import golang-1.16.7-1.module+el8.5.0+12246+1aac4e3f
This commit is contained in:
parent
7061b2ef39
commit
cc55b2ba52
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/go-go-1.15.7-1-openssl-fips.tar.gz
|
||||
SOURCES/go-go-1.16.7-1-openssl-fips.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
501d01d764310874ec20f3d7555c70948ef15fb2 SOURCES/go-go-1.15.7-1-openssl-fips.tar.gz
|
||||
e693273f254789980a55720bd48ac8741d446f21 SOURCES/go-go-1.16.7-1-openssl-fips.tar.gz
|
||||
|
235
SOURCES/fix-crypto-memory-leaks.patch
Normal file
235
SOURCES/fix-crypto-memory-leaks.patch
Normal file
@ -0,0 +1,235 @@
|
||||
diff --git a/src/crypto/internal/boring/goopenssl.h b/src/crypto/internal/boring/goopenssl.h
|
||||
index 3585458..ae1607b 100644
|
||||
--- a/src/crypto/internal/boring/goopenssl.h
|
||||
+++ b/src/crypto/internal/boring/goopenssl.h
|
||||
@@ -667,6 +667,7 @@ typedef EVP_PKEY GO_EVP_PKEY;
|
||||
DEFINEFUNC(GO_EVP_PKEY *, EVP_PKEY_new, (void), ())
|
||||
DEFINEFUNC(void, EVP_PKEY_free, (GO_EVP_PKEY * arg0), (arg0))
|
||||
DEFINEFUNC(int, EVP_PKEY_set1_RSA, (GO_EVP_PKEY * arg0, GO_RSA *arg1), (arg0, arg1))
|
||||
+DEFINEFUNC(int, EVP_PKEY_set1_EC_KEY, (GO_EVP_PKEY * arg0, GO_EC_KEY *arg1), (arg0, arg1))
|
||||
DEFINEFUNC(int, EVP_PKEY_verify,
|
||||
(EVP_PKEY_CTX *ctx, const unsigned char *sig, unsigned int siglen, const unsigned char *tbs, size_t tbslen),
|
||||
(ctx, sig, siglen, tbs, tbslen))
|
||||
diff --git a/src/crypto/internal/boring/openssl_ecdsa_signature.c b/src/crypto/internal/boring/openssl_ecdsa_signature.c
|
||||
index 4c14cc9..daa1252 100644
|
||||
--- a/src/crypto/internal/boring/openssl_ecdsa_signature.c
|
||||
+++ b/src/crypto/internal/boring/openssl_ecdsa_signature.c
|
||||
@@ -9,19 +9,32 @@
|
||||
int
|
||||
_goboringcrypto_ECDSA_sign(EVP_MD* md, const uint8_t *msg, size_t msgLen, uint8_t *sig, unsigned int *slen, GO_EC_KEY *eckey)
|
||||
{
|
||||
+ int result;
|
||||
EVP_PKEY *key = _goboringcrypto_EVP_PKEY_new();
|
||||
- if (!_goboringcrypto_EVP_PKEY_assign_EC_KEY(key, eckey))
|
||||
- return 0;
|
||||
- return _goboringcrypto_EVP_sign(md, NULL, msg, msgLen, sig, slen, key);
|
||||
+ if (!_goboringcrypto_EVP_PKEY_set1_EC_KEY(key, eckey)) {
|
||||
+ result = 0;
|
||||
+ goto err;
|
||||
+ }
|
||||
+ result = _goboringcrypto_EVP_sign(md, NULL, msg, msgLen, sig, slen, key);
|
||||
+err:
|
||||
+ _goboringcrypto_EVP_PKEY_free(key);
|
||||
+ return result;
|
||||
}
|
||||
|
||||
int
|
||||
_goboringcrypto_ECDSA_verify(EVP_MD* md, const uint8_t *msg, size_t msgLen, const uint8_t *sig, unsigned int slen, GO_EC_KEY *eckey)
|
||||
{
|
||||
|
||||
+ int result;
|
||||
EVP_PKEY *key = _goboringcrypto_EVP_PKEY_new();
|
||||
- if (!_goboringcrypto_EVP_PKEY_assign_EC_KEY(key, eckey))
|
||||
- return 0;
|
||||
+ if (!_goboringcrypto_EVP_PKEY_set1_EC_KEY(key, eckey)) {
|
||||
+ result = 0;
|
||||
+ goto err;
|
||||
+ }
|
||||
|
||||
- return _goboringcrypto_EVP_verify(md, NULL, msg, msgLen, sig, slen, key);
|
||||
+ result = _goboringcrypto_EVP_verify(md, NULL, msg, msgLen, sig, slen, key);
|
||||
+
|
||||
+err:
|
||||
+ _goboringcrypto_EVP_PKEY_free(key);
|
||||
+ return result;
|
||||
}
|
||||
diff --git a/src/crypto/internal/boring/openssl_port_rsa.c b/src/crypto/internal/boring/openssl_port_rsa.c
|
||||
index a8d047d..2e56499 100644
|
||||
--- a/src/crypto/internal/boring/openssl_port_rsa.c
|
||||
+++ b/src/crypto/internal/boring/openssl_port_rsa.c
|
||||
@@ -25,14 +25,13 @@ int _goboringcrypto_RSA_digest_and_sign_pss_mgf1(GO_RSA *rsa, unsigned int *out_
|
||||
EVP_PKEY_CTX *ctx;
|
||||
unsigned int siglen;
|
||||
|
||||
+ int ret = 0;
|
||||
EVP_PKEY *key = _goboringcrypto_EVP_PKEY_new();
|
||||
- if (!_goboringcrypto_EVP_PKEY_assign_RSA(key, rsa))
|
||||
- return 0;
|
||||
+ if (!_goboringcrypto_EVP_PKEY_set1_RSA(key, rsa))
|
||||
+ goto err;
|
||||
ctx = _goboringcrypto_EVP_PKEY_CTX_new(key, NULL /* no engine */);
|
||||
if (!ctx)
|
||||
- return 0;
|
||||
-
|
||||
- int ret = 0;
|
||||
+ goto err;
|
||||
|
||||
EVP_MD_CTX *mdctx = NULL;
|
||||
if (!(mdctx = _goboringcrypto_EVP_MD_CTX_create()))
|
||||
@@ -67,6 +66,10 @@ int _goboringcrypto_RSA_digest_and_sign_pss_mgf1(GO_RSA *rsa, unsigned int *out_
|
||||
err:
|
||||
if (mdctx)
|
||||
_goboringcrypto_EVP_MD_CTX_free(mdctx);
|
||||
+ if (ctx)
|
||||
+ _goboringcrypto_EVP_PKEY_CTX_free(ctx);
|
||||
+ if (key)
|
||||
+ _goboringcrypto_EVP_PKEY_free(key);
|
||||
|
||||
return ret;
|
||||
}
|
||||
@@ -78,18 +81,17 @@ int _goboringcrypto_RSA_sign_pss_mgf1(GO_RSA *rsa, unsigned int *out_len, uint8_
|
||||
EVP_PKEY *pkey;
|
||||
size_t siglen;
|
||||
|
||||
+ int ret = 0;
|
||||
pkey = _goboringcrypto_EVP_PKEY_new();
|
||||
if (!pkey)
|
||||
- return 0;
|
||||
+ goto err;
|
||||
|
||||
if (_goboringcrypto_EVP_PKEY_set1_RSA(pkey, rsa) <= 0)
|
||||
- return 0;
|
||||
-
|
||||
+ goto err;
|
||||
+
|
||||
ctx = _goboringcrypto_EVP_PKEY_CTX_new(pkey, NULL /* no engine */);
|
||||
if (!ctx)
|
||||
- return 0;
|
||||
-
|
||||
- int ret = 0;
|
||||
+ goto err;
|
||||
|
||||
if (_goboringcrypto_EVP_PKEY_sign_init(ctx) <= 0)
|
||||
goto err;
|
||||
@@ -101,7 +103,7 @@ int _goboringcrypto_RSA_sign_pss_mgf1(GO_RSA *rsa, unsigned int *out_len, uint8_
|
||||
goto err;
|
||||
if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, mgf1_md) <= 0)
|
||||
goto err;
|
||||
-
|
||||
+
|
||||
/* Determine buffer length */
|
||||
if (_goboringcrypto_EVP_PKEY_sign(ctx, NULL, &siglen, in, in_len) <= 0)
|
||||
goto err;
|
||||
@@ -116,7 +118,10 @@ int _goboringcrypto_RSA_sign_pss_mgf1(GO_RSA *rsa, unsigned int *out_len, uint8_
|
||||
ret = 1;
|
||||
|
||||
err:
|
||||
- _goboringcrypto_EVP_PKEY_CTX_free(ctx);
|
||||
+ if (ctx)
|
||||
+ _goboringcrypto_EVP_PKEY_CTX_free(ctx);
|
||||
+ if (pkey)
|
||||
+ _goboringcrypto_EVP_PKEY_free(pkey);
|
||||
|
||||
return ret;
|
||||
}
|
||||
@@ -130,14 +135,14 @@ int _goboringcrypto_RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg, unsigned i
|
||||
|
||||
pkey = _goboringcrypto_EVP_PKEY_new();
|
||||
if (!pkey)
|
||||
- return 0;
|
||||
+ goto err;
|
||||
|
||||
if (_goboringcrypto_EVP_PKEY_set1_RSA(pkey, rsa) <= 0)
|
||||
- return 0;
|
||||
-
|
||||
+ goto err;
|
||||
+
|
||||
ctx = _goboringcrypto_EVP_PKEY_CTX_new(pkey, NULL /* no engine */);
|
||||
if (!ctx)
|
||||
- return 0;
|
||||
+ goto err;
|
||||
|
||||
if (_goboringcrypto_EVP_PKEY_verify_init(ctx) <= 0)
|
||||
goto err;
|
||||
@@ -155,25 +160,40 @@ int _goboringcrypto_RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg, unsigned i
|
||||
ret = 1;
|
||||
|
||||
err:
|
||||
- _goboringcrypto_EVP_PKEY_CTX_free(ctx);
|
||||
+ if (ctx)
|
||||
+ _goboringcrypto_EVP_PKEY_CTX_free(ctx);
|
||||
+ if (pkey)
|
||||
+ _goboringcrypto_EVP_PKEY_free(pkey);
|
||||
+
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
int _goboringcrypto_EVP_RSA_sign(EVP_MD *md, const uint8_t *msg, unsigned int msgLen, uint8_t *sig, unsigned int *slen, RSA *rsa)
|
||||
{
|
||||
+ int result;
|
||||
EVP_PKEY *key = _goboringcrypto_EVP_PKEY_new();
|
||||
- if (!_goboringcrypto_EVP_PKEY_assign_RSA(key, rsa))
|
||||
- return 0;
|
||||
- return _goboringcrypto_EVP_sign(md, NULL, msg, msgLen, sig, slen, key);
|
||||
+ if (!_goboringcrypto_EVP_PKEY_set1_RSA(key, rsa)) {
|
||||
+ result = 0;
|
||||
+ goto err;
|
||||
+ }
|
||||
+ result = _goboringcrypto_EVP_sign(md, NULL, msg, msgLen, sig, slen, key);
|
||||
+err:
|
||||
+ _goboringcrypto_EVP_PKEY_free(key);
|
||||
+ return result;
|
||||
}
|
||||
|
||||
int _goboringcrypto_EVP_RSA_verify(EVP_MD *md, const uint8_t *msg, unsigned int msgLen, const uint8_t *sig, unsigned int slen, GO_RSA *rsa)
|
||||
{
|
||||
+ int result;
|
||||
EVP_PKEY *key = _goboringcrypto_EVP_PKEY_new();
|
||||
- if (!_goboringcrypto_EVP_PKEY_assign_RSA(key, rsa))
|
||||
- {
|
||||
- return 0;
|
||||
+ if (!_goboringcrypto_EVP_PKEY_set1_RSA(key, rsa)) {
|
||||
+ result = 0;
|
||||
+ goto err;
|
||||
}
|
||||
- return _goboringcrypto_EVP_verify(md, NULL, msg, msgLen, sig, slen, key);
|
||||
+ result = _goboringcrypto_EVP_verify(md, NULL, msg, msgLen, sig, slen, key);
|
||||
+err:
|
||||
+ _goboringcrypto_EVP_PKEY_free(key);
|
||||
+ return result;
|
||||
+
|
||||
}
|
||||
diff --git a/src/crypto/internal/boring/rsa.go b/src/crypto/internal/boring/rsa.go
|
||||
index 2eefc27..698c08e 100644
|
||||
--- a/src/crypto/internal/boring/rsa.go
|
||||
+++ b/src/crypto/internal/boring/rsa.go
|
||||
@@ -162,12 +162,23 @@ func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
|
||||
return nil, nil, NewOpenSSLError("EVP_PKEY_set_rsa_oaep_md failed")
|
||||
}
|
||||
// ctx takes ownership of label, so malloc a copy for BoringCrypto to free.
|
||||
- clabel := (*C.uint8_t)(C.malloc(C.size_t(len(label))))
|
||||
- if clabel == nil {
|
||||
- return nil, nil, fail("OPENSSL_malloc")
|
||||
+ var clabel *C.uint8_t
|
||||
+ clabel = nil
|
||||
+ // OpenSSL 1.1.1 does not take ownership of the label if the length is zero.
|
||||
+ // Depending on the malloc implementation, if clabel is allocated with malloc(0),
|
||||
+ // metadata for the size-zero allocation is never cleaned up, which is a memory leak.
|
||||
+ // As such, we must only allocate clabel if the label is of non zero length.
|
||||
+ if len(label) > 0 {
|
||||
+ clabel = (*C.uint8_t)(C.malloc(C.size_t(len(label))))
|
||||
+ if clabel == nil {
|
||||
+ return nil, nil, fail("OPENSSL_malloc")
|
||||
+ }
|
||||
+ copy((*[1 << 30]byte)(unsafe.Pointer(clabel))[:len(label)], label)
|
||||
}
|
||||
- copy((*[1 << 30]byte)(unsafe.Pointer(clabel))[:len(label)], label)
|
||||
- if C._goboringcrypto_EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, clabel, C.int(len(label))) == 0 {
|
||||
+ if C._goboringcrypto_EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, clabel, C.int(len(label))) != 1 {
|
||||
+ if clabel != nil {
|
||||
+ C.free(unsafe.Pointer(clabel))
|
||||
+ }
|
||||
return nil, nil, NewOpenSSLError("EVP_PKEY_CTX_set0_rsa_oaep_label failed")
|
||||
}
|
||||
}
|
@ -1,157 +0,0 @@
|
||||
diff --git a/src/net/http/export_test.go b/src/net/http/export_test.go
|
||||
index 657ff9d..67a74ae 100644
|
||||
--- a/src/net/http/export_test.go
|
||||
+++ b/src/net/http/export_test.go
|
||||
@@ -274,6 +274,17 @@ func (s *Server) ExportAllConnsIdle() bool {
|
||||
return true
|
||||
}
|
||||
|
||||
+func (s *Server) ExportAllConnsByState() map[ConnState]int {
|
||||
+ states := map[ConnState]int{}
|
||||
+ s.mu.Lock()
|
||||
+ defer s.mu.Unlock()
|
||||
+ for c := range s.activeConn {
|
||||
+ st, _ := c.getState()
|
||||
+ states[st] += 1
|
||||
+ }
|
||||
+ return states
|
||||
+}
|
||||
+
|
||||
func (r *Request) WithT(t *testing.T) *Request {
|
||||
return r.WithContext(context.WithValue(r.Context(), tLogKey{}, t.Logf))
|
||||
}
|
||||
diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go
|
||||
index 5f56932..806272b 100644
|
||||
--- a/src/net/http/serve_test.go
|
||||
+++ b/src/net/http/serve_test.go
|
||||
@@ -5519,16 +5519,23 @@ func TestServerSetKeepAlivesEnabledClosesConns(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
-func TestServerShutdown_h1(t *testing.T) { testServerShutdown(t, h1Mode) }
|
||||
-func TestServerShutdown_h2(t *testing.T) { testServerShutdown(t, h2Mode) }
|
||||
+func TestServerShutdown_h1(t *testing.T) {
|
||||
+ testServerShutdown(t, h1Mode)
|
||||
+}
|
||||
+func TestServerShutdown_h2(t *testing.T) {
|
||||
+ testServerShutdown(t, h2Mode)
|
||||
+}
|
||||
|
||||
func testServerShutdown(t *testing.T, h2 bool) {
|
||||
setParallel(t)
|
||||
defer afterTest(t)
|
||||
var doShutdown func() // set later
|
||||
+ var doStateCount func()
|
||||
var shutdownRes = make(chan error, 1)
|
||||
+ var statesRes = make(chan map[ConnState]int, 1)
|
||||
var gotOnShutdown = make(chan struct{}, 1)
|
||||
handler := HandlerFunc(func(w ResponseWriter, r *Request) {
|
||||
+ doStateCount()
|
||||
go doShutdown()
|
||||
// Shutdown is graceful, so it should not interrupt
|
||||
// this in-flight response. Add a tiny sleep here to
|
||||
@@ -5545,6 +5552,9 @@ func testServerShutdown(t *testing.T, h2 bool) {
|
||||
doShutdown = func() {
|
||||
shutdownRes <- cst.ts.Config.Shutdown(context.Background())
|
||||
}
|
||||
+ doStateCount = func() {
|
||||
+ statesRes <- cst.ts.Config.ExportAllConnsByState()
|
||||
+ }
|
||||
get(t, cst.c, cst.ts.URL) // calls t.Fail on failure
|
||||
|
||||
if err := <-shutdownRes; err != nil {
|
||||
@@ -5556,6 +5566,10 @@ func testServerShutdown(t *testing.T, h2 bool) {
|
||||
t.Errorf("onShutdown callback not called, RegisterOnShutdown broken?")
|
||||
}
|
||||
|
||||
+ if states := <-statesRes; states[StateActive] != 1 {
|
||||
+ t.Errorf("connection in wrong state, %v", states)
|
||||
+ }
|
||||
+
|
||||
res, err := cst.c.Get(cst.ts.URL)
|
||||
if err == nil {
|
||||
res.Body.Close()
|
||||
diff --git a/src/net/http/server.go b/src/net/http/server.go
|
||||
index d41b5f6..14a6336 100644
|
||||
--- a/src/net/http/server.go
|
||||
+++ b/src/net/http/server.go
|
||||
@@ -324,7 +324,7 @@ func (c *conn) hijackLocked() (rwc net.Conn, buf *bufio.ReadWriter, err error) {
|
||||
return nil, nil, fmt.Errorf("unexpected Peek failure reading buffered byte: %v", err)
|
||||
}
|
||||
}
|
||||
- c.setState(rwc, StateHijacked)
|
||||
+ c.setState(rwc, StateHijacked, runHooks)
|
||||
return
|
||||
}
|
||||
|
||||
@@ -1737,7 +1737,12 @@ func validNextProto(proto string) bool {
|
||||
return true
|
||||
}
|
||||
|
||||
-func (c *conn) setState(nc net.Conn, state ConnState) {
|
||||
+const (
|
||||
+ runHooks = true
|
||||
+ skipHooks = false
|
||||
+)
|
||||
+
|
||||
+func (c *conn) setState(nc net.Conn, state ConnState, runHook bool) {
|
||||
srv := c.server
|
||||
switch state {
|
||||
case StateNew:
|
||||
@@ -1750,6 +1755,9 @@ func (c *conn) setState(nc net.Conn, state ConnState) {
|
||||
}
|
||||
packedState := uint64(time.Now().Unix()<<8) | uint64(state)
|
||||
atomic.StoreUint64(&c.curState.atomic, packedState)
|
||||
+ if !runHook {
|
||||
+ return
|
||||
+ }
|
||||
if hook := srv.ConnState; hook != nil {
|
||||
hook(nc, state)
|
||||
}
|
||||
@@ -1803,7 +1811,7 @@ func (c *conn) serve(ctx context.Context) {
|
||||
}
|
||||
if !c.hijacked() {
|
||||
c.close()
|
||||
- c.setState(c.rwc, StateClosed)
|
||||
+ c.setState(c.rwc, StateClosed, runHooks)
|
||||
}
|
||||
}()
|
||||
|
||||
@@ -1831,6 +1839,10 @@ func (c *conn) serve(ctx context.Context) {
|
||||
if proto := c.tlsState.NegotiatedProtocol; validNextProto(proto) {
|
||||
if fn := c.server.TLSNextProto[proto]; fn != nil {
|
||||
h := initALPNRequest{ctx, tlsConn, serverHandler{c.server}}
|
||||
+ // Mark freshly created HTTP/2 as active and prevent any server state hooks
|
||||
+ // from being run on these connections. This prevents closeIdleConns from
|
||||
+ // closing such connections. See issue https://golang.org/issue/39776.
|
||||
+ c.setState(c.rwc, StateActive, skipHooks)
|
||||
fn(c.server, tlsConn, h)
|
||||
}
|
||||
return
|
||||
@@ -1851,7 +1863,7 @@ func (c *conn) serve(ctx context.Context) {
|
||||
w, err := c.readRequest(ctx)
|
||||
if c.r.remain != c.server.initialReadLimitSize() {
|
||||
// If we read any bytes off the wire, we're active.
|
||||
- c.setState(c.rwc, StateActive)
|
||||
+ c.setState(c.rwc, StateActive, runHooks)
|
||||
}
|
||||
if err != nil {
|
||||
const errorHeaders = "\r\nContent-Type: text/plain; charset=utf-8\r\nConnection: close\r\n\r\n"
|
||||
@@ -1934,7 +1946,7 @@ func (c *conn) serve(ctx context.Context) {
|
||||
}
|
||||
return
|
||||
}
|
||||
- c.setState(c.rwc, StateIdle)
|
||||
+ c.setState(c.rwc, StateIdle, runHooks)
|
||||
c.curReq.Store((*response)(nil))
|
||||
|
||||
if !w.conn.server.doKeepAlives() {
|
||||
@@ -2965,7 +2977,7 @@ func (srv *Server) Serve(l net.Listener) error {
|
||||
}
|
||||
tempDelay = 0
|
||||
c := srv.newConn(rw)
|
||||
- c.setState(c.rwc, StateNew) // before Serve can return
|
||||
+ c.setState(c.rwc, StateNew, runHooks) // before Serve can return
|
||||
go c.serve(connCtx)
|
||||
}
|
||||
}
|
109
SOURCES/reject-leading-zeros.patch
Normal file
109
SOURCES/reject-leading-zeros.patch
Normal file
@ -0,0 +1,109 @@
|
||||
diff --git a/doc/go1.16.html b/doc/go1.16.html
|
||||
index 0beb62d..fc6b668 100644
|
||||
--- a/doc/go1.16.html
|
||||
+++ b/doc/go1.16.html
|
||||
@@ -891,6 +891,14 @@ func TestFoo(t *testing.T) {
|
||||
is missing; this is common on musl-based systems and makes
|
||||
Go programs match the behavior of C programs on those systems.
|
||||
</p>
|
||||
+ <p><!-- CL325829 -->
|
||||
+ The <a href="/pkg/net/#ParseIP"><code>ParseIP</code></a> and <a href="/pkg/net/#ParseCIDR"><code>ParseCIDR</code></a>
|
||||
+ functions now reject IPv4 addresses which contain decimal components with leading zeros.
|
||||
+ These components were always interpreted as decimal, but some operating systems treat them as octal.
|
||||
+ This mismatch could hypothetically lead to security issues if a Go application was used to validate IP addresses
|
||||
+ which were then used in their original form with non-Go applications which interpreted components as octal. Generally,
|
||||
+ it is advisable to always re-encoded values after validation, which avoids this class of parser misalignment issues.
|
||||
+ </p>
|
||||
</dd>
|
||||
</dl><!-- net -->
|
||||
|
||||
diff --git a/src/net/hosts_test.go b/src/net/hosts_test.go
|
||||
index f850e2f..19c4399 100644
|
||||
--- a/src/net/hosts_test.go
|
||||
+++ b/src/net/hosts_test.go
|
||||
@@ -36,7 +36,7 @@ var lookupStaticHostTests = []struct {
|
||||
},
|
||||
},
|
||||
{
|
||||
- "testdata/ipv4-hosts", // see golang.org/issue/8996
|
||||
+ "testdata/ipv4-hosts",
|
||||
[]staticHostEntry{
|
||||
{"localhost", []string{"127.0.0.1", "127.0.0.2", "127.0.0.3"}},
|
||||
{"localhost.localdomain", []string{"127.0.0.3"}},
|
||||
@@ -102,7 +102,7 @@ var lookupStaticAddrTests = []struct {
|
||||
},
|
||||
},
|
||||
{
|
||||
- "testdata/ipv4-hosts", // see golang.org/issue/8996
|
||||
+ "testdata/ipv4-hosts",
|
||||
[]staticHostEntry{
|
||||
{"127.0.0.1", []string{"localhost"}},
|
||||
{"127.0.0.2", []string{"localhost"}},
|
||||
diff --git a/src/net/ip.go b/src/net/ip.go
|
||||
index c00fe8e..007f3f7 100644
|
||||
--- a/src/net/ip.go
|
||||
+++ b/src/net/ip.go
|
||||
@@ -552,6 +552,10 @@ func parseIPv4(s string) IP {
|
||||
if !ok || n > 0xFF {
|
||||
return nil
|
||||
}
|
||||
+ if c > 1 && s[0] == '0' {
|
||||
+ // Reject non-zero components with leading zeroes.
|
||||
+ return nil
|
||||
+ }
|
||||
s = s[c:]
|
||||
p[i] = byte(n)
|
||||
}
|
||||
diff --git a/src/net/ip_test.go b/src/net/ip_test.go
|
||||
index a5fc5e6..585381d 100644
|
||||
--- a/src/net/ip_test.go
|
||||
+++ b/src/net/ip_test.go
|
||||
@@ -20,9 +20,7 @@ var parseIPTests = []struct {
|
||||
}{
|
||||
{"127.0.1.2", IPv4(127, 0, 1, 2)},
|
||||
{"127.0.0.1", IPv4(127, 0, 0, 1)},
|
||||
- {"127.001.002.003", IPv4(127, 1, 2, 3)},
|
||||
{"::ffff:127.1.2.3", IPv4(127, 1, 2, 3)},
|
||||
- {"::ffff:127.001.002.003", IPv4(127, 1, 2, 3)},
|
||||
{"::ffff:7f01:0203", IPv4(127, 1, 2, 3)},
|
||||
{"0:0:0:0:0000:ffff:127.1.2.3", IPv4(127, 1, 2, 3)},
|
||||
{"0:0:0:0:000000:ffff:127.1.2.3", IPv4(127, 1, 2, 3)},
|
||||
@@ -42,6 +40,11 @@ var parseIPTests = []struct {
|
||||
{"fe80::1%911", nil},
|
||||
{"", nil},
|
||||
{"a1:a2:a3:a4::b1:b2:b3:b4", nil}, // Issue 6628
|
||||
+ {"127.001.002.003", nil},
|
||||
+ {"::ffff:127.001.002.003", nil},
|
||||
+ {"123.000.000.000", nil},
|
||||
+ {"1.2..4", nil},
|
||||
+ {"0123.0.0.1", nil},
|
||||
}
|
||||
|
||||
func TestParseIP(t *testing.T) {
|
||||
@@ -357,6 +360,7 @@ var parseCIDRTests = []struct {
|
||||
{"0.0.-2.0/32", nil, nil, &ParseError{Type: "CIDR address", Text: "0.0.-2.0/32"}},
|
||||
{"0.0.0.-3/32", nil, nil, &ParseError{Type: "CIDR address", Text: "0.0.0.-3/32"}},
|
||||
{"0.0.0.0/-0", nil, nil, &ParseError{Type: "CIDR address", Text: "0.0.0.0/-0"}},
|
||||
+ {"127.000.000.001/32", nil, nil, &ParseError{Type: "CIDR address", Text: "127.000.000.001/32"}},
|
||||
{"", nil, nil, &ParseError{Type: "CIDR address", Text: ""}},
|
||||
}
|
||||
|
||||
diff --git a/src/net/testdata/ipv4-hosts b/src/net/testdata/ipv4-hosts
|
||||
index 5208bb4..6b99675 100644
|
||||
--- a/src/net/testdata/ipv4-hosts
|
||||
+++ b/src/net/testdata/ipv4-hosts
|
||||
@@ -1,12 +1,8 @@
|
||||
# See https://tools.ietf.org/html/rfc1123.
|
||||
-#
|
||||
-# The literal IPv4 address parser in the net package is a relaxed
|
||||
-# one. It may accept a literal IPv4 address in dotted-decimal notation
|
||||
-# with leading zeros such as "001.2.003.4".
|
||||
|
||||
# internet address and host name
|
||||
127.0.0.1 localhost # inline comment separated by tab
|
||||
-127.000.000.002 localhost # inline comment separated by space
|
||||
+127.0.0.2 localhost # inline comment separated by space
|
||||
|
||||
# internet address, host name and aliases
|
||||
-127.000.000.003 localhost localhost.localdomain
|
||||
+127.0.0.3 localhost localhost.localdomain
|
12
SOURCES/skip_test_rhbz1939923.patch
Normal file
12
SOURCES/skip_test_rhbz1939923.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
|
||||
index 51dda16815..2d1e1b1e6e 100644
|
||||
--- a/src/crypto/x509/x509_test.go
|
||||
+++ b/src/crypto/x509/x509_test.go
|
||||
@@ -2880,6 +2880,7 @@ func (bs *brokenSigner) Sign(_ io.Reader, _ []byte, _ crypto.SignerOpts) ([]byte
|
||||
}
|
||||
|
||||
func TestCreateCertificateBrokenSigner(t *testing.T) {
|
||||
+ t.Skip("TODO Fix me: rhbz#1939923")
|
||||
template := &Certificate{
|
||||
SerialNumber: big.NewInt(10),
|
||||
DNSNames: []string{"example.com"},
|
@ -1,24 +0,0 @@
|
||||
diff --git a/src/vendor/golang.org/x/text/transform/transform.go b/src/vendor/golang.org/x/text/transform/transform.go
|
||||
index 520b9ad..48ec64b 100644
|
||||
--- a/src/vendor/golang.org/x/text/transform/transform.go
|
||||
+++ b/src/vendor/golang.org/x/text/transform/transform.go
|
||||
@@ -648,7 +648,8 @@ func String(t Transformer, s string) (result string, n int, err error) {
|
||||
// Transform the remaining input, growing dst and src buffers as necessary.
|
||||
for {
|
||||
n := copy(src, s[pSrc:])
|
||||
- nDst, nSrc, err := t.Transform(dst[pDst:], src[:n], pSrc+n == len(s))
|
||||
+ atEOF := pSrc+n == len(s)
|
||||
+ nDst, nSrc, err := t.Transform(dst[pDst:], src[:n], atEOF)
|
||||
pDst += nDst
|
||||
pSrc += nSrc
|
||||
|
||||
@@ -659,6 +660,9 @@ func String(t Transformer, s string) (result string, n int, err error) {
|
||||
dst = grow(dst, pDst)
|
||||
}
|
||||
} else if err == ErrShortSrc {
|
||||
+ if atEOF {
|
||||
+ return string(dst[:pDst]), pSrc, err
|
||||
+ }
|
||||
if nSrc == 0 {
|
||||
src = grow(src, 0)
|
||||
}
|
@ -95,8 +95,8 @@
|
||||
%global gohostarch s390x
|
||||
%endif
|
||||
|
||||
%global go_api 1.15
|
||||
%global go_version 1.15.7
|
||||
%global go_api 1.16
|
||||
%global go_version 1.16.7
|
||||
%global pkg_release 1
|
||||
|
||||
Name: golang
|
||||
@ -135,32 +135,25 @@ Requires: diffutils
|
||||
|
||||
# we had been just removing the zoneinfo.zip, but that caused tests to fail for users that
|
||||
# later run `go test -a std`. This makes it only use the zoneinfo.zip where needed in tests.
|
||||
Patch215: ./go1.5-zoneinfo_testing_only.patch
|
||||
Patch215: go1.5-zoneinfo_testing_only.patch
|
||||
|
||||
# Proposed patch by jcajka https://golang.org/cl/86541
|
||||
Patch221: fix_TestScript_list_std.patch
|
||||
|
||||
# It seems this patch will be included in Go 1.14.5
|
||||
# https://github.com/golang/go/issues/39991
|
||||
# https://go-review.googlesource.com/c/go/+/240917
|
||||
#Patch240917: ppc64le_fix_missing_deferreturn.patch
|
||||
Patch221: fix_TestScript_list_std.patch
|
||||
|
||||
# Add an env var to optionally trigger a warning in x509 when
|
||||
# Common Name is used as hostname
|
||||
# rhbz#1889437
|
||||
Patch223: golang-1.15-warnCN.patch
|
||||
Patch223: golang-1.15-warnCN.patch
|
||||
|
||||
# Gracefully shut down http2 connections
|
||||
# https://go-review.googlesource.com/c/go/+/240278
|
||||
# rhbz#1888673
|
||||
Patch224: net-http-graceful-shutdown.patch
|
||||
# Fix incorrect parsing of extraneous zeros in net/ip
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1993316
|
||||
# https://go-review.googlesource.com/c/go/+/325829
|
||||
Patch1993316: reject-leading-zeros.patch
|
||||
|
||||
# Prevent transform from entering infinite loop.
|
||||
# We're just picking the change from transform.go
|
||||
# because the encoding module is not included
|
||||
# as a vendor dependency.
|
||||
# https://go-review.googlesource.com/c/text/+/238238
|
||||
Patch225: x-text-infinite-loop.patch
|
||||
Patch1939923: skip_test_rhbz1939923.patch
|
||||
|
||||
# Fix FIPS mode memory leaks
|
||||
Patch1951877: fix-crypto-memory-leaks.patch
|
||||
|
||||
# Having documentation separate was broken
|
||||
Obsoletes: %{name}-docs < 1.1-4
|
||||
@ -255,13 +248,14 @@ Requires: %{name} = %{version}-%{release}
|
||||
|
||||
%patch221 -p1
|
||||
|
||||
#%patch240917 -p1
|
||||
|
||||
%patch223 -p1
|
||||
|
||||
%patch224 -p1
|
||||
%patch1939923 -p1
|
||||
|
||||
%patch1993316 -p1
|
||||
|
||||
%patch1951877 -p1
|
||||
|
||||
%patch225 -p1
|
||||
|
||||
cp %{SOURCE1} ./src/runtime/
|
||||
|
||||
@ -529,6 +523,53 @@ cd ..
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Aug 17 2021 David Benoit <dbenoit@redhat.com> - 1.16.7-1
|
||||
- Rebase to Go 1.16.7
|
||||
- Resolves: rhbz#1994079
|
||||
- Add reject leading zeros patch
|
||||
- Resolves: rhbz#1993314
|
||||
|
||||
* Wed Jul 21 2021 Derek Parker <deparker@redhat.com> - 1.16.6-2
|
||||
- Fix TestBoringServerCurves failure when run by itself
|
||||
- Resolves: rhbz#1976168
|
||||
|
||||
* Thu Jul 15 2021 David Benoit <dbenoit@redhat.com> - 1.16.6-1
|
||||
- Rebase to go-1.16.6-1-openssl-fips
|
||||
- Resolves: rhbz#1982281
|
||||
- Addresses CVE-2021-34558
|
||||
|
||||
* Tue Jul 06 2021 Alejandro Sáez <asm@redhat.com> - 1.16.5-1
|
||||
- Rebase to 1.16.5
|
||||
- Removes rhbz#1955032 patch, it's already included in this release
|
||||
- Removes rhbz#1956891 patch, it's already included in this release
|
||||
- Related: rhbz#1979677
|
||||
- Related: rhbz#1968738
|
||||
- Related: rhbz#1972420
|
||||
|
||||
* Thu Jun 17 2021 David Benoit <dbenoit@redhat.com> - 1.16.4-3
|
||||
- Fix zero-size allocation memory leak.
|
||||
- Related: rhbz#1951877
|
||||
|
||||
* Tue Jun 08 2021 David Benoit <dbenoit@redhat.com> - 1.16.4-2
|
||||
- Resolves: rhbz#1951877
|
||||
|
||||
* Mon May 24 2021 Alejandro Sáez <asm@redhat.com> - 1.16.4-1
|
||||
- Rebase to go-1.16.4-1-openssl-fips
|
||||
|
||||
* Tue May 04 2021 Alejandro Sáez <asm@redhat.com> - 1.16.1-3
|
||||
- Resolves: rhbz#1956891
|
||||
|
||||
* Thu Apr 29 2021 Alejandro Sáez <asm@redhat.com> - 1.16.1-2
|
||||
- Resolves: rhbz#1955032
|
||||
|
||||
* Wed Mar 17 2021 Alejandro Sáez <asm@redhat.com> - 1.16.1-1
|
||||
- Rebase to go-1.16.1-2-openssl-fips
|
||||
- Resolves: rhbz#1938071
|
||||
- Adds a workaround for rhbz#1939923
|
||||
- Removes Patch224, it's on upstream -> rhbz#1888673
|
||||
- Removes Patch225, it's on upstream -> https://go-review.googlesource.com/c/text/+/238238
|
||||
- Removes old patches for cleaning purposes
|
||||
|
||||
* Fri Jan 22 2021 David Benoit <dbenoit@redhat.com> - 1.15.7-1
|
||||
- Rebase to 1.15.7
|
||||
- Resolves: rhbz#1870531
|
||||
|
Loading…
Reference in New Issue
Block a user