Fix panic in standard crypto mode without openssl

Resolves: RHEL-45359
2024-06-27 14:08:13 -04:00 · 2024-06-27 14:08:13 -04:00 · b626326825
commit b626326825
parent 0e5dbdbb54
2 changed files with 50 additions and 1 deletions
--- a/fix-standard-crypto-panic.patch
+++ b/fix-standard-crypto-panic.patch
@ -0,0 +1,44 @@
+diff --git a/src/crypto/internal/backend/openssl.go b/src/crypto/internal/backend/openssl.go
+index 3d3a9a36ee..8dc2d46b52 100644
+--- a/src/crypto/internal/backend/openssl.go
+++ b/src/crypto/internal/backend/openssl.go
+@@ -25,6 +25,22 @@ var enabled bool
+ var knownVersions = [...]string{"3", "1.1", "11", "111", "1.0.2", "1.0.0", "10"}
+ 
+ func init() {
+	// 0: FIPS opt-out: abort the process if it is enabled and can't be disabled.
+	// 1: FIPS required: abort the process if it is not enabled and can't be enabled.
+	// other values: do not override OpenSSL configured FIPS mode.
+	var fips string
+	if v, ok := syscall.Getenv("GOLANG_FIPS"); ok {
+		fips = v
+	} else if hostFIPSModeEnabled() {
+		// System configuration can only force FIPS mode.
+		fips = "1"
+	}
+
+	// Use Go standard crypto, do not load openssl
+	if (fips != "1") {
+		return
+	}
+
+ 	version, _ := syscall.Getenv("GO_OPENSSL_VERSION_OVERRIDE")
+ 	if version == "" {
+ 		var fallbackVersion string
+@@ -49,16 +65,6 @@ func init() {
+ 	if err := openssl.Init(version); err != nil {
+ 		panic("opensslcrypto: can't initialize OpenSSL " + version + ": " + err.Error())
+ 	}
+-	// 0: FIPS opt-out: abort the process if it is enabled and can't be disabled.
+-	// 1: FIPS required: abort the process if it is not enabled and can't be enabled.
+-	// other values: do not override OpenSSL configured FIPS mode.
+-	var fips string
+-	if v, ok := syscall.Getenv("GOLANG_FIPS"); ok {
+-		fips = v
+-	} else if hostFIPSModeEnabled() {
+-		// System configuration can only force FIPS mode.
+-		fips = "1"
+-	}
+ 	switch fips {
+ 	case "0":
+ 		if openssl.FIPS() {
--- a/golang.spec
+++ b/golang.spec
@ -99,7 +99,7 @@

 Name:           golang
 Version:        %{version}
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        The Go Programming Language
 # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
 License:        BSD and Public Domain
@ -145,6 +145,7 @@ Patch1939923:   skip_test_rhbz1939923.patch

 Patch4:		modify_go.env.patch
 Patch6:		skip_TestCrashDumpsAllThreads.patch
+Patch7:		fix-standard-crypto-panic.patch

 # Having documentation separate was broken
 Obsoletes:      %{name}-docs < 1.1-4
@ -529,6 +530,10 @@ cd ..
 %files -n go-toolset

 %changelog
+* Thu Jun 27 2024 David Benoit <dbenoit@redhat.com> - 1.22.4-2
+- Fix panic in standard crypto mode without openssl
+- Resolves: RHEL-45359
+
 * Thu Jun 6 2024 Archana Ravindar <aravinda@redhat.com> - 1.22.4-1
 - Rebase to Go1.22.4 that includes fixes for CVE-2024-24789 and CVE-2024-24790
 - Resolves: RHEL-40156