From 2d68bb23d6d7ca81fca76ab6a7b2c27159029a92 Mon Sep 17 00:00:00 2001
From: David Benoit
Date: Wed, 1 Mar 2023 10:59:19 -0500
Subject: [PATCH] Rebase to Go 1.19.6 Resolves: rhbz#2174429 Apply missing patch Resolves: rhbz#2157602 Enable tests in check phase
---
 .gitignore | 2 ++
 fix-memory-leak-evp-sign-verify.patch | 48 +++++++++++++++++++++++++++
 golang.spec | 43 +++++++++++++++---------
 sources | 4 +--
 4 files changed, 79 insertions(+), 18 deletions(-)
 create mode 100644 fix-memory-leak-evp-sign-verify.patch
diff --git a/.gitignore b/.gitignore
index 0998123..a13e508 100644
--- a/.gitignore
+++ b/.gitignore
@@ -50,3 +50,5 @@
 /go1.19.2.tar.gz
 /go1.19.4-1-openssl-fips.tar.gz
 /go1.19.4.tar.gz
+/go1.19.6.tar.gz
+/go1.19.6-1-openssl-fips.tar.gz
diff --git a/fix-memory-leak-evp-sign-verify.patch b/fix-memory-leak-evp-sign-verify.patch
new file mode 100644
index 0000000..ef231bf
--- /dev/null
+++ b/fix-memory-leak-evp-sign-verify.patch
@@ -0,0 +1,48 @@
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
+index 2124978..1f853b4 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
+@@ -44,7 +44,11 @@ int _goboringcrypto_EVP_sign_raw(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *m
+ GO_RSA *rsa_key) {
+ int ret = 0;
+ GO_EVP_PKEY *pk = _goboringcrypto_EVP_PKEY_new();
+- _goboringcrypto_EVP_PKEY_assign_RSA(pk, rsa_key);
++ if (!pk)
++ return 0;
++
++ if (!(_goboringcrypto_EVP_PKEY_set1_RSA(pk, rsa_key)))
++ goto err;
+
+ if (!ctx && !(ctx = _goboringcrypto_EVP_PKEY_CTX_new(pk, NULL)))
+ goto err;
+@@ -64,6 +68,8 @@ int _goboringcrypto_EVP_sign_raw(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *m
+ err:
+ if (ctx)
+ _goboringcrypto_EVP_PKEY_CTX_free(ctx);
++ if (pk)
++ _goboringcrypto_EVP_PKEY_free(pk);
+
+ return ret;
+ }
+@@ -104,7 +110,11 @@ int _goboringcrypto_EVP_verify_raw(const uint8_t *msg, size_t msgLen,
+ int ret = 0;
+ EVP_PKEY_CTX *ctx;
+ GO_EVP_PKEY *pk = _goboringcrypto_EVP_PKEY_new();
+- _goboringcrypto_EVP_PKEY_assign_RSA(pk, rsa_key);
++ if (!pk)
++ return 0;
++
++ if (!(_goboringcrypto_EVP_PKEY_set1_RSA(pk, rsa_key)))
++ goto err;
+
+ if (!(ctx = _goboringcrypto_EVP_PKEY_CTX_new(pk, NULL)))
+ goto err;
+@@ -124,6 +134,8 @@ int _goboringcrypto_EVP_verify_raw(const uint8_t *msg, size_t msgLen,
+ err:
+ if (ctx)
+ _goboringcrypto_EVP_PKEY_CTX_free(ctx);
++ if (pk)
++ _goboringcrypto_EVP_PKEY_free(pk);
+
+ return ret;
+ }
diff --git a/golang.spec b/golang.spec
index acc4947..de60f6c 100644
--- a/golang.spec
+++ b/golang.spec
@@ -96,7 +96,7 @@ %endif %global go_api 1.19
-%global go_version 1.19.4
+%global go_version 1.19.6
 %global version %{go_version} %global pkg_release 1
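Review bot: In the embedded patch's hunk for `_goboringcrypto_EVP_verify_raw` (`@@ -104,7 +110,11 @@`), the new `goto err` taken when `_goboringcrypto_EVP_PKEY_set1_RSA` fails runs before `ctx` has been assigned. `ctx` is declared as `EVP_PKEY_CTX *ctx;` with no initializer, so the `if (ctx)` test at `err:` reads an indeterminate pointer and may hand it to `_goboringcrypto_EVP_PKEY_CTX_free`. Declaring it as `EVP_PKEY_CTX *ctx = NULL;` makes that path safe. In `_goboringcrypto_EVP_sign_raw`, the early `return 0` on a NULL `pk` bypasses the `err:` cleanup that every other failure path uses, so a caller-supplied `ctx` is freed on some failures and not on this one. Using `goto err` there would keep the ownership behaviour uniform, but both function bodies continue outside the hunks, so this should be checked against the full file.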
@@ -147,15 +147,12 @@ Patch221: fix_TestScript_list_std.patch Patch1939923: skip_test_rhbz1939923.patch
-
 # Disables libc static linking tests which # are incompatible with dlopen in golang-fips Patch2: disable_static_tests_part1.patch Patch3: disable_static_tests_part2.patch
-# https://github.com/golang/go/issues/56834
-# https://github.com/golang/go/commit/1b4db7e46365bbbba479d0689c5699e6c0ba1142
-Patch4: ppc64le-internal-linker-fix.patch
+Patch4: fix-memory-leak-evp-sign-verify.patch
 # Having documentation separate was broken Obsoletes: %{name}-docs < 1.1-4
@@ -252,6 +249,12 @@ popd patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/000-initial-setup.patch patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/001-initial-openssl-for-fips.patch
+# Configure crypto tests
+pushd ../go-go%{version}-%{pkg_release}-openssl-fips
+ln -s ../go-go%{version} go
+./scripts/configure-crypto-tests.sh
+popd
+
 %patch2 -p1 %patch3 -p1 %patch4 -p1
@@ -458,18 +461,19 @@ export GO_TEST_RUN="" # Run tests with FIPS enabled. export GOLANG_FIPS=1
-#pushd crypto
-# # Run all crypto tests but skip TLS, we will run FIPS specific TLS tests later
-# go test $(go list ./... | grep -v tls) -v
-# # Check that signature functions have parity between boring and notboring
-# CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v
-#popd
-## Run all FIPS specific TLS tests
-#pushd crypto/tls
-# go test -v -run "Boring"
-#popd
+export OPENSSL_FORCE_FIPS_MODE=1
+pushd crypto
+ # Run all crypto tests but skip TLS, we will run FIPS specific TLS tests later
+ go test $(go list ./... | grep -v tls) -v
+ # Check that signature functions have parity between boring and notboring
+ CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v
+popd
+# Run all FIPS specific TLS tests
+pushd crypto/tls
+ go test -v -run "Boring"
+popd
 %else
-#./run.bash --no-rebuild -v -v -v -k || :
+./run.bash --no-rebuild -v -v -v -k || :
 %endif cd ..
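Review bot: The new `Patch4: fix-memory-leak-evp-sign-verify.patch` line has no comment saying where the patch comes from, whereas the entry it replaces carried upstream issue and commit links. A line above it such as `# Free the EVP_PKEY wrapper in EVP sign/verify raw (rhbz#2157602)` would keep its provenance traceable; the bug number is taken from the changelog entry and should be confirmed. The diffstat also lists no deletion of `ppc64le-internal-linker-fix.patch`, so that file appears to remain in the repository with nothing referencing it.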
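Review bot: The re-enabled `./run.bash --no-rebuild -v -v -v -k || :` in the `%else` branch of the `@@ -458,18 +461,19 @@` hunk still discards the exit status, so on that branch a failing test suite cannot fail the build even though the tests now run. Dropping `|| :`, or adding a comment on why failures are tolerated there, would make the check meaningful. In the FIPS branch, `go test $(go list ./... | grep -v tls) -v` takes its package list from a pipeline inside a command substitution. If `go list` fails, the shell does not see the error, the list is empty, and `go test -v` covers only the current directory. Capturing the list first, e.g. `pkgs=$(go list ./... | grep -v tls)` followed by `[ -n "$pkgs" ]`, would surface that case. The `%if` this `%else` belongs to is outside the hunk.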
@@ -529,6 +533,13 @@ cd .. %endif %changelog
+* Wed Mar 01 2023 David Benoit - 1.19.6-1
+- Rebase to Go 1.19.6
+- Resolves: rhbz#2174429
+- Fix memory leak
+- Resolves: rhbz#2157602
+- Enable tests in check phase
+
 * Wed Dec 21 2022 David Benoit - 1.19.4-1 - Rebase to Go 1.19.4 - Fix ppc64le linker issue
diff --git a/sources b/sources
index 98757a0..b945b19 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (go1.19.4-1-openssl-fips.tar.gz) = 03b85de8a672205d2a48d0b316b90e72cc1200b8d307d3e5fefd3adf07033346fa7d78319ab279492a8cfa9ef058468baf1d5134f47bd79bd6c71a2ee62c6dbc
-SHA512 (go1.19.4.tar.gz) = 7e60cbaa6332de2f269f28db17517b25ba954e2d8cd6b7aa9aeed8c396028d03e4b1fb1fa1d5bbbf62174e8bbbfac6f2de47e0c522d4f9c93712ec089fcdb4c7
+SHA512 (go1.19.6.tar.gz) = f8d5585f5ee9b6730eeb0251b482dd7b3858a0223fe841293546989667eb5018844c7fa20c4a533408fbc8276405886517588a17f618c40e95488ca9ecafba35
+SHA512 (go1.19.6-1-openssl-fips.tar.gz) = c60758adaaeba468d5e9cfa50c72b5155c85491c954d1cb75e03c7e3701a41577ccb92fe37681f04da60d57bfad4bcd7a19b233ce6cca944fe6ca076b4e81d90