diff --git a/.gitignore b/.gitignore index 96a0ec6..1a16a92 100644 --- a/.gitignore +++ b/.gitignore @@ -22,3 +22,5 @@ SOURCES/go1.19.4.tar.gz /go1.21.11-1-openssl-fips.tar.gz /go1.21.13.tar.gz /go1.21.13-1-openssl-fips.tar.gz +/go1.21.13-3-openssl-fips.tar.gz +/go1.21.13-4-openssl-fips.tar.gz diff --git a/disable_static_tests_part1.patch b/disable_static_tests_part1.patch index 5b99e48..4b27846 100644 --- a/disable_static_tests_part1.patch +++ b/disable_static_tests_part1.patch @@ -1,5 +1,18 @@ +diff --git a/src/crypto/boring/boring.go b/src/crypto/boring/boring.go +index 47618fe..d93784d 100644 +--- a/src/crypto/boring/boring.go ++++ b/src/crypto/boring/boring.go +@@ -2,7 +2,7 @@ + // Use of this source code is governed by a BSD-style + // license that can be found in the LICENSE file. + +-//go:build boringcrypto ++//go:build boringcrypto && !static + + // Package boring exposes functions that are only available when building with + // Go+BoringCrypto. This package is available on all targets as long as the diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go -index 5f258a2..5dbbc42 100644 +index 33a53a8..f630ea5 100644 --- a/src/crypto/internal/backend/nobackend.go +++ b/src/crypto/internal/backend/nobackend.go @@ -2,8 +2,8 @@ 
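Review bot: The `//go:build boringcrypto && !static` line added for `src/crypto/boring/boring.go` gives no reason for the new `static` term, and the same bare `!static` is added to `openssl.go` and `div_test.c` in the next hunk and to `fipsonly.go`, `fipsonly_test.go`, `evp.go` and `openssl_port_ecdh.c` further down. Building with that tag leaves the OpenSSL-backed files out, so such a binary presumably ends up on the `nobackend.go` path and should not be counted as using the FIPS-validated module; the constraint lines of `nobackend.go` are outside the changed lines here, so this is inferred. I would record that once as free text at the top of the patch, for example `The static build tag excludes the OpenSSL backend; binaries built with it do not use the validated crypto module.`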
@@ -13,8 +26,33 @@ index 5f258a2..5dbbc42 100644 package backend +diff --git a/src/crypto/internal/backend/openssl.go b/src/crypto/internal/backend/openssl.go +index 59370ec..eb81ef6 100644 +--- a/src/crypto/internal/backend/openssl.go ++++ b/src/crypto/internal/backend/openssl.go +@@ -2,8 +2,8 @@ + // Use of this source code is governed by a BSD-style + // license that can be found in the LICENSE file. + +-//go:build linux && cgo && !android && !gocrypt && !cmd_go_bootstrap && !msan && !no_openssl +-// +build linux,cgo,!android,!gocrypt,!cmd_go_bootstrap,!msan,!no_openssl ++//go:build linux && cgo && !android && !gocrypt && !cmd_go_bootstrap && !msan && !no_openssl && !static ++// +build linux,cgo,!android,!gocrypt,!cmd_go_bootstrap,!msan,!no_openssl,!static + + // Package openssl provides access to OpenSSLCrypto implementation functions. + // Check the variable Enabled to find out whether OpenSSLCrypto is available. +diff --git a/src/crypto/internal/boring/div_test.c b/src/crypto/internal/boring/div_test.c +index f909cc9..8530533 100644 +--- a/src/crypto/internal/boring/div_test.c ++++ b/src/crypto/internal/boring/div_test.c +@@ -1,4 +1,5 @@ + // Copyright 2022 The Go Authors. All rights reserved. ++// +build !static + // Use of this source code is governed by a BSD-style + // license that can be found in the LICENSE file. + diff --git a/src/crypto/internal/boring/goboringcrypto.h b/src/crypto/internal/boring/goboringcrypto.h -index d6d99b1..f2fe332 100644 +index 2b11049..dec1cb2 100644 --- a/src/crypto/internal/boring/goboringcrypto.h +++ b/src/crypto/internal/boring/goboringcrypto.h @@ -1,4 +1,5 @@ 
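Review bot: In the `div_test.c` part of this hunk the added `// +build !static` is placed between the copyright line and `// Use of this source code is governed by a BSD-style`, which splits the license header. It is still inside the leading comment block, so I would expect the constraint to be honoured, but a constraint buried in license text is easy to miss when auditing which files a tagged build leaves out. I would move it to its own comment group at the top of the file, `// +build !static` followed by a blank line, before `// Copyright 2022 The Go Authors. All rights reserved.`.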
@@ -36,10 +74,36 @@ index b338754..db5ea1e 100644 // This package only exists with GOEXPERIMENT=boringcrypto. // It provides the actual syso file. -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/aes.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/aes.go +diff --git a/src/crypto/tls/fipsonly/fipsonly.go b/src/crypto/tls/fipsonly/fipsonly.go +index e5e4783..a0d9523 100644 +--- a/src/crypto/tls/fipsonly/fipsonly.go ++++ b/src/crypto/tls/fipsonly/fipsonly.go +@@ -2,7 +2,7 @@ + // Use of this source code is governed by a BSD-style + // license that can be found in the LICENSE file. + +-//go:build boringcrypto ++//go:build boringcrypto && !static + + // Package fipsonly restricts all TLS configuration to FIPS-approved settings. + // +diff --git a/src/crypto/tls/fipsonly/fipsonly_test.go b/src/crypto/tls/fipsonly/fipsonly_test.go +index f8485dc..6563ac4 100644 +--- a/src/crypto/tls/fipsonly/fipsonly_test.go ++++ b/src/crypto/tls/fipsonly/fipsonly_test.go +@@ -2,7 +2,7 @@ + // Use of this source code is governed by a BSD-style + // license that can be found in the LICENSE file. + +-//go:build boringcrypto ++//go:build boringcrypto && !static + + package fipsonly + +diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/aes.go b/src/vendor/github.com/golang-fips/openssl/openssl/aes.go index 079fc3c..e826d0b 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/aes.go -+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/aes.go +--- a/src/vendor/github.com/golang-fips/openssl/openssl/aes.go ++++ b/src/vendor/github.com/golang-fips/openssl/openssl/aes.go @@ -2,8 +2,8 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. 
@@ -51,10 +115,10 @@ index 079fc3c..e826d0b 100644 package openssl -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go -index 0b61e79..94d0c98 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go -+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go +diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/ecdh.go b/src/vendor/github.com/golang-fips/openssl/openssl/ecdh.go +index 9537870..c491628 100644 +--- a/src/vendor/github.com/golang-fips/openssl/openssl/ecdh.go ++++ b/src/vendor/github.com/golang-fips/openssl/openssl/ecdh.go @@ -2,8 +2,8 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. @@ -66,10 +130,10 @@ index 0b61e79..94d0c98 100644 package openssl -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go -index afec529..d822152 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go -+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go +diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/ecdsa.go b/src/vendor/github.com/golang-fips/openssl/openssl/ecdsa.go +index 9f46388..87feb18 100644 +--- a/src/vendor/github.com/golang-fips/openssl/openssl/ecdsa.go ++++ b/src/vendor/github.com/golang-fips/openssl/openssl/ecdsa.go @@ -2,8 +2,8 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. 
@@ -81,20 +145,32 @@ index afec529..d822152 100644 package openssl -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h -index 6d6a562..17cc314 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h -+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h +diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/evp.go b/src/vendor/github.com/golang-fips/openssl/openssl/evp.go +index 46d2bdd..34f4a43 100644 +--- a/src/vendor/github.com/golang-fips/openssl/openssl/evp.go ++++ b/src/vendor/github.com/golang-fips/openssl/openssl/evp.go +@@ -1,5 +1,5 @@ +-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl +-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl ++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static ++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static + + package openssl + +diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/goopenssl.h b/src/vendor/github.com/golang-fips/openssl/openssl/goopenssl.h +index ac6c64f..5526db9 100644 +--- a/src/vendor/github.com/golang-fips/openssl/openssl/goopenssl.h ++++ b/src/vendor/github.com/golang-fips/openssl/openssl/goopenssl.h 
@@ -1,4 +1,5 @@ // Copyright 2017 The Go Authors. All rights reserved. +// +build !static // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. // +build linux -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/hkdf.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/hkdf.go -index ae40b93..17bc075 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/hkdf.go -+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/hkdf.go +diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/hkdf.go b/src/vendor/github.com/golang-fips/openssl/openssl/hkdf.go +index 2e21224..83da261 100644 +--- a/src/vendor/github.com/golang-fips/openssl/openssl/hkdf.go ++++ b/src/vendor/github.com/golang-fips/openssl/openssl/hkdf.go @@ -2,8 +2,8 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. @@ -106,10 +182,10 @@ index ae40b93..17bc075 100644 package openssl -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/hmac.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/hmac.go -index 6f00177..f466b18 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/hmac.go -+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/hmac.go +diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/hmac.go b/src/vendor/github.com/golang-fips/openssl/openssl/hmac.go +index 3af1924..57a525a 100644 +--- a/src/vendor/github.com/golang-fips/openssl/openssl/hmac.go ++++ b/src/vendor/github.com/golang-fips/openssl/openssl/hmac.go @@ -2,8 +2,8 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. 
@@ -121,10 +197,10 @@ index 6f00177..f466b18 100644 package openssl -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/notboring.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/notboring.go -index 7c0b5d6..262af07 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/notboring.go -+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/notboring.go +diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/notboring.go b/src/vendor/github.com/golang-fips/openssl/openssl/notboring.go +index 5093cde..0610495 100644 +--- a/src/vendor/github.com/golang-fips/openssl/openssl/notboring.go ++++ b/src/vendor/github.com/golang-fips/openssl/openssl/notboring.go @@ -2,8 +2,8 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. @@ -136,10 +212,10 @@ index 7c0b5d6..262af07 100644 package openssl -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go -index d49194d..ff15054 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go -+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go +diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/openssl.go b/src/vendor/github.com/golang-fips/openssl/openssl/openssl.go +index 17a9034..db51ced 100644 +--- a/src/vendor/github.com/golang-fips/openssl/openssl/openssl.go ++++ b/src/vendor/github.com/golang-fips/openssl/openssl/openssl.go @@ -2,8 +2,8 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. 
@@ -151,100 +227,110 @@ index d49194d..ff15054 100644 package openssl -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c -index 2349db1..57fbb04 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c -+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c +diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/openssl_ecdsa_signature.c b/src/vendor/github.com/golang-fips/openssl/openssl/openssl_ecdsa_signature.c +index 7ce9833..fe66288 100644 +--- a/src/vendor/github.com/golang-fips/openssl/openssl/openssl_ecdsa_signature.c ++++ b/src/vendor/github.com/golang-fips/openssl/openssl/openssl_ecdsa_signature.c @@ -1,4 +1,5 @@ // +build linux +// +build !static // +build !android // +build !no_openssl // +build !cmd_go_bootstrap -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c -index 4379019..5034c46 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c -+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c +diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/openssl_evp.c b/src/vendor/github.com/golang-fips/openssl/openssl/openssl_evp.c +index a45ed60..2b541fd 100644 +--- a/src/vendor/github.com/golang-fips/openssl/openssl/openssl_evp.c ++++ b/src/vendor/github.com/golang-fips/openssl/openssl/openssl_evp.c 
@@ -1,4 +1,5 @@ // +build linux +// +build !static // +build !android // +build !no_openssl // +build !cmd_go_bootstrap -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_lock_setup.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_lock_setup.c +diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/openssl_lock_setup.c b/src/vendor/github.com/golang-fips/openssl/openssl/openssl_lock_setup.c index 49d40a7..3b3dbf8 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_lock_setup.c -+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_lock_setup.c +--- a/src/vendor/github.com/golang-fips/openssl/openssl/openssl_lock_setup.c ++++ b/src/vendor/github.com/golang-fips/openssl/openssl/openssl_lock_setup.c @@ -1,4 +1,5 @@ // +build linux +// +build !static // +build !android // +build !no_openssl // +build !cmd_go_bootstrap -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_aead_gcm.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_aead_gcm.c +diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_aead_gcm.c b/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_aead_gcm.c index 7eb645e..1c3225a 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_aead_gcm.c -+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_aead_gcm.c +--- a/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_aead_gcm.c ++++ b/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_aead_gcm.c 
@@ -1,4 +1,5 @@ // This file contains a port of the BoringSSL AEAD interface. +// +build !static // +build linux // +build !android // +build !no_openssl -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_ctr128.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_ctr128.c +diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_ctr128.c b/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_ctr128.c index df4ebe3..876393b 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_ctr128.c -+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_ctr128.c +--- a/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_ctr128.c ++++ b/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_ctr128.c 
@@ -1,4 +1,5 @@ // +build linux +// +build !static // +build !android // +build !no_openssl // +build !cmd_go_bootstrap -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_evp_md5_sha1.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_evp_md5_sha1.c +diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_ecdh.c b/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_ecdh.c +index 8205b04..dcd751d 100644 +--- a/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_ecdh.c ++++ b/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_ecdh.c +@@ -1,4 +1,5 @@ + // +build linux ++// +build !static + // +build !android + // +build !no_openssl + // +build !cmd_go_bootstrap +diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_evp_md5_sha1.c b/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_evp_md5_sha1.c index 2eedd5b..04510d3 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_evp_md5_sha1.c -+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_evp_md5_sha1.c +--- a/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_evp_md5_sha1.c ++++ b/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_evp_md5_sha1.c 
@@ -1,4 +1,5 @@ // This file contains a backport of the EVP_md5_sha1 method. +// +build !static // +build linux // +build !android // +build !no_openssl -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_hmac.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_hmac.c -index 362d9e5..bebafef 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_hmac.c -+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_hmac.c +diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_hmac.c b/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_hmac.c +index a5996d6..2552081 100644 +--- a/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_hmac.c ++++ b/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_hmac.c @@ -1,4 +1,5 @@ // This file contains HMAC portability wrappers. +// +build !static // +build linux // +build !android // +build !no_openssl -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c -index 2824147..8bc1d85 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c -+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c +diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_rsa.c b/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_rsa.c +index e214929..c9f6887 100644 +--- a/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_rsa.c ++++ b/src/vendor/github.com/golang-fips/openssl/openssl/openssl_port_rsa.c 
@@ -1,4 +1,5 @@ // This file contains RSA portability wrappers. +// +build !static // +build linux // +build !android // +build !no_openssl -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_stub_rand.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_stub_rand.c +diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/openssl_stub_rand.c b/src/vendor/github.com/golang-fips/openssl/openssl/openssl_stub_rand.c index 22bd865..b7aa26b 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_stub_rand.c -+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_stub_rand.c +--- a/src/vendor/github.com/golang-fips/openssl/openssl/openssl_stub_rand.c ++++ b/src/vendor/github.com/golang-fips/openssl/openssl/openssl_stub_rand.c @@ -1,4 +1,5 @@ // +build linux +// +build !static // +build !android // +build !no_openssl // +build !cmd_go_bootstrap -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rand.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rand.go +diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/rand.go b/src/vendor/github.com/golang-fips/openssl/openssl/rand.go index b3668b8..dcdae70 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rand.go -+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rand.go +--- a/src/vendor/github.com/golang-fips/openssl/openssl/rand.go ++++ b/src/vendor/github.com/golang-fips/openssl/openssl/rand.go @@ -2,8 +2,8 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. 
@@ -256,10 +342,10 @@ index b3668b8..dcdae70 100644 package openssl -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go -index 915c840..8623d9d 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go -+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go +diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/rsa.go b/src/vendor/github.com/golang-fips/openssl/openssl/rsa.go +index 7870b93..564db24 100644 +--- a/src/vendor/github.com/golang-fips/openssl/openssl/rsa.go ++++ b/src/vendor/github.com/golang-fips/openssl/openssl/rsa.go @@ -2,8 +2,8 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. @@ -271,10 +357,10 @@ index 915c840..8623d9d 100644 package openssl -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/sha.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/sha.go +diff --git a/src/vendor/github.com/golang-fips/openssl/openssl/sha.go b/src/vendor/github.com/golang-fips/openssl/openssl/sha.go index 0b55ced..57309c0 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/sha.go -+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/sha.go +--- a/src/vendor/github.com/golang-fips/openssl/openssl/sha.go ++++ b/src/vendor/github.com/golang-fips/openssl/openssl/sha.go @@ -2,8 +2,8 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. diff --git a/fix-memleak-setupRSA.patch b/fix-memleak-setupRSA.patch deleted file mode 100644 index ce70496..0000000 --- a/fix-memleak-setupRSA.patch +++ /dev/null 
@@ -1,172 +0,0 @@ -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go -index 56adf47bf6..9537870e3c 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go -+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go -@@ -22,22 +22,10 @@ var ( - type PublicKeyECDH struct { - _pkey *C.GO_EVP_PKEY - bytes []byte -- -- // priv is only set when PublicKeyECDH is derived from a private key, -- // in which case priv's finalizer is responsible for freeing _pkey. -- // This ensures priv is not finalized while the public key is alive, -- // which could cause use-after-free and double-free behavior. -- // -- // We could avoid this altogether by using EVP_PKEY_up_ref -- // when instantiating a derived public key, unfortunately -- // it is not available on OpenSSL 1.0.2. -- priv *PrivateKeyECDH - } - - func (k *PublicKeyECDH) finalize() { -- if k.priv == nil { -- C._goboringcrypto_EVP_PKEY_free(k._pkey) -- } -+ C._goboringcrypto_EVP_PKEY_free(k._pkey) - } - - type PrivateKeyECDH struct { -@@ -58,7 +46,7 @@ func NewPublicKeyECDH(curve string, bytes []byte) (*PublicKeyECDH, error) { - if err != nil { - return nil, err - } -- k := &PublicKeyECDH{pkey, append([]byte(nil), bytes...), nil} -+ k := &PublicKeyECDH{pkey, append([]byte(nil), bytes...)} - runtime.SetFinalizer(k, (*PublicKeyECDH).finalize) - return k, nil - } -@@ -87,14 +75,22 @@ func (k *PrivateKeyECDH) PublicKey() (*PublicKeyECDH, error) { - var bytes []byte - var cbytes *C.uchar - -- n := C._goboringcrypto_EVP_PKEY_get1_encoded_ecdh_public_key(k._pkey, &cbytes) -+ pkey := C._goboringcrypto_EVP_PKEY_ref(k._pkey) -+ if pkey == nil { -+ return nil, NewOpenSSLError("EVP_PKEY_ref") -+ } -+ defer func() { -+ C._goboringcrypto_EVP_PKEY_free(pkey) -+ }() -+ n := C._goboringcrypto_EVP_PKEY_get1_encoded_ecdh_public_key(pkey, &cbytes) - if n == 0 { - return nil, 
NewOpenSSLError("EVP_PKEY_get1_encoded_ecdh_public_key") - } - bytes = C.GoBytes(unsafe.Pointer(cbytes), C.int(n)) - C.free(unsafe.Pointer(cbytes)) - -- pub := &PublicKeyECDH{k._pkey, bytes, k} -+ pub := &PublicKeyECDH{pkey, bytes} -+ pkey = nil - runtime.SetFinalizer(pub, (*PublicKeyECDH).finalize) - return pub, nil - } -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h -index a900b3f9e7..03367d5520 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h -+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h -@@ -827,6 +827,9 @@ DEFINEFUNC(GO_EVP_PKEY *, EVP_PKEY_new, (void), ()) - DEFINEFUNC(void, EVP_PKEY_free, (GO_EVP_PKEY * arg0), (arg0)) - DEFINEFUNC(int, EVP_PKEY_set1_RSA, (GO_EVP_PKEY * arg0, GO_RSA *arg1), (arg0, arg1)) - DEFINEFUNC(int, EVP_PKEY_set1_EC_KEY, (GO_EVP_PKEY * arg0, GO_EC_KEY *arg1), (arg0, arg1)) -+DEFINEFUNC(const GO_EC_KEY *, EVP_PKEY_get0_EC_KEY, (const GO_EVP_PKEY *pkey), (pkey)) -+GO_EVP_PKEY *_goboringcrypto_EVP_PKEY_ref(GO_EVP_PKEY *pkey); -+ - DEFINEFUNC(int, EVP_PKEY_verify, - (EVP_PKEY_CTX *ctx, const unsigned char *sig, unsigned int siglen, const unsigned char *tbs, size_t tbslen), - (ctx, sig, siglen, tbs, tbslen)) -@@ -1083,15 +1086,6 @@ enum { - #if OPENSSL_VERSION_NUMBER >= 0x10100000L - DEFINEFUNC(int, EVP_PKEY_set1_encoded_public_key, (GO_EVP_PKEY *pkey, const unsigned char *pub, size_t publen), (pkey, pub, publen)) - DEFINEFUNC(size_t, EVP_PKEY_get1_encoded_public_key, (GO_EVP_PKEY *pkey, unsigned char **ppub), (pkey, ppub)) -- --DEFINEFUNC(const GO_EC_KEY *, EVP_PKEY_get0_EC_KEY, (const GO_EVP_PKEY *pkey), (pkey)) --#else --DEFINEFUNCINTERNAL(void *, EVP_PKEY_get0, (const GO_EVP_PKEY *pkey), (pkey)) --static const GO_EC_KEY * --_goboringcrypto_EVP_PKEY_get0_EC_KEY(const GO_EVP_PKEY *pkey) --{ -- return _goboringcrypto_internal_EVP_PKEY_get0(pkey); --} - #endif - - GO_EVP_PKEY 
*_goboringcrypto_EVP_PKEY_new_for_ecdh(int nid, const uint8_t *bytes, size_t len, int is_private); -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c -index 24a9615108..c6b23a984b 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c -+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c -@@ -5,6 +5,7 @@ - // +build !msan - - #include "goopenssl.h" -+#include - - int _goboringcrypto_EVP_sign(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *msg, - size_t msgLen, uint8_t *sig, size_t *slen, -@@ -138,3 +139,52 @@ err: - - return ret; - } -+ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+DEFINEFUNCINTERNAL(int, EVP_PKEY_up_ref, (GO_EVP_PKEY *pkey), (pkey)) -+ -+GO_EVP_PKEY * -+_goboringcrypto_EVP_PKEY_ref(GO_EVP_PKEY *pkey) -+{ -+ if (_goboringcrypto_internal_EVP_PKEY_up_ref(pkey) != 1) -+ return NULL; -+ -+ return pkey; -+} -+ -+#else -+GO_EVP_PKEY * -+_goboringcrypto_EVP_PKEY_ref(GO_EVP_PKEY *pkey) -+{ -+ GO_EVP_PKEY *result = NULL; -+ -+ if (pkey->type != EVP_PKEY_EC && pkey->type != EVP_PKEY_RSA) -+ return NULL; -+ -+ result = _goboringcrypto_EVP_PKEY_new(); -+ if (!result) -+ goto err; -+ -+ switch (pkey->type) { -+ case EVP_PKEY_EC: -+ if (_goboringcrypto_EVP_PKEY_set1_EC_KEY(result, _goboringcrypto_EVP_PKEY_get0_EC_KEY()) != 1) -+ goto err; -+ break; -+ -+ case EVP_PKEY_RSA: -+ if (_goboringcrypto_EVP_PKEY_set1_RSA_KEY(result, _goboringcrypto_EVP_PKEY_get0_RSA_KEY()) != 1) -+ goto err; -+ -+ break; -+ -+ default: -+ assert(0); -+ } -+ -+ return result; -+ -+err: -+ _goboringcrypto_EVP_PKEY_free(result); -+ return NULL; -+} -+#endif -diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go -index 75ba7a8a59..1e016676a0 100644 ---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go -+++ 
b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go -@@ -116,7 +116,9 @@ func (k *PrivateKeyRSA) withKey(f func(*C.GO_RSA) C.int) C.int { - - func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int, - padding C.int, h hash.Hash, label []byte, saltLen int, ch crypto.Hash, -- init func(*C.GO_EVP_PKEY_CTX) C.int) (pkey *C.GO_EVP_PKEY, ctx *C.GO_EVP_PKEY_CTX, err error) { -+ init func(*C.GO_EVP_PKEY_CTX) C.int) (_ *C.GO_EVP_PKEY,_ *C.GO_EVP_PKEY_CTX, err error) { -+ var pkey *C.GO_EVP_PKEY -+ var ctx *C.GO_EVP_PKEY_CTX - defer func() { - if err != nil { - if pkey != nil { diff --git a/golang.spec b/golang.spec index 2f0c84e..9ec6725 100644 --- a/golang.spec +++ b/golang.spec @@ -93,11 +93,11 @@ %global go_api 1.21 %global version 1.21.13 -%global pkg_release 1 +%global pkg_release 4 Name: golang Version: %{version} -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Go Programming Language # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain @@ -139,7 +139,6 @@ Requires: diffutils # Proposed patch by jcajka https://golang.org/cl/86541 Patch221: fix_TestScript_list_std.patch -Patch229: fix-memleak-setupRSA.patch Patch1939923: skip_test_rhbz1939923.patch @@ -520,6 +519,14 @@ cd .. %endif %changelog +* Mon Sep 16 2024 David Benoit - 1.21.13-2 +- Rebuild Go with CVE Fixes +- Remove fix-memleak-setupRSA.patch (exists upstream) +- Resolves: RHEL-58223 +- Resolves: RHEL-57961 +- Resolves: RHEL-57847 +- Resolves: RHEL-57860 + * Wed Aug 21 2024 Archana - 1.21.13-1 - Update to Go1.21.13 to fix CVE-2024-24791 - Resolves: RHEL-47198 diff --git a/sources b/sources index c8d7bbd..de966d7 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
+SHA512 (go1.21.13-4-openssl-fips.tar.gz) = 0ea9bd46bea159444914653976e9bcd1e09b060b27618a1835ee8677a755fa64be5967a336a9705b6fb0569d4b0e048859e60b8ce68b4099f1b9e95c0648083b
 SHA512 (go1.21.13.tar.gz) = 1b26c7cbe4862a3a48f3c48418a43b6c946493b6673eae9eb6652b37a4114727c9c2271ee95da00c20db39292288af953f56da2b33e03d64ed1e26d90250cd05
-SHA512 (go1.21.13-1-openssl-fips.tar.gz) = 6c9137fb9bfccf44f1a3984cf07082799160d234fdc7ff588367bf2fc192d2271d81715d8f18a7679e810c7e4b2b4f8efd7779ac394ff607c6cc67572395d289