diff --git a/.gitignore b/.gitignore index c4616f3..570c2b5 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/go-go-1.14.4-1-openssl-fips.tar.gz +SOURCES/go-go-1.15.7-1-openssl-fips.tar.gz diff --git a/.golang.metadata b/.golang.metadata index 4cbcc3d..a431e7e 100644 --- a/.golang.metadata +++ b/.golang.metadata @@ -1 +1 @@ -c68072d707cf093fba93bc2d7cda172cd3749120 SOURCES/go-go-1.14.4-1-openssl-fips.tar.gz +501d01d764310874ec20f3d7555c70948ef15fb2 SOURCES/go-go-1.15.7-1-openssl-fips.tar.gz diff --git a/SOURCES/golang-1.15-warnCN.patch b/SOURCES/golang-1.15-warnCN.patch new file mode 100644 index 0000000..5d9cf82 --- /dev/null +++ b/SOURCES/golang-1.15-warnCN.patch @@ -0,0 +1,25 @@ +diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go +index 50f4d4a..121fd1b 100644 +--- a/src/crypto/x509/verify.go ++++ b/src/crypto/x509/verify.go +@@ -20,6 +20,9 @@ import ( + + // ignoreCN disables interpreting Common Name as a hostname. See issue 24151. + var ignoreCN = !strings.Contains(os.Getenv("GODEBUG"), "x509ignoreCN=0") ++// if using Common Name as a hostname is enabled via x509ignoreCN=0, ++// warnCN enables a warning whenever Common Name is interpreted as a hostname. ++var warnCN = strings.Contains(os.Getenv("GODEBUG"), "x509warnCN=1") + + type InvalidReason int + +@@ -1078,6 +1081,10 @@ func (c *Certificate) VerifyHostname(h string) error { + names := c.DNSNames + if c.commonNameAsHostname() { + names = []string{c.Subject.CommonName} ++ if warnCN { ++ fmt.Fprintf(os.Stderr, "x509: Warning - certificate relies on legacy Common Name field. " + ++ "Using CN without SAN is deprecated and will not work in future versions.\n") ++ } + } + + candidateName := toLowerCaseASCII(h) // Save allocations inside the loop. diff --git a/SOURCES/net-http-graceful-shutdown.patch b/SOURCES/net-http-graceful-shutdown.patch new file mode 100644 index 0000000..90dd711 --- /dev/null +++ b/SOURCES/net-http-graceful-shutdown.patch @@ -0,0 +1,157 @@ +diff --git a/src/net/http/export_test.go b/src/net/http/export_test.go +index 657ff9d..67a74ae 100644 +--- a/src/net/http/export_test.go ++++ b/src/net/http/export_test.go +@@ -274,6 +274,17 @@ func (s *Server) ExportAllConnsIdle() bool { + return true + } + ++func (s *Server) ExportAllConnsByState() map[ConnState]int { ++ states := map[ConnState]int{} ++ s.mu.Lock() ++ defer s.mu.Unlock() ++ for c := range s.activeConn { ++ st, _ := c.getState() ++ states[st] += 1 ++ } ++ return states ++} ++ + func (r *Request) WithT(t *testing.T) *Request { + return r.WithContext(context.WithValue(r.Context(), tLogKey{}, t.Logf)) + } +diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go +index 5f56932..806272b 100644 +--- a/src/net/http/serve_test.go ++++ b/src/net/http/serve_test.go +@@ -5519,16 +5519,23 @@ func TestServerSetKeepAlivesEnabledClosesConns(t *testing.T) { + } + } + +-func TestServerShutdown_h1(t *testing.T) { testServerShutdown(t, h1Mode) } +-func TestServerShutdown_h2(t *testing.T) { testServerShutdown(t, h2Mode) } ++func TestServerShutdown_h1(t *testing.T) { ++ testServerShutdown(t, h1Mode) ++} ++func TestServerShutdown_h2(t *testing.T) { ++ testServerShutdown(t, h2Mode) ++} + + func testServerShutdown(t *testing.T, h2 bool) { + setParallel(t) + defer afterTest(t) + var doShutdown func() // set later ++ var doStateCount func() + var shutdownRes = make(chan error, 1) ++ var statesRes = make(chan map[ConnState]int, 1) + var gotOnShutdown = make(chan struct{}, 1) + handler := HandlerFunc(func(w ResponseWriter, r *Request) { ++ doStateCount() + go doShutdown() + // Shutdown is graceful, so it should not interrupt + // this in-flight response. Add a tiny sleep here to +@@ -5545,6 +5552,9 @@ func testServerShutdown(t *testing.T, h2 bool) { + doShutdown = func() { + shutdownRes <- cst.ts.Config.Shutdown(context.Background()) + } ++ doStateCount = func() { ++ statesRes <- cst.ts.Config.ExportAllConnsByState() ++ } + get(t, cst.c, cst.ts.URL) // calls t.Fail on failure + + if err := <-shutdownRes; err != nil { +@@ -5556,6 +5566,10 @@ func testServerShutdown(t *testing.T, h2 bool) { + t.Errorf("onShutdown callback not called, RegisterOnShutdown broken?") + } + ++ if states := <-statesRes; states[StateActive] != 1 { ++ t.Errorf("connection in wrong state, %v", states) ++ } ++ + res, err := cst.c.Get(cst.ts.URL) + if err == nil { + res.Body.Close() +diff --git a/src/net/http/server.go b/src/net/http/server.go +index d41b5f6..14a6336 100644 +--- a/src/net/http/server.go ++++ b/src/net/http/server.go +@@ -324,7 +324,7 @@ func (c *conn) hijackLocked() (rwc net.Conn, buf *bufio.ReadWriter, err error) { + return nil, nil, fmt.Errorf("unexpected Peek failure reading buffered byte: %v", err) + } + } +- c.setState(rwc, StateHijacked) ++ c.setState(rwc, StateHijacked, runHooks) + return + } + +@@ -1737,7 +1737,12 @@ func validNextProto(proto string) bool { + return true + } + +-func (c *conn) setState(nc net.Conn, state ConnState) { ++const ( ++ runHooks = true ++ skipHooks = false ++) ++ ++func (c *conn) setState(nc net.Conn, state ConnState, runHook bool) { + srv := c.server + switch state { + case StateNew: +@@ -1750,6 +1755,9 @@ func (c *conn) setState(nc net.Conn, state ConnState) { + } + packedState := uint64(time.Now().Unix()<<8) | uint64(state) + atomic.StoreUint64(&c.curState.atomic, packedState) ++ if !runHook { ++ return ++ } + if hook := srv.ConnState; hook != nil { + hook(nc, state) + } +@@ -1803,7 +1811,7 @@ func (c *conn) serve(ctx context.Context) { + } + if !c.hijacked() { + c.close() +- c.setState(c.rwc, StateClosed) ++ c.setState(c.rwc, StateClosed, runHooks) + } + }() + +@@ -1831,6 +1839,10 @@ func (c *conn) serve(ctx context.Context) { + if proto := c.tlsState.NegotiatedProtocol; validNextProto(proto) { + if fn := c.server.TLSNextProto[proto]; fn != nil { + h := initALPNRequest{ctx, tlsConn, serverHandler{c.server}} ++ // Mark freshly created HTTP/2 as active and prevent any server state hooks ++ // from being run on these connections. This prevents closeIdleConns from ++ // closing such connections. See issue https://golang.org/issue/39776. ++ c.setState(c.rwc, StateActive, skipHooks) + fn(c.server, tlsConn, h) + } + return +@@ -1851,7 +1863,7 @@ func (c *conn) serve(ctx context.Context) { + w, err := c.readRequest(ctx) + if c.r.remain != c.server.initialReadLimitSize() { + // If we read any bytes off the wire, we're active. +- c.setState(c.rwc, StateActive) ++ c.setState(c.rwc, StateActive, runHooks) + } + if err != nil { + const errorHeaders = "\r\nContent-Type: text/plain; charset=utf-8\r\nConnection: close\r\n\r\n" +@@ -1934,7 +1946,7 @@ func (c *conn) serve(ctx context.Context) { + } + return + } +- c.setState(c.rwc, StateIdle) ++ c.setState(c.rwc, StateIdle, runHooks) + c.curReq.Store((*response)(nil)) + + if !w.conn.server.doKeepAlives() { +@@ -2965,7 +2977,7 @@ func (srv *Server) Serve(l net.Listener) error { + } + tempDelay = 0 + c := srv.newConn(rw) +- c.setState(c.rwc, StateNew) // before Serve can return ++ c.setState(c.rwc, StateNew, runHooks) // before Serve can return + go c.serve(connCtx) + } + } diff --git a/SOURCES/x-text-infinite-loop.patch b/SOURCES/x-text-infinite-loop.patch new file mode 100644 index 0000000..ee4fb0f --- /dev/null +++ b/SOURCES/x-text-infinite-loop.patch @@ -0,0 +1,24 @@ +diff --git a/src/vendor/golang.org/x/text/transform/transform.go b/src/vendor/golang.org/x/text/transform/transform.go +index 520b9ad..48ec64b 100644 +--- a/src/vendor/golang.org/x/text/transform/transform.go ++++ b/src/vendor/golang.org/x/text/transform/transform.go +@@ -648,7 +648,8 @@ func String(t Transformer, s string) (result string, n int, err error) { + // Transform the remaining input, growing dst and src buffers as necessary. + for { + n := copy(src, s[pSrc:]) +- nDst, nSrc, err := t.Transform(dst[pDst:], src[:n], pSrc+n == len(s)) ++ atEOF := pSrc+n == len(s) ++ nDst, nSrc, err := t.Transform(dst[pDst:], src[:n], atEOF) + pDst += nDst + pSrc += nSrc + +@@ -659,6 +660,9 @@ func String(t Transformer, s string) (result string, n int, err error) { + dst = grow(dst, pDst) + } + } else if err == ErrShortSrc { ++ if atEOF { ++ return string(dst[:pDst]), pSrc, err ++ } + if nSrc == 0 { + src = grow(src, 0) + } diff --git a/SPECS/golang.spec b/SPECS/golang.spec index e927429..57c6aa1 100644 --- a/SPECS/golang.spec +++ b/SPECS/golang.spec @@ -95,8 +95,8 @@ %global gohostarch s390x %endif -%global go_api 1.14 -%global go_version 1.14.4 +%global go_api 1.15 +%global go_version 1.15.7 %global pkg_release 1 Name: golang @@ -131,6 +131,7 @@ Provides: go = %{version}-%{release} Requires: %{name}-bin = %{version}-%{release} Requires: %{name}-src = %{version}-%{release} Requires: openssl-devel +Requires: diffutils # we had been just removing the zoneinfo.zip, but that caused tests to fail for users that # later run `go test -a std`. This makes it only use the zoneinfo.zip where needed in tests. @@ -139,6 +140,28 @@ Patch215: ./go1.5-zoneinfo_testing_only.patch # Proposed patch by jcajka https://golang.org/cl/86541 Patch221: fix_TestScript_list_std.patch +# It seems this patch will be included in Go 1.14.5 +# https://github.com/golang/go/issues/39991 +# https://go-review.googlesource.com/c/go/+/240917 +#Patch240917: ppc64le_fix_missing_deferreturn.patch + +# Add an env var to optionally trigger a warning in x509 when +# Common Name is used as hostname +# rhbz#1889437 +Patch223: golang-1.15-warnCN.patch + +# Gracefully shut down http2 connections +# https://go-review.googlesource.com/c/go/+/240278 +# rhbz#1888673 +Patch224: net-http-graceful-shutdown.patch + +# Prevent transform from entering infinite loop. +# We're just picking the change from transform.go +# because the encoding module is not included +# as a vendor dependency. +# https://go-review.googlesource.com/c/text/+/238238 +Patch225: x-text-infinite-loop.patch + # Having documentation separate was broken Obsoletes: %{name}-docs < 1.1-4 @@ -232,6 +255,14 @@ Requires: %{name} = %{version}-%{release} %patch221 -p1 +#%patch240917 -p1 + +%patch223 -p1 + +%patch224 -p1 + +%patch225 -p1 + cp %{SOURCE1} ./src/runtime/ %build @@ -429,9 +460,9 @@ export GO_TEST_RUN="" export GOLANG_FIPS=1 pushd crypto # Run all crypto tests but skip TLS, we will run FIPS specific TLS tests later - go test $(go list | grep -v tls) -v + go test $(go list ./... | grep -v tls) -v # Check that signature functions have parity between boring and notboring - CGO_ENABLED=0 go test ./ecdsa + CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v popd # Run all FIPS specific TLS tests pushd crypto/tls @@ -498,6 +529,57 @@ cd .. %endif %changelog +* Fri Jan 22 2021 David Benoit - 1.15.7-1 +- Rebase to 1.15.7 +- Resolves: rhbz#1870531 +- Resolves: rhbz#1919261 + +* Tue Nov 24 2020 David Benoit - 1.15.5-1 +- Rebase to 1.15.5 +- Resolves: rhbz#1898652 +- Resolves: rhbz#1898660 +- Resolves: rhbz#1898649 + +* Mon Nov 16 2020 David Benoit - 1.15.3-2 +- fix typo in patch file name +- Related: rhbz#1881539 + +* Thu Nov 12 2020 David Benoit - 1.15.3-1 +- Rebase to 1.15.3 +- fix x/text infinite loop +- Resolves: rhbz#1881539 + +* Tue Nov 03 2020 Alejandro Sáez - 1.15.2-2 +- Resolves: rhbz#1850045 + +* Mon Oct 19 2020 David Benoit - 1.15.2-1 +- Rebase to 1.15.2 +- fix rhbz#1872622 in commit af9a1b1f6567a1c5273a134d395bfe7bb840b7f8 +- Resolves: rhbz#1872622 +- add net/http graceful shutdown patch +- Resolves: rhbz#1888673 +- add x509warnCN patch +- Resolves: rhbz#1889437 + +* Wed Sep 09 2020 Alejandro Sáez - 1.15.0-1 +- Rebase to 1.15.0 +- Related: rhbz#1870531 + +* Thu Aug 27 2020 Alejandro Sáez - 1.14.7-2 +- Improve test suite +- Resolves: rhbz#1854693 + +* Tue Aug 18 2020 Alejandro Sáez - 1.14.7-1 +- Rebase to 1.14.7 + +* Mon Aug 03 2020 Alejandro Sáez - 1.14.6-1 +- Rebase to 1.14.6 +- Resolves: rhbz#1820596 + +* Wed Jul 08 2020 Alejandro Sáez - 1.14.4-2 +- Include patch to fix missing deferreturn on linux/ppc64le +- Resolves: rhbz#1854836 + * Thu Jun 25 2020 Alejandro Sáez - 1.14.4-1 - Rebase to 1.14.4