Import rpm: ec522a5d51384d88d0ee6bcc4755dee91a61007c

James Antill 2022-08-08 12:28:34 -04:00
commit 719e8af442
16 changed files with 2305 additions and 0 deletions

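--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/go1.18.2-1-openssl-fips.tar.gz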

65
README.md Normal file

@ -0,0 +1,65 @@
# Golang
## Introduction
This package holds the spec file and related patches for the Golang package.
The golang package is part of the larger go-toolset meta package.
## Sources
This particular branch provides Go 1.16.x. The sources for this branch can be
found at https://pagure.io/go/tree/go1.16-openssl-fips. The reason the source is
coming from a pagure fork as opposed to an upstream tarball is due to certain
patches we have written and currently maintain in order to claim FIPS compliance
by calling into OpenSSL. Shipping a forked version of the toolchain is not the
ideal scenario, and there is work in progress with upstream to enable us to
instead ship a pure upstream toolchain and include a crypto module in go-toolset
which will satisfy our FIPS requirements.
The current fork is based on an upstream branch[[0]] which uses
boringcrypto[[1]] instead of OpenSSL.
If you need to make changes to the source for a rebase or bug fix, check out the
pagure repo and switch to the branch listed above. Once you have made your
changes you can test them locally with `./all.bash`. You may want to export
`GOLANG_FIPS=1` before running that if you want to verify the FIPS codepaths are
correct. Please note however that the test suite does not fully expect FIPS
compliance, and will attempt to test non FIPS compliant code paths. The easiest
way to test your changes correctly is to create a tarball locally and execute a
mockbuild using this packge, which knows how to correctly run the testsuite in
both FIPS and non-FIPS modes.
NOTE: The way pagure previously handled uploaded releases has changed, and
releases must be tagged in the appropriate branch, from which pagure will
generate source tarballs.
## Testing & building changes
The first test you should run is a local mockbuild. This can be done with the
rhpkg command:
```
rhpkg mockbuild
```
Once everything builds and passes locally you'll likely want to perform a
scratch build. This will ensure that the changes you made build and run
correctly on all architectures that this package supports. The best way to do
this is to run a scratch build from your local sources without first having to
push them. This ensures your changes are correct before commiting them to the
repo. This can also be done via the following rhpkg command:
```
rhpkg scratch-build --srpm
```
Once your scratch build has passed you can execute a real build:
```
rhpkg build
```
---
[0] https://github.com/golang/go/tree/dev.boringcrypto
[1] https://opensource.google.com/projects/boringssl

289
cgo-lto-fix.patch Normal file

@ -0,0 +1,289 @@
From 24e9707cbfa6b1ed6abdd4b11f9ddaf3aac5ad88 Mon Sep 17 00:00:00 2001
From: Ian Lance Taylor <iant@golang.org>
Date: Tue, 25 May 2021 16:31:41 -0700
Subject: [PATCH] cmd/link, cmd/cgo: support -flto in CFLAGS
The linker now accepts unrecognized object files in external linking mode.
These objects will simply be passed to the external linker.
This permits using -flto which can generate pure byte code objects,
whose symbol table the linker does not know how to read.
The cgo tool now passes -fno-lto when generating objects whose symbols
it needs to read. The cgo tool now emits matching types in different
objects, so that the lto linker does not report a mismatch.
This is based on https://golang.org/cl/293290 by Derek Parker.
For #43505
Fixes #43830
Fixes #46295
Change-Id: I6787de213417466784ddef5af8899e453b4ae1ad
Reviewed-on: https://go-review.googlesource.com/c/go/+/322614
Trust: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Michael Hudson-Doyle <michael.hudson@canonical.com>
---
diff --git a/src/cmd/cgo/gcc.go b/src/cmd/cgo/gcc.go
index ae61725..a73e998 100644
--- a/src/cmd/cgo/gcc.go
+++ b/src/cmd/cgo/gcc.go
@@ -1638,6 +1638,8 @@
c = append(c, "-maix64")
c = append(c, "-mcmodel=large")
}
+ // disable LTO so we get an object whose symbols we can read
+ c = append(c, "-fno-lto")
c = append(c, "-") //read input from standard input
return c
}
diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go
index 8c31d5b..94152f4 100644
--- a/src/cmd/cgo/out.go
+++ b/src/cmd/cgo/out.go
@@ -168,8 +168,18 @@
if *gccgo {
fmt.Fprintf(fc, "extern byte *%s;\n", n.C)
} else {
- fmt.Fprintf(fm, "extern char %s[];\n", n.C)
- fmt.Fprintf(fm, "void *_cgohack_%s = %s;\n\n", n.C, n.C)
+ // Force a reference to all symbols so that
+ // the external linker will add DT_NEEDED
+ // entries as needed on ELF systems.
+ // Treat function variables differently
+ // to avoid type confict errors from LTO
+ // (Link Time Optimization).
+ if n.Kind == "fpvar" {
+ fmt.Fprintf(fm, "extern void %s();\n", n.C)
+ } else {
+ fmt.Fprintf(fm, "extern char %s[];\n", n.C)
+ fmt.Fprintf(fm, "void *_cgohack_%s = %s;\n\n", n.C, n.C)
+ }
fmt.Fprintf(fgo2, "//go:linkname __cgo_%s %s\n", n.C, n.C)
fmt.Fprintf(fgo2, "//go:cgo_import_static %s\n", n.C)
fmt.Fprintf(fgo2, "var __cgo_%s byte\n", n.C)
@@ -1042,7 +1052,7 @@
fmt.Fprintf(fgo2, "//go:cgo_export_static _cgoexp%s_%s\n", cPrefix, exp.ExpName)
fmt.Fprintf(fgo2, "func _cgoexp%s_%s(a *%s) {\n", cPrefix, exp.ExpName, gotype)
- fmt.Fprintf(fm, "int _cgoexp%s_%s;\n", cPrefix, exp.ExpName)
+ fmt.Fprintf(fm, "void _cgoexp%s_%s(void* p){}\n", cPrefix, exp.ExpName)
if gccResult != "void" {
// Write results back to frame.
diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go
index 50bf80b..bc49c6d 100644
--- a/src/cmd/dist/test.go
+++ b/src/cmd/dist/test.go
@@ -722,14 +722,29 @@
},
})
if t.hasCxx() {
- t.tests = append(t.tests, distTest{
- name: "swig_callback",
- heading: "../misc/swig/callback",
- fn: func(dt *distTest) error {
- t.addCmd(dt, "misc/swig/callback", t.goTest())
- return nil
+ t.tests = append(t.tests,
+ distTest{
+ name: "swig_callback",
+ heading: "../misc/swig/callback",
+ fn: func(dt *distTest) error {
+ t.addCmd(dt, "misc/swig/callback", t.goTest())
+ return nil
+ },
},
- })
+ distTest{
+ name: "swig_callback_lto",
+ heading: "../misc/swig/callback",
+ fn: func(dt *distTest) error {
+ cmd := t.addCmd(dt, "misc/swig/callback", t.goTest())
+ cmd.Env = append(os.Environ(),
+ "CGO_CFLAGS=-flto",
+ "CGO_CXXFLAGS=-flto",
+ "CGO_LDFLAGS=-flto",
+ )
+ return nil
+ },
+ },
+ )
}
}
}
diff --git a/src/cmd/go/testdata/script/cgo_lto2_issue43830.txt b/src/cmd/go/testdata/script/cgo_lto2_issue43830.txt
new file mode 100644
index 0000000..e2483ba
--- /dev/null
+++ b/src/cmd/go/testdata/script/cgo_lto2_issue43830.txt
@@ -0,0 +1,33 @@
+# tests golang.org/issue/43830
+
+[!cgo] skip 'skipping test without cgo'
+[openbsd] env CC='clang'
+[openbsd] [!exec:clang] skip 'skipping test without clang present'
+[!openbsd] env CC='gcc'
+[!openbsd] [!exec:gcc] skip 'skipping test without gcc present'
+
+env CGO_CFLAGS='-Wno-ignored-optimization-argument -flto -ffat-lto-objects'
+
+go build main.go
+
+-- main.go --
+
+package main
+
+import "fmt"
+
+// #include "hello.h"
+import "C"
+
+func main() {
+ hello := C.hello
+ fmt.Printf("%v\n", hello)
+}
+
+-- hello.h --
+
+#include <stdio.h>
+
+void hello(void) {
+ printf("hello\n");
+}
diff --git a/src/cmd/go/testdata/script/cgo_lto_issue43830.txt b/src/cmd/go/testdata/script/cgo_lto_issue43830.txt
new file mode 100644
index 0000000..06ab2f3
--- /dev/null
+++ b/src/cmd/go/testdata/script/cgo_lto_issue43830.txt
@@ -0,0 +1,39 @@
+# tests golang.org/issue/43830
+
+[!cgo] skip 'skipping test without cgo'
+[openbsd] env CC='clang'
+[openbsd] [!exec:clang] skip 'skipping test without clang present'
+[!openbsd] env CC='gcc'
+[!openbsd] [!exec:gcc] skip 'skipping test without gcc present'
+
+env CGO_CFLAGS='-Wno-ignored-optimization-argument -flto -ffat-lto-objects'
+
+go build main.go add.go
+
+-- main.go --
+
+package main
+
+/*
+int c_add(int a, int b) {
+ return myadd(a, b);
+}
+*/
+import "C"
+
+func main() {
+ println(C.c_add(1, 2))
+}
+
+-- add.go --
+
+package main
+
+import "C"
+
+/* test */
+
+//export myadd
+func myadd(a C.int, b C.int) C.int {
+ return a + b
+}
diff --git a/src/cmd/link/internal/ld/ar.go b/src/cmd/link/internal/ld/ar.go
index 22f53a4..23915f9 100644
--- a/src/cmd/link/internal/ld/ar.go
+++ b/src/cmd/link/internal/ld/ar.go
@@ -124,6 +124,10 @@
libgcc := sym.Library{Pkg: "libgcc"}
h := ldobj(ctxt, f, &libgcc, l, pname, name)
+ if h.ld == nil {
+ Errorf(nil, "%s unrecognized object file at offset %d", name, off)
+ continue
+ }
f.MustSeek(h.off, 0)
h.ld(ctxt, f, h.pkg, h.length, h.pn)
}
diff --git a/src/cmd/link/internal/ld/config.go b/src/cmd/link/internal/ld/config.go
index ae0d752..20f1d0b 100644
--- a/src/cmd/link/internal/ld/config.go
+++ b/src/cmd/link/internal/ld/config.go
@@ -241,6 +241,10 @@
return true, "dynamically linking with a shared library"
}
+ if unknownObjFormat {
+ return true, "some input objects have an unrecognized file format"
+ }
+
return false, ""
}
@@ -248,7 +252,7 @@
//
// It is called after flags are processed and inputs are processed,
// so the ctxt.LinkMode variable has an initial value from the -linkmode
-// flag and the iscgo externalobj variables are set.
+// flag and the iscgo, externalobj, and unknownObjFormat variables are set.
func determineLinkMode(ctxt *Link) {
extNeeded, extReason := mustLinkExternal(ctxt)
via := ""
diff --git a/src/cmd/link/internal/ld/lib.go b/src/cmd/link/internal/ld/lib.go
index e8f001b..644faeb 100644
--- a/src/cmd/link/internal/ld/lib.go
+++ b/src/cmd/link/internal/ld/lib.go
@@ -343,10 +343,16 @@
const pkgdef = "__.PKGDEF"
var (
- // Set if we see an object compiled by the host compiler that is not
- // from a package that is known to support internal linking mode.
+ // externalobj is set to true if we see an object compiled by
+ // the host compiler that is not from a package that is known
+ // to support internal linking mode.
externalobj = false
- theline string
+
+ // unknownObjFormat is set to true if we see an object whose
+ // format we don't recognize.
+ unknownObjFormat = false
+
+ theline string
)
func Lflag(ctxt *Link, arg string) {
@@ -1065,6 +1071,10 @@
}
f.MustSeek(h.off, 0)
+ if h.ld == nil {
+ Errorf(nil, "%s: unrecognized object file format", h.pn)
+ continue
+ }
h.ld(ctxt, f, h.pkg, h.length, h.pn)
f.Close()
}
@@ -1855,6 +1865,14 @@
return ldhostobj(ldxcoff, ctxt.HeadType, f, pkg, length, pn, file)
}
+ if c1 != 'g' || c2 != 'o' || c3 != ' ' || c4 != 'o' {
+ // An unrecognized object is just passed to the external linker.
+ // If we try to read symbols from this object, we will
+ // report an error at that time.
+ unknownObjFormat = true
+ return ldhostobj(nil, ctxt.HeadType, f, pkg, length, pn, file)
+ }
+
/* check the header */
line, err := f.ReadString('\n')
if err != nil {
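Review bot: In the `lib.go` hunk at `@@ -1065,6 +1071,10 @@`, the new `h.ld == nil` branch runs `continue` before the `f.Close()` that ends the loop body, so every unrecognized host object leaves its file open on that error path. Closing before skipping avoids it: `if h.ld == nil { Errorf(nil, "%s: unrecognized object file format", h.pn); f.Close(); continue }`. The loop starts outside the hunk, so this assumes `f` is opened once per iteration. The comment added in `out.go` also has a typo, `confict` for `conflict`.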


@ -0,0 +1,310 @@
diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go
index d9eb9c3..506f979 100644
--- a/src/cmd/dist/test.go
+++ b/src/cmd/dist/test.go
@@ -1180,18 +1180,20 @@ func (t *tester) cgoTest(dt *distTest) error {
fmt.Println("No support for static linking found (lacks libc.a?), skip cgo static linking test.")
} else {
if goos != "android" {
- t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`)
+ t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, "-tags=no_openssl")
}
t.addCmd(dt, "misc/cgo/nocgo", t.goTest())
t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external`)
if goos != "android" {
- t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`)
+ t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, "-tags=no_openssl")
+ /*
t.addCmd(dt, "misc/cgo/test", t.goTest(), "-tags=static", "-ldflags", `-linkmode=external -extldflags "-static -pthread"`)
// -static in CGO_LDFLAGS triggers a different code path
// than -static in -extldflags, so test both.
// See issue #16651.
cmd := t.addCmd(dt, "misc/cgo/test", t.goTest(), "-tags=static")
setEnv(cmd, "CGO_LDFLAGS", "-static -pthread")
+ */
}
}
@@ -1201,7 +1203,7 @@ func (t *tester) cgoTest(dt *distTest) error {
t.addCmd(dt, "misc/cgo/test", t.goTest(), "-buildmode=pie", "-ldflags=-linkmode=internal", "-tags=internal,internal_pie")
}
t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-buildmode=pie")
- t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie")
+ t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie", "-tags=no_openssl")
}
}
}
diff --git a/src/crypto/internal/boring/aes.go b/src/crypto/internal/boring/aes.go
index a495bd7..2c6107b 100644
--- a/src/crypto/internal/boring/aes.go
+++ b/src/crypto/internal/boring/aes.go
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
+//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
+// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
package boring
diff --git a/src/crypto/internal/boring/aes_test.go b/src/crypto/internal/boring/aes_test.go
index 3b4c364..371bc20 100644
--- a/src/crypto/internal/boring/aes_test.go
+++ b/src/crypto/internal/boring/aes_test.go
@@ -1,9 +1,5 @@
-// +build linux
-// +build !android
-// +build !no_openssl
-// +build !cmd_go_bootstrap
-// +build !msan
-// +build cgo
+//go:build linux && !android && !no_openssl && !cmd_go_bootstrap && !msan && cgo && !static
+// +build linux,!android,!no_openssl,!cmd_go_bootstrap,!msan,cgo,!static
package boring
diff --git a/src/crypto/internal/boring/boring.go b/src/crypto/internal/boring/boring.go
index ec6e80c..05431b1 100644
--- a/src/crypto/internal/boring/boring.go
+++ b/src/crypto/internal/boring/boring.go
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
+//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
+// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
package boring
diff --git a/src/crypto/internal/boring/ecdsa.go b/src/crypto/internal/boring/ecdsa.go
index f72da41..33ee442 100644
--- a/src/crypto/internal/boring/ecdsa.go
+++ b/src/crypto/internal/boring/ecdsa.go
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
+//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
+// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
package boring
diff --git a/src/crypto/internal/boring/goboringcrypto.h b/src/crypto/internal/boring/goboringcrypto.h
index 4547ade..b8aaae4 100644
--- a/src/crypto/internal/boring/goboringcrypto.h
+++ b/src/crypto/internal/boring/goboringcrypto.h
@@ -1,6 +1,12 @@
// Copyright 2017 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
+// +build linux
+// +build !android
+// +build !no_openssl
+// +build !cmd_go_bootstrap
+// +build !msan
+// +build !static
// This header file describes the BoringCrypto ABI as built for use in Go.
// The BoringCrypto build for Go (which generates goboringcrypto_*.syso)
diff --git a/src/crypto/internal/boring/goopenssl.h b/src/crypto/internal/boring/goopenssl.h
index 4820385..ac41482 100644
--- a/src/crypto/internal/boring/goopenssl.h
+++ b/src/crypto/internal/boring/goopenssl.h
@@ -6,6 +6,7 @@
// +build !no_openssl
// +build !cmd_go_bootstrap
// +build !msan
+// +build !static
// This header file describes the OpenSSL ABI as built for use in Go.
diff --git a/src/crypto/internal/boring/hmac.go b/src/crypto/internal/boring/hmac.go
index 4e913c3..10cfbb3 100644
--- a/src/crypto/internal/boring/hmac.go
+++ b/src/crypto/internal/boring/hmac.go
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
+//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
+// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
package boring
diff --git a/src/crypto/internal/boring/notboring.go b/src/crypto/internal/boring/notboring.go
index e513834..08c5245 100644
--- a/src/crypto/internal/boring/notboring.go
+++ b/src/crypto/internal/boring/notboring.go
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl
-// +build !linux !cgo android cmd_go_bootstrap msan no_openssl
+//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl || static
+// +build !linux !cgo android cmd_go_bootstrap msan no_openssl static
package boring
diff --git a/src/crypto/internal/boring/openssl_ecdsa_signature.c b/src/crypto/internal/boring/openssl_ecdsa_signature.c
index 710d074..853be3d 100644
--- a/src/crypto/internal/boring/openssl_ecdsa_signature.c
+++ b/src/crypto/internal/boring/openssl_ecdsa_signature.c
@@ -3,6 +3,7 @@
// +build !no_openssl
// +build !cmd_go_bootstrap
// +build !msan
+// +build !static
#include "goboringcrypto.h"
diff --git a/src/crypto/internal/boring/openssl_evp.c b/src/crypto/internal/boring/openssl_evp.c
index 36be702..331dfd3 100644
--- a/src/crypto/internal/boring/openssl_evp.c
+++ b/src/crypto/internal/boring/openssl_evp.c
@@ -3,6 +3,7 @@
// +build !no_openssl
// +build !cmd_go_bootstrap
// +build !msan
+// +build !static
#include "goboringcrypto.h"
diff --git a/src/crypto/internal/boring/openssl_lock_setup.c b/src/crypto/internal/boring/openssl_lock_setup.c
index 955924e..c0f3435 100644
--- a/src/crypto/internal/boring/openssl_lock_setup.c
+++ b/src/crypto/internal/boring/openssl_lock_setup.c
@@ -3,6 +3,7 @@
// +build !no_openssl
// +build !cmd_go_bootstrap
// +build !msan
+// +build !static
#include "goboringcrypto.h"
#include <stdio.h>
diff --git a/src/crypto/internal/boring/openssl_port_aead_gcm.c b/src/crypto/internal/boring/openssl_port_aead_gcm.c
index b39bf54..80c933a 100644
--- a/src/crypto/internal/boring/openssl_port_aead_gcm.c
+++ b/src/crypto/internal/boring/openssl_port_aead_gcm.c
@@ -4,6 +4,7 @@
// +build !no_openssl
// +build !cmd_go_bootstrap
// +build !msan
+// +build !static
#include "goboringcrypto.h"
#include <openssl/err.h>
diff --git a/src/crypto/internal/boring/openssl_port_ctr128.c b/src/crypto/internal/boring/openssl_port_ctr128.c
index abaff5c..e2263a5 100644
--- a/src/crypto/internal/boring/openssl_port_ctr128.c
+++ b/src/crypto/internal/boring/openssl_port_ctr128.c
@@ -3,6 +3,7 @@
// +build !no_openssl
// +build !cmd_go_bootstrap
// +build !msan
+// +build !static
#include "goboringcrypto.h"
diff --git a/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c b/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c
index 8418c38..39bf3ae 100644
--- a/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c
+++ b/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c
@@ -4,6 +4,7 @@
// +build !no_openssl
// +build !cmd_go_bootstrap
// +build !msan
+// +build !static
// The following is a partial backport of crypto/evp/m_md5_sha1.c,
// commit cbc8a839959418d8a2c2e3ec6bdf394852c9501e on the
diff --git a/src/crypto/internal/boring/openssl_port_hmac.c b/src/crypto/internal/boring/openssl_port_hmac.c
index be7c71a..35e1860 100644
--- a/src/crypto/internal/boring/openssl_port_hmac.c
+++ b/src/crypto/internal/boring/openssl_port_hmac.c
@@ -4,6 +4,8 @@
// +build !no_openssl
// +build !cmd_go_bootstrap
// +build !msan
+// +build !static
+
#include "goboringcrypto.h"
diff --git a/src/crypto/internal/boring/openssl_port_rsa.c b/src/crypto/internal/boring/openssl_port_rsa.c
index 5174f66..a8008e9 100644
--- a/src/crypto/internal/boring/openssl_port_rsa.c
+++ b/src/crypto/internal/boring/openssl_port_rsa.c
@@ -4,6 +4,7 @@
// +build !no_openssl
// +build !cmd_go_bootstrap
// +build !msan
+// +build !static
#include "goboringcrypto.h"
diff --git a/src/crypto/internal/boring/openssl_stub_rand.c b/src/crypto/internal/boring/openssl_stub_rand.c
index 18d6777..e8ac53b 100644
--- a/src/crypto/internal/boring/openssl_stub_rand.c
+++ b/src/crypto/internal/boring/openssl_stub_rand.c
@@ -3,6 +3,7 @@
// +build !no_openssl
// +build !cmd_go_bootstrap
// +build !msan
+// +build !static
#include "goboringcrypto.h"
#include <openssl/rand.h>
diff --git a/src/crypto/internal/boring/rand.go b/src/crypto/internal/boring/rand.go
index e9c334f..3adbd4d 100644
--- a/src/crypto/internal/boring/rand.go
+++ b/src/crypto/internal/boring/rand.go
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
+//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
+// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
package boring
diff --git a/src/crypto/internal/boring/rsa.go b/src/crypto/internal/boring/rsa.go
index b1a2f57..0cabadb 100644
--- a/src/crypto/internal/boring/rsa.go
+++ b/src/crypto/internal/boring/rsa.go
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
+//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
+// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
package boring
diff --git a/src/crypto/internal/boring/sha.go b/src/crypto/internal/boring/sha.go
index bdcc782..6184d6c 100644
--- a/src/crypto/internal/boring/sha.go
+++ b/src/crypto/internal/boring/sha.go
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
+//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
+// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
package boring
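Review bot: Adding `static` to the `notboring.go` constraint means any build that sets the `static` tag compiles the non-OpenSSL fallback, and nothing in these hunks records that such binaries no longer route crypto through OpenSSL. A comment beside the constraint would make that visible, for example `// static: the OpenSSL backend is excluded from statically linked builds, so these binaries use the native Go crypto (presumably outside the FIPS path; confirm).` In `cmd/dist/test.go` the two static `misc/cgo/test` runs are disabled with a bare `/* ... */`; a one-line reason above the block would tell the next rebase why they are off. `cgoTest` begins and ends outside the hunk.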

7
fedora.go Normal file

@ -0,0 +1,7 @@
// +build rpm_crashtraceback
package runtime
func init() {
setTraceback("crash")
}
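Review bot: `fedora.go` carries no comment saying what the `rpm_crashtraceback` tag switches on. `setTraceback("crash")` appears to be the in-runtime equivalent of `GOTRACEBACK=crash`, where a fatal error prints all goroutines and then aborts so the OS can write a core file, and a core file of a process that handles keys or credentials holds them in clear. I would add a header comment such as `// Built only with -tags rpm_crashtraceback: forces crash-level tracebacks so a fatal error leaves a core dump for debugging.` and pair the constraint with `//go:build rpm_crashtraceback`.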


@ -0,0 +1,13 @@
diff --git a/src/cmd/go/testdata/script/list_std.txt b/src/cmd/go/testdata/script/list_std.txt
index 6ab1bd1..4a00e43 100644
--- a/src/cmd/go/testdata/script/list_std.txt
+++ b/src/cmd/go/testdata/script/list_std.txt
@@ -6,7 +6,7 @@ env GO111MODULE=off
# Listing GOROOT should only find standard packages.
cd $GOROOT/src
go list -f '{{if not .Standard}}{{.ImportPath}}{{end}}' ./...
-! stdout .
+stdout _$GOROOT
# Standard packages should include cmd, but not cmd/vendor.
go list ./...
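Review bot: The replaced assertion inverts the test while the comment above it, `# Listing GOROOT should only find standard packages.`, still describes the old behaviour: `! stdout .` required no output, `stdout _$GOROOT` requires a non-standard import path to be printed. If the packaged tree legitimately lists such packages, the comment should say so, e.g. `# In the RPM build tree packages are reported under _$GOROOT; expect them here.`; otherwise the check no longer catches stray packages under GOROOT/src. `stdout` takes a regular expression, so the expanded path is matched as a pattern rather than literally.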

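--- /dev/null
+++ b/gating.yaml
@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+- rhel-9
+decision_context: osci_compose_gate
+rules:
+- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}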


@ -0,0 +1,73 @@
diff --git a/src/time/internal_test.go b/src/time/internal_test.go
index f0dddb7..415949a 100644
--- a/src/time/internal_test.go
+++ b/src/time/internal_test.go
@@ -4,13 +4,15 @@
package time
+import "runtime"
+
func init() {
// force US/Pacific for time zone tests
ForceUSPacificForTesting()
}
func initTestingZone() {
- z, err := loadLocation("America/Los_Angeles", zoneSources[len(zoneSources)-1:])
+ z, err := loadLocation("America/Los_Angeles", zoneSources)
if err != nil {
panic("cannot load America/Los_Angeles for testing: " + err.Error() + "; you may want to use -tags=timetzdata")
}
@@ -21,8 +23,9 @@ func initTestingZone() {
var OrigZoneSources = zoneSources
func forceZipFileForTesting(zipOnly bool) {
- zoneSources = make([]string, len(OrigZoneSources))
+ zoneSources = make([]string, len(OrigZoneSources)+1)
copy(zoneSources, OrigZoneSources)
+ zoneSources = append(zoneSources, runtime.GOROOT()+"/lib/time/zoneinfo.zip")
if zipOnly {
zoneSources = zoneSources[len(zoneSources)-1:]
}
diff --git a/src/time/zoneinfo_test.go b/src/time/zoneinfo_test.go
index f032aa7..e3e5547 100644
--- a/src/time/zoneinfo_test.go
+++ b/src/time/zoneinfo_test.go
@@ -9,6 +9,7 @@ import (
"fmt"
"os"
"reflect"
+ "runtime"
"testing"
"time"
)
@@ -137,7 +138,7 @@ func TestLoadLocationFromTZData(t *testing.T) {
t.Fatal(err)
}
- tzinfo, err := time.LoadTzinfo(locationName, time.OrigZoneSources[len(time.OrigZoneSources)-1])
+ tzinfo, err := time.LoadTzinfo(locationName, runtime.GOROOT()+"/lib/time/zoneinfo.zip")
if err != nil {
t.Fatal(err)
}
diff --git a/src/time/zoneinfo_unix.go b/src/time/zoneinfo_unix.go
index 23f8b3c..228db1b 100644
--- a/src/time/zoneinfo_unix.go
+++ b/src/time/zoneinfo_unix.go
@@ -12,7 +12,6 @@
package time
import (
- "runtime"
"syscall"
)
@@ -22,7 +21,6 @@ var zoneSources = []string{
"/usr/share/zoneinfo/",
"/usr/share/lib/zoneinfo/",
"/usr/lib/locale/TZ/",
- runtime.GOROOT() + "/lib/time/zoneinfo.zip",
}
func initLocal() {
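Review bot: In `forceZipFileForTesting`, `make([]string, len(OrigZoneSources)+1)` followed by `append` leaves an empty string at index `len(OrigZoneSources)` and places the zip path after it, so the non-`zipOnly` case searches an extra `""` source. An empty source is presumably resolved relative to the working directory, which would make the test depend on where it runs. Allocating capacity instead of length fixes it: `zoneSources = make([]string, len(OrigZoneSources), len(OrigZoneSources)+1)`. The function's closing lines are outside the hunk.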

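--- /dev/null
+++ b/golang-gdbinit
@@ -0,0 +1 @@
+add-auto-load-safe-path /usr/lib/golang/src/pkg/runtime/runtime-gdb.py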
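Review bot: The safe path names `src/pkg/runtime/runtime-gdb.py`, a layout Go dropped when `src/pkg` was flattened into `src`, while the `.gitignore` in this import names a go1.18.2 tarball. If the package no longer installs anything at that path, the pretty-printers never auto-load and the entry marks as trusted a location the package does not own. The entry should follow wherever the package actually installs `runtime-gdb.py`; worth confirming against the file list, since the spec diff is suppressed on this page.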

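--- /dev/null
+++ b/golang-prelink.conf
@@ -0,0 +1,3 @@
+# there are ELF files in src which are testdata and shouldn't be modified
+-b /usr/lib/golang/src
+-b /usr/lib64/golang/src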

1242
golang.spec Normal file

File diff suppressed because it is too large Load Diff


@ -0,0 +1,112 @@
diff --git a/src/crypto/rsa/pkcs1v15_test.go b/src/crypto/rsa/pkcs1v15_test.go
index a4f2e2dbbe..76701d2e2b 100644
--- a/src/crypto/rsa/pkcs1v15_test.go
+++ b/src/crypto/rsa/pkcs1v15_test.go
@@ -52,6 +52,7 @@ var decryptPKCS1v15Tests = []DecryptPKCS1v15Test{
}
func TestDecryptPKCS1v15(t *testing.T) {
+ t.Skip("not supported in FIPS mode")
decryptionFuncs := []func([]byte) ([]byte, error){
func(ciphertext []byte) (plaintext []byte, err error) {
return DecryptPKCS1v15(nil, testRSA2048PrivateKey, ciphertext)
@@ -76,6 +77,7 @@ func TestDecryptPKCS1v15(t *testing.T) {
}
func TestEncryptPKCS1v15(t *testing.T) {
+ t.Skip("not supported in FIPS mode")
random := rand.Reader
k := (testRSA2048PrivateKey.N.BitLen() + 7) / 8
@@ -137,6 +139,7 @@ var decryptPKCS1v15SessionKeyTests = []DecryptPKCS1v15Test{
}
func TestEncryptPKCS1v15SessionKey(t *testing.T) {
+ t.Skip("not supported in FIPS mode")
for i, test := range decryptPKCS1v15SessionKeyTests {
key := []byte("FAIL")
err := DecryptPKCS1v15SessionKey(nil, testRSA2048PrivateKey, decodeBase64(test.in), key)
@@ -151,6 +154,7 @@ func TestEncryptPKCS1v15SessionKey(t *testing.T) {
}
func TestEncryptPKCS1v15DecrypterSessionKey(t *testing.T) {
+ t.Skip("not supported in FIPS mode")
for i, test := range decryptPKCS1v15SessionKeyTests {
plaintext, err := testRSA2048PrivateKey.Decrypt(rand.Reader, decodeBase64(test.in), &PKCS1v15DecryptOptions{SessionKeyLen: 4})
if err != nil {
@@ -270,6 +274,7 @@ func TestUnpaddedSignature(t *testing.T) {
}
func TestShortSessionKey(t *testing.T) {
+ t.Skip("not supported in FIPS mode")
// This tests that attempting to decrypt a session key where the
// ciphertext is too small doesn't run outside the array bounds.
ciphertext, err := EncryptPKCS1v15(rand.Reader, &testRSA2048PrivateKey.PublicKey, []byte{1})
diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go
index b547a87c71..99e7882866 100644
--- a/src/crypto/rsa/pss_test.go
+++ b/src/crypto/rsa/pss_test.go
@@ -77,6 +77,7 @@ func TestEMSAPSS(t *testing.T) {
// TestPSSGolden tests all the test vectors in pss-vect.txt from
// ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip
func TestPSSGolden(t *testing.T) {
+ t.Skip("SHA1 not supported in boring mode")
inFile, err := os.Open("testdata/pss-vect.txt.bz2")
if err != nil {
t.Fatalf("Failed to open input file: %s", err)
diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go
index 9aa67655ab..2f4e666abb 100644
--- a/src/crypto/rsa/rsa_test.go
+++ b/src/crypto/rsa/rsa_test.go
@@ -123,28 +123,29 @@ func testKeyBasics(t *testing.T, priv *PrivateKey) {
t.Errorf("private exponent too large")
}
- if boring.Enabled() {
- // Cannot call encrypt/decrypt directly. Test via PKCS1v15.
- msg := []byte("hi!")
- if priv.Size() >= 256 {
- enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg)
- if err != nil {
- t.Errorf("EncryptPKCS1v15: %v", err)
- return
- }
- dec, err := DecryptPKCS1v15(rand.Reader, priv, enc)
- if err != nil {
- t.Errorf("DecryptPKCS1v15: %v", err)
- return
- }
- if !bytes.Equal(dec, msg) {
- t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
- }
- } else {
- t.Logf("skipping check for unsupported key less than 2048 bits")
- }
- return
- }
+ if boring.Enabled() {
+ // Cannot call encrypt/decrypt directly. Test via EncryptOAEP.
+ sha256 := sha256.New()
+ msg := []byte("hi!")
+ if priv.Size() >= 256 {
+ enc, err := EncryptOAEP(sha256, rand.Reader, &priv.PublicKey, msg, nil)
+ if err != nil {
+ t.Errorf("EncryptOAEP: %v", err)
+ return
+ }
+ dec, err := DecryptOAEP(sha256, rand.Reader, priv, enc, nil)
+ if err != nil {
+ t.Errorf("DecryptOAEP: %v", err)
+ return
+ }
+ if !bytes.Equal(dec, msg) {
+ t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
+ }
+ } else {
+ t.Logf("skipping check for unsupported key less than 2048 bits")
+ }
+ return
+ }
pub := &priv.PublicKey
m := big.NewInt(42)
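Review bot: The `t.Skip("not supported in FIPS mode")` calls added to `TestDecryptPKCS1v15`, `TestEncryptPKCS1v15`, `TestEncryptPKCS1v15SessionKey`, `TestEncryptPKCS1v15DecrypterSessionKey` and `TestShortSessionKey` are unconditional, so these tests are lost in non-FIPS runs too, including the out-of-bounds check that `TestShortSessionKey` describes; the same holds for `TestPSSGolden` in `pss_test.go`. The `rsa_test.go` hunk in this patch already gates on `boring.Enabled()`, and the skips could do likewise: `if boring.Enabled() { t.Skip("not supported in FIPS mode") }` (this needs the `boring` import in those files if it is not already there). In `testKeyBasics`, `sha256 := sha256.New()` shadows the package name for the rest of the block; `h := sha256.New()` avoids that. All of these functions continue outside their hunks.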


@ -0,0 +1,128 @@
From d7cad65ab9179804e9f089ce97bc124e9ef79494 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20S=C3=A1ez?= <asm@redhat.com>
Date: Wed, 15 Dec 2021 16:02:15 +0100
Subject: [PATCH] Remove ed25519vectors_test.go
---
src/crypto/ed25519/ed25519vectors_test.go | 109 ----------------------
1 file changed, 109 deletions(-)
delete mode 100644 src/crypto/ed25519/ed25519vectors_test.go
diff --git a/src/crypto/ed25519/ed25519vectors_test.go b/src/crypto/ed25519/ed25519vectors_test.go
deleted file mode 100644
index 74fcdcdf4e..0000000000
--- a/src/crypto/ed25519/ed25519vectors_test.go
+++ /dev/null
@@ -1,109 +0,0 @@
-// Copyright 2021 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ed25519_test
-
-import (
- "crypto/ed25519"
- "encoding/hex"
- "encoding/json"
- "internal/testenv"
- "os"
- "os/exec"
- "path/filepath"
- "testing"
-)
-
-// TestEd25519Vectors runs a very large set of test vectors that exercise all
-// combinations of low-order points, low-order components, and non-canonical
-// encodings. These vectors lock in unspecified and spec-divergent behaviors in
-// edge cases that are not security relevant in most contexts, but that can
-// cause issues in consensus applications if changed.
-//
-// Our behavior matches the "classic" unwritten verification rules of the
-// "ref10" reference implementation.
-//
-// Note that although we test for these edge cases, they are not covered by the
-// Go 1 Compatibility Promise. Applications that need stable verification rules
-// should use github.com/hdevalence/ed25519consensus.
-//
-// See https://hdevalence.ca/blog/2020-10-04-its-25519am for more details.
-func TestEd25519Vectors(t *testing.T) {
- jsonVectors := downloadEd25519Vectors(t)
- var vectors []struct {
- A, R, S, M string
- Flags []string
- }
- if err := json.Unmarshal(jsonVectors, &vectors); err != nil {
- t.Fatal(err)
- }
- for i, v := range vectors {
- expectedToVerify := true
- for _, f := range v.Flags {
- switch f {
- // We use the simplified verification formula that doesn't multiply
- // by the cofactor, so any low order residue will cause the
- // signature not to verify.
- //
- // This is allowed, but not required, by RFC 8032.
- case "LowOrderResidue":
- expectedToVerify = false
- // Our point decoding allows non-canonical encodings (in violation
- // of RFC 8032) but R is not decoded: instead, R is recomputed and
- // compared bytewise against the canonical encoding.
- case "NonCanonicalR":
- expectedToVerify = false
- }
- }
-
- publicKey := decodeHex(t, v.A)
- signature := append(decodeHex(t, v.R), decodeHex(t, v.S)...)
- message := []byte(v.M)
-
- didVerify := ed25519.Verify(publicKey, message, signature)
- if didVerify && !expectedToVerify {
- t.Errorf("#%d: vector with flags %s unexpectedly verified", i, v.Flags)
- }
- if !didVerify && expectedToVerify {
- t.Errorf("#%d: vector with flags %s unexpectedly rejected", i, v.Flags)
- }
- }
-}
-
-func downloadEd25519Vectors(t *testing.T) []byte {
- testenv.MustHaveExternalNetwork(t)
-
- // Download the JSON test file from the GOPROXY with `go mod download`,
- // pinning the version so test and module caching works as expected.
- goTool := testenv.GoToolPath(t)
- path := "filippo.io/mostly-harmless/ed25519vectors@v0.0.0-20210322192420-30a2d7243a94"
- cmd := exec.Command(goTool, "mod", "download", "-json", path)
- // TODO: enable the sumdb once the TryBots proxy supports it.
- cmd.Env = append(os.Environ(), "GONOSUMDB=*")
- output, err := cmd.Output()
- if err != nil {
- t.Fatalf("failed to run `go mod download -json %s`, output: %s", path, output)
- }
- var dm struct {
- Dir string // absolute path to cached source root directory
- }
- if err := json.Unmarshal(output, &dm); err != nil {
- t.Fatal(err)
- }
-
- jsonVectors, err := os.ReadFile(filepath.Join(dm.Dir, "ed25519vectors.json"))
- if err != nil {
- t.Fatalf("failed to read ed25519vectors.json: %v", err)
- }
- return jsonVectors
-}
-
-func decodeHex(t *testing.T, s string) []byte {
- t.Helper()
- b, err := hex.DecodeString(s)
- if err != nil {
- t.Errorf("invalid hex: %v", err)
- }
- return b
-}
--
2.33.1

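--- a/rhbz1955035.patch
+++ b/rhbz1955035.patch
@@ -0,0 +1,42 @@
+From 4ec78a579cc3c83a7d0afc7483fb3e69e2fd87a7 Mon Sep 17 00:00:00 2001
+From: "Paul E. Murphy" <murp@ibm.com>
+Date: Tue, 27 Apr 2021 15:05:51 -0500
+Subject: [PATCH] cmd/link: disable plugin support if cgo is disabled
+Functional plugin support requires cgo to be enabled. Disable
+it if the environment has disabled cgo.
+This prevents unexpected linker failures when linking large
+binaries with cgo disabled which use the plugin package.
+Fixes #45564
+Change-Id: Ib71f0e089f7373b7b3e3cd53da3612291e7bc473
+Reviewed-on: https://go-review.googlesource.com/c/go/+/314449
+Run-TryBot: Paul Murphy <murp@ibm.com>
+Reviewed-by: Cherry Zhang <cherryyz@google.com>
+TryBot-Result: Go Bot <gobot@golang.org>
+Trust: Lynn Boger <laboger@linux.vnet.ibm.com>
+---
+src/cmd/link/internal/ld/lib.go | 5 ++++-
+1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/src/cmd/link/internal/ld/lib.go b/src/cmd/link/internal/ld/lib.go
+index 0e77424884..f7a32aebae 100644
+--- a/src/cmd/link/internal/ld/lib.go
++++ b/src/cmd/link/internal/ld/lib.go
+@@ -533,7 +533,10 @@ func (ctxt *Link) loadlib() {
+// up symbol by name may not get expected result.
+iscgo = ctxt.LibraryByPkg["runtime/cgo"] != nil
+- ctxt.canUsePlugins = ctxt.LibraryByPkg["plugin"] != nil
++
++ // Plugins a require cgo support to function. Similarly, plugins may require additional
++ // internal linker support on some platforms which may not be implemented.
++ ctxt.canUsePlugins = ctxt.LibraryByPkg["plugin"] != nil && iscgo
+// We now have enough information to determine the link mode.
+determineLinkMode(ctxt)
+--
+2.30.2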
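Review bot: The comment added above `ctxt.canUsePlugins` has a typo (`Plugins a require`), and its second sentence describes a platform limitation that the expression does not test, since the only new condition is `&& iscgo`. I would reword it to `// Plugins require cgo support to function. Some platforms may also lack the internal linker support plugins need; that is not checked here.` A program that imports plugin with cgo disabled now gets canUsePlugins set to false with no diagnostic in this hunk, so it is worth confirming that a later stage reports this clearly. loadlib starts and ends outside the hunk, so whether such a report exists cannot be seen from here.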


@ -0,0 +1,12 @@
diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
index 51dda16815..2d1e1b1e6e 100644
--- a/src/crypto/x509/x509_test.go
+++ b/src/crypto/x509/x509_test.go
@@ -2880,6 +2880,7 @@ func (bs *brokenSigner) Sign(_ io.Reader, _ []byte, _ crypto.SignerOpts) ([]byte
}
func TestCreateCertificateBrokenSigner(t *testing.T) {
+ t.Skip("TODO Fix me: rhbz#1939923")
template := &Certificate{
SerialNumber: big.NewInt(10),
DNSNames: []string{"example.com"},
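Review bot: The added `t.Skip("TODO Fix me: rhbz#1939923")` disables TestCreateCertificateBrokenSigner unconditionally, so certificate creation with a misbehaving signer is no longer tested in any build mode. The skip message also does not say what fails. If the failure is specific to the OpenSSL-backed path (not visible from this hunk), gate the skip the way the rsa test patch does and state the reason, e.g. `if boring.Enabled() { t.Skip("fails with the OpenSSL backend: rhbz#1939923") }`. That needs the boring import in x509_test.go, which is not visible here. The test body continues outside the hunk.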

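--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+SHA1 (go1.18.2-1-openssl-fips.tar.gz) = 2982f1fe39b59089eab5469bb6b3bb9f462abe45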