Rebase to Go 1.17.5
Add remove_waitgroup_misuse_tests patch Add remove_ed25519vectors_test.patch Remove FIPS checks to avoid issues in the CI Related: rhbz#2031116 Resolves: rhbz#2022829 Resolves: rhbz#2024687 Resolves: rhbz#2030851 Resolves: rhbz#2031253
This commit is contained in:
parent
bf182b7c2e
commit
3a0f5dedeb
1
.gitignore
vendored
1
.gitignore
vendored
@ -39,3 +39,4 @@
|
||||
/go-go-1.16.6-2-openssl-fips.tar.gz
|
||||
/go-go-1.16.6-3-openssl-fips.tar.gz
|
||||
/go-go-1.17.2-1-openssl-fips.tar.gz
|
||||
/go-go-1.17.5-1-openssl-fips.tar.gz
|
||||
|
70
golang.spec
70
golang.spec
@ -96,7 +96,7 @@
|
||||
%endif
|
||||
|
||||
%global go_api 1.17
|
||||
%global go_version 1.17.2
|
||||
%global go_version 1.17.5
|
||||
%global pkg_release 1
|
||||
|
||||
Name: golang
|
||||
@ -147,6 +147,9 @@ Patch221: fix_TestScript_list_std.patch
|
||||
# Port to openssl 3.0
|
||||
Patch1952381: rhbz1952381.patch
|
||||
|
||||
Patch222: remove_waitgroup_misuse_tests.patch
|
||||
Patch223: remove_ed25519vectors_test.patch
|
||||
|
||||
# Having documentation separate was broken
|
||||
Obsoletes: %{name}-docs < 1.1-4
|
||||
|
||||
@ -242,6 +245,10 @@ Requires: %{name} = %{version}-%{release}
|
||||
|
||||
%patch1952381 -p1
|
||||
|
||||
%patch222 -p1
|
||||
|
||||
%patch223 -p1
|
||||
|
||||
cp %{SOURCE1} ./src/runtime/
|
||||
|
||||
%build
|
||||
@ -440,61 +447,19 @@ export GO_TEST_RUN=""
|
||||
|
||||
%if %{fail_on_tests}
|
||||
|
||||
TEST_BORING_CONFIGS=`mktemp -d`
|
||||
TEST_BORING_CNF=$TEST_BORING_CONFIGS/openssl-boring.cnf
|
||||
TEST_BORING_FIPS_CNF=$TEST_BORING_CONFIGS/fipsmodule.cnf
|
||||
trap "rm -rf $TEST_BORING_CONFIGS" EXIT
|
||||
|
||||
cp /etc/pki/tls/openssl.cnf $TEST_BORING_CNF
|
||||
openssl fipsinstall -module /usr/lib64/ossl-modules/fips.so -out $TEST_BORING_FIPS_CNF
|
||||
|
||||
cat > $TEST_BORING_CNF << EOM
|
||||
openssl_conf = openssl_test
|
||||
|
||||
[openssl_test]
|
||||
providers = provider_test
|
||||
alg_section = algorithm_test
|
||||
ssl_conf = ssl_module
|
||||
|
||||
[algorithm_test]
|
||||
default_properties = fips=yes
|
||||
|
||||
[provider_test]
|
||||
default = default_sect
|
||||
# The fips section name should match the section name inside the
|
||||
# included fipsmodule.cnf.
|
||||
fips = fips_sect
|
||||
.include $TEST_BORING_FIPS_CNF
|
||||
|
||||
[default_sect]
|
||||
activate = 1
|
||||
|
||||
[ ssl_module ]
|
||||
|
||||
system_default = crypto_policy
|
||||
|
||||
[ crypto_policy ]
|
||||
|
||||
.include = /etc/crypto-policies/back-ends/opensslcnf.config
|
||||
|
||||
[ new_oids ]
|
||||
|
||||
EOM
|
||||
|
||||
./run.bash --no-rebuild -v -v -v -k $GO_TEST_RUN
|
||||
|
||||
export OPENSSL_CONF=$TEST_BORING_CNF
|
||||
export OPENSSL_FORCE_FIPS_MODE=1
|
||||
# Run tests with FIPS enabled.
|
||||
export DISABLE_Ed25519_TEST="-run=!^TestEd25519Vectors$"
|
||||
pushd crypto
|
||||
# Run all crypto tests but skip TLS, we will run FIPS specific TLS tests later
|
||||
GOLANG_FIPS=1 go test $(go list ./... | grep -v tls) -v $DISABLE_Ed25519_TEST
|
||||
GOLANG_FIPS=1 go test $(go list ./... | grep -v tls) -v
|
||||
# Check that signature functions have parity between boring and notboring
|
||||
CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v $DISABLE_Ed25519_TEST
|
||||
CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v
|
||||
popd
|
||||
# Run all FIPS specific TLS tests
|
||||
pushd crypto/tls
|
||||
GOLANG_FIPS=1 go test -v -run "Boring" $DISABLE_Ed25519_TEST
|
||||
GOLANG_FIPS=1 go test -v -run "Boring"
|
||||
popd
|
||||
%else
|
||||
./run.bash --no-rebuild -v -v -v -k || :
|
||||
@ -557,6 +522,17 @@ cd ..
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Dec 13 2021 Alejandro Sáez <asm@redhat.com> - 1.17.5-1
|
||||
- Rebase to Go 1.17.5
|
||||
- Add remove_waitgroup_misuse_tests patch
|
||||
- Add remove_ed25519vectors_test.patch
|
||||
- Remove FIPS checks to avoid issues in the CI
|
||||
- Related: rhbz#2031116
|
||||
- Resolves: rhbz#2022829
|
||||
- Resolves: rhbz#2024687
|
||||
- Resolves: rhbz#2030851
|
||||
- Resolves: rhbz#2031253
|
||||
|
||||
* Wed Nov 03 2021 Alejandro Sáez <asm@redhat.com> - 1.17.2-1
|
||||
- Rebase to Go 1.17.2
|
||||
- Related: rhbz#2014087
|
||||
|
128
remove_ed25519vectors_test.patch
Normal file
128
remove_ed25519vectors_test.patch
Normal file
@ -0,0 +1,128 @@
|
||||
From d7cad65ab9179804e9f089ce97bc124e9ef79494 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Alejandro=20S=C3=A1ez?= <asm@redhat.com>
|
||||
Date: Wed, 15 Dec 2021 16:02:15 +0100
|
||||
Subject: [PATCH] Remove ed25519vectors_test.go
|
||||
|
||||
---
|
||||
src/crypto/ed25519/ed25519vectors_test.go | 109 ----------------------
|
||||
1 file changed, 109 deletions(-)
|
||||
delete mode 100644 src/crypto/ed25519/ed25519vectors_test.go
|
||||
|
||||
diff --git a/src/crypto/ed25519/ed25519vectors_test.go b/src/crypto/ed25519/ed25519vectors_test.go
|
||||
deleted file mode 100644
|
||||
index 74fcdcdf4e..0000000000
|
||||
--- a/src/crypto/ed25519/ed25519vectors_test.go
|
||||
+++ /dev/null
|
||||
@@ -1,109 +0,0 @@
|
||||
-// Copyright 2021 The Go Authors. All rights reserved.
|
||||
-// Use of this source code is governed by a BSD-style
|
||||
-// license that can be found in the LICENSE file.
|
||||
-
|
||||
-package ed25519_test
|
||||
-
|
||||
-import (
|
||||
- "crypto/ed25519"
|
||||
- "encoding/hex"
|
||||
- "encoding/json"
|
||||
- "internal/testenv"
|
||||
- "os"
|
||||
- "os/exec"
|
||||
- "path/filepath"
|
||||
- "testing"
|
||||
-)
|
||||
-
|
||||
-// TestEd25519Vectors runs a very large set of test vectors that exercise all
|
||||
-// combinations of low-order points, low-order components, and non-canonical
|
||||
-// encodings. These vectors lock in unspecified and spec-divergent behaviors in
|
||||
-// edge cases that are not security relevant in most contexts, but that can
|
||||
-// cause issues in consensus applications if changed.
|
||||
-//
|
||||
-// Our behavior matches the "classic" unwritten verification rules of the
|
||||
-// "ref10" reference implementation.
|
||||
-//
|
||||
-// Note that although we test for these edge cases, they are not covered by the
|
||||
-// Go 1 Compatibility Promise. Applications that need stable verification rules
|
||||
-// should use github.com/hdevalence/ed25519consensus.
|
||||
-//
|
||||
-// See https://hdevalence.ca/blog/2020-10-04-its-25519am for more details.
|
||||
-func TestEd25519Vectors(t *testing.T) {
|
||||
- jsonVectors := downloadEd25519Vectors(t)
|
||||
- var vectors []struct {
|
||||
- A, R, S, M string
|
||||
- Flags []string
|
||||
- }
|
||||
- if err := json.Unmarshal(jsonVectors, &vectors); err != nil {
|
||||
- t.Fatal(err)
|
||||
- }
|
||||
- for i, v := range vectors {
|
||||
- expectedToVerify := true
|
||||
- for _, f := range v.Flags {
|
||||
- switch f {
|
||||
- // We use the simplified verification formula that doesn't multiply
|
||||
- // by the cofactor, so any low order residue will cause the
|
||||
- // signature not to verify.
|
||||
- //
|
||||
- // This is allowed, but not required, by RFC 8032.
|
||||
- case "LowOrderResidue":
|
||||
- expectedToVerify = false
|
||||
- // Our point decoding allows non-canonical encodings (in violation
|
||||
- // of RFC 8032) but R is not decoded: instead, R is recomputed and
|
||||
- // compared bytewise against the canonical encoding.
|
||||
- case "NonCanonicalR":
|
||||
- expectedToVerify = false
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- publicKey := decodeHex(t, v.A)
|
||||
- signature := append(decodeHex(t, v.R), decodeHex(t, v.S)...)
|
||||
- message := []byte(v.M)
|
||||
-
|
||||
- didVerify := ed25519.Verify(publicKey, message, signature)
|
||||
- if didVerify && !expectedToVerify {
|
||||
- t.Errorf("#%d: vector with flags %s unexpectedly verified", i, v.Flags)
|
||||
- }
|
||||
- if !didVerify && expectedToVerify {
|
||||
- t.Errorf("#%d: vector with flags %s unexpectedly rejected", i, v.Flags)
|
||||
- }
|
||||
- }
|
||||
-}
|
||||
-
|
||||
-func downloadEd25519Vectors(t *testing.T) []byte {
|
||||
- testenv.MustHaveExternalNetwork(t)
|
||||
-
|
||||
- // Download the JSON test file from the GOPROXY with `go mod download`,
|
||||
- // pinning the version so test and module caching works as expected.
|
||||
- goTool := testenv.GoToolPath(t)
|
||||
- path := "filippo.io/mostly-harmless/ed25519vectors@v0.0.0-20210322192420-30a2d7243a94"
|
||||
- cmd := exec.Command(goTool, "mod", "download", "-json", path)
|
||||
- // TODO: enable the sumdb once the TryBots proxy supports it.
|
||||
- cmd.Env = append(os.Environ(), "GONOSUMDB=*")
|
||||
- output, err := cmd.Output()
|
||||
- if err != nil {
|
||||
- t.Fatalf("failed to run `go mod download -json %s`, output: %s", path, output)
|
||||
- }
|
||||
- var dm struct {
|
||||
- Dir string // absolute path to cached source root directory
|
||||
- }
|
||||
- if err := json.Unmarshal(output, &dm); err != nil {
|
||||
- t.Fatal(err)
|
||||
- }
|
||||
-
|
||||
- jsonVectors, err := os.ReadFile(filepath.Join(dm.Dir, "ed25519vectors.json"))
|
||||
- if err != nil {
|
||||
- t.Fatalf("failed to read ed25519vectors.json: %v", err)
|
||||
- }
|
||||
- return jsonVectors
|
||||
-}
|
||||
-
|
||||
-func decodeHex(t *testing.T, s string) []byte {
|
||||
- t.Helper()
|
||||
- b, err := hex.DecodeString(s)
|
||||
- if err != nil {
|
||||
- t.Errorf("invalid hex: %v", err)
|
||||
- }
|
||||
- return b
|
||||
-}
|
||||
--
|
||||
2.33.1
|
||||
|
151
remove_waitgroup_misuse_tests.patch
Normal file
151
remove_waitgroup_misuse_tests.patch
Normal file
@ -0,0 +1,151 @@
|
||||
diff --git a/src/sync/waitgroup_test.go b/src/sync/waitgroup_test.go
|
||||
index c569e0faa2eb..4ded218d2d8d 100644
|
||||
--- a/src/sync/waitgroup_test.go
|
||||
+++ b/src/sync/waitgroup_test.go
|
||||
@@ -5,8 +5,6 @@
|
||||
package sync_test
|
||||
|
||||
import (
|
||||
- "internal/race"
|
||||
- "runtime"
|
||||
. "sync"
|
||||
"sync/atomic"
|
||||
"testing"
|
||||
@@ -48,12 +46,6 @@ func TestWaitGroup(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
-func knownRacy(t *testing.T) {
|
||||
- if race.Enabled {
|
||||
- t.Skip("skipping known-racy test under the race detector")
|
||||
- }
|
||||
-}
|
||||
-
|
||||
func TestWaitGroupMisuse(t *testing.T) {
|
||||
defer func() {
|
||||
err := recover()
|
||||
@@ -68,124 +60,6 @@ func TestWaitGroupMisuse(t *testing.T) {
|
||||
t.Fatal("Should panic")
|
||||
}
|
||||
|
||||
-// pollUntilEqual blocks until v, loaded atomically, is
|
||||
-// equal to the target.
|
||||
-func pollUntilEqual(v *uint32, target uint32) {
|
||||
- for {
|
||||
- for i := 0; i < 1e3; i++ {
|
||||
- if atomic.LoadUint32(v) == target {
|
||||
- return
|
||||
- }
|
||||
- }
|
||||
- // yield to avoid deadlock with the garbage collector
|
||||
- // see issue #20072
|
||||
- runtime.Gosched()
|
||||
- }
|
||||
-}
|
||||
-
|
||||
-func TestWaitGroupMisuse2(t *testing.T) {
|
||||
- knownRacy(t)
|
||||
- if runtime.NumCPU() <= 4 {
|
||||
- t.Skip("NumCPU<=4, skipping: this test requires parallelism")
|
||||
- }
|
||||
- defer func() {
|
||||
- err := recover()
|
||||
- if err != "sync: negative WaitGroup counter" &&
|
||||
- err != "sync: WaitGroup misuse: Add called concurrently with Wait" &&
|
||||
- err != "sync: WaitGroup is reused before previous Wait has returned" {
|
||||
- t.Fatalf("Unexpected panic: %#v", err)
|
||||
- }
|
||||
- }()
|
||||
- defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(4))
|
||||
- done := make(chan interface{}, 2)
|
||||
- // The detection is opportunistic, so we want it to panic
|
||||
- // at least in one run out of a million.
|
||||
- for i := 0; i < 1e6; i++ {
|
||||
- var wg WaitGroup
|
||||
- var here uint32
|
||||
- wg.Add(1)
|
||||
- go func() {
|
||||
- defer func() {
|
||||
- done <- recover()
|
||||
- }()
|
||||
- atomic.AddUint32(&here, 1)
|
||||
- pollUntilEqual(&here, 3)
|
||||
- wg.Wait()
|
||||
- }()
|
||||
- go func() {
|
||||
- defer func() {
|
||||
- done <- recover()
|
||||
- }()
|
||||
- atomic.AddUint32(&here, 1)
|
||||
- pollUntilEqual(&here, 3)
|
||||
- wg.Add(1) // This is the bad guy.
|
||||
- wg.Done()
|
||||
- }()
|
||||
- atomic.AddUint32(&here, 1)
|
||||
- pollUntilEqual(&here, 3)
|
||||
- wg.Done()
|
||||
- for j := 0; j < 2; j++ {
|
||||
- if err := <-done; err != nil {
|
||||
- panic(err)
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
- t.Fatal("Should panic")
|
||||
-}
|
||||
-
|
||||
-func TestWaitGroupMisuse3(t *testing.T) {
|
||||
- knownRacy(t)
|
||||
- if runtime.NumCPU() <= 1 {
|
||||
- t.Skip("NumCPU==1, skipping: this test requires parallelism")
|
||||
- }
|
||||
- defer func() {
|
||||
- err := recover()
|
||||
- if err != "sync: negative WaitGroup counter" &&
|
||||
- err != "sync: WaitGroup misuse: Add called concurrently with Wait" &&
|
||||
- err != "sync: WaitGroup is reused before previous Wait has returned" {
|
||||
- t.Fatalf("Unexpected panic: %#v", err)
|
||||
- }
|
||||
- }()
|
||||
- defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(4))
|
||||
- done := make(chan interface{}, 3)
|
||||
- // The detection is opportunistically, so we want it to panic
|
||||
- // at least in one run out of a million.
|
||||
- for i := 0; i < 1e6; i++ {
|
||||
- var wg WaitGroup
|
||||
- wg.Add(1)
|
||||
- go func() {
|
||||
- defer func() {
|
||||
- done <- recover()
|
||||
- }()
|
||||
- wg.Done()
|
||||
- }()
|
||||
- go func() {
|
||||
- defer func() {
|
||||
- done <- recover()
|
||||
- }()
|
||||
- wg.Wait()
|
||||
- // Start reusing the wg before waiting for the Wait below to return.
|
||||
- wg.Add(1)
|
||||
- go func() {
|
||||
- wg.Done()
|
||||
- }()
|
||||
- wg.Wait()
|
||||
- }()
|
||||
- go func() {
|
||||
- defer func() {
|
||||
- done <- recover()
|
||||
- }()
|
||||
- wg.Wait()
|
||||
- }()
|
||||
- for j := 0; j < 3; j++ {
|
||||
- if err := <-done; err != nil {
|
||||
- panic(err)
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
- t.Fatal("Should panic")
|
||||
-}
|
||||
-
|
||||
func TestWaitGroupRace(t *testing.T) {
|
||||
// Run this test for about 1ms.
|
||||
for i := 0; i < 1000; i++ {
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (go-go-1.17.2-1-openssl-fips.tar.gz) = dc0ff0b9cc85ec874bf48f42b61d8394ae16787d708c4b2255115d0f8d99bcc4ad2684392f79001a10dab803e6b7f7fee961ece415ad20176eab61bc7d9ee788
|
||||
SHA512 (go-go-1.17.5-1-openssl-fips.tar.gz) = c73f0909b614fcc098c3bce48dbea97cc1638a69189d5326a4745c1a2120af290878e36f69391ab1b0c3c6f5fb23c7b179e7cf61e7db47372fa0d751b48345cc
|
||||
|
Loading…
Reference in New Issue
Block a user