Rebase to Go 1.17.5

Add remove_waitgroup_misuse_tests patch
Add remove_ed25519vectors_test.patch
Remove FIPS checks to avoid issues in the CI
Related: rhbz#2031116
Resolves: rhbz#2022829
Resolves: rhbz#2024687
Resolves: rhbz#2030851
Resolves: rhbz#2031253
This commit is contained in:
Alejandro Sáez 2021-12-13 19:46:53 +01:00
parent bf182b7c2e
commit 3a0f5dedeb
5 changed files with 304 additions and 48 deletions

1
.gitignore vendored
View File

@ -39,3 +39,4 @@
/go-go-1.16.6-2-openssl-fips.tar.gz
/go-go-1.16.6-3-openssl-fips.tar.gz
/go-go-1.17.2-1-openssl-fips.tar.gz
/go-go-1.17.5-1-openssl-fips.tar.gz

View File

@ -96,7 +96,7 @@
%endif
%global go_api 1.17
%global go_version 1.17.2
%global go_version 1.17.5
%global pkg_release 1
Name: golang
@ -147,6 +147,9 @@ Patch221: fix_TestScript_list_std.patch
# Port to openssl 3.0
Patch1952381: rhbz1952381.patch
Patch222: remove_waitgroup_misuse_tests.patch
Patch223: remove_ed25519vectors_test.patch
# Having documentation separate was broken
Obsoletes: %{name}-docs < 1.1-4
@ -242,6 +245,10 @@ Requires: %{name} = %{version}-%{release}
%patch1952381 -p1
%patch222 -p1
%patch223 -p1
cp %{SOURCE1} ./src/runtime/
%build
@ -440,61 +447,19 @@ export GO_TEST_RUN=""
%if %{fail_on_tests}
TEST_BORING_CONFIGS=`mktemp -d`
TEST_BORING_CNF=$TEST_BORING_CONFIGS/openssl-boring.cnf
TEST_BORING_FIPS_CNF=$TEST_BORING_CONFIGS/fipsmodule.cnf
trap "rm -rf $TEST_BORING_CONFIGS" EXIT
cp /etc/pki/tls/openssl.cnf $TEST_BORING_CNF
openssl fipsinstall -module /usr/lib64/ossl-modules/fips.so -out $TEST_BORING_FIPS_CNF
cat > $TEST_BORING_CNF << EOM
openssl_conf = openssl_test
[openssl_test]
providers = provider_test
alg_section = algorithm_test
ssl_conf = ssl_module
[algorithm_test]
default_properties = fips=yes
[provider_test]
default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
fips = fips_sect
.include $TEST_BORING_FIPS_CNF
[default_sect]
activate = 1
[ ssl_module ]
system_default = crypto_policy
[ crypto_policy ]
.include = /etc/crypto-policies/back-ends/opensslcnf.config
[ new_oids ]
EOM
./run.bash --no-rebuild -v -v -v -k $GO_TEST_RUN
export OPENSSL_CONF=$TEST_BORING_CNF
export OPENSSL_FORCE_FIPS_MODE=1
# Run tests with FIPS enabled.
export DISABLE_Ed25519_TEST="-run=!^TestEd25519Vectors$"
pushd crypto
# Run all crypto tests but skip TLS, we will run FIPS specific TLS tests later
GOLANG_FIPS=1 go test $(go list ./... | grep -v tls) -v $DISABLE_Ed25519_TEST
GOLANG_FIPS=1 go test $(go list ./... | grep -v tls) -v
# Check that signature functions have parity between boring and notboring
CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v $DISABLE_Ed25519_TEST
CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v
popd
# Run all FIPS specific TLS tests
pushd crypto/tls
GOLANG_FIPS=1 go test -v -run "Boring" $DISABLE_Ed25519_TEST
GOLANG_FIPS=1 go test -v -run "Boring"
popd
%else
./run.bash --no-rebuild -v -v -v -k || :
@ -557,6 +522,17 @@ cd ..
%endif
%changelog
* Mon Dec 13 2021 Alejandro Sáez <asm@redhat.com> - 1.17.5-1
- Rebase to Go 1.17.5
- Add remove_waitgroup_misuse_tests patch
- Add remove_ed25519vectors_test.patch
- Remove FIPS checks to avoid issues in the CI
- Related: rhbz#2031116
- Resolves: rhbz#2022829
- Resolves: rhbz#2024687
- Resolves: rhbz#2030851
- Resolves: rhbz#2031253
* Wed Nov 03 2021 Alejandro Sáez <asm@redhat.com> - 1.17.2-1
- Rebase to Go 1.17.2
- Related: rhbz#2014087

View File

@ -0,0 +1,128 @@
From d7cad65ab9179804e9f089ce97bc124e9ef79494 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20S=C3=A1ez?= <asm@redhat.com>
Date: Wed, 15 Dec 2021 16:02:15 +0100
Subject: [PATCH] Remove ed25519vectors_test.go
---
src/crypto/ed25519/ed25519vectors_test.go | 109 ----------------------
1 file changed, 109 deletions(-)
delete mode 100644 src/crypto/ed25519/ed25519vectors_test.go
diff --git a/src/crypto/ed25519/ed25519vectors_test.go b/src/crypto/ed25519/ed25519vectors_test.go
deleted file mode 100644
index 74fcdcdf4e..0000000000
--- a/src/crypto/ed25519/ed25519vectors_test.go
+++ /dev/null
@@ -1,109 +0,0 @@
-// Copyright 2021 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ed25519_test
-
-import (
- "crypto/ed25519"
- "encoding/hex"
- "encoding/json"
- "internal/testenv"
- "os"
- "os/exec"
- "path/filepath"
- "testing"
-)
-
-// TestEd25519Vectors runs a very large set of test vectors that exercise all
-// combinations of low-order points, low-order components, and non-canonical
-// encodings. These vectors lock in unspecified and spec-divergent behaviors in
-// edge cases that are not security relevant in most contexts, but that can
-// cause issues in consensus applications if changed.
-//
-// Our behavior matches the "classic" unwritten verification rules of the
-// "ref10" reference implementation.
-//
-// Note that although we test for these edge cases, they are not covered by the
-// Go 1 Compatibility Promise. Applications that need stable verification rules
-// should use github.com/hdevalence/ed25519consensus.
-//
-// See https://hdevalence.ca/blog/2020-10-04-its-25519am for more details.
-func TestEd25519Vectors(t *testing.T) {
- jsonVectors := downloadEd25519Vectors(t)
- var vectors []struct {
- A, R, S, M string
- Flags []string
- }
- if err := json.Unmarshal(jsonVectors, &vectors); err != nil {
- t.Fatal(err)
- }
- for i, v := range vectors {
- expectedToVerify := true
- for _, f := range v.Flags {
- switch f {
- // We use the simplified verification formula that doesn't multiply
- // by the cofactor, so any low order residue will cause the
- // signature not to verify.
- //
- // This is allowed, but not required, by RFC 8032.
- case "LowOrderResidue":
- expectedToVerify = false
- // Our point decoding allows non-canonical encodings (in violation
- // of RFC 8032) but R is not decoded: instead, R is recomputed and
- // compared bytewise against the canonical encoding.
- case "NonCanonicalR":
- expectedToVerify = false
- }
- }
-
- publicKey := decodeHex(t, v.A)
- signature := append(decodeHex(t, v.R), decodeHex(t, v.S)...)
- message := []byte(v.M)
-
- didVerify := ed25519.Verify(publicKey, message, signature)
- if didVerify && !expectedToVerify {
- t.Errorf("#%d: vector with flags %s unexpectedly verified", i, v.Flags)
- }
- if !didVerify && expectedToVerify {
- t.Errorf("#%d: vector with flags %s unexpectedly rejected", i, v.Flags)
- }
- }
-}
-
-func downloadEd25519Vectors(t *testing.T) []byte {
- testenv.MustHaveExternalNetwork(t)
-
- // Download the JSON test file from the GOPROXY with `go mod download`,
- // pinning the version so test and module caching works as expected.
- goTool := testenv.GoToolPath(t)
- path := "filippo.io/mostly-harmless/ed25519vectors@v0.0.0-20210322192420-30a2d7243a94"
- cmd := exec.Command(goTool, "mod", "download", "-json", path)
- // TODO: enable the sumdb once the TryBots proxy supports it.
- cmd.Env = append(os.Environ(), "GONOSUMDB=*")
- output, err := cmd.Output()
- if err != nil {
- t.Fatalf("failed to run `go mod download -json %s`, output: %s", path, output)
- }
- var dm struct {
- Dir string // absolute path to cached source root directory
- }
- if err := json.Unmarshal(output, &dm); err != nil {
- t.Fatal(err)
- }
-
- jsonVectors, err := os.ReadFile(filepath.Join(dm.Dir, "ed25519vectors.json"))
- if err != nil {
- t.Fatalf("failed to read ed25519vectors.json: %v", err)
- }
- return jsonVectors
-}
-
-func decodeHex(t *testing.T, s string) []byte {
- t.Helper()
- b, err := hex.DecodeString(s)
- if err != nil {
- t.Errorf("invalid hex: %v", err)
- }
- return b
-}
--
2.33.1

View File

@ -0,0 +1,151 @@
diff --git a/src/sync/waitgroup_test.go b/src/sync/waitgroup_test.go
index c569e0faa2eb..4ded218d2d8d 100644
--- a/src/sync/waitgroup_test.go
+++ b/src/sync/waitgroup_test.go
@@ -5,8 +5,6 @@
package sync_test
import (
- "internal/race"
- "runtime"
. "sync"
"sync/atomic"
"testing"
@@ -48,12 +46,6 @@ func TestWaitGroup(t *testing.T) {
}
}
-func knownRacy(t *testing.T) {
- if race.Enabled {
- t.Skip("skipping known-racy test under the race detector")
- }
-}
-
func TestWaitGroupMisuse(t *testing.T) {
defer func() {
err := recover()
@@ -68,124 +60,6 @@ func TestWaitGroupMisuse(t *testing.T) {
t.Fatal("Should panic")
}
-// pollUntilEqual blocks until v, loaded atomically, is
-// equal to the target.
-func pollUntilEqual(v *uint32, target uint32) {
- for {
- for i := 0; i < 1e3; i++ {
- if atomic.LoadUint32(v) == target {
- return
- }
- }
- // yield to avoid deadlock with the garbage collector
- // see issue #20072
- runtime.Gosched()
- }
-}
-
-func TestWaitGroupMisuse2(t *testing.T) {
- knownRacy(t)
- if runtime.NumCPU() <= 4 {
- t.Skip("NumCPU<=4, skipping: this test requires parallelism")
- }
- defer func() {
- err := recover()
- if err != "sync: negative WaitGroup counter" &&
- err != "sync: WaitGroup misuse: Add called concurrently with Wait" &&
- err != "sync: WaitGroup is reused before previous Wait has returned" {
- t.Fatalf("Unexpected panic: %#v", err)
- }
- }()
- defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(4))
- done := make(chan interface{}, 2)
- // The detection is opportunistic, so we want it to panic
- // at least in one run out of a million.
- for i := 0; i < 1e6; i++ {
- var wg WaitGroup
- var here uint32
- wg.Add(1)
- go func() {
- defer func() {
- done <- recover()
- }()
- atomic.AddUint32(&here, 1)
- pollUntilEqual(&here, 3)
- wg.Wait()
- }()
- go func() {
- defer func() {
- done <- recover()
- }()
- atomic.AddUint32(&here, 1)
- pollUntilEqual(&here, 3)
- wg.Add(1) // This is the bad guy.
- wg.Done()
- }()
- atomic.AddUint32(&here, 1)
- pollUntilEqual(&here, 3)
- wg.Done()
- for j := 0; j < 2; j++ {
- if err := <-done; err != nil {
- panic(err)
- }
- }
- }
- t.Fatal("Should panic")
-}
-
-func TestWaitGroupMisuse3(t *testing.T) {
- knownRacy(t)
- if runtime.NumCPU() <= 1 {
- t.Skip("NumCPU==1, skipping: this test requires parallelism")
- }
- defer func() {
- err := recover()
- if err != "sync: negative WaitGroup counter" &&
- err != "sync: WaitGroup misuse: Add called concurrently with Wait" &&
- err != "sync: WaitGroup is reused before previous Wait has returned" {
- t.Fatalf("Unexpected panic: %#v", err)
- }
- }()
- defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(4))
- done := make(chan interface{}, 3)
- // The detection is opportunistically, so we want it to panic
- // at least in one run out of a million.
- for i := 0; i < 1e6; i++ {
- var wg WaitGroup
- wg.Add(1)
- go func() {
- defer func() {
- done <- recover()
- }()
- wg.Done()
- }()
- go func() {
- defer func() {
- done <- recover()
- }()
- wg.Wait()
- // Start reusing the wg before waiting for the Wait below to return.
- wg.Add(1)
- go func() {
- wg.Done()
- }()
- wg.Wait()
- }()
- go func() {
- defer func() {
- done <- recover()
- }()
- wg.Wait()
- }()
- for j := 0; j < 3; j++ {
- if err := <-done; err != nil {
- panic(err)
- }
- }
- }
- t.Fatal("Should panic")
-}
-
func TestWaitGroupRace(t *testing.T) {
// Run this test for about 1ms.
for i := 0; i < 1000; i++ {

View File

@ -1 +1 @@
SHA512 (go-go-1.17.2-1-openssl-fips.tar.gz) = dc0ff0b9cc85ec874bf48f42b61d8394ae16787d708c4b2255115d0f8d99bcc4ad2684392f79001a10dab803e6b7f7fee961ece415ad20176eab61bc7d9ee788
SHA512 (go-go-1.17.5-1-openssl-fips.tar.gz) = c73f0909b614fcc098c3bce48dbea97cc1638a69189d5326a4745c1a2120af290878e36f69391ab1b0c3c6f5fb23c7b179e7cf61e7db47372fa0d751b48345cc