From 555bc46f3dfaec15aa239802506fe2b71e1e335b Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Feb 01 2022 17:55:25 +0000
Subject: import golang-1.17.5-1.el9
---
diff --git a/.gitignore b/.gitignore
index 4217694..a14ac52 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/go-go-1.17.2-1-openssl-fips.tar.gz
+SOURCES/go-go-1.17.5-1-openssl-fips.tar.gz
diff --git a/.golang.metadata b/.golang.metadata
index 922df85..e1b760c 100644
--- a/.golang.metadata
+++ b/.golang.metadata
@@ -1 +1 @@
-583ddd5dc54fa694c25b6768ad80c9fff04d2bb5 SOURCES/go-go-1.17.2-1-openssl-fips.tar.gz
+f0b72c96855f50d91288f1226a7660b97c1fdd73 SOURCES/go-go-1.17.5-1-openssl-fips.tar.gz
diff --git a/SOURCES/remove_ed25519vectors_test.patch b/SOURCES/remove_ed25519vectors_test.patch
new file mode 100644
index 0000000..45e3182
--- /dev/null
+++ b/SOURCES/remove_ed25519vectors_test.patch
@@ -0,0 +1,128 @@
+From d7cad65ab9179804e9f089ce97bc124e9ef79494 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alejandro=20S=C3=A1ez?=
+Date: Wed, 15 Dec 2021 16:02:15 +0100
+Subject: [PATCH] Remove ed25519vectors_test.go
+
+---
+ src/crypto/ed25519/ed25519vectors_test.go | 109 ----------------------
+ 1 file changed, 109 deletions(-)
+ delete mode 100644 src/crypto/ed25519/ed25519vectors_test.go
+
+diff --git a/src/crypto/ed25519/ed25519vectors_test.go b/src/crypto/ed25519/ed25519vectors_test.go
+deleted file mode 100644
+index 74fcdcdf4e..0000000000
+--- a/src/crypto/ed25519/ed25519vectors_test.go
++++ /dev/null
+@@ -1,109 +0,0 @@
+-// Copyright 2021 The Go Authors. All rights reserved.
+-// Use of this source code is governed by a BSD-style
+-// license that can be found in the LICENSE file.
+-
+-package ed25519_test
+-
+-import (
+- "crypto/ed25519"
+- "encoding/hex"
+- "encoding/json"
+- "internal/testenv"
+- "os"
+- "os/exec"
+- "path/filepath"
+- "testing"
+-)
+-
+-// TestEd25519Vectors runs a very large set of test vectors that exercise all
+-// combinations of low-order points, low-order components, and non-canonical
+-// encodings. These vectors lock in unspecified and spec-divergent behaviors in
+-// edge cases that are not security relevant in most contexts, but that can
+-// cause issues in consensus applications if changed.
+-//
+-// Our behavior matches the "classic" unwritten verification rules of the
+-// "ref10" reference implementation.
+-//
+-// Note that although we test for these edge cases, they are not covered by the
+-// Go 1 Compatibility Promise. Applications that need stable verification rules
+-// should use github.com/hdevalence/ed25519consensus.
+-//
+-// See https://hdevalence.ca/blog/2020-10-04-its-25519am for more details.
+-func TestEd25519Vectors(t *testing.T) {
+- jsonVectors := downloadEd25519Vectors(t)
+- var vectors []struct {
+- A, R, S, M string
+- Flags []string
+- }
+- if err := json.Unmarshal(jsonVectors, &vectors); err != nil {
+- t.Fatal(err)
+- }
+- for i, v := range vectors {
+- expectedToVerify := true
+- for _, f := range v.Flags {
+- switch f {
+- // We use the simplified verification formula that doesn't multiply
+- // by the cofactor, so any low order residue will cause the
+- // signature not to verify.
+- //
+- // This is allowed, but not required, by RFC 8032.
+- case "LowOrderResidue":
+- expectedToVerify = false
+- // Our point decoding allows non-canonical encodings (in violation
+- // of RFC 8032) but R is not decoded: instead, R is recomputed and
+- // compared bytewise against the canonical encoding.
+- case "NonCanonicalR":
+- expectedToVerify = false
+- }
+- }
+-
+- publicKey := decodeHex(t, v.A)
+- signature := append(decodeHex(t, v.R), decodeHex(t, v.S)...)
+- message := []byte(v.M)
+-
+- didVerify := ed25519.Verify(publicKey, message, signature)
+- if didVerify && !expectedToVerify {
+- t.Errorf("#%d: vector with flags %s unexpectedly verified", i, v.Flags)
+- }
+- if !didVerify && expectedToVerify {
+- t.Errorf("#%d: vector with flags %s unexpectedly rejected", i, v.Flags)
+- }
+- }
+-}
+-
+-func downloadEd25519Vectors(t *testing.T) []byte {
+- testenv.MustHaveExternalNetwork(t)
+-
+- // Download the JSON test file from the GOPROXY with `go mod download`,
+- // pinning the version so test and module caching works as expected.
+- goTool := testenv.GoToolPath(t)
+- path := "filippo.io/mostly-harmless/ed25519vectors@v0.0.0-20210322192420-30a2d7243a94"
+- cmd := exec.Command(goTool, "mod", "download", "-json", path)
+- // TODO: enable the sumdb once the TryBots proxy supports it.
+- cmd.Env = append(os.Environ(), "GONOSUMDB=*")
+- output, err := cmd.Output()
+- if err != nil {
+- t.Fatalf("failed to run `go mod download -json %s`, output: %s", path, output)
+- }
+- var dm struct {
+- Dir string // absolute path to cached source root directory
+- }
+- if err := json.Unmarshal(output, &dm); err != nil {
+- t.Fatal(err)
+- }
+-
+- jsonVectors, err := os.ReadFile(filepath.Join(dm.Dir, "ed25519vectors.json"))
+- if err != nil {
+- t.Fatalf("failed to read ed25519vectors.json: %v", err)
+- }
+- return jsonVectors
+-}
+-
+-func decodeHex(t *testing.T, s string) []byte {
+- t.Helper()
+- b, err := hex.DecodeString(s)
+- if err != nil {
+- t.Errorf("invalid hex: %v", err)
+- }
+- return b
+-}
+--
+2.33.1
+
diff --git a/SOURCES/remove_waitgroup_misuse_tests.patch b/SOURCES/remove_waitgroup_misuse_tests.patch
new file mode 100644
index 0000000..b643563
--- /dev/null
+++ b/SOURCES/remove_waitgroup_misuse_tests.patch
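Review bot: Deleting src/crypto/ed25519/ed25519vectors_test.go outright also removes the vectors from the non-FIPS test runs, whereas the only visible reason to exclude it was the FIPS runs (the `DISABLE_Ed25519_TEST` filter this commit drops from golang.spec) and the network download the test needs behind `testenv.MustHaveExternalNetwork(t)`. A narrower change keeps the coverage where it is available: in `downloadEd25519Vectors`, replace the hard failure of the `go mod download` step with `t.Skipf("cannot download ed25519 vectors: %v (output: %s)", err, output)`, so an offline build box skips while a connected one still exercises the low-order and non-canonical edge cases the file's header comment says are consensus-relevant. If the deletion is intentional, the patch body should state why (the Subject line gives no reason) and name the downstream bug, e.g. `Removed because [reason]; see [bug id]`, so a later rebase knows whether the patch can be dropped.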
@@ -0,0 +1,151 @@
+diff --git a/src/sync/waitgroup_test.go b/src/sync/waitgroup_test.go
+index c569e0faa2eb..4ded218d2d8d 100644
+--- a/src/sync/waitgroup_test.go
++++ b/src/sync/waitgroup_test.go
+@@ -5,8 +5,6 @@
+ package sync_test
+ 
+ import (
+- "internal/race"
+- "runtime"
+ . "sync"
+ "sync/atomic"
+ "testing"
+@@ -48,12 +46,6 @@ func TestWaitGroup(t *testing.T) {
+ }
+ }
+ 
+-func knownRacy(t *testing.T) {
+- if race.Enabled {
+- t.Skip("skipping known-racy test under the race detector")
+- }
+-}
+-
+ func TestWaitGroupMisuse(t *testing.T) {
+ defer func() {
+ err := recover()
+@@ -68,124 +60,6 @@ func TestWaitGroupMisuse(t *testing.T) {
+ t.Fatal("Should panic")
+ }
+ 
+-// pollUntilEqual blocks until v, loaded atomically, is
+-// equal to the target.
+-func pollUntilEqual(v *uint32, target uint32) {
+- for {
+- for i := 0; i < 1e3; i++ {
+- if atomic.LoadUint32(v) == target {
+- return
+- }
+- }
+- // yield to avoid deadlock with the garbage collector
+- // see issue #20072
+- runtime.Gosched()
+- }
+-}
+-
+-func TestWaitGroupMisuse2(t *testing.T) {
+- knownRacy(t)
+- if runtime.NumCPU() <= 4 {
+- t.Skip("NumCPU<=4, skipping: this test requires parallelism")
+- }
+- defer func() {
+- err := recover()
+- if err != "sync: negative WaitGroup counter" &&
+- err != "sync: WaitGroup misuse: Add called concurrently with Wait" &&
+- err != "sync: WaitGroup is reused before previous Wait has returned" {
+- t.Fatalf("Unexpected panic: %#v", err)
+- }
+- }()
+- defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(4))
+- done := make(chan interface{}, 2)
+- // The detection is opportunistic, so we want it to panic
+- // at least in one run out of a million.
+- for i := 0; i < 1e6; i++ {
+- var wg WaitGroup
+- var here uint32
+- wg.Add(1)
+- go func() {
+- defer func() {
+- done <- recover()
+- }()
+- atomic.AddUint32(&here, 1)
+- pollUntilEqual(&here, 3)
+- wg.Wait()
+- }()
+- go func() {
+- defer func() {
+- done <- recover()
+- }()
+- atomic.AddUint32(&here, 1)
+- pollUntilEqual(&here, 3)
+- wg.Add(1) // This is the bad guy.
+- wg.Done()
+- }()
+- atomic.AddUint32(&here, 1)
+- pollUntilEqual(&here, 3)
+- wg.Done()
+- for j := 0; j < 2; j++ {
+- if err := <-done; err != nil {
+- panic(err)
+- }
+- }
+- }
+- t.Fatal("Should panic")
+-}
+-
+-func TestWaitGroupMisuse3(t *testing.T) {
+- knownRacy(t)
+- if runtime.NumCPU() <= 1 {
+- t.Skip("NumCPU==1, skipping: this test requires parallelism")
+- }
+- defer func() {
+- err := recover()
+- if err != "sync: negative WaitGroup counter" &&
+- err != "sync: WaitGroup misuse: Add called concurrently with Wait" &&
+- err != "sync: WaitGroup is reused before previous Wait has returned" {
+- t.Fatalf("Unexpected panic: %#v", err)
+- }
+- }()
+- defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(4))
+- done := make(chan interface{}, 3)
+- // The detection is opportunistically, so we want it to panic
+- // at least in one run out of a million.
+- for i := 0; i < 1e6; i++ {
+- var wg WaitGroup
+- wg.Add(1)
+- go func() {
+- defer func() {
+- done <- recover()
+- }()
+- wg.Done()
+- }()
+- go func() {
+- defer func() {
+- done <- recover()
+- }()
+- wg.Wait()
+- // Start reusing the wg before waiting for the Wait below to return.
+- wg.Add(1)
+- go func() {
+- wg.Done()
+- }()
+- wg.Wait()
+- }()
+- go func() {
+- defer func() {
+- done <- recover()
+- }()
+- wg.Wait()
+- }()
+- for j := 0; j < 3; j++ {
+- if err := <-done; err != nil {
+- panic(err)
+- }
+- }
+- }
+- t.Fatal("Should panic")
+-}
+-
+ func TestWaitGroupRace(t *testing.T) {
+ // Run this test for about 1ms.
+ for i := 0; i < 1000; i++ {
diff --git a/SPECS/golang.spec b/SPECS/golang.spec
index bcc88b4..711a3a5 100644
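Review bot: The patch gives no reason for removing `TestWaitGroupMisuse2`, `TestWaitGroupMisuse3` and their `pollUntilEqual` and `knownRacy` helpers — unlike the ed25519 patch in the same commit it has no From/Subject header, and the spec changelog only records that the patch was added. Both tests already skip themselves under the race detector and on low `runtime.NumCPU()`, so a reader cannot tell from the diff whether they were flaky, too slow (each iterates 1e6 times), or failing outright on the builders. Add a few header lines above the `diff --git` line stating the reason and the upstream or downstream reference, e.g. `Remove TestWaitGroupMisuse2/3: [reason, e.g. time out on the CI builders]; see [bug id]`; without it a future rebase cannot decide whether the patch is still needed. Since the new side of the third hunk ends inside `TestWaitGroupRace`, the context line `for i := 0; i < 1000; i++ {` is only the start of that function, not part of the removal.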
--- a/SPECS/golang.spec
+++ b/SPECS/golang.spec
@@ -96,7 +96,7 @@
 %endif
 %global go_api 1.17
-%global go_version 1.17.2
+%global go_version 1.17.5
 %global pkg_release 1
 Name: golang
@@ -147,6 +147,9 @@ Patch221: fix_TestScript_list_std.patch
 # Port to openssl 3.0
 Patch1952381: rhbz1952381.patch
+Patch222: remove_waitgroup_misuse_tests.patch
+Patch223: remove_ed25519vectors_test.patch
+
 # Having documentation separate was broken
 Obsoletes: %{name}-docs < 1.1-4
@@ -242,6 +245,10 @@ Requires: %{name} = %{version}-%{release}
 %patch1952381 -p1
+%patch222 -p1
+
+%patch223 -p1
+
 cp %{SOURCE1} ./src/runtime/
 %build
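Review bot: `Patch222` and `Patch223` are declared directly under the `# Port to openssl 3.0` comment and its `Patch1952381`, so they read as part of the OpenSSL port although they only drop two upstream tests, and the `%prep` hunk repeats that ordering with `%patch222`/`%patch223` after `%patch1952381`. Declare them right after `Patch221`, apply them in the same order in `%prep`, and give each a one-line comment naming what it removes and why, e.g. `# Drop upstream tests that do not work on the build system: [reason, to be confirmed against the patch]`. The commit itself states no reason, so the comment text has to come from whoever produced the patches.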
@@ -440,61 +447,19 @@
 export GO_TEST_RUN=""
 %if %{fail_on_tests}
-TEST_BORING_CONFIGS=`mktemp -d`
-TEST_BORING_CNF=$TEST_BORING_CONFIGS/openssl-boring.cnf
-TEST_BORING_FIPS_CNF=$TEST_BORING_CONFIGS/fipsmodule.cnf
-trap "rm -rf $TEST_BORING_CONFIGS" EXIT
-
-cp /etc/pki/tls/openssl.cnf $TEST_BORING_CNF
-openssl fipsinstall -module /usr/lib64/ossl-modules/fips.so -out $TEST_BORING_FIPS_CNF
-
-cat > $TEST_BORING_CNF << EOM
-openssl_conf = openssl_test
-
-[openssl_test]
-providers = provider_test
-alg_section = algorithm_test
-ssl_conf = ssl_module
-
-[algorithm_test]
-default_properties = fips=yes
-
-[provider_test]
-default = default_sect
- # The fips section name should match the section name inside the
- # included fipsmodule.cnf.
-fips = fips_sect
-.include $TEST_BORING_FIPS_CNF
-
-[default_sect]
-activate = 1
-
-[ ssl_module ]
-
-system_default = crypto_policy
-
-[ crypto_policy ]
-
-.include = /etc/crypto-policies/back-ends/opensslcnf.config
-
-[ new_oids ]
-
-EOM
-
 ./run.bash --no-rebuild -v -v -v -k $GO_TEST_RUN
-export OPENSSL_CONF=$TEST_BORING_CNF
+export OPENSSL_FORCE_FIPS_MODE=1
 # Run tests with FIPS enabled.
-export DISABLE_Ed25519_TEST="-run=!^TestEd25519Vectors$"
 pushd crypto
 # Run all crypto tests but skip TLS, we will run FIPS specific TLS tests later
- GOLANG_FIPS=1 go test $(go list ./... | grep -v tls) -v $DISABLE_Ed25519_TEST
+ GOLANG_FIPS=1 go test $(go list ./... | grep -v tls) -v
 # Check that signature functions have parity between boring and notboring
- CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v $DISABLE_Ed25519_TEST
+ CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v
 popd
 # Run all FIPS specific TLS tests
 pushd crypto/tls
- GOLANG_FIPS=1 go test -v -run "Boring" $DISABLE_Ed25519_TEST
+ GOLANG_FIPS=1 go test -v -run "Boring"
 popd
 %else
 ./run.bash --no-rebuild -v -v -v -k || :
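Review bot: After this hunk the "FIPS enabled" crypto runs rest entirely on `export OPENSSL_FORCE_FIPS_MODE=1`, and nothing in the script checks that the test processes actually ended up in FIPS mode; the removed block at least ran `openssl fipsinstall` and pinned `default_properties = fips=yes` in an explicit config, so a missing FIPS module surfaced during the build. If the installed OpenSSL or the golang-fips backend ignores that variable, all three `go test` invocations silently run non-FIPS and the "parity between boring and notboring" check becomes a comparison of two non-FIPS runs. Before `pushd crypto`, add a guard that fails the build when FIPS is not active — for example an `openssl` invocation of a non-approved digest that is expected to fail, `openssl md5 /dev/null && exit 1`, or a small Go test in the crypto tree asserting the FIPS backend is enabled — and a comment recording that `OPENSSL_FORCE_FIPS_MODE` is the downstream OpenSSL switch this relies on, which should be confirmed since the commit does not say. The changelog's "Remove FIPS checks to avoid issues in the CI" deserves a comment here too, otherwise the next maintainer cannot tell that dropping the explicit config was deliberate.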
@@ -557,6 +522,17 @@ cd ..
 %endif
 %changelog
+* Mon Dec 13 2021 Alejandro Sáez - 1.17.5-1
+- Rebase to Go 1.17.5
+- Add remove_waitgroup_misuse_tests patch
+- Add remove_ed25519vectors_test.patch
+- Remove FIPS checks to avoid issues in the CI
+- Related: rhbz#2031116
+- Resolves: rhbz#2022829
+- Resolves: rhbz#2024687
+- Resolves: rhbz#2030851
+- Resolves: rhbz#2031253
+
 * Wed Nov 03 2021 Alejandro Sáez - 1.17.2-1
 - Rebase to Go 1.17.2
 - Related: rhbz#2014087