VERSION

@@ -1 +1 @@
-go1.7.3
+go1.7.4

doc/devel/release.html

@@ -63,6 +63,12 @@ <h3 id="go1.7.minor">Minor revisions</h3>
 1.7.3 milestone</a> on our issue tracker for details.
 </p>
 
+<p>
+go1.7.4 (released 2016/12/01) includes two security fixes.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.7.4">Go
+1.7.4 milestone</a> on our issue tracker for details.
+</p>
+
 <h2 id="go1.6">go1.6 (released 2016/02/17)</h2>
 
 <p>
@@ -89,11 +95,18 @@ <h3 id="go1.6.minor">Minor revisions</h3>
 <p>
 go1.6.3 (released 2016/07/17) includes security fixes to the
 <code>net/http/cgi</code> package and <code>net/http</code> package when used in
-a CGI environment. This release also adds support for macOS Sierra.
+a CGI environment.
 See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.6.3">Go
 1.6.3 milestone</a> on our issue tracker for details.
 </p>
 
+<p>
+go1.6.4 (released 2016/12/01) includes two security fixes.
+It contains the same fixes as Go 1.7.4 and was released at the same time.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.7.4">Go
+1.7.4 milestone</a> on our issue tracker for details.
+</p>
+
 <h2 id="go1.5">go1.5 (released 2015/08/19)</h2>
 
 <p>

doc/go1.7.html

@@ -67,8 +67,7 @@ <h2 id="ports">Ports</h2>
 
 <p>
 Go 1.7 adds support for macOS 10.12 Sierra.
-This support was backported to Go 1.6.3.
-Binaries built with versions of Go before 1.6.3 will not work
+Binaries built with versions of Go before 1.7 will not work
 correctly on Sierra.
 </p>
 

doc/install-source.html

@@ -119,27 +119,39 @@ <h2 id="go14">Install Go compiler binaries</h2>
 <p>
 The Go tool chain is written in Go. To build it, you need a Go compiler installed.
 The scripts that do the initial build of the tools look for an existing Go tool
-chain in <code>$HOME/go1.4</code>.
-(This path may be overridden by setting the <code>GOROOT_BOOTSTRAP</code>
-environment variable.)
+chain in <code>$GOROOT_BOOTSTRAP</code>.
+If unset, the default value of <code>GOROOT_BOOTSTRAP</code>
+is <code>$HOME/go1.4</code>.
 </p>
 
 <p>
-Build the tools with Go version 1.4 or a point release (1.4.1, 1.4.2 etc.).
-Go 1.4 binaries can be found at <a href="/dl/">the downloads page</a>.
+There are many options for the bootstrap tool chain.
+After obtaining one, set <code>GOROOT_BOOTSTRAP</code> to the
+directory containing the unpacked tree.
+For example, <code>$GOROOT_BOOTSTRAP/bin/go</code> should be
+the <code>go</code> command binary for the bootstrap tool chain.
 </p>
 
 <p>
-Download the zip or tarball of Go 1.4 for your platform and extract it to
-<code>$HOME/go1.4</code> (or your nominated <code>GOROOT_BOOTSTRAP</code>
-location).
+To use a binary release as a bootstrap tool chain, see
+<a href="/dl/">the downloads page</a> or use any other
+packaged Go distribution.
 </p>
 
 <p>
-If you want to install Go 1.5 on a system that is not supported by Go 1.4 (such
-as <code>linux/ppc64</code> and <code>linux/mips64le</code>) you can either use
-<a href="/src/bootstrap.bash">bootstrap.bash</a> on a system that can bootstrap Go
-1.5 normally, or bootstrap with gccgo 5.
+To build a bootstrap tool chain from source, use
+either the git branch <code>release-branch.go1.4</code> or
+<a href="https://storage.googleapis.com/golang/go1.4-bootstrap-20161024.tar.gz">go1.4-bootstrap-20161024.tar.gz</a>,
+which contains the Go 1.4 source code plus accumulated fixes
+to keep the tools running on newer operating systems.
+(Go 1.4 was the last distribution in which the tool chain was written in C.)
+</p>
+
+<p>
+To cross-compile a bootstrap tool chain from source, which is
+necessary on systems Go 1.4 did not target (for
+example, <code>linux/ppc64le</code>), install Go on a different system
+and run <a href="/src/bootstrap.bash">bootstrap.bash</a>.
 </p>
 
 <p>
@@ -158,8 +170,9 @@ <h2 id="go14">Install Go compiler binaries</h2>
 </p>
 
 <p>
-To use gccgo, you need to arrange for <code>$GOROOT_BOOTSTRAP/bin/go</code> to be
-the go tool that comes as part of gccgo 5. For example on Ubuntu Vivid:
+To use gccgo as the bootstrap toolchain, you need to arrange
+for <code>$GOROOT_BOOTSTRAP/bin/go</code> to be the go tool that comes
+as part of gccgo 5. For example on Ubuntu Vivid:
 </p>
 
 <pre>

src/crypto/x509/cert_pool.go

@@ -64,6 +64,21 @@ func (s *CertPool) findVerifiedParents(cert *Certificate) (parents []int, errCer
 	return
 }
 
+func (s *CertPool) contains(cert *Certificate) bool {
+	if s == nil {
+		return false
+	}
+
+	candidates := s.byName[string(cert.RawSubject)]
+	for _, c := range candidates {
+		if s.certs[c].Equal(cert) {
+			return true
+		}
+	}
+
+	return false
+}
+
 // AddCert adds a certificate to a pool.
 func (s *CertPool) AddCert(cert *Certificate) {
 	if cert == nil {

src/crypto/x509/root_cgo_darwin.go

@@ -73,10 +73,11 @@ int useOldCode() {
 //
 // On success it returns 0 and fills pemRoots with a CFDataRef that contains the extracted root
 // certificates of the system. On failure, the function returns -1.
+// Additionally, it fills untrustedPemRoots with certs that must be removed from pemRoots.
 //
-// Note: The CFDataRef returned in pemRoots must be released (using CFRelease) after
-// we've consumed its content.
-int FetchPEMRoots(CFDataRef *pemRoots) {
+// Note: The CFDataRef returned in pemRoots and untrustedPemRoots must
+// be released (using CFRelease) after we've consumed its content.
+int FetchPEMRoots(CFDataRef *pemRoots, CFDataRef *untrustedPemRoots) {
 	if (useOldCode()) {
 		return FetchPEMRoots_MountainLion(pemRoots);
 	}
@@ -93,23 +94,69 @@ int FetchPEMRoots(CFDataRef *pemRoots) {
 		return -1;
 	}
 
+	// kSecTrustSettingsResult is defined as CFSTR("kSecTrustSettingsResult"),
+	// but the Go linker's internal linking mode can't handle CFSTR relocations.
+	// Create our own dynamic string instead and release it below.
+	CFStringRef policy = CFStringCreateWithCString(NULL, "kSecTrustSettingsResult", kCFStringEncodingUTF8);
+
 	CFMutableDataRef combinedData = CFDataCreateMutable(kCFAllocatorDefault, 0);
+	CFMutableDataRef combinedUntrustedData = CFDataCreateMutable(kCFAllocatorDefault, 0);
 	for (int i = 0; i < numDomains; i++) {
 		CFArrayRef certs = NULL;
-		// Only get certificates from domain that are trusted
 		OSStatus err = SecTrustSettingsCopyCertificates(domains[i], &certs);
 		if (err != noErr) {
 			continue;
 		}
 
-		int numCerts = CFArrayGetCount(certs);
+		CFIndex numCerts = CFArrayGetCount(certs);
 		for (int j = 0; j < numCerts; j++) {
 			CFDataRef data = NULL;
 			CFErrorRef errRef = NULL;
+			CFArrayRef trustSettings = NULL;
 			SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, j);
 			if (cert == NULL) {
 				continue;
 			}
+			// We only want trusted certs.
+			int untrusted = 0;
+			if (i != 0) {
+				// Certs found in the system domain are always trusted. If the user
+				// configures "Never Trust" on such a cert, it will also be found in the
+				// admin or user domain, causing it to be added to untrustedPemRoots. The
+				// Go code will then clean this up.
+
+				// Trust may be stored in any of the domains. According to Apple's
+				// SecTrustServer.c, "user trust settings overrule admin trust settings",
+				// so take the last trust settings array we find.
+				// Skip the system domain since it is always trusted.
+				for (int k = 1; k < numDomains; k++) {
+					CFArrayRef domainTrustSettings = NULL;
+					err = SecTrustSettingsCopyTrustSettings(cert, domains[k], &domainTrustSettings);
+					if (err == errSecSuccess && domainTrustSettings != NULL) {
+						if (trustSettings) {
+							CFRelease(trustSettings);
+						}
+						trustSettings = domainTrustSettings;
+					}
+				}
+				if (trustSettings == NULL) {
+					// "this certificate must be verified to a known trusted certificate"; aka not a root.
+					continue;
+				}
+				for (CFIndex k = 0; k < CFArrayGetCount(trustSettings); k++) {
+					CFNumberRef cfNum;
+					CFDictionaryRef tSetting = (CFDictionaryRef)CFArrayGetValueAtIndex(trustSettings, k);
+					if (CFDictionaryGetValueIfPresent(tSetting, policy, (const void**)&cfNum)){
+						SInt32 result = 0;
+						CFNumberGetValue(cfNum, kCFNumberSInt32Type, &result);
+						// TODO: The rest of the dictionary specifies conditions for evaluation.
+						if (result == kSecTrustSettingsResultDeny) {
+							untrusted = 1;
+						}
+					}
+				}
+				CFRelease(trustSettings);
+			}
 			// We only want to add Root CAs, so make sure Subject and Issuer Name match
 			CFDataRef subjectName = SecCertificateCopyNormalizedSubjectContent(cert, &errRef);
 			if (errRef != NULL) {
@@ -138,13 +185,16 @@ int FetchPEMRoots(CFDataRef *pemRoots) {
 			}
 
 			if (data != NULL) {
-				CFDataAppendBytes(combinedData, CFDataGetBytePtr(data), CFDataGetLength(data));
+				CFMutableDataRef appendTo = untrusted ? combinedUntrustedData : combinedData;
+				CFDataAppendBytes(appendTo, CFDataGetBytePtr(data), CFDataGetLength(data));
 				CFRelease(data);
 			}
 		}
 		CFRelease(certs);
 	}
+	CFRelease(policy);
 	*pemRoots = combinedData;
+	*untrustedPemRoots = combinedUntrustedData;
 	return 0;
 }
 */
@@ -158,7 +208,8 @@ func loadSystemRoots() (*CertPool, error) {
 	roots := NewCertPool()
 
 	var data C.CFDataRef = nil
-	err := C.FetchPEMRoots(&data)
+	var untrustedData C.CFDataRef = nil
+	err := C.FetchPEMRoots(&data, &untrustedData)
 	if err == -1 {
 		// TODO: better error message
 		return nil, errors.New("crypto/x509: failed to load darwin system roots with cgo")
@@ -167,5 +218,19 @@ func loadSystemRoots() (*CertPool, error) {
 	defer C.CFRelease(C.CFTypeRef(data))
 	buf := C.GoBytes(unsafe.Pointer(C.CFDataGetBytePtr(data)), C.int(C.CFDataGetLength(data)))
 	roots.AppendCertsFromPEM(buf)
-	return roots, nil
+	if untrustedData == nil {
+		return roots, nil
+	}
+	defer C.CFRelease(C.CFTypeRef(untrustedData))
+	buf = C.GoBytes(unsafe.Pointer(C.CFDataGetBytePtr(untrustedData)), C.int(C.CFDataGetLength(untrustedData)))
+	untrustedRoots := NewCertPool()
+	untrustedRoots.AppendCertsFromPEM(buf)
+
+	trustedRoots := NewCertPool()
+	for _, c := range roots.certs {
+		if !untrustedRoots.contains(c) {
+			trustedRoots.AddCert(c)
+		}
+	}
+	return trustedRoots, nil
 }