diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..3334520 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/go-go-1.16.6-3-openssl-fips.tar.gz diff --git a/.golang.metadata b/.golang.metadata new file mode 100644 index 0000000..771796a --- /dev/null +++ b/.golang.metadata @@ -0,0 +1 @@ +97a713b08ed6438c1b488c29fb4c1b2d654831c8 SOURCES/go-go-1.16.6-3-openssl-fips.tar.gz diff --git a/SOURCES/cgo-lto-fix.patch b/SOURCES/cgo-lto-fix.patch new file mode 100644 index 0000000..2aca0e3 --- /dev/null +++ b/SOURCES/cgo-lto-fix.patch @@ -0,0 +1,289 @@ +From 24e9707cbfa6b1ed6abdd4b11f9ddaf3aac5ad88 Mon Sep 17 00:00:00 2001 +From: Ian Lance Taylor +Date: Tue, 25 May 2021 16:31:41 -0700 +Subject: [PATCH] cmd/link, cmd/cgo: support -flto in CFLAGS + +The linker now accepts unrecognized object files in external linking mode. +These objects will simply be passed to the external linker. +This permits using -flto which can generate pure byte code objects, +whose symbol table the linker does not know how to read. + +The cgo tool now passes -fno-lto when generating objects whose symbols +it needs to read. The cgo tool now emits matching types in different +objects, so that the lto linker does not report a mismatch. + +This is based on https://golang.org/cl/293290 by Derek Parker. + +For #43505 +Fixes #43830 +Fixes #46295 + +Change-Id: I6787de213417466784ddef5af8899e453b4ae1ad +Reviewed-on: https://go-review.googlesource.com/c/go/+/322614 +Trust: Ian Lance Taylor +Run-TryBot: Ian Lance Taylor +TryBot-Result: Go Bot +Reviewed-by: Michael Hudson-Doyle +--- + +diff --git a/src/cmd/cgo/gcc.go b/src/cmd/cgo/gcc.go +index ae61725..a73e998 100644 +--- a/src/cmd/cgo/gcc.go ++++ b/src/cmd/cgo/gcc.go +@@ -1638,6 +1638,8 @@ + c = append(c, "-maix64") + c = append(c, "-mcmodel=large") + } ++ // disable LTO so we get an object whose symbols we can read ++ c = append(c, "-fno-lto") + c = append(c, "-") //read input from standard input + return c + } +diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go +index 8c31d5b..94152f4 100644 +--- a/src/cmd/cgo/out.go ++++ b/src/cmd/cgo/out.go +@@ -168,8 +168,18 @@ + if *gccgo { + fmt.Fprintf(fc, "extern byte *%s;\n", n.C) + } else { +- fmt.Fprintf(fm, "extern char %s[];\n", n.C) +- fmt.Fprintf(fm, "void *_cgohack_%s = %s;\n\n", n.C, n.C) ++ // Force a reference to all symbols so that ++ // the external linker will add DT_NEEDED ++ // entries as needed on ELF systems. ++ // Treat function variables differently ++ // to avoid type confict errors from LTO ++ // (Link Time Optimization). ++ if n.Kind == "fpvar" { ++ fmt.Fprintf(fm, "extern void %s();\n", n.C) ++ } else { ++ fmt.Fprintf(fm, "extern char %s[];\n", n.C) ++ fmt.Fprintf(fm, "void *_cgohack_%s = %s;\n\n", n.C, n.C) ++ } + fmt.Fprintf(fgo2, "//go:linkname __cgo_%s %s\n", n.C, n.C) + fmt.Fprintf(fgo2, "//go:cgo_import_static %s\n", n.C) + fmt.Fprintf(fgo2, "var __cgo_%s byte\n", n.C) +@@ -1042,7 +1052,7 @@ + fmt.Fprintf(fgo2, "//go:cgo_export_static _cgoexp%s_%s\n", cPrefix, exp.ExpName) + fmt.Fprintf(fgo2, "func _cgoexp%s_%s(a *%s) {\n", cPrefix, exp.ExpName, gotype) + +- fmt.Fprintf(fm, "int _cgoexp%s_%s;\n", cPrefix, exp.ExpName) ++ fmt.Fprintf(fm, "void _cgoexp%s_%s(void* p){}\n", cPrefix, exp.ExpName) + + if gccResult != "void" { + // Write results back to frame. +diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go +index 50bf80b..bc49c6d 100644 +--- a/src/cmd/dist/test.go ++++ b/src/cmd/dist/test.go +@@ -722,14 +722,29 @@ + }, + }) + if t.hasCxx() { +- t.tests = append(t.tests, distTest{ +- name: "swig_callback", +- heading: "../misc/swig/callback", +- fn: func(dt *distTest) error { +- t.addCmd(dt, "misc/swig/callback", t.goTest()) +- return nil ++ t.tests = append(t.tests, ++ distTest{ ++ name: "swig_callback", ++ heading: "../misc/swig/callback", ++ fn: func(dt *distTest) error { ++ t.addCmd(dt, "misc/swig/callback", t.goTest()) ++ return nil ++ }, + }, +- }) ++ distTest{ ++ name: "swig_callback_lto", ++ heading: "../misc/swig/callback", ++ fn: func(dt *distTest) error { ++ cmd := t.addCmd(dt, "misc/swig/callback", t.goTest()) ++ cmd.Env = append(os.Environ(), ++ "CGO_CFLAGS=-flto", ++ "CGO_CXXFLAGS=-flto", ++ "CGO_LDFLAGS=-flto", ++ ) ++ return nil ++ }, ++ }, ++ ) + } + } + } +diff --git a/src/cmd/go/testdata/script/cgo_lto2_issue43830.txt b/src/cmd/go/testdata/script/cgo_lto2_issue43830.txt +new file mode 100644 +index 0000000..e2483ba +--- /dev/null ++++ b/src/cmd/go/testdata/script/cgo_lto2_issue43830.txt +@@ -0,0 +1,33 @@ ++# tests golang.org/issue/43830 ++ ++[!cgo] skip 'skipping test without cgo' ++[openbsd] env CC='clang' ++[openbsd] [!exec:clang] skip 'skipping test without clang present' ++[!openbsd] env CC='gcc' ++[!openbsd] [!exec:gcc] skip 'skipping test without gcc present' ++ ++env CGO_CFLAGS='-Wno-ignored-optimization-argument -flto -ffat-lto-objects' ++ ++go build main.go ++ ++-- main.go -- ++ ++package main ++ ++import "fmt" ++ ++// #include "hello.h" ++import "C" ++ ++func main() { ++ hello := C.hello ++ fmt.Printf("%v\n", hello) ++} ++ ++-- hello.h -- ++ ++#include ++ ++void hello(void) { ++ printf("hello\n"); ++} +diff --git a/src/cmd/go/testdata/script/cgo_lto_issue43830.txt b/src/cmd/go/testdata/script/cgo_lto_issue43830.txt +new file mode 100644 +index 0000000..06ab2f3 +--- /dev/null ++++ b/src/cmd/go/testdata/script/cgo_lto_issue43830.txt +@@ -0,0 +1,39 @@ ++# tests golang.org/issue/43830 ++ ++[!cgo] skip 'skipping test without cgo' ++[openbsd] env CC='clang' ++[openbsd] [!exec:clang] skip 'skipping test without clang present' ++[!openbsd] env CC='gcc' ++[!openbsd] [!exec:gcc] skip 'skipping test without gcc present' ++ ++env CGO_CFLAGS='-Wno-ignored-optimization-argument -flto -ffat-lto-objects' ++ ++go build main.go add.go ++ ++-- main.go -- ++ ++package main ++ ++/* ++int c_add(int a, int b) { ++ return myadd(a, b); ++} ++*/ ++import "C" ++ ++func main() { ++ println(C.c_add(1, 2)) ++} ++ ++-- add.go -- ++ ++package main ++ ++import "C" ++ ++/* test */ ++ ++//export myadd ++func myadd(a C.int, b C.int) C.int { ++ return a + b ++} +diff --git a/src/cmd/link/internal/ld/ar.go b/src/cmd/link/internal/ld/ar.go +index 22f53a4..23915f9 100644 +--- a/src/cmd/link/internal/ld/ar.go ++++ b/src/cmd/link/internal/ld/ar.go +@@ -124,6 +124,10 @@ + + libgcc := sym.Library{Pkg: "libgcc"} + h := ldobj(ctxt, f, &libgcc, l, pname, name) ++ if h.ld == nil { ++ Errorf(nil, "%s unrecognized object file at offset %d", name, off) ++ continue ++ } + f.MustSeek(h.off, 0) + h.ld(ctxt, f, h.pkg, h.length, h.pn) + } +diff --git a/src/cmd/link/internal/ld/config.go b/src/cmd/link/internal/ld/config.go +index ae0d752..20f1d0b 100644 +--- a/src/cmd/link/internal/ld/config.go ++++ b/src/cmd/link/internal/ld/config.go +@@ -241,6 +241,10 @@ + return true, "dynamically linking with a shared library" + } + ++ if unknownObjFormat { ++ return true, "some input objects have an unrecognized file format" ++ } ++ + return false, "" + } + +@@ -248,7 +252,7 @@ + // + // It is called after flags are processed and inputs are processed, + // so the ctxt.LinkMode variable has an initial value from the -linkmode +-// flag and the iscgo externalobj variables are set. ++// flag and the iscgo, externalobj, and unknownObjFormat variables are set. + func determineLinkMode(ctxt *Link) { + extNeeded, extReason := mustLinkExternal(ctxt) + via := "" +diff --git a/src/cmd/link/internal/ld/lib.go b/src/cmd/link/internal/ld/lib.go +index e8f001b..644faeb 100644 +--- a/src/cmd/link/internal/ld/lib.go ++++ b/src/cmd/link/internal/ld/lib.go +@@ -343,10 +343,16 @@ + const pkgdef = "__.PKGDEF" + + var ( +- // Set if we see an object compiled by the host compiler that is not +- // from a package that is known to support internal linking mode. ++ // externalobj is set to true if we see an object compiled by ++ // the host compiler that is not from a package that is known ++ // to support internal linking mode. + externalobj = false +- theline string ++ ++ // unknownObjFormat is set to true if we see an object whose ++ // format we don't recognize. ++ unknownObjFormat = false ++ ++ theline string + ) + + func Lflag(ctxt *Link, arg string) { +@@ -1065,6 +1071,10 @@ + } + + f.MustSeek(h.off, 0) ++ if h.ld == nil { ++ Errorf(nil, "%s: unrecognized object file format", h.pn) ++ continue ++ } + h.ld(ctxt, f, h.pkg, h.length, h.pn) + f.Close() + } +@@ -1855,6 +1865,14 @@ + return ldhostobj(ldxcoff, ctxt.HeadType, f, pkg, length, pn, file) + } + ++ if c1 != 'g' || c2 != 'o' || c3 != ' ' || c4 != 'o' { ++ // An unrecognized object is just passed to the external linker. ++ // If we try to read symbols from this object, we will ++ // report an error at that time. ++ unknownObjFormat = true ++ return ldhostobj(nil, ctxt.HeadType, f, pkg, length, pn, file) ++ } ++ + /* check the header */ + line, err := f.ReadString('\n') + if err != nil { diff --git a/SOURCES/fedora.go b/SOURCES/fedora.go new file mode 100644 index 0000000..81b28ba --- /dev/null +++ b/SOURCES/fedora.go @@ -0,0 +1,7 @@ +// +build rpm_crashtraceback + +package runtime + +func init() { + setTraceback("crash") +} diff --git a/SOURCES/fix_TestScript_list_std.patch b/SOURCES/fix_TestScript_list_std.patch new file mode 100644 index 0000000..1387cb7 --- /dev/null +++ b/SOURCES/fix_TestScript_list_std.patch @@ -0,0 +1,13 @@ +diff --git a/src/cmd/go/testdata/script/list_std.txt b/src/cmd/go/testdata/script/list_std.txt +index 6ab1bd1674..4a00e436fd 100644 +--- a/src/cmd/go/testdata/script/list_std.txt ++++ b/src/cmd/go/testdata/script/list_std.txt +@@ -6,7 +6,7 @@ env GO111MODULE=off + # Listing GOROOT should only find standard packages. + cd $GOROOT/src + go list -f '{{if not .Standard}}{{.ImportPath}}{{end}}' ./... +-! stdout . ++stdout _$GOROOT + + # Standard packages should include cmd, but not cmd/vendor. + go list ./... diff --git a/SOURCES/go1.5-zoneinfo_testing_only.patch b/SOURCES/go1.5-zoneinfo_testing_only.patch new file mode 100644 index 0000000..581cb94 --- /dev/null +++ b/SOURCES/go1.5-zoneinfo_testing_only.patch @@ -0,0 +1,70 @@ +diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/internal_test.go.time go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/internal_test.go +--- go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/internal_test.go.time 2017-12-05 01:10:10.000000000 +0100 ++++ go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/internal_test.go 2017-12-05 14:55:10.574637475 +0100 +@@ -4,13 +4,15 @@ + + package time + ++import "runtime" ++ + func init() { + // force US/Pacific for time zone tests + ForceUSPacificForTesting() + } + + func initTestingZone() { +- z, err := loadLocation("America/Los_Angeles", zoneSources[len(zoneSources)-1:]) ++ z, err := loadLocation("America/Los_Angeles", zoneSources) + if err != nil { + panic("cannot load America/Los_Angeles for testing: " + err.Error()) + } +@@ -21,8 +23,9 @@ func initTestingZone() { + var OrigZoneSources = zoneSources + + func forceZipFileForTesting(zipOnly bool) { +- zoneSources = make([]string, len(OrigZoneSources)) ++ zoneSources = make([]string, len(OrigZoneSources)+1) + copy(zoneSources, OrigZoneSources) ++ zoneSources = append(zoneSources, runtime.GOROOT()+"/lib/time/zoneinfo.zip") + if zipOnly { + zoneSources = zoneSources[len(zoneSources)-1:] + } +diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_test.go.time go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_test.go +--- go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_test.go.time 2017-12-05 01:10:10.000000000 +0100 ++++ go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_test.go 2017-12-05 14:58:09.823109248 +0100 +@@ -8,6 +8,7 @@ import ( + "fmt" + "os" + "reflect" ++ "runtime" + "testing" + "time" + ) +@@ -128,7 +129,7 @@ func TestLoadLocationFromTZData(t *testi + t.Fatal(err) + } + +- tzinfo, err := time.LoadTzinfo(locationName, time.OrigZoneSources[len(time.OrigZoneSources)-1]) ++ tzinfo, err := time.LoadTzinfo(locationName, runtime.GOROOT()+"/lib/time/zoneinfo.zip") + if err != nil { + t.Fatal(err) + } +diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_unix.go.time go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_unix.go +--- go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_unix.go.time 2017-12-05 01:10:10.000000000 +0100 ++++ go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_unix.go 2017-12-05 14:55:10.574637475 +0100 +@@ -12,7 +12,6 @@ + package time + + import ( +- "runtime" + "syscall" + ) + +@@ -22,7 +21,6 @@ var zoneSources = []string{ + "/usr/share/zoneinfo/", + "/usr/share/lib/zoneinfo/", + "/usr/lib/locale/TZ/", +- runtime.GOROOT() + "/lib/time/zoneinfo.zip", + } + + func initLocal() { diff --git a/SOURCES/golang-1.15-warnCN.patch b/SOURCES/golang-1.15-warnCN.patch new file mode 100644 index 0000000..5d9cf82 --- /dev/null +++ b/SOURCES/golang-1.15-warnCN.patch @@ -0,0 +1,25 @@ +diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go +index 50f4d4a..121fd1b 100644 +--- a/src/crypto/x509/verify.go ++++ b/src/crypto/x509/verify.go +@@ -20,6 +20,9 @@ import ( + + // ignoreCN disables interpreting Common Name as a hostname. See issue 24151. + var ignoreCN = !strings.Contains(os.Getenv("GODEBUG"), "x509ignoreCN=0") ++// if using Common Name as a hostname is enabled via x509ignoreCN=0, ++// warnCN enables a warning whenever Common Name is interpreted as a hostname. ++var warnCN = strings.Contains(os.Getenv("GODEBUG"), "x509warnCN=1") + + type InvalidReason int + +@@ -1078,6 +1081,10 @@ func (c *Certificate) VerifyHostname(h string) error { + names := c.DNSNames + if c.commonNameAsHostname() { + names = []string{c.Subject.CommonName} ++ if warnCN { ++ fmt.Fprintf(os.Stderr, "x509: Warning - certificate relies on legacy Common Name field. " + ++ "Using CN without SAN is deprecated and will not work in future versions.\n") ++ } + } + + candidateName := toLowerCaseASCII(h) // Save allocations inside the loop. diff --git a/SOURCES/golang-gdbinit b/SOURCES/golang-gdbinit new file mode 100644 index 0000000..4ef690b --- /dev/null +++ b/SOURCES/golang-gdbinit @@ -0,0 +1 @@ +add-auto-load-safe-path /usr/lib/golang/src/pkg/runtime/runtime-gdb.py diff --git a/SOURCES/golang-prelink.conf b/SOURCES/golang-prelink.conf new file mode 100644 index 0000000..471e8e6 --- /dev/null +++ b/SOURCES/golang-prelink.conf @@ -0,0 +1,3 @@ +# there are ELF files in src which are testdata and shouldn't be modified +-b /usr/lib/golang/src +-b /usr/lib64/golang/src diff --git a/SOURCES/ppc64le-vdso-segfault-fix.patch b/SOURCES/ppc64le-vdso-segfault-fix.patch new file mode 100644 index 0000000..09dd101 --- /dev/null +++ b/SOURCES/ppc64le-vdso-segfault-fix.patch @@ -0,0 +1,229 @@ +From 16ab7e49d4070c4f68e88836b123dbe6da8bb015 Mon Sep 17 00:00:00 2001 +From: Derek Parker +Date: Thu, 17 Jun 2021 20:22:40 +0000 +Subject: [PATCH] [release-branch.go1.16] runtime: fix crash during VDSO calls on PowerPC + +This patch reinstates a fix for PowerPC with regard to making VDSO calls +while receiving a signal, and subsequently crashing. The crash happens +because certain VDSO calls can modify the r30 register, which is where g +is stored. This change was reverted for PowerPC because r30 is supposed +to be a non-volatile register. This is true, but that only makes a +guarantee across function calls, but not "within" a function call. This +patch was seemingly fine before because the Linux kernel still had hand +rolled assembly VDSO function calls, however with a recent change to C +function calls it seems the compiler used can generate instructions +which temporarily clobber r30. This means that when we receive a signal +during one of these calls the value of r30 will not be the g as the +runtime expects, causing a segfault. + +You can see from this assembly dump how the register is clobbered during +the call: + +(the following is from a 5.13rc2 kernel) + +``` +Dump of assembler code for function __cvdso_clock_gettime_data: + 0x00007ffff7ff0700 <+0>: cmplwi r4,15 + 0x00007ffff7ff0704 <+4>: bgt 0x7ffff7ff07f0 <__cvdso_clock_gettime_data+240> + 0x00007ffff7ff0708 <+8>: li r9,1 + 0x00007ffff7ff070c <+12>: slw r9,r9,r4 + 0x00007ffff7ff0710 <+16>: andi. r10,r9,2179 + 0x00007ffff7ff0714 <+20>: beq 0x7ffff7ff0810 <__cvdso_clock_gettime_data+272> + 0x00007ffff7ff0718 <+24>: rldicr r10,r4,4,59 + 0x00007ffff7ff071c <+28>: lis r9,32767 + 0x00007ffff7ff0720 <+32>: std r30,-16(r1) + 0x00007ffff7ff0724 <+36>: std r31,-8(r1) + 0x00007ffff7ff0728 <+40>: add r6,r3,r10 + 0x00007ffff7ff072c <+44>: ori r4,r9,65535 + 0x00007ffff7ff0730 <+48>: lwz r8,0(r3) + 0x00007ffff7ff0734 <+52>: andi. r9,r8,1 + 0x00007ffff7ff0738 <+56>: bne 0x7ffff7ff07d0 <__cvdso_clock_gettime_data+208> + 0x00007ffff7ff073c <+60>: lwsync + 0x00007ffff7ff0740 <+64>: mftb r30 <---- RIGHT HERE +=> 0x00007ffff7ff0744 <+68>: ld r12,40(r6) +``` + +What I believe is happening is that the kernel changed the PowerPC VDSO +calls to use standard C calls instead of using hand rolled assembly. The +hand rolled assembly calls never touched r30, so this change was safe to +roll back. That does not seem to be the case anymore as on the 5.13rc2 +kernel the compiler *is* generating assembly which modifies r30, making +this change again unsafe and causing a crash when the program receives a +signal during these calls (which will happen often due to async +preempt). This change happened here: +https://lwn.net/ml/linux-kernel/235e5571959cfa89ced081d7e838ed5ff38447d2.1601365870.git.christophe.leroy@csgroup.eu/. + +I realize this was reverted due to unexplained hangs in PowerPC +builders, but I think we should reinstate this change and investigate +those issues separately: +https://github.com/golang/go/commit/f4ca3c1e0a2066ca4f7bd6203866d282ed34acf2 + +Fixes #46858 + +Change-Id: Ib18d7bbfc80a1a9cb558f0098878d41081324b52 +GitHub-Last-Rev: c3002bcfca3ef58b27485e31328e6297b7a9dfe7 +GitHub-Pull-Request: golang/go#46767 +Reviewed-on: https://go-review.googlesource.com/c/go/+/328110 +Run-TryBot: Lynn Boger +TryBot-Result: Go Bot +Reviewed-by: Cherry Mui +Trust: Lynn Boger +(cherry picked from commit 16e82be454cbf41299e6a055d54d489ca4612ee0) +Reviewed-on: https://go-review.googlesource.com/c/go/+/334410 +Run-TryBot: Cherry Mui +--- + +diff --git a/src/runtime/signal_unix.go b/src/runtime/signal_unix.go +index 3f70707..89f936e 100644 +--- a/src/runtime/signal_unix.go ++++ b/src/runtime/signal_unix.go +@@ -381,7 +381,7 @@ + //go:nosplit + func sigFetchG(c *sigctxt) *g { + switch GOARCH { +- case "arm", "arm64": ++ case "arm", "arm64", "ppc64", "ppc64le": + if !iscgo && inVDSOPage(c.sigpc()) { + // When using cgo, we save the g on TLS and load it from there + // in sigtramp. Just use that. +diff --git a/src/runtime/sys_linux_ppc64x.s b/src/runtime/sys_linux_ppc64x.s +index fd69ee7..7be8c4c 100644 +--- a/src/runtime/sys_linux_ppc64x.s ++++ b/src/runtime/sys_linux_ppc64x.s +@@ -215,15 +215,45 @@ + MOVD (g_sched+gobuf_sp)(R7), R1 // Set SP to g0 stack + + noswitch: +- SUB $16, R1 // Space for results +- RLDICR $0, R1, $59, R1 // Align for C code ++ SUB $16, R1 // Space for results ++ RLDICR $0, R1, $59, R1 // Align for C code + MOVD R12, CTR + MOVD R1, R4 +- BL (CTR) // Call from VDSO +- MOVD $0, R0 // Restore R0 +- MOVD 0(R1), R3 // sec +- MOVD 8(R1), R5 // nsec +- MOVD R15, R1 // Restore SP ++ ++ // Store g on gsignal's stack, so if we receive a signal ++ // during VDSO code we can find the g. ++ // If we don't have a signal stack, we won't receive signal, ++ // so don't bother saving g. ++ // When using cgo, we already saved g on TLS, also don't save ++ // g here. ++ // Also don't save g if we are already on the signal stack. ++ // We won't get a nested signal. ++ MOVBZ runtime·iscgo(SB), R22 ++ CMP R22, $0 ++ BNE nosaveg ++ MOVD m_gsignal(R21), R22 // g.m.gsignal ++ CMP R22, $0 ++ BEQ nosaveg ++ ++ CMP g, R22 ++ BEQ nosaveg ++ MOVD (g_stack+stack_lo)(R22), R22 // g.m.gsignal.stack.lo ++ MOVD g, (R22) ++ ++ BL (CTR) // Call from VDSO ++ ++ MOVD $0, (R22) // clear g slot, R22 is unchanged by C code ++ ++ JMP finish ++ ++nosaveg: ++ BL (CTR) // Call from VDSO ++ ++finish: ++ MOVD $0, R0 // Restore R0 ++ MOVD 0(R1), R3 // sec ++ MOVD 8(R1), R5 // nsec ++ MOVD R15, R1 // Restore SP + + // Restore vdsoPC, vdsoSP + // We don't worry about being signaled between the two stores. +@@ -235,7 +265,7 @@ + MOVD 32(R1), R6 + MOVD R6, m_vdsoPC(R21) + +-finish: ++return: + MOVD R3, sec+0(FP) + MOVW R5, nsec+8(FP) + RET +@@ -246,7 +276,7 @@ + SYSCALL $SYS_clock_gettime + MOVD 32(R1), R3 + MOVD 40(R1), R5 +- JMP finish ++ JMP return + + TEXT runtime·nanotime1(SB),NOSPLIT,$16-8 + MOVD $1, R3 // CLOCK_MONOTONIC +@@ -282,7 +312,37 @@ + RLDICR $0, R1, $59, R1 // Align for C code + MOVD R12, CTR + MOVD R1, R4 +- BL (CTR) // Call from VDSO ++ ++ // Store g on gsignal's stack, so if we receive a signal ++ // during VDSO code we can find the g. ++ // If we don't have a signal stack, we won't receive signal, ++ // so don't bother saving g. ++ // When using cgo, we already saved g on TLS, also don't save ++ // g here. ++ // Also don't save g if we are already on the signal stack. ++ // We won't get a nested signal. ++ MOVBZ runtime·iscgo(SB), R22 ++ CMP R22, $0 ++ BNE nosaveg ++ MOVD m_gsignal(R21), R22 // g.m.gsignal ++ CMP R22, $0 ++ BEQ nosaveg ++ ++ CMP g, R22 ++ BEQ nosaveg ++ MOVD (g_stack+stack_lo)(R22), R22 // g.m.gsignal.stack.lo ++ MOVD g, (R22) ++ ++ BL (CTR) // Call from VDSO ++ ++ MOVD $0, (R22) // clear g slot, R22 is unchanged by C code ++ ++ JMP finish ++ ++nosaveg: ++ BL (CTR) // Call from VDSO ++ ++finish: + MOVD $0, R0 // Restore R0 + MOVD 0(R1), R3 // sec + MOVD 8(R1), R5 // nsec +@@ -298,7 +358,7 @@ + MOVD 32(R1), R6 + MOVD R6, m_vdsoPC(R21) + +-finish: ++return: + // sec is in R3, nsec in R5 + // return nsec in R3 + MOVD $1000000000, R4 +@@ -313,7 +373,7 @@ + SYSCALL $SYS_clock_gettime + MOVD 32(R1), R3 + MOVD 40(R1), R5 +- JMP finish ++ JMP return + + TEXT runtime·rtsigprocmask(SB),NOSPLIT|NOFRAME,$0-28 + MOVW how+0(FP), R3 +@@ -366,7 +426,7 @@ + // this might be called in external code context, + // where g is not set. + MOVBZ runtime·iscgo(SB), R6 +- CMP R6, $0 ++ CMP R6, $0 + BEQ 2(PC) + BL runtime·load_g(SB) + diff --git a/SOURCES/rhbz1952381.patch b/SOURCES/rhbz1952381.patch new file mode 100644 index 0000000..1e70af8 --- /dev/null +++ b/SOURCES/rhbz1952381.patch @@ -0,0 +1,1091 @@ +diff --git a/src/crypto/internal/boring/aes.go b/src/crypto/internal/boring/aes.go +index 2ca64bf..8111b6d 100644 +--- a/src/crypto/internal/boring/aes.go ++++ b/src/crypto/internal/boring/aes.go +@@ -130,7 +130,11 @@ func (c *aesCipher) Decrypt(dst, src []byte) { + panic("cipher: unable to initialize EVP cipher ctx") + } + } +- ++ // Workaround - padding detection is broken but we don't need it ++ // since we check for full blocks ++ if C._goboringcrypto_EVP_CIPHER_CTX_set_padding(c.dec_ctx, 0) != 1 { ++ panic("crypto/cipher: could not disable cipher padding") ++ } + outlen := C.int(0) + C._goboringcrypto_EVP_CipherUpdate(c.dec_ctx, (*C.uchar)(unsafe.Pointer(&dst[0])), &outlen, (*C.uchar)(unsafe.Pointer(&src[0])), C.int(aesBlockSize)) + runtime.KeepAlive(c) +@@ -165,6 +169,11 @@ func (x *aesCBC) CryptBlocks(dst, src []byte) { + } + if len(src) > 0 { + outlen := C.int(0) ++ // Workaround - padding detection is broken but we don't need it ++ // since we check for full blocks ++ if C._goboringcrypto_EVP_CIPHER_CTX_set_padding(x.ctx, 0) != 1 { ++ panic("crypto/cipher: could not disable cipher padding") ++ } + if C._goboringcrypto_EVP_CipherUpdate( + x.ctx, + base(dst), &outlen, +diff --git a/src/crypto/internal/boring/boring.go b/src/crypto/internal/boring/boring.go +index e7ae80c..45c856b 100644 +--- a/src/crypto/internal/boring/boring.go ++++ b/src/crypto/internal/boring/boring.go +@@ -20,7 +20,8 @@ import ( + "math/big" + "os" + "runtime" +- "strings" ++ "unsafe" ++ "fmt" + ) + + const ( +@@ -68,8 +69,22 @@ func enableBoringFIPSMode() { + } + + func fipsModeEnabled() bool { +- return os.Getenv("GOLANG_FIPS") == "1" || +- C._goboringcrypto_FIPS_mode() == fipsOn ++ // Due to the way providers work in openssl 3, the FIPS methods are not ++ // necessarily going to be available for us to load based on the GOLANG_FIPS ++ // environment variable alone. For now, we must rely on the config to tell ++ // us if the provider is configured and active. ++ ++ fipsConfigured := C._goboringcrypto_FIPS_mode() == fipsOn ++ openSSLVersion := C._goboringcrypto_internal_OPENSSL_VERSION_NUMBER() ++ if openSSLVersion >= C.ulong(0x30000000) { ++ if !fipsConfigured && os.Getenv("GOLANG_FIPS") == "1" { ++ panic("GOLANG_FIPS=1 specified but OpenSSL FIPS provider is not configured") ++ } ++ return fipsConfigured ++ ++ } else { ++ return os.Getenv("GOLANG_FIPS") == "1" || fipsConfigured ++ } + } + + var randstub bool +@@ -126,23 +141,31 @@ func PanicIfStrictFIPS(msg string) { + } + + func NewOpenSSLError(msg string) error { +- var b strings.Builder + var e C.ulong + +- b.WriteString(msg) +- b.WriteString("\nopenssl error(s):\n") ++ message := fmt.Sprintf("\n%v\nopenssl error(s):", msg) + + for { +- e = C._goboringcrypto_internal_ERR_get_error() ++ var file *C.char ++ var line C.int ++ var fnc *C.char ++ var data *C.char ++ var flags C.int ++ e = C._goboringcrypto_internal_ERR_get_error_all(&file, &line, &fnc, &data, &flags) + if e == 0 { + break + } +- var buf [256]byte +- C._goboringcrypto_internal_ERR_error_string_n(e, base(buf[:]), 256) +- b.Write(buf[:]) +- b.WriteByte('\n') ++ var buf [256]C.char ++ C._goboringcrypto_internal_ERR_error_string_n(e, (*C.uchar)(unsafe.Pointer (&buf[0])), 256) ++ message = fmt.Sprintf("%v\nfile: %v\nline: %v\nfunction: %v\nflags: %v\nerror string: %s\n", ++ message, ++ C.GoString(file), ++ line, ++ C.GoString(fnc), ++ flags, ++ C.GoString(&(buf[0]))) + } +- return errors.New(b.String()) ++ return errors.New(message) + } + + type fail string +diff --git a/src/crypto/internal/boring/goopenssl.h b/src/crypto/internal/boring/goopenssl.h +index 3585458..0762c95 100644 +--- a/src/crypto/internal/boring/goopenssl.h ++++ b/src/crypto/internal/boring/goopenssl.h +@@ -14,6 +14,15 @@ + + #include + ++#if OPENSSL_VERSION_NUMBER < 0x30000000 ++#define OPENSSL_DLSYM_CALL(handle, func) dlsym(handle, func) ++#else ++#define __USE_GNU ++#define OPENSSL_DLSYM_CALL(handle, func) dlvsym(handle, func, "OPENSSL_3.0.0") ++#endif ++ ++#include ++ + #define unlikely(x) __builtin_expect(!!(x), 0) + #define DEFINEFUNC(ret, func, args, argscall) \ + typedef ret(*_goboringcrypto_PTR_##func) args; \ +@@ -22,7 +31,7 @@ + { \ + if (unlikely(!_g_##func)) \ + { \ +- _g_##func = dlsym(handle, #func); \ ++ _g_##func = OPENSSL_DLSYM_CALL(handle, #func); \ + } \ + return _g_##func argscall; \ + } +@@ -34,7 +43,7 @@ + { \ + if (unlikely(!_g_internal_##func)) \ + { \ +- _g_internal_##func = dlsym(handle, #func); \ ++ _g_internal_##func = OPENSSL_DLSYM_CALL(handle, #func); \ + } \ + return _g_internal_##func argscall; \ + } +@@ -45,7 +54,6 @@ + return func argscall; \ + } + +-#include + + static void* handle; + static void* +@@ -57,8 +65,10 @@ _goboringcrypto_DLOPEN_OPENSSL(void) + } + #if OPENSSL_VERSION_NUMBER < 0x10100000L + handle = dlopen("libcrypto.so.10", RTLD_NOW | RTLD_GLOBAL); +-#else ++#elif OPENSSL_VERSION_NUMBER < 0x30000000L + handle = dlopen("libcrypto.so.1.1", RTLD_NOW | RTLD_GLOBAL); ++#else ++ handle = dlopen("libcrypto.so.3", RTLD_NOW | RTLD_GLOBAL); + #endif + return handle; + } +@@ -68,6 +78,10 @@ _goboringcrypto_DLOPEN_OPENSSL(void) + + DEFINEFUNCINTERNAL(int, OPENSSL_init, (void), ()) + ++static unsigned long _goboringcrypto_internal_OPENSSL_VERSION_NUMBER(void) { ++ return OPENSSL_VERSION_NUMBER; ++} ++ + static void + _goboringcrypto_OPENSSL_setup(void) { + _goboringcrypto_internal_OPENSSL_init(); +@@ -76,6 +90,9 @@ _goboringcrypto_OPENSSL_setup(void) { + #include + DEFINEFUNCINTERNAL(void, ERR_print_errors_fp, (FILE* fp), (fp)) + DEFINEFUNCINTERNAL(unsigned long, ERR_get_error, (void), ()) ++DEFINEFUNCINTERNAL(unsigned long, ERR_get_error_all, ++ (const char **file, int *line, const char **func, const char **data, int *flags), ++ (file, line, func, data, flags)) + DEFINEFUNCINTERNAL(void, ERR_error_string_n, (unsigned long e, unsigned char *buf, size_t len), (e, buf, len)) + + #include +@@ -112,8 +129,15 @@ _goboringcrypto_CRYPTO_set_locking_callback(void (*locking_function)(int mode, i + + int _goboringcrypto_OPENSSL_thread_setup(void); + ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + DEFINEFUNC(int, FIPS_mode, (void), ()) + DEFINEFUNC(int, FIPS_mode_set, (int r), (r)) ++#else ++DEFINEFUNC(int, EVP_default_properties_is_fips_enabled, (OSSL_LIB_CTX *libctx), (libctx)) ++static inline int _goboringcrypto_FIPS_mode(void) { ++ return _goboringcrypto_EVP_default_properties_is_fips_enabled(NULL); ++} ++#endif + + #include + +@@ -716,6 +741,7 @@ static inline int + _goboringcrypto_EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { + return _goboringcrypto_EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_TYPE_SIG, EVP_PKEY_CTRL_MD, 0, (void *)md); + } ++ + static inline int + _goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(GO_EVP_PKEY_CTX * ctx, const GO_EVP_MD *md) { + return _goboringcrypto_EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, +diff --git a/src/crypto/internal/boring/openssl_port_rsa.c b/src/crypto/internal/boring/openssl_port_rsa.c +index a8d047d..1936d5d 100644 +--- a/src/crypto/internal/boring/openssl_port_rsa.c ++++ b/src/crypto/internal/boring/openssl_port_rsa.c +@@ -83,34 +83,51 @@ int _goboringcrypto_RSA_sign_pss_mgf1(GO_RSA *rsa, unsigned int *out_len, uint8_ + return 0; + + if (_goboringcrypto_EVP_PKEY_set1_RSA(pkey, rsa) <= 0) +- return 0; ++ return -1; + + ctx = _goboringcrypto_EVP_PKEY_CTX_new(pkey, NULL /* no engine */); + if (!ctx) +- return 0; ++ return -2; + + int ret = 0; + +- if (_goboringcrypto_EVP_PKEY_sign_init(ctx) <= 0) +- goto err; +- if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PSS_PADDING) <= 0) ++ if (_goboringcrypto_EVP_PKEY_sign_init(ctx) <= 0) { ++ ret = -3; + goto err; +- if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, salt_len) <= 0) ++ } ++ // This is moved earlier because openssl 3.0 alpha defaults ++ // to sha1 in EVP_PKEY_CTRL_RSA_PADDING if unset and produces an error ++ if (_goboringcrypto_EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) { ++ ret = -4; + goto err; +- if (_goboringcrypto_EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) ++ } ++ if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PSS_PADDING) <= 0) { ++ ret = -5; + goto err; +- if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, mgf1_md) <= 0) ++ } ++ if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, salt_len) <= 0) { ++ ret = -6; + goto err; +- ++ } ++ // doesnt take null anymore ++ if (mgf1_md) ++ if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, mgf1_md) <= 0) { ++ ret = -7; ++ goto err; ++ } + /* Determine buffer length */ +- if (_goboringcrypto_EVP_PKEY_sign(ctx, NULL, &siglen, in, in_len) <= 0) ++ if (_goboringcrypto_EVP_PKEY_sign(ctx, NULL, &siglen, in, in_len) <= 0) { ++ ret = -8; + goto err; +- +- if (max_out < siglen) ++ } ++ if (max_out < siglen) { ++ ret = -9; + goto err; +- +- if (_goboringcrypto_EVP_PKEY_sign(ctx, out, &siglen, in, in_len) <= 0) ++ } ++ if (_goboringcrypto_EVP_PKEY_sign(ctx, out, &siglen, in, in_len) <= 0) { ++ ret = -10; + goto err; ++ } + + *out_len = siglen; + ret = 1; +@@ -130,27 +147,41 @@ int _goboringcrypto_RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg, unsigned i + + pkey = _goboringcrypto_EVP_PKEY_new(); + if (!pkey) +- return 0; ++ return -1; + + if (_goboringcrypto_EVP_PKEY_set1_RSA(pkey, rsa) <= 0) +- return 0; ++ return -2; + + ctx = _goboringcrypto_EVP_PKEY_CTX_new(pkey, NULL /* no engine */); + if (!ctx) +- return 0; ++ return -3; + +- if (_goboringcrypto_EVP_PKEY_verify_init(ctx) <= 0) +- goto err; +- if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PSS_PADDING) <= 0) ++ if (_goboringcrypto_EVP_PKEY_verify_init(ctx) <= 0) { ++ ret = -4; + goto err; +- if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, salt_len) <= 0) ++ } ++ if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PSS_PADDING) <= 0) { ++ ret = -5; + goto err; +- if (_goboringcrypto_EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) ++ } ++ if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, salt_len) <= 0) { ++ ret = -6; + goto err; +- if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, mgf1_md) <= 0) ++ } ++ if (_goboringcrypto_EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) { ++ ret = -7; + goto err; +- if (_goboringcrypto_EVP_PKEY_verify(ctx, sig, sig_len, msg, msg_len) <= 0) ++ } ++ // doesnt take null anymore ++ if (mgf1_md) ++ if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, mgf1_md) <= 0) { ++ ret = -8; ++ goto err; ++ } ++ if (_goboringcrypto_EVP_PKEY_verify(ctx, sig, sig_len, msg, msg_len) <= 0) { ++ ret = -9; + goto err; ++ } + + ret = 1; + +diff --git a/src/crypto/internal/boring/rand.go b/src/crypto/internal/boring/rand.go +index ff5c439..6047d65 100644 +--- a/src/crypto/internal/boring/rand.go ++++ b/src/crypto/internal/boring/rand.go +@@ -20,7 +20,7 @@ func (randReader) Read(b []byte) (int, error) { + // Note: RAND_bytes should never fail; the return value exists only for historical reasons. + // We check it even so. + if len(b) > 0 && C._goboringcrypto_RAND_bytes((*C.uint8_t)(unsafe.Pointer(&b[0])), C.size_t(len(b))) == 0 { +- return 0, fail("RAND_bytes") ++ return 0, NewOpenSSLError("RAND_bytes") + } + return len(b), nil + } +diff --git a/src/crypto/internal/boring/rsa.go b/src/crypto/internal/boring/rsa.go +index 2eefc27..668c12f 100644 +--- a/src/crypto/internal/boring/rsa.go ++++ b/src/crypto/internal/boring/rsa.go +@@ -141,7 +141,7 @@ func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int, + if withKey(func(key *C.GO_RSA) C.int { + return C._goboringcrypto_EVP_PKEY_set1_RSA(pkey, key) + }) == 0 { +- return nil, nil, fail("EVP_PKEY_set1_RSA") ++ return nil, nil, NewOpenSSLError("EVP_PKEY_set1_RSA") + } + ctx = C._goboringcrypto_EVP_PKEY_CTX_new(pkey, nil) + if ctx == nil { +@@ -164,7 +164,7 @@ func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int, + // ctx takes ownership of label, so malloc a copy for BoringCrypto to free. + clabel := (*C.uint8_t)(C.malloc(C.size_t(len(label)))) + if clabel == nil { +- return nil, nil, fail("OPENSSL_malloc") ++ return nil, nil, NewOpenSSLError("OPENSSL_malloc") + } + copy((*[1 << 30]byte)(unsafe.Pointer(clabel))[:len(label)], label) + if C._goboringcrypto_EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, clabel, C.int(len(label))) == 0 { +@@ -265,12 +265,13 @@ func SignRSAPSS(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, saltLen int) + } + var out []byte + var outLen C.uint +- if priv.withKey(func(key *C.GO_RSA) C.int { ++ result := priv.withKey(func(key *C.GO_RSA) C.int { + out = make([]byte, C._goboringcrypto_RSA_size(key)) + return C._goboringcrypto_RSA_sign_pss_mgf1(key, &outLen, base(out), C.uint(len(out)), + base(hashed), C.uint(len(hashed)), md, nil, C.int(saltLen)) +- }) == 0 { +- return nil, fail("RSA_sign_pss_mgf1") ++ }) ++ if result != 1 { ++ return nil, NewOpenSSLError("RSA_sign_pss_mgf1: returned " + strconv.Itoa(int(result))) + } + + return out[:outLen], nil +@@ -284,11 +285,12 @@ func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen + if saltLen == 0 { + saltLen = -2 // auto-recover + } +- if pub.withKey(func(key *C.GO_RSA) C.int { ++ result := pub.withKey(func(key *C.GO_RSA) C.int { + return C._goboringcrypto_RSA_verify_pss_mgf1(key, base(hashed), C.uint(len(hashed)), + md, nil, C.int(saltLen), base(sig), C.uint(len(sig))) +- }) == 0 { +- return fail("RSA_verify_pss_mgf1") ++ }) ++ if result != 1 { ++ return NewOpenSSLError("RSA_verify_pss_mgf1: returned " + strconv.Itoa(int(result))) + } + return nil + } +diff --git a/src/crypto/rsa/pkcs1v15.go b/src/crypto/rsa/pkcs1v15.go +index 2d425f9..ceb32d0 100644 +--- a/src/crypto/rsa/pkcs1v15.go ++++ b/src/crypto/rsa/pkcs1v15.go +@@ -102,7 +102,7 @@ func DecryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) ([]byt + } + out, err := boring.DecryptRSAPKCS1(bkey, ciphertext) + if err != nil { +- return nil, ErrDecryption ++ return nil, err + } + return out, nil + } +diff --git a/src/crypto/rsa/pkcs1v15_test.go b/src/crypto/rsa/pkcs1v15_test.go +index 3dd1ec9..60c769c 100644 +--- a/src/crypto/rsa/pkcs1v15_test.go ++++ b/src/crypto/rsa/pkcs1v15_test.go +@@ -9,7 +9,6 @@ import ( + "crypto" + "crypto/internal/boring" + "crypto/rand" +- "crypto/sha1" + "crypto/sha256" + "encoding/base64" + "encoding/hex" +@@ -32,22 +31,22 @@ type DecryptPKCS1v15Test struct { + in, out string + } + +-// These test vectors were generated with `openssl rsautl -pkcs -encrypt` ++// Test vectors for testRSA2048PrivateKey + var decryptPKCS1v15Tests = []DecryptPKCS1v15Test{ + { +- "gIcUIoVkD6ATMBk/u/nlCZCCWRKdkfjCgFdo35VpRXLduiKXhNz1XupLLzTXAybEq15juc+EgY5o0DHv/nt3yg==", ++ "Ppg5lRhQZ8zLMgU8jFWURwm+Oj3t1+9x8qIDZwWMlP6O1QVO4xXxHdheVnLRa0Iq+L5HTgjk/PNNkSLIMD11ERxbMD5NtXoj64qaQDkyIBXaN0FNc5Nga/Lbb+vXVYSJ5F4KIOUYaOwzgNSCMensYNz5/7TloMy2Zoqa6vsWzcU+ujfyFaNjJXC26ZM0zv/4v9Aqqb/WIsLjEgdVvplqL1jwbI8Vv/MLEpQRay3S2RHoS9PIcvGKe3Ze0nOE8rAPiRQKfAsX+zlMkw1+LDttb5Dg/vM4lGF6jTg/nmfgCb6gjWE+QpapLKuZIN3WOwG/zslKeROErPn71xAlVeHI1Q==", + "x", + }, + { +- "Y7TOCSqofGhkRb+jaVRLzK8xw2cSo1IVES19utzv6hwvx+M8kFsoWQm5DzBeJCZTCVDPkTpavUuEbgp8hnUGDw==", ++ "kjtn1z9R67b0t7RydEoXeK9GC9wWt1J47i+14alOLCuWr9aqnJxYJS+jr2Z3/TWf4qqTiEujIP5bzvM8vnU2cnJqOGUqoH5xH1+8gq9aD0RbVY0auvUxPUKI3foLoMlp6M1fTSJGiuD9DASp7BZfiMvsU1kKPrLlHpu4azOKbAfIojyyt64Dl3cIpha8FBakym1SRM2iJKKBVae3Reu58uGX9lHroJAWiIdDT4VDIGXQv9dvsViPn4hvWKls5xYtf3V5GPHyvrptsLYcqBOUXM1Wnu2SpZxKRuyz9tWA3w377XNByDMchLJeC4qxdA6ayo53ckXr0no0fU0JrRHkdg==", + "testing.", + }, + { +- "arReP9DJtEVyV2Dg3dDp4c/PSk1O6lxkoJ8HcFupoRorBZG+7+1fDAwT1olNddFnQMjmkb8vxwmNMoTAT/BFjQ==", ++ "gljV2jJNON8RwzgVezwG/ddFWPSpGHgnUgEot42vU7Kow5TMvd43f9QAJsPQd0ocT9YIp/3km+2CSWWr+5E3fWW0p2cQBxUfnsJFsNKPvQt6Ct7Bn8HzkhxLJuvIShFzQlBuph4hBuN33dWhAFFDESsZnPvU6EFJlmTHrmqY+H9cdECU4hXQ1R7Z+lHlvT8RxDNBu1fdAarRXcKrw9EeN2ZwSvVx62aXnAcAQQkijmOn9dkObgqeii/wHPI28SR/Aa/hTw1XE5DoZmDBCx6EFJ4hcY7MKAX0iSQiaxinM+IxkqiCftOnvYv737cD/vKG6llhGCCDx0Et5xYu2JWakw==", + "testing.\n", + }, + { +- "WtaBXIoGC54+vH0NH0CHHE+dRDOsMc/6BrfFu2lEqcKL9+uDuWaf+Xj9mrbQCjjZcpQuX733zyok/jsnqe/Ftw==", ++ "iJiYwVBtLhZBmYngT5u+YR5+raI33OvpShPR9arl4zSss+eK5krMANZUTrRCsw8Tho6kpyDgVohfH5V/8zX4Rtslak1peZdvnmcEkJCFk0FpnlcALRBGTCXUJEwxlSgaTz00awCjkfLzMYNCwTAlEP9QxUX2kSIABKSUw4ARwZ5jQTGCdJNl696Q/cF1JjEqsjpPbjn4UYkV3gNl0xXPiTVgfNJKZir1caEGOKfOsfbTFixvA5oANgRySxwZfoj/6dW9xIVgcq/ssmkTl8TnTKQTY0dRTNWs8+HuQxp2I4MSmAun6LYdr8pom1IazJtp1BEaSDZ+thRIQ/oMsYDJXQ==", + "01234567890123456789012345678901234567890123456789012", + }, + } +@@ -55,10 +54,10 @@ var decryptPKCS1v15Tests = []DecryptPKCS1v15Test{ + func TestDecryptPKCS1v15(t *testing.T) { + decryptionFuncs := []func([]byte) ([]byte, error){ + func(ciphertext []byte) (plaintext []byte, err error) { +- return DecryptPKCS1v15(nil, rsaPrivateKey, ciphertext) ++ return DecryptPKCS1v15(nil, testRSA2048PrivateKey, ciphertext) + }, + func(ciphertext []byte) (plaintext []byte, err error) { +- return rsaPrivateKey.Decrypt(nil, ciphertext, nil) ++ return testRSA2048PrivateKey.Decrypt(nil, ciphertext, nil) + }, + } + +@@ -78,14 +77,14 @@ func TestDecryptPKCS1v15(t *testing.T) { + + func TestEncryptPKCS1v15(t *testing.T) { + random := rand.Reader +- k := (rsaPrivateKey.N.BitLen() + 7) / 8 ++ k := (testRSA2048PrivateKey.N.BitLen() + 7) / 8 + + tryEncryptDecrypt := func(in []byte, blind bool) bool { + if len(in) > k-11 { + in = in[0 : k-11] + } + +- ciphertext, err := EncryptPKCS1v15(random, &rsaPrivateKey.PublicKey, in) ++ ciphertext, err := EncryptPKCS1v15(random, &testRSA2048PrivateKey.PublicKey, in) + if err != nil { + t.Errorf("error encrypting: %s", err) + return false +@@ -97,7 +96,7 @@ func TestEncryptPKCS1v15(t *testing.T) { + } else { + rand = random + } +- plaintext, err := DecryptPKCS1v15(rand, rsaPrivateKey, ciphertext) ++ plaintext, err := DecryptPKCS1v15(rand, testRSA2048PrivateKey, ciphertext) + if err != nil { + t.Errorf("error decrypting: %s", err) + return false +@@ -117,22 +116,22 @@ func TestEncryptPKCS1v15(t *testing.T) { + quick.Check(tryEncryptDecrypt, config) + } + +-// These test vectors were generated with `openssl rsautl -pkcs -encrypt` ++// Test vectors for testRSA2048PrivateKey + var decryptPKCS1v15SessionKeyTests = []DecryptPKCS1v15Test{ + { +- "e6ukkae6Gykq0fKzYwULpZehX+UPXYzMoB5mHQUDEiclRbOTqas4Y0E6nwns1BBpdvEJcilhl5zsox/6DtGsYg==", ++ "cSBy/rsocfCY2L/WDP7+oyI/uk0qf3BuJvWo1VwV/DG9XLuu7J1Gb2e7hYl3kmdf6rSnoqDuVE3viOsGeq1OsW9w0uw08syTwdOp34z90qxlrrKsGjjz9XIgErqwlWvfQ5KQQb8KA29Ub7q0sqQMMQD75bUxN3P4GhtOG6kNVY33QoCIVR65vHLcqe3SlrxAfYzlOjMNwdPsNP1GGVyAZpccxOiBJSUrssAFvRJ3g62wj2xrrtneRztmOGOy8ZSiEjGNjJ4/lmJXt2GyPXapTTKeHFbyqh5Xu8PNgMxaCgtWgMqnK6CPbJOGgski9axyaxPzjKEjUcs99dJ1mTT+qw==", + "1234", + }, + { +- "Dtis4uk/q/LQGGqGk97P59K03hkCIVFMEFZRgVWOAAhxgYpCRG0MX2adptt92l67IqMki6iVQyyt0TtX3IdtEw==", ++ "lcsS8tzZSJSiaaOSQSO4pT3Je5vvrNfAVUy3Axojr4uRreMuLRTIOOmEYRM/JcWakpJelPd+EHG/aXxId8aCoBg1MkH5q8AHW3zUARhlOd91rpASVs03v5wuk0jtiQiqr0HLNyxifSEzj04VPklc6n00yuHbI+DNTATTVkxj3a5hgOECqKi2matXGcJ5FtMEPAi2V+36y2dQ+DA/tgQrhlZ4ycA2FJnjvOHRJbC6QwNzPkzbjTlCqNzq92nwWKDypVJ29CrIQ2HYXG63DOuT96gIa08hyeZEeIrAUjtb9DK1TSEF/9BDASffHevW3/CqfpRYnFSNOj2xli3wBn1Dvg==", + "FAIL", + }, + { +- "LIyFyCYCptPxrvTxpol8F3M7ZivlMsf53zs0vHRAv+rDIh2YsHS69ePMoPMe3TkOMZ3NupiL3takPxIs1sK+dw==", ++ "Bsrz5yYuevhqx1Pxx4zEsegU2aVBZ2h9ebtAgQkq3N/og0t+8O92XpPBoNH/HT2jHclh01aij1niCqdBn2/6GBN4irnVjrWQkoAV2Q5Q+gVS0ZYeTzeX/15M/iq9xeLjBPXqj5PmNYh+vbL05FyPB+CcY8MPyv7HmtDsAWRVDxQVWy6y4lmC1/VwnG5jtmAbapE+Vyty0iVb9/Q6UaaV7DVKVssEDmwnychibJ4ACcTQ18kLkB1AE73dXp1B/XHh6ExbHXoaPeaRYr2gEI0No6VBTrMrG5eVz3dub/a5MVeat9n/oU2QQ3s/Pm0FlF9n2mwgvKm/4nLjwjiTFt3ToQ==", + "abcd", + }, + { +- "bafnobel46bKy76JzqU/RIVOH0uAYvzUtauKmIidKgM0sMlvobYVAVQPeUQ/oTGjbIZ1v/6Gyi5AO4DtHruGdw==", ++ "FKynVeuuoYxonMoXWwIw3mY7KTV3yS3fe2D+h5v6FXs/0xb5PeINCEq0+Ub5LFAZcx/lIbnt4bkLZcaKDxLpBCxpvpZNdgGxP970BvE5xmOuagF47VaqCciiERTTztRjwKTu0PZ5VtcpsxiSN4axlC1NOpJnIpDsNOWUaf5G6fCCEdfZWwgxaHLbxSAy+IdUHBH+honCPPZAyGyhERdcDRGJ8a6R20MFXC18e8asHtF5VWaicaYe0fy1Mrii46WqFY8hwoSrbHOGEQkjRymM/IQvXFdxQ1vtzAFavUsr5taiVe84DvcFJ5eRZ2jpVQTdO4gBy6RyD64iNSrv8a5dqA==", + "FAIL", + }, + } +@@ -140,7 +139,7 @@ var decryptPKCS1v15SessionKeyTests = []DecryptPKCS1v15Test{ + func TestEncryptPKCS1v15SessionKey(t *testing.T) { + for i, test := range decryptPKCS1v15SessionKeyTests { + key := []byte("FAIL") +- err := DecryptPKCS1v15SessionKey(nil, rsaPrivateKey, decodeBase64(test.in), key) ++ err := DecryptPKCS1v15SessionKey(nil, testRSA2048PrivateKey, decodeBase64(test.in), key) + if err != nil { + t.Errorf("#%d error decrypting", i) + } +@@ -153,7 +152,7 @@ func TestEncryptPKCS1v15SessionKey(t *testing.T) { + + func TestEncryptPKCS1v15DecrypterSessionKey(t *testing.T) { + for i, test := range decryptPKCS1v15SessionKeyTests { +- plaintext, err := rsaPrivateKey.Decrypt(rand.Reader, decodeBase64(test.in), &PKCS1v15DecryptOptions{SessionKeyLen: 4}) ++ plaintext, err := testRSA2048PrivateKey.Decrypt(rand.Reader, decodeBase64(test.in), &PKCS1v15DecryptOptions{SessionKeyLen: 4}) + if err != nil { + t.Fatalf("#%d: error decrypting: %s", i, err) + } +@@ -187,19 +186,19 @@ type signPKCS1v15Test struct { + in, out string + } + +-// These vectors have been tested with +-// `openssl rsautl -verify -inkey pk -in signature | hexdump -C` +-var signPKCS1v15Tests = []signPKCS1v15Test{ +- {"Test.\n", "a4f3fa6ea93bcdd0c57be020c1193ecbfd6f200a3d95c409769b029578fa0e336ad9a347600e40d3ae823b8c7e6bad88cc07c1d54c3a1523cbbb6d58efc362ae"}, ++// Test vector for testRSA2048PrivateKey ++// generated with `openssl pkeyutl -rawin -digest sha256 -sign -inkey ` ++ var signPKCS1v15Tests = []signPKCS1v15Test{ ++ {"Test.\n", "467c3c8f16223ba09aecfe44488d6b34b3f91f11379949b1d8af31636ee8b3aa51eebb96ee11678323cb1f909af17c9d0fe4b6012078af8120474474efd1bb51765e1647369ddba6525c6608113857bb0e2aaed9ad01fe041b476b162f7d4db55bb31fa957046616ce463cecb2a66f38fa62c594d07afcc870582d545853b31fa705ab8565e4085804c32e73459720bf4e08f097843b0845116d4376231fa2472abc89b1e42462002bf70f9a1df31db6d2ab6dc52c8223798a4f57c40d6a9123b80739846d779044eac28d8c783e8ce73919f1d4a6efe8fb601b8d36c5c9b61654d6f8717d1fb9fcafa19669200900899dd08ce921a1745312eb06040a405903"}, + } + + func TestSignPKCS1v15(t *testing.T) { + for i, test := range signPKCS1v15Tests { +- h := sha1.New() ++ h := sha256.New() + h.Write([]byte(test.in)) + digest := h.Sum(nil) + +- s, err := SignPKCS1v15(nil, rsaPrivateKey, crypto.SHA1, digest) ++ s, err := SignPKCS1v15(nil, testRSA2048PrivateKey, crypto.SHA256, digest) + if err != nil { + t.Errorf("#%d %s", i, err) + } +@@ -213,13 +212,13 @@ func TestSignPKCS1v15(t *testing.T) { + + func TestVerifyPKCS1v15(t *testing.T) { + for i, test := range signPKCS1v15Tests { +- h := sha1.New() ++ h := sha256.New() + h.Write([]byte(test.in)) + digest := h.Sum(nil) + + sig, _ := hex.DecodeString(test.out) + +- err := VerifyPKCS1v15(&rsaPrivateKey.PublicKey, crypto.SHA1, digest, sig) ++ err := VerifyPKCS1v15(&testRSA2048PrivateKey.PublicKey, crypto.SHA256, digest, sig) + if err != nil { + t.Errorf("#%d %s", i, err) + } +@@ -230,7 +229,7 @@ func TestHashVerifyPKCS1v15(t *testing.T) { + for i, test := range signPKCS1v15Tests { + sig, _ := hex.DecodeString(test.out) + +- err := HashVerifyPKCS1v15(&rsaPrivateKey.PublicKey, crypto.SHA1, []byte(test.in), sig) ++ err := HashVerifyPKCS1v15(&testRSA2048PrivateKey.PublicKey, crypto.SHA256, []byte(test.in), sig) + if err != nil { + t.Errorf("#%d %s", i, err) + } +@@ -273,19 +272,47 @@ func TestUnpaddedSignature(t *testing.T) { + func TestShortSessionKey(t *testing.T) { + // This tests that attempting to decrypt a session key where the + // ciphertext is too small doesn't run outside the array bounds. +- ciphertext, err := EncryptPKCS1v15(rand.Reader, &rsaPrivateKey.PublicKey, []byte{1}) +- if err != nil { +- t.Fatalf("Failed to encrypt short message: %s", err) ++ var keys []*PrivateKey ++ if boring.Enabled() { ++ keys = GenerateTestPrivateKeys() ++ } else { ++ keys = []*PrivateKey{rsaPrivateKey} + } + +- var key [32]byte +- if err := DecryptPKCS1v15SessionKey(nil, rsaPrivateKey, ciphertext, key[:]); err != nil { +- t.Fatalf("Failed to decrypt short message: %s", err) +- } ++ for i, k := range keys { ++ ++ if k.Size() >= 256 || !boring.Enabled() { ++ ciphertext, err := EncryptPKCS1v15(rand.Reader, &k.PublicKey, []byte{1}) ++ if err != nil { ++ t.Fatalf("Failed to encrypt short message: key: %v, %s", i, err) ++ continue ++ } ++ ++ var key [32]byte ++ if err := DecryptPKCS1v15SessionKey(nil, k, ciphertext, key[:]); err != nil { ++ t.Fatalf("Failed to decrypt short message: key: %v, %s", i, err) ++ continue ++ } ++ ++ for _, v := range key { ++ if v != 0 { ++ t.Fatal("key was modified when ciphertext was invalid") ++ } ++ } ++ } else { ++ ciphertext, err := EncryptPKCS1v15(rand.Reader, &k.PublicKey, []byte{1}) ++ if err == nil { ++ t.Errorf("EncryptPKCS1v15: Should reject key smaller than 2048 bits") ++ } else { ++ continue ++ } ++ ++ var key [32]byte ++ err = DecryptPKCS1v15SessionKey(nil, k, ciphertext, key[:]); ++ if err != nil { ++ t.Errorf("DecryptPKCS1v15SessionKey: Should reject key smaller than 2048 bits") ++ } + +- for _, v := range key { +- if v != 0 { +- t.Fatal("key was modified when ciphertext was invalid") + } + } + } +@@ -313,6 +340,28 @@ var rsaPrivateKey = &PrivateKey{ + }, + } + ++func generateKey(size int) *PrivateKey { ++ result, err := GenerateKey(rand.Reader, size) ++ if err != nil { ++ panic("could not generate key") ++ } ++ return result ++} ++ ++func GenerateTestPrivateKeys() []*PrivateKey { ++ ++ keys := []*PrivateKey{ ++ generateKey(128), ++ generateKey(256), ++ generateKey(768), ++ generateKey(1024), ++ generateKey(2048), ++ generateKey(3072), ++ generateKey(4096), ++ } ++ return keys ++} ++ + func TestShortPKCS1v15Signature(t *testing.T) { + pub := &PublicKey{ + E: 65537, +diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go +index 497dd62..d83e7e0 100644 +--- a/src/crypto/rsa/pss_test.go ++++ b/src/crypto/rsa/pss_test.go +@@ -10,6 +10,7 @@ import ( + "compress/bzip2" + "crypto" + "crypto/rand" ++ "crypto/boring" + "crypto/sha1" + _ "crypto/sha256" + "encoding/hex" +@@ -131,7 +132,6 @@ func TestPSSGolden(t *testing.T) { + opts := &PSSOptions{ + SaltLength: PSSSaltLengthEqualsHash, + } +- + for marker := range values { + switch marker { + case newKeyMarker: +@@ -173,18 +173,13 @@ func TestPSSOpenSSL(t *testing.T) { + h.Write(hashed) + hashed = h.Sum(nil) + ++ // Test vector for testRSA2048PrivateKey + // Generated with `echo -n testing | openssl dgst -sign key.pem -sigopt rsa_padding_mode:pss -sha256 > sig` + sig := []byte{ +- 0x95, 0x59, 0x6f, 0xd3, 0x10, 0xa2, 0xe7, 0xa2, 0x92, 0x9d, +- 0x4a, 0x07, 0x2e, 0x2b, 0x27, 0xcc, 0x06, 0xc2, 0x87, 0x2c, +- 0x52, 0xf0, 0x4a, 0xcc, 0x05, 0x94, 0xf2, 0xc3, 0x2e, 0x20, +- 0xd7, 0x3e, 0x66, 0x62, 0xb5, 0x95, 0x2b, 0xa3, 0x93, 0x9a, +- 0x66, 0x64, 0x25, 0xe0, 0x74, 0x66, 0x8c, 0x3e, 0x92, 0xeb, +- 0xc6, 0xe6, 0xc0, 0x44, 0xf3, 0xb4, 0xb4, 0x2e, 0x8c, 0x66, +- 0x0a, 0x37, 0x9c, 0x69, ++ 0x50, 0x97, 0xc1, 0xe2, 0x7c, 0x67, 0x99, 0x50, 0xdc, 0x5a, 0x43, 0xc6, 0xc6, 0xf2, 0xf1, 0xff, 0xcd, 0xe7, 0x66, 0xef, 0x61, 0x41, 0x5f, 0x49, 0x4f, 0xf0, 0x11, 0xfc, 0x3d, 0xa8, 0xf9, 0x3c, 0x3a, 0x8a, 0x71, 0x5c, 0xfa, 0xbc, 0x48, 0x73, 0x37, 0xec, 0x68, 0x6d, 0x6c, 0xca, 0xe, 0x30, 0x74, 0xe1, 0xbd, 0x88, 0xb6, 0x42, 0x92, 0x8d, 0x41, 0x5f, 0x7, 0x80, 0xc5, 0xef, 0xa3, 0x2e, 0x68, 0x47, 0x83, 0xb4, 0x96, 0x4c, 0x53, 0x61, 0x2c, 0xe8, 0xb8, 0x3, 0xae, 0x44, 0x5e, 0xb3, 0x44, 0x10, 0x58, 0xfd, 0x68, 0x9c, 0x33, 0xac, 0x63, 0xfe, 0x9d, 0x84, 0xab, 0x45, 0x70, 0x54, 0xc5, 0x90, 0x1e, 0x80, 0xd4, 0x31, 0x16, 0x15, 0x4b, 0x60, 0x13, 0x24, 0xa, 0xa8, 0xbc, 0xe5, 0xeb, 0xf8, 0x7d, 0x32, 0xd9, 0xcd, 0x8b, 0xef, 0x55, 0x60, 0x1, 0xa6, 0x99, 0xa2, 0xde, 0xb0, 0x68, 0xc1, 0x64, 0x8b, 0x6, 0xe6, 0x75, 0xcf, 0x2d, 0x7a, 0x8b, 0xd6, 0xa3, 0x99, 0xf1, 0xc9, 0xaf, 0x9a, 0x81, 0xe4, 0xac, 0x2e, 0x17, 0x8c, 0x49, 0xfc, 0x12, 0x79, 0xfb, 0x4a, 0xba, 0x68, 0xd8, 0xdb, 0x43, 0x6c, 0x15, 0xaf, 0xa4, 0x16, 0x2f, 0xc9, 0x1e, 0xbe, 0xef, 0xb3, 0x35, 0x14, 0x2f, 0x35, 0x41, 0x10, 0xf8, 0x32, 0xf8, 0x0, 0x5c, 0xbf, 0x77, 0xa, 0xbb, 0x77, 0x49, 0x47, 0x54, 0x7a, 0x58, 0xfd, 0xb3, 0x2c, 0x46, 0xa0, 0x5c, 0x3, 0x7a, 0xf7, 0xab, 0x77, 0xdb, 0xca, 0x9a, 0x38, 0x89, 0xb, 0x3e, 0xb0, 0x13, 0xe8, 0x16, 0xc0, 0xca, 0x29, 0xbb, 0x4a, 0x97, 0x46, 0x53, 0x59, 0x66, 0x81, 0x84, 0x6d, 0xe5, 0xda, 0x26, 0xc9, 0x83, 0xfc, 0x67, 0xd0, 0x96, 0x72, 0x81, 0x1c, 0xe0, 0x4, 0xb7, 0x0, 0xca, 0xe0, 0x4a, 0x51, 0x4e, 0x83, 0xc8, 0xeb, 0xf7, 0x6d, + } + +- if err := VerifyPSS(&rsaPrivateKey.PublicKey, hash, hashed, sig, nil); err != nil { ++ if err := VerifyPSS(&testRSA2048PrivateKey.PublicKey, hash, hashed, sig, nil); err != nil { + t.Error(err) + } + } +@@ -211,24 +206,47 @@ func TestPSSSigning(t *testing.T) { + {8, 8, true}, + } + ++ var opts PSSOptions + hash := crypto.SHA1 ++ keys := []*PrivateKey{rsaPrivateKey} ++ if boring.Enabled() { ++ hash = crypto.SHA256 ++ keys = GenerateTestPrivateKeys() ++ } + h := hash.New() + h.Write([]byte("testing")) + hashed := h.Sum(nil) +- var opts PSSOptions + +- for i, test := range saltLengthCombinations { +- opts.SaltLength = test.signSaltLength +- sig, err := SignPSS(rand.Reader, rsaPrivateKey, hash, hashed, &opts) +- if err != nil { +- t.Errorf("#%d: error while signing: %s", i, err) +- continue +- } ++ for _, key := range keys { ++ if !boring.Enabled() || key.Size() >= 256 { ++ for i, test := range saltLengthCombinations { ++ opts.SaltLength = test.signSaltLength ++ sig, err := SignPSS(rand.Reader, key, hash, hashed, &opts) ++ if err != nil { ++ t.Errorf("#%d: ALG: %v, error while signing: %s", i, hash, err) ++ continue ++ } ++ opts.SaltLength = test.verifySaltLength ++ err = VerifyPSS(&key.PublicKey, hash, hashed, sig, &opts) ++ if (err == nil) != test.good { ++ t.Errorf("#%d: bad result, wanted: %t, got: %s", i, test.good, err) ++ } ++ } ++ } else { ++ for _, test := range saltLengthCombinations { ++ opts.SaltLength = test.signSaltLength ++ sig, err := SignPSS(rand.Reader, key, hash, hashed, &opts) ++ if err == nil { ++ t.Errorf("SignPSS should reject key of size: %v\n%v", key.Size() * 8, err) ++ continue ++ } ++ opts.SaltLength = test.verifySaltLength ++ err = VerifyPSS(&key.PublicKey, hash, hashed, sig, &opts) ++ if (err == nil) { ++ t.Errorf("VerifyPSS should reject key of size: %v\n%v", key.Size() * 8, err) ++ } ++ } + +- opts.SaltLength = test.verifySaltLength +- err = VerifyPSS(&rsaPrivateKey.PublicKey, hash, hashed, sig, &opts) +- if (err == nil) != test.good { +- t.Errorf("#%d: bad result, wanted: %t, got: %s", i, test.good, err) + } + } + } +diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go +index d9693a7..cfe020e 100644 +--- a/src/crypto/rsa/rsa_test.go ++++ b/src/crypto/rsa/rsa_test.go +@@ -13,6 +13,7 @@ import ( + "fmt" + "math/big" + "testing" ++ + ) + + import "crypto/internal/boring" +@@ -34,34 +35,42 @@ func TestKeyGeneration(t *testing.T) { + } + + func Test3PrimeKeyGeneration(t *testing.T) { +- size := 768 ++ var sizes []int + if testing.Short() { +- size = 256 ++ sizes = []int{256} ++ } else { ++ sizes = []int{128, 768, 1024, 2048, 3072} + } ++ for _, size := range sizes { + +- priv, err := GenerateMultiPrimeKey(rand.Reader, 3, size) +- if err != nil { +- t.Errorf("failed to generate key") ++ priv, err := GenerateMultiPrimeKey(rand.Reader, 3, size) ++ if err != nil { ++ t.Errorf("failed to generate key") ++ } ++ testKeyBasics(t, priv) + } +- testKeyBasics(t, priv) + } + + func Test4PrimeKeyGeneration(t *testing.T) { +- size := 768 ++ var sizes []int + if testing.Short() { +- size = 256 ++ sizes = []int{256} ++ } else { ++ sizes = []int{128, 768, 1024, 2048, 3072} + } ++ for _, size := range sizes { + +- priv, err := GenerateMultiPrimeKey(rand.Reader, 4, size) +- if err != nil { +- t.Errorf("failed to generate key") ++ priv, err := GenerateMultiPrimeKey(rand.Reader, 4, size) ++ if err != nil { ++ t.Errorf("failed to generate key") ++ } ++ testKeyBasics(t, priv) + } +- testKeyBasics(t, priv) + } + + func TestNPrimeKeyGeneration(t *testing.T) { + primeSize := 64 +- maxN := 24 ++ maxN := 32 + if testing.Short() { + primeSize = 16 + maxN = 16 +@@ -117,18 +126,32 @@ func testKeyBasics(t *testing.T, priv *PrivateKey) { + if boring.Enabled() { + // Cannot call encrypt/decrypt directly. Test via PKCS1v15. + msg := []byte("hi!") +- enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg) +- if err != nil { +- t.Errorf("EncryptPKCS1v15: %v", err) +- return +- } +- dec, err := DecryptPKCS1v15(rand.Reader, priv, enc) +- if err != nil { +- t.Errorf("DecryptPKCS1v15: %v", err) +- return +- } +- if !bytes.Equal(dec, msg) { +- t.Errorf("got:%x want:%x (%+v)", dec, msg, priv) ++ // Should not accept keys smaller than 2048 bits (256 bytes) ++ if priv.Size() >= 256 { ++ enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg) ++ if err != nil { ++ t.Errorf("EncryptPKCS1v15: %v", err) ++ return ++ } ++ dec, err := DecryptPKCS1v15(rand.Reader, priv, enc) ++ if err != nil { ++ t.Errorf("DecryptPKCS1v15: %v", err) ++ return ++ } ++ if !bytes.Equal(dec, msg) { ++ t.Errorf("got:%x want:%x (%+v)", dec, msg, priv) ++ } ++ } else { ++ enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg) ++ if err == nil { ++ t.Errorf("EncryptPKCS1v15: Should not accept key of size %v", priv.Size() * 8) ++ return ++ } ++ _ , err = DecryptPKCS1v15(rand.Reader, priv, enc) ++ if err == nil { ++ t.Errorf("DecryptPKCS1v15: Should not accept key of size %v", priv.Size() * 8) ++ return ++ } + } + return + } +@@ -164,6 +187,7 @@ func fromBase10(base10 string) *big.Int { + } + + var test2048Key *PrivateKey ++var testRSA2048PrivateKey *PrivateKey + + func init() { + test2048Key = &PrivateKey{ +@@ -178,6 +202,21 @@ func init() { + }, + } + test2048Key.Precompute() ++ // This is the same testRSA2048PrivateKey from src/crypto/tls/boring_test.go, ++ // just formatted without using the x509 Parser ++ testRSA2048PrivateKey = &PrivateKey { ++ PublicKey: PublicKey{ ++ N: fromBase10("20191212046465051006148469115982609963794084216822290493008497548603282433337961188011759317867632936762484431807200684727542982286641865915343951546098189846608892055894575224375729344858650310374442622904229900868894242623139807621975608166515302294530216022389036816474348374698399654955992710180316983674809047409565569027596663420090767109285120403886497729233127551307356270679924351259776100107640885071765865832767303853854517356000385050677175012549806941229051812974721510192346810990827150439838227830352248569839727388943852973737249863837089274675024496841834194785931485429238306703429257731792443735979"), ++ E: 65537, ++ }, ++ D: fromBase10("17880854551669112566868255345124108779447961606053558991611260520405836487267781427740459393783689829925402008838157275130340717548134956040019107677074732476577915942750039777107871579671122369249613210066309031335411813988461299033587444447689322284662780986426216011635232478916424602504476935371549462113036228740820951710434375466081011497256196435741125837599218374223248197677547321257961509961401385322723627033844333644253777689603896264679633990939957571483400832267925506777396569554295752505112186882586887396943424085633026984063372469902814987050483471096892524886948283571883744403645335501920852525393"), ++ Primes: []*big.Int{ ++ fromBase10("135564917074042739008372452399559667250812269638554028593490636590148234941034106656615266472037321030780472224077878987192393666277731486488609490961161995141171813440923127505183021899359310251888145112092740773465142711876177808655062479870526201006500762429604105802612357839979630776094264195301632424911"), ++ fromBase10("148941278335581696308445609123523329975323575697232717856977715718810138995490768513650108277383732380774181214791356462453504708304090734692215322335879527529217737837271384209093576836051031684425884921572908683147368296418243939771852059523598364231128661438022752350148969064661946939745752818523498309989"), ++ }, ++ } ++ testRSA2048PrivateKey.Precompute() ++ + } + + func BenchmarkRSA2048Decrypt(b *testing.B) { +@@ -317,6 +356,11 @@ func TestEncryptDecryptOAEP(t *testing.T) { + priv.PublicKey = PublicKey{N: n, E: test.e} + priv.D = d + ++ if boring.Enabled() && priv.PublicKey.Size() < 256 { ++ t.Logf("skipping check for unsupported key less than 2048 bits") ++ continue; ++ } ++ t.Logf("running check for supported key size") + for j, message := range test.msgs { + label := []byte(fmt.Sprintf("hi#%d", j)) + enc, err := EncryptOAEP(sha256, rand.Reader, &priv.PublicKey, message.in, label) +diff --git a/src/crypto/tls/boring_test.go b/src/crypto/tls/boring_test.go +index 5485080..575b99f 100644 +--- a/src/crypto/tls/boring_test.go ++++ b/src/crypto/tls/boring_test.go +@@ -26,7 +26,7 @@ import ( + func TestBoringServerProtocolVersion(t *testing.T) { + test := func(name string, v uint16, msg string) { + t.Run(name, func(t *testing.T) { +- serverConfig := testConfig.Clone() ++ serverConfig := testConfigTemplate() + serverConfig.MinVersion = VersionSSL30 + clientHello := &clientHelloMsg{ + vers: v, +@@ -108,7 +108,7 @@ func isBoringSignatureScheme(alg SignatureScheme) bool { + } + + func TestBoringServerCipherSuites(t *testing.T) { +- serverConfig := testConfig.Clone() ++ serverConfig := testConfigTemplate() + serverConfig.CipherSuites = allCipherSuites() + serverConfig.Certificates = make([]Certificate, 1) + +@@ -148,7 +148,7 @@ func TestBoringServerCipherSuites(t *testing.T) { + } + + func TestBoringServerCurves(t *testing.T) { +- serverConfig := testConfig.Clone() ++ serverConfig := testConfigTemplate() + serverConfig.Certificates = make([]Certificate, 1) + serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate} + serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey +@@ -203,7 +203,7 @@ func TestBoringServerSignatureAndHash(t *testing.T) { + + for _, sigHash := range defaultSupportedSignatureAlgorithms { + t.Run(fmt.Sprintf("%#x", sigHash), func(t *testing.T) { +- serverConfig := testConfig.Clone() ++ serverConfig := testConfigTemplate() + serverConfig.Certificates = make([]Certificate, 1) + + testingOnlyForceClientHelloSignatureAlgorithms = []SignatureScheme{sigHash} +@@ -262,7 +262,7 @@ func TestBoringClientHello(t *testing.T) { + defer c.Close() + defer s.Close() + +- clientConfig := testConfig.Clone() ++ clientConfig := testConfigTemplate() + // All sorts of traps for the client to avoid. + clientConfig.MinVersion = VersionSSL30 + clientConfig.MaxVersion = VersionTLS13 +@@ -336,12 +336,12 @@ func TestBoringCertAlgs(t *testing.T) { + + // client verifying server cert + testServerCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) { +- clientConfig := testConfig.Clone() ++ clientConfig := testConfigTemplate() + clientConfig.RootCAs = pool + clientConfig.InsecureSkipVerify = false + clientConfig.ServerName = "example.com" + +- serverConfig := testConfig.Clone() ++ serverConfig := testConfigTemplate() + serverConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}} + serverConfig.BuildNameToCertificate() + +@@ -364,11 +364,11 @@ func TestBoringCertAlgs(t *testing.T) { + + // server verifying client cert + testClientCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) { +- clientConfig := testConfig.Clone() ++ clientConfig := testConfigTemplate() + clientConfig.ServerName = "example.com" + clientConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}} + +- serverConfig := testConfig.Clone() ++ serverConfig := testConfigTemplate() + serverConfig.ClientCAs = pool + serverConfig.ClientAuth = RequireAndVerifyClientCert + +@@ -393,8 +393,13 @@ func TestBoringCertAlgs(t *testing.T) { + // exhaustive test with computed answers. + r1pool := x509.NewCertPool() + r1pool.AddCert(R1.cert) +- testServerCert(t, "basic", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, true) +- testClientCert(t, "basic (client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, true) ++ // openssl 3 FIPS provider fails these now without fipstls.Force() ++ shouldPass := true ++ if boring.Enabled() { ++ shouldPass = false ++ } ++ testClientCert(t, "basic (client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, shouldPass) ++ testClientCert(t, "basic (client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, shouldPass) + fipstls.Force() + testServerCert(t, "basic (fips)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false) + testClientCert(t, "basic (fips, client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false) +@@ -457,6 +462,10 @@ func TestBoringCertAlgs(t *testing.T) { + addRoot(r&1, R1) + addRoot(r&2, R2) + rootName = rootName[1:] // strip leading comma ++ // openssl 3 FIPS provider fails these now without fipstls.Force() ++ if boring.Enabled() { ++ shouldVerify = shouldVerifyFIPS ++ } + testServerCert(t, listName+"->"+rootName[1:], pool, leaf.key, list, shouldVerify) + testClientCert(t, listName+"->"+rootName[1:]+"(client cert)", pool, leaf.key, list, shouldVerify) + fipstls.Force() +@@ -576,6 +585,16 @@ var ( + testRSA2048PrivateKey *rsa.PrivateKey + ) + ++func testConfigTemplate() *Config { ++ config := testConfig.Clone() ++ if boring.Enabled() { ++ config.Certificates[0].Certificate = [][]byte{testRSA2048Certificate} ++ config.Certificates[0].PrivateKey = testRSA2048PrivateKey ++ } ++ return config ++ ++} ++ + func init() { + block, _ := pem.Decode([]byte(` + -----BEGIN CERTIFICATE----- +diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go +index 51dda16..31723b6 100644 +--- a/src/crypto/x509/x509_test.go ++++ b/src/crypto/x509/x509_test.go +@@ -151,6 +151,7 @@ func TestPKIXMismatchPublicKeyFormat(t *testing.T) { + } + + var testPrivateKey *rsa.PrivateKey ++var testPrivateKey2048 *rsa.PrivateKey + + func init() { + block, _ := pem.Decode([]byte(pemPrivateKey)) +@@ -159,6 +160,9 @@ func init() { + if testPrivateKey, err = ParsePKCS1PrivateKey(block.Bytes); err != nil { + panic("Failed to parse private key: " + err.Error()) + } ++ if testPrivateKey2048, err = rsa.GenerateKey(rand.Reader, 2048); err != nil { ++ panic("Failed to generate key: " + err.Error()) ++ } + } + + func bigFromString(s string) *big.Int { +@@ -589,8 +593,9 @@ func TestCreateSelfSignedCertificate(t *testing.T) { + {"RSA/ECDSA", &testPrivateKey.PublicKey, ecdsaPriv, false, ECDSAWithSHA384}, + {"ECDSA/RSA", &ecdsaPriv.PublicKey, testPrivateKey, false, SHA256WithRSA}, + {"ECDSA/ECDSA", &ecdsaPriv.PublicKey, ecdsaPriv, true, ECDSAWithSHA1}, +- {"RSAPSS/RSAPSS", &testPrivateKey.PublicKey, testPrivateKey, true, SHA256WithRSAPSS}, +- {"ECDSA/RSAPSS", &ecdsaPriv.PublicKey, testPrivateKey, false, SHA256WithRSAPSS}, ++ // TODO: hardcode the next two keys ++ {"RSAPSS/RSAPSS", &testPrivateKey2048.PublicKey, testPrivateKey2048, true, SHA256WithRSAPSS}, ++ {"ECDSA/RSAPSS", &ecdsaPriv.PublicKey, testPrivateKey2048, false, SHA256WithRSAPSS}, + {"RSAPSS/ECDSA", &testPrivateKey.PublicKey, ecdsaPriv, false, ECDSAWithSHA384}, + {"Ed25519", ed25519Pub, ed25519Priv, true, PureEd25519}, + } diff --git a/SOURCES/skip_test_rhbz1939923.patch b/SOURCES/skip_test_rhbz1939923.patch new file mode 100644 index 0000000..80302d0 --- /dev/null +++ b/SOURCES/skip_test_rhbz1939923.patch @@ -0,0 +1,12 @@ +diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go +index 51dda16815..2d1e1b1e6e 100644 +--- a/src/crypto/x509/x509_test.go ++++ b/src/crypto/x509/x509_test.go +@@ -2880,6 +2880,7 @@ func (bs *brokenSigner) Sign(_ io.Reader, _ []byte, _ crypto.SignerOpts) ([]byte + } + + func TestCreateCertificateBrokenSigner(t *testing.T) { ++ t.Skip("TODO Fix me: rhbz#1939923") + template := &Certificate{ + SerialNumber: big.NewInt(10), + DNSNames: []string{"example.com"}, diff --git a/SPECS/golang.spec b/SPECS/golang.spec new file mode 100644 index 0000000..7e9152a --- /dev/null +++ b/SPECS/golang.spec @@ -0,0 +1,1260 @@ +%undefine _missing_build_ids_terminate_build + +%global bcond_with strict_fips + +# build ids are not currently generated: +# https://code.google.com/p/go/issues/detail?id=5238 +# +# also, debuginfo extraction currently fails with +# "Failed to write file: invalid section alignment" +%global debug_package %{nil} + +# we are shipping the full contents of src in the data subpackage, which +# contains binary-like things (ELF data for tests, etc) +%global _binaries_in_noarch_packages_terminate_build 0 + +# Do not check any files in doc or src for requires +%global __requires_exclude_from ^(%{_datadir}|/usr/lib)/%{name}/(doc|src)/.*$ + +# Don't alter timestamps of especially the .a files (or else go will rebuild later) +# Actually, don't strip at all since we are not even building debug packages and this corrupts the dwarf testdata +%global __strip /bin/true + +# rpmbuild magic to keep from having meta dependency on libc.so.6 +%define _use_internal_dependency_generator 0 +%define __find_requires %{nil} +%global __spec_install_post /usr/lib/rpm/check-rpaths /usr/lib/rpm/check-buildroot \ + /usr/lib/rpm/brp-compress + +# Define GOROOT macros +%global goroot %{_prefix}/lib/%{name} +%global gopath %{_datadir}/gocode +%global golang_arches x86_64 aarch64 ppc64le s390x +%global golibdir %{_libdir}/%{name} + +# Golang build options. + +# Build golang using external/internal(close to cgo disabled) linking. +%ifarch x86_64 ppc64le %{arm} aarch64 s390x +%global external_linker 1 +%else +%global external_linker 0 +%endif + +# Build golang with cgo enabled/disabled(later equals more or less to internal linking). +%ifarch x86_64 ppc64le %{arm} aarch64 s390x +%global cgo_enabled 1 +%else +%global cgo_enabled 0 +%endif + +# Use golang/gcc-go as bootstrap compiler +%ifarch %{golang_arches} +%global golang_bootstrap 1 +%else +%global golang_bootstrap 0 +%endif + +# Controls what ever we fail on failed tests +%ifarch x86_64 %{arm} aarch64 ppc64le +%global fail_on_tests 1 +%else +%global fail_on_tests 0 +%endif + +# Build golang shared objects for stdlib +%ifarch 0 +%global shared 1 +%else +%global shared 0 +%endif + +# Pre build std lib with -race enabled +%ifarch x86_64 +%global race 1 +%else +%global race 0 +%endif + +%ifarch x86_64 +%global gohostarch amd64 +%endif +%ifarch %{arm} +%global gohostarch arm +%endif +%ifarch aarch64 +%global gohostarch arm64 +%endif +%ifarch ppc64 +%global gohostarch ppc64 +%endif +%ifarch ppc64le +%global gohostarch ppc64le +%endif +%ifarch s390x +%global gohostarch s390x +%endif + +%global go_api 1.16 +%global go_version 1.16.6 +%global pkg_release 3 + +Name: golang +Version: %{go_version} +Release: 4%{?dist} +Summary: The Go Programming Language +# source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain +License: BSD and Public Domain +URL: http://golang.org/ +Source0: https://pagure.io/go/archive/go-%{go_version}-%{pkg_release}-openssl-fips/go-go-%{go_version}-%{pkg_release}-openssl-fips.tar.gz +# make possible to override default traceback level at build time by setting build tag rpm_crashtraceback +Source1: fedora.go + +# The compiler is written in Go. Needs go(1.4+) compiler for build. +# Actual Go based bootstrap compiler provided by above source. +%if !%{golang_bootstrap} +BuildRequires: gcc-go >= 5 +%else +BuildRequires: golang +%endif +%if 0%{?rhel} > 6 || 0%{?fedora} > 0 +BuildRequires: hostname +%else +BuildRequires: net-tools +%endif +# For OpenSSL FIPS +BuildRequires: openssl-devel + +# For openssl-fipsinstall +BuildRequires: openssl + +# for tests +BuildRequires: pcre-devel, glibc-static, perl + +Provides: go = %{version}-%{release} +Requires: %{name}-bin = %{version}-%{release} +Requires: %{name}-src = %{version}-%{release} +Requires: openssl-devel +Requires: diffutils + +# we had been just removing the zoneinfo.zip, but that caused tests to fail for users that +# later run `go test -a std`. This makes it only use the zoneinfo.zip where needed in tests. +Patch215: go1.5-zoneinfo_testing_only.patch + +# Proposed patch by jcajka https://golang.org/cl/86541 +Patch221: fix_TestScript_list_std.patch + +# Add an env var to optionally trigger a warning in x509 when +# Common Name is used as hostname +# rhbz#1889437 +Patch223: golang-1.15-warnCN.patch + +Patch1939923: skip_test_rhbz1939923.patch + +# Port to openssl 3.0 +Patch1952381: rhbz1952381.patch + +Patch1904567: cgo-lto-fix.patch +Patch334410: ppc64le-vdso-segfault-fix.patch + +# Having documentation separate was broken +Obsoletes: %{name}-docs < 1.1-4 + +# RPM can't handle symlink -> dir with subpackages, so merge back +Obsoletes: %{name}-data < 1.1.1-4 + +# These are the only RHEL/Fedora architectures that we compile this package for +ExclusiveArch: %{golang_arches} + +Source100: golang-gdbinit +Source101: golang-prelink.conf + +%description +%{summary}. + +%package docs +Summary: Golang compiler docs +Requires: %{name} = %{version}-%{release} +BuildArch: noarch +Obsoletes: %{name}-docs < 1.1-4 + +%description docs +%{summary}. + +%package misc +Summary: Golang compiler miscellaneous sources +Requires: %{name} = %{version}-%{release} +BuildArch: noarch + +%description misc +%{summary}. + +%package tests +Summary: Golang compiler tests for stdlib +Requires: %{name} = %{version}-%{release} +BuildArch: noarch + +%description tests +%{summary}. + +%package src +Summary: Golang compiler source tree +BuildArch: noarch + +%description src +%{summary} + +%package bin +Summary: Golang core compiler tools +Requires: %{name} = %{version}-%{release} + +# We strip the meta dependency, but go does require glibc. +# This is an odd issue, still looking for a better fix. +Requires: glibc +Requires: /usr/bin/gcc +%description bin +%{summary} + +# Workaround old RPM bug of symlink-replaced-with-dir failure +%pretrans -p +for _,d in pairs({"api", "doc", "include", "lib", "src"}) do + path = "%{goroot}/" .. d + if posix.stat(path, "type") == "link" then + os.remove(path) + posix.mkdir(path) + end +end + +%if %{shared} +%package shared +Summary: Golang shared object libraries + +%description shared +%{summary}. +%endif + +%if %{race} +%package race +Summary: Golang std library with -race enabled + +Requires: %{name} = %{version}-%{release} + +%description race +%{summary} +%endif + +%prep +%setup -q -n go-go-%{go_version}-%{pkg_release}-openssl-fips + +%patch215 -p1 + +%patch221 -p1 + +%patch223 -p1 + +%patch1952381 -p1 + +%patch1939923 -p1 + +%patch1904567 -p1 +%patch334410 -p1 + +cp %{SOURCE1} ./src/runtime/ + +%build +set -xe +# print out system information +uname -a +cat /proc/cpuinfo +cat /proc/meminfo + +# bootstrap compiler GOROOT +%if !%{golang_bootstrap} +export GOROOT_BOOTSTRAP=/ +%else +export GOROOT_BOOTSTRAP=/opt/rh/go-toolset-1.10/root/usr/lib/go-toolset-1.10-golang +%endif + +# set up final install location +export GOROOT_FINAL=%{goroot} + +export GOHOSTOS=linux +export GOHOSTARCH=%{gohostarch} + +pushd src +# use our gcc options for this build, but store gcc as default for compiler +export CFLAGS="$RPM_OPT_FLAGS" +export LDFLAGS="$RPM_LD_FLAGS" +export CC="gcc" +export CC_FOR_TARGET="gcc" +export GOOS=linux +export GOARCH=%{gohostarch} + +DEFAULT_GO_LD_FLAGS="" +%if !%{external_linker} +export GO_LDFLAGS="-linkmode internal $DEFAULT_GO_LD_FLAGS" +%else +# Only pass a select subset of the external hardening flags. We do not pass along +# the default $RPM_LD_FLAGS as on certain arches Go does not fully, correctly support +# building in PIE mode. +export GO_LDFLAGS="\"-extldflags=-Wl,-z,now,-z,relro\" $DEFAULT_GO_LD_FLAGS" +%endif +%if !%{cgo_enabled} +export CGO_ENABLED=0 +%endif +./make.bash --no-clean +popd + +# build shared std lib +%if %{shared} +GOROOT=$(pwd) PATH=$(pwd)/bin:$PATH go install -buildmode=shared std +%endif + +%if %{race} +GOROOT=$(pwd) PATH=$(pwd)/bin:$PATH go install -race std +%endif + + +%install + +rm -rf $RPM_BUILD_ROOT + +# create the top level directories +mkdir -p $RPM_BUILD_ROOT%{_bindir} +mkdir -p $RPM_BUILD_ROOT%{goroot} + +# remove bootstrap binaries +rm -rf pkg/bootstrap/bin + +# install everything into libdir (until symlink problems are fixed) +# https://code.google.com/p/go/issues/detail?id=5830 +cp -apv api bin doc favicon.ico lib pkg robots.txt src misc test VERSION \ + $RPM_BUILD_ROOT%{goroot} + +# bz1099206 +find $RPM_BUILD_ROOT%{goroot}/src -exec touch -r $RPM_BUILD_ROOT%{goroot}/VERSION "{}" \; +# and level out all the built archives +touch $RPM_BUILD_ROOT%{goroot}/pkg +find $RPM_BUILD_ROOT%{goroot}/pkg -exec touch -r $RPM_BUILD_ROOT%{goroot}/pkg "{}" \; +# generate the spec file ownership of this source tree and packages +cwd=$(pwd) +src_list=$cwd/go-src.list +pkg_list=$cwd/go-pkg.list +shared_list=$cwd/go-shared.list +race_list=$cwd/go-race.list +misc_list=$cwd/go-misc.list +docs_list=$cwd/go-docs.list +tests_list=$cwd/go-tests.list +rm -f $src_list $pkg_list $docs_list $misc_list $tests_list $shared_list $race_list +touch $src_list $pkg_list $docs_list $misc_list $tests_list $shared_list $race_list +pushd $RPM_BUILD_ROOT%{goroot} + find src/ -type d -a \( ! -name testdata -a ! -ipath '*/testdata/*' \) -printf '%%%dir %{goroot}/%p\n' >> $src_list + find src/ ! -type d -a \( ! -ipath '*/testdata/*' -a ! -name '*_test*.go' \) -printf '%{goroot}/%p\n' >> $src_list + + find bin/ pkg/ -type d -a ! -path '*_dynlink/*' -a ! -path '*_race/*' -printf '%%%dir %{goroot}/%p\n' >> $pkg_list + find bin/ pkg/ ! -type d -a ! -path '*_dynlink/*' -a ! -path '*_race/*' -printf '%{goroot}/%p\n' >> $pkg_list + + find doc/ -type d -printf '%%%dir %{goroot}/%p\n' >> $docs_list + find doc/ ! -type d -printf '%{goroot}/%p\n' >> $docs_list + + find misc/ -type d -printf '%%%dir %{goroot}/%p\n' >> $misc_list + find misc/ ! -type d -printf '%{goroot}/%p\n' >> $misc_list + +%if %{shared} + mkdir -p %{buildroot}/%{_libdir}/ + mkdir -p %{buildroot}/%{golibdir}/ + for file in $(find . -iname "*.so" ); do + chmod 755 $file + mv $file %{buildroot}/%{golibdir} + pushd $(dirname $file) + ln -fs %{golibdir}/$(basename $file) $(basename $file) + popd + echo "%%{goroot}/$file" >> $shared_list + echo "%%{golibdir}/$(basename $file)" >> $shared_list + done + + find pkg/*_dynlink/ -type d -printf '%%%dir %{goroot}/%p\n' >> $shared_list + find pkg/*_dynlink/ ! -type d -printf '%{goroot}/%p\n' >> $shared_list +%endif + +%if %{race} + + find pkg/*_race/ -type d -printf '%%%dir %{goroot}/%p\n' >> $race_list + find pkg/*_race/ ! -type d -printf '%{goroot}/%p\n' >> $race_list + +%endif + + find test/ -type d -printf '%%%dir %{goroot}/%p\n' >> $tests_list + find test/ ! -type d -printf '%{goroot}/%p\n' >> $tests_list + find src/ -type d -a \( -name testdata -o -ipath '*/testdata/*' \) -printf '%%%dir %{goroot}/%p\n' >> $tests_list + find src/ ! -type d -a \( -ipath '*/testdata/*' -o -name '*_test*.go' \) -printf '%{goroot}/%p\n' >> $tests_list + # this is only the zoneinfo.zip + find lib/ -type d -printf '%%%dir %{goroot}/%p\n' >> $tests_list + find lib/ ! -type d -printf '%{goroot}/%p\n' >> $tests_list +popd + +# remove the doc Makefile +rm -rfv $RPM_BUILD_ROOT%{goroot}/doc/Makefile + +# put binaries to bindir, linked to the arch we're building, +# leave the arch independent pieces in {goroot} +mkdir -p $RPM_BUILD_ROOT%{goroot}/bin/linux_%{gohostarch} +ln -sf %{goroot}/bin/go $RPM_BUILD_ROOT%{_bindir}/go +ln -sf %{goroot}/bin/gofmt $RPM_BUILD_ROOT%{_bindir}/gofmt + +# ensure these exist and are owned +mkdir -p $RPM_BUILD_ROOT%{gopath}/src/github.com +mkdir -p $RPM_BUILD_ROOT%{gopath}/src/bitbucket.org +mkdir -p $RPM_BUILD_ROOT%{gopath}/src/code.google.com/p +mkdir -p $RPM_BUILD_ROOT%{gopath}/src/golang.org/x + +# gdbinit +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/gdbinit.d +cp -av %{SOURCE100} $RPM_BUILD_ROOT%{_sysconfdir}/gdbinit.d/golang.gdb + +# prelink blacklist +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/prelink.conf.d +cp -av %{SOURCE101} $RPM_BUILD_ROOT%{_sysconfdir}/prelink.conf.d/golang.conf + +%check +export GOROOT=$(pwd -P) +export PATH="$GOROOT"/bin:"$PATH" +cd src + +# Add some sanity checks. +echo "GO VERSION:" +go version + +echo "GO ENVIRONMENT:" +go env + +export CC="gcc" +export CFLAGS="$RPM_OPT_FLAGS" +export LDFLAGS="$RPM_LD_FLAGS" +%if !%{external_linker} +export GO_LDFLAGS="-linkmode internal" +%else +export GO_LDFLAGS="-extldflags '$RPM_LD_FLAGS'" +%endif +%if !%{cgo_enabled} || !%{external_linker} +export CGO_ENABLED=0 +%endif + +# work around aarch64 issue +# https://src.fedoraproject.org/rpms/golang/c/ea99ebaff6b9561243bb43039458771edb691eaf?branch=f32 +%ifarch aarch64 +export CGO_CFLAGS="-mno-outline-atomics" +%endif + +# make sure to not timeout +export GO_TEST_TIMEOUT_SCALE=2 + +export GO_TEST_RUN="" +%ifarch aarch64 + export GO_TEST_RUN="-run=!testshared" +%endif + +%if %{fail_on_tests} + +TEST_BORING_CONFIGS=`mktemp -d` +TEST_BORING_CNF=$TEST_BORING_CONFIGS/openssl-boring.cnf +TEST_BORING_FIPS_CNF=$TEST_BORING_CONFIGS/fipsmodule.cnf +trap "rm -rf $TEST_BORING_CONFIGS" EXIT + +cp /etc/pki/tls/openssl.cnf $TEST_BORING_CNF +openssl fipsinstall -module /usr/lib64/ossl-modules/fips.so -out $TEST_BORING_FIPS_CNF + +cat > $TEST_BORING_CNF << EOM +openssl_conf = openssl_test + +[openssl_test] +providers = provider_test +alg_section = algorithm_test +ssl_conf = ssl_module + +[algorithm_test] +default_properties = fips=yes + +[provider_test] +default = default_sect + # The fips section name should match the section name inside the + # included fipsmodule.cnf. +fips = fips_sect +.include $TEST_BORING_FIPS_CNF + +[default_sect] +activate = 1 + +[ ssl_module ] + +system_default = crypto_policy + +[ crypto_policy ] + +.include = /etc/crypto-policies/back-ends/opensslcnf.config + +[ new_oids ] + +EOM + +./run.bash --no-rebuild -v -v -v -k $GO_TEST_RUN + +export OPENSSL_CONF=$TEST_BORING_CNF +# Run tests with FIPS enabled. +pushd crypto + # Run all crypto tests but skip TLS, we will run FIPS specific TLS tests later + GOLANG_FIPS=1 go test $(go list ./... | grep -v tls) -v + # Check that signature functions have parity between boring and notboring + CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v +popd +# Run all FIPS specific TLS tests +pushd crypto/tls + GOLANG_FIPS=1 go test -v -run "Boring" +popd +%else +./run.bash --no-rebuild -v -v -v -k || : +%endif +cd .. + +%files + +%doc AUTHORS CONTRIBUTORS LICENSE PATENTS +# VERSION has to be present in the GOROOT, for `go install std` to work +%doc %{goroot}/VERSION +%dir %{goroot}/doc +%doc %{goroot}/doc/* + +# go files +%dir %{goroot} +%exclude %{goroot}/bin/ +%exclude %{goroot}/pkg/ +%exclude %{goroot}/src/ +%exclude %{goroot}/doc/ +%exclude %{goroot}/misc/ +%exclude %{goroot}/test/ +%{goroot}/* + +# ensure directory ownership, so they are cleaned up if empty +%dir %{gopath} +%dir %{gopath}/src +%dir %{gopath}/src/github.com/ +%dir %{gopath}/src/bitbucket.org/ +%dir %{gopath}/src/code.google.com/ +%dir %{gopath}/src/code.google.com/p/ +%dir %{gopath}/src/golang.org +%dir %{gopath}/src/golang.org/x + +# gdbinit (for gdb debugging) +%{_sysconfdir}/gdbinit.d + +# prelink blacklist +%{_sysconfdir}/prelink.conf.d + + +%files -f go-src.list src + +%files -f go-docs.list docs + +%files -f go-misc.list misc + +%files -f go-tests.list tests + +%files -f go-pkg.list bin +%{_bindir}/go +%{_bindir}/gofmt + +%if %{shared} +%files -f go-shared.list shared +%endif + +%if %{race} +%files -f go-race.list race +%endif + +%changelog +* Mon Aug 09 2021 Mohan Boddu - 1.16.6-4 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Wed Aug 4 2021 Derek Parker - 1.16.6-3 +- Include ppc64le VDSO segfault backport fix +- Resolves: rhbz#1966622 + +* Mon Aug 2 2021 Derek Parker - 1.16.6-2 +- Bump release +- Resolves: rhbz#1904567 + +* Mon Aug 2 2021 Derek Parker - 1.16.6-2 +- Backport fix allowing LTO to be enabled on cgo sources +- Resolves: rhbz#1904567 + +* Tue Jul 20 2021 Derek Parker - 1.16.6-1 +- Rebase to 1.16.6 +- Resolves: rhbz#1984124 +- Replace symbols no longer present in OpenSSL 3.0 ABI +- Resolves: rhbz#1984110 +- Fix TestBoringServerCurves failing when ran by itself +- Resolves: rhbz#1977914 + +* Tue Jun 22 2021 Mohan Boddu - 1.16.4-3 +- Rebuilt for RHEL 9 BETA for openssl 3.0 + Related: rhbz#1971065 + +* Fri May 28 2021 David Benoit - 1.16.4-2 +- Port to OpenSSL 3.0 +- Resolves: rhbz#1952381 + +* Fri May 14 2021 Alejandro Sáez - 1.16.4-1 +- Rebase to 1.16.4 +- Resolves: rhbz#1955035 +- Resolves: rhbz#1957961 + +* Thu Apr 15 2021 Mohan Boddu - 1.16.1-3 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Tue Mar 30 2021 Alejandro Sáez - 1.16.1-2 +- Rebase to go-1.16.1-2-openssl-fips +- Resolves: rhbz#1922455 + +* Tue Mar 30 2021 Alejandro Sáez - 1.16.1-1 +- Rebase to go-1.16.1-2-openssl-fips +- Adds a workaround for rhbz#1939923 +- Removes Patch224, it's on upstream -> rhbz#1888673 +- Removes Patch225, it's on upstream -> https://go-review.googlesource.com/c/text/+/238238 +- Removes old patches for cleaning purposes +- Related: rhbz#1942898 + +* Fri Jan 22 2021 David Benoit - 1.15.7-1 +- Rebase to 1.15.7 +- Resolves: rhbz#1892207 +- Resolves: rhbz#1918755 + +* Tue Nov 24 2020 David Benoit - 1.15.5-1 +- Rebase to 1.15.5 +- Resolves: rhbz#1899184 +- Resolves: rhbz#1899185 +- Resolves: rhbz#1899186 + +* Thu Nov 12 2020 David Benoit - 1.15.3-2 +- Rebase to 1.15.3 +- fix x/text infinite loop +- Resolves: rhbz#1881539 + +* Tue Nov 03 2020 Alejandro Sáez - 1.15.2-2 +- Resolves: rhbz#1850045 + +* Mon Oct 19 2020 David Benoit - 1.15.2-1 +- Rebase to 1.15.2 +- fix rhbz#1872622 in commit af9a1b1f6567a1c5273a134d395bfe7bb840b7f8 +- Resolves: rhbz#1872622 +- add net/http graceful shutdown patch +- Resolves: rhbz#1888673 +- add x509warnCN patch +- Resolves: rhbz#1889437 + +* Wed Sep 09 2020 Alejandro Sáez - 1.15.0-1 +- Rebase to 1.15.0 +- Related: rhbz#1870531 + +* Thu Aug 27 2020 Alejandro Sáez - 1.14.7-2 +- Improve test suite +- Resolves: rhbz#1854693 + +* Tue Aug 18 2020 Alejandro Sáez - 1.14.7-1 +- Rebase to 1.14.7 + +* Mon Aug 03 2020 Alejandro Sáez - 1.14.6-1 +- Rebase to 1.14.6 +- Resolves: rhbz#1820596 + +* Wed Jul 08 2020 Alejandro Sáez - 1.14.4-2 +- Include patch to fix missing deferreturn on linux/ppc64le +- Resolves: rhbz#1854836 + +* Thu Jun 25 2020 Alejandro Sáez - 1.14.4-1 +- Rebase to 1.14.4 + +* Thu May 21 2020 Alejandro Sáez - 1.14.2-2 +- Remove i686 references +- Related: rhbz#1752991 + +* Wed May 06 2020 Alejandro Sáez - 1.14.2-1 +- Rebase to 1.14.2 +- Related: rhbz#1820596 + +* Wed Nov 27 2019 Alejandro Sáez - 1.13.4-2 +- Remove patches +- Related: rhbz#1747150 + +* Mon Nov 25 2019 Alejandro Sáez - 1.13.4-1 +- Rebase to 1.13.4 +- Related: rhbz#1747150 + +* Tue Sep 17 2019 Tom Stellard - 1.12.8-4 +- Reduce number of threads when testing on i686 + +* Wed Sep 11 2019 Tom Stellard - 1.12.8-3 +- Relax FIPS requirements to unblock OpenShift testing + +* Wed Aug 28 2019 Tom Stellard - 1.12.8-2 +- Rebase to 1.12.8 +- Resolves: rhbz#1745706 +- Resolves: rhbz#1745712 + +* Mon Aug 5 2019 Derek Parker - 1.12.6-3 +- Add README for more documentation +- Resolves: rhbz#1734788 + +* Fri Aug 2 2019 Derek Parker - 1.12.6-3 +- Revert some TLS FIPS changes for now +- Resolves: rhbz#1734788 + +* Thu Aug 1 2019 Derek Parker - 1.12.6-2 +- Updates to be less strict on key size in FIPS mode +- Resolves: rhbz#1734788 + +* Thu Jun 13 2019 Derek Parker - 1.12.6-1 +- Rebase to 1.12.6 +- Resolves: rhbz#1677819 + +* Thu Jun 13 2019 Derek Parker - 1.12.5-2 +- Remove macros present in go-compiler +- Resolves: rhbz#1700109 + +* Wed Jun 12 2019 Derek Parker - 1.12.5-1 +- Rebase to 1.12.5 +- Resolves: rhbz#1677819 + +* Wed May 29 2019 Derek Parker - 1.12.1-2 +- Lock OpenSSL to specific built version and include more initialization. +- Resolves: rhbz#1709603 + +* Fri May 10 2019 Derek Parker - 1.12.1-1 +- Rebase to 1.12.1 +- Include FIPS compliance updates +- Resolves: rhbz#1709603 + +* Thu Apr 4 2019 Derek Parker - 1.11.5-2 +- Include patch to fix CVE-2019-9741 +- Resolves: rhbz#1690443 + +* Mon Feb 18 2019 Derek Parker - 1.11.5-2 +- Switch to pagure fork for Go FIPS + +* Thu Feb 7 2019 Derek Parker - 1.11.5-1 +- Rebase to Go 1.11.5 +- Resolves: rhbz#1671277 +- Fixes CVE-2019-6486 + +* Thu Jan 3 2019 Derek Parker - 1.11.4-1 +- Rebase to Go 1.11.4 +- Fixes CVE-2018-16873, CVE-2018-16874, CVE-2018-16875 + +* Thu Dec 6 2018 Derek Parker - 1.11.2-1 +- Rebase to Go 1.11.2 + +* Fri Nov 16 2018 Derek Parker - 1.10.3-18 +- Remove SCL from macros + +* Wed Nov 7 2018 Derek Parker - 1.10.3-17 +- Prefer go-toolset over go-toolset-1.10 +- Resolves: rhbz#1630786 + +* Mon Nov 5 2018 Derek Parker - 1.10.3-16 +- Fix implicit syscall declaration warning + +* Mon Nov 5 2018 Derek Parker - 1.10.3-15 +- Remove usage of redhat hardening flag file, just pass a select few manually +- Resolves: rhbz#1642798 + +* Wed Oct 31 2018 Derek Parker - 1.10.3-14 +- Do not build toolchain in PIE mode +- Resolves: rhbz#1642798 + +* Fri Oct 26 2018 Derek Parker - 1.10.3-13 +- Fix setting of internal FIPS enabled flag +- Resolves: rhbz#1643653 + +* Wed Oct 10 2018 Derek Parker - 1.10.3-12 +- Pass external linker flags to fix annocheck errors +- Resolves: rhbz#1624421 + +* Wed Oct 10 2018 Derek Parker - 1.10.3-11 +- Fix UnreachableExceptTests false panic +- Resolves: rhbz#1634748 + +* Fri Oct 5 2018 Derek Parker - 1.10.3-10 +- Remove SCL, fix bug in boringcrypto with ecdsa +- Related: rhbz#1635066 +- Resolves: rhbz#1636221 + +* Wed Sep 26 2018 Derek Parker - 1.10.3-9 +- Add runtime FIPS detection patches +- Resolves: rhbz#1633351 + +* Fri Sep 21 2018 Derek Parker - 1.10.3-8 +- Add `gobuild` and `gotest` macros from go-compilers +- Resolves: rhbz#1631846 + +* Thu Sep 20 2018 Derek Parker - 1.10.3-7 +- Bootstrap package using old build of same package +- Resolves: rhbz#1630786 + +* Mon Aug 13 2018 Derek Parker - 1.10.3-6 +- Update stack allocation of OpenSSL type patch +- Resolves: rhbz#1615032 + +* Sat Aug 11 2018 Troy Dawson - 1.10.3-5 +- Build on i686 +- Related: bug#1614611 + +* Tue Aug 7 2018 Derek Parker - 1.10.3-4 +- Add patch fixing stack allocation of opaque OpenSSL type bug. +- Resolves: rhbz#1613538 + +* Thu Aug 2 2018 Derek Parker - 1.10.3-3 +- Add patch with tag to opt out of OpenSSL during build + +* Wed Jul 25 2018 Derek Parker - 1.10.3-2 +- Add runtime requirement for openssl-devel and misc updates + +* Tue Jul 24 2018 Derek Parker - 1.10.3-1 +- Bump to 1.10.3 + +* Tue Jul 24 2018 Derek Parker - 1.10.2-3 +- Prepare for module build + +* Wed Jun 27 2018 Derek Parker - 1.10.2-2 +- Include FIPS patches + +* Wed May 23 2018 Derek Parker - 1.10.2-1 +- Bump to Go 1.10.2 + +* Thu Mar 15 2018 Derek Parker - 1.10-1 +- Bump to Go 1.10 + +* Wed Oct 18 2017 Jakub Čajka - 1.8.5-1 +- Fix CVE-2017-15041 and CVE-2017-15042 +- Resolves: BZ#1499160, BZ#1498073, BZ#1512063 + +* Thu Aug 31 2017 Tom Stellard - 1.8.3-4 +- Explicitly require /usr/bin/gcc +- Resolves: #1487345 + +* Thu Jun 22 2017 Jakub Čajka - 1.8.3-3 +- apply asn1 patch +- add ppc64le trampolines patch + +* Wed Jun 14 2017 Jakub Čajka - 1.8.3-2 +- regular GTS build + +* Tue Jun 06 2017 Jakub Čajka - 1.8.3-1 +- initial GTS build + +* Fri Feb 10 2017 Fedora Release Engineering - 1.8-0.rc3.2.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Jan 27 2017 Jakub Čajka - 1.8-0.rc3.2 +- make possible to override default traceback level at build time +- add sub-package race containing std lib built with -race enabled +- Related: BZ#1411242 + +* Fri Jan 27 2017 Jakub Čajka - 1.8-0.rc3.1 +- rebase to go1.8rc3 +- Resolves: BZ#1411242 + +* Fri Jan 20 2017 Jakub Čajka - 1.7.4-2 +- Resolves: BZ#1404679 +- expose IfInfomsg.X__ifi_pad on s390x + +* Fri Dec 02 2016 Jakub Čajka - 1.7.4-1 +- Bump to 1.7.4 +- Resolves: BZ#1400732 + +* Thu Nov 17 2016 Tom Callaway - 1.7.3-2 +- re-enable the NIST P-224 curve + +* Thu Oct 20 2016 Jakub Čajka - 1.7.3-1 +- Resolves: BZ#1387067 - golang-1.7.3 is available +- added fix for tests failing with latest tzdata + +* Fri Sep 23 2016 Jakub Čajka - 1.7.1-2 +- fix link failure due to relocation overflows on PPC64X + +* Thu Sep 08 2016 Jakub Čajka - 1.7.1-1 +- rebase to 1.7.1 +- Resolves: BZ#1374103 + +* Tue Aug 23 2016 Jakub Čajka - 1.7-1 +- update to released version +- related: BZ#1342090, BZ#1357394 + +* Mon Aug 08 2016 Jakub Čajka - 1.7-0.3.rc5 +- Obsolete golang-vet and golang-cover from golang-googlecode-tools package + vet/cover binaries are provided by golang-bin rpm (thanks to jchaloup) +- clean up exclusive arch after s390x boostrap +- resolves: #1268206 + +* Wed Aug 03 2016 Jakub Čajka - 1.7-0.2.rc5 +- rebase to go1.7rc5 +- Resolves: BZ#1342090 + +* Thu Jul 21 2016 Fedora Release Engineering - 1.7-0.1.rc2 +- https://fedoraproject.org/wiki/Changes/golang1.7 + +* Tue Jul 19 2016 Jakub Čajka - 1.7-0.0.rc2 +- rebase to 1.7rc2 +- added s390x build +- improved shared lib packaging +- Resolves: bz1357602 - CVE-2016-5386 +- Resolves: bz1342090, bz1342090 + +* Tue Apr 26 2016 Jakub Čajka - 1.6.2-1 +- rebase to 1.6.2 +- Resolves: bz1329206 - golang-1.6.2.src is available + +* Wed Apr 13 2016 Jakub Čajka - 1.6.1-1 +- rebase to 1.6.1 +- Resolves: bz1324344 - CVE-2016-3959 +- Resolves: bz1324951 - prelink is gone, /etc/prelink.conf.d/* is no longer used +- Resolves: bz1326366 - wrong epoll_event struct for ppc64le/ppc64 + +* Mon Feb 22 2016 Jakub Čajka - 1.6-1 +- Resolves: bz1304701 - rebase to go1.6 release +- Resolves: bz1304591 - fix possible stack miss-alignment in callCgoMmap + +* Wed Feb 03 2016 Fedora Release Engineering - 1.6-0.3.rc1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Jan 29 2016 Jakub Čajka - 1.6-0.2.rc1 +- disabled cgo and external linking on ppc64 + +* Thu Jan 28 2016 Jakub Čajka - 1.6-0.1.rc1 +- Resolves bz1292640, rebase to pre-release 1.6 +- bootstrap for PowerPC +- fix rpmlint errors/warning + +* Thu Jan 14 2016 Jakub Čajka - 1.5.3-1 +- rebase to 1.5.3 +- resolves bz1293451, CVE-2015-8618 +- apply timezone patch, avoid using bundled data +- print out rpm build system info + +* Fri Dec 11 2015 Jakub Čajka - 1.5.2-2 +- bz1290543 Accept x509 certs with negative serial + +* Tue Dec 08 2015 Jakub Čajka - 1.5.2-1 +- bz1288263 rebase to 1.5.2 +- spec file clean up +- added build options +- scrubbed "Project Gutenberg License" + +* Mon Oct 19 2015 Vincent Batts - 1.5.1-1 +- bz1271709 include patch from upstream fix + +* Wed Sep 09 2015 Vincent Batts - 1.5.1-0 +- update to go1.5.1 + +* Fri Sep 04 2015 Vincent Batts - 1.5-8 +- bz1258166 remove srpm macros, for go-srpm-macros + +* Thu Sep 03 2015 Vincent Batts - 1.5-7 +- bz1258166 remove srpm macros, for go-srpm-macros + +* Thu Aug 27 2015 Vincent Batts - 1.5-6 +- starting a shared object subpackage. This will be x86_64 only until upstream supports more arches shared objects. + +* Thu Aug 27 2015 Vincent Batts - 1.5-5 +- bz991759 gdb path fix + +* Wed Aug 26 2015 Vincent Batts - 1.5-4 +- disable shared object until linux/386 is ironned out +- including the test/ directory for tests + +* Tue Aug 25 2015 Vincent Batts - 1.5-3 +- bz1256910 only allow the golang zoneinfo.zip to be used in tests +- bz1166611 add golang.org/x directory +- bz1256525 include stdlib shared object. This will let other libraries and binaries + build with `go build -buildmode=shared -linkshared ...` or similar. + +* Sun Aug 23 2015 Peter Robinson 1.5-2 +- Enable aarch64 +- Minor cleanups + +* Thu Aug 20 2015 Vincent Batts - 1.5-1 +- updating to go1.5 + +* Thu Aug 06 2015 Vincent Batts - 1.5-0.11.rc1 +- fixing the sources reference + +* Thu Aug 06 2015 Vincent Batts - 1.5-0.10.rc1 +- updating to go1.5rc1 +- checks are back in place + +* Tue Aug 04 2015 Vincent Batts - 1.5-0.9.beta3 +- pull in upstream archive/tar fix + +* Thu Jul 30 2015 Vincent Batts - 1.5-0.8.beta3 +- updating to go1.5beta3 + +* Thu Jul 30 2015 Vincent Batts - 1.5-0.7.beta2 +- add the patch .. + +* Thu Jul 30 2015 Vincent Batts - 1.5-0.6.beta2 +- increase ELFRESERVE (bz1248071) + +* Tue Jul 28 2015 Lokesh Mandvekar - 1.5-0.5.beta2 +- correct package version and release tags as per naming guidelines + +* Fri Jul 17 2015 Vincent Batts - 1.4.99-4.1.5beta2 +- adding test output, for visibility + +* Fri Jul 10 2015 Vincent Batts - 1.4.99-3.1.5beta2 +- updating to go1.5beta2 + +* Fri Jul 10 2015 Vincent Batts - 1.4.99-2.1.5beta1 +- add checksum to sources and fixed one patch + +* Fri Jul 10 2015 Vincent Batts - 1.4.99-1.1.5beta1 +- updating to go1.5beta1 + +* Wed Jun 17 2015 Fedora Release Engineering - 1.4.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Wed Mar 18 2015 Vincent Batts - 1.4.2-2 +- obsoleting deprecated packages + +* Wed Feb 18 2015 Vincent Batts - 1.4.2-1 +- updating to go1.4.2 + +* Fri Jan 16 2015 Vincent Batts - 1.4.1-1 +- updating to go1.4.1 + +* Fri Jan 02 2015 Vincent Batts - 1.4-2 +- doc organizing + +* Thu Dec 11 2014 Vincent Batts - 1.4-1 +- update to go1.4 release + +* Wed Dec 03 2014 Vincent Batts - 1.3.99-3.1.4rc2 +- update to go1.4rc2 + +* Mon Nov 17 2014 Vincent Batts - 1.3.99-2.1.4rc1 +- update to go1.4rc1 + +* Thu Oct 30 2014 Vincent Batts - 1.3.99-1.1.4beta1 +- update to go1.4beta1 + +* Thu Oct 30 2014 Vincent Batts - 1.3.3-3 +- macros will need to be in their own rpm + +* Fri Oct 24 2014 Vincent Batts - 1.3.3-2 +- split out rpm macros (bz1156129) +- progress on gccgo accomodation + +* Wed Oct 01 2014 Vincent Batts - 1.3.3-1 +- update to go1.3.3 (bz1146882) + +* Mon Sep 29 2014 Vincent Batts - 1.3.2-1 +- update to go1.3.2 (bz1147324) + +* Thu Sep 11 2014 Vincent Batts - 1.3.1-3 +- patching the tzinfo failure + +* Sat Aug 16 2014 Fedora Release Engineering - 1.3.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Wed Aug 13 2014 Vincent Batts - 1.3.1-1 +- update to go1.3.1 + +* Wed Aug 13 2014 Vincent Batts - 1.3-11 +- merged a line wrong + +* Wed Aug 13 2014 Vincent Batts - 1.3-10 +- more work to get cgo.a timestamps to line up, due to build-env +- explicitly list all the files and directories for the source and packages trees +- touch all the built archives to be the same + +* Mon Aug 11 2014 Vincent Batts - 1.3-9 +- make golang-src 'noarch' again, since that was not a fix, and takes up more space + +* Mon Aug 11 2014 Vincent Batts - 1.3-8 +- update timestamps of source files during %%install bz1099206 + +* Fri Aug 08 2014 Vincent Batts - 1.3-7 +- update timestamps of source during %%install bz1099206 + +* Wed Aug 06 2014 Vincent Batts - 1.3-6 +- make the source subpackage arch'ed, instead of noarch + +* Mon Jul 21 2014 Vincent Batts - 1.3-5 +- fix the writing of pax headers + +* Tue Jul 15 2014 Vincent Batts - 1.3-4 +- fix the loading of gdb safe-path. bz981356 + +* Tue Jul 08 2014 Vincent Batts - 1.3-3 +- `go install std` requires gcc, to build cgo. bz1105901, bz1101508 + +* Mon Jul 07 2014 Vincent Batts - 1.3-2 +- archive/tar memory allocation improvements + +* Thu Jun 19 2014 Vincent Batts - 1.3-1 +- update to go1.3 + +* Fri Jun 13 2014 Vincent Batts - 1.3rc2-1 +- update to go1.3rc2 + +* Sat Jun 07 2014 Fedora Release Engineering - 1.3rc1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue Jun 03 2014 Vincent Batts 1.3rc1-1 +- update to go1.3rc1 +- new arch file shuffling + +* Wed May 21 2014 Vincent Batts 1.3beta2-1 +- update to go1.3beta2 +- no longer provides go-mode for xemacs (emacs only) + +* Wed May 21 2014 Vincent Batts 1.2.2-7 +- bz1099206 ghost files are not what is needed + +* Tue May 20 2014 Vincent Batts 1.2.2-6 +- bz1099206 more fixing. The packages %%post need golang-bin present first + +* Tue May 20 2014 Vincent Batts 1.2.2-5 +- bz1099206 more fixing. Let go fix its own timestamps and freshness + +* Tue May 20 2014 Vincent Batts 1.2.2-4 +- fix the existence and alternatives of `go` and `gofmt` + +* Mon May 19 2014 Vincent Batts 1.2.2-3 +- bz1099206 fix timestamp issue caused by koji builders + +* Fri May 09 2014 Vincent Batts 1.2.2-2 +- more arch file shuffling + +* Fri May 09 2014 Vincent Batts 1.2.2-1 +- update to go1.2.2 + +* Thu May 08 2014 Vincent Batts 1.2.1-8 +- RHEL6 rpm macros can't %%exlude missing files + +* Wed May 07 2014 Vincent Batts 1.2.1-7 +- missed two arch-dependent src files + +* Wed May 07 2014 Vincent Batts 1.2.1-6 +- put generated arch-dependent src in their respective RPMs + +* Fri Apr 11 2014 Vincent Batts 1.2.1-5 +- skip test that is causing a SIGABRT on fc21 bz1086900 + +* Thu Apr 10 2014 Vincent Batts 1.2.1-4 +- fixing file and directory ownership bz1010713 + +* Wed Apr 09 2014 Vincent Batts 1.2.1-3 +- including more to macros (%%go_arches) +- set a standard goroot as /usr/lib/golang, regardless of arch +- include sub-packages for compiler toolchains, for all golang supported architectures + +* Wed Mar 26 2014 Vincent Batts 1.2.1-2 +- provide a system rpm macros. Starting with gopath + +* Tue Mar 04 2014 Adam Miller 1.2.1-1 +- Update to latest upstream + +* Thu Feb 20 2014 Adam Miller 1.2-7 +- Remove _BSD_SOURCE and _SVID_SOURCE, they are deprecated in recent + versions of glibc and aren't needed + +* Wed Feb 19 2014 Adam Miller 1.2-6 +- pull in upstream archive/tar implementation that supports xattr for + docker 0.8.1 + +* Tue Feb 18 2014 Vincent Batts 1.2-5 +- provide 'go', so users can yum install 'go' + +* Fri Jan 24 2014 Vincent Batts 1.2-4 +- skip a flaky test that is sporadically failing on the build server + +* Thu Jan 16 2014 Vincent Batts 1.2-3 +- remove golang-godoc dependency. cyclic dependency on compiling godoc + +* Wed Dec 18 2013 Vincent Batts - 1.2-2 +- removing P224 ECC curve + +* Mon Dec 2 2013 Vincent Batts - 1.2-1 +- Update to upstream 1.2 release +- remove the pax tar patches + +* Tue Nov 26 2013 Vincent Batts - 1.1.2-8 +- fix the rpmspec conditional for rhel and fedora + +* Thu Nov 21 2013 Vincent Batts - 1.1.2-7 +- patch tests for testing on rawhide +- let the same spec work for rhel and fedora + +* Wed Nov 20 2013 Vincent Batts - 1.1.2-6 +- don't symlink /usr/bin out to ../lib..., move the file +- seperate out godoc, to accomodate the go.tools godoc + +* Fri Sep 20 2013 Adam Miller - 1.1.2-5 +- Pull upstream patches for BZ#1010271 +- Add glibc requirement that got dropped because of meta dep fix + +* Fri Aug 30 2013 Adam Miller - 1.1.2-4 +- fix the libc meta dependency (thanks to vbatts [at] redhat.com for the fix) + +* Tue Aug 27 2013 Adam Miller - 1.1.2-3 +- Revert incorrect merged changelog + +* Tue Aug 27 2013 Adam Miller - 1.1.2-2 +- This was reverted, just a placeholder changelog entry for bad merge + +* Tue Aug 20 2013 Adam Miller - 1.1.2-1 +- Update to latest upstream + +* Sat Aug 03 2013 Fedora Release Engineering - 1.1.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Wed Jul 17 2013 Petr Pisar - 1.1.1-6 +- Perl 5.18 rebuild + +* Wed Jul 10 2013 Adam Goode - 1.1.1-5 +- Blacklist testdata files from prelink +- Again try to fix #973842 + +* Fri Jul 5 2013 Adam Goode - 1.1.1-4 +- Move src to libdir for now (#973842) (upstream issue https://code.google.com/p/go/issues/detail?id=5830) +- Eliminate noarch data package to work around RPM bug (#975909) +- Try to add runtime-gdb.py to the gdb safe-path (#981356) + +* Wed Jun 19 2013 Adam Goode - 1.1.1-3 +- Use lua for pretrans (http://fedoraproject.org/wiki/Packaging:Guidelines#The_.25pretrans_scriptlet) + +* Mon Jun 17 2013 Adam Goode - 1.1.1-2 +- Hopefully really fix #973842 +- Fix update from pre-1.1.1 (#974840) + +* Thu Jun 13 2013 Adam Goode - 1.1.1-1 +- Update to 1.1.1 +- Fix basically useless package (#973842) + +* Sat May 25 2013 Dan Horák - 1.1-3 +- set ExclusiveArch + +* Fri May 24 2013 Adam Goode - 1.1-2 +- Fix noarch package discrepancies + +* Fri May 24 2013 Adam Goode - 1.1-1 +- Initial Fedora release. +- Update to 1.1 + +* Thu May 9 2013 Adam Goode - 1.1-0.3.rc3 +- Update to rc3 + +* Thu Apr 11 2013 Adam Goode - 1.1-0.2.beta2 +- Update to beta2 + +* Tue Apr 9 2013 Adam Goode - 1.1-0.1.beta1 +- Initial packaging.