Rebase to Go 1.17.5
Add remove_waitgroup_misuse_tests patch Add remove_ed25519vectors_test.patch Remove FIPS checks to avoid issues in the CI Related: rhbz#2031116 Resolves: rhbz#2022829 Resolves: rhbz#2024687 Resolves: rhbz#2030851 Resolves: rhbz#2031253
This commit is contained in:
parent
bf182b7c2e
commit
3a0f5dedeb
1
.gitignore
vendored
1
.gitignore
vendored
@ -39,3 +39,4 @@
|
|||||||
/go-go-1.16.6-2-openssl-fips.tar.gz
|
/go-go-1.16.6-2-openssl-fips.tar.gz
|
||||||
/go-go-1.16.6-3-openssl-fips.tar.gz
|
/go-go-1.16.6-3-openssl-fips.tar.gz
|
||||||
/go-go-1.17.2-1-openssl-fips.tar.gz
|
/go-go-1.17.2-1-openssl-fips.tar.gz
|
||||||
|
/go-go-1.17.5-1-openssl-fips.tar.gz
|
||||||
|
70
golang.spec
70
golang.spec
@ -96,7 +96,7 @@
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%global go_api 1.17
|
%global go_api 1.17
|
||||||
%global go_version 1.17.2
|
%global go_version 1.17.5
|
||||||
%global pkg_release 1
|
%global pkg_release 1
|
||||||
|
|
||||||
Name: golang
|
Name: golang
|
||||||
@ -147,6 +147,9 @@ Patch221: fix_TestScript_list_std.patch
|
|||||||
# Port to openssl 3.0
|
# Port to openssl 3.0
|
||||||
Patch1952381: rhbz1952381.patch
|
Patch1952381: rhbz1952381.patch
|
||||||
|
|
||||||
|
Patch222: remove_waitgroup_misuse_tests.patch
|
||||||
|
Patch223: remove_ed25519vectors_test.patch
|
||||||
|
|
||||||
# Having documentation separate was broken
|
# Having documentation separate was broken
|
||||||
Obsoletes: %{name}-docs < 1.1-4
|
Obsoletes: %{name}-docs < 1.1-4
|
||||||
|
|
||||||
@ -242,6 +245,10 @@ Requires: %{name} = %{version}-%{release}
|
|||||||
|
|
||||||
%patch1952381 -p1
|
%patch1952381 -p1
|
||||||
|
|
||||||
|
%patch222 -p1
|
||||||
|
|
||||||
|
%patch223 -p1
|
||||||
|
|
||||||
cp %{SOURCE1} ./src/runtime/
|
cp %{SOURCE1} ./src/runtime/
|
||||||
|
|
||||||
%build
|
%build
|
||||||
@ -440,61 +447,19 @@ export GO_TEST_RUN=""
|
|||||||
|
|
||||||
%if %{fail_on_tests}
|
%if %{fail_on_tests}
|
||||||
|
|
||||||
TEST_BORING_CONFIGS=`mktemp -d`
|
|
||||||
TEST_BORING_CNF=$TEST_BORING_CONFIGS/openssl-boring.cnf
|
|
||||||
TEST_BORING_FIPS_CNF=$TEST_BORING_CONFIGS/fipsmodule.cnf
|
|
||||||
trap "rm -rf $TEST_BORING_CONFIGS" EXIT
|
|
||||||
|
|
||||||
cp /etc/pki/tls/openssl.cnf $TEST_BORING_CNF
|
|
||||||
openssl fipsinstall -module /usr/lib64/ossl-modules/fips.so -out $TEST_BORING_FIPS_CNF
|
|
||||||
|
|
||||||
cat > $TEST_BORING_CNF << EOM
|
|
||||||
openssl_conf = openssl_test
|
|
||||||
|
|
||||||
[openssl_test]
|
|
||||||
providers = provider_test
|
|
||||||
alg_section = algorithm_test
|
|
||||||
ssl_conf = ssl_module
|
|
||||||
|
|
||||||
[algorithm_test]
|
|
||||||
default_properties = fips=yes
|
|
||||||
|
|
||||||
[provider_test]
|
|
||||||
default = default_sect
|
|
||||||
# The fips section name should match the section name inside the
|
|
||||||
# included fipsmodule.cnf.
|
|
||||||
fips = fips_sect
|
|
||||||
.include $TEST_BORING_FIPS_CNF
|
|
||||||
|
|
||||||
[default_sect]
|
|
||||||
activate = 1
|
|
||||||
|
|
||||||
[ ssl_module ]
|
|
||||||
|
|
||||||
system_default = crypto_policy
|
|
||||||
|
|
||||||
[ crypto_policy ]
|
|
||||||
|
|
||||||
.include = /etc/crypto-policies/back-ends/opensslcnf.config
|
|
||||||
|
|
||||||
[ new_oids ]
|
|
||||||
|
|
||||||
EOM
|
|
||||||
|
|
||||||
./run.bash --no-rebuild -v -v -v -k $GO_TEST_RUN
|
./run.bash --no-rebuild -v -v -v -k $GO_TEST_RUN
|
||||||
|
|
||||||
export OPENSSL_CONF=$TEST_BORING_CNF
|
export OPENSSL_FORCE_FIPS_MODE=1
|
||||||
# Run tests with FIPS enabled.
|
# Run tests with FIPS enabled.
|
||||||
export DISABLE_Ed25519_TEST="-run=!^TestEd25519Vectors$"
|
|
||||||
pushd crypto
|
pushd crypto
|
||||||
# Run all crypto tests but skip TLS, we will run FIPS specific TLS tests later
|
# Run all crypto tests but skip TLS, we will run FIPS specific TLS tests later
|
||||||
GOLANG_FIPS=1 go test $(go list ./... | grep -v tls) -v $DISABLE_Ed25519_TEST
|
GOLANG_FIPS=1 go test $(go list ./... | grep -v tls) -v
|
||||||
# Check that signature functions have parity between boring and notboring
|
# Check that signature functions have parity between boring and notboring
|
||||||
CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v $DISABLE_Ed25519_TEST
|
CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v
|
||||||
popd
|
popd
|
||||||
# Run all FIPS specific TLS tests
|
# Run all FIPS specific TLS tests
|
||||||
pushd crypto/tls
|
pushd crypto/tls
|
||||||
GOLANG_FIPS=1 go test -v -run "Boring" $DISABLE_Ed25519_TEST
|
GOLANG_FIPS=1 go test -v -run "Boring"
|
||||||
popd
|
popd
|
||||||
%else
|
%else
|
||||||
./run.bash --no-rebuild -v -v -v -k || :
|
./run.bash --no-rebuild -v -v -v -k || :
|
||||||
@ -557,6 +522,17 @@ cd ..
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Dec 13 2021 Alejandro Sáez <asm@redhat.com> - 1.17.5-1
|
||||||
|
- Rebase to Go 1.17.5
|
||||||
|
- Add remove_waitgroup_misuse_tests patch
|
||||||
|
- Add remove_ed25519vectors_test.patch
|
||||||
|
- Remove FIPS checks to avoid issues in the CI
|
||||||
|
- Related: rhbz#2031116
|
||||||
|
- Resolves: rhbz#2022829
|
||||||
|
- Resolves: rhbz#2024687
|
||||||
|
- Resolves: rhbz#2030851
|
||||||
|
- Resolves: rhbz#2031253
|
||||||
|
|
||||||
* Wed Nov 03 2021 Alejandro Sáez <asm@redhat.com> - 1.17.2-1
|
* Wed Nov 03 2021 Alejandro Sáez <asm@redhat.com> - 1.17.2-1
|
||||||
- Rebase to Go 1.17.2
|
- Rebase to Go 1.17.2
|
||||||
- Related: rhbz#2014087
|
- Related: rhbz#2014087
|
||||||
|
128
remove_ed25519vectors_test.patch
Normal file
128
remove_ed25519vectors_test.patch
Normal file
@ -0,0 +1,128 @@
|
|||||||
|
From d7cad65ab9179804e9f089ce97bc124e9ef79494 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Alejandro=20S=C3=A1ez?= <asm@redhat.com>
|
||||||
|
Date: Wed, 15 Dec 2021 16:02:15 +0100
|
||||||
|
Subject: [PATCH] Remove ed25519vectors_test.go
|
||||||
|
|
||||||
|
---
|
||||||
|
src/crypto/ed25519/ed25519vectors_test.go | 109 ----------------------
|
||||||
|
1 file changed, 109 deletions(-)
|
||||||
|
delete mode 100644 src/crypto/ed25519/ed25519vectors_test.go
|
||||||
|
|
||||||
|
diff --git a/src/crypto/ed25519/ed25519vectors_test.go b/src/crypto/ed25519/ed25519vectors_test.go
|
||||||
|
deleted file mode 100644
|
||||||
|
index 74fcdcdf4e..0000000000
|
||||||
|
--- a/src/crypto/ed25519/ed25519vectors_test.go
|
||||||
|
+++ /dev/null
|
||||||
|
@@ -1,109 +0,0 @@
|
||||||
|
-// Copyright 2021 The Go Authors. All rights reserved.
|
||||||
|
-// Use of this source code is governed by a BSD-style
|
||||||
|
-// license that can be found in the LICENSE file.
|
||||||
|
-
|
||||||
|
-package ed25519_test
|
||||||
|
-
|
||||||
|
-import (
|
||||||
|
- "crypto/ed25519"
|
||||||
|
- "encoding/hex"
|
||||||
|
- "encoding/json"
|
||||||
|
- "internal/testenv"
|
||||||
|
- "os"
|
||||||
|
- "os/exec"
|
||||||
|
- "path/filepath"
|
||||||
|
- "testing"
|
||||||
|
-)
|
||||||
|
-
|
||||||
|
-// TestEd25519Vectors runs a very large set of test vectors that exercise all
|
||||||
|
-// combinations of low-order points, low-order components, and non-canonical
|
||||||
|
-// encodings. These vectors lock in unspecified and spec-divergent behaviors in
|
||||||
|
-// edge cases that are not security relevant in most contexts, but that can
|
||||||
|
-// cause issues in consensus applications if changed.
|
||||||
|
-//
|
||||||
|
-// Our behavior matches the "classic" unwritten verification rules of the
|
||||||
|
-// "ref10" reference implementation.
|
||||||
|
-//
|
||||||
|
-// Note that although we test for these edge cases, they are not covered by the
|
||||||
|
-// Go 1 Compatibility Promise. Applications that need stable verification rules
|
||||||
|
-// should use github.com/hdevalence/ed25519consensus.
|
||||||
|
-//
|
||||||
|
-// See https://hdevalence.ca/blog/2020-10-04-its-25519am for more details.
|
||||||
|
-func TestEd25519Vectors(t *testing.T) {
|
||||||
|
- jsonVectors := downloadEd25519Vectors(t)
|
||||||
|
- var vectors []struct {
|
||||||
|
- A, R, S, M string
|
||||||
|
- Flags []string
|
||||||
|
- }
|
||||||
|
- if err := json.Unmarshal(jsonVectors, &vectors); err != nil {
|
||||||
|
- t.Fatal(err)
|
||||||
|
- }
|
||||||
|
- for i, v := range vectors {
|
||||||
|
- expectedToVerify := true
|
||||||
|
- for _, f := range v.Flags {
|
||||||
|
- switch f {
|
||||||
|
- // We use the simplified verification formula that doesn't multiply
|
||||||
|
- // by the cofactor, so any low order residue will cause the
|
||||||
|
- // signature not to verify.
|
||||||
|
- //
|
||||||
|
- // This is allowed, but not required, by RFC 8032.
|
||||||
|
- case "LowOrderResidue":
|
||||||
|
- expectedToVerify = false
|
||||||
|
- // Our point decoding allows non-canonical encodings (in violation
|
||||||
|
- // of RFC 8032) but R is not decoded: instead, R is recomputed and
|
||||||
|
- // compared bytewise against the canonical encoding.
|
||||||
|
- case "NonCanonicalR":
|
||||||
|
- expectedToVerify = false
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- publicKey := decodeHex(t, v.A)
|
||||||
|
- signature := append(decodeHex(t, v.R), decodeHex(t, v.S)...)
|
||||||
|
- message := []byte(v.M)
|
||||||
|
-
|
||||||
|
- didVerify := ed25519.Verify(publicKey, message, signature)
|
||||||
|
- if didVerify && !expectedToVerify {
|
||||||
|
- t.Errorf("#%d: vector with flags %s unexpectedly verified", i, v.Flags)
|
||||||
|
- }
|
||||||
|
- if !didVerify && expectedToVerify {
|
||||||
|
- t.Errorf("#%d: vector with flags %s unexpectedly rejected", i, v.Flags)
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-func downloadEd25519Vectors(t *testing.T) []byte {
|
||||||
|
- testenv.MustHaveExternalNetwork(t)
|
||||||
|
-
|
||||||
|
- // Download the JSON test file from the GOPROXY with `go mod download`,
|
||||||
|
- // pinning the version so test and module caching works as expected.
|
||||||
|
- goTool := testenv.GoToolPath(t)
|
||||||
|
- path := "filippo.io/mostly-harmless/ed25519vectors@v0.0.0-20210322192420-30a2d7243a94"
|
||||||
|
- cmd := exec.Command(goTool, "mod", "download", "-json", path)
|
||||||
|
- // TODO: enable the sumdb once the TryBots proxy supports it.
|
||||||
|
- cmd.Env = append(os.Environ(), "GONOSUMDB=*")
|
||||||
|
- output, err := cmd.Output()
|
||||||
|
- if err != nil {
|
||||||
|
- t.Fatalf("failed to run `go mod download -json %s`, output: %s", path, output)
|
||||||
|
- }
|
||||||
|
- var dm struct {
|
||||||
|
- Dir string // absolute path to cached source root directory
|
||||||
|
- }
|
||||||
|
- if err := json.Unmarshal(output, &dm); err != nil {
|
||||||
|
- t.Fatal(err)
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- jsonVectors, err := os.ReadFile(filepath.Join(dm.Dir, "ed25519vectors.json"))
|
||||||
|
- if err != nil {
|
||||||
|
- t.Fatalf("failed to read ed25519vectors.json: %v", err)
|
||||||
|
- }
|
||||||
|
- return jsonVectors
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-func decodeHex(t *testing.T, s string) []byte {
|
||||||
|
- t.Helper()
|
||||||
|
- b, err := hex.DecodeString(s)
|
||||||
|
- if err != nil {
|
||||||
|
- t.Errorf("invalid hex: %v", err)
|
||||||
|
- }
|
||||||
|
- return b
|
||||||
|
-}
|
||||||
|
--
|
||||||
|
2.33.1
|
||||||
|
|
151
remove_waitgroup_misuse_tests.patch
Normal file
151
remove_waitgroup_misuse_tests.patch
Normal file
@ -0,0 +1,151 @@
|
|||||||
|
diff --git a/src/sync/waitgroup_test.go b/src/sync/waitgroup_test.go
|
||||||
|
index c569e0faa2eb..4ded218d2d8d 100644
|
||||||
|
--- a/src/sync/waitgroup_test.go
|
||||||
|
+++ b/src/sync/waitgroup_test.go
|
||||||
|
@@ -5,8 +5,6 @@
|
||||||
|
package sync_test
|
||||||
|
|
||||||
|
import (
|
||||||
|
- "internal/race"
|
||||||
|
- "runtime"
|
||||||
|
. "sync"
|
||||||
|
"sync/atomic"
|
||||||
|
"testing"
|
||||||
|
@@ -48,12 +46,6 @@ func TestWaitGroup(t *testing.T) {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
-func knownRacy(t *testing.T) {
|
||||||
|
- if race.Enabled {
|
||||||
|
- t.Skip("skipping known-racy test under the race detector")
|
||||||
|
- }
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
func TestWaitGroupMisuse(t *testing.T) {
|
||||||
|
defer func() {
|
||||||
|
err := recover()
|
||||||
|
@@ -68,124 +60,6 @@ func TestWaitGroupMisuse(t *testing.T) {
|
||||||
|
t.Fatal("Should panic")
|
||||||
|
}
|
||||||
|
|
||||||
|
-// pollUntilEqual blocks until v, loaded atomically, is
|
||||||
|
-// equal to the target.
|
||||||
|
-func pollUntilEqual(v *uint32, target uint32) {
|
||||||
|
- for {
|
||||||
|
- for i := 0; i < 1e3; i++ {
|
||||||
|
- if atomic.LoadUint32(v) == target {
|
||||||
|
- return
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- // yield to avoid deadlock with the garbage collector
|
||||||
|
- // see issue #20072
|
||||||
|
- runtime.Gosched()
|
||||||
|
- }
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-func TestWaitGroupMisuse2(t *testing.T) {
|
||||||
|
- knownRacy(t)
|
||||||
|
- if runtime.NumCPU() <= 4 {
|
||||||
|
- t.Skip("NumCPU<=4, skipping: this test requires parallelism")
|
||||||
|
- }
|
||||||
|
- defer func() {
|
||||||
|
- err := recover()
|
||||||
|
- if err != "sync: negative WaitGroup counter" &&
|
||||||
|
- err != "sync: WaitGroup misuse: Add called concurrently with Wait" &&
|
||||||
|
- err != "sync: WaitGroup is reused before previous Wait has returned" {
|
||||||
|
- t.Fatalf("Unexpected panic: %#v", err)
|
||||||
|
- }
|
||||||
|
- }()
|
||||||
|
- defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(4))
|
||||||
|
- done := make(chan interface{}, 2)
|
||||||
|
- // The detection is opportunistic, so we want it to panic
|
||||||
|
- // at least in one run out of a million.
|
||||||
|
- for i := 0; i < 1e6; i++ {
|
||||||
|
- var wg WaitGroup
|
||||||
|
- var here uint32
|
||||||
|
- wg.Add(1)
|
||||||
|
- go func() {
|
||||||
|
- defer func() {
|
||||||
|
- done <- recover()
|
||||||
|
- }()
|
||||||
|
- atomic.AddUint32(&here, 1)
|
||||||
|
- pollUntilEqual(&here, 3)
|
||||||
|
- wg.Wait()
|
||||||
|
- }()
|
||||||
|
- go func() {
|
||||||
|
- defer func() {
|
||||||
|
- done <- recover()
|
||||||
|
- }()
|
||||||
|
- atomic.AddUint32(&here, 1)
|
||||||
|
- pollUntilEqual(&here, 3)
|
||||||
|
- wg.Add(1) // This is the bad guy.
|
||||||
|
- wg.Done()
|
||||||
|
- }()
|
||||||
|
- atomic.AddUint32(&here, 1)
|
||||||
|
- pollUntilEqual(&here, 3)
|
||||||
|
- wg.Done()
|
||||||
|
- for j := 0; j < 2; j++ {
|
||||||
|
- if err := <-done; err != nil {
|
||||||
|
- panic(err)
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- t.Fatal("Should panic")
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-func TestWaitGroupMisuse3(t *testing.T) {
|
||||||
|
- knownRacy(t)
|
||||||
|
- if runtime.NumCPU() <= 1 {
|
||||||
|
- t.Skip("NumCPU==1, skipping: this test requires parallelism")
|
||||||
|
- }
|
||||||
|
- defer func() {
|
||||||
|
- err := recover()
|
||||||
|
- if err != "sync: negative WaitGroup counter" &&
|
||||||
|
- err != "sync: WaitGroup misuse: Add called concurrently with Wait" &&
|
||||||
|
- err != "sync: WaitGroup is reused before previous Wait has returned" {
|
||||||
|
- t.Fatalf("Unexpected panic: %#v", err)
|
||||||
|
- }
|
||||||
|
- }()
|
||||||
|
- defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(4))
|
||||||
|
- done := make(chan interface{}, 3)
|
||||||
|
- // The detection is opportunistically, so we want it to panic
|
||||||
|
- // at least in one run out of a million.
|
||||||
|
- for i := 0; i < 1e6; i++ {
|
||||||
|
- var wg WaitGroup
|
||||||
|
- wg.Add(1)
|
||||||
|
- go func() {
|
||||||
|
- defer func() {
|
||||||
|
- done <- recover()
|
||||||
|
- }()
|
||||||
|
- wg.Done()
|
||||||
|
- }()
|
||||||
|
- go func() {
|
||||||
|
- defer func() {
|
||||||
|
- done <- recover()
|
||||||
|
- }()
|
||||||
|
- wg.Wait()
|
||||||
|
- // Start reusing the wg before waiting for the Wait below to return.
|
||||||
|
- wg.Add(1)
|
||||||
|
- go func() {
|
||||||
|
- wg.Done()
|
||||||
|
- }()
|
||||||
|
- wg.Wait()
|
||||||
|
- }()
|
||||||
|
- go func() {
|
||||||
|
- defer func() {
|
||||||
|
- done <- recover()
|
||||||
|
- }()
|
||||||
|
- wg.Wait()
|
||||||
|
- }()
|
||||||
|
- for j := 0; j < 3; j++ {
|
||||||
|
- if err := <-done; err != nil {
|
||||||
|
- panic(err)
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- t.Fatal("Should panic")
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
func TestWaitGroupRace(t *testing.T) {
|
||||||
|
// Run this test for about 1ms.
|
||||||
|
for i := 0; i < 1000; i++ {
|
2
sources
2
sources
@ -1 +1 @@
|
|||||||
SHA512 (go-go-1.17.2-1-openssl-fips.tar.gz) = dc0ff0b9cc85ec874bf48f42b61d8394ae16787d708c4b2255115d0f8d99bcc4ad2684392f79001a10dab803e6b7f7fee961ece415ad20176eab61bc7d9ee788
|
SHA512 (go-go-1.17.5-1-openssl-fips.tar.gz) = c73f0909b614fcc098c3bce48dbea97cc1638a69189d5326a4745c1a2120af290878e36f69391ab1b0c3c6f5fb23c7b179e7cf61e7db47372fa0d751b48345cc
|
||||||
|
Loading…
Reference in New Issue
Block a user