From bf182b7c2e53a86c307a13eaa3b0513cdf43dbc0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20S=C3=A1ez?= Date: Wed, 3 Nov 2021 20:05:55 +0100 Subject: [PATCH] Rebase to Go 1.17.2 Related: rhbz#2014087 Remove favicon.ico and robots.txt references Exclude TestEd25519Vectors test Update patch rhbz1952381 Remove rhbz1904567 patch Remove rhbz1939923 patch --- .gitignore | 1 + golang-1.15-warnCN.patch | 25 ---- golang.spec | 44 +++--- ppc64le-vdso-segfault-fix.patch | 229 -------------------------------- rhbz1952381.patch | 44 +++--- sources | 4 +- 6 files changed, 39 insertions(+), 308 deletions(-) delete mode 100644 golang-1.15-warnCN.patch delete mode 100644 ppc64le-vdso-segfault-fix.patch diff --git a/.gitignore b/.gitignore index 3052c2f..69db341 100644 --- a/.gitignore +++ b/.gitignore @@ -38,3 +38,4 @@ /go-go-1.16.4-1-openssl-fips.tar.gz /go-go-1.16.6-2-openssl-fips.tar.gz /go-go-1.16.6-3-openssl-fips.tar.gz +/go-go-1.17.2-1-openssl-fips.tar.gz diff --git a/golang-1.15-warnCN.patch b/golang-1.15-warnCN.patch deleted file mode 100644 index 5d9cf82..0000000 --- a/golang-1.15-warnCN.patch +++ /dev/null @@ -1,25 +0,0 @@ -diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go -index 50f4d4a..121fd1b 100644 ---- a/src/crypto/x509/verify.go -+++ b/src/crypto/x509/verify.go -@@ -20,6 +20,9 @@ import ( - - // ignoreCN disables interpreting Common Name as a hostname. See issue 24151. - var ignoreCN = !strings.Contains(os.Getenv("GODEBUG"), "x509ignoreCN=0") -+// if using Common Name as a hostname is enabled via x509ignoreCN=0, -+// warnCN enables a warning whenever Common Name is interpreted as a hostname. -+var warnCN = strings.Contains(os.Getenv("GODEBUG"), "x509warnCN=1") - - type InvalidReason int - -@@ -1078,6 +1081,10 @@ func (c *Certificate) VerifyHostname(h string) error { - names := c.DNSNames - if c.commonNameAsHostname() { - names = []string{c.Subject.CommonName} -+ if warnCN { -+ fmt.Fprintf(os.Stderr, "x509: Warning - certificate relies on legacy Common Name field. " + -+ "Using CN without SAN is deprecated and will not work in future versions.\n") -+ } - } - - candidateName := toLowerCaseASCII(h) // Save allocations inside the loop. diff --git a/golang.spec b/golang.spec index 7e9152a..bcc88b4 100644 --- a/golang.spec +++ b/golang.spec @@ -95,13 +95,13 @@ %global gohostarch s390x %endif -%global go_api 1.16 -%global go_version 1.16.6 -%global pkg_release 3 +%global go_api 1.17 +%global go_version 1.17.2 +%global pkg_release 1 Name: golang Version: %{go_version} -Release: 4%{?dist} +Release: 1%{?dist} Summary: The Go Programming Language # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain License: BSD and Public Domain @@ -144,19 +144,9 @@ Patch215: go1.5-zoneinfo_testing_only.patch # Proposed patch by jcajka https://golang.org/cl/86541 Patch221: fix_TestScript_list_std.patch -# Add an env var to optionally trigger a warning in x509 when -# Common Name is used as hostname -# rhbz#1889437 -Patch223: golang-1.15-warnCN.patch - -Patch1939923: skip_test_rhbz1939923.patch - # Port to openssl 3.0 Patch1952381: rhbz1952381.patch -Patch1904567: cgo-lto-fix.patch -Patch334410: ppc64le-vdso-segfault-fix.patch - # Having documentation separate was broken Obsoletes: %{name}-docs < 1.1-4 @@ -250,15 +240,8 @@ Requires: %{name} = %{version}-%{release} %patch221 -p1 -%patch223 -p1 - %patch1952381 -p1 -%patch1939923 -p1 - -%patch1904567 -p1 -%patch334410 -p1 - cp %{SOURCE1} ./src/runtime/ %build @@ -328,7 +311,7 @@ rm -rf pkg/bootstrap/bin # install everything into libdir (until symlink problems are fixed) # https://code.google.com/p/go/issues/detail?id=5830 -cp -apv api bin doc favicon.ico lib pkg robots.txt src misc test VERSION \ +cp -apv api bin doc lib pkg src misc test VERSION \ $RPM_BUILD_ROOT%{goroot} # bz1099206 @@ -415,6 +398,7 @@ cp -av %{SOURCE100} $RPM_BUILD_ROOT%{_sysconfdir}/gdbinit.d/golang.gdb # prelink blacklist mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/prelink.conf.d cp -av %{SOURCE101} $RPM_BUILD_ROOT%{_sysconfdir}/prelink.conf.d/golang.conf +sed -i 's/const defaultGO_LDSO = `.*`/const defaultGO_LDSO = ``/' $RPM_BUILD_ROOT%{goroot}/src/internal/buildcfg/zbootstrap.go %check export GOROOT=$(pwd -P) @@ -501,15 +485,16 @@ EOM export OPENSSL_CONF=$TEST_BORING_CNF # Run tests with FIPS enabled. +export DISABLE_Ed25519_TEST="-run=!^TestEd25519Vectors$" pushd crypto # Run all crypto tests but skip TLS, we will run FIPS specific TLS tests later - GOLANG_FIPS=1 go test $(go list ./... | grep -v tls) -v + GOLANG_FIPS=1 go test $(go list ./... | grep -v tls) -v $DISABLE_Ed25519_TEST # Check that signature functions have parity between boring and notboring - CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v + CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v $DISABLE_Ed25519_TEST popd # Run all FIPS specific TLS tests pushd crypto/tls - GOLANG_FIPS=1 go test -v -run "Boring" + GOLANG_FIPS=1 go test -v -run "Boring" $DISABLE_Ed25519_TEST popd %else ./run.bash --no-rebuild -v -v -v -k || : @@ -572,6 +557,15 @@ cd .. %endif %changelog +* Wed Nov 03 2021 Alejandro Sáez - 1.17.2-1 +- Rebase to Go 1.17.2 +- Related: rhbz#2014087 +- Remove favicon.ico and robots.txt references +- Exclude TestEd25519Vectors test +- Update patch rhbz1952381 +- Remove rhbz1904567 patch +- Remove rhbz1939923 patch + * Mon Aug 09 2021 Mohan Boddu - 1.16.6-4 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688 diff --git a/ppc64le-vdso-segfault-fix.patch b/ppc64le-vdso-segfault-fix.patch deleted file mode 100644 index 09dd101..0000000 --- a/ppc64le-vdso-segfault-fix.patch +++ /dev/null @@ -1,229 +0,0 @@ -From 16ab7e49d4070c4f68e88836b123dbe6da8bb015 Mon Sep 17 00:00:00 2001 -From: Derek Parker -Date: Thu, 17 Jun 2021 20:22:40 +0000 -Subject: [PATCH] [release-branch.go1.16] runtime: fix crash during VDSO calls on PowerPC - -This patch reinstates a fix for PowerPC with regard to making VDSO calls -while receiving a signal, and subsequently crashing. The crash happens -because certain VDSO calls can modify the r30 register, which is where g -is stored. This change was reverted for PowerPC because r30 is supposed -to be a non-volatile register. This is true, but that only makes a -guarantee across function calls, but not "within" a function call. This -patch was seemingly fine before because the Linux kernel still had hand -rolled assembly VDSO function calls, however with a recent change to C -function calls it seems the compiler used can generate instructions -which temporarily clobber r30. This means that when we receive a signal -during one of these calls the value of r30 will not be the g as the -runtime expects, causing a segfault. - -You can see from this assembly dump how the register is clobbered during -the call: - -(the following is from a 5.13rc2 kernel) - -``` -Dump of assembler code for function __cvdso_clock_gettime_data: - 0x00007ffff7ff0700 <+0>: cmplwi r4,15 - 0x00007ffff7ff0704 <+4>: bgt 0x7ffff7ff07f0 <__cvdso_clock_gettime_data+240> - 0x00007ffff7ff0708 <+8>: li r9,1 - 0x00007ffff7ff070c <+12>: slw r9,r9,r4 - 0x00007ffff7ff0710 <+16>: andi. r10,r9,2179 - 0x00007ffff7ff0714 <+20>: beq 0x7ffff7ff0810 <__cvdso_clock_gettime_data+272> - 0x00007ffff7ff0718 <+24>: rldicr r10,r4,4,59 - 0x00007ffff7ff071c <+28>: lis r9,32767 - 0x00007ffff7ff0720 <+32>: std r30,-16(r1) - 0x00007ffff7ff0724 <+36>: std r31,-8(r1) - 0x00007ffff7ff0728 <+40>: add r6,r3,r10 - 0x00007ffff7ff072c <+44>: ori r4,r9,65535 - 0x00007ffff7ff0730 <+48>: lwz r8,0(r3) - 0x00007ffff7ff0734 <+52>: andi. r9,r8,1 - 0x00007ffff7ff0738 <+56>: bne 0x7ffff7ff07d0 <__cvdso_clock_gettime_data+208> - 0x00007ffff7ff073c <+60>: lwsync - 0x00007ffff7ff0740 <+64>: mftb r30 <---- RIGHT HERE -=> 0x00007ffff7ff0744 <+68>: ld r12,40(r6) -``` - -What I believe is happening is that the kernel changed the PowerPC VDSO -calls to use standard C calls instead of using hand rolled assembly. The -hand rolled assembly calls never touched r30, so this change was safe to -roll back. That does not seem to be the case anymore as on the 5.13rc2 -kernel the compiler *is* generating assembly which modifies r30, making -this change again unsafe and causing a crash when the program receives a -signal during these calls (which will happen often due to async -preempt). This change happened here: -https://lwn.net/ml/linux-kernel/235e5571959cfa89ced081d7e838ed5ff38447d2.1601365870.git.christophe.leroy@csgroup.eu/. - -I realize this was reverted due to unexplained hangs in PowerPC -builders, but I think we should reinstate this change and investigate -those issues separately: -https://github.com/golang/go/commit/f4ca3c1e0a2066ca4f7bd6203866d282ed34acf2 - -Fixes #46858 - -Change-Id: Ib18d7bbfc80a1a9cb558f0098878d41081324b52 -GitHub-Last-Rev: c3002bcfca3ef58b27485e31328e6297b7a9dfe7 -GitHub-Pull-Request: golang/go#46767 -Reviewed-on: https://go-review.googlesource.com/c/go/+/328110 -Run-TryBot: Lynn Boger -TryBot-Result: Go Bot -Reviewed-by: Cherry Mui -Trust: Lynn Boger -(cherry picked from commit 16e82be454cbf41299e6a055d54d489ca4612ee0) -Reviewed-on: https://go-review.googlesource.com/c/go/+/334410 -Run-TryBot: Cherry Mui ---- - -diff --git a/src/runtime/signal_unix.go b/src/runtime/signal_unix.go -index 3f70707..89f936e 100644 ---- a/src/runtime/signal_unix.go -+++ b/src/runtime/signal_unix.go -@@ -381,7 +381,7 @@ - //go:nosplit - func sigFetchG(c *sigctxt) *g { - switch GOARCH { -- case "arm", "arm64": -+ case "arm", "arm64", "ppc64", "ppc64le": - if !iscgo && inVDSOPage(c.sigpc()) { - // When using cgo, we save the g on TLS and load it from there - // in sigtramp. Just use that. -diff --git a/src/runtime/sys_linux_ppc64x.s b/src/runtime/sys_linux_ppc64x.s -index fd69ee7..7be8c4c 100644 ---- a/src/runtime/sys_linux_ppc64x.s -+++ b/src/runtime/sys_linux_ppc64x.s -@@ -215,15 +215,45 @@ - MOVD (g_sched+gobuf_sp)(R7), R1 // Set SP to g0 stack - - noswitch: -- SUB $16, R1 // Space for results -- RLDICR $0, R1, $59, R1 // Align for C code -+ SUB $16, R1 // Space for results -+ RLDICR $0, R1, $59, R1 // Align for C code - MOVD R12, CTR - MOVD R1, R4 -- BL (CTR) // Call from VDSO -- MOVD $0, R0 // Restore R0 -- MOVD 0(R1), R3 // sec -- MOVD 8(R1), R5 // nsec -- MOVD R15, R1 // Restore SP -+ -+ // Store g on gsignal's stack, so if we receive a signal -+ // during VDSO code we can find the g. -+ // If we don't have a signal stack, we won't receive signal, -+ // so don't bother saving g. -+ // When using cgo, we already saved g on TLS, also don't save -+ // g here. -+ // Also don't save g if we are already on the signal stack. -+ // We won't get a nested signal. -+ MOVBZ runtime·iscgo(SB), R22 -+ CMP R22, $0 -+ BNE nosaveg -+ MOVD m_gsignal(R21), R22 // g.m.gsignal -+ CMP R22, $0 -+ BEQ nosaveg -+ -+ CMP g, R22 -+ BEQ nosaveg -+ MOVD (g_stack+stack_lo)(R22), R22 // g.m.gsignal.stack.lo -+ MOVD g, (R22) -+ -+ BL (CTR) // Call from VDSO -+ -+ MOVD $0, (R22) // clear g slot, R22 is unchanged by C code -+ -+ JMP finish -+ -+nosaveg: -+ BL (CTR) // Call from VDSO -+ -+finish: -+ MOVD $0, R0 // Restore R0 -+ MOVD 0(R1), R3 // sec -+ MOVD 8(R1), R5 // nsec -+ MOVD R15, R1 // Restore SP - - // Restore vdsoPC, vdsoSP - // We don't worry about being signaled between the two stores. -@@ -235,7 +265,7 @@ - MOVD 32(R1), R6 - MOVD R6, m_vdsoPC(R21) - --finish: -+return: - MOVD R3, sec+0(FP) - MOVW R5, nsec+8(FP) - RET -@@ -246,7 +276,7 @@ - SYSCALL $SYS_clock_gettime - MOVD 32(R1), R3 - MOVD 40(R1), R5 -- JMP finish -+ JMP return - - TEXT runtime·nanotime1(SB),NOSPLIT,$16-8 - MOVD $1, R3 // CLOCK_MONOTONIC -@@ -282,7 +312,37 @@ - RLDICR $0, R1, $59, R1 // Align for C code - MOVD R12, CTR - MOVD R1, R4 -- BL (CTR) // Call from VDSO -+ -+ // Store g on gsignal's stack, so if we receive a signal -+ // during VDSO code we can find the g. -+ // If we don't have a signal stack, we won't receive signal, -+ // so don't bother saving g. -+ // When using cgo, we already saved g on TLS, also don't save -+ // g here. -+ // Also don't save g if we are already on the signal stack. -+ // We won't get a nested signal. -+ MOVBZ runtime·iscgo(SB), R22 -+ CMP R22, $0 -+ BNE nosaveg -+ MOVD m_gsignal(R21), R22 // g.m.gsignal -+ CMP R22, $0 -+ BEQ nosaveg -+ -+ CMP g, R22 -+ BEQ nosaveg -+ MOVD (g_stack+stack_lo)(R22), R22 // g.m.gsignal.stack.lo -+ MOVD g, (R22) -+ -+ BL (CTR) // Call from VDSO -+ -+ MOVD $0, (R22) // clear g slot, R22 is unchanged by C code -+ -+ JMP finish -+ -+nosaveg: -+ BL (CTR) // Call from VDSO -+ -+finish: - MOVD $0, R0 // Restore R0 - MOVD 0(R1), R3 // sec - MOVD 8(R1), R5 // nsec -@@ -298,7 +358,7 @@ - MOVD 32(R1), R6 - MOVD R6, m_vdsoPC(R21) - --finish: -+return: - // sec is in R3, nsec in R5 - // return nsec in R3 - MOVD $1000000000, R4 -@@ -313,7 +373,7 @@ - SYSCALL $SYS_clock_gettime - MOVD 32(R1), R3 - MOVD 40(R1), R5 -- JMP finish -+ JMP return - - TEXT runtime·rtsigprocmask(SB),NOSPLIT|NOFRAME,$0-28 - MOVW how+0(FP), R3 -@@ -366,7 +426,7 @@ - // this might be called in external code context, - // where g is not set. - MOVBZ runtime·iscgo(SB), R6 -- CMP R6, $0 -+ CMP R6, $0 - BEQ 2(PC) - BL runtime·load_g(SB) - diff --git a/rhbz1952381.patch b/rhbz1952381.patch index 1e70af8..8aa92cc 100644 --- a/rhbz1952381.patch +++ b/rhbz1952381.patch @@ -1,5 +1,5 @@ diff --git a/src/crypto/internal/boring/aes.go b/src/crypto/internal/boring/aes.go -index 2ca64bf..8111b6d 100644 +index 457decf..961795a 100644 --- a/src/crypto/internal/boring/aes.go +++ b/src/crypto/internal/boring/aes.go @@ -130,7 +130,11 @@ func (c *aesCipher) Decrypt(dst, src []byte) { @@ -15,7 +15,7 @@ index 2ca64bf..8111b6d 100644 outlen := C.int(0) C._goboringcrypto_EVP_CipherUpdate(c.dec_ctx, (*C.uchar)(unsafe.Pointer(&dst[0])), &outlen, (*C.uchar)(unsafe.Pointer(&src[0])), C.int(aesBlockSize)) runtime.KeepAlive(c) -@@ -165,6 +169,11 @@ func (x *aesCBC) CryptBlocks(dst, src []byte) { +@@ -157,6 +161,11 @@ func (x *aesCBC) CryptBlocks(dst, src []byte) { } if len(src) > 0 { outlen := C.int(0) @@ -108,7 +108,7 @@ index e7ae80c..45c856b 100644 type fail string diff --git a/src/crypto/internal/boring/goopenssl.h b/src/crypto/internal/boring/goopenssl.h -index 3585458..0762c95 100644 +index 745e8a4..284e845 100644 --- a/src/crypto/internal/boring/goopenssl.h +++ b/src/crypto/internal/boring/goopenssl.h @@ -14,6 +14,15 @@ @@ -202,7 +202,7 @@ index 3585458..0762c95 100644 #include -@@ -716,6 +741,7 @@ static inline int +@@ -735,6 +759,7 @@ static inline int _goboringcrypto_EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { return _goboringcrypto_EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_TYPE_SIG, EVP_PKEY_CTRL_MD, 0, (void *)md); } @@ -346,7 +346,7 @@ index ff5c439..6047d65 100644 return len(b), nil } diff --git a/src/crypto/internal/boring/rsa.go b/src/crypto/internal/boring/rsa.go -index 2eefc27..668c12f 100644 +index 0223243..b72af0d 100644 --- a/src/crypto/internal/boring/rsa.go +++ b/src/crypto/internal/boring/rsa.go @@ -141,7 +141,7 @@ func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int, @@ -677,18 +677,10 @@ index 3dd1ec9..60c769c 100644 pub := &PublicKey{ E: 65537, diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go -index 497dd62..d83e7e0 100644 +index 6a5a93f..2032b4b 100644 --- a/src/crypto/rsa/pss_test.go +++ b/src/crypto/rsa/pss_test.go -@@ -10,6 +10,7 @@ import ( - "compress/bzip2" - "crypto" - "crypto/rand" -+ "crypto/boring" - "crypto/sha1" - _ "crypto/sha256" - "encoding/hex" -@@ -131,7 +132,6 @@ func TestPSSGolden(t *testing.T) { +@@ -132,7 +132,6 @@ func TestPSSGolden(t *testing.T) { opts := &PSSOptions{ SaltLength: PSSSaltLengthEqualsHash, } @@ -696,7 +688,7 @@ index 497dd62..d83e7e0 100644 for marker := range values { switch marker { case newKeyMarker: -@@ -173,18 +173,13 @@ func TestPSSOpenSSL(t *testing.T) { +@@ -174,18 +173,13 @@ func TestPSSOpenSSL(t *testing.T) { h.Write(hashed) hashed = h.Sum(nil) @@ -718,7 +710,7 @@ index 497dd62..d83e7e0 100644 t.Error(err) } } -@@ -211,24 +206,47 @@ func TestPSSSigning(t *testing.T) { +@@ -212,24 +206,47 @@ func TestPSSSigning(t *testing.T) { {8, 8, true}, } @@ -934,7 +926,7 @@ index d9693a7..cfe020e 100644 label := []byte(fmt.Sprintf("hi#%d", j)) enc, err := EncryptOAEP(sha256, rand.Reader, &priv.PublicKey, message.in, label) diff --git a/src/crypto/tls/boring_test.go b/src/crypto/tls/boring_test.go -index 5485080..575b99f 100644 +index 94a24ff..577bc73 100644 --- a/src/crypto/tls/boring_test.go +++ b/src/crypto/tls/boring_test.go @@ -26,7 +26,7 @@ import ( @@ -964,7 +956,7 @@ index 5485080..575b99f 100644 serverConfig.Certificates = make([]Certificate, 1) serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate} serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey -@@ -203,7 +203,7 @@ func TestBoringServerSignatureAndHash(t *testing.T) { +@@ -204,7 +204,7 @@ func TestBoringServerSignatureAndHash(t *testing.T) { for _, sigHash := range defaultSupportedSignatureAlgorithms { t.Run(fmt.Sprintf("%#x", sigHash), func(t *testing.T) { @@ -973,7 +965,7 @@ index 5485080..575b99f 100644 serverConfig.Certificates = make([]Certificate, 1) testingOnlyForceClientHelloSignatureAlgorithms = []SignatureScheme{sigHash} -@@ -262,7 +262,7 @@ func TestBoringClientHello(t *testing.T) { +@@ -263,7 +263,7 @@ func TestBoringClientHello(t *testing.T) { defer c.Close() defer s.Close() @@ -982,7 +974,7 @@ index 5485080..575b99f 100644 // All sorts of traps for the client to avoid. clientConfig.MinVersion = VersionSSL30 clientConfig.MaxVersion = VersionTLS13 -@@ -336,12 +336,12 @@ func TestBoringCertAlgs(t *testing.T) { +@@ -337,12 +337,12 @@ func TestBoringCertAlgs(t *testing.T) { // client verifying server cert testServerCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) { @@ -997,7 +989,7 @@ index 5485080..575b99f 100644 serverConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}} serverConfig.BuildNameToCertificate() -@@ -364,11 +364,11 @@ func TestBoringCertAlgs(t *testing.T) { +@@ -365,11 +365,11 @@ func TestBoringCertAlgs(t *testing.T) { // server verifying client cert testClientCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) { @@ -1011,7 +1003,7 @@ index 5485080..575b99f 100644 serverConfig.ClientCAs = pool serverConfig.ClientAuth = RequireAndVerifyClientCert -@@ -393,8 +393,13 @@ func TestBoringCertAlgs(t *testing.T) { +@@ -394,8 +394,13 @@ func TestBoringCertAlgs(t *testing.T) { // exhaustive test with computed answers. r1pool := x509.NewCertPool() r1pool.AddCert(R1.cert) @@ -1027,7 +1019,7 @@ index 5485080..575b99f 100644 fipstls.Force() testServerCert(t, "basic (fips)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false) testClientCert(t, "basic (fips, client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false) -@@ -457,6 +462,10 @@ func TestBoringCertAlgs(t *testing.T) { +@@ -458,6 +463,10 @@ func TestBoringCertAlgs(t *testing.T) { addRoot(r&1, R1) addRoot(r&2, R2) rootName = rootName[1:] // strip leading comma @@ -1038,7 +1030,7 @@ index 5485080..575b99f 100644 testServerCert(t, listName+"->"+rootName[1:], pool, leaf.key, list, shouldVerify) testClientCert(t, listName+"->"+rootName[1:]+"(client cert)", pool, leaf.key, list, shouldVerify) fipstls.Force() -@@ -576,6 +585,16 @@ var ( +@@ -577,6 +586,16 @@ var ( testRSA2048PrivateKey *rsa.PrivateKey ) @@ -1056,7 +1048,7 @@ index 5485080..575b99f 100644 block, _ := pem.Decode([]byte(` -----BEGIN CERTIFICATE----- diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go -index 51dda16..31723b6 100644 +index a4053ab..aff4ff2 100644 --- a/src/crypto/x509/x509_test.go +++ b/src/crypto/x509/x509_test.go @@ -151,6 +151,7 @@ func TestPKIXMismatchPublicKeyFormat(t *testing.T) { diff --git a/sources b/sources index 32376a9..7267649 100644 --- a/sources +++ b/sources @@ -1,3 +1 @@ -SHA512 (go-go-1.16.4-1-openssl-fips.tar.gz) = c99957801440519fa5145a6901fd513baa087584a7d51c726e2ac61094cf65e81798b2773c4a74fa7e904934452709a97c91e3d9cd1695b8537e4858e15b5e47 -SHA512 (go-go-1.16.6-2-openssl-fips.tar.gz) = 8398c1860c7277ac61a7957fe702f0d869d291b45f08e031364c35a68319d25cbef62755c1dc790d24d080017163e469251e0fb70e68d1cbd04390b9a6c540dd -SHA512 (go-go-1.16.6-3-openssl-fips.tar.gz) = 2cf8da0ba5c35e5d319c15505a146e00a256233b9f3a2f5bd88e9524a738d7a8ed1bbeeaaa01e3a9e0fce3b24b326e10171c1e588dfbd87959ff29abf2a68dc2 +SHA512 (go-go-1.17.2-1-openssl-fips.tar.gz) = dc0ff0b9cc85ec874bf48f42b61d8394ae16787d708c4b2255115d0f8d99bcc4ad2684392f79001a10dab803e6b7f7fee961ece415ad20176eab61bc7d9ee788