From acf1d651134bee749cf98acf7e965d4aba6649d2 Mon Sep 17 00:00:00 2001 From: Gavin Inglis Date: Tue, 13 Aug 2024 22:22:10 +0000 Subject: [PATCH 1/2] go: add support for 1.23, drop 1.21 Signed-off-by: Gavin Inglis --- Dockerfile | 40 ++++++++--------- hashes/go-1.21 | 2 - hashes/go-1.23 | 2 + ...rict-boringcrypto-crypto-tls-to-FIPS.patch | 38 ---------------- ...ngcypto-build-compatible-with-aws-lc.patch | 0 ...rict-boringcrypto-crypto-tls-to-FIPS.patch | 44 +++++++++++++++++++ 6 files changed, 66 insertions(+), 60 deletions(-) delete mode 100644 hashes/go-1.21 create mode 100644 hashes/go-1.23 delete mode 100644 patches/go-1.21/0002-Always-restrict-boringcrypto-crypto-tls-to-FIPS.patch rename patches/{go-1.21 => go-1.23}/0001-Make-boringcypto-build-compatible-with-aws-lc.patch (100%) create mode 100644 patches/go-1.23/0002-Always-restrict-boringcrypto-crypto-tls-to-FIPS.patch diff --git a/Dockerfile b/Dockerfile index 24b19969..20a1c76c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -559,14 +559,14 @@ ENV AWS_LC_FIPS_VER="2.0.9" USER root RUN dnf -y install golang -ENV GO121VER="1.21.12" +ENV GO123VER="1.23.0" ENV GO122VER="1.22.5" # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= -FROM sdk-go-prep as sdk-go-1.21-prep +FROM sdk-go-prep as sdk-go-1.23-prep -ENV GOMAJOR="1.21" +ENV GOMAJOR="1.23" USER builder @@ -579,7 +579,7 @@ COPY ./patches/go-${GOMAJOR} /home/builder/patches-go COPY ./hashes/aws-lc /home/builder/hashes-aws-lc COPY ./patches/aws-lc /home/builder/patches-aws-lc -RUN ./prep-go.sh --go-version=${GO121VER} +RUN ./prep-go.sh --go-version=${GO123VER} WORKDIR /home/builder/aws-lc/build COPY ./configs/aws-lc/* . 
@@ -610,13 +610,13 @@ COPY ./helpers/aws-lc/* . # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= -FROM sdk-go-1.21-prep as sdk-go-1.21-aws-lc-x86_64 +FROM sdk-go-1.23-prep as sdk-go-1.23-aws-lc-x86_64 ENV ARCH="x86_64" RUN ./build-aws-lc.sh --arch="${ARCH}" --go-dir="${HOME}/sdk-go" # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= -FROM sdk-go-1.21-prep as sdk-go-1.21-aws-lc-aarch64 +FROM sdk-go-1.23-prep as sdk-go-1.23-aws-lc-aarch64 ENV ARCH="aarch64" RUN ./build-aws-lc.sh --arch="${ARCH}" --go-dir="${HOME}/sdk-go" @@ -634,20 +634,20 @@ RUN ./build-aws-lc.sh --arch="${ARCH}" --go-dir="${HOME}/sdk-go" # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= -FROM sdk-go-1.21-prep as sdk-go-1.21 +FROM sdk-go-1.23-prep as sdk-go-1.23 -COPY --from=sdk-go-1.21-aws-lc-x86_64 \ +COPY --from=sdk-go-1.23-aws-lc-x86_64 \ /home/builder/aws-lc/build/goboringcrypto_linux_amd64.syso \ /home/builder/sdk-go/src/crypto/internal/boring/syso/goboringcrypto_linux_amd64.syso -COPY --from=sdk-go-1.21-aws-lc-aarch64 \ +COPY --from=sdk-go-1.23-aws-lc-aarch64 \ /home/builder/aws-lc/build/goboringcrypto_linux_arm64.syso \ /home/builder/sdk-go/src/crypto/internal/boring/syso/goboringcrypto_linux_arm64.syso COPY ./helpers/go/* ./ # Build Go - finally! -RUN ./build-go.sh --go-version=${GO121VER} +RUN ./build-go.sh --go-version=${GO123VER} # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= 
@@ -1237,16 +1237,16 @@ COPY --chown=0:0 --from=sdk-rust \ /usr/share/licenses/rust/ # "sdk-go" has the Go toolchain and standard library builds. -COPY --chown=0:0 --from=sdk-go-1.21 /home/builder/sdk-go/bin /usr/libexec/go-1.21/bin/ -COPY --chown=0:0 --from=sdk-go-1.21 /home/builder/sdk-go/lib /usr/libexec/go-1.21/lib/ -COPY --chown=0:0 --from=sdk-go-1.21 /home/builder/sdk-go/pkg /usr/libexec/go-1.21/pkg/ -COPY --chown=0:0 --from=sdk-go-1.21 /home/builder/sdk-go/src /usr/libexec/go-1.21/src/ -COPY --chown=0:0 --from=sdk-go-1.21 /home/builder/sdk-go/go.env /usr/libexec/go-1.21/go.env -COPY --chown=0:0 --from=sdk-go-1.21 \ +COPY --chown=0:0 --from=sdk-go-1.23 /home/builder/sdk-go/bin /usr/libexec/go-1.23/bin/ +COPY --chown=0:0 --from=sdk-go-1.23 /home/builder/sdk-go/lib /usr/libexec/go-1.23/lib/ +COPY --chown=0:0 --from=sdk-go-1.23 /home/builder/sdk-go/pkg /usr/libexec/go-1.23/pkg/ +COPY --chown=0:0 --from=sdk-go-1.23 /home/builder/sdk-go/src /usr/libexec/go-1.23/src/ +COPY --chown=0:0 --from=sdk-go-1.23 /home/builder/sdk-go/go.env /usr/libexec/go-1.23/go.env +COPY --chown=0:0 --from=sdk-go-1.23 \ /home/builder/sdk-go/licenses/ \ - /usr/share/licenses/go-1.21/ + /usr/share/licenses/go-1.23/ -COPY --chown=0:0 --from=sdk-go-1.21 \ +COPY --chown=0:0 --from=sdk-go-1.23 \ /home/builder/aws-lc/LICENSE \ /usr/share/licenses/aws-lc/LICENSE @@ -1373,7 +1373,7 @@ COPY ./wrappers/go/gofips /usr/bin/gofips # Add Go programs to $PATH and sync timestamps to avoid rebuilds. RUN \ - find /usr/libexec/go-1.21 -type f -exec touch -r /usr/libexec/go-1.21/bin/go {} \+ && \ + find /usr/libexec/go-1.23 -type f -exec touch -r /usr/libexec/go-1.23/bin/go {} \+ && \ find /usr/libexec/go-1.22 -type f -exec touch -r /usr/libexec/go-1.22/bin/go {} \+ # Strip and add tools to the path. 
@@ -1424,7 +1424,7 @@ USER builder WORKDIR /home/builder # Set the default Go major version. -ENV GO_MAJOR="1.21" +ENV GO_MAJOR="1.23" # In NSS 3.101, lib::pkix was enabled as the default X.509 validator. # This causes signature checking of secureboot artifacts to fail during build. diff --git a/hashes/go-1.21 b/hashes/go-1.21 deleted file mode 100644 index acdd7d9e..00000000 --- a/hashes/go-1.21 +++ /dev/null @@ -1,2 +0,0 @@ -# https://go.dev/dl/go1.21.12.src.tar.gz -SHA512 (go1.21.12.src.tar.gz) = fb909b92e9dbcf022b9f9250c66a6681585e26aeaf7b8a16b4263082c137181c53966299aa8014983a0215d70e03d1e18b77d674ab32dcfaa5de8c9ed2c8020c diff --git a/hashes/go-1.23 b/hashes/go-1.23 new file mode 100644 index 00000000..5c791d8a --- /dev/null +++ b/hashes/go-1.23 @@ -0,0 +1,2 @@ +# https://go.dev/dl/go1.23.0.src.tar.gz +SHA512 (go1.23.0.src.tar.gz) = 5822124ca570662ac8dcec32a79196520ce355fe421d83372f8b8a97b3811de0739edcd7080a23f845cf700a6a26f3af6c93278f6ce485b93120afdd4f6c4f47 diff --git a/patches/go-1.21/0002-Always-restrict-boringcrypto-crypto-tls-to-FIPS.patch b/patches/go-1.21/0002-Always-restrict-boringcrypto-crypto-tls-to-FIPS.patch deleted file mode 100644 index fb872d55..00000000 --- a/patches/go-1.21/0002-Always-restrict-boringcrypto-crypto-tls-to-FIPS.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 11e8de79f810f02dc426d184b6eb54c011f09aa6 Mon Sep 17 00:00:00 2001 -From: Ben Cressey -Date: Wed, 13 Mar 2024 18:16:53 +0000 -Subject: [PATCH] Always restrict boringcrypto crypto/tls to FIPS - -Signed-off-by: Ben Cressey ---- - src/crypto/tls/boring.go | 1 + - src/go/build/deps_test.go | 1 + - 2 files changed, 2 insertions(+) - -diff --git a/src/crypto/tls/boring.go b/src/crypto/tls/boring.go -index 1827f76..625a67c 100644 ---- a/src/crypto/tls/boring.go -+++ b/src/crypto/tls/boring.go -@@ -8,6 +8,7 @@ package tls - - import ( - "crypto/internal/boring/fipstls" -+ _ "crypto/tls/fipsonly" - ) - - // needFIPS returns fipstls.Required(); it avoids a new import in common.go. -diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go -index 592f2fd..5584339 100644 ---- a/src/go/build/deps_test.go -+++ b/src/go/build/deps_test.go -@@ -482,6 +482,7 @@ var depsRules = ` - < crypto/x509/internal/macos - < crypto/x509/pkix; - -+ crypto/tls/fipsonly, - crypto/internal/boring/fipstls, crypto/x509/pkix - < crypto/x509 - < crypto/tls; --- -2.43.0 - diff --git a/patches/go-1.21/0001-Make-boringcypto-build-compatible-with-aws-lc.patch b/patches/go-1.23/0001-Make-boringcypto-build-compatible-with-aws-lc.patch similarity index 100% rename from patches/go-1.21/0001-Make-boringcypto-build-compatible-with-aws-lc.patch rename to patches/go-1.23/0001-Make-boringcypto-build-compatible-with-aws-lc.patch diff --git a/patches/go-1.23/0002-Always-restrict-boringcrypto-crypto-tls-to-FIPS.patch b/patches/go-1.23/0002-Always-restrict-boringcrypto-crypto-tls-to-FIPS.patch new file mode 100644 index 00000000..59c64e96 --- /dev/null +++ b/patches/go-1.23/0002-Always-restrict-boringcrypto-crypto-tls-to-FIPS.patch 
@@ -0,0 +1,44 @@ +From 5256a813afbb9c0f7d7ae00544ae1cbaeafb7f1e Mon Sep 17 00:00:00 2001 +From: Gavin Inglis +Date: Tue, 13 Aug 2024 22:00:50 +0000 +Subject: [PATCH] Always restrict boringcrypto crypto/tls to FIPS + +Signed-off-by: Ben Cressey +[giinglis: update for Go 1.23] +Signed-off-by: Gavin Inglis +--- + src/crypto/tls/boring.go | 5 ++++- + src/go/build/deps_test.go | 1 + + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/crypto/tls/boring.go b/src/crypto/tls/boring.go +index c44ae92f25..dae77b8f2e 100644 +--- a/src/crypto/tls/boring.go ++++ b/src/crypto/tls/boring.go +@@ -6,7 +6,10 @@ + + package tls + +-import "crypto/internal/boring/fipstls" ++import ( ++ "crypto/internal/boring/fipstls" ++ _ "crypto/tls/fipsonly" ++) + + // needFIPS returns fipstls.Required(), which is not available without the + // boringcrypto build tag. +diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go +index 441cf8d051..01aa89ff04 100644 +--- a/src/go/build/deps_test.go ++++ b/src/go/build/deps_test.go +@@ -521,6 +521,7 @@ var depsRules = ` + < crypto/x509/internal/macos + < crypto/x509/pkix; + ++ crypto/tls/fipsonly, + crypto/internal/boring/fipstls, crypto/x509/pkix + < crypto/x509 + < crypto/tls; +-- +2.43.0 + From e7a2c6767111811cc2186723bf6e080898372c27 Mon Sep 17 00:00:00 2001 From: Gavin Inglis Date: Tue, 13 Aug 2024 23:26:07 +0000 Subject: [PATCH 2/2] go: update Go 1.22 to 1.22.6 Signed-off-by: Gavin Inglis --- Dockerfile | 2 +- hashes/go-1.22 | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 20a1c76c..3984ebd9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -560,7 +560,7 @@ USER root RUN dnf -y install golang ENV GO123VER="1.23.0" -ENV GO122VER="1.22.5" +ENV GO122VER="1.22.6" # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= diff --git a/hashes/go-1.22 b/hashes/go-1.22 index 68aba99a..3225fcbb 100644 --- a/hashes/go-1.22 +++ b/hashes/go-1.22 
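Review bot: The blank import `_ "crypto/tls/fipsonly"` added to src/crypto/tls/boring.go has no comment saying why it is there, even though its only purpose (per the patch title) is an init-time side effect that restricts every boringcrypto build of this toolchain to FIPS-only TLS with no runtime opt-out, which affects everything compiled through the gofips wrapper installed elsewhere in this diff. Add above the import: `// Imported for its init side effect: unconditionally force FIPS-only TLS` / `// settings whenever boringcrypto is in use. There is no runtime opt-out.` The deps_test.go rule change is consistent with the new import, but nothing in the patch asserts the forced mode, so a small boringcrypto-tagged test in crypto/tls checking that `fipstls.Required()` is already true at startup would catch a future rebase that silently drops the import. If the 1.23 fipsonly init narrows negotiable TLS versions or suites differently from the 1.21 version being deleted (not visible here), that behavioral change belongs in the patch description rather than only in the "[giinglis: update for Go 1.23]" trailer.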
@@ -1,2 +1,2 @@
-# https://go.dev/dl/go1.22.5.src.tar.gz
-SHA512 (go1.22.5.src.tar.gz) = 798c2bd5d59be1fb5d7af98893fa7bb68322117facfdee546a37175ec5e8be634f2bed2d8d0e7d4d0555b354c8e9d72b3829c39670d3be2d2328376a00a48576
+# https://go.dev/dl/go1.22.6.src.tar.gz
+SHA512 (go1.22.6.src.tar.gz) = 59f84ba390203271d9fe2d3f04624449d54d3bb73c2b6e54b5f7dc9e9e2dce2192bae07ef56a2afee871cff84d457b90f8a00f4433e072028b97af987f3799e1