From 3a0f5dedeb8e66a0d2ae02f55f568cbe06b9da88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20S=C3=A1ez?= Date: Mon, 13 Dec 2021 19:46:53 +0100 Subject: [PATCH] Rebase to Go 1.17.5 Add remove_waitgroup_misuse_tests patch Add remove_ed25519vectors_test.patch Remove FIPS checks to avoid issues in the CI Related: rhbz#2031116 Resolves: rhbz#2022829 Resolves: rhbz#2024687 Resolves: rhbz#2030851 Resolves: rhbz#2031253 --- .gitignore | 1 + golang.spec | 70 +++++-------- remove_ed25519vectors_test.patch | 128 +++++++++++++++++++++++ remove_waitgroup_misuse_tests.patch | 151 ++++++++++++++++++++++++++++ sources | 2 +- 5 files changed, 304 insertions(+), 48 deletions(-) create mode 100644 remove_ed25519vectors_test.patch create mode 100644 remove_waitgroup_misuse_tests.patch diff --git a/.gitignore b/.gitignore index 69db341..7efbb50 100644 --- a/.gitignore +++ b/.gitignore @@ -39,3 +39,4 @@ /go-go-1.16.6-2-openssl-fips.tar.gz /go-go-1.16.6-3-openssl-fips.tar.gz /go-go-1.17.2-1-openssl-fips.tar.gz +/go-go-1.17.5-1-openssl-fips.tar.gz diff --git a/golang.spec b/golang.spec index bcc88b4..711a3a5 100644 --- a/golang.spec +++ b/golang.spec @@ -96,7 +96,7 @@ %endif %global go_api 1.17 -%global go_version 1.17.2 +%global go_version 1.17.5 %global pkg_release 1 Name: golang @@ -147,6 +147,9 @@ Patch221: fix_TestScript_list_std.patch # Port to openssl 3.0 Patch1952381: rhbz1952381.patch +Patch222: remove_waitgroup_misuse_tests.patch +Patch223: remove_ed25519vectors_test.patch + # Having documentation separate was broken Obsoletes: %{name}-docs < 1.1-4 @@ -242,6 +245,10 @@ Requires: %{name} = %{version}-%{release} %patch1952381 -p1 +%patch222 -p1 + +%patch223 -p1 + cp %{SOURCE1} ./src/runtime/ %build @@ -440,61 +447,19 @@ export GO_TEST_RUN="" %if %{fail_on_tests} -TEST_BORING_CONFIGS=`mktemp -d` -TEST_BORING_CNF=$TEST_BORING_CONFIGS/openssl-boring.cnf -TEST_BORING_FIPS_CNF=$TEST_BORING_CONFIGS/fipsmodule.cnf -trap "rm -rf $TEST_BORING_CONFIGS" EXIT - -cp /etc/pki/tls/openssl.cnf $TEST_BORING_CNF -openssl fipsinstall -module /usr/lib64/ossl-modules/fips.so -out $TEST_BORING_FIPS_CNF - -cat > $TEST_BORING_CNF << EOM -openssl_conf = openssl_test - -[openssl_test] -providers = provider_test -alg_section = algorithm_test -ssl_conf = ssl_module - -[algorithm_test] -default_properties = fips=yes - -[provider_test] -default = default_sect - # The fips section name should match the section name inside the - # included fipsmodule.cnf. -fips = fips_sect -.include $TEST_BORING_FIPS_CNF - -[default_sect] -activate = 1 - -[ ssl_module ] - -system_default = crypto_policy - -[ crypto_policy ] - -.include = /etc/crypto-policies/back-ends/opensslcnf.config - -[ new_oids ] - -EOM - ./run.bash --no-rebuild -v -v -v -k $GO_TEST_RUN -export OPENSSL_CONF=$TEST_BORING_CNF +export OPENSSL_FORCE_FIPS_MODE=1 # Run tests with FIPS enabled. -export DISABLE_Ed25519_TEST="-run=!^TestEd25519Vectors$" pushd crypto # Run all crypto tests but skip TLS, we will run FIPS specific TLS tests later - GOLANG_FIPS=1 go test $(go list ./... | grep -v tls) -v $DISABLE_Ed25519_TEST + GOLANG_FIPS=1 go test $(go list ./... | grep -v tls) -v # Check that signature functions have parity between boring and notboring - CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v $DISABLE_Ed25519_TEST + CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v popd # Run all FIPS specific TLS tests pushd crypto/tls - GOLANG_FIPS=1 go test -v -run "Boring" $DISABLE_Ed25519_TEST + GOLANG_FIPS=1 go test -v -run "Boring" popd %else ./run.bash --no-rebuild -v -v -v -k || : @@ -557,6 +522,17 @@ cd .. %endif %changelog +* Mon Dec 13 2021 Alejandro Sáez - 1.17.5-1 +- Rebase to Go 1.17.5 +- Add remove_waitgroup_misuse_tests patch +- Add remove_ed25519vectors_test.patch +- Remove FIPS checks to avoid issues in the CI +- Related: rhbz#2031116 +- Resolves: rhbz#2022829 +- Resolves: rhbz#2024687 +- Resolves: rhbz#2030851 +- Resolves: rhbz#2031253 + * Wed Nov 03 2021 Alejandro Sáez - 1.17.2-1 - Rebase to Go 1.17.2 - Related: rhbz#2014087 diff --git a/remove_ed25519vectors_test.patch b/remove_ed25519vectors_test.patch new file mode 100644 index 0000000..45e3182 --- /dev/null +++ b/remove_ed25519vectors_test.patch @@ -0,0 +1,128 @@ +From d7cad65ab9179804e9f089ce97bc124e9ef79494 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Alejandro=20S=C3=A1ez?= +Date: Wed, 15 Dec 2021 16:02:15 +0100 +Subject: [PATCH] Remove ed25519vectors_test.go + +--- + src/crypto/ed25519/ed25519vectors_test.go | 109 ---------------------- + 1 file changed, 109 deletions(-) + delete mode 100644 src/crypto/ed25519/ed25519vectors_test.go + +diff --git a/src/crypto/ed25519/ed25519vectors_test.go b/src/crypto/ed25519/ed25519vectors_test.go +deleted file mode 100644 +index 74fcdcdf4e..0000000000 +--- a/src/crypto/ed25519/ed25519vectors_test.go ++++ /dev/null +@@ -1,109 +0,0 @@ +-// Copyright 2021 The Go Authors. All rights reserved. +-// Use of this source code is governed by a BSD-style +-// license that can be found in the LICENSE file. +- +-package ed25519_test +- +-import ( +- "crypto/ed25519" +- "encoding/hex" +- "encoding/json" +- "internal/testenv" +- "os" +- "os/exec" +- "path/filepath" +- "testing" +-) +- +-// TestEd25519Vectors runs a very large set of test vectors that exercise all +-// combinations of low-order points, low-order components, and non-canonical +-// encodings. These vectors lock in unspecified and spec-divergent behaviors in +-// edge cases that are not security relevant in most contexts, but that can +-// cause issues in consensus applications if changed. +-// +-// Our behavior matches the "classic" unwritten verification rules of the +-// "ref10" reference implementation. +-// +-// Note that although we test for these edge cases, they are not covered by the +-// Go 1 Compatibility Promise. Applications that need stable verification rules +-// should use github.com/hdevalence/ed25519consensus. +-// +-// See https://hdevalence.ca/blog/2020-10-04-its-25519am for more details. +-func TestEd25519Vectors(t *testing.T) { +- jsonVectors := downloadEd25519Vectors(t) +- var vectors []struct { +- A, R, S, M string +- Flags []string +- } +- if err := json.Unmarshal(jsonVectors, &vectors); err != nil { +- t.Fatal(err) +- } +- for i, v := range vectors { +- expectedToVerify := true +- for _, f := range v.Flags { +- switch f { +- // We use the simplified verification formula that doesn't multiply +- // by the cofactor, so any low order residue will cause the +- // signature not to verify. +- // +- // This is allowed, but not required, by RFC 8032. +- case "LowOrderResidue": +- expectedToVerify = false +- // Our point decoding allows non-canonical encodings (in violation +- // of RFC 8032) but R is not decoded: instead, R is recomputed and +- // compared bytewise against the canonical encoding. +- case "NonCanonicalR": +- expectedToVerify = false +- } +- } +- +- publicKey := decodeHex(t, v.A) +- signature := append(decodeHex(t, v.R), decodeHex(t, v.S)...) +- message := []byte(v.M) +- +- didVerify := ed25519.Verify(publicKey, message, signature) +- if didVerify && !expectedToVerify { +- t.Errorf("#%d: vector with flags %s unexpectedly verified", i, v.Flags) +- } +- if !didVerify && expectedToVerify { +- t.Errorf("#%d: vector with flags %s unexpectedly rejected", i, v.Flags) +- } +- } +-} +- +-func downloadEd25519Vectors(t *testing.T) []byte { +- testenv.MustHaveExternalNetwork(t) +- +- // Download the JSON test file from the GOPROXY with `go mod download`, +- // pinning the version so test and module caching works as expected. +- goTool := testenv.GoToolPath(t) +- path := "filippo.io/mostly-harmless/ed25519vectors@v0.0.0-20210322192420-30a2d7243a94" +- cmd := exec.Command(goTool, "mod", "download", "-json", path) +- // TODO: enable the sumdb once the TryBots proxy supports it. +- cmd.Env = append(os.Environ(), "GONOSUMDB=*") +- output, err := cmd.Output() +- if err != nil { +- t.Fatalf("failed to run `go mod download -json %s`, output: %s", path, output) +- } +- var dm struct { +- Dir string // absolute path to cached source root directory +- } +- if err := json.Unmarshal(output, &dm); err != nil { +- t.Fatal(err) +- } +- +- jsonVectors, err := os.ReadFile(filepath.Join(dm.Dir, "ed25519vectors.json")) +- if err != nil { +- t.Fatalf("failed to read ed25519vectors.json: %v", err) +- } +- return jsonVectors +-} +- +-func decodeHex(t *testing.T, s string) []byte { +- t.Helper() +- b, err := hex.DecodeString(s) +- if err != nil { +- t.Errorf("invalid hex: %v", err) +- } +- return b +-} +-- +2.33.1 + diff --git a/remove_waitgroup_misuse_tests.patch b/remove_waitgroup_misuse_tests.patch new file mode 100644 index 0000000..b643563 --- /dev/null +++ b/remove_waitgroup_misuse_tests.patch @@ -0,0 +1,151 @@ +diff --git a/src/sync/waitgroup_test.go b/src/sync/waitgroup_test.go +index c569e0faa2eb..4ded218d2d8d 100644 +--- a/src/sync/waitgroup_test.go ++++ b/src/sync/waitgroup_test.go +@@ -5,8 +5,6 @@ + package sync_test + + import ( +- "internal/race" +- "runtime" + . "sync" + "sync/atomic" + "testing" +@@ -48,12 +46,6 @@ func TestWaitGroup(t *testing.T) { + } + } + +-func knownRacy(t *testing.T) { +- if race.Enabled { +- t.Skip("skipping known-racy test under the race detector") +- } +-} +- + func TestWaitGroupMisuse(t *testing.T) { + defer func() { + err := recover() +@@ -68,124 +60,6 @@ func TestWaitGroupMisuse(t *testing.T) { + t.Fatal("Should panic") + } + +-// pollUntilEqual blocks until v, loaded atomically, is +-// equal to the target. +-func pollUntilEqual(v *uint32, target uint32) { +- for { +- for i := 0; i < 1e3; i++ { +- if atomic.LoadUint32(v) == target { +- return +- } +- } +- // yield to avoid deadlock with the garbage collector +- // see issue #20072 +- runtime.Gosched() +- } +-} +- +-func TestWaitGroupMisuse2(t *testing.T) { +- knownRacy(t) +- if runtime.NumCPU() <= 4 { +- t.Skip("NumCPU<=4, skipping: this test requires parallelism") +- } +- defer func() { +- err := recover() +- if err != "sync: negative WaitGroup counter" && +- err != "sync: WaitGroup misuse: Add called concurrently with Wait" && +- err != "sync: WaitGroup is reused before previous Wait has returned" { +- t.Fatalf("Unexpected panic: %#v", err) +- } +- }() +- defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(4)) +- done := make(chan interface{}, 2) +- // The detection is opportunistic, so we want it to panic +- // at least in one run out of a million. +- for i := 0; i < 1e6; i++ { +- var wg WaitGroup +- var here uint32 +- wg.Add(1) +- go func() { +- defer func() { +- done <- recover() +- }() +- atomic.AddUint32(&here, 1) +- pollUntilEqual(&here, 3) +- wg.Wait() +- }() +- go func() { +- defer func() { +- done <- recover() +- }() +- atomic.AddUint32(&here, 1) +- pollUntilEqual(&here, 3) +- wg.Add(1) // This is the bad guy. +- wg.Done() +- }() +- atomic.AddUint32(&here, 1) +- pollUntilEqual(&here, 3) +- wg.Done() +- for j := 0; j < 2; j++ { +- if err := <-done; err != nil { +- panic(err) +- } +- } +- } +- t.Fatal("Should panic") +-} +- +-func TestWaitGroupMisuse3(t *testing.T) { +- knownRacy(t) +- if runtime.NumCPU() <= 1 { +- t.Skip("NumCPU==1, skipping: this test requires parallelism") +- } +- defer func() { +- err := recover() +- if err != "sync: negative WaitGroup counter" && +- err != "sync: WaitGroup misuse: Add called concurrently with Wait" && +- err != "sync: WaitGroup is reused before previous Wait has returned" { +- t.Fatalf("Unexpected panic: %#v", err) +- } +- }() +- defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(4)) +- done := make(chan interface{}, 3) +- // The detection is opportunistically, so we want it to panic +- // at least in one run out of a million. +- for i := 0; i < 1e6; i++ { +- var wg WaitGroup +- wg.Add(1) +- go func() { +- defer func() { +- done <- recover() +- }() +- wg.Done() +- }() +- go func() { +- defer func() { +- done <- recover() +- }() +- wg.Wait() +- // Start reusing the wg before waiting for the Wait below to return. +- wg.Add(1) +- go func() { +- wg.Done() +- }() +- wg.Wait() +- }() +- go func() { +- defer func() { +- done <- recover() +- }() +- wg.Wait() +- }() +- for j := 0; j < 3; j++ { +- if err := <-done; err != nil { +- panic(err) +- } +- } +- } +- t.Fatal("Should panic") +-} +- + func TestWaitGroupRace(t *testing.T) { + // Run this test for about 1ms. + for i := 0; i < 1000; i++ { diff --git a/sources b/sources index 7267649..c7d62fe 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (go-go-1.17.2-1-openssl-fips.tar.gz) = dc0ff0b9cc85ec874bf48f42b61d8394ae16787d708c4b2255115d0f8d99bcc4ad2684392f79001a10dab803e6b7f7fee961ece415ad20176eab61bc7d9ee788 +SHA512 (go-go-1.17.5-1-openssl-fips.tar.gz) = c73f0909b614fcc098c3bce48dbea97cc1638a69189d5326a4745c1a2120af290878e36f69391ab1b0c3c6f5fb23c7b179e7cf61e7db47372fa0d751b48345cc