diff --git a/.gitignore b/.gitignore index 4f71bcf..a08f77a 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/go-go-1.17.7-1-openssl-fips.tar.gz +SOURCES/go1.18.0-1-openssl-fips.tar.gz diff --git a/.golang.metadata b/.golang.metadata index fde6008..46de8e5 100644 --- a/.golang.metadata +++ b/.golang.metadata @@ -1 +1 @@ -139fe29f985b3feda50c407d194f1a102352388a SOURCES/go-go-1.17.7-1-openssl-fips.tar.gz +c1c1dfe3d4fd1c653f0a4eeeb01e2a07d3d06b1c SOURCES/go1.18.0-1-openssl-fips.tar.gz diff --git a/SOURCES/disable_static_external_tests.patch b/SOURCES/disable_static_external_tests.patch new file mode 100644 index 0000000..55181ca --- /dev/null +++ b/SOURCES/disable_static_external_tests.patch @@ -0,0 +1,310 @@ +diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go +index d9eb9c3..506f979 100644 +--- a/src/cmd/dist/test.go ++++ b/src/cmd/dist/test.go +@@ -1180,18 +1180,20 @@ func (t *tester) cgoTest(dt *distTest) error { + fmt.Println("No support for static linking found (lacks libc.a?), skip cgo static linking test.") + } else { + if goos != "android" { +- t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`) ++ t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, "-tags=no_openssl") + } + t.addCmd(dt, "misc/cgo/nocgo", t.goTest()) + t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external`) + if goos != "android" { +- t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`) ++ t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, "-tags=no_openssl") ++ /* + t.addCmd(dt, "misc/cgo/test", t.goTest(), "-tags=static", "-ldflags", `-linkmode=external -extldflags "-static -pthread"`) + // -static in CGO_LDFLAGS triggers a different code path + // than -static in -extldflags, so test both. + // See issue #16651. + cmd := t.addCmd(dt, "misc/cgo/test", t.goTest(), "-tags=static") + setEnv(cmd, "CGO_LDFLAGS", "-static -pthread") ++ */ + } + } + +@@ -1201,7 +1203,7 @@ func (t *tester) cgoTest(dt *distTest) error { + t.addCmd(dt, "misc/cgo/test", t.goTest(), "-buildmode=pie", "-ldflags=-linkmode=internal", "-tags=internal,internal_pie") + } + t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-buildmode=pie") +- t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie") ++ t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie", "-tags=no_openssl") + } + } + } +diff --git a/src/crypto/internal/boring/aes.go b/src/crypto/internal/boring/aes.go +index a495bd7..2c6107b 100644 +--- a/src/crypto/internal/boring/aes.go ++++ b/src/crypto/internal/boring/aes.go +@@ -2,8 +2,8 @@ + // Use of this source code is governed by a BSD-style + // license that can be found in the LICENSE file. + +-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl +-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl ++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static ++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static + + package boring + +diff --git a/src/crypto/internal/boring/aes_test.go b/src/crypto/internal/boring/aes_test.go +index 3b4c364..371bc20 100644 +--- a/src/crypto/internal/boring/aes_test.go ++++ b/src/crypto/internal/boring/aes_test.go +@@ -1,9 +1,5 @@ +-// +build linux +-// +build !android +-// +build !no_openssl +-// +build !cmd_go_bootstrap +-// +build !msan +-// +build cgo ++//go:build linux && !android && !no_openssl && !cmd_go_bootstrap && !msan && cgo && !static ++// +build linux,!android,!no_openssl,!cmd_go_bootstrap,!msan,cgo,!static + + package boring + +diff --git a/src/crypto/internal/boring/boring.go b/src/crypto/internal/boring/boring.go +index ec6e80c..05431b1 100644 +--- a/src/crypto/internal/boring/boring.go ++++ b/src/crypto/internal/boring/boring.go +@@ -2,8 +2,8 @@ + // Use of this source code is governed by a BSD-style + // license that can be found in the LICENSE file. + +-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl +-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl ++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static ++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static + + package boring + +diff --git a/src/crypto/internal/boring/ecdsa.go b/src/crypto/internal/boring/ecdsa.go +index f72da41..33ee442 100644 +--- a/src/crypto/internal/boring/ecdsa.go ++++ b/src/crypto/internal/boring/ecdsa.go +@@ -2,8 +2,8 @@ + // Use of this source code is governed by a BSD-style + // license that can be found in the LICENSE file. + +-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl +-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl ++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static ++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static + + package boring + +diff --git a/src/crypto/internal/boring/goboringcrypto.h b/src/crypto/internal/boring/goboringcrypto.h +index 4547ade..b8aaae4 100644 +--- a/src/crypto/internal/boring/goboringcrypto.h ++++ b/src/crypto/internal/boring/goboringcrypto.h +@@ -1,6 +1,12 @@ + // Copyright 2017 The Go Authors. All rights reserved. + // Use of this source code is governed by a BSD-style + // license that can be found in the LICENSE file. ++// +build linux ++// +build !android ++// +build !no_openssl ++// +build !cmd_go_bootstrap ++// +build !msan ++// +build !static + + // This header file describes the BoringCrypto ABI as built for use in Go. + // The BoringCrypto build for Go (which generates goboringcrypto_*.syso) +diff --git a/src/crypto/internal/boring/goopenssl.h b/src/crypto/internal/boring/goopenssl.h +index 4820385..ac41482 100644 +--- a/src/crypto/internal/boring/goopenssl.h ++++ b/src/crypto/internal/boring/goopenssl.h +@@ -6,6 +6,7 @@ + // +build !no_openssl + // +build !cmd_go_bootstrap + // +build !msan ++// +build !static + + // This header file describes the OpenSSL ABI as built for use in Go. + +diff --git a/src/crypto/internal/boring/hmac.go b/src/crypto/internal/boring/hmac.go +index 4e913c3..10cfbb3 100644 +--- a/src/crypto/internal/boring/hmac.go ++++ b/src/crypto/internal/boring/hmac.go +@@ -2,8 +2,8 @@ + // Use of this source code is governed by a BSD-style + // license that can be found in the LICENSE file. + +-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl +-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl ++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static ++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static + + package boring + +diff --git a/src/crypto/internal/boring/notboring.go b/src/crypto/internal/boring/notboring.go +index e513834..08c5245 100644 +--- a/src/crypto/internal/boring/notboring.go ++++ b/src/crypto/internal/boring/notboring.go +@@ -2,8 +2,8 @@ + // Use of this source code is governed by a BSD-style + // license that can be found in the LICENSE file. + +-//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl +-// +build !linux !cgo android cmd_go_bootstrap msan no_openssl ++//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl || static ++// +build !linux !cgo android cmd_go_bootstrap msan no_openssl static + + package boring + +diff --git a/src/crypto/internal/boring/openssl_ecdsa_signature.c b/src/crypto/internal/boring/openssl_ecdsa_signature.c +index 710d074..853be3d 100644 +--- a/src/crypto/internal/boring/openssl_ecdsa_signature.c ++++ b/src/crypto/internal/boring/openssl_ecdsa_signature.c +@@ -3,6 +3,7 @@ + // +build !no_openssl + // +build !cmd_go_bootstrap + // +build !msan ++// +build !static + + #include "goboringcrypto.h" + +diff --git a/src/crypto/internal/boring/openssl_evp.c b/src/crypto/internal/boring/openssl_evp.c +index 36be702..331dfd3 100644 +--- a/src/crypto/internal/boring/openssl_evp.c ++++ b/src/crypto/internal/boring/openssl_evp.c +@@ -3,6 +3,7 @@ + // +build !no_openssl + // +build !cmd_go_bootstrap + // +build !msan ++// +build !static + + #include "goboringcrypto.h" + +diff --git a/src/crypto/internal/boring/openssl_lock_setup.c b/src/crypto/internal/boring/openssl_lock_setup.c +index 955924e..c0f3435 100644 +--- a/src/crypto/internal/boring/openssl_lock_setup.c ++++ b/src/crypto/internal/boring/openssl_lock_setup.c +@@ -3,6 +3,7 @@ + // +build !no_openssl + // +build !cmd_go_bootstrap + // +build !msan ++// +build !static + + #include "goboringcrypto.h" + #include +diff --git a/src/crypto/internal/boring/openssl_port_aead_gcm.c b/src/crypto/internal/boring/openssl_port_aead_gcm.c +index b39bf54..80c933a 100644 +--- a/src/crypto/internal/boring/openssl_port_aead_gcm.c ++++ b/src/crypto/internal/boring/openssl_port_aead_gcm.c +@@ -4,6 +4,7 @@ + // +build !no_openssl + // +build !cmd_go_bootstrap + // +build !msan ++// +build !static + + #include "goboringcrypto.h" + #include +diff --git a/src/crypto/internal/boring/openssl_port_ctr128.c b/src/crypto/internal/boring/openssl_port_ctr128.c +index abaff5c..e2263a5 100644 +--- a/src/crypto/internal/boring/openssl_port_ctr128.c ++++ b/src/crypto/internal/boring/openssl_port_ctr128.c +@@ -3,6 +3,7 @@ + // +build !no_openssl + // +build !cmd_go_bootstrap + // +build !msan ++// +build !static + + #include "goboringcrypto.h" + +diff --git a/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c b/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c +index 8418c38..39bf3ae 100644 +--- a/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c ++++ b/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c +@@ -4,6 +4,7 @@ + // +build !no_openssl + // +build !cmd_go_bootstrap + // +build !msan ++// +build !static + + // The following is a partial backport of crypto/evp/m_md5_sha1.c, + // commit cbc8a839959418d8a2c2e3ec6bdf394852c9501e on the +diff --git a/src/crypto/internal/boring/openssl_port_hmac.c b/src/crypto/internal/boring/openssl_port_hmac.c +index be7c71a..35e1860 100644 +--- a/src/crypto/internal/boring/openssl_port_hmac.c ++++ b/src/crypto/internal/boring/openssl_port_hmac.c +@@ -4,6 +4,8 @@ + // +build !no_openssl + // +build !cmd_go_bootstrap + // +build !msan ++// +build !static ++ + + #include "goboringcrypto.h" + +diff --git a/src/crypto/internal/boring/openssl_port_rsa.c b/src/crypto/internal/boring/openssl_port_rsa.c +index 5174f66..a8008e9 100644 +--- a/src/crypto/internal/boring/openssl_port_rsa.c ++++ b/src/crypto/internal/boring/openssl_port_rsa.c +@@ -4,6 +4,7 @@ + // +build !no_openssl + // +build !cmd_go_bootstrap + // +build !msan ++// +build !static + + #include "goboringcrypto.h" + +diff --git a/src/crypto/internal/boring/openssl_stub_rand.c b/src/crypto/internal/boring/openssl_stub_rand.c +index 18d6777..e8ac53b 100644 +--- a/src/crypto/internal/boring/openssl_stub_rand.c ++++ b/src/crypto/internal/boring/openssl_stub_rand.c +@@ -3,6 +3,7 @@ + // +build !no_openssl + // +build !cmd_go_bootstrap + // +build !msan ++// +build !static + + #include "goboringcrypto.h" + #include +diff --git a/src/crypto/internal/boring/rand.go b/src/crypto/internal/boring/rand.go +index e9c334f..3adbd4d 100644 +--- a/src/crypto/internal/boring/rand.go ++++ b/src/crypto/internal/boring/rand.go +@@ -2,8 +2,8 @@ + // Use of this source code is governed by a BSD-style + // license that can be found in the LICENSE file. + +-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl +-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl ++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static ++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static + + package boring + +diff --git a/src/crypto/internal/boring/rsa.go b/src/crypto/internal/boring/rsa.go +index b1a2f57..0cabadb 100644 +--- a/src/crypto/internal/boring/rsa.go ++++ b/src/crypto/internal/boring/rsa.go +@@ -2,8 +2,8 @@ + // Use of this source code is governed by a BSD-style + // license that can be found in the LICENSE file. + +-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl +-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl ++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static ++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static + + package boring + +diff --git a/src/crypto/internal/boring/sha.go b/src/crypto/internal/boring/sha.go +index bdcc782..6184d6c 100644 +--- a/src/crypto/internal/boring/sha.go ++++ b/src/crypto/internal/boring/sha.go +@@ -2,8 +2,8 @@ + // Use of this source code is governed by a BSD-style + // license that can be found in the LICENSE file. + +-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl +-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl ++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static ++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static + + package boring + diff --git a/SOURCES/fix_TestScript_list_std.patch b/SOURCES/fix_TestScript_list_std.patch index 1387cb7..ade3711 100644 --- a/SOURCES/fix_TestScript_list_std.patch +++ b/SOURCES/fix_TestScript_list_std.patch @@ -1,5 +1,5 @@ diff --git a/src/cmd/go/testdata/script/list_std.txt b/src/cmd/go/testdata/script/list_std.txt -index 6ab1bd1674..4a00e436fd 100644 +index 6ab1bd1..4a00e43 100644 --- a/src/cmd/go/testdata/script/list_std.txt +++ b/src/cmd/go/testdata/script/list_std.txt @@ -6,7 +6,7 @@ env GO111MODULE=off diff --git a/SOURCES/go1.5-zoneinfo_testing_only.patch b/SOURCES/go1.5-zoneinfo_testing_only.patch index 581cb94..5f0046e 100644 --- a/SOURCES/go1.5-zoneinfo_testing_only.patch +++ b/SOURCES/go1.5-zoneinfo_testing_only.patch @@ -1,6 +1,7 @@ -diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/internal_test.go.time go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/internal_test.go ---- go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/internal_test.go.time 2017-12-05 01:10:10.000000000 +0100 -+++ go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/internal_test.go 2017-12-05 14:55:10.574637475 +0100 +diff --git a/src/time/internal_test.go b/src/time/internal_test.go +index f0dddb7..415949a 100644 +--- a/src/time/internal_test.go ++++ b/src/time/internal_test.go @@ -4,13 +4,15 @@ package time @@ -16,7 +17,7 @@ diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/internal_test.go.t - z, err := loadLocation("America/Los_Angeles", zoneSources[len(zoneSources)-1:]) + z, err := loadLocation("America/Los_Angeles", zoneSources) if err != nil { - panic("cannot load America/Los_Angeles for testing: " + err.Error()) + panic("cannot load America/Los_Angeles for testing: " + err.Error() + "; you may want to use -tags=timetzdata") } @@ -21,8 +23,9 @@ func initTestingZone() { var OrigZoneSources = zoneSources @@ -29,10 +30,11 @@ diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/internal_test.go.t if zipOnly { zoneSources = zoneSources[len(zoneSources)-1:] } -diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_test.go.time go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_test.go ---- go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_test.go.time 2017-12-05 01:10:10.000000000 +0100 -+++ go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_test.go 2017-12-05 14:58:09.823109248 +0100 -@@ -8,6 +8,7 @@ import ( +diff --git a/src/time/zoneinfo_test.go b/src/time/zoneinfo_test.go +index f032aa7..e3e5547 100644 +--- a/src/time/zoneinfo_test.go ++++ b/src/time/zoneinfo_test.go +@@ -9,6 +9,7 @@ import ( "fmt" "os" "reflect" @@ -40,7 +42,7 @@ diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_test.go.t "testing" "time" ) -@@ -128,7 +129,7 @@ func TestLoadLocationFromTZData(t *testi +@@ -137,7 +138,7 @@ func TestLoadLocationFromTZData(t *testing.T) { t.Fatal(err) } @@ -49,9 +51,10 @@ diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_test.go.t if err != nil { t.Fatal(err) } -diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_unix.go.time go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_unix.go ---- go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_unix.go.time 2017-12-05 01:10:10.000000000 +0100 -+++ go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_unix.go 2017-12-05 14:55:10.574637475 +0100 +diff --git a/src/time/zoneinfo_unix.go b/src/time/zoneinfo_unix.go +index 23f8b3c..228db1b 100644 +--- a/src/time/zoneinfo_unix.go ++++ b/src/time/zoneinfo_unix.go @@ -12,7 +12,6 @@ package time diff --git a/SOURCES/relax_sha1_restriction.patch b/SOURCES/relax_sha1_restriction.patch new file mode 100644 index 0000000..a620b27 --- /dev/null +++ b/SOURCES/relax_sha1_restriction.patch @@ -0,0 +1,224 @@ +diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go +index 98778fe..71ab62a 100644 +--- a/src/crypto/x509/verify.go ++++ b/src/crypto/x509/verify.go +@@ -736,6 +736,9 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V + // list. (While this is not specified, it is common practice in order to limit + // the types of certificates a CA can issue.) + // ++// Certificates that use SHA1WithRSA and ECDSAWithSHA1 signatures are not supported, ++// and will not be used to build chains. ++// + // WARNING: this function doesn't do any revocation checking. + func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err error) { + // Platform-specific verification needs the ASN.1 contents so +diff --git a/src/crypto/x509/x509.go b/src/crypto/x509/x509.go +index 47be77d..85720b3 100644 +--- a/src/crypto/x509/x509.go ++++ b/src/crypto/x509/x509.go +@@ -184,13 +184,13 @@ const ( + + MD2WithRSA // Unsupported. + MD5WithRSA // Only supported for signing, not verification. +- SHA1WithRSA // Only supported for signing, not verification. ++ SHA1WithRSA // Only supported for signing, and verification of CRLs, CSRs, and OCSP responses. + SHA256WithRSA + SHA384WithRSA + SHA512WithRSA + DSAWithSHA1 // Unsupported. + DSAWithSHA256 // Unsupported. +- ECDSAWithSHA1 // Only supported for signing, not verification. ++ ECDSAWithSHA1 // Only supported for signing, and verification of CRLs, CSRs, and OCSP responses. + ECDSAWithSHA256 + ECDSAWithSHA384 + ECDSAWithSHA512 +@@ -770,7 +770,7 @@ func (c *Certificate) hasSANExtension() bool { + } + + // CheckSignatureFrom verifies that the signature on c is a valid signature +-// from parent. ++// from parent. SHA1WithRSA and ECDSAWithSHA1 signatures are not supported. + func (c *Certificate) CheckSignatureFrom(parent *Certificate) error { + // RFC 5280, 4.2.1.9: + // "If the basic constraints extension is not present in a version 3 +@@ -792,13 +792,13 @@ func (c *Certificate) CheckSignatureFrom(parent *Certificate) error { + + // TODO(agl): don't ignore the path length constraint. + +- return parent.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) ++ return checkSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature, parent.PublicKey, debugAllowSHA1) + } + + // CheckSignature verifies that signature is a valid signature over signed from + // c's public key. + func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) error { +- return checkSignature(algo, signed, signature, c.PublicKey) ++ return checkSignature(algo, signed, signature, c.PublicKey, true) + } + + func (c *Certificate) hasNameConstraints() bool { +@@ -818,9 +818,9 @@ func signaturePublicKeyAlgoMismatchError(expectedPubKeyAlgo PublicKeyAlgorithm, + return fmt.Errorf("x509: signature algorithm specifies an %s public key, but have public key of type %T", expectedPubKeyAlgo.String(), pubKey) + } + +-// CheckSignature verifies that signature is a valid signature over signed from ++// checkSignature verifies that signature is a valid signature over signed from + // a crypto.PublicKey. +-func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey crypto.PublicKey) (err error) { ++func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey crypto.PublicKey, allowSHA1 bool) (err error) { + var hashType crypto.Hash + var pubKeyAlgo PublicKeyAlgorithm + +@@ -839,7 +839,7 @@ func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey + case crypto.MD5: + return InsecureAlgorithmError(algo) + case crypto.SHA1: +- if !debugAllowSHA1 { ++ if !allowSHA1 { + return InsecureAlgorithmError(algo) + } + fallthrough +@@ -1599,11 +1599,11 @@ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv + // Check the signature to ensure the crypto.Signer behaved correctly. + sigAlg := getSignatureAlgorithmFromAI(signatureAlgorithm) + switch sigAlg { +- case MD5WithRSA, SHA1WithRSA, ECDSAWithSHA1: ++ case MD5WithRSA: + // We skip the check if the signature algorithm is only supported for + // signing, not verification. + default: +- if err := checkSignature(sigAlg, c.Raw, signature, key.Public()); err != nil { ++ if err := checkSignature(sigAlg, c.Raw, signature, key.Public(), true); err != nil { + return nil, fmt.Errorf("x509: signature over certificate returned by signer is invalid: %w", err) + } + } +@@ -2082,7 +2082,7 @@ func parseCertificateRequest(in *certificateRequest) (*CertificateRequest, error + + // CheckSignature reports whether the signature on c is valid. + func (c *CertificateRequest) CheckSignature() error { +- return checkSignature(c.SignatureAlgorithm, c.RawTBSCertificateRequest, c.Signature, c.PublicKey) ++ return checkSignature(c.SignatureAlgorithm, c.RawTBSCertificateRequest, c.Signature, c.PublicKey, true) + } + + // RevocationList contains the fields used to create an X.509 v2 Certificate +diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go +index f3e2a77..d31f70d 100644 +--- a/src/crypto/x509/x509_test.go ++++ b/src/crypto/x509/x509_test.go +@@ -13,6 +13,7 @@ import ( + "crypto/elliptic" + "crypto/rand" + "crypto/rsa" ++ "crypto/boring" + _ "crypto/sha256" + _ "crypto/sha512" + "crypto/x509/pkix" +@@ -2940,30 +2941,15 @@ func TestCreateCertificateBrokenSigner(t *testing.T) { + } + + func TestCreateCertificateLegacy(t *testing.T) { +- ecdsaPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) +- if err != nil { +- t.Fatalf("Failed to generate ECDSA key: %s", err) ++ sigAlg := MD5WithRSA ++ template := &Certificate{ ++ SerialNumber: big.NewInt(10), ++ DNSNames: []string{"example.com"}, ++ SignatureAlgorithm: sigAlg, + } +- +- for _, sigAlg := range []SignatureAlgorithm{ +- MD5WithRSA, SHA1WithRSA, ECDSAWithSHA1, +- } { +- template := &Certificate{ +- SerialNumber: big.NewInt(10), +- DNSNames: []string{"example.com"}, +- SignatureAlgorithm: sigAlg, +- } +- var k crypto.Signer +- switch sigAlg { +- case MD5WithRSA, SHA1WithRSA: +- k = testPrivateKey +- case ECDSAWithSHA1: +- k = ecdsaPriv +- } +- _, err := CreateCertificate(rand.Reader, template, template, k.Public(), &brokenSigner{k.Public()}) +- if err != nil { +- t.Fatalf("CreateCertificate failed when SignatureAlgorithm = %v: %s", sigAlg, err) +- } ++ _, err := CreateCertificate(rand.Reader, template, template, testPrivateKey.Public(), &brokenSigner{testPrivateKey.Public()}) ++ if err != nil { ++ t.Fatalf("CreateCertificate failed when SignatureAlgorithm = %v: %s", sigAlg, err) + } + } + +@@ -3364,3 +3350,69 @@ func TestLargeOID(t *testing.T) { + t.Fatalf("ParseCertificate to failed to parse certificate with large OID: %s", err) + } + } ++ ++func TestDisableSHA1ForCertOnly(t *testing.T) { ++ if boring.Enabled() { ++ t.Skip("not supported in boring mode") ++ } ++ defer func(old bool) { debugAllowSHA1 = old }(debugAllowSHA1) ++ debugAllowSHA1 = false ++ ++ tmpl := &Certificate{ ++ SerialNumber: big.NewInt(1), ++ NotBefore: time.Now().Add(-time.Hour), ++ NotAfter: time.Now().Add(time.Hour), ++ SignatureAlgorithm: SHA1WithRSA, ++ BasicConstraintsValid: true, ++ IsCA: true, ++ KeyUsage: KeyUsageCertSign | KeyUsageCRLSign, ++ } ++ certDER, err := CreateCertificate(rand.Reader, tmpl, tmpl, rsaPrivateKey.Public(), rsaPrivateKey) ++ if err != nil { ++ t.Fatalf("failed to generate test cert: %s", err) ++ } ++ cert, err := ParseCertificate(certDER) ++ if err != nil { ++ t.Fatalf("failed to parse test cert: %s", err) ++ } ++ ++ err = cert.CheckSignatureFrom(cert) ++ if err == nil { ++ t.Error("expected CheckSignatureFrom to fail") ++ } else if _, ok := err.(InsecureAlgorithmError); !ok { ++ t.Errorf("expected InsecureAlgorithmError error, got %T", err) ++ } ++ ++ crlDER, err := CreateRevocationList(rand.Reader, &RevocationList{ ++ SignatureAlgorithm: SHA1WithRSA, ++ Number: big.NewInt(1), ++ ThisUpdate: time.Now().Add(-time.Hour), ++ NextUpdate: time.Now().Add(time.Hour), ++ }, cert, rsaPrivateKey) ++ if err != nil { ++ t.Fatalf("failed to generate test CRL: %s", err) ++ } ++ // TODO(rolandshoemaker): this should be ParseRevocationList once it lands ++ crl, err := ParseCRL(crlDER) ++ if err != nil { ++ t.Fatalf("failed to parse test CRL: %s", err) ++ } ++ ++ if err = cert.CheckCRLSignature(crl); err != nil { ++ t.Errorf("unexpected error: %s", err) ++ } ++ ++ // This is an unrelated OCSP response, which will fail signature verification ++ // but shouldn't return a InsecureAlgorithmError, since SHA1 should be allowed ++ // for OCSP. ++ ocspTBSHex := "30819fa2160414884451ff502a695e2d88f421bad90cf2cecbea7c180f32303133303631383037323434335a30743072304a300906052b0e03021a0500041448b60d38238df8456e4ee5843ea394111802979f0414884451ff502a695e2d88f421bad90cf2cecbea7c021100f78b13b946fc9635d8ab49de9d2148218000180f32303133303631383037323434335aa011180f32303133303632323037323434335a" ++ ocspTBS, err := hex.DecodeString(ocspTBSHex) ++ if err != nil { ++ t.Fatalf("failed to decode OCSP response TBS hex: %s", err) ++ } ++ ++ err = cert.CheckSignature(SHA1WithRSA, ocspTBS, nil) ++ if err != rsa.ErrVerification { ++ t.Errorf("unexpected error: %s", err) ++ } ++} diff --git a/SOURCES/remove_waitgroup_misuse_tests.patch b/SOURCES/remove_waitgroup_misuse_tests.patch deleted file mode 100644 index b643563..0000000 --- a/SOURCES/remove_waitgroup_misuse_tests.patch +++ /dev/null @@ -1,151 +0,0 @@ -diff --git a/src/sync/waitgroup_test.go b/src/sync/waitgroup_test.go -index c569e0faa2eb..4ded218d2d8d 100644 ---- a/src/sync/waitgroup_test.go -+++ b/src/sync/waitgroup_test.go -@@ -5,8 +5,6 @@ - package sync_test - - import ( -- "internal/race" -- "runtime" - . "sync" - "sync/atomic" - "testing" -@@ -48,12 +46,6 @@ func TestWaitGroup(t *testing.T) { - } - } - --func knownRacy(t *testing.T) { -- if race.Enabled { -- t.Skip("skipping known-racy test under the race detector") -- } --} -- - func TestWaitGroupMisuse(t *testing.T) { - defer func() { - err := recover() -@@ -68,124 +60,6 @@ func TestWaitGroupMisuse(t *testing.T) { - t.Fatal("Should panic") - } - --// pollUntilEqual blocks until v, loaded atomically, is --// equal to the target. --func pollUntilEqual(v *uint32, target uint32) { -- for { -- for i := 0; i < 1e3; i++ { -- if atomic.LoadUint32(v) == target { -- return -- } -- } -- // yield to avoid deadlock with the garbage collector -- // see issue #20072 -- runtime.Gosched() -- } --} -- --func TestWaitGroupMisuse2(t *testing.T) { -- knownRacy(t) -- if runtime.NumCPU() <= 4 { -- t.Skip("NumCPU<=4, skipping: this test requires parallelism") -- } -- defer func() { -- err := recover() -- if err != "sync: negative WaitGroup counter" && -- err != "sync: WaitGroup misuse: Add called concurrently with Wait" && -- err != "sync: WaitGroup is reused before previous Wait has returned" { -- t.Fatalf("Unexpected panic: %#v", err) -- } -- }() -- defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(4)) -- done := make(chan interface{}, 2) -- // The detection is opportunistic, so we want it to panic -- // at least in one run out of a million. -- for i := 0; i < 1e6; i++ { -- var wg WaitGroup -- var here uint32 -- wg.Add(1) -- go func() { -- defer func() { -- done <- recover() -- }() -- atomic.AddUint32(&here, 1) -- pollUntilEqual(&here, 3) -- wg.Wait() -- }() -- go func() { -- defer func() { -- done <- recover() -- }() -- atomic.AddUint32(&here, 1) -- pollUntilEqual(&here, 3) -- wg.Add(1) // This is the bad guy. -- wg.Done() -- }() -- atomic.AddUint32(&here, 1) -- pollUntilEqual(&here, 3) -- wg.Done() -- for j := 0; j < 2; j++ { -- if err := <-done; err != nil { -- panic(err) -- } -- } -- } -- t.Fatal("Should panic") --} -- --func TestWaitGroupMisuse3(t *testing.T) { -- knownRacy(t) -- if runtime.NumCPU() <= 1 { -- t.Skip("NumCPU==1, skipping: this test requires parallelism") -- } -- defer func() { -- err := recover() -- if err != "sync: negative WaitGroup counter" && -- err != "sync: WaitGroup misuse: Add called concurrently with Wait" && -- err != "sync: WaitGroup is reused before previous Wait has returned" { -- t.Fatalf("Unexpected panic: %#v", err) -- } -- }() -- defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(4)) -- done := make(chan interface{}, 3) -- // The detection is opportunistically, so we want it to panic -- // at least in one run out of a million. -- for i := 0; i < 1e6; i++ { -- var wg WaitGroup -- wg.Add(1) -- go func() { -- defer func() { -- done <- recover() -- }() -- wg.Done() -- }() -- go func() { -- defer func() { -- done <- recover() -- }() -- wg.Wait() -- // Start reusing the wg before waiting for the Wait below to return. -- wg.Add(1) -- go func() { -- wg.Done() -- }() -- wg.Wait() -- }() -- go func() { -- defer func() { -- done <- recover() -- }() -- wg.Wait() -- }() -- for j := 0; j < 3; j++ { -- if err := <-done; err != nil { -- panic(err) -- } -- } -- } -- t.Fatal("Should panic") --} -- - func TestWaitGroupRace(t *testing.T) { - // Run this test for about 1ms. - for i := 0; i < 1000; i++ { diff --git a/SOURCES/skip_test_rhbz1939923.patch b/SOURCES/skip_test_rhbz1939923.patch index 80302d0..e5d52eb 100644 --- a/SOURCES/skip_test_rhbz1939923.patch +++ b/SOURCES/skip_test_rhbz1939923.patch @@ -1,8 +1,8 @@ diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go -index 51dda16815..2d1e1b1e6e 100644 +index f3e2a77..57434b5 100644 --- a/src/crypto/x509/x509_test.go +++ b/src/crypto/x509/x509_test.go -@@ -2880,6 +2880,7 @@ func (bs *brokenSigner) Sign(_ io.Reader, _ []byte, _ crypto.SignerOpts) ([]byte +@@ -2922,6 +2922,7 @@ func (bs *brokenSigner) Sign(_ io.Reader, _ []byte, _ crypto.SignerOpts) ([]byte } func TestCreateCertificateBrokenSigner(t *testing.T) { diff --git a/SPECS/golang.spec b/SPECS/golang.spec index 06c5d7b..4fdb729 100644 --- a/SPECS/golang.spec +++ b/SPECS/golang.spec @@ -95,18 +95,18 @@ %global gohostarch s390x %endif -%global go_api 1.17 -%global go_version 1.17.7 +%global go_api 1.18 +%global go_version 1.18.0 %global pkg_release 1 Name: golang Version: %{go_version} -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Go Programming Language # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain License: BSD and Public Domain URL: http://golang.org/ -Source0: https://pagure.io/go/archive/go-%{go_version}-%{pkg_release}-openssl-fips/go-go-%{go_version}-%{pkg_release}-openssl-fips.tar.gz +Source0: https://github.com/golang-fips/go/archive/refs/tags/go%{go_version}-%{pkg_release}-openssl-fips.tar.gz # make possible to override default traceback level at build time by setting build tag rpm_crashtraceback Source1: fedora.go @@ -140,12 +140,12 @@ Patch215: go1.5-zoneinfo_testing_only.patch # Proposed patch by jcajka https://golang.org/cl/86541 Patch221: fix_TestScript_list_std.patch +# static linking of dlopen is unsupported +Patch226: disable_static_external_tests.patch + Patch1939923: skip_test_rhbz1939923.patch -# These tests has been removed upstream due to -# nondeterministic flakiness -# https://bugzilla.redhat.com/show_bug.cgi?id=2028662 -Patch2028662: remove_waitgroup_misuse_tests.patch +Patch51852: relax_sha1_restriction.patch # Having documentation separate was broken Obsoletes: %{name}-docs < 1.1-4 @@ -234,15 +234,17 @@ Requires: %{name} = %{version}-%{release} %endif %prep -%setup -q -n go-go-%{go_version}-%{pkg_release}-openssl-fips +%setup -q -n go-go%{go_version}-%{pkg_release}-openssl-fips %patch215 -p1 %patch221 -p1 +%patch226 -p1 + %patch1939923 -p1 -%patch2028662 -p1 +%patch51852 -p1 cp %{SOURCE1} ./src/runtime/ @@ -517,6 +519,14 @@ cd .. %endif %changelog +* Mon Apr 18 2022 David Benoit - 1.18.0-2 +- Enable SHA1 in some contexts +- Related: rhbz#2075162 + +* Wed Apr 13 2022 David Benoit - 1.18.0-1 +- Update Go to 1.18.0 +- Resolves: rhbz#2075162 + * Thu Feb 17 2022 David Benoit - 1.17.7-1 - Rebase to Go 1.17.7 - Remove fips memory leak patch (fixed in tree)