Restore Darling Specific Changes

2024-11-23 03:59:39 +00:00 · 2022-12-20 08:44:30 -08:00 · 2022-12-20 08:44:30 -08:00 · 6beec0389b
commit 6beec0389b
parent 9bba1c54a7
31 changed files with 374 additions and 3 deletions
--- a/Analytics/Clients/LocalKeychainAnalytics.m
+++ b/Analytics/Clients/LocalKeychainAnalytics.m
@ -8,6 +8,10 @@
 #include <utilities/SecFileLocations.h>
 #include <utilities/SecAKSWrappers.h>

+#ifdef DARLING
+#import <Foundation/Foundation.h>
+#endif
+
@interface LKAUpgradeOutcomeReport : NSObject
@property LKAKeychainUpgradeOutcome outcome;
@property NSDictionary* attributes;
@ -24,6 +28,7 @@
 }
@end

+#if !defined(DARLING) || defined(__OBJC2__)
 // Approved event types
 // rdar://problem/41745059 SFAnalytics: collect keychain upgrade outcome information
 LKAnalyticsFailableEvent const LKAEventUpgrade = (LKAnalyticsFailableEvent)@"LKAEventUpgrade";
@ -174,22 +179,28 @@ NSString* const LKABackupLastSuccessDate = @"backupLastSuccess";
 }

@end
+#endif // !defined(DARLING) || defined(__OBJC2__)

 // MARK: C Bridging

 void LKAReportKeychainUpgradeOutcome(int fromversion, int toversion, LKAKeychainUpgradeOutcome outcome) {
+    #if !defined(DARLING) || defined(__OBJC2__)
    @autoreleasepool {
        [[LocalKeychainAnalytics logger] reportKeychainUpgradeFrom:fromversion to:toversion outcome:outcome error:NULL];
    }
+    #endif
 }

 void LKAReportKeychainUpgradeOutcomeWithError(int fromversion, int toversion, LKAKeychainUpgradeOutcome outcome, CFErrorRef error) {
+    #if !defined(DARLING) || defined(__OBJC2__)
    @autoreleasepool {
        [[LocalKeychainAnalytics logger] reportKeychainUpgradeFrom:fromversion to:toversion outcome:outcome error:(__bridge NSError*)error];
    }
+    #endif
 }

 void LKABackupReportStart(bool hasKeybag, bool hasPasscode, bool isEMCS) {
+    #if !defined(DARLING) || defined(__OBJC2__)
    LKAKeychainBackupType type;
    if (isEMCS) {
        type = LKAKeychainBackupTypeEMCS;
@ -207,12 +218,15 @@ void LKABackupReportStart(bool hasKeybag, bool hasPasscode, bool isEMCS) {
    @autoreleasepool {
        [[LocalKeychainAnalytics logger] reportKeychainBackupStartWithType:type];
    }
+    #endif
 }

 void LKABackupReportEnd(bool hasBackup, CFErrorRef error) {
+    #if !defined(DARLING) || defined(__OBJC2__)
    @autoreleasepool {
        [[LocalKeychainAnalytics logger] reportKeychainBackupEnd:hasBackup error:(__bridge NSError*)error];
    }
+    #endif
 }

 void LKAForceClose(void)
--- a/OSX/libsecurity_authorization/lib/Authorization.c
+++ b/OSX/libsecurity_authorization/lib/Authorization.c
@ -16,7 +16,11 @@
 #include <mach/mach.h>
 #include <AssertMacros.h>
 #include <CoreFoundation/CFXPCBridge.h>
+#ifndef DARLING
 #include <CoreGraphics/CGWindow.h>
+#else
+typedef uint32_t CGWindowID;
+#endif
 #include <dlfcn.h>
 #include <os/log.h>

--- a/OSX/libsecurity_authorization/lib/Authorization.h
+++ b/OSX/libsecurity_authorization/lib/Authorization.h
@ -190,7 +190,16 @@ static const size_t kAuthorizationExternalFormLength = 32;
 	potential attackers since it would authorize rights to them.
 */
 typedef struct {
+#if defined(DARLING) && defined(__clang__)
+	// this warning is useless and repeated throughout MANY compilation units if left enabled
+	// it's easier to disable it here than to disable in each and every CMakeLists.txt
+	#pragma GCC diagnostic push
+	#pragma GCC diagnostic ignored "-Wgnu-folding-constant"
+#endif
 	char bytes[kAuthorizationExternalFormLength];
+#if defined(DARLING) && defined(__clang__)
+	#pragma GCC diagnostic pop
+#endif
 } AuthorizationExternalForm;


--- a/OSX/libsecurity_codesigning/lib/SecStaticCode.h
+++ b/OSX/libsecurity_codesigning/lib/SecStaticCode.h
@ -39,6 +39,9 @@
 #define _H_SECSTATICCODE

 #include <Security/CSCommon.h>
+#ifdef DARLING
+#include <CoreFoundation/CoreFoundation.h>
+#endif

 #ifdef __cplusplus
 extern "C" {
--- a/OSX/libsecurity_codesigning/lib/cskernel.cpp
+++ b/OSX/libsecurity_codesigning/lib/cskernel.cpp
@ -131,15 +131,18 @@ SecStaticCode *KernelCode::identifyGuest(SecCode *iguest, CFDataRef *cdhash)
                        SecPointer<SecStaticCode> code = new ProcessDynamicCode(guest);
 						guest->pidBased()->setCredentials(code->codeDirectory());

+#ifndef DARLING
                        SHA1::Digest kernelHash;
                        MacOSError::check(guest->csops(CS_OPS_CDHASH, kernelHash, sizeof(kernelHash)));
                        *cdhash = makeCFData(kernelHash, sizeof(kernelHash));
+#endif

                        return code.yield();
                }
                
 		char path[2 * MAXPATHLEN];	// reasonable upper limit
 		if (::proc_pidpath(guest->pid(), path, sizeof(path))) {
+#ifndef DARLING
 			off_t offset;
 			csops(guest, CS_OPS_PIDOFFSET, &offset, sizeof(offset));
 			SecPointer<SecStaticCode> code = new ProcessStaticCode(DiskRep::bestGuess(path, (size_t)offset));
@ -160,6 +163,9 @@ SecStaticCode *KernelCode::identifyGuest(SecCode *iguest, CFDataRef *cdhash)
 					*cdhash = makeCFData(kernelHash, sizeof(kernelHash));
 				CODESIGN_GUEST_CDHASH_PROCESS(guest, kernelHash, sizeof(kernelHash));
 			}
+#else
+			SecPointer<SecStaticCode> code = new ProcessStaticCode(DiskRep::bestGuess(path));
+#endif
 			return code.yield();
 		} else
 			UnixError::throwMe();
@ -225,6 +231,7 @@ void KernelCode::identify()
 //
 void KernelCode::csops(ProcessCode *proc, unsigned int op, void *addr, size_t length)
 {
+#ifndef DARLING
 	if (proc->csops(op, addr, length) == -1) {
 		switch (errno) {
 		case ESRCH:
@ -233,6 +240,7 @@ void KernelCode::csops(ProcessCode *proc, unsigned int op, void *addr, size_t le
 			UnixError::throwMe();
 		}
 	}
+#endif
 }


--- a/OSX/libsecurity_mds/lib/MDSSession.cpp
+++ b/OSX/libsecurity_mds/lib/MDSSession.cpp
@ -335,7 +335,12 @@ static bool doesFileExist(
 	
 	/* it's there...how does it look? */
 	mode_t fileType = sb.st_mode & S_IFMT;
+#ifdef DARLING
+	// we don't care about UIDs in Darling
+	if((fileType == S_IFREG)) {
+#else
 	if((fileType == S_IFREG) && (sb.st_uid == forUid)) {
+#endif
 		return true;
 	}
 	if(!purge) {
@ -453,10 +458,12 @@ static bool doesDirectExist(
 		directStatus = MDS_NotDirectory;
 		return false;
 	}
+#ifndef DARLING
 	if(sb.st_uid != forUid) {
 		directStatus = MDS_BadOwnerMode;
 		return false;
 	}
+#endif
 	if((sb.st_mode & 07777) != mode) {
 		directStatus = MDS_BadOwnerMode;
 		return false;
@ -1440,7 +1447,7 @@ MDSSession::DbFilesInfo::~DbFilesInfo()
 	}
 }

-/* lazy evaluation of both DB handlesÊ*/
+/* lazy evaluation of both DB handles<EFBFBD>*/
 CSSM_DB_HANDLE MDSSession::DbFilesInfo::objDbHand()
 {
 	if(mObjDbHand != 0) {
--- a/OSX/libsecurity_ocspd/client/ocspdClient.cpp
+++ b/OSX/libsecurity_ocspd/client/ocspdClient.cpp
@ -32,7 +32,11 @@
 #include <security_utilities/threading.h>
 #include <security_utilities/mach++.h>
 #include <security_utilities/unix++.h>
+#ifdef DARLING
+#include "ocspd.h"
+#else
 #include <security_ocspd/ocspd.h>			/* MIG interface */
+#endif
 #include <Security/SecBase.h>
 class ocspdGlobals
 {
--- a/OSX/libsecurity_utilities/lib/dispatch.h
+++ b/OSX/libsecurity_utilities/lib/dispatch.h
@ -106,7 +106,11 @@ private:


 class SemaphoreWait {
+// this has to be disabled because Clang 13 incorrectly detects a block variable non-const copy as a const copy in `libsecurity_codesigning/lib/csutilities.cpp`.
+// it still compiles correctly, it just generates an incorrect error if this is left in.
+#ifndef DARLING
 	NOCOPY(SemaphoreWait)
+#endif
 public:
 	SemaphoreWait(SemaphoreWait& originalWait);
 	SemaphoreWait(Semaphore& semaphore, dispatch_time_t timeout = DISPATCH_TIME_FOREVER);
--- a/OSX/libsecurity_utilities/lib/powerwatch.cpp
+++ b/OSX/libsecurity_utilities/lib/powerwatch.cpp
@ -65,14 +65,18 @@ void PowerWatcher::systemWillPowerOn()
 IOPowerWatcher::IOPowerWatcher() :
    mKernelPort(0)
 {
+#ifndef DARLING
 	if (!(mKernelPort = ::IORegisterForSystemPower(this, &mPortRef, ioCallback, &mHandle)))
 		UnixError::throwMe(EINVAL);	// no clue
+#endif
 }

 IOPowerWatcher::~IOPowerWatcher()
 {
+#ifndef DARLING
 	if (mKernelPort)
 		::IODeregisterForSystemPower(&mHandle);
+#endif
 }

 //
@ -149,13 +153,17 @@ void IOPowerWatcher::ioCallback(void *refCon, io_service_t service,
 //
 PortPowerWatcher::PortPowerWatcher()
 {
+#ifndef DARLING
    port(IONotificationPortGetMachPort(mPortRef));
+#endif
 }

 boolean_t PortPowerWatcher::handle(mach_msg_header_t *in)
 {
+#ifndef DARLING
    IODispatchCalloutFromMessage(NULL, in, mPortRef);
    return TRUE;
+#endif
 }


--- a/OSX/sec/Security/SecCertificate.c
+++ b/OSX/sec/Security/SecCertificate.c
@ -73,6 +73,9 @@
 #include <Security/SecKeyInternal.h>
 #include "AppleExternalRootCertificates.h"
 #include <Security/SecInternalReleasePriv.h>
+#ifdef DARLING
+#include <libDER/oidsPriv.h>
+#endif

 #pragma clang diagnostic ignored "-Wformat=2"

@ -1644,7 +1647,11 @@ static bool SecCertificateParse(SecCertificateRef certificate)

 	/* sequence we're given: encoded DERSubjPubKeyInfo */
 	DERSubjPubKeyInfo pubKeyInfo;
+#ifdef DARLING
+	drtn = DERParseSequence(&tbsCert.subjectPubKey,
+#else
 	drtn = DERParseSequenceContent(&tbsCert.subjectPubKey,
+#endif
 		DERNumSubjPubKeyInfoItemSpecs, DERSubjPubKeyInfoItemSpecs,
 		&pubKeyInfo, sizeof(pubKeyInfo));
 	require_noerr_quiet(drtn, badCert);
--- a/OSX/sec/Security/SecPolicy.c
+++ b/OSX/sec/Security/SecPolicy.c
@ -46,6 +46,9 @@
 #include <ipc/securityd_client.h>
 #include <os/variant_private.h>
 #include <MobileGestalt.h>
+#ifdef DARLING
+#include <libDER/oidsPriv.h>
+#endif

 #include <utilities/SecInternalReleasePriv.h>

--- a/OSX/sec/Security/SecRecoveryKey.m
+++ b/OSX/sec/Security/SecRecoveryKey.m
@ -20,7 +20,9 @@

 #if !TARGET_OS_BRIDGE
 #include <dlfcn.h>
+#ifndef DARLING
 #include <AppleIDAuthSupport/AppleIDAuthSupport.h>
+#endif
 #define PATH_FOR_APPLEIDAUTHSUPPORTFRAMEWORK "/System/Library/PrivateFrameworks/AppleIDAuthSupport.framework/AppleIDAuthSupport"
 #endif

--- a/OSX/sec/Security/SecTrustStatusCodes.c
+++ b/OSX/sec/Security/SecTrustStatusCodes.c
@ -32,6 +32,14 @@
 #include <Security/SecTrustStatusCodes.h>
 #include <CoreFoundation/CoreFoundation.h>
 #include <libDER/oids.h>
+#ifdef DARLING
+// if i had to guess, i'd say Apple changed up libDER when they stopped releasing it and now
+// their "private" OIDs are included in the regular `libDER/oids.h` header
+//
+// if this error keeps popping up, i'll stop manually including `libDER/oidsPriv.h` and instead patch
+// `libDER/oids.h` to include `libDER/oidsPriv.h`
+#include <libDER/oidsPriv.h>
+#endif

 struct resultmap_entry_s {
    const CFStringRef checkstr;
--- a/OSX/utilities/SecDb.c
+++ b/OSX/utilities/SecDb.c
@ -42,6 +42,9 @@
 #include <os/assumes.h>
 #include <xpc/private.h>    // xpc_transaction_exit_clean()

+#ifdef DARLING
+#include <pthread.h>
+#endif

 //
 // Architecturally inverted files
--- a/OSX/utilities/SecKnownFilePaths.m
+++ b/OSX/utilities/SecKnownFilePaths.m
@ -16,7 +16,21 @@ CFURLRef SecCopyHomeURL(void)
    if (homeURL) {
        CFRetain(homeURL);
    } else {
+#ifdef DARLING
+        // ported from an older version of Security
+        //
+        // i'm not sure how Apple is convincing the compiler that CFCopyHomeDirectoryURL is available on macOS
+        // because there's nothing new in the public headers to indicate that the function has suddenly become
+        // available on macOS, nor is there any indication in the Xcode build files that this code is being
+        // compiled for Catalyst for macOS
+        //
+        // maybe they're just not using compiler availability warnings/errors
+        //
+        // either way, this should work fine and provide the same behavior as Apple's code
+        homeURL = CFCopyHomeDirectoryURLForUser(NULL);
+#else
        homeURL = CFCopyHomeDirectoryURL();
+#endif
    }

    return homeURL;
--- a/base/SecBase.h
+++ b/base/SecBase.h
@ -27,6 +27,12 @@
 #include <TargetConditionals.h>
 #include <CoreFoundation/CFBase.h>
 #include <Availability.h>
+#ifdef DARLING
+    // for unprefixed API_AVAILABLE and friends
+    #include <os/availability.h>
+    // not sure if we're supposed to be including that header in CoreFoundation or in Availability.h,
+    // but this works for all of Security
+#endif

 // Truth table for following declarations:
 //
--- a/base/Security.h
+++ b/base/Security.h
@ -114,7 +114,11 @@
 #endif

 /* DER */
+#ifdef DARLING
+#include <libDER/oids.h>
+#else
 #include <Security/oids.h>
+#endif

 #endif // SEC_OS_OSX

--- a/cmake/security_lib.cmake
+++ b/cmake/security_lib.cmake
@ -0,0 +1,126 @@
+include(CMakeParseArguments)
+
+# add_security_library
+# Helper function for adding Security libraries
+# (because there's a lot of them, and it's easier to configure all necessary options with a single function)
+#
+# Options:
+# 	FAT
+# 		Build the library for both x86_64 and i386.
+# 	OBJC_ARC
+# 		Enable Objective-C ARC for the library.
+# 	MODERN_OBJC
+# 		Only build the library for targets where the "modern" Objective-C runtime is available
+#
+# Single-value arguments:
+# 	OUTPUT_NAME
+# 		The filename for the built library. This is combined with PREFIX and SUFFIX to produce the full filename.
+# 		Defaults to the target name.
+# 	PREFIX
+# 		The prefix to add to the library filename.
+# 		Defaults to `lib`.
+# 	SUFFIX
+# 		The suffix to add to the library filename.
+# 		Defaults to `.dylib`.
+# 	C_STANDARD
+# 		The C standard to use when compiling the code. E.g. `gnu99`, `c99`, etc.
+# 	CXX_STANDARD
+# 		The C++ standard to use when compiling the code. E.g. `gnu++11`, `c++1`, etc.
+#
+# Multi-value arguments:
+# 	SOURCES
+# 		A list of sources to use to build the library.
+# 		Can include any source that `add_darling_static_library` supports.
+# 	LIBRARIES
+# 		A list of libraries to link to. If target names are provided, they are also added as dependencies.
+# 	INCLUDES
+# 		A list of directories to add as private header directories.
+# 	DEFINITIONS
+# 		A list of preprocessor definitions to add as private preprocessor definitions.
+# 		Supports the same syntax as `add_compile_definitions`.
+# 	FLAGS
+# 		A list of flags to pass to the compiler when compiling the library.
+# 		Supports the same syntax as `add_compile_options`.
+function(add_security_library name)
+	cmake_parse_arguments(SECLIB "FAT;OBJC_ARC;MODERN_OBJC" "OUTPUT_NAME;PREFIX;SUFFIX;C_STANDARD;CXX_STANDARD" "SOURCES;LIBRARIES;INCLUDES;DEFINITIONS;FLAGS" ${ARGN})
+
+	set(STATICLIB_ARG_RUNTIME "")
+	set(STATICLIB_ARG_FAT "")
+
+	if(SECLIB_FAT)
+		set(STATICLIB_ARG_FAT "FAT")
+	endif()
+
+	if(SECLIB_MODERN_OBJC)
+		set(STATICLIB_ARG_RUNTIME "64BIT_ONLY")
+		set(STATICLIB_ARG_FAT "")
+	endif()
+
+	add_darling_static_library(${name} ${STATICLIB_ARG_FAT} ${STATICLIB_ARG_RUNTIME} SOURCES ${SECLIB_SOURCES})
+
+	if(SECLIB_OBJC_ARC)
+		target_compile_options(${name} PRIVATE -fobjc-arc)
+	endif()
+
+	if(DEFINED SECLIB_OUTPUT_NAME)
+		set_target_properties(${name} PROPERTIES OUTPUT_NAME "${SECLIB_OUTPUT_NAME}")
+	endif()
+
+	if(DEFINED SECLIB_PREFIX)
+		set_target_properties(${name} PROPERTIES PREFIX "${SECLIB_PREFIX}")
+	endif()
+
+	if(DEFINED SECLIB_SUFFIX)
+		set_target_properties(${name} PROPERTIES SUFFIX "${SECLIB_SUFFIX}")
+	endif()
+
+	if(SECLIB_C_STANDARD)
+		set(SECLIB_C_STANDARD_VALID TRUE)
+		if(SECLIB_C_STANDARD MATCHES "[cC][0-9]+([a-zA-Z])?")
+			set_property(TARGET ${name} PROPERTY C_EXTENSIONS OFF)
+		elseif(SECLIB_C_STANDARD MATCHES "([gG][nN][uU])?[0-9]+([a-zA-Z])?")
+			# the default is to enable extensions
+			set_property(TARGET ${name} PROPERTY C_EXTENSIONS ON)
+		else()
+			set(SECLIB_C_STANDARD_VALID FALSE)
+			message(WARNING "Unrecognized C standard: ${SECLIB_C_STANDARD}")
+		endif()
+		if(SECLIB_C_STANDARD_VALID)
+			string(REGEX MATCH "[0-9]+" SECLIB_C_STANDARD_VERSION "${SECLIB_C_STANDARD}")
+			set_property(TARGET ${name} PROPERTY C_STANDARD "${SECLIB_C_STANDARD_VERSION}")
+		endif()
+	endif()
+
+	if(SECLIB_CXX_STANDARD)
+		set(SECLIB_CXX_STANDARD_VALID TRUE)
+		if(SECLIB_CXX_STANDARD MATCHES "[cC](\\+\\+|[xX][xX])[0-9]+([a-zA-Z])?")
+			set_property(TARGET ${name} PROPERTY CXX_EXTENSIONS OFF)
+		elseif(SECLIB_CXX_STANDARD MATCHES "([gG][nN][uU](\\+\\+|[xX][xX]))?[0-9]+([a-zA-Z])?")
+			# the default is to enable extensions
+			set_property(TARGET ${name} PROPERTY CXX_EXTENSIONS ON)
+		else()
+			set(SECLIB_CXX_STANDARD_VALID FALSE)
+			message(WARNING "Unrecognized C standard: ${SECLIB_CXX_STANDARD}")
+		endif()
+		if(SECLIB_CXX_STANDARD_VALID)
+			string(REGEX MATCH "[0-9]+" SECLIB_CXX_STANDARD_VERSION "${SECLIB_CXX_STANDARD}")
+			set_property(TARGET ${name} PROPERTY CXX_STANDARD "${SECLIB_CXX_STANDARD_VERSION}")
+		endif()
+	endif()
+
+	if(SECLIB_LIBRARIES)
+		target_link_libraries(${name} ${SECLIB_LIBRARIES})
+	endif()
+
+	if(SECLIB_INCLUDES)
+		target_include_directories(${name} PRIVATE ${SECLIB_INCLUDES})
+	endif()
+
+	if(SECLIB_DEFINITIONS)
+		target_compile_definitions(${name} PRIVATE ${SECLIB_DEFINITIONS})
+	endif()
+
+	if (SECLIB_FLAGS)
+		target_compile_options(${name} PRIVATE ${SECLIB_FLAGS})
+	endif()
+endfunction()
--- a/cmake/security_xcconfigs.cmake
+++ b/cmake/security_xcconfigs.cmake
@ -0,0 +1,38 @@
+# some Xcode `.xcconfig` files translated into CMake functions
+
+include(security_lib)
+include(CMakeParseArguments)
+
+function(add_macos_legacy_lib name)
+	add_security_library(${name}
+		FAT
+		INCLUDES
+			${SECURITY_PROJECT_DIR}/OSX/libsecurity_cssm/lib
+			${SECURITY_PROJECT_DIR}/OSX/include
+			${SECURITY_PROJECT_DIR}/OSX/utilities/src
+			${SECURITY_PROJECT_DIR}/OSX/libsecurity_apple_csp/open_ssl
+			${SECURITY_PROJECT_DIR}/OSX/lib${name}/lib
+		${ARGN}
+	)
+endfunction()
+
+function(add_lib_ios name)
+	add_security_library(${name}
+		FAT
+		C_STANDARD gnu99
+		INCLUDES
+			${SECURITY_PROJECT_DIR}/OSX/libsecurity_smime
+			#$(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers
+		DEFINITIONS
+			SEC_IOS_ON_OSX=1
+		${ARGN}
+	)
+endfunction()
+
+function(add_lib_ios_shim name)
+	add_lib_ios(${name}
+		DEFINITIONS
+			SECITEM_SHIM_OSX=1
+		${ARGN}
+	)
+endfunction()
--- a/keychain/SigninMetrics/OctagonSignPosts.h
+++ b/keychain/SigninMetrics/OctagonSignPosts.h
@ -138,6 +138,28 @@ extern os_log_t _OctagonSignpostLogSystem(void);
 extern OctagonSignpost _OctagonSignpostCreate(os_log_t subsystem);
 extern uint64_t _OctagonSignpostGetNanoseconds(OctagonSignpost signpost);

+#ifdef DARLING
+// the compiler was being weird with the preprocessor trickery that was happening in Apple's code
+// so i had to manually expand parts of it
+#define _OctagonSignpostBegin(subsystem, name, something, ...) __extension__({ \
+    OctagonSignpost internalSignpost = _OctagonSignpostCreate(subsystem); \
+    os_signpost_interval_begin(subsystem, internalSignpost.identifier, name, __VA_ARGS__); \
+    os_log(subsystem, "BEGIN [%lld]: " name " " something, internalSignpost.identifier, ##__VA_ARGS__); \
+    internalSignpost; \
+})
+
+#define _OctagonSignpostEvent(subsystem, signpost, name, something, ...) __extension__({ \
+    double interval = ((double)_OctagonSignpostGetNanoseconds(_signpost) / NSEC_PER_SEC); \
+    os_signpost_event_emit(subsystem, signpost.identifier, name, __VA_ARGS__); \
+    os_log(subsystem, "EVENT [%lld] %fs: " name " " something, signpost.identifier, interval, ##__VA_ARGS__); \
+})
+
+#define _OctagonSignpostEnd(subsystem, signpost, name, something, ...) __extension__({ \
+    double interval = ((double)_OctagonSignpostGetNanoseconds(signpost) / NSEC_PER_SEC); \
+    os_signpost_interval_end(subsystem, signpost.identifier, name, __VA_ARGS__); \
+    os_log(subsystem, "END [%lld] %fs: " name " " something, signpost.identifier, interval, ##__VA_ARGS__); \
+})
+#else
 #define _OctagonSignpostBegin(subsystem, name, ...) __extension__({ \
    OctagonSignpost internalSignpost = _OctagonSignpostCreate(subsystem); \
    os_signpost_interval_begin(subsystem, internalSignpost.identifier, name, __VA_ARGS__); \
@ -159,6 +181,7 @@ extern uint64_t _OctagonSignpostGetNanoseconds(OctagonSignpost signpost);

 #define _OctagonSwizzle1(x, a, ...) a, x, ##__VA_ARGS__
 #define _OctagonSwizzle2(x, y, a, ...) a, x, y, ##__VA_ARGS__
+#endif // DARLING

 NS_ASSUME_NONNULL_END

--- a/keychain/escrowrequest/Framework/SecEscrowRequest.m
+++ b/keychain/escrowrequest/Framework/SecEscrowRequest.m
@ -10,6 +10,8 @@ NSString* const SecEscrowRequestHavePrecord = @"have_prerecord";
 NSString* const SecEscrowRequestPendingPasscode = @"pending_passcode";
 NSString* const SecEscrowRequestPendingCertificate = @"pending_certificate";

+// `!defined(DARLING)` is used to indicate that normally (in Apple's original code) the body is present without a conditional
+#if !defined(DARLING) || defined(__OBJC2__)
@interface SecEscrowRequest ()
@property NSXPCConnection *connection;
@end
@ -246,3 +248,5 @@ NSString* const SecEscrowRequestPendingCertificate = @"pending_certificate";
 }

@end
+
+#endif // !defined(DARLING) || defined(__OBJC2__)
--- a/keychain/ot/OTClique.h
+++ b/keychain/ot/OTClique.h
@ -100,6 +100,22 @@ extern NSString* kSecEntitlementPrivateOctagonEscrow;
@property (nonatomic, assign) BOOL useCachedAccountStatus;
@end

+#endif // this #endif was added for Darling
+// see OTControlProtocol.m for an explanation of why we need to do this
+#if defined(DARLING) || defined(__OBJC2__)
+
+#if defined(DARLING)
+#if __OBJC2__
+NS_ASSUME_NONNULL_END
+#endif
+
+#import <Foundation/Foundation.h>
+
+#if __OBJC2__
+NS_ASSUME_NONNULL_BEGIN
+#endif
+#endif
+
 typedef NSString* OTCliqueCDPContextType NS_STRING_ENUM;
 extern OTCliqueCDPContextType OTCliqueCDPContextTypeNone;
 extern OTCliqueCDPContextType OTCliqueCDPContextTypeSignIn;
@ -110,6 +126,8 @@ extern OTCliqueCDPContextType OTCliqueCDPContextTypeRecoveryKeyNew;
 extern OTCliqueCDPContextType OTCliqueCDPContextTypeUpdatePasscode;
 extern OTCliqueCDPContextType OTCliqueCDPContextTypeConfirmPasscodeCyrus;

+#endif // defined(DARLING) || defined(__OBJC2__)
+#if __OBJC2__ // this #if was added for Darling

 // OTClique

--- a/keychain/ot/OTClique.m
+++ b/keychain/ot/OTClique.m
@ -72,6 +72,13 @@ SOFT_LINK_CONSTANT(CloudServices, kSecureBackupUsesRecoveryKeyKey, NSString*);
 #pragma clang diagnostic pop
 #endif

+#endif // this #endif was added for Darling
+// see OTControlProtocol.m for an explanation of why we need to do this
+#if defined(DARLING) || defined(__OBJC2__)
+
+#import <Foundation/Foundation.h>
+#import "keychain/ot/OTClique.h"
+
 OTCliqueCDPContextType OTCliqueCDPContextTypeNone = @"cdpContextTypeNone";
 OTCliqueCDPContextType OTCliqueCDPContextTypeSignIn = @"cdpContextTypeSignIn";
 OTCliqueCDPContextType OTCliqueCDPContextTypeRepair = @"cdpContextTypeRepair";
@ -128,6 +135,9 @@ NSString* OTCDPStatusToString(OTCDPStatus status) {
    }
 }

+#endif // defined(DARLING) || defined(__OBJC2__)
+#if __OBJC2__ // this #if was added for Darling
+

@implementation OTConfigurationContext

--- a/keychain/ot/OTControlProtocol.m
+++ b/keychain/ot/OTControlProtocol.m
@ -22,11 +22,20 @@
 */

 #import <Foundation/Foundation.h>
+#if !defined(DARLING) || OCTAGON
+// Apple has some weird stuff going on here
+//
+// they say this function needs to be exported even when the "modern" Objective-C runtime (a.k.a. __OBJC2__) isn't available
+// (you can see this in Security.exp-in)
+// but then they turn around and make it impossible to compile this file as-is for i386
+// (because some classes and types aren't defined when __OBJC2__ isn't available)
+// i had to manually disable these includes to make it possible to compile this file for i386
 #import "keychain/ot/OTClique.h"
 #import "keychain/ot/OTControlProtocol.h"
 #import "keychain/ot/OTJoiningConfiguration.h"
 #import <Security/SecXPCHelper.h>
 #include <utilities/debugging.h>
+#endif // !defined(DARLING) || OCTAGON

 NSXPCInterface* OTSetupControlProtocol(NSXPCInterface* interface) {
 #if OCTAGON
--- a/keychain/securityd/SecItemDataSource.c
+++ b/keychain/securityd/SecItemDataSource.c
@ -43,6 +43,9 @@
 #include <Security/SecItemPriv.h>
 #include <utilities/array_size.h>
 #include <keychain/ckks/CKKS.h>
+#ifdef DARLING
+#include <string.h>
+#endif

 /*
 *
@ -403,9 +406,19 @@ static bool dsForEachObject(SOSDataSourceRef data_source, SOSTransactionRef txn,
    bool (^use_attr_in_where)(const SecDbAttr *attr) = ^bool (const SecDbAttr * attr) {
        return attr->kind == kSecDbSHA1Attr;
    };
+#ifdef DARLING
+    Query *select_queries[dsSyncedClassesSize];
+    CFStringRef select_sql[dsSyncedClassesSize];
+    sqlite3_stmt *select_stmts[dsSyncedClassesSize];
+
+    memset(select_queries, 0, sizeof(select_queries));
+    memset(select_sql, 0, sizeof(select_sql));
+    memset(select_stmts, 0, sizeof(select_stmts));
+#else
    Query *select_queries[dsSyncedClassesSize] = {};
    CFStringRef select_sql[dsSyncedClassesSize] = {};
    sqlite3_stmt *select_stmts[dsSyncedClassesSize] = {};
+#endif

    __block Query **queries = select_queries;
    __block CFStringRef *sqls = select_sql;
--- a/securityd/src/securityd_dtrace.h
+++ b/securityd/src/securityd_dtrace.h
@ -0,0 +1,7 @@
+// fake DTrace probes for Darling
+#ifndef _SECURITYD_SECURITYD_DTRACE_H
+#define _SECURITYD_SECURITYD_DTRACE_H
+
+
+
+#endif // _SECURITYD_SECURITYD_DTRACE_H
--- a/securityd/src/server.cpp
+++ b/securityd/src/server.cpp
@ -57,8 +57,10 @@ Server::Server(CodeSignatures &signatures, const char *bootstrapName)
 	// make me eternal (in the object mesh)
 	ref();

+#ifndef DARLING
    // engage the subsidiary port handler for sleep notifications
 	add(sleepWatcher);
+#endif
 }


--- a/trust/trustd/OTATrustUtilities.m
+++ b/trust/trustd/OTATrustUtilities.m
@ -1700,10 +1700,14 @@ static SecOTAPKIRef SecOTACreate() {

 #if !TARGET_OS_BRIDGE
    /* Initialize our update handling */
+#ifndef DARLING
    InitializeOTATrustAsset(kOTABackgroundQueue);
+#endif
    otapkiref->_ctKillSwitch = InitializeKillSwitch((__bridge NSString*)kOTAPKIKillSwitchCT);
    otapkiref->_nonTlsCtKillSwitch = InitializeKillSwitch((__bridge NSString*)kOTAPKIKillSwitchNonTLSCT);
+#ifndef DARLING
    InitializeOTASecExperimentAsset(kOTABackgroundQueue);
+#endif
 #else // TARGET_OS_BRIDGE
    otapkiref->_ctKillSwitch = true; // bridgeOS never enforces CT
    otapkiref->_nonTlsCtKillSwitch = true;
--- a/trust/trustd/SecPinningDb.m
+++ b/trust/trustd/SecPinningDb.m
@ -844,6 +844,9 @@ void SecPinningDbInitialize(void) {
 }

 CFDictionaryRef _Nullable SecPinningDbCopyMatching(CFDictionaryRef query) {
+#ifdef DARLING
+    return nil;
+#else
    @autoreleasepool {
        SecPinningDbInitialize();
        NSDictionary *nsQuery = (__bridge NSDictionary*)query;
@ -860,6 +863,7 @@ CFDictionaryRef _Nullable SecPinningDbCopyMatching(CFDictionaryRef query) {
        results = [pinningDb queryForDomain:hostname];
        return CFBridgingRetain(results);
    }
+#endif
 }

 #if !TARGET_OS_BRIDGE
--- a/trust/trustd/SecRevocationDb.c
+++ b/trust/trustd/SecRevocationDb.c
@ -1020,7 +1020,7 @@ void SecRevocationDbInitialize() {
    CFIndex version = 0;
    secnotice("validupdate", "initializing database");
    if (!SecValidUpdateSatisfiedLocally(server, version, true)) {
-#if !TARGET_OS_BRIDGE
+#if !TARGET_OS_BRIDGE && !defined(DARLING)
        /* Schedule full update as a maintenance task */
        (void)SecValidUpdateRequest(SecRevocationDbGetUpdateQueue(), server, version);
 #endif
@ -1182,7 +1182,7 @@ static CFIndex _SecRevocationDbGetUpdateVersion(CFStringRef server) {
 static bool _SecRevocationDbIsUpdateEnabled(void) {
    CFTypeRef value = NULL;
    // determine whether update fetching is enabled
-#if !TARGET_OS_WATCH && !TARGET_OS_BRIDGE
+#if !TARGET_OS_WATCH && !TARGET_OS_BRIDGE && !defined(DARLING)
    // Valid update fetching was initially enabled on macOS 10.13 and iOS 11.0.
    // This conditional has been changed to include every platform and version
    // except for those where the db should not be updated over the air.
--- a/trust/trustd/trustd.c
+++ b/trust/trustd/trustd.c
@ -842,7 +842,12 @@ int main(int argc, char *argv[])
        kill(getpid(), SIGSTOP);
    }

+    // fails in Darling because launchd sets the wrong HOME for its tasks
+    // doesn't matter because our libsanbox is a stub anyways (we don't do sandboxing)
+    // TODO: fix that by changing the user's home directory in our `/etc/passwd` (which is where launchd gets its value for HOME from)
+#ifndef DARLING
    trustd_sandbox();
+#endif
    FixTrustdFilePermissions();
    /* set up SQLite before some other component has a chance to create a database connection */
    _SecDbServerSetup();