import golang-1.17.5-1.el9

2022-02-01 12:55:25 -05:00 · 2022-02-01 12:55:25 -05:00 · a9fa186664
commit a9fa186664
parent fcc4c2ec72
5 changed files with 304 additions and 49 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/go-go-1.17.2-1-openssl-fips.tar.gz
+SOURCES/go-go-1.17.5-1-openssl-fips.tar.gz
--- a/.golang.metadata
+++ b/.golang.metadata
@ -1 +1 @@
-583ddd5dc54fa694c25b6768ad80c9fff04d2bb5 SOURCES/go-go-1.17.2-1-openssl-fips.tar.gz
+f0b72c96855f50d91288f1226a7660b97c1fdd73 SOURCES/go-go-1.17.5-1-openssl-fips.tar.gz
--- a/SOURCES/remove_ed25519vectors_test.patch
+++ b/SOURCES/remove_ed25519vectors_test.patch
@ -0,0 +1,128 @@
+From d7cad65ab9179804e9f089ce97bc124e9ef79494 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alejandro=20S=C3=A1ez?= <asm@redhat.com>
+Date: Wed, 15 Dec 2021 16:02:15 +0100
+Subject: [PATCH] Remove ed25519vectors_test.go
+
+---
+ src/crypto/ed25519/ed25519vectors_test.go | 109 ----------------------
+ 1 file changed, 109 deletions(-)
+ delete mode 100644 src/crypto/ed25519/ed25519vectors_test.go
+
+diff --git a/src/crypto/ed25519/ed25519vectors_test.go b/src/crypto/ed25519/ed25519vectors_test.go
+deleted file mode 100644
+index 74fcdcdf4e..0000000000
+--- a/src/crypto/ed25519/ed25519vectors_test.go
+++ /dev/null
+@@ -1,109 +0,0 @@
+-// Copyright 2021 The Go Authors. All rights reserved.
+-// Use of this source code is governed by a BSD-style
+-// license that can be found in the LICENSE file.
+-
+-package ed25519_test
+-
+-import (
+-	"crypto/ed25519"
+-	"encoding/hex"
+-	"encoding/json"
+-	"internal/testenv"
+-	"os"
+-	"os/exec"
+-	"path/filepath"
+-	"testing"
+-)
+-
+-// TestEd25519Vectors runs a very large set of test vectors that exercise all
+-// combinations of low-order points, low-order components, and non-canonical
+-// encodings. These vectors lock in unspecified and spec-divergent behaviors in
+-// edge cases that are not security relevant in most contexts, but that can
+-// cause issues in consensus applications if changed.
+-//
+-// Our behavior matches the "classic" unwritten verification rules of the
+-// "ref10" reference implementation.
+-//
+-// Note that although we test for these edge cases, they are not covered by the
+-// Go 1 Compatibility Promise. Applications that need stable verification rules
+-// should use github.com/hdevalence/ed25519consensus.
+-//
+-// See https://hdevalence.ca/blog/2020-10-04-its-25519am for more details.
+-func TestEd25519Vectors(t *testing.T) {
+-	jsonVectors := downloadEd25519Vectors(t)
+-	var vectors []struct {
+-		A, R, S, M string
+-		Flags      []string
+-	}
+-	if err := json.Unmarshal(jsonVectors, &vectors); err != nil {
+-		t.Fatal(err)
+-	}
+-	for i, v := range vectors {
+-		expectedToVerify := true
+-		for _, f := range v.Flags {
+-			switch f {
+-			// We use the simplified verification formula that doesn't multiply
+-			// by the cofactor, so any low order residue will cause the
+-			// signature not to verify.
+-			//
+-			// This is allowed, but not required, by RFC 8032.
+-			case "LowOrderResidue":
+-				expectedToVerify = false
+-			// Our point decoding allows non-canonical encodings (in violation
+-			// of RFC 8032) but R is not decoded: instead, R is recomputed and
+-			// compared bytewise against the canonical encoding.
+-			case "NonCanonicalR":
+-				expectedToVerify = false
+-			}
+-		}
+-
+-		publicKey := decodeHex(t, v.A)
+-		signature := append(decodeHex(t, v.R), decodeHex(t, v.S)...)
+-		message := []byte(v.M)
+-
+-		didVerify := ed25519.Verify(publicKey, message, signature)
+-		if didVerify && !expectedToVerify {
+-			t.Errorf("#%d: vector with flags %s unexpectedly verified", i, v.Flags)
+-		}
+-		if !didVerify && expectedToVerify {
+-			t.Errorf("#%d: vector with flags %s unexpectedly rejected", i, v.Flags)
+-		}
+-	}
+-}
+-
+-func downloadEd25519Vectors(t *testing.T) []byte {
+-	testenv.MustHaveExternalNetwork(t)
+-
+-	// Download the JSON test file from the GOPROXY with `go mod download`,
+-	// pinning the version so test and module caching works as expected.
+-	goTool := testenv.GoToolPath(t)
+-	path := "filippo.io/mostly-harmless/ed25519vectors@v0.0.0-20210322192420-30a2d7243a94"
+-	cmd := exec.Command(goTool, "mod", "download", "-json", path)
+-	// TODO: enable the sumdb once the TryBots proxy supports it.
+-	cmd.Env = append(os.Environ(), "GONOSUMDB=*")
+-	output, err := cmd.Output()
+-	if err != nil {
+-		t.Fatalf("failed to run `go mod download -json %s`, output: %s", path, output)
+-	}
+-	var dm struct {
+-		Dir string // absolute path to cached source root directory
+-	}
+-	if err := json.Unmarshal(output, &dm); err != nil {
+-		t.Fatal(err)
+-	}
+-
+-	jsonVectors, err := os.ReadFile(filepath.Join(dm.Dir, "ed25519vectors.json"))
+-	if err != nil {
+-		t.Fatalf("failed to read ed25519vectors.json: %v", err)
+-	}
+-	return jsonVectors
+-}
+-
+-func decodeHex(t *testing.T, s string) []byte {
+-	t.Helper()
+-	b, err := hex.DecodeString(s)
+-	if err != nil {
+-		t.Errorf("invalid hex: %v", err)
+-	}
+-	return b
+-}
+-- 
+2.33.1
+
--- a/SOURCES/remove_waitgroup_misuse_tests.patch
+++ b/SOURCES/remove_waitgroup_misuse_tests.patch
@ -0,0 +1,151 @@
+diff --git a/src/sync/waitgroup_test.go b/src/sync/waitgroup_test.go
+index c569e0faa2eb..4ded218d2d8d 100644
+--- a/src/sync/waitgroup_test.go
+++ b/src/sync/waitgroup_test.go
+@@ -5,8 +5,6 @@
+ package sync_test
+ 
+ import (
+-	"internal/race"
+-	"runtime"
+ 	. "sync"
+ 	"sync/atomic"
+ 	"testing"
+@@ -48,12 +46,6 @@ func TestWaitGroup(t *testing.T) {
+ 	}
+ }
+ 
+-func knownRacy(t *testing.T) {
+-	if race.Enabled {
+-		t.Skip("skipping known-racy test under the race detector")
+-	}
+-}
+-
+ func TestWaitGroupMisuse(t *testing.T) {
+ 	defer func() {
+ 		err := recover()
+@@ -68,124 +60,6 @@ func TestWaitGroupMisuse(t *testing.T) {
+ 	t.Fatal("Should panic")
+ }
+ 
+-// pollUntilEqual blocks until v, loaded atomically, is
+-// equal to the target.
+-func pollUntilEqual(v *uint32, target uint32) {
+-	for {
+-		for i := 0; i < 1e3; i++ {
+-			if atomic.LoadUint32(v) == target {
+-				return
+-			}
+-		}
+-		// yield to avoid deadlock with the garbage collector
+-		// see issue #20072
+-		runtime.Gosched()
+-	}
+-}
+-
+-func TestWaitGroupMisuse2(t *testing.T) {
+-	knownRacy(t)
+-	if runtime.NumCPU() <= 4 {
+-		t.Skip("NumCPU<=4, skipping: this test requires parallelism")
+-	}
+-	defer func() {
+-		err := recover()
+-		if err != "sync: negative WaitGroup counter" &&
+-			err != "sync: WaitGroup misuse: Add called concurrently with Wait" &&
+-			err != "sync: WaitGroup is reused before previous Wait has returned" {
+-			t.Fatalf("Unexpected panic: %#v", err)
+-		}
+-	}()
+-	defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(4))
+-	done := make(chan interface{}, 2)
+-	// The detection is opportunistic, so we want it to panic
+-	// at least in one run out of a million.
+-	for i := 0; i < 1e6; i++ {
+-		var wg WaitGroup
+-		var here uint32
+-		wg.Add(1)
+-		go func() {
+-			defer func() {
+-				done <- recover()
+-			}()
+-			atomic.AddUint32(&here, 1)
+-			pollUntilEqual(&here, 3)
+-			wg.Wait()
+-		}()
+-		go func() {
+-			defer func() {
+-				done <- recover()
+-			}()
+-			atomic.AddUint32(&here, 1)
+-			pollUntilEqual(&here, 3)
+-			wg.Add(1) // This is the bad guy.
+-			wg.Done()
+-		}()
+-		atomic.AddUint32(&here, 1)
+-		pollUntilEqual(&here, 3)
+-		wg.Done()
+-		for j := 0; j < 2; j++ {
+-			if err := <-done; err != nil {
+-				panic(err)
+-			}
+-		}
+-	}
+-	t.Fatal("Should panic")
+-}
+-
+-func TestWaitGroupMisuse3(t *testing.T) {
+-	knownRacy(t)
+-	if runtime.NumCPU() <= 1 {
+-		t.Skip("NumCPU==1, skipping: this test requires parallelism")
+-	}
+-	defer func() {
+-		err := recover()
+-		if err != "sync: negative WaitGroup counter" &&
+-			err != "sync: WaitGroup misuse: Add called concurrently with Wait" &&
+-			err != "sync: WaitGroup is reused before previous Wait has returned" {
+-			t.Fatalf("Unexpected panic: %#v", err)
+-		}
+-	}()
+-	defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(4))
+-	done := make(chan interface{}, 3)
+-	// The detection is opportunistically, so we want it to panic
+-	// at least in one run out of a million.
+-	for i := 0; i < 1e6; i++ {
+-		var wg WaitGroup
+-		wg.Add(1)
+-		go func() {
+-			defer func() {
+-				done <- recover()
+-			}()
+-			wg.Done()
+-		}()
+-		go func() {
+-			defer func() {
+-				done <- recover()
+-			}()
+-			wg.Wait()
+-			// Start reusing the wg before waiting for the Wait below to return.
+-			wg.Add(1)
+-			go func() {
+-				wg.Done()
+-			}()
+-			wg.Wait()
+-		}()
+-		go func() {
+-			defer func() {
+-				done <- recover()
+-			}()
+-			wg.Wait()
+-		}()
+-		for j := 0; j < 3; j++ {
+-			if err := <-done; err != nil {
+-				panic(err)
+-			}
+-		}
+-	}
+-	t.Fatal("Should panic")
+-}
+-
+ func TestWaitGroupRace(t *testing.T) {
+ 	// Run this test for about 1ms.
+ 	for i := 0; i < 1000; i++ {
--- a/SPECS/golang.spec
+++ b/SPECS/golang.spec
@ -96,7 +96,7 @@
 %endif

 %global go_api 1.17
-%global go_version 1.17.2
+%global go_version 1.17.5
 %global pkg_release 1

 Name:           golang
@ -147,6 +147,9 @@ Patch221:       fix_TestScript_list_std.patch
 # Port to openssl 3.0
 Patch1952381:   rhbz1952381.patch

+Patch222: remove_waitgroup_misuse_tests.patch
+Patch223: remove_ed25519vectors_test.patch
+
 # Having documentation separate was broken
 Obsoletes:      %{name}-docs < 1.1-4

@ -242,6 +245,10 @@ Requires:       %{name} = %{version}-%{release}

 %patch1952381 -p1

+%patch222 -p1
+
+%patch223 -p1
+
 cp %{SOURCE1} ./src/runtime/

 %build
@ -440,61 +447,19 @@ export GO_TEST_RUN=""

 %if %{fail_on_tests}

-TEST_BORING_CONFIGS=`mktemp -d`
-TEST_BORING_CNF=$TEST_BORING_CONFIGS/openssl-boring.cnf
-TEST_BORING_FIPS_CNF=$TEST_BORING_CONFIGS/fipsmodule.cnf
-trap "rm -rf $TEST_BORING_CONFIGS" EXIT
-
-cp /etc/pki/tls/openssl.cnf $TEST_BORING_CNF
-openssl fipsinstall -module /usr/lib64/ossl-modules/fips.so -out $TEST_BORING_FIPS_CNF
-
-cat > $TEST_BORING_CNF << EOM
-openssl_conf = openssl_test
-
-[openssl_test]
-providers = provider_test
-alg_section = algorithm_test
-ssl_conf = ssl_module
-
-[algorithm_test]
-default_properties = fips=yes
-
-[provider_test]
-default = default_sect
- # The fips section name should match the section name inside the
- # included fipsmodule.cnf.
-fips = fips_sect
-.include $TEST_BORING_FIPS_CNF
-
-[default_sect]
-activate = 1
-
-[ ssl_module ]
-
-system_default = crypto_policy
-
-[ crypto_policy ]
-
-.include = /etc/crypto-policies/back-ends/opensslcnf.config
-
-[ new_oids ]
-
-EOM
-
 ./run.bash --no-rebuild -v -v -v -k $GO_TEST_RUN

-export OPENSSL_CONF=$TEST_BORING_CNF
+export OPENSSL_FORCE_FIPS_MODE=1
 # Run tests with FIPS enabled.
-export DISABLE_Ed25519_TEST="-run=!^TestEd25519Vectors$"
 pushd crypto
  # Run all crypto tests but skip TLS, we will run FIPS specific TLS tests later
-  GOLANG_FIPS=1 go test $(go list ./... | grep -v tls) -v $DISABLE_Ed25519_TEST
+  GOLANG_FIPS=1 go test $(go list ./... | grep -v tls) -v
  # Check that signature functions have parity between boring and notboring
-  CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v $DISABLE_Ed25519_TEST
+  CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v
 popd
 # Run all FIPS specific TLS tests
 pushd crypto/tls
-  GOLANG_FIPS=1 go test -v -run "Boring" $DISABLE_Ed25519_TEST
+  GOLANG_FIPS=1 go test -v -run "Boring"
 popd
 %else
 ./run.bash --no-rebuild -v -v -v -k || :
@ -557,6 +522,17 @@ cd ..
 %endif

 %changelog
+* Mon Dec 13 2021 Alejandro Sáez <asm@redhat.com> - 1.17.5-1
+- Rebase to Go 1.17.5
+- Add remove_waitgroup_misuse_tests patch
+- Add remove_ed25519vectors_test.patch
+- Remove FIPS checks to avoid issues in the CI
+- Related: rhbz#2031116
+- Resolves: rhbz#2022829
+- Resolves: rhbz#2024687
+- Resolves: rhbz#2030851
+- Resolves: rhbz#2031253
+
 * Wed Nov 03 2021 Alejandro Sáez <asm@redhat.com> - 1.17.2-1
 - Rebase to Go 1.17.2
 - Related: rhbz#2014087