diff --git a/SOURCES/evp-digest-sign-final.patch b/SOURCES/evp-digest-sign-final.patch
new file mode 100644
index 0000000..928f707
--- /dev/null
+++ b/SOURCES/evp-digest-sign-final.patch
@@ -0,0 +1,92 @@
+diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/goopenssl.h b/src/vendor/github.com/golang-fips/openssl/openssl/goopenssl.h
+index ac6c64f86d..5213b841dc 100644
+--- a/src/vendor/github.com/golang-fips/openssl/openssl/goopenssl.h
++++ b/src/vendor/github.com/golang-fips/openssl/openssl/goopenssl.h
+@@ -264,7 +264,7 @@ int _goboringcrypto_HMAC_Update(GO_HMAC_CTX *ctx,
+ int _goboringcrypto_HMAC_CTX_reset(GO_HMAC_CTX *ctx);
+ void _goboringcrypto_HMAC_CTX_free(GO_HMAC_CTX *ctx);
+ int _goboringcrypto_HMAC_Final(GO_HMAC_CTX *ctx,
+- unsigned char *md, unsigned int *len);
++ unsigned char *md, unsigned int len);
+ 
+ #include
+ #include
+diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/hmac.go b/src/vendor/github.com/golang-fips/openssl/openssl/hmac.go
+index 3af1924884..c76d6690aa 100644
+--- a/src/vendor/github.com/golang-fips/openssl/openssl/hmac.go
++++ b/src/vendor/github.com/golang-fips/openssl/openssl/hmac.go
+@@ -121,7 +121,9 @@ func (h *boringHMAC) finalize() {
+ 
+ func (h *boringHMAC) Write(p []byte) (int, error) {
+ if len(p) > 0 {
+- C._goboringcrypto_HMAC_Update(h.ctx, (*C.uint8_t)(unsafe.Pointer(&p[0])), C.size_t(len(p)))
++ if C._goboringcrypto_HMAC_Update(h.ctx, (*C.uint8_t)(unsafe.Pointer(&p[0])), C.size_t(len(p))) == 0 {
++ panic("boringcrypto: HMAC_Update failed")
++ }
+ }
+ runtime.KeepAlive(h)
+ return len(p), nil
+@@ -136,10 +138,12 @@ func (h *boringHMAC) BlockSize() int {
+ }
+ 
+ func (h *boringHMAC) Sum(in []byte) []byte {
++ size := h.Size()
+ if h.sum == nil {
+- size := h.Size()
+ h.sum = make([]byte, size)
+ }
+- C._goboringcrypto_HMAC_Final(h.ctx, (*C.uint8_t)(unsafe.Pointer(&h.sum[0])), nil)
++ if C._goboringcrypto_HMAC_Final(h.ctx, (*C.uint8_t)(unsafe.Pointer(&h.sum[0])), C.uint(size)) == 0 {
++ panic("boringcrypto: HMAC_Final failed")
++ }
+ return append(in, h.sum...)
+ }
+diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_hmac.c b/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_hmac.c
+index d26ce90c82..f7dabb25e0 100644
+--- a/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_hmac.c
++++ b/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_hmac.c
+@@ -115,10 +115,10 @@ void _goboringcrypto_HMAC_CTX_free(GO_HMAC_CTX *ctx)
+ }
+ 
+ int _goboringcrypto_HMAC_Final(GO_HMAC_CTX *ctx,
+- unsigned char *md, unsigned int *len)
++ unsigned char *md, unsigned int len)
+ {
+ EVP_MD_CTX *mdctx = NULL;
+- size_t slen;
++ size_t slen = len;
+ int ret = 0;
+ 
+ mdctx = _goboringcrypto_EVP_MD_CTX_create();
+@@ -128,9 +128,10 @@ int _goboringcrypto_HMAC_Final(GO_HMAC_CTX *ctx,
+ if (_goboringcrypto_internal_EVP_MD_CTX_copy_ex(mdctx, ctx->mdctx) != 1)
+ goto err;
+ 
+- ret = _goboringcrypto_EVP_DigestSignFinal(mdctx, md, &slen);
+- if (ret == 1 && len)
+- *len = slen;
++ if (_goboringcrypto_EVP_DigestSignFinal(mdctx, md, &slen) != 1)
++ goto err;
++ 
++ ret = 1;
+ 
+ err:
+ _goboringcrypto_EVP_MD_CTX_free(mdctx);
+@@ -219,7 +220,7 @@ void _goboringcrypto_HMAC_CTX_free(GO_HMAC_CTX *ctx)
+ }
+ 
+ int _goboringcrypto_HMAC_Final(GO_HMAC_CTX *ctx,
+- unsigned char *md, unsigned int *len)
++ unsigned char *md, unsigned int len)
+ {
+ HMAC_CTX hctx;
+ int ret;
+@@ -228,7 +229,7 @@ int _goboringcrypto_HMAC_Final(GO_HMAC_CTX *ctx,
+ if (ret != 1)
+ return ret;
+ 
+- ret = _goboringcrypto_internal_HMAC_Final(&hctx, md, len);
++ ret = _goboringcrypto_internal_HMAC_Final(&hctx, md, &len);
+ _goboringcrypto_internal_HMAC_CTX_cleanup(&hctx);
+ return ret;
+ }
diff --git a/SPECS/golang.spec b/SPECS/golang.spec
index def2388..ded470d 100644
--- a/SPECS/golang.spec
+++ b/SPECS/golang.spec
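Review bot: In the EVP-based `_goboringcrypto_HMAC_Final` the new `len` parameter is only used to seed `slen` before `_goboringcrypto_EVP_DigestSignFinal`; the value that call writes back into `slen` (the byte count actually produced) is never compared with `len` within the hunk, so a digest shorter than the Go-side `Size()` would leave the tail of `h.sum` stale while `ret = 1` still reports success. A one-line tightening is `if (_goboringcrypto_EVP_DigestSignFinal(mdctx, md, &slen) != 1 || slen != len) goto err;`. In the second variant `&len` is handed to `_goboringcrypto_internal_HMAC_Final`, which presumably wraps OpenSSL's `HMAC_Final` and treats that pointer as output-only, so the caller's buffer size is not enforced on that path at all; saving the incoming value first (`unsigned int want = len;`) and finishing with `if (ret == 1 && len != want) ret = 0;` would give both variants the same contract. On the Go side, passing `C.uint(len(h.sum))` instead of `C.uint(size)` in `Sum` would bind the declared length to the buffer actually being written rather than to a recomputed value. Both C function bodies begin or end outside the nested hunks shown here.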
@@ -99,7 +99,7 @@ Name: golang Version: %{version} -Release: 3%{?dist} +Release: 4%{?dist} Summary: The Go Programming Language # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain License: BSD and Public Domain @@ -141,6 +141,7 @@ Requires: diffutils # Proposed patch by jcajka https://golang.org/cl/86541 Patch221: fix_TestScript_list_std.patch Patch230: update-api-openssl3.patch +Patch231: evp-digest-sign-final.patch Patch1939923: skip_test_rhbz1939923.patch @@ -534,6 +535,10 @@ cd .. %files -n go-toolset %changelog +* Tue Oct 01 2024 David Benoit - 1.21.13-4 +- Fix CVE-2024-9355 +- Resolves: RHEL-61046 + * Tue Sep 17 2024 David Benoit - 1.21.13-3 - Related: RHEL-58226