rpms/golang
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix panic in standard crypto mode without openssl

Browse Source 
Resolves: RHEL-45359
This commit is contained in:
David Benoit 2024-06-27 14:08:13 -04:00
parent 0e5dbdbb54
commit b626326825
2 changed files with 50 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
fix-standard-crypto-panic.patch Normal file
View File

@ -0,0 +1,44 @@
diff --git a/src/crypto/internal/backend/openssl.go b/src/crypto/internal/backend/openssl.go
index 3d3a9a36ee..8dc2d46b52 100644
--- a/src/crypto/internal/backend/openssl.go
+++ b/src/crypto/internal/backend/openssl.go
@@ -25,6 +25,22 @@ var enabled bool
var knownVersions = [...]string{"3", "1.1", "11", "111", "1.0.2", "1.0.0", "10"}
func init() {
+ // 0: FIPS opt-out: abort the process if it is enabled and can't be disabled.
+ // 1: FIPS required: abort the process if it is not enabled and can't be enabled.
+ // other values: do not override OpenSSL configured FIPS mode.
+ var fips string
+ if v, ok := syscall.Getenv("GOLANG_FIPS"); ok {
+ fips = v
+ } else if hostFIPSModeEnabled() {
+ // System configuration can only force FIPS mode.
+ fips = "1"
+ }
+
+ // Use Go standard crypto, do not load openssl
+ if (fips != "1") {
+ return
+ }
+
version, _ := syscall.Getenv("GO_OPENSSL_VERSION_OVERRIDE")
if version == "" {
var fallbackVersion string
@@ -49,16 +65,6 @@ func init() {
if err := openssl.Init(version); err != nil {
panic("opensslcrypto: can't initialize OpenSSL " + version + ": " + err.Error())
}
- // 0: FIPS opt-out: abort the process if it is enabled and can't be disabled.
- // 1: FIPS required: abort the process if it is not enabled and can't be enabled.
- // other values: do not override OpenSSL configured FIPS mode.
- var fips string
- if v, ok := syscall.Getenv("GOLANG_FIPS"); ok {
- fips = v
- } else if hostFIPSModeEnabled() {
- // System configuration can only force FIPS mode.
- fips = "1"
- }
switch fips {
case "0":
if openssl.FIPS() {

7
golang.spec
View File

@ -99,7 +99,7 @@
Name: golang Name: golang
Version: %{version} Version: %{version}
Release: 1%{?dist} Release: 2%{?dist}
Summary: The Go Programming Language Summary: The Go Programming Language
# source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
License: BSD and Public Domain License: BSD and Public Domain
@ -145,6 +145,7 @@ Patch1939923: skip_test_rhbz1939923.patch
Patch4: modify_go.env.patch Patch4: modify_go.env.patch
Patch6: skip_TestCrashDumpsAllThreads.patch Patch6: skip_TestCrashDumpsAllThreads.patch
Patch7: fix-standard-crypto-panic.patch
# Having documentation separate was broken # Having documentation separate was broken
Obsoletes: %{name}-docs < 1.1-4 Obsoletes: %{name}-docs < 1.1-4
@ -529,6 +530,10 @@ cd ..
%files -n go-toolset %files -n go-toolset
%changelog %changelog
* Thu Jun 27 2024 David Benoit <dbenoit@redhat.com> - 1.22.4-2
- Fix panic in standard crypto mode without openssl
- Resolves: RHEL-45359
* Thu Jun 6 2024 Archana Ravindar <aravinda@redhat.com> - 1.22.4-1 * Thu Jun 6 2024 Archana Ravindar <aravinda@redhat.com> - 1.22.4-1
- Rebase to Go1.22.4 that includes fixes for CVE-2024-24789 and CVE-2024-24790 - Rebase to Go1.22.4 that includes fixes for CVE-2024-24789 and CVE-2024-24790
- Resolves: RHEL-40156 - Resolves: RHEL-40156