import golang-1.17.7-1.el9_0
This commit is contained in:
parent
a9fa186664
commit
0e0a7cdc0f
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/go-go-1.17.5-1-openssl-fips.tar.gz
|
||||
SOURCES/go-go-1.17.7-1-openssl-fips.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
f0b72c96855f50d91288f1226a7660b97c1fdd73 SOURCES/go-go-1.17.5-1-openssl-fips.tar.gz
|
||||
139fe29f985b3feda50c407d194f1a102352388a SOURCES/go-go-1.17.7-1-openssl-fips.tar.gz
|
||||
|
@ -1,3 +1,18 @@
|
||||
diff --git a/src/crypto/ecdsa/ecdsa_test.go b/src/crypto/ecdsa/ecdsa_test.go
|
||||
index d60fdb8..b90782a 100644
|
||||
--- a/src/crypto/ecdsa/ecdsa_test.go
|
||||
+++ b/src/crypto/ecdsa/ecdsa_test.go
|
||||
@@ -323,6 +323,10 @@ func TestVectors(t *testing.T) {
|
||||
h.Write(msg)
|
||||
hashed := h.Sum(hashed[:0])
|
||||
if boring.Enabled() {
|
||||
+ // SHA-1 signatures not supported in OpenSSL 3.0
|
||||
+ if ch == crypto.SHA1 {
|
||||
+ expected = false
|
||||
+ }
|
||||
if HashVerify(pub, msg, r, s, ch) != expected {
|
||||
t.Fatalf("incorrect result on line %d", lineNo)
|
||||
}
|
||||
diff --git a/src/crypto/internal/boring/aes.go b/src/crypto/internal/boring/aes.go
|
||||
index 457decf..961795a 100644
|
||||
--- a/src/crypto/internal/boring/aes.go
|
||||
@ -108,7 +123,7 @@ index e7ae80c..45c856b 100644
|
||||
|
||||
type fail string
|
||||
diff --git a/src/crypto/internal/boring/goopenssl.h b/src/crypto/internal/boring/goopenssl.h
|
||||
index 745e8a4..284e845 100644
|
||||
index 355638b..2737441 100644
|
||||
--- a/src/crypto/internal/boring/goopenssl.h
|
||||
+++ b/src/crypto/internal/boring/goopenssl.h
|
||||
@@ -14,6 +14,15 @@
|
||||
@ -202,7 +217,23 @@ index 745e8a4..284e845 100644
|
||||
|
||||
#include <openssl/rand.h>
|
||||
|
||||
@@ -735,6 +759,7 @@ static inline int
|
||||
@@ -711,12 +735,9 @@ _goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(GO_EVP_PKEY_CTX* ctx, int pad) {
|
||||
#endif
|
||||
}
|
||||
|
||||
-static inline int
|
||||
-_goboringcrypto_EVP_PKEY_CTX_set0_rsa_oaep_label(GO_EVP_PKEY_CTX *ctx, uint8_t *l, int llen)
|
||||
-{
|
||||
-
|
||||
- return _goboringcrypto_EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, EVP_PKEY_CTRL_RSA_OAEP_LABEL, llen, (void *)l);
|
||||
-}
|
||||
+DEFINEFUNC(int, EVP_PKEY_CTX_set0_rsa_oaep_label,
|
||||
+ (GO_EVP_PKEY_CTX *ctx, uint8_t *l, int llen),
|
||||
+ (ctx, l, llen))
|
||||
|
||||
static inline int
|
||||
_goboringcrypto_EVP_PKEY_CTX_set_rsa_oaep_md(GO_EVP_PKEY_CTX *ctx, const GO_EVP_MD *md)
|
||||
@@ -736,6 +757,7 @@ static inline int
|
||||
_goboringcrypto_EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {
|
||||
return _goboringcrypto_EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_TYPE_SIG, EVP_PKEY_CTRL_MD, 0, (void *)md);
|
||||
}
|
||||
@ -211,122 +242,98 @@ index 745e8a4..284e845 100644
|
||||
_goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(GO_EVP_PKEY_CTX * ctx, const GO_EVP_MD *md) {
|
||||
return _goboringcrypto_EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
|
||||
diff --git a/src/crypto/internal/boring/openssl_port_rsa.c b/src/crypto/internal/boring/openssl_port_rsa.c
|
||||
index a8d047d..1936d5d 100644
|
||||
index 92fbb36..781975c 100644
|
||||
--- a/src/crypto/internal/boring/openssl_port_rsa.c
|
||||
+++ b/src/crypto/internal/boring/openssl_port_rsa.c
|
||||
@@ -83,34 +83,51 @@ int _goboringcrypto_RSA_sign_pss_mgf1(GO_RSA *rsa, unsigned int *out_len, uint8_
|
||||
return 0;
|
||||
@@ -91,31 +91,40 @@ int _goboringcrypto_RSA_sign_pss_mgf1(GO_RSA *rsa, unsigned int *out_len, uint8_
|
||||
|
||||
if (_goboringcrypto_EVP_PKEY_set1_RSA(pkey, rsa) <= 0)
|
||||
- return 0;
|
||||
+ return -1;
|
||||
|
||||
goto err;
|
||||
-
|
||||
+
|
||||
ctx = _goboringcrypto_EVP_PKEY_CTX_new(pkey, NULL /* no engine */);
|
||||
if (!ctx)
|
||||
- return 0;
|
||||
+ return -2;
|
||||
|
||||
int ret = 0;
|
||||
goto err;
|
||||
|
||||
- if (_goboringcrypto_EVP_PKEY_sign_init(ctx) <= 0)
|
||||
- goto err;
|
||||
- if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PSS_PADDING) <= 0)
|
||||
+ if (_goboringcrypto_EVP_PKEY_sign_init(ctx) <= 0) {
|
||||
+ ret = -3;
|
||||
goto err;
|
||||
- if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, salt_len) <= 0)
|
||||
+ }
|
||||
+ // This is moved earlier because openssl 3.0 alpha defaults
|
||||
+ // to sha1 in EVP_PKEY_CTRL_RSA_PADDING if unset and produces an error
|
||||
+ if (_goboringcrypto_EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) {
|
||||
+ ret = -4;
|
||||
goto err;
|
||||
- if (_goboringcrypto_EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0)
|
||||
+ }
|
||||
+ if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PSS_PADDING) <= 0) {
|
||||
+ ret = -5;
|
||||
goto err;
|
||||
- if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, mgf1_md) <= 0)
|
||||
+ }
|
||||
+ if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, salt_len) <= 0) {
|
||||
+ ret = -6;
|
||||
goto err;
|
||||
-
|
||||
-
|
||||
+ }
|
||||
+ // doesnt take null anymore
|
||||
+ if (mgf1_md)
|
||||
+ if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, mgf1_md) <= 0) {
|
||||
+ ret = -7;
|
||||
+ goto err;
|
||||
+ }
|
||||
/* Determine buffer length */
|
||||
- if (_goboringcrypto_EVP_PKEY_sign(ctx, NULL, &siglen, in, in_len) <= 0)
|
||||
+ if (_goboringcrypto_EVP_PKEY_sign(ctx, NULL, &siglen, in, in_len) <= 0) {
|
||||
+ ret = -8;
|
||||
goto err;
|
||||
-
|
||||
- if (max_out < siglen)
|
||||
+ }
|
||||
+ if (max_out < siglen) {
|
||||
+ ret = -9;
|
||||
goto err;
|
||||
-
|
||||
- if (_goboringcrypto_EVP_PKEY_sign(ctx, out, &siglen, in, in_len) <= 0)
|
||||
+ }
|
||||
+ if (_goboringcrypto_EVP_PKEY_sign(ctx, out, &siglen, in, in_len) <= 0) {
|
||||
+ ret = -10;
|
||||
goto err;
|
||||
+ }
|
||||
|
||||
*out_len = siglen;
|
||||
ret = 1;
|
||||
@@ -130,27 +147,41 @@ int _goboringcrypto_RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg, unsigned i
|
||||
|
||||
pkey = _goboringcrypto_EVP_PKEY_new();
|
||||
if (!pkey)
|
||||
- return 0;
|
||||
+ return -1;
|
||||
@@ -142,23 +151,31 @@ int _goboringcrypto_RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg, unsigned i
|
||||
|
||||
if (_goboringcrypto_EVP_PKEY_set1_RSA(pkey, rsa) <= 0)
|
||||
- return 0;
|
||||
+ return -2;
|
||||
|
||||
goto err;
|
||||
-
|
||||
+
|
||||
ctx = _goboringcrypto_EVP_PKEY_CTX_new(pkey, NULL /* no engine */);
|
||||
if (!ctx)
|
||||
- return 0;
|
||||
+ return -3;
|
||||
goto err;
|
||||
|
||||
- if (_goboringcrypto_EVP_PKEY_verify_init(ctx) <= 0)
|
||||
- goto err;
|
||||
- if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PSS_PADDING) <= 0)
|
||||
+ if (_goboringcrypto_EVP_PKEY_verify_init(ctx) <= 0) {
|
||||
+ ret = -4;
|
||||
goto err;
|
||||
- if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PSS_PADDING) <= 0)
|
||||
- goto err;
|
||||
- if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, salt_len) <= 0)
|
||||
+ }
|
||||
+ if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PSS_PADDING) <= 0) {
|
||||
+ ret = -5;
|
||||
goto err;
|
||||
- if (_goboringcrypto_EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0)
|
||||
+ }
|
||||
+ if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, salt_len) <= 0) {
|
||||
+ ret = -6;
|
||||
goto err;
|
||||
- if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, mgf1_md) <= 0)
|
||||
+ }
|
||||
+ if (_goboringcrypto_EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) {
|
||||
+ ret = -7;
|
||||
goto err;
|
||||
- if (_goboringcrypto_EVP_PKEY_verify(ctx, sig, sig_len, msg, msg_len) <= 0)
|
||||
+ }
|
||||
+ // doesnt take null anymore
|
||||
+ if (mgf1_md)
|
||||
+ if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, mgf1_md) <= 0) {
|
||||
+ ret = -8;
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (_goboringcrypto_EVP_PKEY_verify(ctx, sig, sig_len, msg, msg_len) <= 0) {
|
||||
+ ret = -9;
|
||||
goto err;
|
||||
+ }
|
||||
|
||||
@ -346,10 +353,21 @@ index ff5c439..6047d65 100644
|
||||
return len(b), nil
|
||||
}
|
||||
diff --git a/src/crypto/internal/boring/rsa.go b/src/crypto/internal/boring/rsa.go
|
||||
index 0223243..b72af0d 100644
|
||||
index b3a907f..b74e7a9 100644
|
||||
--- a/src/crypto/internal/boring/rsa.go
|
||||
+++ b/src/crypto/internal/boring/rsa.go
|
||||
@@ -141,7 +141,7 @@ func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
|
||||
@@ -120,7 +120,9 @@ func (k *PrivateKeyRSA) withKey(f func(*C.GO_RSA) C.int) C.int {
|
||||
|
||||
func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
|
||||
padding C.int, h hash.Hash, label []byte, saltLen int, ch crypto.Hash,
|
||||
- init func(*C.GO_EVP_PKEY_CTX) C.int) (pkey *C.GO_EVP_PKEY, ctx *C.GO_EVP_PKEY_CTX, err error) {
|
||||
+ init func(*C.GO_EVP_PKEY_CTX) C.int) (_pkey *C.GO_EVP_PKEY, _ctx *C.GO_EVP_PKEY_CTX, err error) {
|
||||
+ var pkey *C.GO_EVP_PKEY
|
||||
+ var ctx *C.GO_EVP_PKEY_CTX
|
||||
defer func() {
|
||||
if err != nil {
|
||||
if pkey != nil {
|
||||
@@ -141,7 +143,7 @@ func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
|
||||
if withKey(func(key *C.GO_RSA) C.int {
|
||||
return C._goboringcrypto_EVP_PKEY_set1_RSA(pkey, key)
|
||||
}) == 0 {
|
||||
@ -358,16 +376,36 @@ index 0223243..b72af0d 100644
|
||||
}
|
||||
ctx = C._goboringcrypto_EVP_PKEY_CTX_new(pkey, nil)
|
||||
if ctx == nil {
|
||||
@@ -164,7 +164,7 @@ func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
|
||||
@@ -162,23 +164,12 @@ func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
|
||||
return nil, nil, NewOpenSSLError("EVP_PKEY_set_rsa_oaep_md failed")
|
||||
}
|
||||
// ctx takes ownership of label, so malloc a copy for BoringCrypto to free.
|
||||
clabel := (*C.uint8_t)(C.malloc(C.size_t(len(label))))
|
||||
if clabel == nil {
|
||||
- return nil, nil, fail("OPENSSL_malloc")
|
||||
- var clabel *C.uint8_t
|
||||
- clabel = nil
|
||||
- // OpenSSL 1.1.1 does not take ownership of the label if the length is zero.
|
||||
- // Depending on the malloc implementation, if clabel is allocated with malloc(0),
|
||||
- // metadata for the size-zero allocation is never cleaned up, which is a memory leak.
|
||||
- // As such, we must only allocate clabel if the label is of non zero length.
|
||||
- if len(label) > 0 {
|
||||
- clabel = (*C.uint8_t)(C.malloc(C.size_t(len(label))))
|
||||
- if clabel == nil {
|
||||
- return nil, nil, fail("OPENSSL_malloc")
|
||||
- }
|
||||
- copy((*[1 << 30]byte)(unsafe.Pointer(clabel))[:len(label)], label)
|
||||
+ clabel := (*C.uint8_t)(C.malloc(C.size_t(len(label))))
|
||||
+ if clabel == nil {
|
||||
+ return nil, nil, NewOpenSSLError("OPENSSL_malloc")
|
||||
}
|
||||
copy((*[1 << 30]byte)(unsafe.Pointer(clabel))[:len(label)], label)
|
||||
if C._goboringcrypto_EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, clabel, C.int(len(label))) == 0 {
|
||||
@@ -265,12 +265,13 @@ func SignRSAPSS(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, saltLen int)
|
||||
- if C._goboringcrypto_EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, clabel, C.int(len(label))) != 1 {
|
||||
- if clabel != nil {
|
||||
- C.free(unsafe.Pointer(clabel))
|
||||
- }
|
||||
+ copy((*[1 << 30]byte)(unsafe.Pointer(clabel))[:len(label)], label)
|
||||
+ if C._goboringcrypto_EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, clabel, C.int(len(label))) == 0 {
|
||||
return nil, nil, NewOpenSSLError("EVP_PKEY_CTX_set0_rsa_oaep_label failed")
|
||||
}
|
||||
}
|
||||
@@ -276,12 +267,13 @@ func SignRSAPSS(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, saltLen int)
|
||||
}
|
||||
var out []byte
|
||||
var outLen C.uint
|
||||
@ -384,7 +422,7 @@ index 0223243..b72af0d 100644
|
||||
}
|
||||
|
||||
return out[:outLen], nil
|
||||
@@ -284,11 +285,12 @@ func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen
|
||||
@@ -295,11 +287,12 @@ func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen
|
||||
if saltLen == 0 {
|
||||
saltLen = -2 // auto-recover
|
||||
}
|
||||
@ -770,6 +808,27 @@ index 6a5a93f..2032b4b 100644
|
||||
}
|
||||
}
|
||||
}
|
||||
diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go
|
||||
index 24e2d22..1fd5a9a 100644
|
||||
--- a/src/crypto/rsa/rsa.go
|
||||
+++ b/src/crypto/rsa/rsa.go
|
||||
@@ -35,6 +35,7 @@ import (
|
||||
"crypto/internal/boring"
|
||||
"crypto/internal/randutil"
|
||||
"unsafe"
|
||||
+ "fmt"
|
||||
)
|
||||
|
||||
var bigZero = big.NewInt(0)
|
||||
@@ -664,7 +665,7 @@ func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext
|
||||
}
|
||||
out, err := boring.DecryptRSAOAEP(hash, bkey, ciphertext, label)
|
||||
if err != nil {
|
||||
- return nil, ErrDecryption
|
||||
+ return nil, fmt.Errorf("decryption error: %s", err)
|
||||
}
|
||||
return out, nil
|
||||
}
|
||||
diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go
|
||||
index d9693a7..cfe020e 100644
|
||||
--- a/src/crypto/rsa/rsa_test.go
|
||||
@ -1048,7 +1107,7 @@ index 94a24ff..577bc73 100644
|
||||
block, _ := pem.Decode([]byte(`
|
||||
-----BEGIN CERTIFICATE-----
|
||||
diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
|
||||
index a4053ab..aff4ff2 100644
|
||||
index 449379f..801a954 100644
|
||||
--- a/src/crypto/x509/x509_test.go
|
||||
+++ b/src/crypto/x509/x509_test.go
|
||||
@@ -151,6 +151,7 @@ func TestPKIXMismatchPublicKeyFormat(t *testing.T) {
|
||||
|
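Review bot: Returning `fmt.Errorf("decryption error: %s", err)` from DecryptOAEP in the new `crypto/rsa/rsa.go` hunk (`@@ -664,7 +665,7 @@`) leaks the OpenSSL failure reason to the caller and breaks the `ErrDecryption` contract: that sentinel is documented as deliberately vague to resist adaptive (padding-oracle style) attacks, and callers that test `err == ErrDecryption` or `errors.Is(err, ErrDecryption)` no longer match, because `%s` does not wrap. Whatever NewOpenSSLError puts into `err` is not visible here, but anything that distinguishes OpenSSL's decryption-failure paths should not reach application code, let alone a remote peer. I would keep `return nil, ErrDecryption` on the BoringCrypto path (logging the detail, if needed, stays internal) and drop the added `"fmt"` import, which would then be unused and is in any case placed after `"unsafe"` outside the goimports grouping. DecryptOAEP begins and ends outside the hunk, so the non-boring branch is not visible here.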
@ -96,7 +96,7 @@
|
||||
%endif
|
||||
|
||||
%global go_api 1.17
|
||||
%global go_version 1.17.5
|
||||
%global go_version 1.17.7
|
||||
%global pkg_release 1
|
||||
|
||||
Name: golang
|
||||
@ -522,6 +522,12 @@ cd ..
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Feb 17 2022 David Benoit <dbenoit@redhat.com> - 1.17.7-1
|
||||
- Rebase to Go 1.17.7
|
||||
- Update ecdsa tests to reject SHA1 signatures in boring mode
|
||||
- Resolves: rhbz#2025637
|
||||
- Resolves: rhbz#1975396
|
||||
|
||||
* Mon Dec 13 2021 Alejandro Sáez <asm@redhat.com> - 1.17.5-1
|
||||
- Rebase to Go 1.17.5
|
||||
- Add remove_waitgroup_misuse_tests patch
|
||||
|