justan0th3rstud3nt
/
garble
mirror of https://github.com/burrowers/garble
1
0
Fork 0
Code Issues 1 Projects Releases Wiki Activity

default to GOGARBLE=*, stop using GOPRIVATE

Browse Source 
We can drop the code that kicked in when GOGARBLE was empty.
We can also add the value in addGarbleToHash unconditionally,
as we never allow it to be empty.

In the tests, remove all GOGARBLE lines where it just meant "obfuscate
everything" or "obfuscate the entire main module".

cgo.txtar had "obfuscate everything" as a separate step,
so remove it entirely.

linkname.txtar started failing because the imported package did not
import strings, so listPackage errored out. This wasn't a problem when
strings itself wasn't obfuscated, as transformLinkname silently left
strings.IndexByte untouched. It is a problem when IndexByte does get
obfuscated. Make that kind of listPackage error visible, and fix it.

reflect.txtar started failing with "unreachable method" runtime throws.
It's not clear to me why; it appears that GOGARBLE=* makes the linker
think that ExportedMethodName is suddenly unreachable.
Work around the problem by making the method explicitly reachable,
and leave a TODO as a reminder to investigate.

Finally, gogarble.txtar no longer needs to test for GOPRIVATE.
The rest of the test is left the same, as we still want the various
values for GOGARBLE to continue to work just like before.

Fixes #594.
pull/617/head
Daniel Martí 2 years ago
parent ec32030be0
commit 481e3a1f09
29 changed files with 38 additions and 90 deletions
Show Stats Download Patch File Download Diff File

3
CHANGELOG.md
Unescape Escape View File

@ -7,6 +7,8 @@ and adds initial support for the upcoming Go 1.20.
Noteworthy changes include: Noteworthy changes include:
* `GOGARBLE=*` is now the default to obfuscate all packages - [#594]
* `GOPRIVATE` is no longer used, being deprecated in [v0.5.0]
* Obfuscate assembly source code filenames - [#605] * Obfuscate assembly source code filenames - [#605]
* Randomize the lengths of obfuscated names * Randomize the lengths of obfuscated names
* Support obfuscating `time` and `syscall` * Support obfuscating `time` and `syscall`
@ -157,6 +159,7 @@ Known bugs:
* obfuscating the standard library with `GOPRIVATE=*` is not well supported yet * obfuscating the standard library with `GOPRIVATE=*` is not well supported yet
* `garble test` is temporarily disabled, as it is currently broken * `garble test` is temporarily disabled, as it is currently broken
[#594]: https://github.com/burrowers/garble/issues/594
[#605]: https://github.com/burrowers/garble/issues/605 [#605]: https://github.com/burrowers/garble/issues/605
[v0.7.2]: https://github.com/burrowers/garble/releases/tag/v0.7.2 [v0.7.2]: https://github.com/burrowers/garble/releases/tag/v0.7.2

10
README.md
Unescape Escape View File

@ -34,12 +34,10 @@ order to:
* [Obfuscate literals](#literal-obfuscation), if the `-literals` flag is given * [Obfuscate literals](#literal-obfuscation), if the `-literals` flag is given
* Remove [extra information](#tiny-mode), if the `-tiny` flag is given * Remove [extra information](#tiny-mode), if the `-tiny` flag is given
The tool obfuscates the packages matching `GOGARBLE`, a comma-separated list of By default, the tool obfuscates all the packages being built.
glob patterns of module path prefixes, as documented in `go help private`. You can manually specify which packages to obfuscate via `GOGARBLE`,
To obfuscate all the packages in a build, use `GOGARBLE=*`. a comma-separated list of glob patterns matching package path prefixes.
When `GOGARBLE` is empty, it assumes the value of `GOPRIVATE`. This format is borrowed from `GOPRIVATE`; see `go help private`.
When `GOPRIVATE` is also empty, then `GOGARBLE` assumes the value of the current
module path, to obfuscate all packages under the current module.
Note that commands like `garble build` will use the `go` version found in your Note that commands like `garble build` will use the `go` version found in your
`$PATH`. To use different versions of Go, you can `$PATH`. To use different versions of Go, you can

1
bench_test.go
Unescape Escape View File

@ -84,7 +84,6 @@ func BenchmarkBuild(b *testing.B) {
gocache, err := os.MkdirTemp(b.TempDir(), "gocache-*") gocache, err := os.MkdirTemp(b.TempDir(), "gocache-*")
qt.Assert(b, err, qt.IsNil) qt.Assert(b, err, qt.IsNil)
env := append(os.Environ(), env := append(os.Environ(),
"GOGARBLE=*",
"GOCACHE="+gocache, "GOCACHE="+gocache,
"GARBLE_WRITE_ALLOCS=true", "GARBLE_WRITE_ALLOCS=true",
) )

2
hash.go
Unescape Escape View File

@ -98,9 +98,7 @@ func addGarbleToHash(inputHash []byte) []byte {
// We also need to add the selected options to the full version string, // We also need to add the selected options to the full version string,
// because all of them result in different output. We use spaces to // because all of them result in different output. We use spaces to
// separate the env vars and flags, to reduce the chances of collisions. // separate the env vars and flags, to reduce the chances of collisions.
if cache.GOGARBLE != "" {
fmt.Fprintf(hasher, " GOGARBLE=%s", cache.GOGARBLE) fmt.Fprintf(hasher, " GOGARBLE=%s", cache.GOGARBLE)
}
appendFlags(hasher, true) appendFlags(hasher, true)
// addGarbleToHash returns the sum buffer, so we need a new copy. // addGarbleToHash returns the sum buffer, so we need a new copy.
// Otherwise the next use of the global sumBuffer would conflict. // Otherwise the next use of the global sumBuffer would conflict.

36
main.go
Unescape Escape View File

@ -36,7 +36,6 @@ import (
"golang.org/x/exp/maps" "golang.org/x/exp/maps"
"golang.org/x/exp/slices" "golang.org/x/exp/slices"
"golang.org/x/mod/modfile"
"golang.org/x/mod/module" "golang.org/x/mod/module"
"golang.org/x/mod/semver" "golang.org/x/mod/semver"
"golang.org/x/tools/go/ast/astutil" "golang.org/x/tools/go/ast/astutil"
@ -998,9 +997,22 @@ func (tf *transformer) transformLinkname(localName, newName string) (string, str
lpkg, err := listPackage(pkgPath) lpkg, err := listPackage(pkgPath)
if err != nil { if err != nil {
// TODO(mvdan): use errors.As or errors.Is instead
if strings.Contains(err.Error(), "path not found") {
// Probably a made up name like above, but with a dot. // Probably a made up name like above, but with a dot.
return localName, newName return localName, newName
} }
if strings.Contains(err.Error(), "refusing to list") {
fmt.Fprintf(os.Stderr,
"//go:linkname refers to %s - add `import _ %q` so garble can find the package",
newName, pkgPath)
return localName, newName
}
if err != nil {
panic(err) // shouldn't happen
}
return localName, newName
}
if lpkg.ToObfuscate { if lpkg.ToObfuscate {
// The name exists and was obfuscated; obfuscate the new name. // The name exists and was obfuscated; obfuscate the new name.
newForeignName := hashWithPackage(lpkg, foreignName) newForeignName := hashWithPackage(lpkg, foreignName)
@ -2185,7 +2197,8 @@ func flagSetValue(flags []string, name, value string) []string {
func fetchGoEnv() error { func fetchGoEnv() error {
out, err := exec.Command("go", "env", "-json", out, err := exec.Command("go", "env", "-json",
"GOOS", "GOPRIVATE", "GOMOD", "GOVERSION", "GOCACHE", // Keep in sync with sharedCache.GoEnv.
"GOOS", "GOMOD", "GOVERSION",
).CombinedOutput() ).CombinedOutput()
if err != nil { if err != nil {
// TODO: cover this in the tests. // TODO: cover this in the tests.
@ -2201,23 +2214,8 @@ To install Go, see: https://go.dev/doc/install
return fmt.Errorf(`cannot unmarshal from "go env -json": %w`, err) return fmt.Errorf(`cannot unmarshal from "go env -json": %w`, err)
} }
cache.GOGARBLE = os.Getenv("GOGARBLE") cache.GOGARBLE = os.Getenv("GOGARBLE")
if cache.GOGARBLE != "" { if cache.GOGARBLE == "" {
// GOGARBLE is non-empty; nothing to do. cache.GOGARBLE = "*" // we default to obfuscating everything
} else if cache.GoEnv.GOPRIVATE != "" {
// GOGARBLE is empty and GOPRIVATE is non-empty.
// Set GOGARBLE to GOPRIVATE's value.
cache.GOGARBLE = cache.GoEnv.GOPRIVATE
} else {
// If GOPRIVATE isn't set and we're in a module, use its module
// path as a GOPRIVATE default. Include a _test variant too.
// TODO(mvdan): we shouldn't need the _test variant here,
// as the import path should not include it; only the package name.
if mod, err := os.ReadFile(cache.GoEnv.GOMOD); err == nil {
modpath := modfile.ModulePath(mod)
if modpath != "" {
cache.GOGARBLE = modpath + "," + modpath + "_test"
}
}
} }
return nil return nil
} }

2
scripts/check-third-party.sh
Unescape Escape View File

@ -38,8 +38,6 @@ modules=(
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
export GOGARBLE="*"
exit_code=0 exit_code=0
show() { show() {

4
shared.go
Unescape Escape View File

@ -44,14 +44,12 @@ type sharedCache struct {
GOGARBLE string GOGARBLE string
// Filled directly from "go env". // Filled directly from "go env".
// Remember to update the exec call when adding or removing names. // Keep in sync with fetchGoEnv.
GoEnv struct { GoEnv struct {
GOOS string // i.e. the GOOS build target GOOS string // i.e. the GOOS build target
GOPRIVATE string
GOMOD string GOMOD string
GOVERSION string GOVERSION string
GOCACHE string
} }
} }

2
testdata/script/asm.txtar vendored
Unescape Escape View File

@ -3,8 +3,6 @@
# TODO: support arm64, at least # TODO: support arm64, at least
[!amd64] skip 'the assembly is only written for amd64' [!amd64] skip 'the assembly is only written for amd64'
env GOGARBLE=test/main
garble build garble build
exec ./main exec ./main
cmp stderr main.stderr cmp stderr main.stderr

8
testdata/script/cgo.txtar vendored
Unescape Escape View File

@ -1,7 +1,5 @@
[!cgo] skip 'this test requires cgo to be enabled' [!cgo] skip 'this test requires cgo to be enabled'
env GOGARBLE=test/main
garble build garble build
! stderr 'warning' # check that the C toolchain is happy ! stderr 'warning' # check that the C toolchain is happy
exec ./main exec ./main
@ -19,12 +17,6 @@ garble reverse .
cmp stdout reversed.stdout cmp stdout reversed.stdout
env GARBLE_TEST_REVERSING=false env GARBLE_TEST_REVERSING=false
env GOGARBLE=*
garble build
exec ./main
cmp stdout main.stdout
env GOGARBLE=test/main
garble -tiny build garble -tiny build
exec ./main exec ./main
cmp stdout main.stdout cmp stdout main.stdout

1
testdata/script/crossbuild.txtar vendored
Unescape Escape View File

@ -9,7 +9,6 @@
[arm] env GOARCH=arm64 [arm] env GOARCH=arm64
# A fairly average Go build, importing some std libraries. # A fairly average Go build, importing some std libraries.
env GOGARBLE='*'
garble build garble build
-- go.mod -- -- go.mod --
module test/main module test/main

2
testdata/script/debugdir.txtar vendored
Unescape Escape View File

@ -1,5 +1,3 @@
env GOGARBLE=*
garble -debugdir ./debug1 build garble -debugdir ./debug1 build
exists 'debug1/test/main/imported/imported.go' 'debug1/test/main/main.go' 'debug1/reflect/type.go' exists 'debug1/test/main/imported/imported.go' 'debug1/test/main/main.go' 'debug1/reflect/type.go'
exists 'debug1/runtime/map.go' 'debug1/runtime/funcdata.h' 'debug1/runtime/asm.s' exists 'debug1/runtime/map.go' 'debug1/runtime/funcdata.h' 'debug1/runtime/asm.s'

2
testdata/script/embed.txtar vendored
Unescape Escape View File

@ -1,5 +1,3 @@
env GOGARBLE=*
garble build garble build
exec ./main exec ./main

8
testdata/script/gogarble.txtar vendored
Unescape Escape View File

@ -1,13 +1,8 @@
# Ensure that "does not match any packages" works with GOPRIVATE and GOGARBLE. # Ensure that "does not match any packages" works.
env GOGARBLE=match-absolutely/nothing env GOGARBLE=match-absolutely/nothing
! garble build -o=out ./standalone ! garble build -o=out ./standalone
stderr '^GOGARBLE="match-absolutely/nothing" does not match any packages to be built$' stderr '^GOGARBLE="match-absolutely/nothing" does not match any packages to be built$'
env GOGARBLE=
env GOPRIVATE=match-absolutely/nothing
! garble build -o=out ./standalone
stderr '^GOGARBLE="match-absolutely/nothing" does not match any packages to be built$'
# A build where just some packages are obfuscated. # A build where just some packages are obfuscated.
env GOGARBLE=test/main/imported env GOGARBLE=test/main/imported
garble -literals build -o=out ./importer garble -literals build -o=out ./importer
@ -23,6 +18,7 @@ garble build -o=out ./stdimporter
[short] stop # rebuilding std is slow [short] stop # rebuilding std is slow
# Go back to the default of obfuscating all packages.
env GOGARBLE='*' env GOGARBLE='*'
# Try garbling all of std, given some std packages. # Try garbling all of std, given some std packages.

2
testdata/script/help.txtar vendored
Unescape Escape View File

@ -1,5 +1,3 @@
env GOGARBLE=*
! garble ! garble
stderr 'Garble obfuscates Go code' stderr 'Garble obfuscates Go code'
stderr 'garble \[garble flags\] command' stderr 'garble \[garble flags\] command'

2
testdata/script/implement.txtar vendored
Unescape Escape View File

@ -1,5 +1,3 @@
env GOGARBLE=test/main
garble build garble build
exec ./main exec ./main
cmp stdout main.stdout cmp stdout main.stdout

6
testdata/script/imports.txtar vendored
Unescape Escape View File

@ -1,7 +1,5 @@
# Note that this is the only test with a module where we rely on the detection # Since this is the only test using "real" external modules fetched via GOPROXY,
# of GOGARBLE. # go.mod and go.sum should declare the dependencies.
# Also note that, since this is the only test using "real" external modules
# fetched via GOPROXY, go.mod and go.sum should declare the dependencies.
# For now, use a throwaway module download cache instead of the host machine's. # For now, use a throwaway module download cache instead of the host machine's.
# Usually it would be fine to reuse the host's, since we expose exact copies of # Usually it would be fine to reuse the host's, since we expose exact copies of

2
testdata/script/ldflags.txtar vendored
Unescape Escape View File

@ -1,5 +1,3 @@
env GOGARBLE=*
# Note the proper domain, since the dot adds an edge case. # Note the proper domain, since the dot adds an edge case.
# #
# Also note that there are three forms of -X allowed: # Also note that there are three forms of -X allowed:

3
testdata/script/linkname.txtar vendored
Unescape Escape View File

@ -1,5 +1,3 @@
env GOGARBLE=test/main,big.chungus/meme
garble build garble build
exec ./main exec ./main
cmp stderr main.stderr cmp stderr main.stderr
@ -76,6 +74,7 @@ func main() {
package imported package imported
import ( import (
_ "strings"
_ "unsafe" _ "unsafe"
) )

3
testdata/script/literals.txtar vendored
Unescape Escape View File

@ -1,5 +1,3 @@
env GOGARBLE=*
garble -literals build garble -literals build
exec ./main$exe exec ./main$exe
cmp stderr main.stderr cmp stderr main.stderr
@ -52,7 +50,6 @@ grep '^\s+\w+ = .*\bappend\(\w+,(\s+\w+\[\d+\][\^\-+]\w+\[\d+\],?)+\)$' debug1/t
# Finally, sanity check that we can build all of std with -literals. # Finally, sanity check that we can build all of std with -literals.
# Analogous to gogarble.txt. # Analogous to gogarble.txt.
env GOGARBLE='*'
garble -literals build std garble -literals build std
-- go.mod -- -- go.mod --
module test/main module test/main

2
testdata/script/modinfo.txtar vendored
Unescape Escape View File

@ -1,5 +1,3 @@
env GOGARBLE=test/main
[exec:git] exec git init -q [exec:git] exec git init -q
[exec:git] exec git config user.name "name" [exec:git] exec git config user.name "name"
[exec:git] exec git config user.email "name@email.local" [exec:git] exec git config user.email "name@email.local"

2
testdata/script/plugin.txtar vendored
Unescape Escape View File

@ -2,8 +2,6 @@ skip # TODO: get plugins working properly. See issue #87
[windows] skip 'Go plugins are not supported on Windows' [windows] skip 'Go plugins are not supported on Windows'
env GOGARBLE=test/main
garble build -buildmode=plugin ./plugin garble build -buildmode=plugin ./plugin
binsubstr plugin.so 'PublicVar' 'PublicFunc' binsubstr plugin.so 'PublicVar' 'PublicFunc'
! binsubstr plugin.so 'privateFunc' ! binsubstr plugin.so 'privateFunc'

2
testdata/script/position.txtar vendored
Unescape Escape View File

@ -1,5 +1,3 @@
env GOGARBLE=test/main
garble build garble build
exec ./main exec ./main
! stdout 'garble_main\.go|garble_other_filename|is sorted' ! stdout 'garble_main\.go|garble_other_filename|is sorted'

8
testdata/script/reflect.txtar vendored
Unescape Escape View File

@ -1,5 +1,3 @@
env GOGARBLE=test/main
garble build garble build
exec ./main exec ./main
cmp stdout main.stdout cmp stdout main.stdout
@ -32,6 +30,8 @@ import (
"test/main/importedpkg2" "test/main/importedpkg2"
) )
var Sink interface{}
func main() { func main() {
// Fields still work fine when they are not obfuscated. // Fields still work fine when they are not obfuscated.
fmt.Println(importedpkg.ReflectInDefinedVar.ExportedField2) fmt.Println(importedpkg.ReflectInDefinedVar.ExportedField2)
@ -41,9 +41,13 @@ func main() {
printfWithoutPackage("%T\n", importedpkg.ReflectTypeOf(2)) printfWithoutPackage("%T\n", importedpkg.ReflectTypeOf(2))
printfWithoutPackage("%T\n", importedpkg.ReflectTypeOfIndirect(4)) printfWithoutPackage("%T\n", importedpkg.ReflectTypeOfIndirect(4))
// More complex use of reflect. // More complex use of reflect.
v := importedpkg.ReflectValueOfVar v := importedpkg.ReflectValueOfVar
printfWithoutPackage("%#v\n", v) printfWithoutPackage("%#v\n", v)
// Keep the method from being unreachable, otherwise Call below may panic.
// TODO(mvdan): This only started being necessary with GOGARBLE=*. Why?
Sink = v.ExportedMethodName
method := reflect.ValueOf(&v).MethodByName("ExportedMethodName") method := reflect.ValueOf(&v).MethodByName("ExportedMethodName")
if method.IsValid() { if method.IsValid() {
fmt.Println(method.Call(nil)) fmt.Println(method.Call(nil))

2
testdata/script/reverse.txtar vendored
Unescape Escape View File

@ -1,5 +1,3 @@
env GOGARBLE=test/main
# Unknown build flags should result in errors. # Unknown build flags should result in errors.
! garble reverse -badflag=foo . ! garble reverse -badflag=foo .
stderr 'flag provided but not defined' stderr 'flag provided but not defined'

1
testdata/script/seed-cache.txtar vendored
Unescape Escape View File

@ -7,7 +7,6 @@
# In the past, this threw off garble's extra cached gob files. # In the past, this threw off garble's extra cached gob files.
env SEED1=OQg9kACEECQ env SEED1=OQg9kACEECQ
env GOGARBLE=*
# First, ensure that mod1's garbletest.v2 is in the cache. # First, ensure that mod1's garbletest.v2 is in the cache.
cd mod1 cd mod1

2
testdata/script/seed.txtar vendored
Unescape Escape View File

@ -1,5 +1,3 @@
env GOGARBLE=test/main
# Note that in this test we use "! bincmp" on plaintext output files, # Note that in this test we use "! bincmp" on plaintext output files,
# as a workaround for "cmp" not supporting "! cmp". # as a workaround for "cmp" not supporting "! cmp".
# TODO: now that obfuscation with -seed is deterministic, # TODO: now that obfuscation with -seed is deterministic,

2
testdata/script/syntax.txtar vendored
Unescape Escape View File

@ -1,5 +1,3 @@
env GOGARBLE='test/main,private.source'
garble build garble build
exec ./main$exe exec ./main$exe
cmp stderr main.stderr cmp stderr main.stderr

2
testdata/script/tiny.txtar vendored
Unescape Escape View File

@ -1,5 +1,3 @@
env GOGARBLE=test/main
# Tiny mode # Tiny mode
garble -tiny build garble -tiny build
! binsubstr main$exe 'garble_main.go' 'fmt/print.go' ! binsubstr main$exe 'garble_main.go' 'fmt/print.go'

2
testdata/script/typeparams.txtar vendored
Unescape Escape View File

@ -1,5 +1,3 @@
env GOGARBLE=*
garble build garble build
! binsubstr main$exe ${WORK} 'garble_main.go' 'GenericFunc' 'GenericVector' 'PredeclaredSignedInteger' 'StringableSignedInteger' 'CombineEmbeds' 'GenericParam' ! binsubstr main$exe ${WORK} 'garble_main.go' 'GenericFunc' 'GenericVector' 'PredeclaredSignedInteger' 'StringableSignedInteger' 'CombineEmbeds' 'GenericParam'
-- go.mod -- -- go.mod --

Write Preview
Loading…
Cancel
Save