfuscate", to make the code easier to follow and harder to misunderstand. Fixes #276.
3 years ago
if curPkg.Name != "main" && curPkg.ToObfuscate {
fix link errors when importing crypto/ecdsa (#262) First, we had some link errors such as: cannot find package J6OzO8GN (using -importcfg) This was caused by the code that writes an updated importcfg, which did not handle import maps well. That code is now fixed, and we also add an obfuscatedImportPath method for clarity. Once fixed, we ran into other link errors: Pw3g97ww.addVW: relocation target Pw3g97ww.addVWlarge not defined After some digging, the cause of those is assembly code that we do not yet support obfuscating. #261 tracks that. Meanwhile, to fix "GOPRIVATE=* garble build" and to be able to have a test for the original import path bug, we add the packages which use that form of assembly code to runtimeRelated - math/big and crypto/sha512. There might be more, but these were the ones found by trying to link crypto/tls, a fairly common dependency. Fixes #256.
3 years ago
newPkgPath = curPkg.obfuscatedImportPath()
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
flags = flagSetValue(flags, "-p", newPkgPath)
}
always use the compiler's -dwarf=false flag (#96) First, our original append line was completely ineffective; we never used that "flags" slice again. Second, we only attempted to use the flag when we obfuscated a package. In fact, we never care about debugging information here, so for any package we compile, we can add "-dwarf=false". At the moment, we compile all packages, even if they aren't to be obfuscated, due to the lack of access to the build cache. As such, we save a significant amount of work. The numbers below were obtained on a quiet machine with "go test -bench=. -benchtime=10x", six times before and after the change. name old time/op new time/op delta Build-8 2.06s ± 4% 1.87s ± 2% -9.21% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 1.51s ± 2% 1.46s ± 1% -3.12% (p=0.004 n=6+5) name old user-time/op new user-time/op delta Build-8 11.9s ± 2% 10.8s ± 1% -8.71% (p=0.002 n=6+6) While at it, only do CI builds on pushes and PRs to the master branch, so that my PRs created from the same repo don't trigger duplicate builds.
4 years ago
newPaths := make([]string, 0, len(files))
Fix calls to linkname functions (#314)
3 years ago
obfuscate local names in linkname directives Previously, the local name part of linkname directives were never obfuscated. Now that we can obfuscate function names in Go assembly, that limitation is required no longer. Fixes #309
3 years ago
for i, file := range files {
stop loading obfuscated type information from deps If package P1 imports package P2, P1 needs to know which names from P2 weren't obfuscated. For instance, if P2 declares T2 and does "reflect.TypeOf(T2{...})", then P2 won't obfuscate the name T2, and neither should P1. This information should flow from P2 to P1, as P2 builds before P1. We do this via obfuscatedTypesPackage; P1 loads the type information of the obfuscated version of P2, and does a lookup for T2. If T2 exists, then it wasn't obfuscated. This mechanism has served us well, but it has downsides: 1) It wastes CPU; we load the type information for the entire package. 2) It's complex; for instance, we need KnownObjectFiles as an extra. 3) It makes our code harder to understand, as we load both the original and obfuscated type informaiton. Instead, we now have each package record what names were not obfuscated as part of its cachedOuput file. Much like KnownObjectFiles, the map records incrementally through the import graph, to avoid having to load cachedOutput files for indirect dependencies. We shouldn't need to worry about those maps getting large; we only skip obfuscating declared names in a few uncommon scenarios, such as the use of reflection or cgo's "//export". Since go/types is relatively allocation-heavy, and the export files contain a lot of data, we get a nice speed-up: name old time/op new time/op delta Build-16 11.5s ± 2% 11.1s ± 3% -3.77% (p=0.008 n=5+5) name old bin-B new bin-B delta Build-16 5.15M ± 0% 5.15M ± 0% ~ (all equal) name old cached-time/op new cached-time/op delta Build-16 375ms ± 3% 341ms ± 6% -8.96% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build-16 283ms ±17% 289ms ±13% ~ (p=0.841 n=5+5) name old user-time/op new user-time/op delta Build-16 687ms ± 6% 664ms ± 7% ~ (p=0.548 n=5+5) Fixes #456. Updates #475.
2 years ago
filename := filepath.Base(paths[i])
debugf("obfuscating %s", filename)
unify the definition and storage of flag values The parent garble process parses the original flags, as provided by the user via the command line. Previously, those got stored in the shared cache file, so that child processes spawned by toolexec could see them. Unfortunately, this made the code relatively easy to misuse. A child process would always see flagLiterals as zero value, given that it should never see such a flag argument directly. Similarly, one would have to be careful with cached options, as they could only be consumed after the cache file is loaded. Simplify the situation by deduplicating the storage of flags. Now, the parent passes all flags onto children via toolexec. One exception is GarbleDir, which now becomes an env var. This seems in line with other top-level dirs like GARBLE_SHARED. Finally, we turn -seed into a flag.Value, which lets us implement its "set" behavior as part of flag.Parse. Overall, we barely reduce the amount of code involved, but we certainly remove a couple of footguns. As part of the cleanup, we also introduce appendFlags.
3 years ago
if curPkg.ImportPath == "runtime" && flagTiny {
remove unnecessary data from runtime if -tiny is passed Fixes #127. Saves an additional ~1-2% binary size in my testing.
4 years ago
// strip unneeded runtime code
stop loading obfuscated type information from deps If package P1 imports package P2, P1 needs to know which names from P2 weren't obfuscated. For instance, if P2 declares T2 and does "reflect.TypeOf(T2{...})", then P2 won't obfuscate the name T2, and neither should P1. This information should flow from P2 to P1, as P2 builds before P1. We do this via obfuscatedTypesPackage; P1 loads the type information of the obfuscated version of P2, and does a lookup for T2. If T2 exists, then it wasn't obfuscated. This mechanism has served us well, but it has downsides: 1) It wastes CPU; we load the type information for the entire package. 2) It's complex; for instance, we need KnownObjectFiles as an extra. 3) It makes our code harder to understand, as we load both the original and obfuscated type informaiton. Instead, we now have each package record what names were not obfuscated as part of its cachedOuput file. Much like KnownObjectFiles, the map records incrementally through the import graph, to avoid having to load cachedOutput files for indirect dependencies. We shouldn't need to worry about those maps getting large; we only skip obfuscating declared names in a few uncommon scenarios, such as the use of reflection or cgo's "//export". Since go/types is relatively allocation-heavy, and the export files contain a lot of data, we get a nice speed-up: name old time/op new time/op delta Build-16 11.5s ± 2% 11.1s ± 3% -3.77% (p=0.008 n=5+5) name old bin-B new bin-B delta Build-16 5.15M ± 0% 5.15M ± 0% ~ (all equal) name old cached-time/op new cached-time/op delta Build-16 375ms ± 3% 341ms ± 6% -8.96% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build-16 283ms ±17% 289ms ±13% ~ (p=0.841 n=5+5) name old user-time/op new user-time/op delta Build-16 687ms ± 6% 664ms ± 7% ~ (p=0.548 n=5+5) Fixes #456. Updates #475.
2 years ago
stripRuntime(filename, file)
initial support for cgo I'm sure that the added test case doesn't cover many edge cases, but it's a start. Fixes #12.
4 years ago
}
stop loading obfuscated type information from deps If package P1 imports package P2, P1 needs to know which names from P2 weren't obfuscated. For instance, if P2 declares T2 and does "reflect.TypeOf(T2{...})", then P2 won't obfuscate the name T2, and neither should P1. This information should flow from P2 to P1, as P2 builds before P1. We do this via obfuscatedTypesPackage; P1 loads the type information of the obfuscated version of P2, and does a lookup for T2. If T2 exists, then it wasn't obfuscated. This mechanism has served us well, but it has downsides: 1) It wastes CPU; we load the type information for the entire package. 2) It's complex; for instance, we need KnownObjectFiles as an extra. 3) It makes our code harder to understand, as we load both the original and obfuscated type informaiton. Instead, we now have each package record what names were not obfuscated as part of its cachedOuput file. Much like KnownObjectFiles, the map records incrementally through the import graph, to avoid having to load cachedOutput files for indirect dependencies. We shouldn't need to worry about those maps getting large; we only skip obfuscating declared names in a few uncommon scenarios, such as the use of reflection or cgo's "//export". Since go/types is relatively allocation-heavy, and the export files contain a lot of data, we get a nice speed-up: name old time/op new time/op delta Build-16 11.5s ± 2% 11.1s ± 3% -3.77% (p=0.008 n=5+5) name old bin-B new bin-B delta Build-16 5.15M ± 0% 5.15M ± 0% ~ (all equal) name old cached-time/op new cached-time/op delta Build-16 375ms ± 3% 341ms ± 6% -8.96% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build-16 283ms ±17% 289ms ±13% ~ (p=0.841 n=5+5) name old user-time/op new user-time/op delta Build-16 687ms ± 6% 664ms ± 7% ~ (p=0.548 n=5+5) Fixes #456. Updates #475.
2 years ago
tf.handleDirectives(file.Comments)
CI: start enforcing vet and staticcheck Fix a staticcheck warning about unused code, as well as an unparam warning and a missing copyright header. We also bump the action versions to their latest releases, and drop unnecessary "name" fields for self-describing steps. Note that we drop the "go env" commands, as setup-go does that now. Finally, I did briefly try to add caching, but then realised it didn't help us at all. Document why.
2 years ago
file = tf.transformGo(file)
refactor "current package" with TOOLEXEC_IMPORTPATH (#266) Now that we've dropped support for Go 1.15.x, we can finally rely on this environment variable for toolexec calls, present in Go 1.16. Before, we had hacky ways of trying to figure out the current package's import path, mostly from the -p flag. The biggest rough edge there was that, for main packages, that was simply the package name, and not its full import path. To work around that, we had a restriction on a single main package, so we could work around that issue. That restriction is now gone. The new code is simpler, especially because we can set curPkg in a single place for all toolexec transform funcs. Since we can always rely on curPkg not being nil now, we can also start reusing listedPackage.Private and avoid the majority of repeated calls to isPrivate. The function is cheap, but still not free. isPrivate itself can also get simpler. We no longer have to worry about the "main" edge case. Plus, the sanity check for invalid package paths is now unnecessary; we only got malformed paths from goobj2, and we now require exact matches with the ImportPath field from "go list -json". Another effect of clearing up the "main" edge case is that -debugdir now uses the right directory for main packages. We also start using consistent debugdir paths in the tests, for the sake of being easier to read and maintain. Finally, note that commandReverse did not need the extra call to "go list -toolexec", as the "shared" call stored in the cache is enough. We still call toolexecCmd to get said cache, which should probably be simplified in a future PR. While at it, replace the use of the "-std" compiler flag with the Standard field from "go list -json".
3 years ago
if newPkgPath != "" {
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
file.Name.Name = newPkgPath
}
rework the position obfuscator (#282) First, rename line_obfuscator.go to position.go. We obfuscate filenames, not just line numbers, and "obfuscator" is a bit redundant. Second, use "/*line :x*/" comments rather than the "//line :x" form, as the former allows us to insert them in any position without adding unnecessary newlines. This will be important for changing the position of call sites, which will be important for "garble reverse". Third, do not rely on go/ast to remove and add comments. Since they are free-floating, we can very easily end up with misplaced comments, especially as the literal obfuscator heavily modifies the AST. The new method prints and re-parses the file, to ensure all node positions are consistent with a buffer, buf1. Then, we copy the contents into a new buffer, buf2, while inserting the comments that we need. The new method also modifies line numbers at the very end of obfuscating a Go file, instead of at the very beginning. That's going to be more robust long-term, as we will also obfuscate line numbers for any additions or modifications to the AST. Fourth, detachedDirectives is unnecessary, as we can accomplish the same with two simple prefix matches. Finally, this means we can stop using detachedComments entirely, as printFile already inserts the comments we need. For #5.
3 years ago
src, err := printFile(file)
if err != nil {
return nil, err
}
work around a build cache regression in the previous commit The added comment in main.go explains the situation in detail. The added test is a minimization of the scenario, which failed: > cd mod1 > garble -seed=${SEED1} build -v gopkg.in/garbletest.v2 > cd ../mod2 > garble -seed=${SEED1} build -v [stderr] test/main/mod2 # test/main/mod2 cannot load garble export file for gopkg.in/garbletest.v2: open […]/go-build/ed/[…]-garble-ZV[…]-d: no such file or directory To work around the problem, we'll always add each package's GarbleActionID to its build artifact, even when not using -seed. This will get us the previous behavior with regards to the build cache, meaning that we fix the recent regression. The added variable doesn't make it to the final binary either. While here, improve the cached file loading error's context, and add an extra sanity check for duplicates on ListedPackages.
2 years ago
// It is possible to end up in an edge case where two instances of the
// same package have different Action IDs, but their obfuscation and
// builds produce exactly the same results.
// In such an edge case, Go's build cache is smart enough for the second
// instance to reuse the first's build artifact.
// However, garble's caching via garbleExportFile is not as smart,
// as we base the location of these files purely based on Action IDs.
// Thus, the incremental build can fail to find garble's cached file.
// To sidestep this bug entirely, ensure that different action IDs never
// produce the same cached output when building with garble.
// Note that this edge case tends to happen when a -seed is provided,
// as then a package's Action ID is not used as an obfuscation seed.
// TODO(mvdan): replace this workaround with an actual fix if we can.
// This workaround is presumably worse on the build cache,
// as we end up with extra near-duplicate cached artifacts.
if i == 0 {
src = append(src, fmt.Sprintf(
"\nvar garbleActionID = %q\n", hashToString(curPkg.GarbleActionID),
)...)
}
rework the position obfuscator (#282) First, rename line_obfuscator.go to position.go. We obfuscate filenames, not just line numbers, and "obfuscator" is a bit redundant. Second, use "/*line :x*/" comments rather than the "//line :x" form, as the former allows us to insert them in any position without adding unnecessary newlines. This will be important for changing the position of call sites, which will be important for "garble reverse". Third, do not rely on go/ast to remove and add comments. Since they are free-floating, we can very easily end up with misplaced comments, especially as the literal obfuscator heavily modifies the AST. The new method prints and re-parses the file, to ensure all node positions are consistent with a buffer, buf1. Then, we copy the contents into a new buffer, buf2, while inserting the comments that we need. The new method also modifies line numbers at the very end of obfuscating a Go file, instead of at the very beginning. That's going to be more robust long-term, as we will also obfuscate line numbers for any additions or modifications to the AST. Fourth, detachedDirectives is unnecessary, as we can accomplish the same with two simple prefix matches. Finally, this means we can stop using detachedComments entirely, as printFile already inserts the comments we need. For #5.
3 years ago
fix link errors when importing crypto/ecdsa (#262) First, we had some link errors such as: cannot find package J6OzO8GN (using -importcfg) This was caused by the code that writes an updated importcfg, which did not handle import maps well. That code is now fixed, and we also add an obfuscatedImportPath method for clarity. Once fixed, we ran into other link errors: Pw3g97ww.addVW: relocation target Pw3g97ww.addVWlarge not defined After some digging, the cause of those is assembly code that we do not yet support obfuscating. #261 tracks that. Meanwhile, to fix "GOPRIVATE=* garble build" and to be able to have a test for the original import path bug, we add the packages which use that form of assembly code to runtimeRelated - math/big and crypto/sha512. There might be more, but these were the ones found by trying to link crypto/tls, a fairly common dependency. Fixes #256.
3 years ago
// Uncomment for some quick debugging. Do not delete.
deprecate using GOPRIVATE in favor of GOGARBLE (#427) Piggybacking off of GOPRIVATE is great for a number of reasons: * People tend to obfuscate private code, whose package paths will generally be in GOPRIVATE already * Its meaning and syntax are well understood * It allows all the flexibility we need without adding our own env var or config option However, using GOPRIVATE directly has one main drawback. It's fairly common to also want to obfuscate public dependencies, to make the code in private packages even harder to follow. However, using "GOPRIVATE=*" will result in two main downsides: * GONOPROXY defaults to GOPRIVATE, so the proxy would be entirely disabled. Downloading modules, such as when adding or updating dependencies, or when the local cache is cold, can be less reliable. * GONOSUMDB defaults to GOPRIVATE, so the sumdb would be entirely disabled. Adding entries to go.sum, such as when adding or updating dependencies, can be less secure. We will continue to consume GOPRIVATE as a fallback, but we now expect users to set GOGARBLE instead. The new logic is documented in the README. While here, rewrite some uses of "private" with "to obfuscate", to make the code easier to follow and harder to misunderstand. Fixes #276.
3 years ago
// if curPkg.ToObfuscate {
stop loading obfuscated type information from deps If package P1 imports package P2, P1 needs to know which names from P2 weren't obfuscated. For instance, if P2 declares T2 and does "reflect.TypeOf(T2{...})", then P2 won't obfuscate the name T2, and neither should P1. This information should flow from P2 to P1, as P2 builds before P1. We do this via obfuscatedTypesPackage; P1 loads the type information of the obfuscated version of P2, and does a lookup for T2. If T2 exists, then it wasn't obfuscated. This mechanism has served us well, but it has downsides: 1) It wastes CPU; we load the type information for the entire package. 2) It's complex; for instance, we need KnownObjectFiles as an extra. 3) It makes our code harder to understand, as we load both the original and obfuscated type informaiton. Instead, we now have each package record what names were not obfuscated as part of its cachedOuput file. Much like KnownObjectFiles, the map records incrementally through the import graph, to avoid having to load cachedOutput files for indirect dependencies. We shouldn't need to worry about those maps getting large; we only skip obfuscating declared names in a few uncommon scenarios, such as the use of reflection or cgo's "//export". Since go/types is relatively allocation-heavy, and the export files contain a lot of data, we get a nice speed-up: name old time/op new time/op delta Build-16 11.5s ± 2% 11.1s ± 3% -3.77% (p=0.008 n=5+5) name old bin-B new bin-B delta Build-16 5.15M ± 0% 5.15M ± 0% ~ (all equal) name old cached-time/op new cached-time/op delta Build-16 375ms ± 3% 341ms ± 6% -8.96% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build-16 283ms ±17% 289ms ±13% ~ (p=0.841 n=5+5) name old user-time/op new user-time/op delta Build-16 687ms ± 6% 664ms ± 7% ~ (p=0.548 n=5+5) Fixes #456. Updates #475.
2 years ago
// fmt.Fprintf(os.Stderr, "\n-- %s/%s --\n%s", curPkg.ImportPath, filename, src)
fix link errors when importing crypto/ecdsa (#262) First, we had some link errors such as: cannot find package J6OzO8GN (using -importcfg) This was caused by the code that writes an updated importcfg, which did not handle import maps well. That code is now fixed, and we also add an obfuscatedImportPath method for clarity. Once fixed, we ran into other link errors: Pw3g97ww.addVW: relocation target Pw3g97ww.addVWlarge not defined After some digging, the cause of those is assembly code that we do not yet support obfuscating. #261 tracks that. Meanwhile, to fix "GOPRIVATE=* garble build" and to be able to have a test for the original import path bug, we add the packages which use that form of assembly code to runtimeRelated - math/big and crypto/sha512. There might be more, but these were the ones found by trying to link crypto/tls, a fairly common dependency. Fixes #256.
3 years ago
// }
stop loading obfuscated type information from deps If package P1 imports package P2, P1 needs to know which names from P2 weren't obfuscated. For instance, if P2 declares T2 and does "reflect.TypeOf(T2{...})", then P2 won't obfuscate the name T2, and neither should P1. This information should flow from P2 to P1, as P2 builds before P1. We do this via obfuscatedTypesPackage; P1 loads the type information of the obfuscated version of P2, and does a lookup for T2. If T2 exists, then it wasn't obfuscated. This mechanism has served us well, but it has downsides: 1) It wastes CPU; we load the type information for the entire package. 2) It's complex; for instance, we need KnownObjectFiles as an extra. 3) It makes our code harder to understand, as we load both the original and obfuscated type informaiton. Instead, we now have each package record what names were not obfuscated as part of its cachedOuput file. Much like KnownObjectFiles, the map records incrementally through the import graph, to avoid having to load cachedOutput files for indirect dependencies. We shouldn't need to worry about those maps getting large; we only skip obfuscating declared names in a few uncommon scenarios, such as the use of reflection or cgo's "//export". Since go/types is relatively allocation-heavy, and the export files contain a lot of data, we get a nice speed-up: name old time/op new time/op delta Build-16 11.5s ± 2% 11.1s ± 3% -3.77% (p=0.008 n=5+5) name old bin-B new bin-B delta Build-16 5.15M ± 0% 5.15M ± 0% ~ (all equal) name old cached-time/op new cached-time/op delta Build-16 375ms ± 3% 341ms ± 6% -8.96% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build-16 283ms ±17% 289ms ±13% ~ (p=0.841 n=5+5) name old user-time/op new user-time/op delta Build-16 687ms ± 6% 664ms ± 7% ~ (p=0.548 n=5+5) Fixes #456. Updates #475.
2 years ago
if path, err := writeTemp(filename, src); err != nil {
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
return nil, err
add a writeTemp helper func We had two nearly identical copies of the code to open a temp file with CreateTemp, write to it, and handle closing properly. Unify them. With the added docs this isn't exactly a net win, but we want the long funcs such as transformCompile to be easy to follow, and this helps.
3 years ago
} else {
newPaths = append(newPaths, path)
garbling imported packages starts being supported
5 years ago
}
unify the definition and storage of flag values The parent garble process parses the original flags, as provided by the user via the command line. Previously, those got stored in the shared cache file, so that child processes spawned by toolexec could see them. Unfortunately, this made the code relatively easy to misuse. A child process would always see flagLiterals as zero value, given that it should never see such a flag argument directly. Similarly, one would have to be careful with cached options, as they could only be consumed after the cache file is loaded. Simplify the situation by deduplicating the storage of flags. Now, the parent passes all flags onto children via toolexec. One exception is GarbleDir, which now becomes an env var. This seems in line with other top-level dirs like GARBLE_SHARED. Finally, we turn -seed into a flag.Value, which lets us implement its "set" behavior as part of flag.Parse. Overall, we barely reduce the amount of code involved, but we certainly remove a couple of footguns. As part of the cleanup, we also introduce appendFlags.
3 years ago
if flagDebugDir != "" {
refactor "current package" with TOOLEXEC_IMPORTPATH (#266) Now that we've dropped support for Go 1.15.x, we can finally rely on this environment variable for toolexec calls, present in Go 1.16. Before, we had hacky ways of trying to figure out the current package's import path, mostly from the -p flag. The biggest rough edge there was that, for main packages, that was simply the package name, and not its full import path. To work around that, we had a restriction on a single main package, so we could work around that issue. That restriction is now gone. The new code is simpler, especially because we can set curPkg in a single place for all toolexec transform funcs. Since we can always rely on curPkg not being nil now, we can also start reusing listedPackage.Private and avoid the majority of repeated calls to isPrivate. The function is cheap, but still not free. isPrivate itself can also get simpler. We no longer have to worry about the "main" edge case. Plus, the sanity check for invalid package paths is now unnecessary; we only got malformed paths from goobj2, and we now require exact matches with the ImportPath field from "go list -json". Another effect of clearing up the "main" edge case is that -debugdir now uses the right directory for main packages. We also start using consistent debugdir paths in the tests, for the sake of being easier to read and maintain. Finally, note that commandReverse did not need the extra call to "go list -toolexec", as the "shared" call stored in the cache is enough. We still call toolexecCmd to get said cache, which should probably be simplified in a future PR. While at it, replace the use of the "-std" compiler flag with the Standard field from "go list -json".
3 years ago
osPkgPath := filepath.FromSlash(curPkg.ImportPath)
unify the definition and storage of flag values The parent garble process parses the original flags, as provided by the user via the command line. Previously, those got stored in the shared cache file, so that child processes spawned by toolexec could see them. Unfortunately, this made the code relatively easy to misuse. A child process would always see flagLiterals as zero value, given that it should never see such a flag argument directly. Similarly, one would have to be careful with cached options, as they could only be consumed after the cache file is loaded. Simplify the situation by deduplicating the storage of flags. Now, the parent passes all flags onto children via toolexec. One exception is GarbleDir, which now becomes an env var. This seems in line with other top-level dirs like GARBLE_SHARED. Finally, we turn -seed into a flag.Value, which lets us implement its "set" behavior as part of flag.Parse. Overall, we barely reduce the amount of code involved, but we certainly remove a couple of footguns. As part of the cleanup, we also introduce appendFlags.
3 years ago
pkgDebugDir := filepath.Join(flagDebugDir, osPkgPath)
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
if err := os.MkdirAll(pkgDebugDir, 0o755); err != nil {
return nil, err
}
stop loading obfuscated type information from deps If package P1 imports package P2, P1 needs to know which names from P2 weren't obfuscated. For instance, if P2 declares T2 and does "reflect.TypeOf(T2{...})", then P2 won't obfuscate the name T2, and neither should P1. This information should flow from P2 to P1, as P2 builds before P1. We do this via obfuscatedTypesPackage; P1 loads the type information of the obfuscated version of P2, and does a lookup for T2. If T2 exists, then it wasn't obfuscated. This mechanism has served us well, but it has downsides: 1) It wastes CPU; we load the type information for the entire package. 2) It's complex; for instance, we need KnownObjectFiles as an extra. 3) It makes our code harder to understand, as we load both the original and obfuscated type informaiton. Instead, we now have each package record what names were not obfuscated as part of its cachedOuput file. Much like KnownObjectFiles, the map records incrementally through the import graph, to avoid having to load cachedOutput files for indirect dependencies. We shouldn't need to worry about those maps getting large; we only skip obfuscating declared names in a few uncommon scenarios, such as the use of reflection or cgo's "//export". Since go/types is relatively allocation-heavy, and the export files contain a lot of data, we get a nice speed-up: name old time/op new time/op delta Build-16 11.5s ± 2% 11.1s ± 3% -3.77% (p=0.008 n=5+5) name old bin-B new bin-B delta Build-16 5.15M ± 0% 5.15M ± 0% ~ (all equal) name old cached-time/op new cached-time/op delta Build-16 375ms ± 3% 341ms ± 6% -8.96% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build-16 283ms ±17% 289ms ±13% ~ (p=0.841 n=5+5) name old user-time/op new user-time/op delta Build-16 687ms ± 6% 664ms ± 7% ~ (p=0.548 n=5+5) Fixes #456. Updates #475.
2 years ago
debugFilePath := filepath.Join(pkgDebugDir, filename)
improve handling of reflect on foreign unnamed types If a package A imports package B, and uses reflect.TypeOf on an unnamed struct type B.T (such as an alias), we don't want to record B.T's fields as "do not obfuscate". This is for the same reason that we don't if B.T is a named struct type: the detection only works for the package defining the type, as otherwise it's inconsistent. We failed to handle this case well, because we assumed all struct types would be under some named type. This is not the case for type aliases. Fortunately, struct fields are named, and as such they are objects. Check their package too, just like we do for named types. Fixes another build error when obfuscating the protobuf module. We add a simplified version of the example above as a test case, which originated from debugging the protobuf build failure.
3 years ago
if err := os.WriteFile(debugFilePath, src, 0o666); err != nil {
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
return nil, err
}
}
garbling imported packages starts being supported
5 years ago
}
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
flags = flagSetValue(flags, "-importcfg", newImportCfg)
speed up builds with the compiler's -dwarf=false flag Generating DWARF in the compiler object files could take as much as 10% extra CPU time, while we ignore it entirely at the link stage. Speeds up 'go test -short' from ~19.5s to ~18.5s on my laptop.
4 years ago
stop loading obfuscated type information from deps If package P1 imports package P2, P1 needs to know which names from P2 weren't obfuscated. For instance, if P2 declares T2 and does "reflect.TypeOf(T2{...})", then P2 won't obfuscate the name T2, and neither should P1. This information should flow from P2 to P1, as P2 builds before P1. We do this via obfuscatedTypesPackage; P1 loads the type information of the obfuscated version of P2, and does a lookup for T2. If T2 exists, then it wasn't obfuscated. This mechanism has served us well, but it has downsides: 1) It wastes CPU; we load the type information for the entire package. 2) It's complex; for instance, we need KnownObjectFiles as an extra. 3) It makes our code harder to understand, as we load both the original and obfuscated type informaiton. Instead, we now have each package record what names were not obfuscated as part of its cachedOuput file. Much like KnownObjectFiles, the map records incrementally through the import graph, to avoid having to load cachedOutput files for indirect dependencies. We shouldn't need to worry about those maps getting large; we only skip obfuscating declared names in a few uncommon scenarios, such as the use of reflection or cgo's "//export". Since go/types is relatively allocation-heavy, and the export files contain a lot of data, we get a nice speed-up: name old time/op new time/op delta Build-16 11.5s ± 2% 11.1s ± 3% -3.77% (p=0.008 n=5+5) name old bin-B new bin-B delta Build-16 5.15M ± 0% 5.15M ± 0% ~ (all equal) name old cached-time/op new cached-time/op delta Build-16 375ms ± 3% 341ms ± 6% -8.96% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build-16 283ms ±17% 289ms ±13% ~ (p=0.841 n=5+5) name old user-time/op new user-time/op delta Build-16 687ms ± 6% 664ms ± 7% ~ (p=0.548 n=5+5) Fixes #456. Updates #475.
2 years ago
if err := writeGobExclusive(
garbleExportFile(curPkg),
cachedOutput,
); err != nil && !errors.Is(err, fs.ErrExist) {
return nil, err
}
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
return append(flags, newPaths...), nil
garbling imported packages starts being supported
5 years ago
}
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
// handleDirectives looks at all the comments in a file containing build
// directives, and does the necessary for the obfuscation process to work.
//
// Right now, this means recording what local names are used with go:linkname,
// and rewriting those directives to use obfuscated name from other packages.
rework the position obfuscator (#282) First, rename line_obfuscator.go to position.go. We obfuscate filenames, not just line numbers, and "obfuscator" is a bit redundant. Second, use "/*line :x*/" comments rather than the "//line :x" form, as the former allows us to insert them in any position without adding unnecessary newlines. This will be important for changing the position of call sites, which will be important for "garble reverse". Third, do not rely on go/ast to remove and add comments. Since they are free-floating, we can very easily end up with misplaced comments, especially as the literal obfuscator heavily modifies the AST. The new method prints and re-parses the file, to ensure all node positions are consistent with a buffer, buf1. Then, we copy the contents into a new buffer, buf2, while inserting the comments that we need. The new method also modifies line numbers at the very end of obfuscating a Go file, instead of at the very beginning. That's going to be more robust long-term, as we will also obfuscate line numbers for any additions or modifications to the AST. Fourth, detachedDirectives is unnecessary, as we can accomplish the same with two simple prefix matches. Finally, this means we can stop using detachedComments entirely, as printFile already inserts the comments we need. For #5.
3 years ago
func (tf *transformer) handleDirectives(comments []*ast.CommentGroup) {
for _, group := range comments {
for _, comment := range group.List {
if !strings.HasPrefix(comment.Text, "//go:linkname ") {
continue
}
fields := strings.Fields(comment.Text)
if len(fields) != 3 {
fix obfuscating linkname directives that where the package name contained a dot
3 years ago
// TODO: the 2nd argument is optional, handle when it's not present
rework the position obfuscator (#282) First, rename line_obfuscator.go to position.go. We obfuscate filenames, not just line numbers, and "obfuscator" is a bit redundant. Second, use "/*line :x*/" comments rather than the "//line :x" form, as the former allows us to insert them in any position without adding unnecessary newlines. This will be important for changing the position of call sites, which will be important for "garble reverse". Third, do not rely on go/ast to remove and add comments. Since they are free-floating, we can very easily end up with misplaced comments, especially as the literal obfuscator heavily modifies the AST. The new method prints and re-parses the file, to ensure all node positions are consistent with a buffer, buf1. Then, we copy the contents into a new buffer, buf2, while inserting the comments that we need. The new method also modifies line numbers at the very end of obfuscating a Go file, instead of at the very beginning. That's going to be more robust long-term, as we will also obfuscate line numbers for any additions or modifications to the AST. Fourth, detachedDirectives is unnecessary, as we can accomplish the same with two simple prefix matches. Finally, this means we can stop using detachedComments entirely, as printFile already inserts the comments we need. For #5.
3 years ago
continue
}
// This directive has two arguments: "go:linkname localName newName"
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
Obfuscate more packages of the standard library (#312) Also update linkname directives of public packages, to allow the package where something is linknamed to to be obfuscated regardless. Public packages can now depend on private packages.
3 years ago
// obfuscate the local name, if the current package is obfuscated
deprecate using GOPRIVATE in favor of GOGARBLE (#427) Piggybacking off of GOPRIVATE is great for a number of reasons: * People tend to obfuscate private code, whose package paths will generally be in GOPRIVATE already * Its meaning and syntax are well understood * It allows all the flexibility we need without adding our own env var or config option However, using GOPRIVATE directly has one main drawback. It's fairly common to also want to obfuscate public dependencies, to make the code in private packages even harder to follow. However, using "GOPRIVATE=*" will result in two main downsides: * GONOPROXY defaults to GOPRIVATE, so the proxy would be entirely disabled. Downloading modules, such as when adding or updating dependencies, or when the local cache is cold, can be less reliable. * GONOSUMDB defaults to GOPRIVATE, so the sumdb would be entirely disabled. Adding entries to go.sum, such as when adding or updating dependencies, can be less secure. We will continue to consume GOPRIVATE as a fallback, but we now expect users to set GOGARBLE instead. The new logic is documented in the README. While here, rewrite some uses of "private" with "to obfuscate", to make the code easier to follow and harder to misunderstand. Fixes #276.
3 years ago
if curPkg.ToObfuscate {
make obfuscation fully deterministic with -seed The default behavior of garble is to seed via the build inputs, including the build IDs of the entire Go build of each package. This works well as a default, and does give us determinism, but it means that building for different platforms will result in different obfuscation per platform. Instead, when -seed is provided, don't use any other hash seed or salt. This means that a particular Go name will be obfuscated the same way as long as the seed, package path, and name itself remain constant. In other words, when the user supplies a custom -seed, we assume they know what they're doing in terms of storage and rotation. Expand the README docs with more examples and detail. Fixes #449.
2 years ago
fields[1] = hashWithPackage(curPkg, fields[1])
Obfuscate more packages of the standard library (#312) Also update linkname directives of public packages, to allow the package where something is linknamed to to be obfuscated regardless. Public packages can now depend on private packages.
3 years ago
}
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
rework the position obfuscator (#282) First, rename line_obfuscator.go to position.go. We obfuscate filenames, not just line numbers, and "obfuscator" is a bit redundant. Second, use "/*line :x*/" comments rather than the "//line :x" form, as the former allows us to insert them in any position without adding unnecessary newlines. This will be important for changing the position of call sites, which will be important for "garble reverse". Third, do not rely on go/ast to remove and add comments. Since they are free-floating, we can very easily end up with misplaced comments, especially as the literal obfuscator heavily modifies the AST. The new method prints and re-parses the file, to ensure all node positions are consistent with a buffer, buf1. Then, we copy the contents into a new buffer, buf2, while inserting the comments that we need. The new method also modifies line numbers at the very end of obfuscating a Go file, instead of at the very beginning. That's going to be more robust long-term, as we will also obfuscate line numbers for any additions or modifications to the AST. Fourth, detachedDirectives is unnecessary, as we can accomplish the same with two simple prefix matches. Finally, this means we can stop using detachedComments entirely, as printFile already inserts the comments we need. For #5.
3 years ago
// If the new name is of the form "pkgpath.Name", and
// we've obfuscated "Name" in that package, rewrite the
// directive to use the obfuscated name.
fix obfuscating linkname directives that where the package name contained a dot
3 years ago
newName := fields[2]
dotCnt := strings.Count(newName, ".")
if dotCnt < 1 {
stop loading obfuscated type information from deps If package P1 imports package P2, P1 needs to know which names from P2 weren't obfuscated. For instance, if P2 declares T2 and does "reflect.TypeOf(T2{...})", then P2 won't obfuscate the name T2, and neither should P1. This information should flow from P2 to P1, as P2 builds before P1. We do this via obfuscatedTypesPackage; P1 loads the type information of the obfuscated version of P2, and does a lookup for T2. If T2 exists, then it wasn't obfuscated. This mechanism has served us well, but it has downsides: 1) It wastes CPU; we load the type information for the entire package. 2) It's complex; for instance, we need KnownObjectFiles as an extra. 3) It makes our code harder to understand, as we load both the original and obfuscated type informaiton. Instead, we now have each package record what names were not obfuscated as part of its cachedOuput file. Much like KnownObjectFiles, the map records incrementally through the import graph, to avoid having to load cachedOutput files for indirect dependencies. We shouldn't need to worry about those maps getting large; we only skip obfuscating declared names in a few uncommon scenarios, such as the use of reflection or cgo's "//export". Since go/types is relatively allocation-heavy, and the export files contain a lot of data, we get a nice speed-up: name old time/op new time/op delta Build-16 11.5s ± 2% 11.1s ± 3% -3.77% (p=0.008 n=5+5) name old bin-B new bin-B delta Build-16 5.15M ± 0% 5.15M ± 0% ~ (all equal) name old cached-time/op new cached-time/op delta Build-16 375ms ± 3% 341ms ± 6% -8.96% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build-16 283ms ±17% 289ms ±13% ~ (p=0.841 n=5+5) name old user-time/op new user-time/op delta Build-16 687ms ± 6% 664ms ± 7% ~ (p=0.548 n=5+5) Fixes #456. Updates #475.
2 years ago
// cgo-generated code uses linknames to made up symbol names,
// which do not have a package path at all.
// Replace the comment in case the local name was obfuscated.
comment.Text = strings.Join(fields, " ")
rework the position obfuscator (#282) First, rename line_obfuscator.go to position.go. We obfuscate filenames, not just line numbers, and "obfuscator" is a bit redundant. Second, use "/*line :x*/" comments rather than the "//line :x" form, as the former allows us to insert them in any position without adding unnecessary newlines. This will be important for changing the position of call sites, which will be important for "garble reverse". Third, do not rely on go/ast to remove and add comments. Since they are free-floating, we can very easily end up with misplaced comments, especially as the literal obfuscator heavily modifies the AST. The new method prints and re-parses the file, to ensure all node positions are consistent with a buffer, buf1. Then, we copy the contents into a new buffer, buf2, while inserting the comments that we need. The new method also modifies line numbers at the very end of obfuscating a Go file, instead of at the very beginning. That's going to be more robust long-term, as we will also obfuscate line numbers for any additions or modifications to the AST. Fourth, detachedDirectives is unnecessary, as we can accomplish the same with two simple prefix matches. Finally, this means we can stop using detachedComments entirely, as printFile already inserts the comments we need. For #5.
3 years ago
continue
}
ensure the runtime is built in a reproducible way We went to great lengths to ensure garble builds are reproducible. This includes how the tool itself works, as its behavior should be the same given the same inputs. However, we made one crucial mistake with the runtime package. It has go:linkname directives pointing at other packages, and some of those pointed packages aren't its dependencies. Imagine two scenarios where garble builds the runtime package: 1) We run "garble build runtime". The way we handle linkname directives calls listPackage on the target package, to obfuscate the target's import path and object name. However, since we only obtained build info of runtime and its deps, calls for some linknames such as listPackage("sync/atomic") will fail. The linkname directive will leave its target untouched. 2) We run "garble build std". Unlike the first scenario, all listPackage calls issued by runtime's linkname directives will succeed, so its linkname directive targets will be obfuscated. At best, this can result in inconsistent builds, depending on how the runtime package was built. At worst, the mismatching object names can result in errors at link time, if the target packages are actually used. The modified test reproduces the worst case scenario reliably, when the fix is reverted: > env GOCACHE=${WORK}/gocache-empty > garble build -a runtime > garble build -o=out_rebuild ./stdimporter [stderr] # test/main/stdimporter JZzQivnl.NtQJu0H3: relocation target JZzQivnl.iioHinYT not defined JZzQivnl.NtQJu0H3.func9: relocation target JZzQivnl.yz5z0NaH not defined JZzQivnl.(*ypvqhKiQ).String: relocation target JZzQivnl.eVciBQeI not defined JZzQivnl.(*ypvqhKiQ).PkgPath: relocation target JZzQivnl.eVciBQeI not defined [...] The fix consists of two steps. First, if we're building the runtime and listPackage fails on a package, that means we ran into scenario 1 above. To avoid the inconsistency, we fill ListedPackages with "go list [...] std". This means we'll always build runtime as described in scenario 2 above. Second, when building packages other than the runtime, we only allow listPackage to succeed if we're listing a dependency of the current package. This ensures we won't run into similar reproducibility bugs in the future. Finally, re-enable test-gotip on CI since this was the last test flake.
3 years ago
switch newName {
case "main.main", "main..inittask", "runtime..inittask":
// The runtime uses some special symbols with "..".
// We aren't touching those at the moment.
continue
}
fix obfuscating linkname directives that where the package name contained a dot
3 years ago
// If the package path has multiple dots, split on the
// last one.
Fix linkname directives with dots in importpath (#407) Obfuscating newName arguments of linkname directives with dots in the importpath didn't work before. We had a test which covers this, but the corresponding package wasn't actually obfuscated.
3 years ago
lastDotIdx := strings.LastIndex(newName, ".")
pkgPath, name := newName[:lastDotIdx], newName[lastDotIdx+1:]
fix obfuscating linkname directives that where the package name contained a dot
3 years ago
rework the position obfuscator (#282) First, rename line_obfuscator.go to position.go. We obfuscate filenames, not just line numbers, and "obfuscator" is a bit redundant. Second, use "/*line :x*/" comments rather than the "//line :x" form, as the former allows us to insert them in any position without adding unnecessary newlines. This will be important for changing the position of call sites, which will be important for "garble reverse". Third, do not rely on go/ast to remove and add comments. Since they are free-floating, we can very easily end up with misplaced comments, especially as the literal obfuscator heavily modifies the AST. The new method prints and re-parses the file, to ensure all node positions are consistent with a buffer, buf1. Then, we copy the contents into a new buffer, buf2, while inserting the comments that we need. The new method also modifies line numbers at the very end of obfuscating a Go file, instead of at the very beginning. That's going to be more robust long-term, as we will also obfuscate line numbers for any additions or modifications to the AST. Fourth, detachedDirectives is unnecessary, as we can accomplish the same with two simple prefix matches. Finally, this means we can stop using detachedComments entirely, as printFile already inserts the comments we need. For #5.
3 years ago
lpkg, err := listPackage(pkgPath)
if err != nil {
stop loading obfuscated type information from deps If package P1 imports package P2, P1 needs to know which names from P2 weren't obfuscated. For instance, if P2 declares T2 and does "reflect.TypeOf(T2{...})", then P2 won't obfuscate the name T2, and neither should P1. This information should flow from P2 to P1, as P2 builds before P1. We do this via obfuscatedTypesPackage; P1 loads the type information of the obfuscated version of P2, and does a lookup for T2. If T2 exists, then it wasn't obfuscated. This mechanism has served us well, but it has downsides: 1) It wastes CPU; we load the type information for the entire package. 2) It's complex; for instance, we need KnownObjectFiles as an extra. 3) It makes our code harder to understand, as we load both the original and obfuscated type informaiton. Instead, we now have each package record what names were not obfuscated as part of its cachedOuput file. Much like KnownObjectFiles, the map records incrementally through the import graph, to avoid having to load cachedOutput files for indirect dependencies. We shouldn't need to worry about those maps getting large; we only skip obfuscating declared names in a few uncommon scenarios, such as the use of reflection or cgo's "//export". Since go/types is relatively allocation-heavy, and the export files contain a lot of data, we get a nice speed-up: name old time/op new time/op delta Build-16 11.5s ± 2% 11.1s ± 3% -3.77% (p=0.008 n=5+5) name old bin-B new bin-B delta Build-16 5.15M ± 0% 5.15M ± 0% ~ (all equal) name old cached-time/op new cached-time/op delta Build-16 375ms ± 3% 341ms ± 6% -8.96% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build-16 283ms ±17% 289ms ±13% ~ (p=0.841 n=5+5) name old user-time/op new user-time/op delta Build-16 687ms ± 6% 664ms ± 7% ~ (p=0.548 n=5+5) Fixes #456. Updates #475.
2 years ago
// Probably a made up name like above, but with a dot.
obfuscate local names in linkname directives Previously, the local name part of linkname directives were never obfuscated. Now that we can obfuscate function names in Go assembly, that limitation is required no longer. Fixes #309
3 years ago
comment.Text = strings.Join(fields, " ")
continue
rework the position obfuscator (#282) First, rename line_obfuscator.go to position.go. We obfuscate filenames, not just line numbers, and "obfuscator" is a bit redundant. Second, use "/*line :x*/" comments rather than the "//line :x" form, as the former allows us to insert them in any position without adding unnecessary newlines. This will be important for changing the position of call sites, which will be important for "garble reverse". Third, do not rely on go/ast to remove and add comments. Since they are free-floating, we can very easily end up with misplaced comments, especially as the literal obfuscator heavily modifies the AST. The new method prints and re-parses the file, to ensure all node positions are consistent with a buffer, buf1. Then, we copy the contents into a new buffer, buf2, while inserting the comments that we need. The new method also modifies line numbers at the very end of obfuscating a Go file, instead of at the very beginning. That's going to be more robust long-term, as we will also obfuscate line numbers for any additions or modifications to the AST. Fourth, detachedDirectives is unnecessary, as we can accomplish the same with two simple prefix matches. Finally, this means we can stop using detachedComments entirely, as printFile already inserts the comments we need. For #5.
3 years ago
}
deprecate using GOPRIVATE in favor of GOGARBLE (#427) Piggybacking off of GOPRIVATE is great for a number of reasons: * People tend to obfuscate private code, whose package paths will generally be in GOPRIVATE already * Its meaning and syntax are well understood * It allows all the flexibility we need without adding our own env var or config option However, using GOPRIVATE directly has one main drawback. It's fairly common to also want to obfuscate public dependencies, to make the code in private packages even harder to follow. However, using "GOPRIVATE=*" will result in two main downsides: * GONOPROXY defaults to GOPRIVATE, so the proxy would be entirely disabled. Downloading modules, such as when adding or updating dependencies, or when the local cache is cold, can be less reliable. * GONOSUMDB defaults to GOPRIVATE, so the sumdb would be entirely disabled. Adding entries to go.sum, such as when adding or updating dependencies, can be less secure. We will continue to consume GOPRIVATE as a fallback, but we now expect users to set GOGARBLE instead. The new logic is documented in the README. While here, rewrite some uses of "private" with "to obfuscate", to make the code easier to follow and harder to misunderstand. Fixes #276.
3 years ago
if lpkg.ToObfuscate {
obfuscate local names in linkname directives Previously, the local name part of linkname directives were never obfuscated. Now that we can obfuscate function names in Go assembly, that limitation is required no longer. Fixes #309
3 years ago
// The name exists and was obfuscated; obfuscate
// the new name.
make obfuscation fully deterministic with -seed The default behavior of garble is to seed via the build inputs, including the build IDs of the entire Go build of each package. This works well as a default, and does give us determinism, but it means that building for different platforms will result in different obfuscation per platform. Instead, when -seed is provided, don't use any other hash seed or salt. This means that a particular Go name will be obfuscated the same way as long as the seed, package path, and name itself remain constant. In other words, when the user supplies a custom -seed, we assume they know what they're doing in terms of storage and rotation. Expand the README docs with more examples and detail. Fixes #449.
2 years ago
newName := hashWithPackage(lpkg, name)
obfuscate local names in linkname directives Previously, the local name part of linkname directives were never obfuscated. Now that we can obfuscate function names in Go assembly, that limitation is required no longer. Fixes #309
3 years ago
newPkgPath := pkgPath
if pkgPath != "main" {
newPkgPath = lpkg.obfuscatedImportPath()
}
fields[2] = newPkgPath + "." + newName
rework the position obfuscator (#282) First, rename line_obfuscator.go to position.go. We obfuscate filenames, not just line numbers, and "obfuscator" is a bit redundant. Second, use "/*line :x*/" comments rather than the "//line :x" form, as the former allows us to insert them in any position without adding unnecessary newlines. This will be important for changing the position of call sites, which will be important for "garble reverse". Third, do not rely on go/ast to remove and add comments. Since they are free-floating, we can very easily end up with misplaced comments, especially as the literal obfuscator heavily modifies the AST. The new method prints and re-parses the file, to ensure all node positions are consistent with a buffer, buf1. Then, we copy the contents into a new buffer, buf2, while inserting the comments that we need. The new method also modifies line numbers at the very end of obfuscating a Go file, instead of at the very beginning. That's going to be more robust long-term, as we will also obfuscate line numbers for any additions or modifications to the AST. Fourth, detachedDirectives is unnecessary, as we can accomplish the same with two simple prefix matches. Finally, this means we can stop using detachedComments entirely, as printFile already inserts the comments we need. For #5.
3 years ago
}
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
rework the position obfuscator (#282) First, rename line_obfuscator.go to position.go. We obfuscate filenames, not just line numbers, and "obfuscator" is a bit redundant. Second, use "/*line :x*/" comments rather than the "//line :x" form, as the former allows us to insert them in any position without adding unnecessary newlines. This will be important for changing the position of call sites, which will be important for "garble reverse". Third, do not rely on go/ast to remove and add comments. Since they are free-floating, we can very easily end up with misplaced comments, especially as the literal obfuscator heavily modifies the AST. The new method prints and re-parses the file, to ensure all node positions are consistent with a buffer, buf1. Then, we copy the contents into a new buffer, buf2, while inserting the comments that we need. The new method also modifies line numbers at the very end of obfuscating a Go file, instead of at the very beginning. That's going to be more robust long-term, as we will also obfuscate line numbers for any additions or modifications to the AST. Fourth, detachedDirectives is unnecessary, as we can accomplish the same with two simple prefix matches. Finally, this means we can stop using detachedComments entirely, as printFile already inserts the comments we need. For #5.
3 years ago
comment.Text = strings.Join(fields, " ")
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
}
all: use better names than "blacklist", and docs (#206) The three transformer map fields are now very well documented, which was badly needed for anyone trying to understand the source code. ignoreObjects is also a better field name than blacklist, as it says what the map is indexed by (types.Object) and what we do with those: ignore them when we obfuscate code. The rewriting of go:linkname directives is moved to a separate func, so that we can name that func from the docs. Finally, the docs are overall improved a bit, as I was re-tracing all the pieces of code that used the ambiguous "blacklist" terminology. Fixes #169.
4 years ago
}
}
stop loading obfuscated type information from deps If package P1 imports package P2, P1 needs to know which names from P2 weren't obfuscated. For instance, if P2 declares T2 and does "reflect.TypeOf(T2{...})", then P2 won't obfuscate the name T2, and neither should P1. This information should flow from P2 to P1, as P2 builds before P1. We do this via obfuscatedTypesPackage; P1 loads the type information of the obfuscated version of P2, and does a lookup for T2. If T2 exists, then it wasn't obfuscated. This mechanism has served us well, but it has downsides: 1) It wastes CPU; we load the type information for the entire package. 2) It's complex; for instance, we need KnownObjectFiles as an extra. 3) It makes our code harder to understand, as we load both the original and obfuscated type informaiton. Instead, we now have each package record what names were not obfuscated as part of its cachedOuput file. Much like KnownObjectFiles, the map records incrementally through the import graph, to avoid having to load cachedOutput files for indirect dependencies. We shouldn't need to worry about those maps getting large; we only skip obfuscating declared names in a few uncommon scenarios, such as the use of reflection or cgo's "//export". Since go/types is relatively allocation-heavy, and the export files contain a lot of data, we get a nice speed-up: name old time/op new time/op delta Build-16 11.5s ± 2% 11.1s ± 3% -3.77% (p=0.008 n=5+5) name old bin-B new bin-B delta Build-16 5.15M ± 0% 5.15M ± 0% ~ (all equal) name old cached-time/op new cached-time/op delta Build-16 375ms ± 3% 341ms ± 6% -8.96% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build-16 283ms ±17% 289ms ±13% ~ (p=0.841 n=5+5) name old user-time/op new user-time/op delta Build-16 687ms ± 6% 664ms ± 7% ~ (p=0.548 n=5+5) Fixes #456. Updates #475.
2 years ago
// processImportCfg parses the importcfg file passed to a compile or link step.
stop relying on nested "go list -toolexec" calls (#422) We rely on importcfg files to load type info for obfuscated packages. We use this type information to remember what names we didn't obfuscate. Unfortunately, indirect dependencies aren't listed in importcfg files, so we relied on extra "go list -toolexec" calls to locate object files. This worked fine, but added a significant amount of complexity. The extra "go list -export -toolexec=garble" invocations weren't slow, as they avoided rebuilding or re-obfuscating thanks to the build cache. Still, it was hard to reason about how garble runs during a build if we might have multiple layers of -toolexec invocations. Instead, record the export files we encounter in an incremental map, and persist it in the build cache via the gob file we're already using. This way, each garble invocation knows where all object files are, even those for indirect imports. One wrinkle is that importcfg files can point to temporary object files. In that case, figure out its final location in the build cache. This requires hard-coding a bit of knowledge about how GOCACHE works, but it seems relatively harmless given how it's very little code. Plus, if GOCACHE ever changes, it will be obvious when our code breaks. Finally, add a TODO about potentially saving even more work.
3 years ago
// It also builds a new importcfg file to account for obfuscated import paths.
avoid one more call to 'go tool buildid' (#253) We use it to get the content ID of garble's binary, which is used for both the garble action IDs, as well as 'go tool compile -V=full'. Since those two happen in separate processes, both used to call 'go tool buildid' separately. Store it in the gob cache the first time, and reuse it the second time. Since each call to cmd/go costs about 10ms (new process, running its many init funcs, etc), this results in a nice speed-up for our small benchmark. Most builds will take many seconds though, so note that a ~15ms speedup there will likely not be noticeable. While at it, simplify the buildInfo global, as now it just contains a map representation of the -importcfg contents. It now has better names, docs, and a simpler representation. We also stop using the term "garbled import", as it was a bit confusing. "obfuscated types.Package" is a much better description. name old time/op new time/op delta Build-8 106ms ± 1% 92ms ± 0% -14.07% (p=0.010 n=6+4) name old bin-B new bin-B delta Build-8 6.60M ± 0% 6.60M ± 0% -0.01% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 208ms ± 5% 149ms ± 3% -28.27% (p=0.004 n=6+5) name old user-time/op new user-time/op delta Build-8 433ms ± 3% 384ms ± 3% -11.35% (p=0.002 n=6+6)
3 years ago
func processImportCfg(flags []string) (newImportCfg string, _ error) {
start using original action IDs (#251) When we obfuscate a name, what we do is hash the name with the action ID of the package that contains the name. To ensure that the hash changes if the garble tool changes, we used the action ID of the obfuscated build, which is different than the original action ID, as we include garble's own content ID in "go tool compile -V=full" via -toolexec. Let's call that the "obfuscated action ID". Remember that a content ID is roughly the hash of a binary or object file, and an action ID contains the hash of a package's source code plus the content IDs of its dependencies. This had the advantage that it did what we wanted. However, it had one massive drawback: when we compile a package, we only have the obfuscated action IDs of its dependencies. This is because one can't have the content ID of dependent packages before they are built. Usually, this is not a problem, because hashing a foreign name means it comes from a dependency, where we already have the obfuscated action ID. However, that's not always the case. First, go:linkname directives can point to any symbol that ends up in the binary, even if the package is not a dependency. So garble could only support linkname targets belonging to dependencies. This is at the root of why we could not obfuscate the runtime; it contains linkname directives targeting the net package, for example, which depends on runtime. Second, some other places did not have an easy access to obfuscated action IDs, like transformAsm, which had to recover it from a temporary file stored by transformCompile. Plus, this was all pretty expensive, as each toolexec sub-process had to make repeated calls to buildidOf with the object files of dependencies. We even had to use extra calls to "go list" in the case of indirect dependencies, as their export files do not appear in importcfg files. All in all, the old method was complex and expensive. A better mechanism is to use the original action IDs directly, as listed by "go list" without garble in the picture. This would mean that the hashing does not change if garble changes, meaning weaker obfuscation. To regain that property, we define the "garble action ID", which is just the original action ID hashed together with garble's own content ID. This is practically the same as the obfuscated build ID we used before, but since it doesn't go through "go tool compile -V=full" and the obfuscated build itself, we can work out *all* the garble action IDs upfront, before the obfuscated build even starts. This fixes all of our problems. Now we know all garble build IDs upfront, so a bunch of hacks can be entirely removed. Plus, since we know them upfront, we can also cache them and avoid repeated calls to "go tool buildid". While at it, make use of the new BuildID field in Go 1.16's "list -json -export". This avoids the vast majority of "go tool buildid" calls, as the only ones that remain are 2 on the garble binary itself. The numbers for Go 1.16 look very good: name old time/op new time/op delta Build-8 146ms ± 4% 101ms ± 1% -31.01% (p=0.002 n=6+6) name old bin-B new bin-B delta Build-8 6.61M ± 0% 6.60M ± 0% -0.09% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 321ms ± 7% 202ms ± 6% -37.11% (p=0.002 n=6+6) name old user-time/op new user-time/op delta Build-8 538ms ± 4% 414ms ± 4% -23.12% (p=0.002 n=6+6)
3 years ago
importCfg := flagValue(flags, "-importcfg")
if importCfg == "" {
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
return "", fmt.Errorf("could not find -importcfg argument")
garbling imported packages starts being supported
5 years ago
}
all: replace uses of the deprecated ioutil Now that we require Go 1.16, we can simplify code by removing ioutil.
3 years ago
data, err := os.ReadFile(importCfg)
garbling imported packages starts being supported
5 years ago
if err != nil {
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
return "", err
garbling imported packages starts being supported
5 years ago
}
Use latest Binject/debug version to support importmap directives, fixes #146 (#189) * Use latest Binject/debug version to support importmap directives in the importcfg file * Uncomment line in goprivate testscript to test ImportMap * Fixed issue where a package in specified in importmap would be hashed differently in a package that imported it, due to the mapping of import paths. Also commented out the 'net' import in the goprivate testscript (again) due to cgo compile errors
4 years ago
stop relying on nested "go list -toolexec" calls (#422) We rely on importcfg files to load type info for obfuscated packages. We use this type information to remember what names we didn't obfuscate. Unfortunately, indirect dependencies aren't listed in importcfg files, so we relied on extra "go list -toolexec" calls to locate object files. This worked fine, but added a significant amount of complexity. The extra "go list -export -toolexec=garble" invocations weren't slow, as they avoided rebuilding or re-obfuscating thanks to the build cache. Still, it was hard to reason about how garble runs during a build if we might have multiple layers of -toolexec invocations. Instead, record the export files we encounter in an incremental map, and persist it in the build cache via the gob file we're already using. This way, each garble invocation knows where all object files are, even those for indirect imports. One wrinkle is that importcfg files can point to temporary object files. In that case, figure out its final location in the build cache. This requires hard-coding a bit of knowledge about how GOCACHE works, but it seems relatively harmless given how it's very little code. Plus, if GOCACHE ever changes, it will be obvious when our code breaks. Finally, add a TODO about potentially saving even more work.
3 years ago
var packagefiles, importmaps [][2]string
avoid one more call to 'go tool buildid' (#253) We use it to get the content ID of garble's binary, which is used for both the garble action IDs, as well as 'go tool compile -V=full'. Since those two happen in separate processes, both used to call 'go tool buildid' separately. Store it in the gob cache the first time, and reuse it the second time. Since each call to cmd/go costs about 10ms (new process, running its many init funcs, etc), this results in a nice speed-up for our small benchmark. Most builds will take many seconds though, so note that a ~15ms speedup there will likely not be noticeable. While at it, simplify the buildInfo global, as now it just contains a map representation of the -importcfg contents. It now has better names, docs, and a simpler representation. We also stop using the term "garbled import", as it was a bit confusing. "obfuscated types.Package" is a much better description. name old time/op new time/op delta Build-8 106ms ± 1% 92ms ± 0% -14.07% (p=0.010 n=6+4) name old bin-B new bin-B delta Build-8 6.60M ± 0% 6.60M ± 0% -0.01% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 208ms ± 5% 149ms ± 3% -28.27% (p=0.004 n=6+5) name old user-time/op new user-time/op delta Build-8 433ms ± 3% 384ms ± 3% -11.35% (p=0.002 n=6+6)
3 years ago
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
for _, line := range strings.SplitAfter(string(data), "\n") {
garbling imported packages starts being supported
5 years ago
line = strings.TrimSpace(line)
if line == "" || strings.HasPrefix(line, "#") {
start hashing identifiers
5 years ago
continue
}
avoid obfuscating literals set via -ldflags=-X The -X linker flag sets a string variable to a given value, which is often used to inject strings such as versions. The way garble's literal obfuscation works, we replace string literals with anonymous functions which, when evaluated, result in the original string. Both of these features work fine separately, but when intersecting, they break. For example, given: var myVar = "original" [...] -ldflags=-X=main.myVar=replaced The -X flag effectively replaces the initial value, and -literals adds code to be run at init time: var myVar = "replaced" func init() { myVar = func() string { ... } } Since the init func runs later, -literals breaks -X. To avoid that problem, don't obfuscate literals whose variables are set via -ldflags=-X. We also leave TODOs about obfuscating those in the future, but we're also leaving regression tests to ensure we get it right. Fixes #323.
2 years ago
i := strings.IndexByte(line, ' ')
garbling imported packages starts being supported
5 years ago
if i < 0 {
continue
}
Use latest Binject/debug version to support importmap directives, fixes #146 (#189) * Use latest Binject/debug version to support importmap directives in the importcfg file * Uncomment line in goprivate testscript to test ImportMap * Fixed issue where a package in specified in importmap would be hashed differently in a package that imported it, due to the mapping of import paths. Also commented out the 'net' import in the goprivate testscript (again) due to cgo compile errors
4 years ago
verb := line[:i]
switch verb {
case "importmap":
args := strings.TrimSpace(line[i+1:])
avoid obfuscating literals set via -ldflags=-X The -X linker flag sets a string variable to a given value, which is often used to inject strings such as versions. The way garble's literal obfuscation works, we replace string literals with anonymous functions which, when evaluated, result in the original string. Both of these features work fine separately, but when intersecting, they break. For example, given: var myVar = "original" [...] -ldflags=-X=main.myVar=replaced The -X flag effectively replaces the initial value, and -literals adds code to be run at init time: var myVar = "replaced" func init() { myVar = func() string { ... } } Since the init func runs later, -literals breaks -X. To avoid that problem, don't obfuscate literals whose variables are set via -ldflags=-X. We also leave TODOs about obfuscating those in the future, but we're also leaving regression tests to ensure we get it right. Fixes #323.
2 years ago
j := strings.IndexByte(args, '=')
Use latest Binject/debug version to support importmap directives, fixes #146 (#189) * Use latest Binject/debug version to support importmap directives in the importcfg file * Uncomment line in goprivate testscript to test ImportMap * Fixed issue where a package in specified in importmap would be hashed differently in a package that imported it, due to the mapping of import paths. Also commented out the 'net' import in the goprivate testscript (again) due to cgo compile errors
4 years ago
if j < 0 {
continue
}
beforePath, afterPath := args[:j], args[j+1:]
stop relying on nested "go list -toolexec" calls (#422) We rely on importcfg files to load type info for obfuscated packages. We use this type information to remember what names we didn't obfuscate. Unfortunately, indirect dependencies aren't listed in importcfg files, so we relied on extra "go list -toolexec" calls to locate object files. This worked fine, but added a significant amount of complexity. The extra "go list -export -toolexec=garble" invocations weren't slow, as they avoided rebuilding or re-obfuscating thanks to the build cache. Still, it was hard to reason about how garble runs during a build if we might have multiple layers of -toolexec invocations. Instead, record the export files we encounter in an incremental map, and persist it in the build cache via the gob file we're already using. This way, each garble invocation knows where all object files are, even those for indirect imports. One wrinkle is that importcfg files can point to temporary object files. In that case, figure out its final location in the build cache. This requires hard-coding a bit of knowledge about how GOCACHE works, but it seems relatively harmless given how it's very little code. Plus, if GOCACHE ever changes, it will be obvious when our code breaks. Finally, add a TODO about potentially saving even more work.
3 years ago
importmaps = append(importmaps, [2]string{beforePath, afterPath})
Use latest Binject/debug version to support importmap directives, fixes #146 (#189) * Use latest Binject/debug version to support importmap directives in the importcfg file * Uncomment line in goprivate testscript to test ImportMap * Fixed issue where a package in specified in importmap would be hashed differently in a package that imported it, due to the mapping of import paths. Also commented out the 'net' import in the goprivate testscript (again) due to cgo compile errors
4 years ago
case "packagefile":
args := strings.TrimSpace(line[i+1:])
avoid obfuscating literals set via -ldflags=-X The -X linker flag sets a string variable to a given value, which is often used to inject strings such as versions. The way garble's literal obfuscation works, we replace string literals with anonymous functions which, when evaluated, result in the original string. Both of these features work fine separately, but when intersecting, they break. For example, given: var myVar = "original" [...] -ldflags=-X=main.myVar=replaced The -X flag effectively replaces the initial value, and -literals adds code to be run at init time: var myVar = "replaced" func init() { myVar = func() string { ... } } Since the init func runs later, -literals breaks -X. To avoid that problem, don't obfuscate literals whose variables are set via -ldflags=-X. We also leave TODOs about obfuscating those in the future, but we're also leaving regression tests to ensure we get it right. Fixes #323.
2 years ago
j := strings.IndexByte(args, '=')
Use latest Binject/debug version to support importmap directives, fixes #146 (#189) * Use latest Binject/debug version to support importmap directives in the importcfg file * Uncomment line in goprivate testscript to test ImportMap * Fixed issue where a package in specified in importmap would be hashed differently in a package that imported it, due to the mapping of import paths. Also commented out the 'net' import in the goprivate testscript (again) due to cgo compile errors
4 years ago
if j < 0 {
continue
}
importPath, objectPath := args[:j], args[j+1:]
add seed flag to control how builds are reproducible Fixes #26.
4 years ago
stop relying on nested "go list -toolexec" calls (#422) We rely on importcfg files to load type info for obfuscated packages. We use this type information to remember what names we didn't obfuscate. Unfortunately, indirect dependencies aren't listed in importcfg files, so we relied on extra "go list -toolexec" calls to locate object files. This worked fine, but added a significant amount of complexity. The extra "go list -export -toolexec=garble" invocations weren't slow, as they avoided rebuilding or re-obfuscating thanks to the build cache. Still, it was hard to reason about how garble runs during a build if we might have multiple layers of -toolexec invocations. Instead, record the export files we encounter in an incremental map, and persist it in the build cache via the gob file we're already using. This way, each garble invocation knows where all object files are, even those for indirect imports. One wrinkle is that importcfg files can point to temporary object files. In that case, figure out its final location in the build cache. This requires hard-coding a bit of knowledge about how GOCACHE works, but it seems relatively harmless given how it's very little code. Plus, if GOCACHE ever changes, it will be obvious when our code breaks. Finally, add a TODO about potentially saving even more work.
3 years ago
packagefiles = append(packagefiles, [2]string{importPath, objectPath})
start hashing identifiers
5 years ago
}
}
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
// Produce the modified importcfg file.
properly fix obfuscated imports with their package names (#245) The TODO I left there didn't take long to surface as a bug. If the package path ends with a word containing a hyphen, that's not a valid identifier, so we end up with invalid Go syntax. Add that test case, as well as one where an import was already named. To fix the issue, we just need to use the package name we got from 'go list -json'. Fixes #243.
3 years ago
// This is mainly replacing the obfuscated paths.
// Note that we range over maps, so this is non-deterministic, but that
// should not matter as the file is treated like a lookup table.
all: replace uses of the deprecated ioutil Now that we require Go 1.16, we can simplify code by removing ioutil.
3 years ago
newCfg, err := os.CreateTemp(sharedTempDir, "importcfg")
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
if err != nil {
return "", err
}
stop relying on nested "go list -toolexec" calls (#422) We rely on importcfg files to load type info for obfuscated packages. We use this type information to remember what names we didn't obfuscate. Unfortunately, indirect dependencies aren't listed in importcfg files, so we relied on extra "go list -toolexec" calls to locate object files. This worked fine, but added a significant amount of complexity. The extra "go list -export -toolexec=garble" invocations weren't slow, as they avoided rebuilding or re-obfuscating thanks to the build cache. Still, it was hard to reason about how garble runs during a build if we might have multiple layers of -toolexec invocations. Instead, record the export files we encounter in an incremental map, and persist it in the build cache via the gob file we're already using. This way, each garble invocation knows where all object files are, even those for indirect imports. One wrinkle is that importcfg files can point to temporary object files. In that case, figure out its final location in the build cache. This requires hard-coding a bit of knowledge about how GOCACHE works, but it seems relatively harmless given how it's very little code. Plus, if GOCACHE ever changes, it will be obvious when our code breaks. Finally, add a TODO about potentially saving even more work.
3 years ago
for _, pair := range importmaps {
beforePath, afterPath := pair[0], pair[1]
concentrate and simplify "to obfuscate" logic Back in the day, we used to call toObfuscate anytime we needed to know whether a package should be obfuscated. More recently, we started computing via the ToObfuscate field, which then gets shared with all sub-processes via sharedCache. We still had two places that directly called toObfuscate. Replace those with ToObfuscate, and inline toObfuscate into shared.go. obfuscatedImportPath is also a potential footgun for main packages. Some use cases always want the original "main" package name, such as for use in the compiler's "-p main" flag, while other cases want the obfuscated package import path, such as the entries in importcfg files. Since each of these call sites handles the edge case well, obfuscatedImportPath now panics on main packages to avoid any misuse. Finally, test that we never leak main package paths via ldflags.txt. We never did, but it's good to make sure. Overall, this avoids confusion and trims the size of main.go a bit.
2 years ago
lpkg, err := listPackage(beforePath)
if err != nil {
panic(err) // shouldn't happen
}
if lpkg.ToObfuscate {
fix link errors when importing crypto/ecdsa (#262) First, we had some link errors such as: cannot find package J6OzO8GN (using -importcfg) This was caused by the code that writes an updated importcfg, which did not handle import maps well. That code is now fixed, and we also add an obfuscatedImportPath method for clarity. Once fixed, we ran into other link errors: Pw3g97ww.addVW: relocation target Pw3g97ww.addVWlarge not defined After some digging, the cause of those is assembly code that we do not yet support obfuscating. #261 tracks that. Meanwhile, to fix "GOPRIVATE=* garble build" and to be able to have a test for the original import path bug, we add the packages which use that form of assembly code to runtimeRelated - math/big and crypto/sha512. There might be more, but these were the ones found by trying to link crypto/tls, a fairly common dependency. Fixes #256.
3 years ago
// Note that beforePath is not the canonical path.
// For beforePath="vendor/foo", afterPath and
// lpkg.ImportPath can be just "foo".
// Don't use obfuscatedImportPath here.
make obfuscation fully deterministic with -seed The default behavior of garble is to seed via the build inputs, including the build IDs of the entire Go build of each package. This works well as a default, and does give us determinism, but it means that building for different platforms will result in different obfuscation per platform. Instead, when -seed is provided, don't use any other hash seed or salt. This means that a particular Go name will be obfuscated the same way as long as the seed, package path, and name itself remain constant. In other words, when the user supplies a custom -seed, we assume they know what they're doing in terms of storage and rotation. Expand the README docs with more examples and detail. Fixes #449.
2 years ago
beforePath = hashWithPackage(lpkg, beforePath)
fix link errors when importing crypto/ecdsa (#262) First, we had some link errors such as: cannot find package J6OzO8GN (using -importcfg) This was caused by the code that writes an updated importcfg, which did not handle import maps well. That code is now fixed, and we also add an obfuscatedImportPath method for clarity. Once fixed, we ran into other link errors: Pw3g97ww.addVW: relocation target Pw3g97ww.addVWlarge not defined After some digging, the cause of those is assembly code that we do not yet support obfuscating. #261 tracks that. Meanwhile, to fix "GOPRIVATE=* garble build" and to be able to have a test for the original import path bug, we add the packages which use that form of assembly code to runtimeRelated - math/big and crypto/sha512. There might be more, but these were the ones found by trying to link crypto/tls, a fairly common dependency. Fixes #256.
3 years ago
afterPath = lpkg.obfuscatedImportPath()
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
}
fmt.Fprintf(newCfg, "importmap %s=%s\n", beforePath, afterPath)
}
stop relying on nested "go list -toolexec" calls (#422) We rely on importcfg files to load type info for obfuscated packages. We use this type information to remember what names we didn't obfuscate. Unfortunately, indirect dependencies aren't listed in importcfg files, so we relied on extra "go list -toolexec" calls to locate object files. This worked fine, but added a significant amount of complexity. The extra "go list -export -toolexec=garble" invocations weren't slow, as they avoided rebuilding or re-obfuscating thanks to the build cache. Still, it was hard to reason about how garble runs during a build if we might have multiple layers of -toolexec invocations. Instead, record the export files we encounter in an incremental map, and persist it in the build cache via the gob file we're already using. This way, each garble invocation knows where all object files are, even those for indirect imports. One wrinkle is that importcfg files can point to temporary object files. In that case, figure out its final location in the build cache. This requires hard-coding a bit of knowledge about how GOCACHE works, but it seems relatively harmless given how it's very little code. Plus, if GOCACHE ever changes, it will be obvious when our code breaks. Finally, add a TODO about potentially saving even more work.
3 years ago
for _, pair := range packagefiles {
impPath, pkgfile := pair[0], pair[1]
concentrate and simplify "to obfuscate" logic Back in the day, we used to call toObfuscate anytime we needed to know whether a package should be obfuscated. More recently, we started computing via the ToObfuscate field, which then gets shared with all sub-processes via sharedCache. We still had two places that directly called toObfuscate. Replace those with ToObfuscate, and inline toObfuscate into shared.go. obfuscatedImportPath is also a potential footgun for main packages. Some use cases always want the original "main" package name, such as for use in the compiler's "-p main" flag, while other cases want the obfuscated package import path, such as the entries in importcfg files. Since each of these call sites handles the edge case well, obfuscatedImportPath now panics on main packages to avoid any misuse. Finally, test that we never leak main package paths via ldflags.txt. We never did, but it's good to make sure. Overall, this avoids confusion and trims the size of main.go a bit.
2 years ago
lpkg, err := listPackage(impPath)
if err != nil {
panic(err) // shouldn't happen
}
if lpkg.Name != "main" {
fix link errors when importing crypto/ecdsa (#262) First, we had some link errors such as: cannot find package J6OzO8GN (using -importcfg) This was caused by the code that writes an updated importcfg, which did not handle import maps well. That code is now fixed, and we also add an obfuscatedImportPath method for clarity. Once fixed, we ran into other link errors: Pw3g97ww.addVW: relocation target Pw3g97ww.addVWlarge not defined After some digging, the cause of those is assembly code that we do not yet support obfuscating. #261 tracks that. Meanwhile, to fix "GOPRIVATE=* garble build" and to be able to have a test for the original import path bug, we add the packages which use that form of assembly code to runtimeRelated - math/big and crypto/sha512. There might be more, but these were the ones found by trying to link crypto/tls, a fairly common dependency. Fixes #256.
3 years ago
impPath = lpkg.obfuscatedImportPath()
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
}
stop relying on nested "go list -toolexec" calls (#422) We rely on importcfg files to load type info for obfuscated packages. We use this type information to remember what names we didn't obfuscate. Unfortunately, indirect dependencies aren't listed in importcfg files, so we relied on extra "go list -toolexec" calls to locate object files. This worked fine, but added a significant amount of complexity. The extra "go list -export -toolexec=garble" invocations weren't slow, as they avoided rebuilding or re-obfuscating thanks to the build cache. Still, it was hard to reason about how garble runs during a build if we might have multiple layers of -toolexec invocations. Instead, record the export files we encounter in an incremental map, and persist it in the build cache via the gob file we're already using. This way, each garble invocation knows where all object files are, even those for indirect imports. One wrinkle is that importcfg files can point to temporary object files. In that case, figure out its final location in the build cache. This requires hard-coding a bit of knowledge about how GOCACHE works, but it seems relatively harmless given how it's very little code. Plus, if GOCACHE ever changes, it will be obvious when our code breaks. Finally, add a TODO about potentially saving even more work.
3 years ago
fmt.Fprintf(newCfg, "packagefile %s=%s\n", impPath, pkgfile)
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
}
fix and re-enable "garble test" (#268) With the many refactors building up to v0.1.0, we broke "garble test" as we no longer dealt with test packages well. Luckily, now that we can depend on TOOLEXEC_IMPORTPATH, we can support the test command again, as we can always figure out what package we're currently compiling, without having to track a "main" package. Note that one major pitfall there is test packages, where TOOLEXEC_IMPORTPATH does not agree with ImportPath from "go list -json". However, we can still work around that with a bit of glue code, which is also copiously documented. The second change necessary is to consider test packages private depending on whether their non-test package is private or not. This can be done via the ForTest field in "go list -json". The third change is to obfuscate "_testmain.go" files, which are the code-generated main functions which actually run tests. We used to not need to obfuscate them, since test function names are never obfuscated and we used to not obfuscate import paths at compilation time. Now we do rewrite import paths, so we must do that for "_testmain.go" too. The fourth change is to re-enable test.txt, and expand it with more sanity checks and edge cases. Finally, document "garble test" again. Fixes #241.
3 years ago
// Uncomment to debug the transformed importcfg. Do not delete.
// newCfg.Seek(0, 0)
// io.Copy(os.Stderr, newCfg)
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
if err := newCfg.Close(); err != nil {
return "", err
}
return newCfg.Name(), nil
garbling imported packages starts being supported
5 years ago
}
always require one argument for "reverse" The "reverse" command had many levels of optional arguments: garble [garble flags] reverse [build flags] [package] [files] This was pretty confusing, and could easily lead to people running the command incorrectly: # note that output.txt isn't a Go package! garble reverse output.txt Moreover, it made the handling of Go build flags pretty confusing. Should the command below work? garble reverse -tags=mytag It also made it easy to not notice that one must supply the main package to properly reverse some text that it produced, like a panic message. With the package path being implicit, one could mistakenly provide the wrong package by running garble in a directory containing a different package. See #394.
3 years ago
type (
properly record when type aliases are embedded as fields There are two scenarios when it comes to embedding fields. The first is easy, and we always handled it well: type Named struct { Foo int } type T struct { Named } In this scenario, T ends up with an embedded field named "Named", and a promoted field named "Foo". Then there's the form with a type alias: type Named struct { Foo int } type Alias = Named type T struct { Alias } This case is different: T ends up with an embedded field named "Alias", and a promoted field named "Foo". Note how the field gets its name from the referenced type, even if said type is just an alias to another type. This poses two problems. First, we must obfuscate the field T.Alias as the name "Alias", and not as the name "Named" that the alias points to. Second, we must be careful of cases where Named and Alias are declared in different packages, as they will obfuscate the same name differently. Both of those problems compounded in the reported issue. The actual reason is that quic-go has a type alias in the form of: type ConnectionState = qtls.ConnectionState In other words, the entire problem boils down to a type alias which points to a named type in a different package, where both types share the same name. For example: package parent import "parent/p1" type T struct { p1.SameName } [...] package p1 import "parent/p2" type SameName = p2.SameName [...] package p2 type SameName struct { Foo int } This broke garble because we had a heuristic to detect when an embedded field was a type alias: // Instead, detect such a "foreign alias embed". // If we embed a final named type, // but the field name does not match its name, // then it must have been done via an alias. // We dig out the alias's TypeName via locateForeignAlias. if named.Obj().Name() != node.Name { As the reader can deduce, this heuristic would incorrectly assume that the snippet above does not embed a type alias, when in fact it does. When obfuscating the field T.SameName, which uses a type alias, we would correctly obfuscate the name "SameName", but we would incorrectly obfuscate it with the package p2, not p1. This would then result in build errors. To fix this problem for good, we need to get rid of the heuristic. Instead, we now mimic what was done for KnownCannotObfuscate, but for embedded fields which use type aliases. KnownEmbeddedAliasFields is now filled for each package and stored in the cache as part of cachedOutput. We can then detect the "embedded alias" case reliably, even when the field is declared in an imported package. On the plus side, we get to remove locateForeignAlias. We also add a couple of TODOs to record further improvements. Finally, add a test. Fixes #466.
2 years ago
funcFullName = string // as per go/types.Func.FullName
objectString = string // as per recordedObjectString
always require one argument for "reverse" The "reverse" command had many levels of optional arguments: garble [garble flags] reverse [build flags] [package] [files] This was pretty confusing, and could easily lead to people running the command incorrectly: # note that output.txt isn't a Go package! garble reverse output.txt Moreover, it made the handling of Go build flags pretty confusing. Should the command below work? garble reverse -tags=mytag It also made it easy to not notice that one must supply the main package to properly reverse some text that it produced, like a panic message. With the package path being implicit, one could mistakenly provide the wrong package by running garble in a directory containing a different package. See #394.
3 years ago
reflectParameterPosition = int
properly record when type aliases are embedded as fields There are two scenarios when it comes to embedding fields. The first is easy, and we always handled it well: type Named struct { Foo int } type T struct { Named } In this scenario, T ends up with an embedded field named "Named", and a promoted field named "Foo". Then there's the form with a type alias: type Named struct { Foo int } type Alias = Named type T struct { Alias } This case is different: T ends up with an embedded field named "Alias", and a promoted field named "Foo". Note how the field gets its name from the referenced type, even if said type is just an alias to another type. This poses two problems. First, we must obfuscate the field T.Alias as the name "Alias", and not as the name "Named" that the alias points to. Second, we must be careful of cases where Named and Alias are declared in different packages, as they will obfuscate the same name differently. Both of those problems compounded in the reported issue. The actual reason is that quic-go has a type alias in the form of: type ConnectionState = qtls.ConnectionState In other words, the entire problem boils down to a type alias which points to a named type in a different package, where both types share the same name. For example: package parent import "parent/p1" type T struct { p1.SameName } [...] package p1 import "parent/p2" type SameName = p2.SameName [...] package p2 type SameName struct { Foo int } This broke garble because we had a heuristic to detect when an embedded field was a type alias: // Instead, detect such a "foreign alias embed". // If we embed a final named type, // but the field name does not match its name, // then it must have been done via an alias. // We dig out the alias's TypeName via locateForeignAlias. if named.Obj().Name() != node.Name { As the reader can deduce, this heuristic would incorrectly assume that the snippet above does not embed a type alias, when in fact it does. When obfuscating the field T.SameName, which uses a type alias, we would correctly obfuscate the name "SameName", but we would incorrectly obfuscate it with the package p2, not p1. This would then result in build errors. To fix this problem for good, we need to get rid of the heuristic. Instead, we now mimic what was done for KnownCannotObfuscate, but for embedded fields which use type aliases. KnownEmbeddedAliasFields is now filled for each package and stored in the cache as part of cachedOutput. We can then detect the "embedded alias" case reliably, even when the field is declared in an imported package. On the plus side, we get to remove locateForeignAlias. We also add a couple of TODOs to record further improvements. Finally, add a test. Fixes #466.
2 years ago
typeName struct {
PkgPath, Name string
}
always require one argument for "reverse" The "reverse" command had many levels of optional arguments: garble [garble flags] reverse [build flags] [package] [files] This was pretty confusing, and could easily lead to people running the command incorrectly: # note that output.txt isn't a Go package! garble reverse output.txt Moreover, it made the handling of Go build flags pretty confusing. Should the command below work? garble reverse -tags=mytag It also made it easy to not notice that one must supply the main package to properly reverse some text that it produced, like a panic message. With the package path being implicit, one could mistakenly provide the wrong package by running garble in a directory containing a different package. See #394.
3 years ago
)
detect more std API calls which use reflection Before, we would just notice direct calls to reflect's TypeOf and ValueOf. Any other uses of reflection, such as encoding/json or google.golang.org/protobuf, would require hints as documented by the README. Issue #162 outlines some ways we could fix this issue in a general way, automatically detecting what functions use reflection on their parameters, even for third party API funcs. However, that goal is pretty significant in terms of code and effort. As a temporary improvement, we can expand the list of "known" reflection APIs via a static table. Since this table is keyed by "func full name" strings, we could potentially include third party APIs, such as: google.golang.org/protobuf/proto.Marshal However, for now simply include all the std APIs we know about. If we fail to do the proper fix for automatic detection in the future, we can then fall back to expanding this global table for third parties. Update the README's docs, to clarify that the hint is not always necessary anymore. Also update the reflect.txt test to stop using the hint for encoding/json, and to also start testing text/template with a method call. While at it, I noticed that we weren't testing the println outputs, as they'd go to stderr - fix that too. Updates #162.
3 years ago
clarify how each "cannot obfuscate" map works We used to record all objects in cannotObfuscateNames, and then we'd add the exported ones to KnownCannotObfuscate. Instead, teach recordAsNotObfuscated to store each object in either knownCannotObfuscateUnexported or KnownCannotObfuscate, but not both. The former isn't cached so it uses in-memory pointers as keys, and the latter uses the cross-process objectStrings like before. Functionally, this is all the same, but with the difference that the map indexed by types.Object will not contain objects already recorded in KnownCannotObfuscate, reducing the amount of duplicate memory use. While here, give recordIgnore a less ambiguous name, and remove the second parameter as it was always tf.pkg.Path(). This also means we can compare *types.Package pointers directly. Finally, add more TODOs for further improvement ideas. It does mean that we end up with more TODOs than before, even though I'm fixing one, but I reckon that's a good thing. Recording these ideas can give first-time contributors ways to help, and it ensures I don't forget about ideas just in my head.
2 years ago
// TODO: read-write globals like these should probably be inside transformer
// knownCannotObfuscateUnexported is like KnownCannotObfuscate but for
// unexported names. We don't need to store this in the build cache,
// because these names cannot be referenced by downstream packages.
var knownCannotObfuscateUnexported = map[types.Object]bool{}
stop relying on nested "go list -toolexec" calls (#422) We rely on importcfg files to load type info for obfuscated packages. We use this type information to remember what names we didn't obfuscate. Unfortunately, indirect dependencies aren't listed in importcfg files, so we relied on extra "go list -toolexec" calls to locate object files. This worked fine, but added a significant amount of complexity. The extra "go list -export -toolexec=garble" invocations weren't slow, as they avoided rebuilding or re-obfuscating thanks to the build cache. Still, it was hard to reason about how garble runs during a build if we might have multiple layers of -toolexec invocations. Instead, record the export files we encounter in an incremental map, and persist it in the build cache via the gob file we're already using. This way, each garble invocation knows where all object files are, even those for indirect imports. One wrinkle is that importcfg files can point to temporary object files. In that case, figure out its final location in the build cache. This requires hard-coding a bit of knowledge about how GOCACHE works, but it seems relatively harmless given how it's very little code. Plus, if GOCACHE ever changes, it will be obvious when our code breaks. Finally, add a TODO about potentially saving even more work.
3 years ago
// cachedOutput contains information that will be stored as per garbleExportFile.
var cachedOutput = struct {
// KnownReflectAPIs is a static record of what std APIs use reflection on their
// parameters, so we can avoid obfuscating types used with them.
//
// TODO: we're not including fmt.Printf, as it would have many false positives,
// unless we were smart enough to detect which arguments get used as %#v or %T.
KnownReflectAPIs map[funcFullName][]reflectParameterPosition
stop loading obfuscated type information from deps If package P1 imports package P2, P1 needs to know which names from P2 weren't obfuscated. For instance, if P2 declares T2 and does "reflect.TypeOf(T2{...})", then P2 won't obfuscate the name T2, and neither should P1. This information should flow from P2 to P1, as P2 builds before P1. We do this via obfuscatedTypesPackage; P1 loads the type information of the obfuscated version of P2, and does a lookup for T2. If T2 exists, then it wasn't obfuscated. This mechanism has served us well, but it has downsides: 1) It wastes CPU; we load the type information for the entire package. 2) It's complex; for instance, we need KnownObjectFiles as an extra. 3) It makes our code harder to understand, as we load both the original and obfuscated type informaiton. Instead, we now have each package record what names were not obfuscated as part of its cachedOuput file. Much like KnownObjectFiles, the map records incrementally through the import graph, to avoid having to load cachedOutput files for indirect dependencies. We shouldn't need to worry about those maps getting large; we only skip obfuscating declared names in a few uncommon scenarios, such as the use of reflection or cgo's "//export". Since go/types is relatively allocation-heavy, and the export files contain a lot of data, we get a nice speed-up: name old time/op new time/op delta Build-16 11.5s ± 2% 11.1s ± 3% -3.77% (p=0.008 n=5+5) name old bin-B new bin-B delta Build-16 5.15M ± 0% 5.15M ± 0% ~ (all equal) name old cached-time/op new cached-time/op delta Build-16 375ms ± 3% 341ms ± 6% -8.96% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build-16 283ms ±17% 289ms ±13% ~ (p=0.841 n=5+5) name old user-time/op new user-time/op delta Build-16 687ms ± 6% 664ms ± 7% ~ (p=0.548 n=5+5) Fixes #456. Updates #475.
2 years ago
// KnownCannotObfuscate is filled with the fully qualified names from each
// package that we could not obfuscate as per cannotObfuscateNames.
// This record is necessary for knowing what names from imported packages
// weren't obfuscated, so we can obfuscate their local uses accordingly.
properly record when type aliases are embedded as fields There are two scenarios when it comes to embedding fields. The first is easy, and we always handled it well: type Named struct { Foo int } type T struct { Named } In this scenario, T ends up with an embedded field named "Named", and a promoted field named "Foo". Then there's the form with a type alias: type Named struct { Foo int } type Alias = Named type T struct { Alias } This case is different: T ends up with an embedded field named "Alias", and a promoted field named "Foo". Note how the field gets its name from the referenced type, even if said type is just an alias to another type. This poses two problems. First, we must obfuscate the field T.Alias as the name "Alias", and not as the name "Named" that the alias points to. Second, we must be careful of cases where Named and Alias are declared in different packages, as they will obfuscate the same name differently. Both of those problems compounded in the reported issue. The actual reason is that quic-go has a type alias in the form of: type ConnectionState = qtls.ConnectionState In other words, the entire problem boils down to a type alias which points to a named type in a different package, where both types share the same name. For example: package parent import "parent/p1" type T struct { p1.SameName } [...] package p1 import "parent/p2" type SameName = p2.SameName [...] package p2 type SameName struct { Foo int } This broke garble because we had a heuristic to detect when an embedded field was a type alias: // Instead, detect such a "foreign alias embed". // If we embed a final named type, // but the field name does not match its name, // then it must have been done via an alias. // We dig out the alias's TypeName via locateForeignAlias. if named.Obj().Name() != node.Name { As the reader can deduce, this heuristic would incorrectly assume that the snippet above does not embed a type alias, when in fact it does. When obfuscating the field T.SameName, which uses a type alias, we would correctly obfuscate the name "SameName", but we would incorrectly obfuscate it with the package p2, not p1. This would then result in build errors. To fix this problem for good, we need to get rid of the heuristic. Instead, we now mimic what was done for KnownCannotObfuscate, but for embedded fields which use type aliases. KnownEmbeddedAliasFields is now filled for each package and stored in the cache as part of cachedOutput. We can then detect the "embedded alias" case reliably, even when the field is declared in an imported package. On the plus side, we get to remove locateForeignAlias. We also add a couple of TODOs to record further improvements. Finally, add a test. Fixes #466.
2 years ago
KnownCannotObfuscate map[objectString]struct{}
// KnownEmbeddedAliasFields records which embedded fields use a type alias.
// They are the only instance where a type alias matters for obfuscation,
// because the embedded field name is derived from the type alias itself,
// and not the type that the alias points to.
// In that way, the type alias is obfuscated as a form of named type,
// bearing in mind that it may be owned by a different package.
KnownEmbeddedAliasFields map[objectString]typeName
stop relying on nested "go list -toolexec" calls (#422) We rely on importcfg files to load type info for obfuscated packages. We use this type information to remember what names we didn't obfuscate. Unfortunately, indirect dependencies aren't listed in importcfg files, so we relied on extra "go list -toolexec" calls to locate object files. This worked fine, but added a significant amount of complexity. The extra "go list -export -toolexec=garble" invocations weren't slow, as they avoided rebuilding or re-obfuscating thanks to the build cache. Still, it was hard to reason about how garble runs during a build if we might have multiple layers of -toolexec invocations. Instead, record the export files we encounter in an incremental map, and persist it in the build cache via the gob file we're already using. This way, each garble invocation knows where all object files are, even those for indirect imports. One wrinkle is that importcfg files can point to temporary object files. In that case, figure out its final location in the build cache. This requires hard-coding a bit of knowledge about how GOCACHE works, but it seems relatively harmless given how it's very little code. Plus, if GOCACHE ever changes, it will be obvious when our code breaks. Finally, add a TODO about potentially saving even more work.
3 years ago
}{
KnownReflectAPIs: map[funcFullName][]reflectParameterPosition{
"reflect.TypeOf": {0},
"reflect.ValueOf": {0},
},
minor code tidying up We don't need to nest the RemoveAll and MkdirAll calls for debugdir. Fill the string for -toolexec= when we actually append it to goArgs. Consistently use the objectString type alias. Remove unnecessary parameter names in transformFuncs. Unindent the code for switch variables by reversing the conditional.
2 years ago
KnownCannotObfuscate: map[objectString]struct{}{},
KnownEmbeddedAliasFields: map[objectString]typeName{},
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
}
avoid a filesystem race with build cache entries After the last commit, I started seeing seemingly random test failures: --- FAIL: TestScripts/cgo (1.17s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # runtime/internal/math EOF # internal/bytealg EOF exit status 2 [exit status 1] FAIL: testdata/scripts/cgo.txt:3: unexpected command failure --- FAIL: TestScripts/reflect (8.63s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # math EOF exit status 2 [exit status 1] FAIL: testdata/scripts/reflect.txt:3: unexpected command failure --- FAIL: TestScripts/linkname (8.72s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # math EOF exit status 2 [exit status 1] FAIL: testdata/scripts/linkname.txt:3: unexpected command failure After some investigation, it turned out that concurrent "garble build" processes were writing to the same build cache paths at the same time. This is effectively a filesystem race, and encoding/gob could error when reading partly written files. To fix this problem, use a cache path that changes according to the obfuscated build. See garbleExportFile. Note that the data we store in that file does not vary with obfuscation. We could fix the filesystem race by adding locking around the old path. However, we'll want to cache data that does vary with garble flags, such as the -debugdir source code.
3 years ago
// garbleExportFile returns an absolute path to a build cache entry
// which belongs to garble and corresponds to the given Go package.
//
// Unlike pkg.Export, it is only read and written by garble itself.
// Also unlike pkg.Export, it includes GarbleActionID,
// so its path will change if the obfuscated build changes.
//
// The purpose of such a file is to store garble-specific information
// in the build cache, to be reused at a later time.
// The file should have the same lifetime as pkg.Export,
// as it lives under the same cache directory that gets trimmed automatically.
func garbleExportFile(pkg *listedPackage) string {
trimmed := strings.TrimSuffix(pkg.Export, "-d")
if trimmed == pkg.Export {
panic(fmt.Sprintf("unexpected export path of %s: %q", pkg.ImportPath, pkg.Export))
}
return trimmed + "-garble-" + hashToString(pkg.GarbleActionID) + "-d"
}
stop relying on nested "go list -toolexec" calls (#422) We rely on importcfg files to load type info for obfuscated packages. We use this type information to remember what names we didn't obfuscate. Unfortunately, indirect dependencies aren't listed in importcfg files, so we relied on extra "go list -toolexec" calls to locate object files. This worked fine, but added a significant amount of complexity. The extra "go list -export -toolexec=garble" invocations weren't slow, as they avoided rebuilding or re-obfuscating thanks to the build cache. Still, it was hard to reason about how garble runs during a build if we might have multiple layers of -toolexec invocations. Instead, record the export files we encounter in an incremental map, and persist it in the build cache via the gob file we're already using. This way, each garble invocation knows where all object files are, even those for indirect imports. One wrinkle is that importcfg files can point to temporary object files. In that case, figure out its final location in the build cache. This requires hard-coding a bit of knowledge about how GOCACHE works, but it seems relatively harmless given how it's very little code. Plus, if GOCACHE ever changes, it will be obvious when our code breaks. Finally, add a TODO about potentially saving even more work.
3 years ago
func loadCachedOutputs() error {
add -debug to aid in debugging (#431) Not really meant for end users, but they might still debug failures before filing bugs. We add the -debug flag itself, as well as machinery to deduplicate output lines. There are quite a lot of them otherwise, which aren't helpful and simply add noise. In the future, if we always want to output a debug log line, such as "choosing not to obfuscate here because X", we can simply insert the unique position string. Finally, turn all commented-out log.Printf calls to debugf. Improve a few log lines to be more human-friendly, and also add a few extras like how long it takes to load files. We can improve the logging further in the future. This seems like a good starting point.
3 years ago
startTime := time.Now()
loaded := 0
avoid a filesystem race with build cache entries After the last commit, I started seeing seemingly random test failures: --- FAIL: TestScripts/cgo (1.17s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # runtime/internal/math EOF # internal/bytealg EOF exit status 2 [exit status 1] FAIL: testdata/scripts/cgo.txt:3: unexpected command failure --- FAIL: TestScripts/reflect (8.63s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # math EOF exit status 2 [exit status 1] FAIL: testdata/scripts/reflect.txt:3: unexpected command failure --- FAIL: TestScripts/linkname (8.72s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # math EOF exit status 2 [exit status 1] FAIL: testdata/scripts/linkname.txt:3: unexpected command failure After some investigation, it turned out that concurrent "garble build" processes were writing to the same build cache paths at the same time. This is effectively a filesystem race, and encoding/gob could error when reading partly written files. To fix this problem, use a cache path that changes according to the obfuscated build. See garbleExportFile. Note that the data we store in that file does not vary with obfuscation. We could fix the filesystem race by adding locking around the old path. However, we'll want to cache data that does vary with garble flags, such as the -debugdir source code.
3 years ago
for _, path := range curPkg.Deps {
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
pkg, err := listPackage(path)
if err != nil {
stop relying on nested "go list -toolexec" calls (#422) We rely on importcfg files to load type info for obfuscated packages. We use this type information to remember what names we didn't obfuscate. Unfortunately, indirect dependencies aren't listed in importcfg files, so we relied on extra "go list -toolexec" calls to locate object files. This worked fine, but added a significant amount of complexity. The extra "go list -export -toolexec=garble" invocations weren't slow, as they avoided rebuilding or re-obfuscating thanks to the build cache. Still, it was hard to reason about how garble runs during a build if we might have multiple layers of -toolexec invocations. Instead, record the export files we encounter in an incremental map, and persist it in the build cache via the gob file we're already using. This way, each garble invocation knows where all object files are, even those for indirect imports. One wrinkle is that importcfg files can point to temporary object files. In that case, figure out its final location in the build cache. This requires hard-coding a bit of knowledge about how GOCACHE works, but it seems relatively harmless given how it's very little code. Plus, if GOCACHE ever changes, it will be obvious when our code breaks. Finally, add a TODO about potentially saving even more work.
3 years ago
panic(err) // shouldn't happen
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
}
avoid a filesystem race with build cache entries After the last commit, I started seeing seemingly random test failures: --- FAIL: TestScripts/cgo (1.17s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # runtime/internal/math EOF # internal/bytealg EOF exit status 2 [exit status 1] FAIL: testdata/scripts/cgo.txt:3: unexpected command failure --- FAIL: TestScripts/reflect (8.63s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # math EOF exit status 2 [exit status 1] FAIL: testdata/scripts/reflect.txt:3: unexpected command failure --- FAIL: TestScripts/linkname (8.72s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # math EOF exit status 2 [exit status 1] FAIL: testdata/scripts/linkname.txt:3: unexpected command failure After some investigation, it turned out that concurrent "garble build" processes were writing to the same build cache paths at the same time. This is effectively a filesystem race, and encoding/gob could error when reading partly written files. To fix this problem, use a cache path that changes according to the obfuscated build. See garbleExportFile. Note that the data we store in that file does not vary with obfuscation. We could fix the filesystem race by adding locking around the old path. However, we'll want to cache data that does vary with garble flags, such as the -debugdir source code.
3 years ago
if pkg.Export == "" {
continue // nothing to load
}
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
// this function literal is used for the deferred close
minor code tidying up We don't need to nest the RemoveAll and MkdirAll calls for debugdir. Fill the string for -toolexec= when we actually append it to goArgs. Consistently use the objectString type alias. Remove unnecessary parameter names in transformFuncs. Unindent the code for switch variables by reversing the conditional.
2 years ago
if err := func() error {
avoid a filesystem race with build cache entries After the last commit, I started seeing seemingly random test failures: --- FAIL: TestScripts/cgo (1.17s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # runtime/internal/math EOF # internal/bytealg EOF exit status 2 [exit status 1] FAIL: testdata/scripts/cgo.txt:3: unexpected command failure --- FAIL: TestScripts/reflect (8.63s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # math EOF exit status 2 [exit status 1] FAIL: testdata/scripts/reflect.txt:3: unexpected command failure --- FAIL: TestScripts/linkname (8.72s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # math EOF exit status 2 [exit status 1] FAIL: testdata/scripts/linkname.txt:3: unexpected command failure After some investigation, it turned out that concurrent "garble build" processes were writing to the same build cache paths at the same time. This is effectively a filesystem race, and encoding/gob could error when reading partly written files. To fix this problem, use a cache path that changes according to the obfuscated build. See garbleExportFile. Note that the data we store in that file does not vary with obfuscation. We could fix the filesystem race by adding locking around the old path. However, we'll want to cache data that does vary with garble flags, such as the -debugdir source code.
3 years ago
filename := garbleExportFile(pkg)
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
f, err := os.Open(filename)
if err != nil {
return err
}
defer f.Close()
stop relying on nested "go list -toolexec" calls (#422) We rely on importcfg files to load type info for obfuscated packages. We use this type information to remember what names we didn't obfuscate. Unfortunately, indirect dependencies aren't listed in importcfg files, so we relied on extra "go list -toolexec" calls to locate object files. This worked fine, but added a significant amount of complexity. The extra "go list -export -toolexec=garble" invocations weren't slow, as they avoided rebuilding or re-obfuscating thanks to the build cache. Still, it was hard to reason about how garble runs during a build if we might have multiple layers of -toolexec invocations. Instead, record the export files we encounter in an incremental map, and persist it in the build cache via the gob file we're already using. This way, each garble invocation knows where all object files are, even those for indirect imports. One wrinkle is that importcfg files can point to temporary object files. In that case, figure out its final location in the build cache. This requires hard-coding a bit of knowledge about how GOCACHE works, but it seems relatively harmless given how it's very little code. Plus, if GOCACHE ever changes, it will be obvious when our code breaks. Finally, add a TODO about potentially saving even more work.
3 years ago
// Decode appends new entries to the existing maps
if err := gob.NewDecoder(f).Decode(&cachedOutput); err != nil {
avoid a filesystem race with build cache entries After the last commit, I started seeing seemingly random test failures: --- FAIL: TestScripts/cgo (1.17s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # runtime/internal/math EOF # internal/bytealg EOF exit status 2 [exit status 1] FAIL: testdata/scripts/cgo.txt:3: unexpected command failure --- FAIL: TestScripts/reflect (8.63s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # math EOF exit status 2 [exit status 1] FAIL: testdata/scripts/reflect.txt:3: unexpected command failure --- FAIL: TestScripts/linkname (8.72s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # math EOF exit status 2 [exit status 1] FAIL: testdata/scripts/linkname.txt:3: unexpected command failure After some investigation, it turned out that concurrent "garble build" processes were writing to the same build cache paths at the same time. This is effectively a filesystem race, and encoding/gob could error when reading partly written files. To fix this problem, use a cache path that changes according to the obfuscated build. See garbleExportFile. Note that the data we store in that file does not vary with obfuscation. We could fix the filesystem race by adding locking around the old path. However, we'll want to cache data that does vary with garble flags, such as the -debugdir source code.
3 years ago
return fmt.Errorf("gob decode: %w", err)
}
return nil
minor code tidying up We don't need to nest the RemoveAll and MkdirAll calls for debugdir. Fill the string for -toolexec= when we actually append it to goArgs. Consistently use the objectString type alias. Remove unnecessary parameter names in transformFuncs. Unindent the code for switch variables by reversing the conditional.
2 years ago
}(); err != nil {
work around a build cache regression in the previous commit The added comment in main.go explains the situation in detail. The added test is a minimization of the scenario, which failed: > cd mod1 > garble -seed=${SEED1} build -v gopkg.in/garbletest.v2 > cd ../mod2 > garble -seed=${SEED1} build -v [stderr] test/main/mod2 # test/main/mod2 cannot load garble export file for gopkg.in/garbletest.v2: open […]/go-build/ed/[…]-garble-ZV[…]-d: no such file or directory To work around the problem, we'll always add each package's GarbleActionID to its build artifact, even when not using -seed. This will get us the previous behavior with regards to the build cache, meaning that we fix the recent regression. The added variable doesn't make it to the final binary either. While here, improve the cached file loading error's context, and add an extra sanity check for duplicates on ListedPackages.
2 years ago
return fmt.Errorf("cannot load garble export file for %s: %w", path, err)
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
}
add -debug to aid in debugging (#431) Not really meant for end users, but they might still debug failures before filing bugs. We add the -debug flag itself, as well as machinery to deduplicate output lines. There are quite a lot of them otherwise, which aren't helpful and simply add noise. In the future, if we always want to output a debug log line, such as "choosing not to obfuscate here because X", we can simply insert the unique position string. Finally, turn all commented-out log.Printf calls to debugf. Improve a few log lines to be more human-friendly, and also add a few extras like how long it takes to load files. We can improve the logging further in the future. This seems like a good starting point.
3 years ago
loaded++
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
}
add -debug to aid in debugging (#431) Not really meant for end users, but they might still debug failures before filing bugs. We add the -debug flag itself, as well as machinery to deduplicate output lines. There are quite a lot of them otherwise, which aren't helpful and simply add noise. In the future, if we always want to output a debug log line, such as "choosing not to obfuscate here because X", we can simply insert the unique position string. Finally, turn all commented-out log.Printf calls to debugf. Improve a few log lines to be more human-friendly, and also add a few extras like how long it takes to load files. We can improve the logging further in the future. This seems like a good starting point.
3 years ago
debugf("%d cached output files loaded in %s", loaded, debugSince(startTime))
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
return nil
}
func (tf *transformer) findReflectFunctions(files []*ast.File) {
visitReflect := func(node ast.Node) {
funcDecl, ok := node.(*ast.FuncDecl)
if !ok {
return
}
funcObj := tf.info.ObjectOf(funcDecl.Name).(*types.Func)
var paramNames []string
for _, param := range funcDecl.Type.Params.List {
for _, name := range param.Names {
paramNames = append(paramNames, name.Name)
}
}
ast.Inspect(funcDecl, func(node ast.Node) bool {
call, ok := node.(*ast.CallExpr)
if !ok {
return true
}
sel, ok := call.Fun.(*ast.SelectorExpr)
if !ok {
return true
}
fnType, _ := tf.info.ObjectOf(sel.Sel).(*types.Func)
if fnType == nil || fnType.Pkg() == nil {
return true
}
fullName := fnType.FullName()
var identifiers []string
stop relying on nested "go list -toolexec" calls (#422) We rely on importcfg files to load type info for obfuscated packages. We use this type information to remember what names we didn't obfuscate. Unfortunately, indirect dependencies aren't listed in importcfg files, so we relied on extra "go list -toolexec" calls to locate object files. This worked fine, but added a significant amount of complexity. The extra "go list -export -toolexec=garble" invocations weren't slow, as they avoided rebuilding or re-obfuscating thanks to the build cache. Still, it was hard to reason about how garble runs during a build if we might have multiple layers of -toolexec invocations. Instead, record the export files we encounter in an incremental map, and persist it in the build cache via the gob file we're already using. This way, each garble invocation knows where all object files are, even those for indirect imports. One wrinkle is that importcfg files can point to temporary object files. In that case, figure out its final location in the build cache. This requires hard-coding a bit of knowledge about how GOCACHE works, but it seems relatively harmless given how it's very little code. Plus, if GOCACHE ever changes, it will be obvious when our code breaks. Finally, add a TODO about potentially saving even more work.
3 years ago
for _, argPos := range cachedOutput.KnownReflectAPIs[fullName] {
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
arg := call.Args[argPos]
ident, ok := arg.(*ast.Ident)
if !ok {
continue
}
obj := tf.info.ObjectOf(ident)
if obj.Parent() == funcObj.Scope() {
identifiers = append(identifiers, ident.Name)
}
}
if identifiers == nil {
return true
}
var argumentPosReflect []int
for _, ident := range identifiers {
for paramPos, paramName := range paramNames {
if ident == paramName {
argumentPosReflect = append(argumentPosReflect, paramPos)
}
}
}
stop relying on nested "go list -toolexec" calls (#422) We rely on importcfg files to load type info for obfuscated packages. We use this type information to remember what names we didn't obfuscate. Unfortunately, indirect dependencies aren't listed in importcfg files, so we relied on extra "go list -toolexec" calls to locate object files. This worked fine, but added a significant amount of complexity. The extra "go list -export -toolexec=garble" invocations weren't slow, as they avoided rebuilding or re-obfuscating thanks to the build cache. Still, it was hard to reason about how garble runs during a build if we might have multiple layers of -toolexec invocations. Instead, record the export files we encounter in an incremental map, and persist it in the build cache via the gob file we're already using. This way, each garble invocation knows where all object files are, even those for indirect imports. One wrinkle is that importcfg files can point to temporary object files. In that case, figure out its final location in the build cache. This requires hard-coding a bit of knowledge about how GOCACHE works, but it seems relatively harmless given how it's very little code. Plus, if GOCACHE ever changes, it will be obvious when our code breaks. Finally, add a TODO about potentially saving even more work.
3 years ago
cachedOutput.KnownReflectAPIs[funcObj.FullName()] = argumentPosReflect
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
return true
})
}
stop relying on nested "go list -toolexec" calls (#422) We rely on importcfg files to load type info for obfuscated packages. We use this type information to remember what names we didn't obfuscate. Unfortunately, indirect dependencies aren't listed in importcfg files, so we relied on extra "go list -toolexec" calls to locate object files. This worked fine, but added a significant amount of complexity. The extra "go list -export -toolexec=garble" invocations weren't slow, as they avoided rebuilding or re-obfuscating thanks to the build cache. Still, it was hard to reason about how garble runs during a build if we might have multiple layers of -toolexec invocations. Instead, record the export files we encounter in an incremental map, and persist it in the build cache via the gob file we're already using. This way, each garble invocation knows where all object files are, even those for indirect imports. One wrinkle is that importcfg files can point to temporary object files. In that case, figure out its final location in the build cache. This requires hard-coding a bit of knowledge about how GOCACHE works, but it seems relatively harmless given how it's very little code. Plus, if GOCACHE ever changes, it will be obvious when our code breaks. Finally, add a TODO about potentially saving even more work.
3 years ago
lenPrevKnownReflectAPIs := len(cachedOutput.KnownReflectAPIs)
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
for _, file := range files {
for _, decl := range file.Decls {
visitReflect(decl)
}
}
// if a new reflectAPI is found we need to Re-evaluate all functions which might be using that API
stop relying on nested "go list -toolexec" calls (#422) We rely on importcfg files to load type info for obfuscated packages. We use this type information to remember what names we didn't obfuscate. Unfortunately, indirect dependencies aren't listed in importcfg files, so we relied on extra "go list -toolexec" calls to locate object files. This worked fine, but added a significant amount of complexity. The extra "go list -export -toolexec=garble" invocations weren't slow, as they avoided rebuilding or re-obfuscating thanks to the build cache. Still, it was hard to reason about how garble runs during a build if we might have multiple layers of -toolexec invocations. Instead, record the export files we encounter in an incremental map, and persist it in the build cache via the gob file we're already using. This way, each garble invocation knows where all object files are, even those for indirect imports. One wrinkle is that importcfg files can point to temporary object files. In that case, figure out its final location in the build cache. This requires hard-coding a bit of knowledge about how GOCACHE works, but it seems relatively harmless given how it's very little code. Plus, if GOCACHE ever changes, it will be obvious when our code breaks. Finally, add a TODO about potentially saving even more work.
3 years ago
if len(cachedOutput.KnownReflectAPIs) > lenPrevKnownReflectAPIs {
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
tf.findReflectFunctions(files)
}
detect more std API calls which use reflection Before, we would just notice direct calls to reflect's TypeOf and ValueOf. Any other uses of reflection, such as encoding/json or google.golang.org/protobuf, would require hints as documented by the README. Issue #162 outlines some ways we could fix this issue in a general way, automatically detecting what functions use reflection on their parameters, even for third party API funcs. However, that goal is pretty significant in terms of code and effort. As a temporary improvement, we can expand the list of "known" reflection APIs via a static table. Since this table is keyed by "func full name" strings, we could potentially include third party APIs, such as: google.golang.org/protobuf/proto.Marshal However, for now simply include all the std APIs we know about. If we fail to do the proper fix for automatic detection in the future, we can then fall back to expanding this global table for third parties. Update the README's docs, to clarify that the hint is not always necessary anymore. Also update the reflect.txt test to stop using the hint for encoding/json, and to also start testing text/template with a method call. While at it, I noticed that we weren't testing the println outputs, as they'd go to stderr - fix that too. Updates #162.
3 years ago
}
remove duplicate go:generate directive I hadn't noticed that cmd/bundle prints its own go:generate directive. I guess that makes sense for the average user running it directly, but that doesn't apply to us, and we end up with duplicate directives. Before: $ go generate -n bundle -o cmdgo_quoted.go -prefix cmdgoQuoted cmd/internal/quoted go run golang.org/x/tools/cmd/bundle@v0.1.9 -o cmdgo_quoted.go -prefix cmdgoQuoted cmd/internal/quoted After: $ go generate -n go run golang.org/x/tools/cmd/bundle@v0.1.9 -o cmdgo_quoted.go -prefix cmdgoQuoted cmd/internal/quoted sed -i /go:generate/d cmdgo_quoted.go While here, I made a typo in the last release notes, because of course. I already edited that out in the GitHub release.
2 years ago
// cmd/bundle will include a go:generate directive in its output by default.
// Ours specifies a version and doesn't assume bundle is in $PATH, so drop it.
add support for -ldflags using quotes In particular, using -ldflags with - In particular, a command like: garble -literals build -ldflags='-X "main.foo=foo bar"' would fail, because we would try to use "\"main" as the package name for the -X qualified name, with the leading quote character. This is because we used strings.Split(ldflags, " "). Instead, use the same quoted.Split that cmd/go uses, copied over thanks to x/tools/cmd/bundle and go:generate. Updates #492.
2 years ago
//go:generate go run golang.org/x/tools/cmd/bundle@v0.1.9 -o cmdgo_quoted.go -prefix cmdgoQuoted cmd/internal/quoted
remove duplicate go:generate directive I hadn't noticed that cmd/bundle prints its own go:generate directive. I guess that makes sense for the average user running it directly, but that doesn't apply to us, and we end up with duplicate directives. Before: $ go generate -n bundle -o cmdgo_quoted.go -prefix cmdgoQuoted cmd/internal/quoted go run golang.org/x/tools/cmd/bundle@v0.1.9 -o cmdgo_quoted.go -prefix cmdgoQuoted cmd/internal/quoted After: $ go generate -n go run golang.org/x/tools/cmd/bundle@v0.1.9 -o cmdgo_quoted.go -prefix cmdgoQuoted cmd/internal/quoted sed -i /go:generate/d cmdgo_quoted.go While here, I made a typo in the last release notes, because of course. I already edited that out in the GitHub release.
2 years ago
//go:generate sed -i /go:generate/d cmdgo_quoted.go
add support for -ldflags using quotes In particular, using -ldflags with - In particular, a command like: garble -literals build -ldflags='-X "main.foo=foo bar"' would fail, because we would try to use "\"main" as the package name for the -X qualified name, with the leading quote character. This is because we used strings.Split(ldflags, " "). Instead, use the same quoted.Split that cmd/go uses, copied over thanks to x/tools/cmd/bundle and go:generate. Updates #492.
2 years ago
avoid obfuscating literals set via -ldflags=-X The -X linker flag sets a string variable to a given value, which is often used to inject strings such as versions. The way garble's literal obfuscation works, we replace string literals with anonymous functions which, when evaluated, result in the original string. Both of these features work fine separately, but when intersecting, they break. For example, given: var myVar = "original" [...] -ldflags=-X=main.myVar=replaced The -X flag effectively replaces the initial value, and -literals adds code to be run at init time: var myVar = "replaced" func init() { myVar = func() string { ... } } Since the init func runs later, -literals breaks -X. To avoid that problem, don't obfuscate literals whose variables are set via -ldflags=-X. We also leave TODOs about obfuscating those in the future, but we're also leaving regression tests to ensure we get it right. Fixes #323.
2 years ago
// prefillObjectMaps collects objects which should not be obfuscated,
keep cgo-exported Go names non-obfuscated Otherwise, the added test case would fail, as we don't modify the C code and so there would be a name mismatch. In the far future we might start modifying Go names in C code, similar to what we did for Go assembly, but right now that seems out of scope and too complex. An easier fix is to simply record those (hopefully few) names in ignoreObjects. While at it, recordReflectArgs started to really outgrow its name, as it also collected expressions used as constants for literal obfuscation. Give it a better name. Fixes #366.
3 years ago
// such as those used as arguments to reflect.TypeOf or reflect.ValueOf.
// Since we obfuscate one package at a time, we only detect those if the type
// definition and the reflect usage are both in the same package.
add support for -ldflags using quotes In particular, using -ldflags with - In particular, a command like: garble -literals build -ldflags='-X "main.foo=foo bar"' would fail, because we would try to use "\"main" as the package name for the -X qualified name, with the leading quote character. This is because we used strings.Split(ldflags, " "). Instead, use the same quoted.Split that cmd/go uses, copied over thanks to x/tools/cmd/bundle and go:generate. Updates #492.
2 years ago
func (tf *transformer) prefillObjectMaps(files []*ast.File) error {
avoid obfuscating literals set via -ldflags=-X The -X linker flag sets a string variable to a given value, which is often used to inject strings such as versions. The way garble's literal obfuscation works, we replace string literals with anonymous functions which, when evaluated, result in the original string. Both of these features work fine separately, but when intersecting, they break. For example, given: var myVar = "original" [...] -ldflags=-X=main.myVar=replaced The -X flag effectively replaces the initial value, and -literals adds code to be run at init time: var myVar = "replaced" func init() { myVar = func() string { ... } } Since the init func runs later, -literals breaks -X. To avoid that problem, don't obfuscate literals whose variables are set via -ldflags=-X. We also leave TODOs about obfuscating those in the future, but we're also leaving regression tests to ensure we get it right. Fixes #323.
2 years ago
tf.linkerVariableStrings = make(map[types.Object]string)
add a TODO about a possible cache bug with -literals and -ldflags I spent some time trying to reproduce the bug but couldn't, so for now, make a detailed note for it. We can come back to it if we actually run into it in the future. Fixes #492.
2 years ago
// TODO: this is a linker flag that affects how we obfuscate a package at
// compile time. Note that, if the user changes ldflags, then Go may only
// re-link the final binary, without re-compiling any packages at all.
// It's possible that this could result in:
//
// garble -literals build -ldflags=-X=pkg.name=before # name="before"
// garble -literals build -ldflags=-X=pkg.name=after # name="before" as cached
//
// We haven't been able to reproduce this problem for now,
// but it's worth noting it and keeping an eye out for it in the future.
// If we do confirm this theoretical bug,
// the solution will be to either find a different solution for -literals,
// or to force including -ldflags into the build cache key.
add support for -ldflags using quotes In particular, using -ldflags with - In particular, a command like: garble -literals build -ldflags='-X "main.foo=foo bar"' would fail, because we would try to use "\"main" as the package name for the -X qualified name, with the leading quote character. This is because we used strings.Split(ldflags, " "). Instead, use the same quoted.Split that cmd/go uses, copied over thanks to x/tools/cmd/bundle and go:generate. Updates #492.
2 years ago
ldflags, err := cmdgoQuotedSplit(flagValue(cache.ForwardBuildFlags, "-ldflags"))
if err != nil {
return err
}
flagValueIter(ldflags, "-X", func(val string) {
avoid obfuscating literals set via -ldflags=-X The -X linker flag sets a string variable to a given value, which is often used to inject strings such as versions. The way garble's literal obfuscation works, we replace string literals with anonymous functions which, when evaluated, result in the original string. Both of these features work fine separately, but when intersecting, they break. For example, given: var myVar = "original" [...] -ldflags=-X=main.myVar=replaced The -X flag effectively replaces the initial value, and -literals adds code to be run at init time: var myVar = "replaced" func init() { myVar = func() string { ... } } Since the init func runs later, -literals breaks -X. To avoid that problem, don't obfuscate literals whose variables are set via -ldflags=-X. We also leave TODOs about obfuscating those in the future, but we're also leaving regression tests to ensure we get it right. Fixes #323.
2 years ago
// val is in the form of "importpath.name=value".
i := strings.IndexByte(val, '=')
if i < 0 {
return // invalid
}
stringValue := val[i+1:]
val = val[:i] // "importpath.name"
i = strings.LastIndexByte(val, '.')
path, name := val[:i], val[i+1:]
// -X represents the main package as "main", not its import path.
if path != curPkg.ImportPath && !(path == "main" && curPkg.Name == "main") {
return // not the current package
}
obj := tf.pkg.Scope().Lookup(name)
if obj == nil {
return // not found; skip
}
tf.linkerVariableStrings[obj] = stringValue
})
simplify detection of reflection
4 years ago
make detection of reflect more robust It now works with variables and composite type expressions too.
4 years ago
visit := func(node ast.Node) bool {
call, ok := node.(*ast.CallExpr)
exclude identifiers used via reflection If reflect.TypeOf or reflect.ValueOf are used on a type declared in the same package, don't garble that type name or any of its fields. Fixes #15.
4 years ago
if !ok {
return true
}
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
ident, ok := call.Fun.(*ast.Ident)
exclude identifiers used via reflection If reflect.TypeOf or reflect.ValueOf are used on a type declared in the same package, don't garble that type name or any of its fields. Fixes #15.
4 years ago
if !ok {
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
sel, ok := call.Fun.(*ast.SelectorExpr)
if !ok {
return true
}
ident = sel.Sel
exclude identifiers used via reflection If reflect.TypeOf or reflect.ValueOf are used on a type declared in the same package, don't garble that type name or any of its fields. Fixes #15.
4 years ago
}
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
fnType, _ := tf.info.ObjectOf(ident).(*types.Func)
detect more std API calls which use reflection Before, we would just notice direct calls to reflect's TypeOf and ValueOf. Any other uses of reflection, such as encoding/json or google.golang.org/protobuf, would require hints as documented by the README. Issue #162 outlines some ways we could fix this issue in a general way, automatically detecting what functions use reflection on their parameters, even for third party API funcs. However, that goal is pretty significant in terms of code and effort. As a temporary improvement, we can expand the list of "known" reflection APIs via a static table. Since this table is keyed by "func full name" strings, we could potentially include third party APIs, such as: google.golang.org/protobuf/proto.Marshal However, for now simply include all the std APIs we know about. If we fail to do the proper fix for automatic detection in the future, we can then fall back to expanding this global table for third parties. Update the README's docs, to clarify that the hint is not always necessary anymore. Also update the reflect.txt test to stop using the hint for encoding/json, and to also start testing text/template with a method call. While at it, I noticed that we weren't testing the println outputs, as they'd go to stderr - fix that too. Updates #162.
3 years ago
if fnType == nil || fnType.Pkg() == nil {
add basic literal obfuscation, starting with strings Fixes #16.
4 years ago
return true
}
detect more std API calls which use reflection Before, we would just notice direct calls to reflect's TypeOf and ValueOf. Any other uses of reflection, such as encoding/json or google.golang.org/protobuf, would require hints as documented by the README. Issue #162 outlines some ways we could fix this issue in a general way, automatically detecting what functions use reflection on their parameters, even for third party API funcs. However, that goal is pretty significant in terms of code and effort. As a temporary improvement, we can expand the list of "known" reflection APIs via a static table. Since this table is keyed by "func full name" strings, we could potentially include third party APIs, such as: google.golang.org/protobuf/proto.Marshal However, for now simply include all the std APIs we know about. If we fail to do the proper fix for automatic detection in the future, we can then fall back to expanding this global table for third parties. Update the README's docs, to clarify that the hint is not always necessary anymore. Also update the reflect.txt test to stop using the hint for encoding/json, and to also start testing text/template with a method call. While at it, I noticed that we weren't testing the println outputs, as they'd go to stderr - fix that too. Updates #162.
3 years ago
fullName := fnType.FullName()
stop relying on nested "go list -toolexec" calls (#422) We rely on importcfg files to load type info for obfuscated packages. We use this type information to remember what names we didn't obfuscate. Unfortunately, indirect dependencies aren't listed in importcfg files, so we relied on extra "go list -toolexec" calls to locate object files. This worked fine, but added a significant amount of complexity. The extra "go list -export -toolexec=garble" invocations weren't slow, as they avoided rebuilding or re-obfuscating thanks to the build cache. Still, it was hard to reason about how garble runs during a build if we might have multiple layers of -toolexec invocations. Instead, record the export files we encounter in an incremental map, and persist it in the build cache via the gob file we're already using. This way, each garble invocation knows where all object files are, even those for indirect imports. One wrinkle is that importcfg files can point to temporary object files. In that case, figure out its final location in the build cache. This requires hard-coding a bit of knowledge about how GOCACHE works, but it seems relatively harmless given how it's very little code. Plus, if GOCACHE ever changes, it will be obvious when our code breaks. Finally, add a TODO about potentially saving even more work.
3 years ago
for _, argPos := range cachedOutput.KnownReflectAPIs[fullName] {
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
arg := call.Args[argPos]
argType := tf.info.TypeOf(arg)
clarify how each "cannot obfuscate" map works We used to record all objects in cannotObfuscateNames, and then we'd add the exported ones to KnownCannotObfuscate. Instead, teach recordAsNotObfuscated to store each object in either knownCannotObfuscateUnexported or KnownCannotObfuscate, but not both. The former isn't cached so it uses in-memory pointers as keys, and the latter uses the cross-process objectStrings like before. Functionally, this is all the same, but with the difference that the map indexed by types.Object will not contain objects already recorded in KnownCannotObfuscate, reducing the amount of duplicate memory use. While here, give recordIgnore a less ambiguous name, and remove the second parameter as it was always tf.pkg.Path(). This also means we can compare *types.Package pointers directly. Finally, add more TODOs for further improvement ideas. It does mean that we end up with more TODOs than before, even though I'm fixing one, but I reckon that's a good thing. Recording these ideas can give first-time contributors ways to help, and it ensures I don't forget about ideas just in my head.
2 years ago
tf.recursivelyRecordAsNotObfuscated(argType)
exclude identifiers used via reflection If reflect.TypeOf or reflect.ValueOf are used on a type declared in the same package, don't garble that type name or any of its fields. Fixes #15.
4 years ago
}
More robust reflection detection Functions which use reflection on one of their parameters are, now added to knownReflectAPIs automatically. This makes most explicit hints for reflection redundant. Simple protobuf code now works correctly when obfuscated. Fixes #162 Fixes #373
3 years ago
exclude identifiers used via reflection If reflect.TypeOf or reflect.ValueOf are used on a type declared in the same package, don't garble that type name or any of its fields. Fixes #15.
4 years ago
return true
}
for _, file := range files {
keep cgo-exported Go names non-obfuscated Otherwise, the added test case would fail, as we don't modify the C code and so there would be a name mismatch. In the far future we might start modifying Go names in C code, similar to what we did for Go assembly, but right now that seems out of scope and too complex. An easier fix is to simply record those (hopefully few) names in ignoreObjects. While at it, recordReflectArgs started to really outgrow its name, as it also collected expressions used as constants for literal obfuscation. Give it a better name. Fixes #366.
3 years ago
for _, group := range file.Comments {
for _, comment := range group.List {
name := strings.TrimPrefix(comment.Text, "//export ")
if name == comment.Text {
continue
}
name = strings.TrimSpace(name)
obj := tf.pkg.Scope().Lookup(name)
if obj == nil {
continue // not found; skip
}
clarify how each "cannot obfuscate" map works We used to record all objects in cannotObfuscateNames, and then we'd add the exported ones to KnownCannotObfuscate. Instead, teach recordAsNotObfuscated to store each object in either knownCannotObfuscateUnexported or KnownCannotObfuscate, but not both. The former isn't cached so it uses in-memory pointers as keys, and the latter uses the cross-process objectStrings like before. Functionally, this is all the same, but with the difference that the map indexed by types.Object will not contain objects already recorded in KnownCannotObfuscate, reducing the amount of duplicate memory use. While here, give recordIgnore a less ambiguous name, and remove the second parameter as it was always tf.pkg.Path(). This also means we can compare *types.Package pointers directly. Finally, add more TODOs for further improvement ideas. It does mean that we end up with more TODOs than before, even though I'm fixing one, but I reckon that's a good thing. Recording these ideas can give first-time contributors ways to help, and it ensures I don't forget about ideas just in my head.
2 years ago
// TODO(mvdan): it seems like removing this doesn't break any tests.
recordAsNotObfuscated(obj)
keep cgo-exported Go names non-obfuscated Otherwise, the added test case would fail, as we don't modify the C code and so there would be a name mismatch. In the far future we might start modifying Go names in C code, similar to what we did for Go assembly, but right now that seems out of scope and too complex. An easier fix is to simply record those (hopefully few) names in ignoreObjects. While at it, recordReflectArgs started to really outgrow its name, as it also collected expressions used as constants for literal obfuscation. Give it a better name. Fixes #366.
3 years ago
}
}
make detection of reflect more robust It now works with variables and composite type expressions too.
4 years ago
ast.Inspect(file, visit)
exclude identifiers used via reflection If reflect.TypeOf or reflect.ValueOf are used on a type declared in the same package, don't garble that type name or any of its fields. Fixes #15.
4 years ago
}
add support for -ldflags using quotes In particular, using -ldflags with - In particular, a command like: garble -literals build -ldflags='-X "main.foo=foo bar"' would fail, because we would try to use "\"main" as the package name for the -X qualified name, with the leading quote character. This is because we used strings.Split(ldflags, " "). Instead, use the same quoted.Split that cmd/go uses, copied over thanks to x/tools/cmd/bundle and go:generate. Updates #492.
2 years ago
return nil
exclude identifiers used via reflection If reflect.TypeOf or reflect.ValueOf are used on a type declared in the same package, don't garble that type name or any of its fields. Fixes #15.
4 years ago
}
introduce a receiver type to transform a Go package Means that we no longer have to pass a dozen parameters around, mainly to transformGo. We can also start documenting what each of the fields actually does, and group them better. While at it, pkgPath and pkgScope can both be replaced by a *types.Package, since they're both accessible via trivially cheap methods.
4 years ago
// transformer holds all the information and state necessary to obfuscate a
// single Go package.
type transformer struct {
// The type-checking results; the package itself, and the Info struct.
pkg *types.Package
info *types.Info
avoid obfuscating literals set via -ldflags=-X The -X linker flag sets a string variable to a given value, which is often used to inject strings such as versions. The way garble's literal obfuscation works, we replace string literals with anonymous functions which, when evaluated, result in the original string. Both of these features work fine separately, but when intersecting, they break. For example, given: var myVar = "original" [...] -ldflags=-X=main.myVar=replaced The -X flag effectively replaces the initial value, and -literals adds code to be run at init time: var myVar = "replaced" func init() { myVar = func() string { ... } } Since the init func runs later, -literals breaks -X. To avoid that problem, don't obfuscate literals whose variables are set via -ldflags=-X. We also leave TODOs about obfuscating those in the future, but we're also leaving regression tests to ensure we get it right. Fixes #323.
2 years ago
// linkerVariableStrings is also initialized by prefillObjectMaps.
// It records objects for variables used in -ldflags=-X flags,
// as well as the strings the user wants to inject them with.
linkerVariableStrings map[types.Object]string
hash field names equally in all packages Packages P1 and P2 can define identical struct types T1 and T2, and one can convert from type T1 to T2 or vice versa. The spec defines two identical struct types as: Two struct types are identical if they have the same sequence of fields, and if corresponding fields have the same names, and identical types, and identical tags. Non-exported field names from different packages are always different. Unfortunately, garble broke this: since we obfuscated field names differently depending on the package, cross-package conversions like the case above would result in typechecking errors. To fix this, implement Joe Tsai's idea: hash struct field names with the string representation of the entire struct. This way, identical struct types will have their field names obfuscated in the same way in all packages across a build. Note that we had to refactor "reverse" a bit to start using transformer, since now it needs to keep track of struct types as well. This failure was affecting the build of google.golang.org/protobuf, since it makes regular use of cross-package struct conversions. Note that the protobuf module still fails to build, but for other reasons. The package that used to fail now succeeds, so the build gets a bit further than before. #240 tracks adding relevant third-party Go modules to CI, so we'll track the other remaining failures there. Fixes #310.
3 years ago
handle aliases to foreign named types properly When such an alias name was used to define an embedded field, we handled that case gracefully via the code using: tf.info.Uses[node].(*types.TypeName) Unfortunately, when the same field name was used elsewhere, such as a composite literal, tf.Info.Uses gave us a *types.Var, not a *types.TypeName, meaning we could no longer tell if this was an alias, or what it pointed to. Thus, we failed to obfuscate the name properly in the added test case: > garble build [stderr] # test/main/sub xxWZf66u.go:36: unknown field 'foreignAlias' in struct literal of type smhWelwn It doesn't seem like any of the go/types APIs allows us to obtain the *types.TypeName directly in this scenario. Thus, use a trick that we used before: after typechecking, but before obfuscating, record all embedded struct field *types.Var which are aliases via a map, where the value holds the *types.TypeName for the alias. Updates #349.
3 years ago
// recordTypeDone helps avoid cycles in recordType.
hash field names equally in all packages Packages P1 and P2 can define identical struct types T1 and T2, and one can convert from type T1 to T2 or vice versa. The spec defines two identical struct types as: Two struct types are identical if they have the same sequence of fields, and if corresponding fields have the same names, and identical types, and identical tags. Non-exported field names from different packages are always different. Unfortunately, garble broke this: since we obfuscated field names differently depending on the package, cross-package conversions like the case above would result in typechecking errors. To fix this, implement Joe Tsai's idea: hash struct field names with the string representation of the entire struct. This way, identical struct types will have their field names obfuscated in the same way in all packages across a build. Note that we had to refactor "reverse" a bit to start using transformer, since now it needs to keep track of struct types as well. This failure was affecting the build of google.golang.org/protobuf, since it makes regular use of cross-package struct conversions. Note that the protobuf module still fails to build, but for other reasons. The package that used to fail now succeeds, so the build gets a bit further than before. #240 tracks adding relevant third-party Go modules to CI, so we'll track the other remaining failures there. Fixes #310.
3 years ago
recordTypeDone map[types.Type]bool
handle aliases to foreign named types properly When such an alias name was used to define an embedded field, we handled that case gracefully via the code using: tf.info.Uses[node].(*types.TypeName) Unfortunately, when the same field name was used elsewhere, such as a composite literal, tf.Info.Uses gave us a *types.Var, not a *types.TypeName, meaning we could no longer tell if this was an alias, or what it pointed to. Thus, we failed to obfuscate the name properly in the added test case: > garble build [stderr] # test/main/sub xxWZf66u.go:36: unknown field 'foreignAlias' in struct literal of type smhWelwn It doesn't seem like any of the go/types APIs allows us to obtain the *types.TypeName directly in this scenario. Thus, use a trick that we used before: after typechecking, but before obfuscating, record all embedded struct field *types.Var which are aliases via a map, where the value holds the *types.TypeName for the alias. Updates #349.
3 years ago
// fieldToStruct helps locate struct types from any of their field
// objects. Useful when obfuscating field names.
fieldToStruct map[*types.Var]*types.Struct
hash field names equally in all packages Packages P1 and P2 can define identical struct types T1 and T2, and one can convert from type T1 to T2 or vice versa. The spec defines two identical struct types as: Two struct types are identical if they have the same sequence of fields, and if corresponding fields have the same names, and identical types, and identical tags. Non-exported field names from different packages are always different. Unfortunately, garble broke this: since we obfuscated field names differently depending on the package, cross-package conversions like the case above would result in typechecking errors. To fix this, implement Joe Tsai's idea: hash struct field names with the string representation of the entire struct. This way, identical struct types will have their field names obfuscated in the same way in all packages across a build. Note that we had to refactor "reverse" a bit to start using transformer, since now it needs to keep track of struct types as well. This failure was affecting the build of google.golang.org/protobuf, since it makes regular use of cross-package struct conversions. Note that the protobuf module still fails to build, but for other reasons. The package that used to fail now succeeds, so the build gets a bit further than before. #240 tracks adding relevant third-party Go modules to CI, so we'll track the other remaining failures there. Fixes #310.
3 years ago
}
// newTransformer helps initialize some maps.
func newTransformer() *transformer {
return &transformer{
info: &types.Info{
Types: make(map[ast.Expr]types.TypeAndValue),
Defs: make(map[*ast.Ident]types.Object),
Uses: make(map[*ast.Ident]types.Object),
},
recordTypeDone: make(map[types.Type]bool),
fieldToStruct: make(map[*types.Var]*types.Struct),
}
}
func (tf *transformer) typecheck(files []*ast.File) error {
origTypesConfig := types.Config{Importer: origImporter}
pkg, err := origTypesConfig.Check(curPkg.ImportPath, fset, files, tf.info)
if err != nil {
return fmt.Errorf("typecheck error: %v", err)
}
tf.pkg = pkg
// Run recordType on all types reachable via types.Info.
// A bit hacky, but I could not find an easier way to do this.
for _, obj := range tf.info.Defs {
if obj != nil {
tf.recordType(obj.Type())
}
}
handle aliases to foreign named types properly When such an alias name was used to define an embedded field, we handled that case gracefully via the code using: tf.info.Uses[node].(*types.TypeName) Unfortunately, when the same field name was used elsewhere, such as a composite literal, tf.Info.Uses gave us a *types.Var, not a *types.TypeName, meaning we could no longer tell if this was an alias, or what it pointed to. Thus, we failed to obfuscate the name properly in the added test case: > garble build [stderr] # test/main/sub xxWZf66u.go:36: unknown field 'foreignAlias' in struct literal of type smhWelwn It doesn't seem like any of the go/types APIs allows us to obtain the *types.TypeName directly in this scenario. Thus, use a trick that we used before: after typechecking, but before obfuscating, record all embedded struct field *types.Var which are aliases via a map, where the value holds the *types.TypeName for the alias. Updates #349.
3 years ago
for name, obj := range tf.info.Uses {
properly record when type aliases are embedded as fields There are two scenarios when it comes to embedding fields. The first is easy, and we always handled it well: type Named struct { Foo int } type T struct { Named } In this scenario, T ends up with an embedded field named "Named", and a promoted field named "Foo". Then there's the form with a type alias: type Named struct { Foo int } type Alias = Named type T struct { Alias } This case is different: T ends up with an embedded field named "Alias", and a promoted field named "Foo". Note how the field gets its name from the referenced type, even if said type is just an alias to another type. This poses two problems. First, we must obfuscate the field T.Alias as the name "Alias", and not as the name "Named" that the alias points to. Second, we must be careful of cases where Named and Alias are declared in different packages, as they will obfuscate the same name differently. Both of those problems compounded in the reported issue. The actual reason is that quic-go has a type alias in the form of: type ConnectionState = qtls.ConnectionState In other words, the entire problem boils down to a type alias which points to a named type in a different package, where both types share the same name. For example: package parent import "parent/p1" type T struct { p1.SameName } [...] package p1 import "parent/p2" type SameName = p2.SameName [...] package p2 type SameName struct { Foo int } This broke garble because we had a heuristic to detect when an embedded field was a type alias: // Instead, detect such a "foreign alias embed". // If we embed a final named type, // but the field name does not match its name, // then it must have been done via an alias. // We dig out the alias's TypeName via locateForeignAlias. if named.Obj().Name() != node.Name { As the reader can deduce, this heuristic would incorrectly assume that the snippet above does not embed a type alias, when in fact it does. When obfuscating the field T.SameName, which uses a type alias, we would correctly obfuscate the name "SameName", but we would incorrectly obfuscate it with the package p2, not p1. This would then result in build errors. To fix this problem for good, we need to get rid of the heuristic. Instead, we now mimic what was done for KnownCannotObfuscate, but for embedded fields which use type aliases. KnownEmbeddedAliasFields is now filled for each package and stored in the cache as part of cachedOutput. We can then detect the "embedded alias" case reliably, even when the field is declared in an imported package. On the plus side, we get to remove locateForeignAlias. We also add a couple of TODOs to record further improvements. Finally, add a test. Fixes #466.
2 years ago
if obj == nil {
continue
hash field names equally in all packages Packages P1 and P2 can define identical struct types T1 and T2, and one can convert from type T1 to T2 or vice versa. The spec defines two identical struct types as: Two struct types are identical if they have the same sequence of fields, and if corresponding fields have the same names, and identical types, and identical tags. Non-exported field names from different packages are always different. Unfortunately, garble broke this: since we obfuscated field names differently depending on the package, cross-package conversions like the case above would result in typechecking errors. To fix this, implement Joe Tsai's idea: hash struct field names with the string representation of the entire struct. This way, identical struct types will have their field names obfuscated in the same way in all packages across a build. Note that we had to refactor "reverse" a bit to start using transformer, since now it needs to keep track of struct types as well. This failure was affecting the build of google.golang.org/protobuf, since it makes regular use of cross-package struct conversions. Note that the protobuf module still fails to build, but for other reasons. The package that used to fail now succeeds, so the build gets a bit further than before. #240 tracks adding relevant third-party Go modules to CI, so we'll track the other remaining failures there. Fixes #310.
3 years ago
}
properly record when type aliases are embedded as fields There are two scenarios when it comes to embedding fields. The first is easy, and we always handled it well: type Named struct { Foo int } type T struct { Named } In this scenario, T ends up with an embedded field named "Named", and a promoted field named "Foo". Then there's the form with a type alias: type Named struct { Foo int } type Alias = Named type T struct { Alias } This case is different: T ends up with an embedded field named "Alias", and a promoted field named "Foo". Note how the field gets its name from the referenced type, even if said type is just an alias to another type. This poses two problems. First, we must obfuscate the field T.Alias as the name "Alias", and not as the name "Named" that the alias points to. Second, we must be careful of cases where Named and Alias are declared in different packages, as they will obfuscate the same name differently. Both of those problems compounded in the reported issue. The actual reason is that quic-go has a type alias in the form of: type ConnectionState = qtls.ConnectionState In other words, the entire problem boils down to a type alias which points to a named type in a different package, where both types share the same name. For example: package parent import "parent/p1" type T struct { p1.SameName } [...] package p1 import "parent/p2" type SameName = p2.SameName [...] package p2 type SameName struct { Foo int } This broke garble because we had a heuristic to detect when an embedded field was a type alias: // Instead, detect such a "foreign alias embed". // If we embed a final named type, // but the field name does not match its name, // then it must have been done via an alias. // We dig out the alias's TypeName via locateForeignAlias. if named.Obj().Name() != node.Name { As the reader can deduce, this heuristic would incorrectly assume that the snippet above does not embed a type alias, when in fact it does. When obfuscating the field T.SameName, which uses a type alias, we would correctly obfuscate the name "SameName", but we would incorrectly obfuscate it with the package p2, not p1. This would then result in build errors. To fix this problem for good, we need to get rid of the heuristic. Instead, we now mimic what was done for KnownCannotObfuscate, but for embedded fields which use type aliases. KnownEmbeddedAliasFields is now filled for each package and stored in the cache as part of cachedOutput. We can then detect the "embedded alias" case reliably, even when the field is declared in an imported package. On the plus side, we get to remove locateForeignAlias. We also add a couple of TODOs to record further improvements. Finally, add a test. Fixes #466.
2 years ago
tf.recordType(obj.Type())
// Record into KnownEmbeddedAliasFields.
obj, ok := obj.(*types.TypeName)
if !ok || !obj.IsAlias() {
continue
}
vr, _ := tf.info.Defs[name].(*types.Var)
if vr == nil || !vr.Embedded() {
continue
}
vrStr := recordedObjectString(vr)
if vrStr == "" {
continue
}
aliasTypeName := typeName{
PkgPath: obj.Pkg().Path(),
Name: obj.Name(),
}
cachedOutput.KnownEmbeddedAliasFields[vrStr] = aliasTypeName
hash field names equally in all packages Packages P1 and P2 can define identical struct types T1 and T2, and one can convert from type T1 to T2 or vice versa. The spec defines two identical struct types as: Two struct types are identical if they have the same sequence of fields, and if corresponding fields have the same names, and identical types, and identical tags. Non-exported field names from different packages are always different. Unfortunately, garble broke this: since we obfuscated field names differently depending on the package, cross-package conversions like the case above would result in typechecking errors. To fix this, implement Joe Tsai's idea: hash struct field names with the string representation of the entire struct. This way, identical struct types will have their field names obfuscated in the same way in all packages across a build. Note that we had to refactor "reverse" a bit to start using transformer, since now it needs to keep track of struct types as well. This failure was affecting the build of google.golang.org/protobuf, since it makes regular use of cross-package struct conversions. Note that the protobuf module still fails to build, but for other reasons. The package that used to fail now succeeds, so the build gets a bit further than before. #240 tracks adding relevant third-party Go modules to CI, so we'll track the other remaining failures there. Fixes #310.
3 years ago
}
for _, tv := range tf.info.Types {
tf.recordType(tv.Type)
}
return nil
}
// recordType visits every reachable type after typechecking a package.
// Right now, all it does is fill the fieldToStruct field.
// Since types can be recursive, we need a map to avoid cycles.
func (tf *transformer) recordType(t types.Type) {
if tf.recordTypeDone[t] {
return
}
tf.recordTypeDone[t] = true
switch t := t.(type) {
case interface{ Elem() types.Type }:
tf.recordType(t.Elem())
case *types.Named:
tf.recordType(t.Underlying())
}
strct, _ := t.(*types.Struct)
if strct == nil {
return
}
for i := 0; i < strct.NumFields(); i++ {
field := strct.Field(i)
tf.fieldToStruct[field] = strct
if field.Embedded() {
tf.recordType(field.Type())
}
}
introduce a receiver type to transform a Go package Means that we no longer have to pass a dozen parameters around, mainly to transformGo. We can also start documenting what each of the fields actually does, and group them better. While at it, pkgPath and pkgScope can both be replaced by a *types.Package, since they're both accessible via trivially cheap methods.
4 years ago
}
clarify how each "cannot obfuscate" map works We used to record all objects in cannotObfuscateNames, and then we'd add the exported ones to KnownCannotObfuscate. Instead, teach recordAsNotObfuscated to store each object in either knownCannotObfuscateUnexported or KnownCannotObfuscate, but not both. The former isn't cached so it uses in-memory pointers as keys, and the latter uses the cross-process objectStrings like before. Functionally, this is all the same, but with the difference that the map indexed by types.Object will not contain objects already recorded in KnownCannotObfuscate, reducing the amount of duplicate memory use. While here, give recordIgnore a less ambiguous name, and remove the second parameter as it was always tf.pkg.Path(). This also means we can compare *types.Package pointers directly. Finally, add more TODOs for further improvement ideas. It does mean that we end up with more TODOs than before, even though I'm fixing one, but I reckon that's a good thing. Recording these ideas can give first-time contributors ways to help, and it ensures I don't forget about ideas just in my head.
2 years ago
// TODO: consider caching recordedObjectString via a map,
// if that shows an improvement in our benchmark
properly record when type aliases are embedded as fields There are two scenarios when it comes to embedding fields. The first is easy, and we always handled it well: type Named struct { Foo int } type T struct { Named } In this scenario, T ends up with an embedded field named "Named", and a promoted field named "Foo". Then there's the form with a type alias: type Named struct { Foo int } type Alias = Named type T struct { Alias } This case is different: T ends up with an embedded field named "Alias", and a promoted field named "Foo". Note how the field gets its name from the referenced type, even if said type is just an alias to another type. This poses two problems. First, we must obfuscate the field T.Alias as the name "Alias", and not as the name "Named" that the alias points to. Second, we must be careful of cases where Named and Alias are declared in different packages, as they will obfuscate the same name differently. Both of those problems compounded in the reported issue. The actual reason is that quic-go has a type alias in the form of: type ConnectionState = qtls.ConnectionState In other words, the entire problem boils down to a type alias which points to a named type in a different package, where both types share the same name. For example: package parent import "parent/p1" type T struct { p1.SameName } [...] package p1 import "parent/p2" type SameName = p2.SameName [...] package p2 type SameName struct { Foo int } This broke garble because we had a heuristic to detect when an embedded field was a type alias: // Instead, detect such a "foreign alias embed". // If we embed a final named type, // but the field name does not match its name, // then it must have been done via an alias. // We dig out the alias's TypeName via locateForeignAlias. if named.Obj().Name() != node.Name { As the reader can deduce, this heuristic would incorrectly assume that the snippet above does not embed a type alias, when in fact it does. When obfuscating the field T.SameName, which uses a type alias, we would correctly obfuscate the name "SameName", but we would incorrectly obfuscate it with the package p2, not p1. This would then result in build errors. To fix this problem for good, we need to get rid of the heuristic. Instead, we now mimic what was done for KnownCannotObfuscate, but for embedded fields which use type aliases. KnownEmbeddedAliasFields is now filled for each package and stored in the cache as part of cachedOutput. We can then detect the "embedded alias" case reliably, even when the field is declared in an imported package. On the plus side, we get to remove locateForeignAlias. We also add a couple of TODOs to record further improvements. Finally, add a test. Fixes #466.
2 years ago
func recordedObjectString(obj types.Object) objectString {
stop loading obfuscated type information from deps If package P1 imports package P2, P1 needs to know which names from P2 weren't obfuscated. For instance, if P2 declares T2 and does "reflect.TypeOf(T2{...})", then P2 won't obfuscate the name T2, and neither should P1. This information should flow from P2 to P1, as P2 builds before P1. We do this via obfuscatedTypesPackage; P1 loads the type information of the obfuscated version of P2, and does a lookup for T2. If T2 exists, then it wasn't obfuscated. This mechanism has served us well, but it has downsides: 1) It wastes CPU; we load the type information for the entire package. 2) It's complex; for instance, we need KnownObjectFiles as an extra. 3) It makes our code harder to understand, as we load both the original and obfuscated type informaiton. Instead, we now have each package record what names were not obfuscated as part of its cachedOuput file. Much like KnownObjectFiles, the map records incrementally through the import graph, to avoid having to load cachedOutput files for indirect dependencies. We shouldn't need to worry about those maps getting large; we only skip obfuscating declared names in a few uncommon scenarios, such as the use of reflection or cgo's "//export". Since go/types is relatively allocation-heavy, and the export files contain a lot of data, we get a nice speed-up: name old time/op new time/op delta Build-16 11.5s ± 2% 11.1s ± 3% -3.77% (p=0.008 n=5+5) name old bin-B new bin-B delta Build-16 5.15M ± 0% 5.15M ± 0% ~ (all equal) name old cached-time/op new cached-time/op delta Build-16 375ms ± 3% 341ms ± 6% -8.96% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build-16 283ms ±17% 289ms ±13% ~ (p=0.841 n=5+5) name old user-time/op new user-time/op delta Build-16 687ms ± 6% 664ms ± 7% ~ (p=0.548 n=5+5) Fixes #456. Updates #475.
2 years ago
if obj, ok := obj.(*types.Var); ok && obj.IsField() {
// For exported fields, "pkgpath.Field" is not unique,
// because two exported top-level types could share "Field".
//
// Moreover, note that not all fields belong to named struct types;
// an API could be exposing:
//
// var usedInReflection = struct{Field string}
//
// For now, a hack: assume that packages don't declare the same field
// more than once in the same line. This works in practice, but one
// could craft Go code to break this assumption.
// Also note that the compiler's object files include filenames and line
// numbers, but not column numbers nor byte offsets.
// TODO(mvdan): give this another think, and add tests involving anon types.
pos := fset.Position(obj.Pos())
return fmt.Sprintf("%s.%s - %s:%d", obj.Pkg().Path(), obj.Name(),
filepath.Base(pos.Filename), pos.Line)
}
// Names which are not at the top level cannot be imported,
// so we don't need to record them either.
// Note that this doesn't apply to fields, which are never top-level.
if obj.Pkg().Scope().Lookup(obj.Name()) != obj {
return ""
}
// For top-level exported names, "pkgpath.Name" is unique.
return fmt.Sprintf("%s.%s", obj.Pkg().Path(), obj.Name())
}
clarify how each "cannot obfuscate" map works We used to record all objects in cannotObfuscateNames, and then we'd add the exported ones to KnownCannotObfuscate. Instead, teach recordAsNotObfuscated to store each object in either knownCannotObfuscateUnexported or KnownCannotObfuscate, but not both. The former isn't cached so it uses in-memory pointers as keys, and the latter uses the cross-process objectStrings like before. Functionally, this is all the same, but with the difference that the map indexed by types.Object will not contain objects already recorded in KnownCannotObfuscate, reducing the amount of duplicate memory use. While here, give recordIgnore a less ambiguous name, and remove the second parameter as it was always tf.pkg.Path(). This also means we can compare *types.Package pointers directly. Finally, add more TODOs for further improvement ideas. It does mean that we end up with more TODOs than before, even though I'm fixing one, but I reckon that's a good thing. Recording these ideas can give first-time contributors ways to help, and it ensures I don't forget about ideas just in my head.
2 years ago
// recordAsNotObfuscated records all the objects whose names we cannot obfuscate.
// An object is any named entity, such as a declared variable or type.
//
// So far, it records:
//
// * Types which are used for reflection.
// * Declarations exported via "//export".
// * Types or variables from external packages which were not obfuscated.
func recordAsNotObfuscated(obj types.Object) {
stop loading obfuscated type information from deps If package P1 imports package P2, P1 needs to know which names from P2 weren't obfuscated. For instance, if P2 declares T2 and does "reflect.TypeOf(T2{...})", then P2 won't obfuscate the name T2, and neither should P1. This information should flow from P2 to P1, as P2 builds before P1. We do this via obfuscatedTypesPackage; P1 loads the type information of the obfuscated version of P2, and does a lookup for T2. If T2 exists, then it wasn't obfuscated. This mechanism has served us well, but it has downsides: 1) It wastes CPU; we load the type information for the entire package. 2) It's complex; for instance, we need KnownObjectFiles as an extra. 3) It makes our code harder to understand, as we load both the original and obfuscated type informaiton. Instead, we now have each package record what names were not obfuscated as part of its cachedOuput file. Much like KnownObjectFiles, the map records incrementally through the import graph, to avoid having to load cachedOutput files for indirect dependencies. We shouldn't need to worry about those maps getting large; we only skip obfuscating declared names in a few uncommon scenarios, such as the use of reflection or cgo's "//export". Since go/types is relatively allocation-heavy, and the export files contain a lot of data, we get a nice speed-up: name old time/op new time/op delta Build-16 11.5s ± 2% 11.1s ± 3% -3.77% (p=0.008 n=5+5) name old bin-B new bin-B delta Build-16 5.15M ± 0% 5.15M ± 0% ~ (all equal) name old cached-time/op new cached-time/op delta Build-16 375ms ± 3% 341ms ± 6% -8.96% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build-16 283ms ±17% 289ms ±13% ~ (p=0.841 n=5+5) name old user-time/op new user-time/op delta Build-16 687ms ± 6% 664ms ± 7% ~ (p=0.548 n=5+5) Fixes #456. Updates #475.
2 years ago
if obj.Pkg().Path() != curPkg.ImportPath {
panic("called recordedAsNotObfuscated with a foreign object")
}
if !obj.Exported() {
// Unexported names will never be used by other packages,
clarify how each "cannot obfuscate" map works We used to record all objects in cannotObfuscateNames, and then we'd add the exported ones to KnownCannotObfuscate. Instead, teach recordAsNotObfuscated to store each object in either knownCannotObfuscateUnexported or KnownCannotObfuscate, but not both. The former isn't cached so it uses in-memory pointers as keys, and the latter uses the cross-process objectStrings like before. Functionally, this is all the same, but with the difference that the map indexed by types.Object will not contain objects already recorded in KnownCannotObfuscate, reducing the amount of duplicate memory use. While here, give recordIgnore a less ambiguous name, and remove the second parameter as it was always tf.pkg.Path(). This also means we can compare *types.Package pointers directly. Finally, add more TODOs for further improvement ideas. It does mean that we end up with more TODOs than before, even though I'm fixing one, but I reckon that's a good thing. Recording these ideas can give first-time contributors ways to help, and it ensures I don't forget about ideas just in my head.
2 years ago
// so we don't need to bother recording them in cachedOutput.
knownCannotObfuscateUnexported[obj] = true
return
stop loading obfuscated type information from deps If package P1 imports package P2, P1 needs to know which names from P2 weren't obfuscated. For instance, if P2 declares T2 and does "reflect.TypeOf(T2{...})", then P2 won't obfuscate the name T2, and neither should P1. This information should flow from P2 to P1, as P2 builds before P1. We do this via obfuscatedTypesPackage; P1 loads the type information of the obfuscated version of P2, and does a lookup for T2. If T2 exists, then it wasn't obfuscated. This mechanism has served us well, but it has downsides: 1) It wastes CPU; we load the type information for the entire package. 2) It's complex; for instance, we need KnownObjectFiles as an extra. 3) It makes our code harder to understand, as we load both the original and obfuscated type informaiton. Instead, we now have each package record what names were not obfuscated as part of its cachedOuput file. Much like KnownObjectFiles, the map records incrementally through the import graph, to avoid having to load cachedOutput files for indirect dependencies. We shouldn't need to worry about those maps getting large; we only skip obfuscating declared names in a few uncommon scenarios, such as the use of reflection or cgo's "//export". Since go/types is relatively allocation-heavy, and the export files contain a lot of data, we get a nice speed-up: name old time/op new time/op delta Build-16 11.5s ± 2% 11.1s ± 3% -3.77% (p=0.008 n=5+5) name old bin-B new bin-B delta Build-16 5.15M ± 0% 5.15M ± 0% ~ (all equal) name old cached-time/op new cached-time/op delta Build-16 375ms ± 3% 341ms ± 6% -8.96% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build-16 283ms ±17% 289ms ±13% ~ (p=0.841 n=5+5) name old user-time/op new user-time/op delta Build-16 687ms ± 6% 664ms ± 7% ~ (p=0.548 n=5+5) Fixes #456. Updates #475.
2 years ago
}
clarify how each "cannot obfuscate" map works We used to record all objects in cannotObfuscateNames, and then we'd add the exported ones to KnownCannotObfuscate. Instead, teach recordAsNotObfuscated to store each object in either knownCannotObfuscateUnexported or KnownCannotObfuscate, but not both. The former isn't cached so it uses in-memory pointers as keys, and the latter uses the cross-process objectStrings like before. Functionally, this is all the same, but with the difference that the map indexed by types.Object will not contain objects already recorded in KnownCannotObfuscate, reducing the amount of duplicate memory use. While here, give recordIgnore a less ambiguous name, and remove the second parameter as it was always tf.pkg.Path(). This also means we can compare *types.Package pointers directly. Finally, add more TODOs for further improvement ideas. It does mean that we end up with more TODOs than before, even though I'm fixing one, but I reckon that's a good thing. Recording these ideas can give first-time contributors ways to help, and it ensures I don't forget about ideas just in my head.
2 years ago
objStr := recordedObjectString(obj)
if objStr == "" {
// If the object can't be described via a qualified string,
// then other packages can't use it.
// TODO: should we still record it in knownCannotObfuscateUnexported?
return
stop loading obfuscated type information from deps If package P1 imports package P2, P1 needs to know which names from P2 weren't obfuscated. For instance, if P2 declares T2 and does "reflect.TypeOf(T2{...})", then P2 won't obfuscate the name T2, and neither should P1. This information should flow from P2 to P1, as P2 builds before P1. We do this via obfuscatedTypesPackage; P1 loads the type information of the obfuscated version of P2, and does a lookup for T2. If T2 exists, then it wasn't obfuscated. This mechanism has served us well, but it has downsides: 1) It wastes CPU; we load the type information for the entire package. 2) It's complex; for instance, we need KnownObjectFiles as an extra. 3) It makes our code harder to understand, as we load both the original and obfuscated type informaiton. Instead, we now have each package record what names were not obfuscated as part of its cachedOuput file. Much like KnownObjectFiles, the map records incrementally through the import graph, to avoid having to load cachedOutput files for indirect dependencies. We shouldn't need to worry about those maps getting large; we only skip obfuscating declared names in a few uncommon scenarios, such as the use of reflection or cgo's "//export". Since go/types is relatively allocation-heavy, and the export files contain a lot of data, we get a nice speed-up: name old time/op new time/op delta Build-16 11.5s ± 2% 11.1s ± 3% -3.77% (p=0.008 n=5+5) name old bin-B new bin-B delta Build-16 5.15M ± 0% 5.15M ± 0% ~ (all equal) name old cached-time/op new cached-time/op delta Build-16 375ms ± 3% 341ms ± 6% -8.96% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build-16 283ms ±17% 289ms ±13% ~ (p=0.841 n=5+5) name old user-time/op new user-time/op delta Build-16 687ms ± 6% 664ms ± 7% ~ (p=0.548 n=5+5) Fixes #456. Updates #475.
2 years ago
}
clarify how each "cannot obfuscate" map works We used to record all objects in cannotObfuscateNames, and then we'd add the exported ones to KnownCannotObfuscate. Instead, teach recordAsNotObfuscated to store each object in either knownCannotObfuscateUnexported or KnownCannotObfuscate, but not both. The former isn't cached so it uses in-memory pointers as keys, and the latter uses the cross-process objectStrings like before. Functionally, this is all the same, but with the difference that the map indexed by types.Object will not contain objects already recorded in KnownCannotObfuscate, reducing the amount of duplicate memory use. While here, give recordIgnore a less ambiguous name, and remove the second parameter as it was always tf.pkg.Path(). This also means we can compare *types.Package pointers directly. Finally, add more TODOs for further improvement ideas. It does mean that we end up with more TODOs than before, even though I'm fixing one, but I reckon that's a good thing. Recording these ideas can give first-time contributors ways to help, and it ensures I don't forget about ideas just in my head.
2 years ago
cachedOutput.KnownCannotObfuscate[objStr] = struct{}{}
stop loading obfuscated type information from deps If package P1 imports package P2, P1 needs to know which names from P2 weren't obfuscated. For instance, if P2 declares T2 and does "reflect.TypeOf(T2{...})", then P2 won't obfuscate the name T2, and neither should P1. This information should flow from P2 to P1, as P2 builds before P1. We do this via obfuscatedTypesPackage; P1 loads the type information of the obfuscated version of P2, and does a lookup for T2. If T2 exists, then it wasn't obfuscated. This mechanism has served us well, but it has downsides: 1) It wastes CPU; we load the type information for the entire package. 2) It's complex; for instance, we need KnownObjectFiles as an extra. 3) It makes our code harder to understand, as we load both the original and obfuscated type informaiton. Instead, we now have each package record what names were not obfuscated as part of its cachedOuput file. Much like KnownObjectFiles, the map records incrementally through the import graph, to avoid having to load cachedOutput files for indirect dependencies. We shouldn't need to worry about those maps getting large; we only skip obfuscating declared names in a few uncommon scenarios, such as the use of reflection or cgo's "//export". Since go/types is relatively allocation-heavy, and the export files contain a lot of data, we get a nice speed-up: name old time/op new time/op delta Build-16 11.5s ± 2% 11.1s ± 3% -3.77% (p=0.008 n=5+5) name old bin-B new bin-B delta Build-16 5.15M ± 0% 5.15M ± 0% ~ (all equal) name old cached-time/op new cached-time/op delta Build-16 375ms ± 3% 341ms ± 6% -8.96% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build-16 283ms ±17% 289ms ±13% ~ (p=0.841 n=5+5) name old user-time/op new user-time/op delta Build-16 687ms ± 6% 664ms ± 7% ~ (p=0.548 n=5+5) Fixes #456. Updates #475.
2 years ago
}
func recordedAsNotObfuscated(obj types.Object) bool {
clarify how each "cannot obfuscate" map works We used to record all objects in cannotObfuscateNames, and then we'd add the exported ones to KnownCannotObfuscate. Instead, teach recordAsNotObfuscated to store each object in either knownCannotObfuscateUnexported or KnownCannotObfuscate, but not both. The former isn't cached so it uses in-memory pointers as keys, and the latter uses the cross-process objectStrings like before. Functionally, this is all the same, but with the difference that the map indexed by types.Object will not contain objects already recorded in KnownCannotObfuscate, reducing the amount of duplicate memory use. While here, give recordIgnore a less ambiguous name, and remove the second parameter as it was always tf.pkg.Path(). This also means we can compare *types.Package pointers directly. Finally, add more TODOs for further improvement ideas. It does mean that we end up with more TODOs than before, even though I'm fixing one, but I reckon that's a good thing. Recording these ideas can give first-time contributors ways to help, and it ensures I don't forget about ideas just in my head.
2 years ago
if knownCannotObfuscateUnexported[obj] {
return true
stop loading obfuscated type information from deps If package P1 imports package P2, P1 needs to know which names from P2 weren't obfuscated. For instance, if P2 declares T2 and does "reflect.TypeOf(T2{...})", then P2 won't obfuscate the name T2, and neither should P1. This information should flow from P2 to P1, as P2 builds before P1. We do this via obfuscatedTypesPackage; P1 loads the type information of the obfuscated version of P2, and does a lookup for T2. If T2 exists, then it wasn't obfuscated. This mechanism has served us well, but it has downsides: 1) It wastes CPU; we load the type information for the entire package. 2) It's complex; for instance, we need KnownObjectFiles as an extra. 3) It makes our code harder to understand, as we load both the original and obfuscated type informaiton. Instead, we now have each package record what names were not obfuscated as part of its cachedOuput file. Much like KnownObjectFiles, the map records incrementally through the import graph, to avoid having to load cachedOutput files for indirect dependencies. We shouldn't need to worry about those maps getting large; we only skip obfuscating declared names in a few uncommon scenarios, such as the use of reflection or cgo's "//export". Since go/types is relatively allocation-heavy, and the export files contain a lot of data, we get a nice speed-up: name old time/op new time/op delta Build-16 11.5s ± 2% 11.1s ± 3% -3.77% (p=0.008 n=5+5) name old bin-B new bin-B delta Build-16 5.15M ± 0% 5.15M ± 0% ~ (all equal) name old cached-time/op new cached-time/op delta Build-16 375ms ± 3% 341ms ± 6% -8.96% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build-16 283ms ±17% 289ms ±13% ~ (p=0.841 n=5+5) name old user-time/op new user-time/op delta Build-16 687ms ± 6% 664ms ± 7% ~ (p=0.548 n=5+5) Fixes #456. Updates #475.
2 years ago
}
objStr := recordedObjectString(obj)
if objStr == "" {
return false
}
_, ok := cachedOutput.KnownCannotObfuscate[objStr]
return ok
}
obfuscate literals as part of transformGo (#299) This is easier to understand, since now the modification of the *ast.File is all within a single chunk of code. We can also simplify literals.Obfuscate to work on a single file, as transformGo runs in a loop. We also remove the "use receiver" TODOs, since the code is now in a different package and it can't declare methods on a type here.
3 years ago
// transformGo obfuscates the provided Go syntax file.
CI: start enforcing vet and staticcheck Fix a staticcheck warning about unused code, as well as an unparam warning and a missing copyright header. We also bump the action versions to their latest releases, and drop unnecessary "name" fields for self-describing steps. Note that we drop the "go env" commands, as setup-go does that now. Finally, I did briefly try to add caching, but then realised it didn't help us at all. Document why.
2 years ago
func (tf *transformer) transformGo(file *ast.File) *ast.File {
only obfuscate literals in packages to obfuscate Add a regression test in gogarble.txt, as that test is already set up with packages to not obfuscate. This bug manifested in the form of a build failure for GOOS=plan9 with -literals turned on: [...]/os/file_plan9.go:151:12: invalid operation: cannot call non-function append (variable of type bool) In this case, the "os" package is not to be obfuscated, but we would still obfuscate its literals as per the bug. But, since the package's identifiers were not obfuscated, names like "append" were not replaced as per ea2e0bdf71, meaning that the shadowing would still affect us. Fixes #417.
3 years ago
// Only obfuscate the literals here if the flag is on
// and if the package in question is to be obfuscated.
support GOGARBLE=* with -literals again We recently made an important change when obfuscating the runtime, so that if it's missing any linkname packages in ListedPackages, it does an extra "go list" call to obtain their information. This works very well, but we missed an edge case. In main.go, we disable flagLiterals for the runtime package, but not for other packages like sync/atomic. And, since the runtime's extra "go list" has to compute GarbleActionIDs, it uses the list of garble flags via appendFlags. Unfortunately, it thinks "-literals" isn't set, when it is, and the other packages see it as being set. This discrepancy results in link time errors, as each end of the linkname obfuscates with a different hash: > garble -literals build [stderr] # test/main jccGkbFG.(*yijmzGHo).String: relocation target jccGkbFG.e_77sflf not defined jQg9GEkg.(*NLxfRPAP).pB5p2ZP0: relocation target jQg9GEkg.ce66Fmzl not defined jQg9GEkg.(*NLxfRPAP).pB5p2ZP0: relocation target jQg9GEkg.e5kPa1qY not defined jQg9GEkg.(*NLxfRPAP).pB5p2ZP0: relocation target jQg9GEkg.aQ_3sL3Q not defined jQg9GEkg.(*NLxfRPAP).pB5p2ZP0: relocation target jQg9GEkg.zls3wmws not defined jQg9GEkg.(*NLxfRPAP).pB5p2ZP0: relocation target jQg9GEkg.g69WgKIS not defined To fix the problem, treat flagLiterals as read-only after flag.Parse, just like we already do with the other flags except flagDebugDir. The code that turned flagLiterals to false is no longer needed, as literals.Obfuscate is only called when ToObfuscate is true, and ToObfuscate is false for runtimeAndDeps already.
2 years ago
//
// We can't obfuscate literals in the runtime and its dependencies,
// because obfuscated literals sometimes escape to heap,
// and that's not allowed in the runtime itself.
unify the definition and storage of flag values The parent garble process parses the original flags, as provided by the user via the command line. Previously, those got stored in the shared cache file, so that child processes spawned by toolexec could see them. Unfortunately, this made the code relatively easy to misuse. A child process would always see flagLiterals as zero value, given that it should never see such a flag argument directly. Similarly, one would have to be careful with cached options, as they could only be consumed after the cache file is loaded. Simplify the situation by deduplicating the storage of flags. Now, the parent passes all flags onto children via toolexec. One exception is GarbleDir, which now becomes an env var. This seems in line with other top-level dirs like GARBLE_SHARED. Finally, we turn -seed into a flag.Value, which lets us implement its "set" behavior as part of flag.Parse. Overall, we barely reduce the amount of code involved, but we certainly remove a couple of footguns. As part of the cleanup, we also introduce appendFlags.
3 years ago
if flagLiterals && curPkg.ToObfuscate {
avoid obfuscating literals set via -ldflags=-X The -X linker flag sets a string variable to a given value, which is often used to inject strings such as versions. The way garble's literal obfuscation works, we replace string literals with anonymous functions which, when evaluated, result in the original string. Both of these features work fine separately, but when intersecting, they break. For example, given: var myVar = "original" [...] -ldflags=-X=main.myVar=replaced The -X flag effectively replaces the initial value, and -literals adds code to be run at init time: var myVar = "replaced" func init() { myVar = func() string { ... } } Since the init func runs later, -literals breaks -X. To avoid that problem, don't obfuscate literals whose variables are set via -ldflags=-X. We also leave TODOs about obfuscating those in the future, but we're also leaving regression tests to ensure we get it right. Fixes #323.
2 years ago
file = literals.Obfuscate(file, tf.info, fset, tf.linkerVariableStrings)
Remove unused imports via go/types. Fixes #481
2 years ago
// some imported constants might not be needed anymore, remove unnecessary imports
usedImports := make(map[string]bool)
ast.Inspect(file, func(n ast.Node) bool {
node, ok := n.(*ast.Ident)
if !ok {
return true
}
uses, ok := tf.info.Uses[node].(*types.PkgName)
if !ok {
return true
}
usedImports[uses.Imported().Path()] = true
return true
})
for _, imp := range file.Imports {
if imp.Name != nil && (imp.Name.Name == "_" || imp.Name.Name == ".") {
continue
}
path, err := strconv.Unquote(imp.Path.Value)
if err != nil {
panic(err)
}
// The import path can't be used directly here, because the actual
// path resolved via go/types might be different from the naive path.
lpkg, err := listPackage(path)
if err != nil {
panic(err)
}
if usedImports[lpkg.ImportPath] {
continue
}
if !astutil.DeleteImport(fset, file, path) {
panic(fmt.Sprintf("cannot delete unused import: %q", path))
}
}
obfuscate literals as part of transformGo (#299) This is easier to understand, since now the modification of the *ast.File is all within a single chunk of code. We can also simplify literals.Obfuscate to work on a single file, as transformGo runs in a loop. We also remove the "use receiver" TODOs, since the code is now in a different package and it can't declare methods on a type here.
3 years ago
}
support type switches with symbolic vars
5 years ago
pre := func(cursor *astutil.Cursor) bool {
clean up the function that walks the syntax tree Avoiding a type switch for the entire node prevents an indentation level. We can obtain obj and pkg early, and return early as well if either is uninteresting. That means less nil checks later on, which means even less indentation and complexity.
4 years ago
node, ok := cursor.Node().(*ast.Ident)
if !ok {
return true
}
implement TODO to use a name variable Slightly simplifies the main chunk of code. While here, improve the wording for when Go isn't installed correctly.
2 years ago
name := node.Name
if name == "_" {
clean up the function that walks the syntax tree Avoiding a type switch for the entire node prevents an indentation level. We can obtain obj and pkg early, and return early as well if either is uninteresting. That means less nil checks later on, which means even less indentation and complexity.
4 years ago
return true // unnamed remains unnamed
}
introduce a receiver type to transform a Go package Means that we no longer have to pass a dozen parameters around, mainly to transformGo. We can also start documenting what each of the fields actually does, and group them better. While at it, pkgPath and pkgScope can both be replaced by a *types.Package, since they're both accessible via trivially cheap methods.
4 years ago
obj := tf.info.ObjectOf(node)
clean up the function that walks the syntax tree Avoiding a type switch for the entire node prevents an indentation level. We can obtain obj and pkg early, and return early as well if either is uninteresting. That means less nil checks later on, which means even less indentation and complexity.
4 years ago
if obj == nil {
obfuscate all variable names, even local ones (#420) In the added test case, "garble -literals build" would fail: --- FAIL: TestScripts/literals (8.29s) testscript.go:397: > env GOPRIVATE=test/main > garble -literals build [stderr] # test/main Usz1FmFm.go:1: cannot call non-function string (type int), declared at Usz1FmFm.go:1 Usz1FmFm.go:1: string is not a type Usz1FmFm.go:1: cannot call non-function append (type int), declared at Usz1FmFm.go:1 That is, for input code such as: var append int println("foo") _ = append We'd end up with obfuscated code like: var append int println(func() string { // obfuscation... x = append(x, ...) // obfuscation... return string(x) }) _ = append Which would then break, as the code is shadowing the "append" builtin. To work around this, always obfuscate variable names, so we end up with: var mwu1xuNz int println(func() string { // obfuscation... x = append(x, ...) // obfuscation... return string(x) }) _ = mwu1xuNz This change shouldn't make the quality of our obfuscation stronger, as local variable names do not currently end up in Go binaries. However, this does make garble more consistent in treating identifiers, and it completely avoids any issues related to shadowing builtins. Moreover, this also paves the way for publishing obfuscated source code, such as #369. Fixes #417.
3 years ago
_, isImplicit := tf.info.Defs[node]
_, parentIsFile := cursor.Parent().(*ast.File)
minor code tidying up We don't need to nest the RemoveAll and MkdirAll calls for debugdir. Fill the string for -toolexec= when we actually append it to goArgs. Consistently use the objectString type alias. Remove unnecessary parameter names in transformFuncs. Unindent the code for switch variables by reversing the conditional.
2 years ago
if !isImplicit || parentIsFile {
// We only care about nil objects in the switch scenario below.
obfuscate all variable names, even local ones (#420) In the added test case, "garble -literals build" would fail: --- FAIL: TestScripts/literals (8.29s) testscript.go:397: > env GOPRIVATE=test/main > garble -literals build [stderr] # test/main Usz1FmFm.go:1: cannot call non-function string (type int), declared at Usz1FmFm.go:1 Usz1FmFm.go:1: string is not a type Usz1FmFm.go:1: cannot call non-function append (type int), declared at Usz1FmFm.go:1 That is, for input code such as: var append int println("foo") _ = append We'd end up with obfuscated code like: var append int println(func() string { // obfuscation... x = append(x, ...) // obfuscation... return string(x) }) _ = append Which would then break, as the code is shadowing the "append" builtin. To work around this, always obfuscate variable names, so we end up with: var mwu1xuNz int println(func() string { // obfuscation... x = append(x, ...) // obfuscation... return string(x) }) _ = mwu1xuNz This change shouldn't make the quality of our obfuscation stronger, as local variable names do not currently end up in Go binaries. However, this does make garble more consistent in treating identifiers, and it completely avoids any issues related to shadowing builtins. Moreover, this also paves the way for publishing obfuscated source code, such as #369. Fixes #417.
3 years ago
return true
}
minor code tidying up We don't need to nest the RemoveAll and MkdirAll calls for debugdir. Fill the string for -toolexec= when we actually append it to goArgs. Consistently use the objectString type alias. Remove unnecessary parameter names in transformFuncs. Unindent the code for switch variables by reversing the conditional.
2 years ago
// In a type switch like "switch foo := bar.(type) {",
// "foo" is being declared as a symbolic variable,
// as it is only actually declared in each "case SomeType:".
//
// As such, the symbolic "foo" in the syntax tree has no object,
// but it is still recorded under Defs with a nil value.
// We still want to obfuscate that syntax tree identifier,
// so if we detect the case, create a dummy types.Var for it.
//
// Note that "package mypkg" also denotes a nil object in Defs,
// and we don't want to treat that "mypkg" as a variable,
// so avoid that case by checking the type of cursor.Parent.
obj = types.NewVar(node.Pos(), tf.pkg, name, nil)
clean up the function that walks the syntax tree Avoiding a type switch for the entire node prevents an indentation level. We can obtain obj and pkg early, and return early as well if either is uninteresting. That means less nil checks later on, which means even less indentation and complexity.
4 years ago
}
pkg := obj.Pkg()
first version of plugins working Add a caveat about -trimpath too. Fixes #18.
4 years ago
if vr, ok := obj.(*types.Var); ok && vr.Embedded() {
obfuscate alias names like any other objects Before this change, we would try to never obfuscate alias names. That was far from ideal, as they can end up in field names via anonymous fields. Even then, we would sometimes still fail to build, because we would inconsistently obfuscate alias names. For example, in the added test case: --- FAIL: TestScripts/syntax (0.23s) testscript.go:397: > env GOPRIVATE='test/main,private.source' > garble build [stderr] # test/main/sub Lv_a8gRD.go:15: undefined: KCvSpxmQ To fix this problem, we set obj to be the TypeName corresponding to the alias when it is used as an embedded field. We can then make the right choice when obfuscating the name. Right now, all aliases will be obfuscated. A TODO exists about not obfuscating alias names when they're used as embedded fields in a struct type in the same package, and that package is used for reflection - since then, the alias name ends up as the field name. With these changes, the protobuf module now builds.
3 years ago
// The docs for ObjectOf say:
//
// If id is an embedded struct field, ObjectOf returns the
// field (*Var) it defines, not the type (*TypeName) it uses.
//
// If this embedded field is a type alias, we want to
support aliases as embedded fields in dependencies Our recent work in fieldToAlias worked well when the embedded field declaration (using an alias) was in the same package as the use of that field. We would have the *ast.Ident for the field declaration, so types.Info.Uses would give us the TypeName for the alias. Unfortunately, if the declaration was in a dependency package, we did not have that same *ast.Ident, as we weren't parsing the source code for dependencies for type-checking. This resulted in us incorrectly obfuscating the use of such an embedded field: > garble build [stderr] # test/main JtzmzxWf.go:4: unknown field 'ExternalForeignAlias' in struct literal of type _BdSNiEL.Vcs_smer To fix this, look through the direct imports of the package defining the field to find an alias under the exact same name. Not a foolproof solution, as there's a TODO, but it should work for most cases. Fixes the obfuscation of google.golang.org/grpc/internal/status, too. Updates #349.
3 years ago
// handle the alias's TypeName instead of treating it as
// the type the alias points to.
obfuscate alias names like any other objects Before this change, we would try to never obfuscate alias names. That was far from ideal, as they can end up in field names via anonymous fields. Even then, we would sometimes still fail to build, because we would inconsistently obfuscate alias names. For example, in the added test case: --- FAIL: TestScripts/syntax (0.23s) testscript.go:397: > env GOPRIVATE='test/main,private.source' > garble build [stderr] # test/main/sub Lv_a8gRD.go:15: undefined: KCvSpxmQ To fix this problem, we set obj to be the TypeName corresponding to the alias when it is used as an embedded field. We can then make the right choice when obfuscating the name. Right now, all aliases will be obfuscated. A TODO exists about not obfuscating alias names when they're used as embedded fields in a struct type in the same package, and that package is used for reflection - since then, the alias name ends up as the field name. With these changes, the protobuf module now builds.
3 years ago
//
properly record when type aliases are embedded as fields There are two scenarios when it comes to embedding fields. The first is easy, and we always handled it well: type Named struct { Foo int } type T struct { Named } In this scenario, T ends up with an embedded field named "Named", and a promoted field named "Foo". Then there's the form with a type alias: type Named struct { Foo int } type Alias = Named type T struct { Alias } This case is different: T ends up with an embedded field named "Alias", and a promoted field named "Foo". Note how the field gets its name from the referenced type, even if said type is just an alias to another type. This poses two problems. First, we must obfuscate the field T.Alias as the name "Alias", and not as the name "Named" that the alias points to. Second, we must be careful of cases where Named and Alias are declared in different packages, as they will obfuscate the same name differently. Both of those problems compounded in the reported issue. The actual reason is that quic-go has a type alias in the form of: type ConnectionState = qtls.ConnectionState In other words, the entire problem boils down to a type alias which points to a named type in a different package, where both types share the same name. For example: package parent import "parent/p1" type T struct { p1.SameName } [...] package p1 import "parent/p2" type SameName = p2.SameName [...] package p2 type SameName struct { Foo int } This broke garble because we had a heuristic to detect when an embedded field was a type alias: // Instead, detect such a "foreign alias embed". // If we embed a final named type, // but the field name does not match its name, // then it must have been done via an alias. // We dig out the alias's TypeName via locateForeignAlias. if named.Obj().Name() != node.Name { As the reader can deduce, this heuristic would incorrectly assume that the snippet above does not embed a type alias, when in fact it does. When obfuscating the field T.SameName, which uses a type alias, we would correctly obfuscate the name "SameName", but we would incorrectly obfuscate it with the package p2, not p1. This would then result in build errors. To fix this problem for good, we need to get rid of the heuristic. Instead, we now mimic what was done for KnownCannotObfuscate, but for embedded fields which use type aliases. KnownEmbeddedAliasFields is now filled for each package and stored in the cache as part of cachedOutput. We can then detect the "embedded alias" case reliably, even when the field is declared in an imported package. On the plus side, we get to remove locateForeignAlias. We also add a couple of TODOs to record further improvements. Finally, add a test. Fixes #466.
2 years ago
// Alternatively, if we don't have an alias, we still want to
obfuscate alias names like any other objects Before this change, we would try to never obfuscate alias names. That was far from ideal, as they can end up in field names via anonymous fields. Even then, we would sometimes still fail to build, because we would inconsistently obfuscate alias names. For example, in the added test case: --- FAIL: TestScripts/syntax (0.23s) testscript.go:397: > env GOPRIVATE='test/main,private.source' > garble build [stderr] # test/main/sub Lv_a8gRD.go:15: undefined: KCvSpxmQ To fix this problem, we set obj to be the TypeName corresponding to the alias when it is used as an embedded field. We can then make the right choice when obfuscating the name. Right now, all aliases will be obfuscated. A TODO exists about not obfuscating alias names when they're used as embedded fields in a struct type in the same package, and that package is used for reflection - since then, the alias name ends up as the field name. With these changes, the protobuf module now builds.
3 years ago
// use the embedded type, not the field.
properly record when type aliases are embedded as fields There are two scenarios when it comes to embedding fields. The first is easy, and we always handled it well: type Named struct { Foo int } type T struct { Named } In this scenario, T ends up with an embedded field named "Named", and a promoted field named "Foo". Then there's the form with a type alias: type Named struct { Foo int } type Alias = Named type T struct { Alias } This case is different: T ends up with an embedded field named "Alias", and a promoted field named "Foo". Note how the field gets its name from the referenced type, even if said type is just an alias to another type. This poses two problems. First, we must obfuscate the field T.Alias as the name "Alias", and not as the name "Named" that the alias points to. Second, we must be careful of cases where Named and Alias are declared in different packages, as they will obfuscate the same name differently. Both of those problems compounded in the reported issue. The actual reason is that quic-go has a type alias in the form of: type ConnectionState = qtls.ConnectionState In other words, the entire problem boils down to a type alias which points to a named type in a different package, where both types share the same name. For example: package parent import "parent/p1" type T struct { p1.SameName } [...] package p1 import "parent/p2" type SameName = p2.SameName [...] package p2 type SameName struct { Foo int } This broke garble because we had a heuristic to detect when an embedded field was a type alias: // Instead, detect such a "foreign alias embed". // If we embed a final named type, // but the field name does not match its name, // then it must have been done via an alias. // We dig out the alias's TypeName via locateForeignAlias. if named.Obj().Name() != node.Name { As the reader can deduce, this heuristic would incorrectly assume that the snippet above does not embed a type alias, when in fact it does. When obfuscating the field T.SameName, which uses a type alias, we would correctly obfuscate the name "SameName", but we would incorrectly obfuscate it with the package p2, not p1. This would then result in build errors. To fix this problem for good, we need to get rid of the heuristic. Instead, we now mimic what was done for KnownCannotObfuscate, but for embedded fields which use type aliases. KnownEmbeddedAliasFields is now filled for each package and stored in the cache as part of cachedOutput. We can then detect the "embedded alias" case reliably, even when the field is declared in an imported package. On the plus side, we get to remove locateForeignAlias. We also add a couple of TODOs to record further improvements. Finally, add a test. Fixes #466.
2 years ago
vrStr := recordedObjectString(vr)
aliasTypeName, ok := cachedOutput.KnownEmbeddedAliasFields[vrStr]
if ok {
pkg2 := tf.pkg
remove TODO for tf.pkg.Imports I tried to fix the TODO, but ran into the problem described by the added documentation - that some packages in the import graph are incomplete, as go/types was clever and didn't fully load them. While here, also make the panics a bit more descriptive, which helped me debug what was going wrong after the attempted refactor.
2 years ago
if path := aliasTypeName.PkgPath; pkg2.Path() != path {
// If the package is a dependency, import it.
// We can't grab the package via tf.pkg.Imports,
// because some of the packages under there are incomplete.
// ImportFrom will cache complete imports, anyway.
properly record when type aliases are embedded as fields There are two scenarios when it comes to embedding fields. The first is easy, and we always handled it well: type Named struct { Foo int } type T struct { Named } In this scenario, T ends up with an embedded field named "Named", and a promoted field named "Foo". Then there's the form with a type alias: type Named struct { Foo int } type Alias = Named type T struct { Alias } This case is different: T ends up with an embedded field named "Alias", and a promoted field named "Foo". Note how the field gets its name from the referenced type, even if said type is just an alias to another type. This poses two problems. First, we must obfuscate the field T.Alias as the name "Alias", and not as the name "Named" that the alias points to. Second, we must be careful of cases where Named and Alias are declared in different packages, as they will obfuscate the same name differently. Both of those problems compounded in the reported issue. The actual reason is that quic-go has a type alias in the form of: type ConnectionState = qtls.ConnectionState In other words, the entire problem boils down to a type alias which points to a named type in a different package, where both types share the same name. For example: package parent import "parent/p1" type T struct { p1.SameName } [...] package p1 import "parent/p2" type SameName = p2.SameName [...] package p2 type SameName struct { Foo int } This broke garble because we had a heuristic to detect when an embedded field was a type alias: // Instead, detect such a "foreign alias embed". // If we embed a final named type, // but the field name does not match its name, // then it must have been done via an alias. // We dig out the alias's TypeName via locateForeignAlias. if named.Obj().Name() != node.Name { As the reader can deduce, this heuristic would incorrectly assume that the snippet above does not embed a type alias, when in fact it does. When obfuscating the field T.SameName, which uses a type alias, we would correctly obfuscate the name "SameName", but we would incorrectly obfuscate it with the package p2, not p1. This would then result in build errors. To fix this problem for good, we need to get rid of the heuristic. Instead, we now mimic what was done for KnownCannotObfuscate, but for embedded fields which use type aliases. KnownEmbeddedAliasFields is now filled for each package and stored in the cache as part of cachedOutput. We can then detect the "embedded alias" case reliably, even when the field is declared in an imported package. On the plus side, we get to remove locateForeignAlias. We also add a couple of TODOs to record further improvements. Finally, add a test. Fixes #466.
2 years ago
var err error
remove TODO for tf.pkg.Imports I tried to fix the TODO, but ran into the problem described by the added documentation - that some packages in the import graph are incomplete, as go/types was clever and didn't fully load them. While here, also make the panics a bit more descriptive, which helped me debug what was going wrong after the attempted refactor.
2 years ago
pkg2, err = origImporter.ImportFrom(path, parentWorkDir, 0)
properly record when type aliases are embedded as fields There are two scenarios when it comes to embedding fields. The first is easy, and we always handled it well: type Named struct { Foo int } type T struct { Named } In this scenario, T ends up with an embedded field named "Named", and a promoted field named "Foo". Then there's the form with a type alias: type Named struct { Foo int } type Alias = Named type T struct { Alias } This case is different: T ends up with an embedded field named "Alias", and a promoted field named "Foo". Note how the field gets its name from the referenced type, even if said type is just an alias to another type. This poses two problems. First, we must obfuscate the field T.Alias as the name "Alias", and not as the name "Named" that the alias points to. Second, we must be careful of cases where Named and Alias are declared in different packages, as they will obfuscate the same name differently. Both of those problems compounded in the reported issue. The actual reason is that quic-go has a type alias in the form of: type ConnectionState = qtls.ConnectionState In other words, the entire problem boils down to a type alias which points to a named type in a different package, where both types share the same name. For example: package parent import "parent/p1" type T struct { p1.SameName } [...] package p1 import "parent/p2" type SameName = p2.SameName [...] package p2 type SameName struct { Foo int } This broke garble because we had a heuristic to detect when an embedded field was a type alias: // Instead, detect such a "foreign alias embed". // If we embed a final named type, // but the field name does not match its name, // then it must have been done via an alias. // We dig out the alias's TypeName via locateForeignAlias. if named.Obj().Name() != node.Name { As the reader can deduce, this heuristic would incorrectly assume that the snippet above does not embed a type alias, when in fact it does. When obfuscating the field T.SameName, which uses a type alias, we would correctly obfuscate the name "SameName", but we would incorrectly obfuscate it with the package p2, not p1. This would then result in build errors. To fix this problem for good, we need to get rid of the heuristic. Instead, we now mimic what was done for KnownCannotObfuscate, but for embedded fields which use type aliases. KnownEmbeddedAliasFields is now filled for each package and stored in the cache as part of cachedOutput. We can then detect the "embedded alias" case reliably, even when the field is declared in an imported package. On the plus side, we get to remove locateForeignAlias. We also add a couple of TODOs to record further improvements. Finally, add a test. Fixes #466.
2 years ago
if err != nil {
panic(err)
}
}
tname, ok := pkg2.Scope().Lookup(aliasTypeName.Name).(*types.TypeName)
if !ok || !tname.IsAlias() {
remove TODO for tf.pkg.Imports I tried to fix the TODO, but ran into the problem described by the added documentation - that some packages in the import graph are incomplete, as go/types was clever and didn't fully load them. While here, also make the panics a bit more descriptive, which helped me debug what was going wrong after the attempted refactor.
2 years ago
if !ok {
panic(fmt.Sprintf("KnownEmbeddedAliasFields pointed %q to a missing type %q", vrStr, aliasTypeName))
}
panic(fmt.Sprintf("KnownEmbeddedAliasFields pointed %q to a non-alias type %q", vrStr, aliasTypeName))
handle aliases to foreign named types properly When such an alias name was used to define an embedded field, we handled that case gracefully via the code using: tf.info.Uses[node].(*types.TypeName) Unfortunately, when the same field name was used elsewhere, such as a composite literal, tf.Info.Uses gave us a *types.Var, not a *types.TypeName, meaning we could no longer tell if this was an alias, or what it pointed to. Thus, we failed to obfuscate the name properly in the added test case: > garble build [stderr] # test/main/sub xxWZf66u.go:36: unknown field 'foreignAlias' in struct literal of type smhWelwn It doesn't seem like any of the go/types APIs allows us to obtain the *types.TypeName directly in this scenario. Thus, use a trick that we used before: after typechecking, but before obfuscating, record all embedded struct field *types.Var which are aliases via a map, where the value holds the *types.TypeName for the alias. Updates #349.
3 years ago
}
obfuscate alias names like any other objects Before this change, we would try to never obfuscate alias names. That was far from ideal, as they can end up in field names via anonymous fields. Even then, we would sometimes still fail to build, because we would inconsistently obfuscate alias names. For example, in the added test case: --- FAIL: TestScripts/syntax (0.23s) testscript.go:397: > env GOPRIVATE='test/main,private.source' > garble build [stderr] # test/main/sub Lv_a8gRD.go:15: undefined: KCvSpxmQ To fix this problem, we set obj to be the TypeName corresponding to the alias when it is used as an embedded field. We can then make the right choice when obfuscating the name. Right now, all aliases will be obfuscated. A TODO exists about not obfuscating alias names when they're used as embedded fields in a struct type in the same package, and that package is used for reflection - since then, the alias name ends up as the field name. With these changes, the protobuf module now builds.
3 years ago
obj = tname
} else {
named := namedType(obj.Type())
if named == nil {
return true // unnamed type (probably a basic type, e.g. int)
}
properly record when type aliases are embedded as fields There are two scenarios when it comes to embedding fields. The first is easy, and we always handled it well: type Named struct { Foo int } type T struct { Named } In this scenario, T ends up with an embedded field named "Named", and a promoted field named "Foo". Then there's the form with a type alias: type Named struct { Foo int } type Alias = Named type T struct { Alias } This case is different: T ends up with an embedded field named "Alias", and a promoted field named "Foo". Note how the field gets its name from the referenced type, even if said type is just an alias to another type. This poses two problems. First, we must obfuscate the field T.Alias as the name "Alias", and not as the name "Named" that the alias points to. Second, we must be careful of cases where Named and Alias are declared in different packages, as they will obfuscate the same name differently. Both of those problems compounded in the reported issue. The actual reason is that quic-go has a type alias in the form of: type ConnectionState = qtls.ConnectionState In other words, the entire problem boils down to a type alias which points to a named type in a different package, where both types share the same name. For example: package parent import "parent/p1" type T struct { p1.SameName } [...] package p1 import "parent/p2" type SameName = p2.SameName [...] package p2 type SameName struct { Foo int } This broke garble because we had a heuristic to detect when an embedded field was a type alias: // Instead, detect such a "foreign alias embed". // If we embed a final named type, // but the field name does not match its name, // then it must have been done via an alias. // We dig out the alias's TypeName via locateForeignAlias. if named.Obj().Name() != node.Name { As the reader can deduce, this heuristic would incorrectly assume that the snippet above does not embed a type alias, when in fact it does. When obfuscating the field T.SameName, which uses a type alias, we would correctly obfuscate the name "SameName", but we would incorrectly obfuscate it with the package p2, not p1. This would then result in build errors. To fix this problem for good, we need to get rid of the heuristic. Instead, we now mimic what was done for KnownCannotObfuscate, but for embedded fields which use type aliases. KnownEmbeddedAliasFields is now filled for each package and stored in the cache as part of cachedOutput. We can then detect the "embedded alias" case reliably, even when the field is declared in an imported package. On the plus side, we get to remove locateForeignAlias. We also add a couple of TODOs to record further improvements. Finally, add a test. Fixes #466.
2 years ago
obj = named.Obj()
handle embedded struct fields with universe scope Whilst it may not be particularly common, it is legal to embed fields where the type has universe scope (e.g. int, error, etc). This can cause a panic in 2 difference places: - When embedding `error`, a named type is resolved but the package is nil. The call to `pkg.Name()` results in a panic - When embedding a basic type such as `int`, no named type is resolved at all. The call to `namedType(obj.Type()).Obj()` results in a panic I'm assuming it is OK to return early when a named type cannot be resolved.. we could let it continue but I think `pkg` should be set to nil to be correct, so it'd end up returning straight away anyway.
4 years ago
}
first version of plugins working Add a caveat about -trimpath too. Fixes #18.
4 years ago
pkg = obj.Pkg()
}
handle embedded struct fields with universe scope Whilst it may not be particularly common, it is legal to embed fields where the type has universe scope (e.g. int, error, etc). This can cause a panic in 2 difference places: - When embedding `error`, a named type is resolved but the package is nil. The call to `pkg.Name()` results in a panic - When embedding a basic type such as `int`, no named type is resolved at all. The call to `namedType(obj.Type()).Obj()` results in a panic I'm assuming it is OK to return early when a named type cannot be resolved.. we could let it continue but I think `pkg` should be set to nil to be correct, so it'd end up returning straight away anyway.
4 years ago
if pkg == nil {
return true // universe scope
}
first version of plugins working Add a caveat about -trimpath too. Fixes #18.
4 years ago
support embedding via embed.FS We already added support for "//go:embed" with string and []byte, by not obfuscating the "embed" import path. However, embed.FS was still failing: > garble build [stderr] # test/main :13: go:embed cannot apply to var of type embed.WtKNvwbN The compiler detects the type by matching its name to exactly "embed.FS", so don't obfuscate the name "FS" either. While at it, ensure that the embed code behaves the same with "go build". Updates #349.
3 years ago
if pkg.Path() == "embed" {
// The Go compiler needs to detect types such as embed.FS.
// That will fail if we change the import path or type name.
// Leave it as is.
// Luckily, the embed package just declares the FS type.
return true
}
clarify how each "cannot obfuscate" map works We used to record all objects in cannotObfuscateNames, and then we'd add the exported ones to KnownCannotObfuscate. Instead, teach recordAsNotObfuscated to store each object in either knownCannotObfuscateUnexported or KnownCannotObfuscate, but not both. The former isn't cached so it uses in-memory pointers as keys, and the latter uses the cross-process objectStrings like before. Functionally, this is all the same, but with the difference that the map indexed by types.Object will not contain objects already recorded in KnownCannotObfuscate, reducing the amount of duplicate memory use. While here, give recordIgnore a less ambiguous name, and remove the second parameter as it was always tf.pkg.Path(). This also means we can compare *types.Package pointers directly. Finally, add more TODOs for further improvement ideas. It does mean that we end up with more TODOs than before, even though I'm fixing one, but I reckon that's a good thing. Recording these ideas can give first-time contributors ways to help, and it ensures I don't forget about ideas just in my head.
2 years ago
// The package that declared this object did not obfuscate it.
stop loading obfuscated type information from deps If package P1 imports package P2, P1 needs to know which names from P2 weren't obfuscated. For instance, if P2 declares T2 and does "reflect.TypeOf(T2{...})", then P2 won't obfuscate the name T2, and neither should P1. This information should flow from P2 to P1, as P2 builds before P1. We do this via obfuscatedTypesPackage; P1 loads the type information of the obfuscated version of P2, and does a lookup for T2. If T2 exists, then it wasn't obfuscated. This mechanism has served us well, but it has downsides: 1) It wastes CPU; we load the type information for the entire package. 2) It's complex; for instance, we need KnownObjectFiles as an extra. 3) It makes our code harder to understand, as we load both the original and obfuscated type informaiton. Instead, we now have each package record what names were not obfuscated as part of its cachedOuput file. Much like KnownObjectFiles, the map records incrementally through the import graph, to avoid having to load cachedOutput files for indirect dependencies. We shouldn't need to worry about those maps getting large; we only skip obfuscating declared names in a few uncommon scenarios, such as the use of reflection or cgo's "//export". Since go/types is relatively allocation-heavy, and the export files contain a lot of data, we get a nice speed-up: name old time/op new time/op delta Build-16 11.5s ± 2% 11.1s ± 3% -3.77% (p=0.008 n=5+5) name old bin-B new bin-B delta Build-16 5.15M ± 0% 5.15M ± 0% ~ (all equal) name old cached-time/op new cached-time/op delta Build-16 375ms ± 3% 341ms ± 6% -8.96% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build-16 283ms ±17% 289ms ±13% ~ (p=0.841 n=5+5) name old user-time/op new user-time/op delta Build-16 687ms ± 6% 664ms ± 7% ~ (p=0.548 n=5+5) Fixes #456. Updates #475.
2 years ago
if recordedAsNotObfuscated(obj) {
return true
}
// TODO(mvdan): investigate obfuscating these too.
filename := fset.Position(obj.Pos()).Filename
if strings.HasPrefix(filename, "_cgo_") || strings.Contains(filename, ".cgo1.") {
blacklist struct fields with reflection too In the added test, the unexported field used to be garbled. Reflection can only reach exported methods, exported fields, and unexported fields. Exported methods and fields are currently never garbled, so unexported fields was the only missing piece.
4 years ago
return true
exclude identifiers used via reflection If reflect.TypeOf or reflect.ValueOf are used on a type declared in the same package, don't garble that type name or any of its fields. Fixes #15.
4 years ago
}
Fix bug where structs would get garbled in some packages but not in others (#161) * fix bug where structs would get garbled in some packages but not in others * only check if struct/field was not defined in current package * fix a related bug when two objects share the same name in the same package and one is garbled but the other one is not * renamed parameter for clarity
4 years ago
path := pkg.Path()
refactor "current package" with TOOLEXEC_IMPORTPATH (#266) Now that we've dropped support for Go 1.15.x, we can finally rely on this environment variable for toolexec calls, present in Go 1.16. Before, we had hacky ways of trying to figure out the current package's import path, mostly from the -p flag. The biggest rough edge there was that, for main packages, that was simply the package name, and not its full import path. To work around that, we had a restriction on a single main package, so we could work around that issue. That restriction is now gone. The new code is simpler, especially because we can set curPkg in a single place for all toolexec transform funcs. Since we can always rely on curPkg not being nil now, we can also start reusing listedPackage.Private and avoid the majority of repeated calls to isPrivate. The function is cheap, but still not free. isPrivate itself can also get simpler. We no longer have to worry about the "main" edge case. Plus, the sanity check for invalid package paths is now unnecessary; we only got malformed paths from goobj2, and we now require exact matches with the ImportPath field from "go list -json". Another effect of clearing up the "main" edge case is that -debugdir now uses the right directory for main packages. We also start using consistent debugdir paths in the tests, for the sake of being easier to read and maintain. Finally, note that commandReverse did not need the extra call to "go list -toolexec", as the "shared" call stored in the cache is enough. We still call toolexecCmd to get said cache, which should probably be simplified in a future PR. While at it, replace the use of the "-std" compiler flag with the Standard field from "go list -json".
3 years ago
lpkg, err := listPackage(path)
if err != nil {
panic(err) // shouldn't happen
}
deprecate using GOPRIVATE in favor of GOGARBLE (#427) Piggybacking off of GOPRIVATE is great for a number of reasons: * People tend to obfuscate private code, whose package paths will generally be in GOPRIVATE already * Its meaning and syntax are well understood * It allows all the flexibility we need without adding our own env var or config option However, using GOPRIVATE directly has one main drawback. It's fairly common to also want to obfuscate public dependencies, to make the code in private packages even harder to follow. However, using "GOPRIVATE=*" will result in two main downsides: * GONOPROXY defaults to GOPRIVATE, so the proxy would be entirely disabled. Downloading modules, such as when adding or updating dependencies, or when the local cache is cold, can be less reliable. * GONOSUMDB defaults to GOPRIVATE, so the sumdb would be entirely disabled. Adding entries to go.sum, such as when adding or updating dependencies, can be less secure. We will continue to consume GOPRIVATE as a fallback, but we now expect users to set GOGARBLE instead. The new logic is documented in the README. While here, rewrite some uses of "private" with "to obfuscate", to make the code easier to follow and harder to misunderstand. Fixes #276.
3 years ago
if !lpkg.ToObfuscate {
return true // we're not obfuscating this package
Fix bug where structs would get garbled in some packages but not in others (#161) * fix bug where structs would get garbled in some packages but not in others * only check if struct/field was not defined in current package * fix a related bug when two objects share the same name in the same package and one is garbled but the other one is not * renamed parameter for clarity
4 years ago
}
hash field names equally in all packages Packages P1 and P2 can define identical struct types T1 and T2, and one can convert from type T1 to T2 or vice versa. The spec defines two identical struct types as: Two struct types are identical if they have the same sequence of fields, and if corresponding fields have the same names, and identical types, and identical tags. Non-exported field names from different packages are always different. Unfortunately, garble broke this: since we obfuscated field names differently depending on the package, cross-package conversions like the case above would result in typechecking errors. To fix this, implement Joe Tsai's idea: hash struct field names with the string representation of the entire struct. This way, identical struct types will have their field names obfuscated in the same way in all packages across a build. Note that we had to refactor "reverse" a bit to start using transformer, since now it needs to keep track of struct types as well. This failure was affecting the build of google.golang.org/protobuf, since it makes regular use of cross-package struct conversions. Note that the protobuf module still fails to build, but for other reasons. The package that used to fail now succeeds, so the build gets a bit further than before. #240 tracks adding relevant third-party Go modules to CI, so we'll track the other remaining failures there. Fixes #310.
3 years ago
hashToUse := lpkg.GarbleActionID
add -debug to aid in debugging (#431) Not really meant for end users, but they might still debug failures before filing bugs. We add the -debug flag itself, as well as machinery to deduplicate output lines. There are quite a lot of them otherwise, which aren't helpful and simply add noise. In the future, if we always want to output a debug log line, such as "choosing not to obfuscate here because X", we can simply insert the unique position string. Finally, turn all commented-out log.Printf calls to debugf. Improve a few log lines to be more human-friendly, and also add a few extras like how long it takes to load files. We can improve the logging further in the future. This seems like a good starting point.
3 years ago
debugName := "variable"
Fix bug where structs would get garbled in some packages but not in others (#161) * fix bug where structs would get garbled in some packages but not in others * only check if struct/field was not defined in current package * fix a related bug when two objects share the same name in the same package and one is garbled but the other one is not * renamed parameter for clarity
4 years ago
add -debug to aid in debugging (#431) Not really meant for end users, but they might still debug failures before filing bugs. We add the -debug flag itself, as well as machinery to deduplicate output lines. There are quite a lot of them otherwise, which aren't helpful and simply add noise. In the future, if we always want to output a debug log line, such as "choosing not to obfuscate here because X", we can simply insert the unique position string. Finally, turn all commented-out log.Printf calls to debugf. Improve a few log lines to be more human-friendly, and also add a few extras like how long it takes to load files. We can improve the logging further in the future. This seems like a good starting point.
3 years ago
// debugf("%s: %#v %T", fset.Position(node.Pos()), node, obj)
simplify the uses of obfuscatedTypesPackage (#284) obfuscatedTypesPackage is now only useful for one scenario: a type which is used with reflection in a dependency, so neither its name nor any of its potential struct field names are obfuscated. This is because we can only detect the use of reflection with go/ast, which we don't have for dependencies. As such, we only need obfuscatedTypesPackage in two places - when considering to obfuscate a field or a type name. There were two other calls to the function, which we remove. The first was used for linkname directives. Those directives only work for variables and functions, neither of which is affected by the reflection detection. The second was used for all identifiers, at the very end of the transformGo inner func. It's entirely unnecessary right now, as it never triggers anymore. It's possible it was necessary some time ago when we still didn't obfuscate assembly functions. While at it, improve some comments and add a few TODOs for edge cases which do not have code coverage.
3 years ago
switch obj := obj.(type) {
clean up the function that walks the syntax tree Avoiding a type switch for the entire node prevents an indentation level. We can obtain obj and pkg early, and return early as well if either is uninteresting. That means less nil checks later on, which means even less indentation and complexity.
4 years ago
case *types.Var:
fix a number of issues involving types from indirect imports obfuscatedTypesPackage is used to figure out if a name in a dependency package was obfuscated or not. For example, if that package used reflection on a named type, it wasn't obfuscated, so we must have the same information to not obfuscate the same name downstream. obfuscatedTypesPackage could return nil if the package was indirectly imported, though. This can happen if a direct import has a function that returns an indirect type, or if a direct import exposes a name that's a type alias to an indirect type. We sort of dealt with this in two pieces of code by checking for obfPkg!=nil, but a third one did not have this check and caused a panic in the added test case: --- FAIL: TestScripts/reflect (0.81s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # test/main panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x8a5e39] More importantly though, the nil check only avoids panics. It doesn't fix the root cause of the problem: that importcfg does not contain indirectly imported packages. The added test case would still fail, as we would obfuscate a type in the main package, but not in the indirectly imported package where the type is defined. To fix this, resurrect a bit of code from earlier garble versions, which uses "go list -toolexec=garble" to fetch a package's export file. This lets us fill the indirect import gaps in importcfg, working around the problem entirely. This solution is still not particularly great, so we add a TODO about possibly rethinking this in the future. It does add some overhead and complexity, though thankfully indirect imports should be uncommon. This fixes a few panics while building the protobuf module.
3 years ago
if !obj.IsField() {
obfuscate all variable names, even local ones (#420) In the added test case, "garble -literals build" would fail: --- FAIL: TestScripts/literals (8.29s) testscript.go:397: > env GOPRIVATE=test/main > garble -literals build [stderr] # test/main Usz1FmFm.go:1: cannot call non-function string (type int), declared at Usz1FmFm.go:1 Usz1FmFm.go:1: string is not a type Usz1FmFm.go:1: cannot call non-function append (type int), declared at Usz1FmFm.go:1 That is, for input code such as: var append int println("foo") _ = append We'd end up with obfuscated code like: var append int println(func() string { // obfuscation... x = append(x, ...) // obfuscation... return string(x) }) _ = append Which would then break, as the code is shadowing the "append" builtin. To work around this, always obfuscate variable names, so we end up with: var mwu1xuNz int println(func() string { // obfuscation... x = append(x, ...) // obfuscation... return string(x) }) _ = mwu1xuNz This change shouldn't make the quality of our obfuscation stronger, as local variable names do not currently end up in Go binaries. However, this does make garble more consistent in treating identifiers, and it completely avoids any issues related to shadowing builtins. Moreover, this also paves the way for publishing obfuscated source code, such as #369. Fixes #417.
3 years ago
// Identifiers denoting variables are always obfuscated.
fix a number of issues involving types from indirect imports obfuscatedTypesPackage is used to figure out if a name in a dependency package was obfuscated or not. For example, if that package used reflection on a named type, it wasn't obfuscated, so we must have the same information to not obfuscate the same name downstream. obfuscatedTypesPackage could return nil if the package was indirectly imported, though. This can happen if a direct import has a function that returns an indirect type, or if a direct import exposes a name that's a type alias to an indirect type. We sort of dealt with this in two pieces of code by checking for obfPkg!=nil, but a third one did not have this check and caused a panic in the added test case: --- FAIL: TestScripts/reflect (0.81s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # test/main panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x8a5e39] More importantly though, the nil check only avoids panics. It doesn't fix the root cause of the problem: that importcfg does not contain indirectly imported packages. The added test case would still fail, as we would obfuscate a type in the main package, but not in the indirectly imported package where the type is defined. To fix this, resurrect a bit of code from earlier garble versions, which uses "go list -toolexec=garble" to fetch a package's export file. This lets us fill the indirect import gaps in importcfg, working around the problem entirely. This solution is still not particularly great, so we add a TODO about possibly rethinking this in the future. It does add some overhead and complexity, though thankfully indirect imports should be uncommon. This fixes a few panics while building the protobuf module.
3 years ago
break
}
add -debug to aid in debugging (#431) Not really meant for end users, but they might still debug failures before filing bugs. We add the -debug flag itself, as well as machinery to deduplicate output lines. There are quite a lot of them otherwise, which aren't helpful and simply add noise. In the future, if we always want to output a debug log line, such as "choosing not to obfuscate here because X", we can simply insert the unique position string. Finally, turn all commented-out log.Printf calls to debugf. Improve a few log lines to be more human-friendly, and also add a few extras like how long it takes to load files. We can improve the logging further in the future. This seems like a good starting point.
3 years ago
debugName = "field"
fix a number of issues involving types from indirect imports obfuscatedTypesPackage is used to figure out if a name in a dependency package was obfuscated or not. For example, if that package used reflection on a named type, it wasn't obfuscated, so we must have the same information to not obfuscate the same name downstream. obfuscatedTypesPackage could return nil if the package was indirectly imported, though. This can happen if a direct import has a function that returns an indirect type, or if a direct import exposes a name that's a type alias to an indirect type. We sort of dealt with this in two pieces of code by checking for obfPkg!=nil, but a third one did not have this check and caused a panic in the added test case: --- FAIL: TestScripts/reflect (0.81s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # test/main panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x8a5e39] More importantly though, the nil check only avoids panics. It doesn't fix the root cause of the problem: that importcfg does not contain indirectly imported packages. The added test case would still fail, as we would obfuscate a type in the main package, but not in the indirectly imported package where the type is defined. To fix this, resurrect a bit of code from earlier garble versions, which uses "go list -toolexec=garble" to fetch a package's export file. This lets us fill the indirect import gaps in importcfg, working around the problem entirely. This solution is still not particularly great, so we add a TODO about possibly rethinking this in the future. It does add some overhead and complexity, though thankfully indirect imports should be uncommon. This fixes a few panics while building the protobuf module.
3 years ago
// From this point on, we deal with struct fields.
hash field names equally in all packages Packages P1 and P2 can define identical struct types T1 and T2, and one can convert from type T1 to T2 or vice versa. The spec defines two identical struct types as: Two struct types are identical if they have the same sequence of fields, and if corresponding fields have the same names, and identical types, and identical tags. Non-exported field names from different packages are always different. Unfortunately, garble broke this: since we obfuscated field names differently depending on the package, cross-package conversions like the case above would result in typechecking errors. To fix this, implement Joe Tsai's idea: hash struct field names with the string representation of the entire struct. This way, identical struct types will have their field names obfuscated in the same way in all packages across a build. Note that we had to refactor "reverse" a bit to start using transformer, since now it needs to keep track of struct types as well. This failure was affecting the build of google.golang.org/protobuf, since it makes regular use of cross-package struct conversions. Note that the protobuf module still fails to build, but for other reasons. The package that used to fail now succeeds, so the build gets a bit further than before. #240 tracks adding relevant third-party Go modules to CI, so we'll track the other remaining failures there. Fixes #310.
3 years ago
// Fields don't get hashed with the package's action ID.
// They get hashed with the type of their parent struct.
// This is because one struct can be converted to another,
// as long as the underlying types are identical,
// even if the structs are defined in different packages.
//
// TODO: Consider only doing this for structs where all
// fields are exported. We only need this special case
// for cross-package conversions, which can't work if
// any field is unexported. If that is done, add a test
// that ensures unexported fields from different
// packages result in different obfuscated names.
fix a number of issues involving types from indirect imports obfuscatedTypesPackage is used to figure out if a name in a dependency package was obfuscated or not. For example, if that package used reflection on a named type, it wasn't obfuscated, so we must have the same information to not obfuscate the same name downstream. obfuscatedTypesPackage could return nil if the package was indirectly imported, though. This can happen if a direct import has a function that returns an indirect type, or if a direct import exposes a name that's a type alias to an indirect type. We sort of dealt with this in two pieces of code by checking for obfPkg!=nil, but a third one did not have this check and caused a panic in the added test case: --- FAIL: TestScripts/reflect (0.81s) testscript.go:397: > env GOPRIVATE=test/main > garble build [stderr] # test/main panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x8a5e39] More importantly though, the nil check only avoids panics. It doesn't fix the root cause of the problem: that importcfg does not contain indirectly imported packages. The added test case would still fail, as we would obfuscate a type in the main package, but not in the indirectly imported package where the type is defined. To fix this, resurrect a bit of code from earlier garble versions, which uses "go list -toolexec=garble" to fetch a package's export file. This lets us fill the indirect import gaps in importcfg, working around the problem entirely. This solution is still not particularly great, so we add a TODO about possibly rethinking this in the future. It does add some overhead and complexity, though thankfully indirect imports should be uncommon. This fixes a few panics while building the protobuf module.
3 years ago
strct := tf.fieldToStruct[obj]
if strct == nil {
implement TODO to use a name variable Slightly simplifies the main chunk of code. While here, improve the wording for when Go isn't installed correctly.
2 years ago
panic("could not find for " + name)
hash field names equally in all packages Packages P1 and P2 can define identical struct types T1 and T2, and one can convert from type T1 to T2 or vice versa. The spec defines two identical struct types as: Two struct types are identical if they have the same sequence of fields, and if corresponding fields have the same names, and identical types, and identical tags. Non-exported field names from different packages are always different. Unfortunately, garble broke this: since we obfuscated field names differently depending on the package, cross-package conversions like the case above would result in typechecking errors. To fix this, implement Joe Tsai's idea: hash struct field names with the string representation of the entire struct. This way, identical struct types will have their field names obfuscated in the same way in all packages across a build. Note that we had to refactor "reverse" a bit to start using transformer, since now it needs to keep track of struct types as well. This failure was affecting the build of google.golang.org/protobuf, since it makes regular use of cross-package struct conversions. Note that the protobuf module still fails to build, but for other reasons. The package that used to fail now succeeds, so the build gets a bit further than before. #240 tracks adding relevant third-party Go modules to CI, so we'll track the other remaining failures there. Fixes #310.
3 years ago
}
make obfuscation fully deterministic with -seed The default behavior of garble is to seed via the build inputs, including the build IDs of the entire Go build of each package. This works well as a default, and does give us determinism, but it means that building for different platforms will result in different obfuscation per platform. Instead, when -seed is provided, don't use any other hash seed or salt. This means that a particular Go name will be obfuscated the same way as long as the seed, package path, and name itself remain constant. In other words, when the user supplies a custom -seed, we assume they know what they're doing in terms of storage and rotation. Expand the README docs with more examples and detail. Fixes #449.
2 years ago
node.Name = hashWithStruct(strct, name)
debugf("%s %q hashed with struct fields to %q", debugName, name, node.Name)
return true
hash field names equally in all packages Packages P1 and P2 can define identical struct types T1 and T2, and one can convert from type T1 to T2 or vice versa. The spec defines two identical struct types as: Two struct types are identical if they have the same sequence of fields, and if corresponding fields have the same names, and identical types, and identical tags. Non-exported field names from different packages are always different. Unfortunately, garble broke this: since we obfuscated field names differently depending on the package, cross-package conversions like the case above would result in typechecking errors. To fix this, implement Joe Tsai's idea: hash struct field names with the string representation of the entire struct. This way, identical struct types will have their field names obfuscated in the same way in all packages across a build. Note that we had to refactor "reverse" a bit to start using transformer, since now it needs to keep track of struct types as well. This failure was affecting the build of google.golang.org/protobuf, since it makes regular use of cross-package struct conversions. Note that the protobuf module still fails to build, but for other reasons. The package that used to fail now succeeds, so the build gets a bit further than before. #240 tracks adding relevant third-party Go modules to CI, so we'll track the other remaining failures there. Fixes #310.
3 years ago
clean up the function that walks the syntax tree Avoiding a type switch for the entire node prevents an indentation level. We can obtain obj and pkg early, and return early as well if either is uninteresting. That means less nil checks later on, which means even less indentation and complexity.
4 years ago
case *types.TypeName:
add -debug to aid in debugging (#431) Not really meant for end users, but they might still debug failures before filing bugs. We add the -debug flag itself, as well as machinery to deduplicate output lines. There are quite a lot of them otherwise, which aren't helpful and simply add noise. In the future, if we always want to output a debug log line, such as "choosing not to obfuscate here because X", we can simply insert the unique position string. Finally, turn all commented-out log.Printf calls to debugf. Improve a few log lines to be more human-friendly, and also add a few extras like how long it takes to load files. We can improve the logging further in the future. This seems like a good starting point.
3 years ago
debugName = "type"
clean up the function that walks the syntax tree Avoiding a type switch for the entire node prevents an indentation level. We can obtain obj and pkg early, and return early as well if either is uninteresting. That means less nil checks later on, which means even less indentation and complexity.
4 years ago
case *types.Func:
sign := obj.Type().(*types.Signature)
add -debug to aid in debugging (#431) Not really meant for end users, but they might still debug failures before filing bugs. We add the -debug flag itself, as well as machinery to deduplicate output lines. There are quite a lot of them otherwise, which aren't helpful and simply add noise. In the future, if we always want to output a debug log line, such as "choosing not to obfuscate here because X", we can simply insert the unique position string. Finally, turn all commented-out log.Printf calls to debugf. Improve a few log lines to be more human-friendly, and also add a few extras like how long it takes to load files. We can improve the logging further in the future. This seems like a good starting point.
3 years ago
if sign.Recv() == nil {
debugName = "func"
} else {
debugName = "method"
}
clean up the function that walks the syntax tree Avoiding a type switch for the entire node prevents an indentation level. We can obtain obj and pkg early, and return early as well if either is uninteresting. That means less nil checks later on, which means even less indentation and complexity.
4 years ago
if obj.Exported() && sign.Recv() != nil {
return true // might implement an interface
initial support for cgo I'm sure that the added test case doesn't cover many edge cases, but it's a start. Fixes #12.
4 years ago
}
implement TODO to use a name variable Slightly simplifies the main chunk of code. While here, improve the wording for when Go isn't installed correctly.
2 years ago
switch name {
clean up the function that walks the syntax tree Avoiding a type switch for the entire node prevents an indentation level. We can obtain obj and pkg early, and return early as well if either is uninteresting. That means less nil checks later on, which means even less indentation and complexity.
4 years ago
case "main", "init", "TestMain":
return true // don't break them
}
implement TODO to use a name variable Slightly simplifies the main chunk of code. While here, improve the wording for when Go isn't installed correctly.
2 years ago
if strings.HasPrefix(name, "Test") && isTestSignature(sign) {
clean up the function that walks the syntax tree Avoiding a type switch for the entire node prevents an indentation level. We can obtain obj and pkg early, and return early as well if either is uninteresting. That means less nil checks later on, which means even less indentation and complexity.
4 years ago
return true // don't break tests
}
default:
return true // we only want to rename the above
}
fix garbling names belonging to indirect imports (#203) main.go includes a lengthy comment that documents this edge case, why it happened, and how we are fixing it. To summarize, we should no longer error with a build error in those cases. Read the comment for details. A few other minor changes were done to allow writing this patch. First, the actionID and contentID funcs were renamed, since they started to collide with variable names. Second, the logging has been improved a bit, which allowed me to debug the issue. Third, the "cache" global shared by all garble sub-processes now includes the necessary parameters to run "go list -toolexec", including the path to garble and the build flags being used. Thanks to lu4p for writing a test case, which also applied gofmt to that testdata Go file. Fixes #180. Closes #181, since it includes its test case.
4 years ago
make obfuscation fully deterministic with -seed The default behavior of garble is to seed via the build inputs, including the build IDs of the entire Go build of each package. This works well as a default, and does give us determinism, but it means that building for different platforms will result in different obfuscation per platform. Instead, when -seed is provided, don't use any other hash seed or salt. This means that a particular Go name will be obfuscated the same way as long as the seed, package path, and name itself remain constant. In other words, when the user supplies a custom -seed, we assume they know what they're doing in terms of storage and rotation. Expand the README docs with more examples and detail. Fixes #449.
2 years ago
node.Name = hashWithPackage(lpkg, name)
// TODO: probably move the debugf lines inside the hash funcs
implement TODO to use a name variable Slightly simplifies the main chunk of code. While here, improve the wording for when Go isn't installed correctly.
2 years ago
debugf("%s %q hashed with %x… to %q", debugName, name, hashToUse[:4], node.Name)
start hashing identifiers
5 years ago
return true
support type switches with symbolic vars
5 years ago
}
join the import-rewrite ast.Inspect with transformGo Walking the entire Go file again seems unnecessary, when we have an astutil.Apply just next to it. We could add to its "pre" function, but it's a bit easier to use the "post" instead, which is empty. Another advantage here is that astutil.Apply is more powerful than ast.Inspect, which can come in handy in the future.
3 years ago
post := func(cursor *astutil.Cursor) bool {
imp, ok := cursor.Node().(*ast.ImportSpec)
if !ok {
return true
}
path, err := strconv.Unquote(imp.Path.Value)
if err != nil {
panic(err) // should never happen
}
// We're importing an obfuscated package.
// Replace the import path with its obfuscated version.
// If the import was unnamed, give it the name of the
// original package name, to keep references working.
lpkg, err := listPackage(path)
if err != nil {
panic(err) // should never happen
}
deprecate using GOPRIVATE in favor of GOGARBLE (#427) Piggybacking off of GOPRIVATE is great for a number of reasons: * People tend to obfuscate private code, whose package paths will generally be in GOPRIVATE already * Its meaning and syntax are well understood * It allows all the flexibility we need without adding our own env var or config option However, using GOPRIVATE directly has one main drawback. It's fairly common to also want to obfuscate public dependencies, to make the code in private packages even harder to follow. However, using "GOPRIVATE=*" will result in two main downsides: * GONOPROXY defaults to GOPRIVATE, so the proxy would be entirely disabled. Downloading modules, such as when adding or updating dependencies, or when the local cache is cold, can be less reliable. * GONOSUMDB defaults to GOPRIVATE, so the sumdb would be entirely disabled. Adding entries to go.sum, such as when adding or updating dependencies, can be less secure. We will continue to consume GOPRIVATE as a fallback, but we now expect users to set GOGARBLE instead. The new logic is documented in the README. While here, rewrite some uses of "private" with "to obfuscate", to make the code easier to follow and harder to misunderstand. Fixes #276.
3 years ago
if !lpkg.ToObfuscate {
join the import-rewrite ast.Inspect with transformGo Walking the entire Go file again seems unnecessary, when we have an astutil.Apply just next to it. We could add to its "pre" function, but it's a bit easier to use the "post" instead, which is empty. Another advantage here is that astutil.Apply is more powerful than ast.Inspect, which can come in handy in the future.
3 years ago
return true
}
newPath := lpkg.obfuscatedImportPath()
imp.Path.Value = strconv.Quote(newPath)
if imp.Name == nil {
imp.Name = &ast.Ident{Name: lpkg.Name}
}
return true
}
return astutil.Apply(file, pre, post).(*ast.File)
start hashing identifiers
5 years ago
}
clarify how each "cannot obfuscate" map works We used to record all objects in cannotObfuscateNames, and then we'd add the exported ones to KnownCannotObfuscate. Instead, teach recordAsNotObfuscated to store each object in either knownCannotObfuscateUnexported or KnownCannotObfuscate, but not both. The former isn't cached so it uses in-memory pointers as keys, and the latter uses the cross-process objectStrings like before. Functionally, this is all the same, but with the difference that the map indexed by types.Object will not contain objects already recorded in KnownCannotObfuscate, reducing the amount of duplicate memory use. While here, give recordIgnore a less ambiguous name, and remove the second parameter as it was always tf.pkg.Path(). This also means we can compare *types.Package pointers directly. Finally, add more TODOs for further improvement ideas. It does mean that we end up with more TODOs than before, even though I'm fixing one, but I reckon that's a good thing. Recording these ideas can give first-time contributors ways to help, and it ensures I don't forget about ideas just in my head.
2 years ago
// recursivelyRecordAsNotObfuscated calls recordAsNotObfuscated on any named
// types and fields under typ.
record types into ignoreObjects more reliably Our previous logic only took care of fairly simple types, such as a simple struct or a pointer to a struct. If we had a struct embedding another struct, we'd fail to record the objects for the fields in the inner struct, and that would lead to miscompilation: > garble build [stderr] # test/main LZmt64Nm.go:7: outer.InnerField undefined (type *CcUt1wkQ.EmbeddingOuter has no field or method InnerField) To fix this issue, make the function that records all objects under a types.Type smarter. Since it now does more than just dealing with structs, it's also renamed. Since the function now walks types properly, we get to remove the extra ast.Inspect in recordReflectArgs, which is nice. We also make it a method, to avoid the map parameter. A boolean parameter is also added, since we need this feature to only look at the current package when looking at reflect calls. Finally, we add a test case, a simplified version of the original bug report. Fixes #315.
3 years ago
//
clarify how each "cannot obfuscate" map works We used to record all objects in cannotObfuscateNames, and then we'd add the exported ones to KnownCannotObfuscate. Instead, teach recordAsNotObfuscated to store each object in either knownCannotObfuscateUnexported or KnownCannotObfuscate, but not both. The former isn't cached so it uses in-memory pointers as keys, and the latter uses the cross-process objectStrings like before. Functionally, this is all the same, but with the difference that the map indexed by types.Object will not contain objects already recorded in KnownCannotObfuscate, reducing the amount of duplicate memory use. While here, give recordIgnore a less ambiguous name, and remove the second parameter as it was always tf.pkg.Path(). This also means we can compare *types.Package pointers directly. Finally, add more TODOs for further improvement ideas. It does mean that we end up with more TODOs than before, even though I'm fixing one, but I reckon that's a good thing. Recording these ideas can give first-time contributors ways to help, and it ensures I don't forget about ideas just in my head.
2 years ago
// Only the names declared in the current package are recorded. This is to ensure
skip reflection detection for sibling packages Our allPkgs boolean logic was wrong, because it could still lead to garble obfuscating a type when used in the main package, but not in its defining package. The added test case shows such a case. To fix that, use a package path to only record the named objects from the target package, which is a narrower operation without this problem, but still makes all our tests pass. This makes the google.golang.org/protobuf/internal/filetype package start building.
3 years ago
// that reflection detection only happens within the package declaring a type.
// Detecting it in downstream packages could result in inconsistencies.
clarify how each "cannot obfuscate" map works We used to record all objects in cannotObfuscateNames, and then we'd add the exported ones to KnownCannotObfuscate. Instead, teach recordAsNotObfuscated to store each object in either knownCannotObfuscateUnexported or KnownCannotObfuscate, but not both. The former isn't cached so it uses in-memory pointers as keys, and the latter uses the cross-process objectStrings like before. Functionally, this is all the same, but with the difference that the map indexed by types.Object will not contain objects already recorded in KnownCannotObfuscate, reducing the amount of duplicate memory use. While here, give recordIgnore a less ambiguous name, and remove the second parameter as it was always tf.pkg.Path(). This also means we can compare *types.Package pointers directly. Finally, add more TODOs for further improvement ideas. It does mean that we end up with more TODOs than before, even though I'm fixing one, but I reckon that's a good thing. Recording these ideas can give first-time contributors ways to help, and it ensures I don't forget about ideas just in my head.
2 years ago
func (tf *transformer) recursivelyRecordAsNotObfuscated(t types.Type) {
record types into ignoreObjects more reliably Our previous logic only took care of fairly simple types, such as a simple struct or a pointer to a struct. If we had a struct embedding another struct, we'd fail to record the objects for the fields in the inner struct, and that would lead to miscompilation: > garble build [stderr] # test/main LZmt64Nm.go:7: outer.InnerField undefined (type *CcUt1wkQ.EmbeddingOuter has no field or method InnerField) To fix this issue, make the function that records all objects under a types.Type smarter. Since it now does more than just dealing with structs, it's also renamed. Since the function now walks types properly, we get to remove the extra ast.Inspect in recordReflectArgs, which is nice. We also make it a method, to avoid the map parameter. A boolean parameter is also added, since we need this feature to only look at the current package when looking at reflect calls. Finally, we add a test case, a simplified version of the original bug report. Fixes #315.
3 years ago
switch t := t.(type) {
case *types.Named:
obj := t.Obj()
clarify how each "cannot obfuscate" map works We used to record all objects in cannotObfuscateNames, and then we'd add the exported ones to KnownCannotObfuscate. Instead, teach recordAsNotObfuscated to store each object in either knownCannotObfuscateUnexported or KnownCannotObfuscate, but not both. The former isn't cached so it uses in-memory pointers as keys, and the latter uses the cross-process objectStrings like before. Functionally, this is all the same, but with the difference that the map indexed by types.Object will not contain objects already recorded in KnownCannotObfuscate, reducing the amount of duplicate memory use. While here, give recordIgnore a less ambiguous name, and remove the second parameter as it was always tf.pkg.Path(). This also means we can compare *types.Package pointers directly. Finally, add more TODOs for further improvement ideas. It does mean that we end up with more TODOs than before, even though I'm fixing one, but I reckon that's a good thing. Recording these ideas can give first-time contributors ways to help, and it ensures I don't forget about ideas just in my head.
2 years ago
if obj.Pkg() == nil || obj.Pkg() != tf.pkg {
skip reflection detection for sibling packages Our allPkgs boolean logic was wrong, because it could still lead to garble obfuscating a type when used in the main package, but not in its defining package. The added test case shows such a case. To fix that, use a package path to only record the named objects from the target package, which is a narrower operation without this problem, but still makes all our tests pass. This makes the google.golang.org/protobuf/internal/filetype package start building.
3 years ago
return // not from the specified package
record types into ignoreObjects more reliably Our previous logic only took care of fairly simple types, such as a simple struct or a pointer to a struct. If we had a struct embedding another struct, we'd fail to record the objects for the fields in the inner struct, and that would lead to miscompilation: > garble build [stderr] # test/main LZmt64Nm.go:7: outer.InnerField undefined (type *CcUt1wkQ.EmbeddingOuter has no field or method InnerField) To fix this issue, make the function that records all objects under a types.Type smarter. Since it now does more than just dealing with structs, it's also renamed. Since the function now walks types properly, we get to remove the extra ast.Inspect in recordReflectArgs, which is nice. We also make it a method, to avoid the map parameter. A boolean parameter is also added, since we need this feature to only look at the current package when looking at reflect calls. Finally, we add a test case, a simplified version of the original bug report. Fixes #315.
3 years ago
}
clarify how each "cannot obfuscate" map works We used to record all objects in cannotObfuscateNames, and then we'd add the exported ones to KnownCannotObfuscate. Instead, teach recordAsNotObfuscated to store each object in either knownCannotObfuscateUnexported or KnownCannotObfuscate, but not both. The former isn't cached so it uses in-memory pointers as keys, and the latter uses the cross-process objectStrings like before. Functionally, this is all the same, but with the difference that the map indexed by types.Object will not contain objects already recorded in KnownCannotObfuscate, reducing the amount of duplicate memory use. While here, give recordIgnore a less ambiguous name, and remove the second parameter as it was always tf.pkg.Path(). This also means we can compare *types.Package pointers directly. Finally, add more TODOs for further improvement ideas. It does mean that we end up with more TODOs than before, even though I'm fixing one, but I reckon that's a good thing. Recording these ideas can give first-time contributors ways to help, and it ensures I don't forget about ideas just in my head.
2 years ago
if recordedAsNotObfuscated(obj) {
record types into ignoreObjects more reliably Our previous logic only took care of fairly simple types, such as a simple struct or a pointer to a struct. If we had a struct embedding another struct, we'd fail to record the objects for the fields in the inner struct, and that would lead to miscompilation: > garble build [stderr] # test/main LZmt64Nm.go:7: outer.InnerField undefined (type *CcUt1wkQ.EmbeddingOuter has no field or method InnerField) To fix this issue, make the function that records all objects under a types.Type smarter. Since it now does more than just dealing with structs, it's also renamed. Since the function now walks types properly, we get to remove the extra ast.Inspect in recordReflectArgs, which is nice. We also make it a method, to avoid the map parameter. A boolean parameter is also added, since we need this feature to only look at the current package when looking at reflect calls. Finally, we add a test case, a simplified version of the original bug report. Fixes #315.
3 years ago
return // prevent endless recursion
}
clarify how each "cannot obfuscate" map works We used to record all objects in cannotObfuscateNames, and then we'd add the exported ones to KnownCannotObfuscate. Instead, teach recordAsNotObfuscated to store each object in either knownCannotObfuscateUnexported or KnownCannotObfuscate, but not both. The former isn't cached so it uses in-memory pointers as keys, and the latter uses the cross-process objectStrings like before. Functionally, this is all the same, but with the difference that the map indexed by types.Object will not contain objects already recorded in KnownCannotObfuscate, reducing the amount of duplicate memory use. While here, give recordIgnore a less ambiguous name, and remove the second parameter as it was always tf.pkg.Path(). This also means we can compare *types.Package pointers directly. Finally, add more TODOs for further improvement ideas. It does mean that we end up with more TODOs than before, even though I'm fixing one, but I reckon that's a good thing. Recording these ideas can give first-time contributors ways to help, and it ensures I don't forget about ideas just in my head.
2 years ago
recordAsNotObfuscated(obj)
record types into ignoreObjects more reliably Our previous logic only took care of fairly simple types, such as a simple struct or a pointer to a struct. If we had a struct embedding another struct, we'd fail to record the objects for the fields in the inner struct, and that would lead to miscompilation: > garble build [stderr] # test/main LZmt64Nm.go:7: outer.InnerField undefined (type *CcUt1wkQ.EmbeddingOuter has no field or method InnerField) To fix this issue, make the function that records all objects under a types.Type smarter. Since it now does more than just dealing with structs, it's also renamed. Since the function now walks types properly, we get to remove the extra ast.Inspect in recordReflectArgs, which is nice. We also make it a method, to avoid the map parameter. A boolean parameter is also added, since we need this feature to only look at the current package when looking at reflect calls. Finally, we add a test case, a simplified version of the original bug report. Fixes #315.
3 years ago
// Record the underlying type, too.
clarify how each "cannot obfuscate" map works We used to record all objects in cannotObfuscateNames, and then we'd add the exported ones to KnownCannotObfuscate. Instead, teach recordAsNotObfuscated to store each object in either knownCannotObfuscateUnexported or KnownCannotObfuscate, but not both. The former isn't cached so it uses in-memory pointers as keys, and the latter uses the cross-process objectStrings like before. Functionally, this is all the same, but with the difference that the map indexed by types.Object will not contain objects already recorded in KnownCannotObfuscate, reducing the amount of duplicate memory use. While here, give recordIgnore a less ambiguous name, and remove the second parameter as it was always tf.pkg.Path(). This also means we can compare *types.Package pointers directly. Finally, add more TODOs for further improvement ideas. It does mean that we end up with more TODOs than before, even though I'm fixing one, but I reckon that's a good thing. Recording these ideas can give first-time contributors ways to help, and it ensures I don't forget about ideas just in my head.
2 years ago
tf.recursivelyRecordAsNotObfuscated(t.Underlying())
record types into ignoreObjects more reliably Our previous logic only took care of fairly simple types, such as a simple struct or a pointer to a struct. If we had a struct embedding another struct, we'd fail to record the objects for the fields in the inner struct, and that would lead to miscompilation: > garble build [stderr] # test/main LZmt64Nm.go:7: outer.InnerField undefined (type *CcUt1wkQ.EmbeddingOuter has no field or method InnerField) To fix this issue, make the function that records all objects under a types.Type smarter. Since it now does more than just dealing with structs, it's also renamed. Since the function now walks types properly, we get to remove the extra ast.Inspect in recordReflectArgs, which is nice. We also make it a method, to avoid the map parameter. A boolean parameter is also added, since we need this feature to only look at the current package when looking at reflect calls. Finally, we add a test case, a simplified version of the original bug report. Fixes #315.
3 years ago
case *types.Struct:
for i := 0; i < t.NumFields(); i++ {
field := t.Field(i)
improve handling of reflect on foreign unnamed types If a package A imports package B, and uses reflect.TypeOf on an unnamed struct type B.T (such as an alias), we don't want to record B.T's fields as "do not obfuscate". This is for the same reason that we don't if B.T is a named struct type: the detection only works for the package defining the type, as otherwise it's inconsistent. We failed to handle this case well, because we assumed all struct types would be under some named type. This is not the case for type aliases. Fortunately, struct fields are named, and as such they are objects. Check their package too, just like we do for named types. Fixes another build error when obfuscating the protobuf module. We add a simplified version of the example above as a test case, which originated from debugging the protobuf build failure.
3 years ago
// This check is similar to the one in *types.Named.
// It's necessary for unnamed struct types,
// as they aren't named but still have named fields.
clarify how each "cannot obfuscate" map works We used to record all objects in cannotObfuscateNames, and then we'd add the exported ones to KnownCannotObfuscate. Instead, teach recordAsNotObfuscated to store each object in either knownCannotObfuscateUnexported or KnownCannotObfuscate, but not both. The former isn't cached so it uses in-memory pointers as keys, and the latter uses the cross-process objectStrings like before. Functionally, this is all the same, but with the difference that the map indexed by types.Object will not contain objects already recorded in KnownCannotObfuscate, reducing the amount of duplicate memory use. While here, give recordIgnore a less ambiguous name, and remove the second parameter as it was always tf.pkg.Path(). This also means we can compare *types.Package pointers directly. Finally, add more TODOs for further improvement ideas. It does mean that we end up with more TODOs than before, even though I'm fixing one, but I reckon that's a good thing. Recording these ideas can give first-time contributors ways to help, and it ensures I don't forget about ideas just in my head.
2 years ago
if field.Pkg() == nil || field.Pkg() != tf.pkg {
skip reflection detection for sibling packages Our allPkgs boolean logic was wrong, because it could still lead to garble obfuscating a type when used in the main package, but not in its defining package. The added test case shows such a case. To fix that, use a package path to only record the named objects from the target package, which is a narrower operation without this problem, but still makes all our tests pass. This makes the google.golang.org/protobuf/internal/filetype package start building.
3 years ago
return // not from the specified package
improve handling of reflect on foreign unnamed types If a package A imports package B, and uses reflect.TypeOf on an unnamed struct type B.T (such as an alias), we don't want to record B.T's fields as "do not obfuscate". This is for the same reason that we don't if B.T is a named struct type: the detection only works for the package defining the type, as otherwise it's inconsistent. We failed to handle this case well, because we assumed all struct types would be under some named type. This is not the case for type aliases. Fortunately, struct fields are named, and as such they are objects. Check their package too, just like we do for named types. Fixes another build error when obfuscating the protobuf module. We add a simplified version of the example above as a test case, which originated from debugging the protobuf build failure.
3 years ago
}
record types into ignoreObjects more reliably Our previous logic only took care of fairly simple types, such as a simple struct or a pointer to a struct. If we had a struct embedding another struct, we'd fail to record the objects for the fields in the inner struct, and that would lead to miscompilation: > garble build [stderr] # test/main LZmt64Nm.go:7: outer.InnerField undefined (type *CcUt1wkQ.EmbeddingOuter has no field or method InnerField) To fix this issue, make the function that records all objects under a types.Type smarter. Since it now does more than just dealing with structs, it's also renamed. Since the function now walks types properly, we get to remove the extra ast.Inspect in recordReflectArgs, which is nice. We also make it a method, to avoid the map parameter. A boolean parameter is also added, since we need this feature to only look at the current package when looking at reflect calls. Finally, we add a test case, a simplified version of the original bug report. Fixes #315.
3 years ago
// Record the field itself, too.
clarify how each "cannot obfuscate" map works We used to record all objects in cannotObfuscateNames, and then we'd add the exported ones to KnownCannotObfuscate. Instead, teach recordAsNotObfuscated to store each object in either knownCannotObfuscateUnexported or KnownCannotObfuscate, but not both. The former isn't cached so it uses in-memory pointers as keys, and the latter uses the cross-process objectStrings like before. Functionally, this is all the same, but with the difference that the map indexed by types.Object will not contain objects already recorded in KnownCannotObfuscate, reducing the amount of duplicate memory use. While here, give recordIgnore a less ambiguous name, and remove the second parameter as it was always tf.pkg.Path(). This also means we can compare *types.Package pointers directly. Finally, add more TODOs for further improvement ideas. It does mean that we end up with more TODOs than before, even though I'm fixing one, but I reckon that's a good thing. Recording these ideas can give first-time contributors ways to help, and it ensures I don't forget about ideas just in my head.
2 years ago
recordAsNotObfuscated(field)
record types into ignoreObjects more reliably Our previous logic only took care of fairly simple types, such as a simple struct or a pointer to a struct. If we had a struct embedding another struct, we'd fail to record the objects for the fields in the inner struct, and that would lead to miscompilation: > garble build [stderr] # test/main LZmt64Nm.go:7: outer.InnerField undefined (type *CcUt1wkQ.EmbeddingOuter has no field or method InnerField) To fix this issue, make the function that records all objects under a types.Type smarter. Since it now does more than just dealing with structs, it's also renamed. Since the function now walks types properly, we get to remove the extra ast.Inspect in recordReflectArgs, which is nice. We also make it a method, to avoid the map parameter. A boolean parameter is also added, since we need this feature to only look at the current package when looking at reflect calls. Finally, we add a test case, a simplified version of the original bug report. Fixes #315.
3 years ago
clarify how each "cannot obfuscate" map works We used to record all objects in cannotObfuscateNames, and then we'd add the exported ones to KnownCannotObfuscate. Instead, teach recordAsNotObfuscated to store each object in either knownCannotObfuscateUnexported or KnownCannotObfuscate, but not both. The former isn't cached so it uses in-memory pointers as keys, and the latter uses the cross-process objectStrings like before. Functionally, this is all the same, but with the difference that the map indexed by types.Object will not contain objects already recorded in KnownCannotObfuscate, reducing the amount of duplicate memory use. While here, give recordIgnore a less ambiguous name, and remove the second parameter as it was always tf.pkg.Path(). This also means we can compare *types.Package pointers directly. Finally, add more TODOs for further improvement ideas. It does mean that we end up with more TODOs than before, even though I'm fixing one, but I reckon that's a good thing. Recording these ideas can give first-time contributors ways to help, and it ensures I don't forget about ideas just in my head.
2 years ago
tf.recursivelyRecordAsNotObfuscated(field.Type())
record types into ignoreObjects more reliably Our previous logic only took care of fairly simple types, such as a simple struct or a pointer to a struct. If we had a struct embedding another struct, we'd fail to record the objects for the fields in the inner struct, and that would lead to miscompilation: > garble build [stderr] # test/main LZmt64Nm.go:7: outer.InnerField undefined (type *CcUt1wkQ.EmbeddingOuter has no field or method InnerField) To fix this issue, make the function that records all objects under a types.Type smarter. Since it now does more than just dealing with structs, it's also renamed. Since the function now walks types properly, we get to remove the extra ast.Inspect in recordReflectArgs, which is nice. We also make it a method, to avoid the map parameter. A boolean parameter is also added, since we need this feature to only look at the current package when looking at reflect calls. Finally, we add a test case, a simplified version of the original bug report. Fixes #315.
3 years ago
}
case interface{ Elem() types.Type }:
// Get past pointers, slices, etc.
clarify how each "cannot obfuscate" map works We used to record all objects in cannotObfuscateNames, and then we'd add the exported ones to KnownCannotObfuscate. Instead, teach recordAsNotObfuscated to store each object in either knownCannotObfuscateUnexported or KnownCannotObfuscate, but not both. The former isn't cached so it uses in-memory pointers as keys, and the latter uses the cross-process objectStrings like before. Functionally, this is all the same, but with the difference that the map indexed by types.Object will not contain objects already recorded in KnownCannotObfuscate, reducing the amount of duplicate memory use. While here, give recordIgnore a less ambiguous name, and remove the second parameter as it was always tf.pkg.Path(). This also means we can compare *types.Package pointers directly. Finally, add more TODOs for further improvement ideas. It does mean that we end up with more TODOs than before, even though I'm fixing one, but I reckon that's a good thing. Recording these ideas can give first-time contributors ways to help, and it ensures I don't forget about ideas just in my head.
2 years ago
tf.recursivelyRecordAsNotObfuscated(t.Elem())
Fix bug where structs would get garbled in some packages but not in others (#161) * fix bug where structs would get garbled in some packages but not in others * only check if struct/field was not defined in current package * fix a related bug when two objects share the same name in the same package and one is garbled but the other one is not * renamed parameter for clarity
4 years ago
}
}
blacklist struct fields with reflection too In the added test, the unexported field used to be garbled. Reflection can only reach exported methods, exported fields, and unexported fields. Exported methods and fields are currently never garbled, so unexported fields was the only missing piece.
4 years ago
// named tries to obtain the *types.Named behind a type, if there is one.
// This is useful to obtain "testing.T" from "*testing.T", or to obtain the type
// declaration object from an embedded field.
func namedType(t types.Type) *types.Named {
don't panic with struct pointer anonymous fields While at it, make the "object of type" code shared and more robust.
5 years ago
switch t := t.(type) {
case *types.Named:
blacklist struct fields with reflection too In the added test, the unexported field used to be garbled. Reflection can only reach exported methods, exported fields, and unexported fields. Exported methods and fields are currently never garbled, so unexported fields was the only missing piece.
4 years ago
return t
don't panic with struct pointer anonymous fields While at it, make the "object of type" code shared and more robust.
5 years ago
case interface{ Elem() types.Type }:
blacklist struct fields with reflection too In the added test, the unexported field used to be garbled. Reflection can only reach exported methods, exported fields, and unexported fields. Exported methods and fields are currently never garbled, so unexported fields was the only missing piece.
4 years ago
return namedType(t.Elem())
don't panic with struct pointer anonymous fields While at it, make the "object of type" code shared and more robust.
5 years ago
default:
return nil
}
}
add initial support for running tests For now, it mainly consists of not garbling Test* funcs, and not garbling the _testmain.go file that will run them. Updates #6.
5 years ago
// isTestSignature returns true if the signature matches "func _(*testing.T)".
func isTestSignature(sign *types.Signature) bool {
if sign.Recv() != nil {
avoid panic on funcs that almost look like tests (#235) The added test case used to crash garble: panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x8fe71b] goroutine 1 [running]: golang.org/x/tools/go/ast/astutil.Apply.func1(0xc0001e8880, 0xc000221570) /go/pkg/mod/golang.org/x/tools@v0.0.0-20210115202250-e0d201561e39/go/ast/astutil/rewrite.go:47 +0x97 panic(0x975bc0, 0xd6c610) /sdk/go1.15.8/src/runtime/panic.go:969 +0x1b9 go/types.(*Named).Obj(...) /sdk/go1.15.8/src/go/types/type.go:473 mvdan.cc/garble.isTestSignature(0xc0001e7080, 0xa02e84) /src/garble/main.go:1170 +0x7b mvdan.cc/garble.(*transformer).transformGo.func2(0xc000122df0, 0xaac301) /src/garble/main.go:1028 +0xff1 We were assuming that the first parameter was a named type, but that might not be the case. This crash was found out in the wild, from which a minimal repro was written. We add two variants of it to the test data, just in case.
3 years ago
return false // test funcs don't have receivers
add initial support for running tests For now, it mainly consists of not garbling Test* funcs, and not garbling the _testmain.go file that will run them. Updates #6.
5 years ago
}
params := sign.Params()
if params.Len() != 1 {
avoid panic on funcs that almost look like tests (#235) The added test case used to crash garble: panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x8fe71b] goroutine 1 [running]: golang.org/x/tools/go/ast/astutil.Apply.func1(0xc0001e8880, 0xc000221570) /go/pkg/mod/golang.org/x/tools@v0.0.0-20210115202250-e0d201561e39/go/ast/astutil/rewrite.go:47 +0x97 panic(0x975bc0, 0xd6c610) /sdk/go1.15.8/src/runtime/panic.go:969 +0x1b9 go/types.(*Named).Obj(...) /sdk/go1.15.8/src/go/types/type.go:473 mvdan.cc/garble.isTestSignature(0xc0001e7080, 0xa02e84) /src/garble/main.go:1170 +0x7b mvdan.cc/garble.(*transformer).transformGo.func2(0xc000122df0, 0xaac301) /src/garble/main.go:1028 +0xff1 We were assuming that the first parameter was a named type, but that might not be the case. This crash was found out in the wild, from which a minimal repro was written. We add two variants of it to the test data, just in case.
3 years ago
return false // too many parameters for a test func
}
named := namedType(params.At(0).Type())
if named == nil {
return false // the only parameter isn't named, like "string"
add initial support for running tests For now, it mainly consists of not garbling Test* funcs, and not garbling the _testmain.go file that will run them. Updates #6.
5 years ago
}
avoid panic on funcs that almost look like tests (#235) The added test case used to crash garble: panic: runtime error: invalid memory address or nil pointer dereference [recovered] panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x8fe71b] goroutine 1 [running]: golang.org/x/tools/go/ast/astutil.Apply.func1(0xc0001e8880, 0xc000221570) /go/pkg/mod/golang.org/x/tools@v0.0.0-20210115202250-e0d201561e39/go/ast/astutil/rewrite.go:47 +0x97 panic(0x975bc0, 0xd6c610) /sdk/go1.15.8/src/runtime/panic.go:969 +0x1b9 go/types.(*Named).Obj(...) /sdk/go1.15.8/src/go/types/type.go:473 mvdan.cc/garble.isTestSignature(0xc0001e7080, 0xa02e84) /src/garble/main.go:1170 +0x7b mvdan.cc/garble.(*transformer).transformGo.func2(0xc000122df0, 0xaac301) /src/garble/main.go:1028 +0xff1 We were assuming that the first parameter was a named type, but that might not be the case. This crash was found out in the wild, from which a minimal repro was written. We add two variants of it to the test data, just in case.
3 years ago
obj := named.Obj()
don't panic with struct pointer anonymous fields While at it, make the "object of type" code shared and more robust.
5 years ago
return obj != nil && obj.Pkg().Path() == "testing" && obj.Name() == "T"
add initial support for running tests For now, it mainly consists of not garbling Test* funcs, and not garbling the _testmain.go file that will run them. Updates #6.
5 years ago
}
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
func transformLink(args []string) ([]string, error) {
initial support for build caching (#142) As per the discussion in https://github.com/golang/go/issues/41145, it turns out that we don't need special support for build caching in -toolexec. We can simply modify the behavior of "[...]/compile -V=full" and "[...]/link -V=full" so that they include garble's own version and options in the printed build ID. The part of the build ID that matters is the last, since it's the "content ID" which is used to work out whether there is a need to redo the action (build) or not. Since cmd/go parses the last word in the output as "buildID=...", we simply add "+garble buildID=_/_/_/${hash}". The slashes let us imitate a full binary build ID, but we assume that the other components such as the action ID are not necessary, since the only reader here is cmd/go and it only consumes the content ID. The reported content ID includes the tool's original content ID, garble's own content ID from the built binary, and the garble options which modify how we obfuscate code. If any of the three changes, we should use a different build cache key. GOPRIVATE also affects caching, since a different GOPRIVATE value means that we might have to garble a different set of packages. Include tests, which mainly check that 'garble build -v' prints package lines when we expect to always need to rebuild packages, and that it prints nothing when we should be reusing the build cache even when the built binary is missing. After this change, 'go test' on Go 1.15.2 stabilizes at about 8s on my machine, whereas it used to be at around 25s before.
4 years ago
// We can't split by the ".a" extension, because cached object files
// lack any extension.
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
flags, args := splitFlagsFromArgs(args)
Garble imports and package paths in GOPRIVATE (#116) Finally, finally this is done. This allows import paths to be obfuscated by modifying object/archive files and garbling import paths contained within. The bulk of the code that makes parsing and writing Go object/archive files possible lives at https://github.com/Binject/debug/tree/master/goobj2, which I wrote as well. I have tested by garbling and checking for import paths via strings and grep (in order of difficulty) https://github.com/lu4p/binclude, garble itself, and https://github.com/dominikh/go-tools/tree/master/cmd/staticcheck. This only supports object/archive files produced from the Go 1.15 compiler. The object file format changed at 1.15, and 1.14 and earlier is not supported. Fixes #13.
4 years ago
avoid one more call to 'go tool buildid' (#253) We use it to get the content ID of garble's binary, which is used for both the garble action IDs, as well as 'go tool compile -V=full'. Since those two happen in separate processes, both used to call 'go tool buildid' separately. Store it in the gob cache the first time, and reuse it the second time. Since each call to cmd/go costs about 10ms (new process, running its many init funcs, etc), this results in a nice speed-up for our small benchmark. Most builds will take many seconds though, so note that a ~15ms speedup there will likely not be noticeable. While at it, simplify the buildInfo global, as now it just contains a map representation of the -importcfg contents. It now has better names, docs, and a simpler representation. We also stop using the term "garbled import", as it was a bit confusing. "obfuscated types.Package" is a much better description. name old time/op new time/op delta Build-8 106ms ± 1% 92ms ± 0% -14.07% (p=0.010 n=6+4) name old bin-B new bin-B delta Build-8 6.60M ± 0% 6.60M ± 0% -0.01% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 208ms ± 5% 149ms ± 3% -28.27% (p=0.004 n=6+5) name old user-time/op new user-time/op delta Build-8 433ms ± 3% 384ms ± 3% -11.35% (p=0.002 n=6+6)
3 years ago
newImportCfg, err := processImportCfg(flags)
Garble imports and package paths in GOPRIVATE (#116) Finally, finally this is done. This allows import paths to be obfuscated by modifying object/archive files and garbling import paths contained within. The bulk of the code that makes parsing and writing Go object/archive files possible lives at https://github.com/Binject/debug/tree/master/goobj2, which I wrote as well. I have tested by garbling and checking for import paths via strings and grep (in order of difficulty) https://github.com/lu4p/binclude, garble itself, and https://github.com/dominikh/go-tools/tree/master/cmd/staticcheck. This only supports object/archive files produced from the Go 1.15 compiler. The object file format changed at 1.15, and 1.14 and earlier is not supported. Fixes #13.
4 years ago
if err != nil {
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
return nil, err
Garble imports and package paths in GOPRIVATE (#116) Finally, finally this is done. This allows import paths to be obfuscated by modifying object/archive files and garbling import paths contained within. The bulk of the code that makes parsing and writing Go object/archive files possible lives at https://github.com/Binject/debug/tree/master/goobj2, which I wrote as well. I have tested by garbling and checking for import paths via strings and grep (in order of difficulty) https://github.com/lu4p/binclude, garble itself, and https://github.com/dominikh/go-tools/tree/master/cmd/staticcheck. This only supports object/archive files produced from the Go 1.15 compiler. The object file format changed at 1.15, and 1.14 and earlier is not supported. Fixes #13.
4 years ago
}
avoid obfuscating literals set via -ldflags=-X The -X linker flag sets a string variable to a given value, which is often used to inject strings such as versions. The way garble's literal obfuscation works, we replace string literals with anonymous functions which, when evaluated, result in the original string. Both of these features work fine separately, but when intersecting, they break. For example, given: var myVar = "original" [...] -ldflags=-X=main.myVar=replaced The -X flag effectively replaces the initial value, and -literals adds code to be run at init time: var myVar = "replaced" func init() { myVar = func() string { ... } } Since the init func runs later, -literals breaks -X. To avoid that problem, don't obfuscate literals whose variables are set via -ldflags=-X. We also leave TODOs about obfuscating those in the future, but we're also leaving regression tests to ensure we get it right. Fixes #323.
2 years ago
// TODO: unify this logic with the -X handling when using -literals.
// We should be able to handle both cases via the syntax tree.
//
use "obfuscate" instead of "garble" in some more places Mainly comments. "garble" refers to the tool, but the verb and adjective is more intuitive as "obfuscate" and "obfuscated" instead of "garble" and "garbled".
3 years ago
// Make sure -X works with obfuscated identifiers.
// To cover both obfuscated and non-obfuscated names,
// duplicate each flag with a obfuscated version.
support -ldflags=-X=pkg.name=str with garbled names Because the linker has access to all the build IDs, just like the compiler, we can support this transparently. Add a test too. Fixes #21.
4 years ago
flagValueIter(flags, "-X", func(val string) {
// val is in the form of "pkg.name=str"
i := strings.IndexByte(val, '=')
if i <= 0 {
return
}
name := val[:i]
str := val[i+1:]
Handle ldflags set variable with . in package name Fixes #84
4 years ago
j := strings.LastIndexByte(name, '.')
support -ldflags=-X=pkg.name=str with garbled names Because the linker has access to all the build IDs, just like the compiler, we can support this transparently. Add a test too. Fixes #21.
4 years ago
if j <= 0 {
return
}
pkg := name[:j]
name = name[j+1:]
refactor "current package" with TOOLEXEC_IMPORTPATH (#266) Now that we've dropped support for Go 1.15.x, we can finally rely on this environment variable for toolexec calls, present in Go 1.16. Before, we had hacky ways of trying to figure out the current package's import path, mostly from the -p flag. The biggest rough edge there was that, for main packages, that was simply the package name, and not its full import path. To work around that, we had a restriction on a single main package, so we could work around that issue. That restriction is now gone. The new code is simpler, especially because we can set curPkg in a single place for all toolexec transform funcs. Since we can always rely on curPkg not being nil now, we can also start reusing listedPackage.Private and avoid the majority of repeated calls to isPrivate. The function is cheap, but still not free. isPrivate itself can also get simpler. We no longer have to worry about the "main" edge case. Plus, the sanity check for invalid package paths is now unnecessary; we only got malformed paths from goobj2, and we now require exact matches with the ImportPath field from "go list -json". Another effect of clearing up the "main" edge case is that -debugdir now uses the right directory for main packages. We also start using consistent debugdir paths in the tests, for the sake of being easier to read and maintain. Finally, note that commandReverse did not need the extra call to "go list -toolexec", as the "shared" call stored in the cache is enough. We still call toolexecCmd to get said cache, which should probably be simplified in a future PR. While at it, replace the use of the "-std" compiler flag with the Standard field from "go list -json".
3 years ago
// If the package path is "main", it's the current top-level
// package we are linking.
// Otherwise, find it in the cache.
lpkg := curPkg
if pkg != "main" {
lpkg = cache.ListedPackages[pkg]
support -ldflags=-X=pkg.name=str with garbled names Because the linker has access to all the build IDs, just like the compiler, we can support this transparently. Add a test too. Fixes #21.
4 years ago
}
ignore -ldflags=-X flags mentioning unknown packages That would panic, since the *listedPackage would be nil for a package path we aren't aware of: panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x88 pc=0x126b57d] goroutine 1 [running]: main.transformLink.func1(0x7ffeefbff28b, 0x5d) mvdan.cc/garble@v0.0.0-20210302140807-b03cd08c0946/main.go:1260 +0x17d main.flagValueIter(0xc0000a8e20, 0x2f, 0x2f, 0x12e278e, 0x2, 0xc000129e28) mvdan.cc/garble@v0.0.0-20210302140807-b03cd08c0946/main.go:1410 +0x1e9 main.transformLink(0xc0000a8e20, 0x30, 0x36, 0x4, 0xc000114648, 0x23, 0x12dfd60, 0x0) mvdan.cc/garble@v0.0.0-20210302140807-b03cd08c0946/main.go:1241 +0x1b9 main.mainErr(0xc0000a8e10, 0x31, 0x37, 0x37, 0x0) mvdan.cc/garble@v0.0.0-20210302140807-b03cd08c0946/main.go:287 +0x389 main.main1(0xc000096058) mvdan.cc/garble@v0.0.0-20210302140807-b03cd08c0946/main.go:150 +0xe7 main.main() mvdan.cc/garble@v0.0.0-20210302140807-b03cd08c0946/main.go:83 +0x25 The linker ignores such unknown references, so we should too. Fixes #259.
3 years ago
if lpkg == nil {
// We couldn't find the package.
// Perhaps a typo, perhaps not part of the build.
// cmd/link ignores those, so we should too.
return
}
refactor "current package" with TOOLEXEC_IMPORTPATH (#266) Now that we've dropped support for Go 1.15.x, we can finally rely on this environment variable for toolexec calls, present in Go 1.16. Before, we had hacky ways of trying to figure out the current package's import path, mostly from the -p flag. The biggest rough edge there was that, for main packages, that was simply the package name, and not its full import path. To work around that, we had a restriction on a single main package, so we could work around that issue. That restriction is now gone. The new code is simpler, especially because we can set curPkg in a single place for all toolexec transform funcs. Since we can always rely on curPkg not being nil now, we can also start reusing listedPackage.Private and avoid the majority of repeated calls to isPrivate. The function is cheap, but still not free. isPrivate itself can also get simpler. We no longer have to worry about the "main" edge case. Plus, the sanity check for invalid package paths is now unnecessary; we only got malformed paths from goobj2, and we now require exact matches with the ImportPath field from "go list -json". Another effect of clearing up the "main" edge case is that -debugdir now uses the right directory for main packages. We also start using consistent debugdir paths in the tests, for the sake of being easier to read and maintain. Finally, note that commandReverse did not need the extra call to "go list -toolexec", as the "shared" call stored in the cache is enough. We still call toolexecCmd to get said cache, which should probably be simplified in a future PR. While at it, replace the use of the "-std" compiler flag with the Standard field from "go list -json".
3 years ago
// As before, the main package must remain as "main".
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
newPkg := pkg
refactor "current package" with TOOLEXEC_IMPORTPATH (#266) Now that we've dropped support for Go 1.15.x, we can finally rely on this environment variable for toolexec calls, present in Go 1.16. Before, we had hacky ways of trying to figure out the current package's import path, mostly from the -p flag. The biggest rough edge there was that, for main packages, that was simply the package name, and not its full import path. To work around that, we had a restriction on a single main package, so we could work around that issue. That restriction is now gone. The new code is simpler, especially because we can set curPkg in a single place for all toolexec transform funcs. Since we can always rely on curPkg not being nil now, we can also start reusing listedPackage.Private and avoid the majority of repeated calls to isPrivate. The function is cheap, but still not free. isPrivate itself can also get simpler. We no longer have to worry about the "main" edge case. Plus, the sanity check for invalid package paths is now unnecessary; we only got malformed paths from goobj2, and we now require exact matches with the ImportPath field from "go list -json". Another effect of clearing up the "main" edge case is that -debugdir now uses the right directory for main packages. We also start using consistent debugdir paths in the tests, for the sake of being easier to read and maintain. Finally, note that commandReverse did not need the extra call to "go list -toolexec", as the "shared" call stored in the cache is enough. We still call toolexecCmd to get said cache, which should probably be simplified in a future PR. While at it, replace the use of the "-std" compiler flag with the Standard field from "go list -json".
3 years ago
if pkg != "main" {
newPkg = lpkg.obfuscatedImportPath()
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
}
make obfuscation fully deterministic with -seed The default behavior of garble is to seed via the build inputs, including the build IDs of the entire Go build of each package. This works well as a default, and does give us determinism, but it means that building for different platforms will result in different obfuscation per platform. Instead, when -seed is provided, don't use any other hash seed or salt. This means that a particular Go name will be obfuscated the same way as long as the seed, package path, and name itself remain constant. In other words, when the user supplies a custom -seed, we assume they know what they're doing in terms of storage and rotation. Expand the README docs with more examples and detail. Fixes #449.
2 years ago
newName := hashWithPackage(lpkg, name)
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
flags = append(flags, fmt.Sprintf("-X=%s.%s=%s", newPkg, newName, str))
support -ldflags=-X=pkg.name=str with garbled names Because the linker has access to all the build IDs, just like the compiler, we can support this transparently. Add a test too. Fixes #21.
4 years ago
})
update support for Go 1.17 in time for beta1 Back in early April we added initial support for Go 1.17, working on a commit from master at that time. For that to work, we just needed to add a couple of packages to runtimeRelated and tweak printFile a bit to not break the new "//go:build" directives. A significant amount of changes have landed since, though, and the tests broke in multiple ways. Most notably, the new register ABI is enabled by default for GOOS=amd64. That affected garble indirectly in two ways: there's a new internal package to add to runtimeRelated, and we must make reverse.txt more clever in making its output constant across ABIs. Another noticeable change is that Go 1.17 changes how its own version is injected into the runtime package. It used to be via a constant in runtime/internal/sys, such as: const TheVersion = `devel ...` Since we couldn't override such constants via the linker's -X flag, we had to directly alter the declaration while compiling. Thankfully, Go 1.17 simply uses a "var buildVersion string" in the runtime package, and its value is injected by the linker. This means we can now override it with the linker's -X flag. We make the code to alter TheVersion for Go 1.16 a bit more clever, to not break the package when building with Go 1.17. Finally, our hack to work around ambiguous TOOLEXEC_IMPORTPATH values now only kicks in for non-test packages, since Go 1.17 includes our upstream fix. Otherwise, some tests would end up with the ".test" variant suffix added a second time: test/bar [test/bar.test] [test/bar [test/bar.test].test] All the code to keep compatibility with Go 1.16.x remains in place. We're still leaving TODOs to remind ourselves to remove it or simplify it once we remove support for 1.16.x. The 1.17 development freeze has already been in place for a month, and beta1 is due to come this week, so it's unlikely that Go will change in any considerable way at this point. Hence, we can say that support for 1.17 is done. Fixes #347.
3 years ago
// Starting in Go 1.17, Go's version is implicitly injected by the linker.
// It's the same method as -X, so we can override it with an extra flag.
flags = append(flags, "-X=runtime.buildVersion=unknown")
strip buildid information from linked binaries Otherwise, one can use 'go tool buildid' to obtain the main package's build ID, which can make de-obfuscating the main package much simpler. Fixes #43.
4 years ago
// Ensure we strip the -buildid flag, to not leak any build IDs for the
// link operation or the main package's compilation.
flags = flagSetValue(flags, "-buildid", "")
speed up builds with the compiler's -dwarf=false flag Generating DWARF in the compiler object files could take as much as 10% extra CPU time, while we ignore it entirely at the link stage. Speeds up 'go test -short' from ~19.5s to ~18.5s on my laptop.
4 years ago
// Strip debug information and symbol tables.
start enforcing the link flags -w -s
5 years ago
flags = append(flags, "-w", "-s")
reimplement import path obfuscation without goobj2 (#242) We used to rely on a parallel implementation of an object file parser and writer to be able to obfuscate import paths. After compiling each package, we would parse the object file, replace the import paths, and write the updated object file in-place. That worked well, in most cases. Unfortunately, it had some flaws: * Complexity. Even when most of the code is maintained in a separate module, the import_obfuscation.go file was still close to a thousand lines of code. * Go compatibility. The object file format changes between Go releases, so we were supporting Go 1.15, but not 1.16. Fixing the object file package to work with 1.16 would probably break 1.15 support. * Bugs. For example, we recently had to add a workaround for #224, since import paths containing dots after the domain would end up escaped. Another example is #190, which seems to be caused by the object file parser or writer corrupting the compiled code and causing segfaults in some rare edge cases. Instead, let's drop that method entirely, and force the compiler and linker to do the work for us. The steps necessary when compiling a package to obfuscate are: 1) Replace its "package foo" lines with the obfuscated package path. No need to separate the package path and name, since the obfuscated path does not contain slashes. 2) Replace the "-p pkg/foo" flag with the obfuscated path. 3) Replace the "import" spec lines with the obfuscated package paths, for those dependencies which were obfuscated. 4) Replace the "-importcfg [...]" file with a version that uses the obfuscated paths instead. The linker also needs that last step, since it also uses an importcfg file to find object files. There are three noteworthy drawbacks to this new method: 1) Since we no longer write object files, we can't use them to store data to be cached. As such, the -debugdir flag goes back to using the "-a" build flag to always rebuild all packages. On the plus side, that caching didn't work very well; see #176. 2) The package name "main" remains in all declarations under it, not just "func main", since we can only rename entire packages. This seems fine, as it gives little information to the end user. 3) The -tiny mode no longer sets all lines to 0, since it did that by modifying object files. As a temporary measure, we instead set all top-level declarations to be on line 1. A TODO is added to hopefully improve this again in the near future. The upside is that we get rid of all the issues mentioned before. Plus, garble now nearly works with Go 1.16, with the exception of two very minor bugs that look fixable. A follow-up PR will take care of that and start testing on 1.16. Fixes #176. Fixes #190.
3 years ago
flags = flagSetValue(flags, "-importcfg", newImportCfg)
return append(flags, args...), nil
start enforcing the link flags -w -s
5 years ago
}
reuse a single 'go list -json -export -deps' call Instead of doing a 'go list' call every time we need to fetch a dependency's export file, we now do a single 'go list' call before the build begins. With the '-deps' flag, it gives us all the dependency packages recursively. We store that data in the gob format in a temporary file, and share it with the future garble sub-processes via an env var. This required lazy parsing of flags for the 'build' and 'test' commands, since now we need to run 'go list' with the same package pattern arguments. Fixes #63.
4 years ago
func splitFlagsFromArgs(all []string) (flags, args []string) {
for i := 0; i < len(all); i++ {
arg := all[i]
if !strings.HasPrefix(arg, "-") {
always use the compiler's -dwarf=false flag (#96) First, our original append line was completely ineffective; we never used that "flags" slice again. Second, we only attempted to use the flag when we obfuscated a package. In fact, we never care about debugging information here, so for any package we compile, we can add "-dwarf=false". At the moment, we compile all packages, even if they aren't to be obfuscated, due to the lack of access to the build cache. As such, we save a significant amount of work. The numbers below were obtained on a quiet machine with "go test -bench=. -benchtime=10x", six times before and after the change. name old time/op new time/op delta Build-8 2.06s ± 4% 1.87s ± 2% -9.21% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build-8 1.51s ± 2% 1.46s ± 1% -3.12% (p=0.004 n=6+5) name old user-time/op new user-time/op delta Build-8 11.9s ± 2% 10.8s ± 1% -8.71% (p=0.002 n=6+6) While at it, only do CI builds on pushes and PRs to the master branch, so that my PRs created from the same repo don't trigger duplicate builds.
4 years ago
return all[:i:i], all[i:]
reuse a single 'go list -json -export -deps' call Instead of doing a 'go list' call every time we need to fetch a dependency's export file, we now do a single 'go list' call before the build begins. With the '-deps' flag, it gives us all the dependency packages recursively. We store that data in the gob format in a temporary file, and share it with the future garble sub-processes via an env var. This required lazy parsing of flags for the 'build' and 'test' commands, since now we need to run 'go list' with the same package pattern arguments. Fixes #63.
4 years ago
}
if booleanFlags[arg] || strings.Contains(arg, "=") {
// Either "-bool" or "-name=value".
continue
}
// "-name value", so the next arg is part of this flag.
i++
}
return all, nil
}
remove unused code spotted by -coverprofile Remove some asthelper APIs that haven't been used for some time. They can be recovered from the git history if needed again. One type assertion in the literals package is always true. Embedded field objects are handled near the top of transformGo, so the extra !obj.Embedded() check was always true. Remove it. We always obfuscate standalone funcs now, so the obfuscatedTypesPackage check is no longer necessary. This was necessary when we used to not obfuscate func names when they were used in linkname directives. The workaround for test package imports in obfuscatedTypesPackage I had to add a few commits ago no longer seems to be necessary. This might be thanks to the simplification with functions in the paragraph just above. It's impossible to run garble without -trimpath nowadays, as we error before the build even starts: $ go build -toolexec=garble go tool compile: exit status 1 cannot open shared file, this is most likely due to not running "garble [command]" When run as "garble build", the trimpath flag is always set. So the check in alterTrimpath never triggers anymore, and couldn't be tested. Finally, simplify the handling of comment syntax in printFile, and add a few TODOs for other code paths not covered by our existing tests. Total code coverage is up from 90.3% to 91.0%.
3 years ago
func alterTrimpath(flags []string) []string {
avoid reproducibility issues with full rebuilds We were using temporary filenames for modified Go and assembly files. For example, an obfuscated "encoding/json/encode.go" would end up as: /tmp/garble-shared123/encode.go.456.go where "123" and "456" are random numbers, usually longer. This was usually fine for two reasons: 1) We would add "/tmp/garble-shared123/" to -trimpath, so the temporary directory and its random number would be invisible. 2) We would add "//line" directives to the source files, replacing the filename with obfuscated versions excluding any random number. Unfortunately, this broke in multiple ways. Most notably, assembly files do not have any line directives, and it's not clear that there's any support for them. So the random number in their basename could end up in the binary, breaking reproducibility. Another issue is that the -trimpath addition described above was only done for cmd/compile, not cmd/asm, so assembly filenames included the randomized temporary directory. To fix the issues above, the same "encoding/json/encode.go" would now end up as: /tmp/garble-shared123/encoding/json/encode.go Such a path is still unique even though the "456" random number is gone, as import paths are unique within a single build. This fixes issues with the base name of each file, so we no longer rely on line directives as the only way to remove the second original random number. We still rely on -trimpath to get rid of the temporary directory in filenames. To fix its problem with assembly files, also amend the -trimpath flag when running the assembler tool. Finally, add a test that reproducible builds still work when a full rebuild is done. We choose goprivate.txt for such a test as its stdimporter package imports a number of std packages, including uses of assembly and cgo. For the time being, we don't use such a "full rebuild" reproducibility test in other test scripts, as this step is expensive, rebuilding many packages from scratch. This issue went unnoticed for over a year because such random numbers "123" and "456" were created when a package was obfuscated, and that only happened once per package version as long as the build cache was kept intact. When clearing the build cache, or forcing a rebuild with -a, one gets new random numbers, and thus a different binary resulting from the same build input. That's not something that most users would do regularly, and our tests did not cover that edge case either, until now. Fixes #328.
3 years ago
// If the value of -trimpath doesn't contain the separator ';', the 'go
// build' command is most likely not using '-trimpath'.
trimpath := flagValue(flags, "-trimpath")
// Add our temporary dir to the beginning of -trimpath, so that we don't
// leak temporary dirs. Needs to be at the beginning, since there may be
// shorter prefixes later in the list, such as $PWD if TMPDIR=$PWD/tmp.
remove unused code spotted by -coverprofile Remove some asthelper APIs that haven't been used for some time. They can be recovered from the git history if needed again. One type assertion in the literals package is always true. Embedded field objects are handled near the top of transformGo, so the extra !obj.Embedded() check was always true. Remove it. We always obfuscate standalone funcs now, so the obfuscatedTypesPackage check is no longer necessary. This was necessary when we used to not obfuscate func names when they were used in linkname directives. The workaround for test package imports in obfuscatedTypesPackage I had to add a few commits ago no longer seems to be necessary. This might be thanks to the simplification with functions in the paragraph just above. It's impossible to run garble without -trimpath nowadays, as we error before the build even starts: $ go build -toolexec=garble go tool compile: exit status 1 cannot open shared file, this is most likely due to not running "garble [command]" When run as "garble build", the trimpath flag is always set. So the check in alterTrimpath never triggers anymore, and couldn't be tested. Finally, simplify the handling of comment syntax in printFile, and add a few TODOs for other code paths not covered by our existing tests. Total code coverage is up from 90.3% to 91.0%.
3 years ago
return flagSetValue(flags, "-trimpath", sharedTempDir+"=>;"+trimpath)
avoid reproducibility issues with full rebuilds We were using temporary filenames for modified Go and assembly files. For example, an obfuscated "encoding/json/encode.go" would end up as: /tmp/garble-shared123/encode.go.456.go where "123" and "456" are random numbers, usually longer. This was usually fine for two reasons: 1) We would add "/tmp/garble-shared123/" to -trimpath, so the temporary directory and its random number would be invisible. 2) We would add "//line" directives to the source files, replacing the filename with obfuscated versions excluding any random number. Unfortunately, this broke in multiple ways. Most notably, assembly files do not have any line directives, and it's not clear that there's any support for them. So the random number in their basename could end up in the binary, breaking reproducibility. Another issue is that the -trimpath addition described above was only done for cmd/compile, not cmd/asm, so assembly filenames included the randomized temporary directory. To fix the issues above, the same "encoding/json/encode.go" would now end up as: /tmp/garble-shared123/encoding/json/encode.go Such a path is still unique even though the "456" random number is gone, as import paths are unique within a single build. This fixes issues with the base name of each file, so we no longer rely on line directives as the only way to remove the second original random number. We still rely on -trimpath to get rid of the temporary directory in filenames. To fix its problem with assembly files, also amend the -trimpath flag when running the assembler tool. Finally, add a test that reproducible builds still work when a full rebuild is done. We choose goprivate.txt for such a test as its stdimporter package imports a number of std packages, including uses of assembly and cgo. For the time being, we don't use such a "full rebuild" reproducibility test in other test scripts, as this step is expensive, rebuilding many packages from scratch. This issue went unnoticed for over a year because such random numbers "123" and "456" were created when a package was obfuscated, and that only happened once per package version as long as the build cache was kept intact. When clearing the build cache, or forcing a rebuild with -a, one gets new random numbers, and thus a different binary resulting from the same build input. That's not something that most users would do regularly, and our tests did not cover that edge case either, until now. Fixes #328.
3 years ago
}
update cmd/go flags for 1.18 As of 1.18beta1. I used bash commands like: diff -u <(go1.17.5 help build) <(gotip help build) While here, supply -buildinfo=false and -buildvcs=false to go build. We already remove that information by discarding the _gomod_.go file, but we might as well pass the flags too. If anything, it lets the toolchain avoid the work entirely. Note that we can't use these flags on Go 1.17 for now, though. Add a TODO that came to mind while writing this, too.
3 years ago
// forwardBuildFlags is obtained from 'go help build' as of Go 1.18beta1.
fail if we are unexpectedly overwriting files (#418) While investigating a bug report, I noticed that garble was writing to the same temp file twice. At best, writing to the same path on disk twice is wasteful, as the design is careful to be deterministic and use unique paths. At worst, the two writes could cause races at the filesystem level. To prevent either of those situations, we now create files with os.OpenFile and os.O_EXCL, meaning that we will error if the file already exists. That change uncovered a number of such unintended cases. First, transformAsm would write obfuscated Go files twice. This is because the Go toolchain actually runs: [...]/asm -gensymabis [...] foo.s bar.s [...]/asm [...] foo.s bar.s That is, the first run is only meant to generate symbol ABIs, which are then used by the compiler. We need to obfuscate at that first stage, because the symbol ABI descriptions need to use obfuscated names. However, having already obfuscated the assembly on the first stage, there is no need to do so again on the second stage. If we detect gensymabis is missing, we simply reuse the previous files. This first situation doesn't seem racy, but obfuscating the Go assembly files twice is certainly unnecessary. Second, saveKnownReflectAPIs wrote a gob file to the build cache. Since the build cache can be kept between builds, and since the build cache uses reproducible paths for each build, running the same "garble build" twice could overwrite those files. This could actually cause races at the filesystem level; if two concurrent builds write to the same gob file on disk, one of them could end up using a partially-written file. Note that this is the only of the three cases not using temporary files. As such, it is expected that the file may already exist. In such a case, we simply avoid overwriting it rather than failing. Third, when "garble build -a" was used, and when we needed an export file not listed in importcfg, we would end up calling roughly: go list -export -toolexec=garble -a <dependency> This meant we would re-build and re-obfuscate those packages. Which is unfortunate, because the parent process already did via: go build -toolexec=garble -a <main> The repeated dependency builds tripped the new os.O_EXCL check, as we would try to overwrite the same obfuscated Go files. Beyond being wasteful, this could again cause subtle filesystem races. To fix the problem, avoid passing flags like "-a" to nested go commands. Overall, we should likely be using safer ways to write to disk, be it via either atomic writes or locked files. However, for now, catching duplicate writes is a big step. I have left a self-assigned TODO for further improvements. CI on the pull request found a failure on test-gotip. The failure reproduces on master, so it seems to be related to gotip, and not a regression introduced by this change. For now, disable test-gotip until we can investigate.
3 years ago
var forwardBuildFlags = map[string]bool{
// These shouldn't be used in nested cmd/go calls.
"-a": false,
"-n": false,
"-x": false,
"-v": false,
// These are always set by garble.
remove the use of -buildinfo=false It looks like the flag will be scrapped from Go 1.18. Stop using it before 1.18rc1 releases without it. See: https://github.com/golang/go/issues/50501#issuecomment-1010225207
3 years ago
"-trimpath": false,
"-toolexec": false,
"-buildvcs": false,
fail if we are unexpectedly overwriting files (#418) While investigating a bug report, I noticed that garble was writing to the same temp file twice. At best, writing to the same path on disk twice is wasteful, as the design is careful to be deterministic and use unique paths. At worst, the two writes could cause races at the filesystem level. To prevent either of those situations, we now create files with os.OpenFile and os.O_EXCL, meaning that we will error if the file already exists. That change uncovered a number of such unintended cases. First, transformAsm would write obfuscated Go files twice. This is because the Go toolchain actually runs: [...]/asm -gensymabis [...] foo.s bar.s [...]/asm [...] foo.s bar.s That is, the first run is only meant to generate symbol ABIs, which are then used by the compiler. We need to obfuscate at that first stage, because the symbol ABI descriptions need to use obfuscated names. However, having already obfuscated the assembly on the first stage, there is no need to do so again on the second stage. If we detect gensymabis is missing, we simply reuse the previous files. This first situation doesn't seem racy, but obfuscating the Go assembly files twice is certainly unnecessary. Second, saveKnownReflectAPIs wrote a gob file to the build cache. Since the build cache can be kept between builds, and since the build cache uses reproducible paths for each build, running the same "garble build" twice could overwrite those files. This could actually cause races at the filesystem level; if two concurrent builds write to the same gob file on disk, one of them could end up using a partially-written file. Note that this is the only of the three cases not using temporary files. As such, it is expected that the file may already exist. In such a case, we simply avoid overwriting it rather than failing. Third, when "garble build -a" was used, and when we needed an export file not listed in importcfg, we would end up calling roughly: go list -export -toolexec=garble -a <dependency> This meant we would re-build and re-obfuscate those packages. Which is unfortunate, because the parent process already did via: go build -toolexec=garble -a <main> The repeated dependency builds tripped the new os.O_EXCL check, as we would try to overwrite the same obfuscated Go files. Beyond being wasteful, this could again cause subtle filesystem races. To fix the problem, avoid passing flags like "-a" to nested go commands. Overall, we should likely be using safer ways to write to disk, be it via either atomic writes or locked files. However, for now, catching duplicate writes is a big step. I have left a self-assigned TODO for further improvements. CI on the pull request found a failure on test-gotip. The failure reproduces on master, so it seems to be related to gotip, and not a regression introduced by this change. For now, disable test-gotip until we can investigate.
3 years ago
keep build flags when calling 'go list' Otherwise any build flags like -tags won't be used, and we might easily end up with errors or incorrect packages. The common case with -tags is covered by one of the integration test scripts. On top of that, we add a table-driven unit test to cover all edge cases, since there are many we can do quickly in a unit test. Fixes #82.
4 years ago
"-p": true,
"-race": true,
"-msan": true,
update cmd/go flags for 1.18 As of 1.18beta1. I used bash commands like: diff -u <(go1.17.5 help build) <(gotip help build) While here, supply -buildinfo=false and -buildvcs=false to go build. We already remove that information by discarding the _gomod_.go file, but we might as well pass the flags too. If anything, it lets the toolchain avoid the work entirely. Note that we can't use these flags on Go 1.17 for now, though. Add a TODO that came to mind while writing this, too.
3 years ago
"-asan": true,
keep build flags when calling 'go list' Otherwise any build flags like -tags won't be used, and we might easily end up with errors or incorrect packages. The common case with -tags is covered by one of the integration test scripts. On top of that, we add a table-driven unit test to cover all edge cases, since there are many we can do quickly in a unit test. Fixes #82.
4 years ago
"-work": true,
"-asmflags": true,
"-buildmode": true,
"-compiler": true,
"-gccgoflags": true,
"-gcflags": true,
"-installsuffix": true,
"-ldflags": true,
"-linkshared": true,
"-mod": true,
"-modcacherw": true,
"-modfile": true,
"-pkgdir": true,
"-tags": true,
update cmd/go flags for 1.18 As of 1.18beta1. I used bash commands like: diff -u <(go1.17.5 help build) <(gotip help build) While here, supply -buildinfo=false and -buildvcs=false to go build. We already remove that information by discarding the _gomod_.go file, but we might as well pass the flags too. If anything, it lets the toolchain avoid the work entirely. Note that we can't use these flags on Go 1.17 for now, though. Add a TODO that came to mind while writing this, too.
3 years ago
"-workfile": true,
update build and test flag list for Go 1.16 Go 1.16 just added one flag, -overlay, as documented in https://golang.org/doc/go1.16#go-command. We forgot to update these tables for 1.16, though it probably doesn't matter as this flag is pretty much only used by gopls.
3 years ago
"-overlay": true,
keep build flags when calling 'go list' Otherwise any build flags like -tags won't be used, and we might easily end up with errors or incorrect packages. The common case with -tags is covered by one of the integration test scripts. On top of that, we add a table-driven unit test to cover all edge cases, since there are many we can do quickly in a unit test. Fixes #82.
4 years ago
}
update cmd/go flags for 1.18 As of 1.18beta1. I used bash commands like: diff -u <(go1.17.5 help build) <(gotip help build) While here, supply -buildinfo=false and -buildvcs=false to go build. We already remove that information by discarding the _gomod_.go file, but we might as well pass the flags too. If anything, it lets the toolchain avoid the work entirely. Note that we can't use these flags on Go 1.17 for now, though. Add a TODO that came to mind while writing this, too.
3 years ago
// booleanFlags is obtained from 'go help build' and 'go help testflag' as of Go 1.18beta1.
reuse a single 'go list -json -export -deps' call Instead of doing a 'go list' call every time we need to fetch a dependency's export file, we now do a single 'go list' call before the build begins. With the '-deps' flag, it gives us all the dependency packages recursively. We store that data in the gob format in a temporary file, and share it with the future garble sub-processes via an env var. This required lazy parsing of flags for the 'build' and 'test' commands, since now we need to run 'go list' with the same package pattern arguments. Fixes #63.
4 years ago
var booleanFlags = map[string]bool{
// Shared build flags.
"-a": true,
"-i": true,
"-n": true,
"-v": true,
"-x": true,
"-race": true,
"-msan": true,
update cmd/go flags for 1.18 As of 1.18beta1. I used bash commands like: diff -u <(go1.17.5 help build) <(gotip help build) While here, supply -buildinfo=false and -buildvcs=false to go build. We already remove that information by discarding the _gomod_.go file, but we might as well pass the flags too. If anything, it lets the toolchain avoid the work entirely. Note that we can't use these flags on Go 1.17 for now, though. Add a TODO that came to mind while writing this, too.
3 years ago
"-asan": true,
reuse a single 'go list -json -export -deps' call Instead of doing a 'go list' call every time we need to fetch a dependency's export file, we now do a single 'go list' call before the build begins. With the '-deps' flag, it gives us all the dependency packages recursively. We store that data in the gob format in a temporary file, and share it with the future garble sub-processes via an env var. This required lazy parsing of flags for the 'build' and 'test' commands, since now we need to run 'go list' with the same package pattern arguments. Fixes #63.
4 years ago
"-linkshared": true,
"-modcacherw": true,
"-trimpath": true,
update cmd/go flags for 1.18 As of 1.18beta1. I used bash commands like: diff -u <(go1.17.5 help build) <(gotip help build) While here, supply -buildinfo=false and -buildvcs=false to go build. We already remove that information by discarding the _gomod_.go file, but we might as well pass the flags too. If anything, it lets the toolchain avoid the work entirely. Note that we can't use these flags on Go 1.17 for now, though. Add a TODO that came to mind while writing this, too.
3 years ago
"-buildvcs": true,
reuse a single 'go list -json -export -deps' call Instead of doing a 'go list' call every time we need to fetch a dependency's export file, we now do a single 'go list' call before the build begins. With the '-deps' flag, it gives us all the dependency packages recursively. We store that data in the gob format in a temporary file, and share it with the future garble sub-processes via an env var. This required lazy parsing of flags for the 'build' and 'test' commands, since now we need to run 'go list' with the same package pattern arguments. Fixes #63.
4 years ago
// Test flags (TODO: support its special -args flag)
"-c": true,
"-json": true,
"-cover": true,
"-failfast": true,
"-short": true,
"-benchmem": true,
}
fail if we are unexpectedly overwriting files (#418) While investigating a bug report, I noticed that garble was writing to the same temp file twice. At best, writing to the same path on disk twice is wasteful, as the design is careful to be deterministic and use unique paths. At worst, the two writes could cause races at the filesystem level. To prevent either of those situations, we now create files with os.OpenFile and os.O_EXCL, meaning that we will error if the file already exists. That change uncovered a number of such unintended cases. First, transformAsm would write obfuscated Go files twice. This is because the Go toolchain actually runs: [...]/asm -gensymabis [...] foo.s bar.s [...]/asm [...] foo.s bar.s That is, the first run is only meant to generate symbol ABIs, which are then used by the compiler. We need to obfuscate at that first stage, because the symbol ABI descriptions need to use obfuscated names. However, having already obfuscated the assembly on the first stage, there is no need to do so again on the second stage. If we detect gensymabis is missing, we simply reuse the previous files. This first situation doesn't seem racy, but obfuscating the Go assembly files twice is certainly unnecessary. Second, saveKnownReflectAPIs wrote a gob file to the build cache. Since the build cache can be kept between builds, and since the build cache uses reproducible paths for each build, running the same "garble build" twice could overwrite those files. This could actually cause races at the filesystem level; if two concurrent builds write to the same gob file on disk, one of them could end up using a partially-written file. Note that this is the only of the three cases not using temporary files. As such, it is expected that the file may already exist. In such a case, we simply avoid overwriting it rather than failing. Third, when "garble build -a" was used, and when we needed an export file not listed in importcfg, we would end up calling roughly: go list -export -toolexec=garble -a <dependency> This meant we would re-build and re-obfuscate those packages. Which is unfortunate, because the parent process already did via: go build -toolexec=garble -a <main> The repeated dependency builds tripped the new os.O_EXCL check, as we would try to overwrite the same obfuscated Go files. Beyond being wasteful, this could again cause subtle filesystem races. To fix the problem, avoid passing flags like "-a" to nested go commands. Overall, we should likely be using safer ways to write to disk, be it via either atomic writes or locked files. However, for now, catching duplicate writes is a big step. I have left a self-assigned TODO for further improvements. CI on the pull request found a failure on test-gotip. The failure reproduces on master, so it seems to be related to gotip, and not a regression introduced by this change. For now, disable test-gotip until we can investigate.
3 years ago
func filterForwardBuildFlags(flags []string) (filtered []string, firstUnknown string) {
keep build flags when calling 'go list' Otherwise any build flags like -tags won't be used, and we might easily end up with errors or incorrect packages. The common case with -tags is covered by one of the integration test scripts. On top of that, we add a table-driven unit test to cover all edge cases, since there are many we can do quickly in a unit test. Fixes #82.
4 years ago
for i := 0; i < len(flags); i++ {
arg := flags[i]
avoid obfuscating literals set via -ldflags=-X The -X linker flag sets a string variable to a given value, which is often used to inject strings such as versions. The way garble's literal obfuscation works, we replace string literals with anonymous functions which, when evaluated, result in the original string. Both of these features work fine separately, but when intersecting, they break. For example, given: var myVar = "original" [...] -ldflags=-X=main.myVar=replaced The -X flag effectively replaces the initial value, and -literals adds code to be run at init time: var myVar = "replaced" func init() { myVar = func() string { ... } } Since the init func runs later, -literals breaks -X. To avoid that problem, don't obfuscate literals whose variables are set via -ldflags=-X. We also leave TODOs about obfuscating those in the future, but we're also leaving regression tests to ensure we get it right. Fixes #323.
2 years ago
if strings.HasPrefix(arg, "--") {
arg = arg[1:] // "--name" to "-name"; keep the short form
}
keep build flags when calling 'go list' Otherwise any build flags like -tags won't be used, and we might easily end up with errors or incorrect packages. The common case with -tags is covered by one of the integration test scripts. On top of that, we add a table-driven unit test to cover all edge cases, since there are many we can do quickly in a unit test. Fixes #82.
4 years ago
name := arg
if i := strings.IndexByte(arg, '='); i > 0 {
handle --long build flags properly cmd/go treats "--foo=bar" juts like "-foo=bar", just like any other program using the flag package. However, we didn't support this longer form in filterForwardBuildFlags. Because of it, "garble build -tags=foo" worked, but "garble build --tags=foo" did not, as we wouldn't forward "--tags=foo" as a build flag for "go list". Fixes #429.
3 years ago
name = arg[:i] // "-name=value" to "-name"
}
keep build flags when calling 'go list' Otherwise any build flags like -tags won't be used, and we might easily end up with errors or incorrect packages. The common case with -tags is covered by one of the integration test scripts. On top of that, we add a table-driven unit test to cover all edge cases, since there are many we can do quickly in a unit test. Fixes #82.
4 years ago
fail if we are unexpectedly overwriting files (#418) While investigating a bug report, I noticed that garble was writing to the same temp file twice. At best, writing to the same path on disk twice is wasteful, as the design is careful to be deterministic and use unique paths. At worst, the two writes could cause races at the filesystem level. To prevent either of those situations, we now create files with os.OpenFile and os.O_EXCL, meaning that we will error if the file already exists. That change uncovered a number of such unintended cases. First, transformAsm would write obfuscated Go files twice. This is because the Go toolchain actually runs: [...]/asm -gensymabis [...] foo.s bar.s [...]/asm [...] foo.s bar.s That is, the first run is only meant to generate symbol ABIs, which are then used by the compiler. We need to obfuscate at that first stage, because the symbol ABI descriptions need to use obfuscated names. However, having already obfuscated the assembly on the first stage, there is no need to do so again on the second stage. If we detect gensymabis is missing, we simply reuse the previous files. This first situation doesn't seem racy, but obfuscating the Go assembly files twice is certainly unnecessary. Second, saveKnownReflectAPIs wrote a gob file to the build cache. Since the build cache can be kept between builds, and since the build cache uses reproducible paths for each build, running the same "garble build" twice could overwrite those files. This could actually cause races at the filesystem level; if two concurrent builds write to the same gob file on disk, one of them could end up using a partially-written file. Note that this is the only of the three cases not using temporary files. As such, it is expected that the file may already exist. In such a case, we simply avoid overwriting it rather than failing. Third, when "garble build -a" was used, and when we needed an export file not listed in importcfg, we would end up calling roughly: go list -export -toolexec=garble -a <dependency> This meant we would re-build and re-obfuscate those packages. Which is unfortunate, because the parent process already did via: go build -toolexec=garble -a <main> The repeated dependency builds tripped the new os.O_EXCL check, as we would try to overwrite the same obfuscated Go files. Beyond being wasteful, this could again cause subtle filesystem races. To fix the problem, avoid passing flags like "-a" to nested go commands. Overall, we should likely be using safer ways to write to disk, be it via either atomic writes or locked files. However, for now, catching duplicate writes is a big step. I have left a self-assigned TODO for further improvements. CI on the pull request found a failure on test-gotip. The failure reproduces on master, so it seems to be related to gotip, and not a regression introduced by this change. For now, disable test-gotip until we can investigate.
3 years ago
buildFlag := forwardBuildFlags[name]
keep build flags when calling 'go list' Otherwise any build flags like -tags won't be used, and we might easily end up with errors or incorrect packages. The common case with -tags is covered by one of the integration test scripts. On top of that, we add a table-driven unit test to cover all edge cases, since there are many we can do quickly in a unit test. Fixes #82.
4 years ago
if buildFlag {
filtered = append(filtered, arg)
handle unknown flags in reverse (#290) While at it, expand the tests for build and test too.
3 years ago
} else {
firstUnknown = name
keep build flags when calling 'go list' Otherwise any build flags like -tags won't be used, and we might easily end up with errors or incorrect packages. The common case with -tags is covered by one of the integration test scripts. On top of that, we add a table-driven unit test to cover all edge cases, since there are many we can do quickly in a unit test. Fixes #82.
4 years ago
}
if booleanFlags[arg] || strings.Contains(arg, "=") {
// Either "-bool" or "-name=value".
continue
}
// "-name value", so the next arg is part of this flag.
properly skip non-build flags for 'go list' If the flags list included ["-o" "binary"], we would properly skip "-o", but we wouldn't skip "binary". Thus, 'go list' would receive "binary" as the first argument, and assume that's the first parameter and the end of the flags. And add a unit test case. Fixes #82, again.
4 years ago
if i++; buildFlag && i < len(flags) {
keep build flags when calling 'go list' Otherwise any build flags like -tags won't be used, and we might easily end up with errors or incorrect packages. The common case with -tags is covered by one of the integration test scripts. On top of that, we add a table-driven unit test to cover all edge cases, since there are many we can do quickly in a unit test. Fixes #82.
4 years ago
filtered = append(filtered, flags[i])
}
}
handle unknown flags in reverse (#290) While at it, expand the tests for build and test too.
3 years ago
return filtered, firstUnknown
keep build flags when calling 'go list' Otherwise any build flags like -tags won't be used, and we might easily end up with errors or incorrect packages. The common case with -tags is covered by one of the integration test scripts. On top of that, we add a table-driven unit test to cover all edge cases, since there are many we can do quickly in a unit test. Fixes #82.
4 years ago
}
add a bit more docs
5 years ago
// splitFlagsFromFiles splits args into a list of flag and file arguments. Since
// we can't rely on "--" being present, and we don't parse all flags upfront, we
// rely on finding the first argument that doesn't begin with "-" and that has
garbling imported packages starts being supported
5 years ago
// the extension we expect for the list of paths.
reuse a single 'go list -json -export -deps' call Instead of doing a 'go list' call every time we need to fetch a dependency's export file, we now do a single 'go list' call before the build begins. With the '-deps' flag, it gives us all the dependency packages recursively. We store that data in the gob format in a temporary file, and share it with the future garble sub-processes via an env var. This required lazy parsing of flags for the 'build' and 'test' commands, since now we need to run 'go list' with the same package pattern arguments. Fixes #63.
4 years ago
//
// This function only makes sense for lower-level tool commands, such as
// "compile" or "link", since their arguments are predictable.
func splitFlagsFromFiles(all []string, ext string) (flags, paths []string) {
for i, arg := range all {
start enforcing the link flags -w -s
5 years ago
if !strings.HasPrefix(arg, "-") && strings.HasSuffix(arg, ext) {
reuse a single 'go list -json -export -deps' call Instead of doing a 'go list' call every time we need to fetch a dependency's export file, we now do a single 'go list' call before the build begins. With the '-deps' flag, it gives us all the dependency packages recursively. We store that data in the gob format in a temporary file, and share it with the future garble sub-processes via an env var. This required lazy parsing of flags for the 'build' and 'test' commands, since now we need to run 'go list' with the same package pattern arguments. Fixes #63.
4 years ago
return all[:i:i], all[i:]
start enforcing the link flags -w -s
5 years ago
}
}
reuse a single 'go list -json -export -deps' call Instead of doing a 'go list' call every time we need to fetch a dependency's export file, we now do a single 'go list' call before the build begins. With the '-deps' flag, it gives us all the dependency packages recursively. We store that data in the gob format in a temporary file, and share it with the future garble sub-processes via an env var. This required lazy parsing of flags for the 'build' and 'test' commands, since now we need to run 'go list' with the same package pattern arguments. Fixes #63.
4 years ago
return all, nil
initial commit
5 years ago
}
error if the user forgot -trimpath
5 years ago
add a bit more docs
5 years ago
// flagValue retrieves the value of a flag such as "-foo", from strings in the
support -ldflags=-X=pkg.name=str with garbled names Because the linker has access to all the build IDs, just like the compiler, we can support this transparently. Add a test too. Fixes #21.
4 years ago
// list of arguments like "-foo=bar" or "-foo" "bar". If the flag is repeated,
// the last value is returned.
error if the user forgot -trimpath
5 years ago
func flagValue(flags []string, name string) string {
support -ldflags=-X=pkg.name=str with garbled names Because the linker has access to all the build IDs, just like the compiler, we can support this transparently. Add a test too. Fixes #21.
4 years ago
lastVal := ""
flagValueIter(flags, name, func(val string) {
lastVal = val
})
return lastVal
}
// flagValueIter retrieves all the values for a flag such as "-foo", like
// flagValue. The difference is that it allows handling complex flags, such as
// those whose values compose a list.
func flagValueIter(flags []string, name string, fn func(string)) {
error if the user forgot -trimpath
5 years ago
for i, arg := range flags {
if val := strings.TrimPrefix(arg, name+"="); val != arg {
// -name=value
support -ldflags=-X=pkg.name=str with garbled names Because the linker has access to all the build IDs, just like the compiler, we can support this transparently. Add a test too. Fixes #21.
4 years ago
fn(val)
error if the user forgot -trimpath
5 years ago
}
parse boolean flags differently from string flags This is important, because "-std -foo" and "-buildid -foo" are entirely different cases. The first is equivalent to "-std=true -foo" since the flag is boolean, but the second is equivalent to "-buildid=-foo" since the flag isn't boolean. We can keep track of which of the flags we're interested in are boolean, which isn't much extra work. Also add unit tests; the build ID is a hash, so it's very hard to write an end-to-end test that reliably has an ID starting with a dash.
4 years ago
if arg == name { // -name ...
start hashing identifiers
5 years ago
if i+1 < len(flags) {
parse boolean flags differently from string flags This is important, because "-std -foo" and "-buildid -foo" are entirely different cases. The first is equivalent to "-std=true -foo" since the flag is boolean, but the second is equivalent to "-buildid=-foo" since the flag isn't boolean. We can keep track of which of the flags we're interested in are boolean, which isn't much extra work. Also add unit tests; the build ID is a hash, so it's very hard to write an end-to-end test that reliably has an ID starting with a dash.
4 years ago
// -name value
support -ldflags=-X=pkg.name=str with garbled names Because the linker has access to all the build IDs, just like the compiler, we can support this transparently. Add a test too. Fixes #21.
4 years ago
fn(flags[i+1])
start hashing identifiers
5 years ago
}
error if the user forgot -trimpath
5 years ago
}
}
}
make output binaries deterministic We were leaking temporary file paths, which is no longer the case.
5 years ago
func flagSetValue(flags []string, name, value string) []string {
for i, arg := range flags {
if strings.HasPrefix(arg, name+"=") {
// -name=value
parse boolean flags differently from string flags This is important, because "-std -foo" and "-buildid -foo" are entirely different cases. The first is equivalent to "-std=true -foo" since the flag is boolean, but the second is equivalent to "-buildid=-foo" since the flag isn't boolean. We can keep track of which of the flags we're interested in are boolean, which isn't much extra work. Also add unit tests; the build ID is a hash, so it's very hard to write an end-to-end test that reliably has an ID starting with a dash.
4 years ago
flags[i] = name + "=" + value
make output binaries deterministic We were leaking temporary file paths, which is no longer the case.
5 years ago
return flags
}
parse boolean flags differently from string flags This is important, because "-std -foo" and "-buildid -foo" are entirely different cases. The first is equivalent to "-std=true -foo" since the flag is boolean, but the second is equivalent to "-buildid=-foo" since the flag isn't boolean. We can keep track of which of the flags we're interested in are boolean, which isn't much extra work. Also add unit tests; the build ID is a hash, so it's very hard to write an end-to-end test that reliably has an ID starting with a dash.
4 years ago
if arg == name { // -name ...
if i+1 < len(flags) {
// -name value
flags[i+1] = value
return flags
make output binaries deterministic We were leaking temporary file paths, which is no longer the case.
5 years ago
}
return flags
}
}
return append(flags, name+"="+value)
}
Share data between processes via a shared file. (#192) Previously garble heavily used env vars to share data between processes. This also makes it easy to share complex data between processes. The complexity of main.go is considerably reduced.
4 years ago
use "go env -json" to collect env info all at once In the worst case scenario, when GOPRIVATE isn't set at all, we would run these three commands: * "go env GOPRIVATE", to fetch GOPRIVATE itself * "go list -m", for GOPRIVATE's fallback * "go version", to check the version of Go being used Now that we support Go 1.16 and later, all these three can be obtained via "go env -json": $ go env -json GOPRIVATE GOMOD GOVERSION { "GOMOD": "/home/mvdan/src/garble/go.mod", "GOPRIVATE": "", "GOVERSION": "go1.16.3" } Note that we don't get the module path directly, but we can use the x/mod/modfile Go API to parse it from the GOMOD file cheaply. Notably, this also simplifies our Go version checking logic, as now we get just the version string without the "go version" prefix and "GOOS/GOARCH" suffix we don't care about. This makes our code a bit more maintainable and robust. When running a short incremental build, we can also see a small speed-up, as saving two "go" invocations can save a few milliseconds: name old time/op new time/op delta Build/Cache-8 168ms ± 0% 166ms ± 1% -1.26% (p=0.009 n=6+6) name old bin-B new bin-B delta Build/Cache-8 6.36M ± 0% 6.36M ± 0% +0.12% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build/Cache-8 222ms ± 2% 219ms ± 3% ~ (p=0.589 n=6+6) name old user-time/op new user-time/op delta Build/Cache-8 857ms ± 1% 846ms ± 1% -1.31% (p=0.041 n=6+6)
3 years ago
func fetchGoEnv() error {
out, err := exec.Command("go", "env", "-json",
only list missing packages when obfuscating the runtime We were listing all of std, which certainly worked, but was quite slow at over 200 packages. In practice, we can only be missing up to 20-30 packages. It was a good change as it fixed a severe bug, but it also introduced a fairly noticeable slow-down. The numbers are clear; this change shaves off multiple seconds when obfuscating the runtime with a cold cache: name old time/op new time/op delta Build/NoCache-16 5.06s ± 1% 1.94s ± 1% -61.64% (p=0.008 n=5+5) name old bin-B new bin-B delta Build/NoCache-16 6.70M ± 0% 6.71M ± 0% +0.05% (p=0.008 n=5+5) name old sys-time/op new sys-time/op delta Build/NoCache-16 13.4s ± 2% 5.0s ± 2% -62.45% (p=0.008 n=5+5) name old user-time/op new user-time/op delta Build/NoCache-16 60.6s ± 1% 19.8s ± 1% -67.34% (p=0.008 n=5+5) Since we only want to call "go list" one extra time, instead of once for every package we find out we're missing, we want to know what packages we could be missing in advance. Resurrect a smarter version of the runtime-related script. Finally, remove the runtime-related.txt test script, as it has now been superseeded by the sanity checks in listPackage. That is, obfuscating the runtime package will now panic if we are missing any necessary package information. To double check that we get the runtime's linkname edge case right, make gogarble.txt use runtime/debug.WriteHeapDump, which is implemented via a direct runtime linkname. This ensures we don't lose test coverage from runtime-related.txt.
3 years ago
"GOOS", "GOPRIVATE", "GOMOD", "GOVERSION", "GOCACHE",
use "go env -json" to collect env info all at once In the worst case scenario, when GOPRIVATE isn't set at all, we would run these three commands: * "go env GOPRIVATE", to fetch GOPRIVATE itself * "go list -m", for GOPRIVATE's fallback * "go version", to check the version of Go being used Now that we support Go 1.16 and later, all these three can be obtained via "go env -json": $ go env -json GOPRIVATE GOMOD GOVERSION { "GOMOD": "/home/mvdan/src/garble/go.mod", "GOPRIVATE": "", "GOVERSION": "go1.16.3" } Note that we don't get the module path directly, but we can use the x/mod/modfile Go API to parse it from the GOMOD file cheaply. Notably, this also simplifies our Go version checking logic, as now we get just the version string without the "go version" prefix and "GOOS/GOARCH" suffix we don't care about. This makes our code a bit more maintainable and robust. When running a short incremental build, we can also see a small speed-up, as saving two "go" invocations can save a few milliseconds: name old time/op new time/op delta Build/Cache-8 168ms ± 0% 166ms ± 1% -1.26% (p=0.009 n=6+6) name old bin-B new bin-B delta Build/Cache-8 6.36M ± 0% 6.36M ± 0% +0.12% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build/Cache-8 222ms ± 2% 219ms ± 3% ~ (p=0.589 n=6+6) name old user-time/op new user-time/op delta Build/Cache-8 857ms ± 1% 846ms ± 1% -1.31% (p=0.041 n=6+6)
3 years ago
).CombinedOutput()
if err != nil {
add a few TODOs with uncovered code that should not be This will hopefully give new contributors a place to start. Some of these, like verifying that the "help" commands work, will be relatively simple additions to our test scripts.
2 years ago
// TODO: cover this in the tests.
implement TODO to use a name variable Slightly simplifies the main chunk of code. While here, improve the wording for when Go isn't installed correctly.
2 years ago
fmt.Fprintf(os.Stderr, `Can't find the Go toolchain: %v
use "go env -json" to collect env info all at once In the worst case scenario, when GOPRIVATE isn't set at all, we would run these three commands: * "go env GOPRIVATE", to fetch GOPRIVATE itself * "go list -m", for GOPRIVATE's fallback * "go version", to check the version of Go being used Now that we support Go 1.16 and later, all these three can be obtained via "go env -json": $ go env -json GOPRIVATE GOMOD GOVERSION { "GOMOD": "/home/mvdan/src/garble/go.mod", "GOPRIVATE": "", "GOVERSION": "go1.16.3" } Note that we don't get the module path directly, but we can use the x/mod/modfile Go API to parse it from the GOMOD file cheaply. Notably, this also simplifies our Go version checking logic, as now we get just the version string without the "go version" prefix and "GOOS/GOARCH" suffix we don't care about. This makes our code a bit more maintainable and robust. When running a short incremental build, we can also see a small speed-up, as saving two "go" invocations can save a few milliseconds: name old time/op new time/op delta Build/Cache-8 168ms ± 0% 166ms ± 1% -1.26% (p=0.009 n=6+6) name old bin-B new bin-B delta Build/Cache-8 6.36M ± 0% 6.36M ± 0% +0.12% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build/Cache-8 222ms ± 2% 219ms ± 3% ~ (p=0.589 n=6+6) name old user-time/op new user-time/op delta Build/Cache-8 857ms ± 1% 846ms ± 1% -1.31% (p=0.041 n=6+6)
3 years ago
implement TODO to use a name variable Slightly simplifies the main chunk of code. While here, improve the wording for when Go isn't installed correctly.
2 years ago
This is likely due to Go not being installed/setup correctly.
use "go env -json" to collect env info all at once In the worst case scenario, when GOPRIVATE isn't set at all, we would run these three commands: * "go env GOPRIVATE", to fetch GOPRIVATE itself * "go list -m", for GOPRIVATE's fallback * "go version", to check the version of Go being used Now that we support Go 1.16 and later, all these three can be obtained via "go env -json": $ go env -json GOPRIVATE GOMOD GOVERSION { "GOMOD": "/home/mvdan/src/garble/go.mod", "GOPRIVATE": "", "GOVERSION": "go1.16.3" } Note that we don't get the module path directly, but we can use the x/mod/modfile Go API to parse it from the GOMOD file cheaply. Notably, this also simplifies our Go version checking logic, as now we get just the version string without the "go version" prefix and "GOOS/GOARCH" suffix we don't care about. This makes our code a bit more maintainable and robust. When running a short incremental build, we can also see a small speed-up, as saving two "go" invocations can save a few milliseconds: name old time/op new time/op delta Build/Cache-8 168ms ± 0% 166ms ± 1% -1.26% (p=0.009 n=6+6) name old bin-B new bin-B delta Build/Cache-8 6.36M ± 0% 6.36M ± 0% +0.12% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build/Cache-8 222ms ± 2% 219ms ± 3% ~ (p=0.589 n=6+6) name old user-time/op new user-time/op delta Build/Cache-8 857ms ± 1% 846ms ± 1% -1.31% (p=0.041 n=6+6)
3 years ago
implement TODO to use a name variable Slightly simplifies the main chunk of code. While here, improve the wording for when Go isn't installed correctly.
2 years ago
To install Go, see: https://go.dev/doc/install
use "go env -json" to collect env info all at once In the worst case scenario, when GOPRIVATE isn't set at all, we would run these three commands: * "go env GOPRIVATE", to fetch GOPRIVATE itself * "go list -m", for GOPRIVATE's fallback * "go version", to check the version of Go being used Now that we support Go 1.16 and later, all these three can be obtained via "go env -json": $ go env -json GOPRIVATE GOMOD GOVERSION { "GOMOD": "/home/mvdan/src/garble/go.mod", "GOPRIVATE": "", "GOVERSION": "go1.16.3" } Note that we don't get the module path directly, but we can use the x/mod/modfile Go API to parse it from the GOMOD file cheaply. Notably, this also simplifies our Go version checking logic, as now we get just the version string without the "go version" prefix and "GOOS/GOARCH" suffix we don't care about. This makes our code a bit more maintainable and robust. When running a short incremental build, we can also see a small speed-up, as saving two "go" invocations can save a few milliseconds: name old time/op new time/op delta Build/Cache-8 168ms ± 0% 166ms ± 1% -1.26% (p=0.009 n=6+6) name old bin-B new bin-B delta Build/Cache-8 6.36M ± 0% 6.36M ± 0% +0.12% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build/Cache-8 222ms ± 2% 219ms ± 3% ~ (p=0.589 n=6+6) name old user-time/op new user-time/op delta Build/Cache-8 857ms ± 1% 846ms ± 1% -1.31% (p=0.041 n=6+6)
3 years ago
`, err)
make "garble command -h" give command-specific help Before, "garble build -h" would print the same as "garble -h", which is too much and confusing, as it doesn't tell us much about "build". Now it's far better, and includes the output of "go build -h": $ garble build -h usage: garble [garble flags] build [arguments] This command wraps "go build". Below is its help: usage: go build [-o output] [build flags] [packages] Run 'go help build' for details. We do the same for "garble reverse -h", since it doesn't wrap a Go tool command.
3 years ago
return errJustExit(1)
use "go env -json" to collect env info all at once In the worst case scenario, when GOPRIVATE isn't set at all, we would run these three commands: * "go env GOPRIVATE", to fetch GOPRIVATE itself * "go list -m", for GOPRIVATE's fallback * "go version", to check the version of Go being used Now that we support Go 1.16 and later, all these three can be obtained via "go env -json": $ go env -json GOPRIVATE GOMOD GOVERSION { "GOMOD": "/home/mvdan/src/garble/go.mod", "GOPRIVATE": "", "GOVERSION": "go1.16.3" } Note that we don't get the module path directly, but we can use the x/mod/modfile Go API to parse it from the GOMOD file cheaply. Notably, this also simplifies our Go version checking logic, as now we get just the version string without the "go version" prefix and "GOOS/GOARCH" suffix we don't care about. This makes our code a bit more maintainable and robust. When running a short incremental build, we can also see a small speed-up, as saving two "go" invocations can save a few milliseconds: name old time/op new time/op delta Build/Cache-8 168ms ± 0% 166ms ± 1% -1.26% (p=0.009 n=6+6) name old bin-B new bin-B delta Build/Cache-8 6.36M ± 0% 6.36M ± 0% +0.12% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build/Cache-8 222ms ± 2% 219ms ± 3% ~ (p=0.589 n=6+6) name old user-time/op new user-time/op delta Build/Cache-8 857ms ± 1% 846ms ± 1% -1.31% (p=0.041 n=6+6)
3 years ago
}
if err := json.Unmarshal(out, &cache.GoEnv); err != nil {
return err
Share data between processes via a shared file. (#192) Previously garble heavily used env vars to share data between processes. This also makes it easy to share complex data between processes. The complexity of main.go is considerably reduced.
4 years ago
}
deprecate using GOPRIVATE in favor of GOGARBLE (#427) Piggybacking off of GOPRIVATE is great for a number of reasons: * People tend to obfuscate private code, whose package paths will generally be in GOPRIVATE already * Its meaning and syntax are well understood * It allows all the flexibility we need without adding our own env var or config option However, using GOPRIVATE directly has one main drawback. It's fairly common to also want to obfuscate public dependencies, to make the code in private packages even harder to follow. However, using "GOPRIVATE=*" will result in two main downsides: * GONOPROXY defaults to GOPRIVATE, so the proxy would be entirely disabled. Downloading modules, such as when adding or updating dependencies, or when the local cache is cold, can be less reliable. * GONOSUMDB defaults to GOPRIVATE, so the sumdb would be entirely disabled. Adding entries to go.sum, such as when adding or updating dependencies, can be less secure. We will continue to consume GOPRIVATE as a fallback, but we now expect users to set GOGARBLE instead. The new logic is documented in the README. While here, rewrite some uses of "private" with "to obfuscate", to make the code easier to follow and harder to misunderstand. Fixes #276.
3 years ago
cache.GOGARBLE = os.Getenv("GOGARBLE")
if cache.GOGARBLE != "" {
// GOGARBLE is non-empty; nothing to do.
} else if cache.GoEnv.GOPRIVATE != "" {
// GOGARBLE is empty and GOPRIVATE is non-empty.
// Set GOGARBLE to GOPRIVATE's value.
cache.GOGARBLE = cache.GoEnv.GOPRIVATE
} else {
// If GOPRIVATE isn't set and we're in a module, use its module
// path as a GOPRIVATE default. Include a _test variant too.
// TODO(mvdan): we shouldn't need the _test variant here,
// as the import path should not include it; only the package name.
unify the definition and storage of flag values The parent garble process parses the original flags, as provided by the user via the command line. Previously, those got stored in the shared cache file, so that child processes spawned by toolexec could see them. Unfortunately, this made the code relatively easy to misuse. A child process would always see flagLiterals as zero value, given that it should never see such a flag argument directly. Similarly, one would have to be careful with cached options, as they could only be consumed after the cache file is loaded. Simplify the situation by deduplicating the storage of flags. Now, the parent passes all flags onto children via toolexec. One exception is GarbleDir, which now becomes an env var. This seems in line with other top-level dirs like GARBLE_SHARED. Finally, we turn -seed into a flag.Value, which lets us implement its "set" behavior as part of flag.Parse. Overall, we barely reduce the amount of code involved, but we certainly remove a couple of footguns. As part of the cleanup, we also introduce appendFlags.
3 years ago
if mod, err := os.ReadFile(cache.GoEnv.GOMOD); err == nil {
use "go env -json" to collect env info all at once In the worst case scenario, when GOPRIVATE isn't set at all, we would run these three commands: * "go env GOPRIVATE", to fetch GOPRIVATE itself * "go list -m", for GOPRIVATE's fallback * "go version", to check the version of Go being used Now that we support Go 1.16 and later, all these three can be obtained via "go env -json": $ go env -json GOPRIVATE GOMOD GOVERSION { "GOMOD": "/home/mvdan/src/garble/go.mod", "GOPRIVATE": "", "GOVERSION": "go1.16.3" } Note that we don't get the module path directly, but we can use the x/mod/modfile Go API to parse it from the GOMOD file cheaply. Notably, this also simplifies our Go version checking logic, as now we get just the version string without the "go version" prefix and "GOOS/GOARCH" suffix we don't care about. This makes our code a bit more maintainable and robust. When running a short incremental build, we can also see a small speed-up, as saving two "go" invocations can save a few milliseconds: name old time/op new time/op delta Build/Cache-8 168ms ± 0% 166ms ± 1% -1.26% (p=0.009 n=6+6) name old bin-B new bin-B delta Build/Cache-8 6.36M ± 0% 6.36M ± 0% +0.12% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build/Cache-8 222ms ± 2% 219ms ± 3% ~ (p=0.589 n=6+6) name old user-time/op new user-time/op delta Build/Cache-8 857ms ± 1% 846ms ± 1% -1.31% (p=0.041 n=6+6)
3 years ago
modpath := modfile.ModulePath(mod)
if modpath != "" {
deprecate using GOPRIVATE in favor of GOGARBLE (#427) Piggybacking off of GOPRIVATE is great for a number of reasons: * People tend to obfuscate private code, whose package paths will generally be in GOPRIVATE already * Its meaning and syntax are well understood * It allows all the flexibility we need without adding our own env var or config option However, using GOPRIVATE directly has one main drawback. It's fairly common to also want to obfuscate public dependencies, to make the code in private packages even harder to follow. However, using "GOPRIVATE=*" will result in two main downsides: * GONOPROXY defaults to GOPRIVATE, so the proxy would be entirely disabled. Downloading modules, such as when adding or updating dependencies, or when the local cache is cold, can be less reliable. * GONOSUMDB defaults to GOPRIVATE, so the sumdb would be entirely disabled. Adding entries to go.sum, such as when adding or updating dependencies, can be less secure. We will continue to consume GOPRIVATE as a fallback, but we now expect users to set GOGARBLE instead. The new logic is documented in the README. While here, rewrite some uses of "private" with "to obfuscate", to make the code easier to follow and harder to misunderstand. Fixes #276.
3 years ago
cache.GOGARBLE = modpath + "," + modpath + "_test"
use "go env -json" to collect env info all at once In the worst case scenario, when GOPRIVATE isn't set at all, we would run these three commands: * "go env GOPRIVATE", to fetch GOPRIVATE itself * "go list -m", for GOPRIVATE's fallback * "go version", to check the version of Go being used Now that we support Go 1.16 and later, all these three can be obtained via "go env -json": $ go env -json GOPRIVATE GOMOD GOVERSION { "GOMOD": "/home/mvdan/src/garble/go.mod", "GOPRIVATE": "", "GOVERSION": "go1.16.3" } Note that we don't get the module path directly, but we can use the x/mod/modfile Go API to parse it from the GOMOD file cheaply. Notably, this also simplifies our Go version checking logic, as now we get just the version string without the "go version" prefix and "GOOS/GOARCH" suffix we don't care about. This makes our code a bit more maintainable and robust. When running a short incremental build, we can also see a small speed-up, as saving two "go" invocations can save a few milliseconds: name old time/op new time/op delta Build/Cache-8 168ms ± 0% 166ms ± 1% -1.26% (p=0.009 n=6+6) name old bin-B new bin-B delta Build/Cache-8 6.36M ± 0% 6.36M ± 0% +0.12% (p=0.002 n=6+6) name old sys-time/op new sys-time/op delta Build/Cache-8 222ms ± 2% 219ms ± 3% ~ (p=0.589 n=6+6) name old user-time/op new user-time/op delta Build/Cache-8 857ms ± 1% 846ms ± 1% -1.31% (p=0.041 n=6+6)
3 years ago
}
Share data between processes via a shared file. (#192) Previously garble heavily used env vars to share data between processes. This also makes it easy to share complex data between processes. The complexity of main.go is considerably reduced.
4 years ago
}
}
return nil
}