Merge 'microsoft/main' into dev/dagood/doc-sys-req

microsoft · Jul 13, 2023 · 5d3dcd3 · 5d3dcd3
2 parents 6341a1d + 34d75f9
commit 5d3dcd3
Show file tree

Hide file tree

Showing 11 changed files with 194 additions and 127 deletions.
diff --git a/eng/_core/supportdata/supportdata.go b/eng/_core/supportdata/supportdata.go
@@ -24,6 +24,7 @@ const (
 	Archive   ArtifactKind = "archive"
 	Installer ArtifactKind = "installer"
 	Source    ArtifactKind = "source"
+	Manifest  ArtifactKind = "manifest"
 )
 
 type LatestLink struct {

diff --git a/eng/_util/cmd/updatelinktable/updatelinktable.go b/eng/_util/cmd/updatelinktable/updatelinktable.go
@@ -31,6 +31,7 @@ var supported = []version{
 			"linux-armv6l":  {},
 			"windows-amd64": {},
 			"src":           {},
+			"assets":        {},
 		},
 	},
 	{
@@ -42,12 +43,14 @@ var supported = []version{
 			"linux-armv6l":  {},
 			"windows-amd64": {},
 			"src":           {},
+			"assets":        {},
 		},
 	},
 }
 
 var platformPrettyNames = map[string]string{
-	"src": "Source code",
+	"src":    "Source code",
+	"assets": "Metadata",
 }
 
 type version struct {
@@ -86,6 +89,14 @@ var sourceFiles = []goFileType{
 	},
 }
 
+var assetsFiles = []goFileType{
+	{
+		Kind: supportdata.Manifest,
+		Name: "Asset manifest (json)",
+		Ext:  ".json",
+	},
+}
+
 type goFileType struct {
 	Kind      supportdata.ArtifactKind
 	Name      string
@@ -211,7 +222,7 @@ func data() (string, []supportdata.Branch) {
 	b.WriteString("\n|")
 	for _, p := range platforms() {
 		os, arch, _ := strings.Cut(p, "-")
-		if p == "src" {
+		if p == "src" || p == "assets" {
 			os = ""
 		}
 		b.WriteString(" ")
@@ -253,16 +264,16 @@ func platforms() []string {
 			platforms[p] = struct{}{}
 		}
 	}
-	// Sort the platforms, but keep "src" always on top because it's very different and shouldn't be
+	// Sort the platforms, but keep "src" and "assets" always on top because it's very different and shouldn't be
 	// mixed in with the others. (Upstream also does this at go.dev/dl.)
 	keys := make([]string, 0, len(platforms))
 	for k := range platforms {
-		if k != "src" {
+		if k != "src" && k != "assets" {
 			keys = append(keys, k)
 		}
 	}
 	sort.Strings(keys)
-	keys = append([]string{"src"}, keys...)
+	keys = append([]string{"src", "assets"}, keys...)
 	return keys
 }
 
@@ -283,5 +294,8 @@ func fileTypes(platform string) []goFileType {
 	if platform == "src" {
 		return sourceFiles
 	}
+	if platform == "assets" {
+		return assetsFiles
+	}
 	return nil
 }
diff --git a/eng/doc/Downloads.md b/eng/doc/Downloads.md
@@ -12,6 +12,7 @@ This document contains a list of links to the binary releases of the Microsoft b
 |   | 1.20 | 1.19 |
 | --- | --- | --- |
 | Source code | - [Source (tar.gz)](https://aka.ms/golang/release/latest/go1.20.src.tar.gz)<br/>- [Checksum (SHA256)](https://aka.ms/golang/release/latest/go1.20.src.tar.gz.sha256)<br/>- [Signature<sup>1</sup>](https://aka.ms/golang/release/latest/go1.20.src.tar.gz.sig)<br/> | - [Source (tar.gz)](https://aka.ms/golang/release/latest/go1.19.src.tar.gz)<br/>- [Checksum (SHA256)](https://aka.ms/golang/release/latest/go1.19.src.tar.gz.sha256)<br/>- [Signature<sup>1</sup>](https://aka.ms/golang/release/latest/go1.19.src.tar.gz.sig)<br/> |
+ Metadata | - [Asset manifest (json)](https://aka.ms/golang/release/latest/go1.20.assets.json)<br/> | - [Asset manifest (json)](https://aka.ms/golang/release/latest/go1.19.assets.json)<br/> |
  linux-amd64 | - [Binaries (tar.gz)](https://aka.ms/golang/release/latest/go1.20.linux-amd64.tar.gz)<br/>- [Checksum (SHA256)](https://aka.ms/golang/release/latest/go1.20.linux-amd64.tar.gz.sha256)<br/>- [Signature<sup>1</sup>](https://aka.ms/golang/release/latest/go1.20.linux-amd64.tar.gz.sig)<br/> | - [Binaries (tar.gz)](https://aka.ms/golang/release/latest/go1.19.linux-amd64.tar.gz)<br/>- [Checksum (SHA256)](https://aka.ms/golang/release/latest/go1.19.linux-amd64.tar.gz.sha256)<br/>- [Signature<sup>1</sup>](https://aka.ms/golang/release/latest/go1.19.linux-amd64.tar.gz.sig)<br/> |
  linux-arm64 | - [Binaries (tar.gz)](https://aka.ms/golang/release/latest/go1.20.linux-arm64.tar.gz)<br/>- [Checksum (SHA256)](https://aka.ms/golang/release/latest/go1.20.linux-arm64.tar.gz.sha256)<br/>- [Signature<sup>1</sup>](https://aka.ms/golang/release/latest/go1.20.linux-arm64.tar.gz.sig)<br/> | - [Binaries (tar.gz)](https://aka.ms/golang/release/latest/go1.19.linux-arm64.tar.gz)<br/>- [Checksum (SHA256)](https://aka.ms/golang/release/latest/go1.19.linux-arm64.tar.gz.sha256)<br/>- [Signature<sup>1</sup>](https://aka.ms/golang/release/latest/go1.19.linux-arm64.tar.gz.sig)<br/> |
  linux-armv6l | - [Binaries (tar.gz)](https://aka.ms/golang/release/latest/go1.20.linux-armv6l.tar.gz)<br/>- [Checksum (SHA256)](https://aka.ms/golang/release/latest/go1.20.linux-armv6l.tar.gz.sha256)<br/>- [Signature<sup>1</sup>](https://aka.ms/golang/release/latest/go1.20.linux-armv6l.tar.gz.sig)<br/> | - [Binaries (tar.gz)](https://aka.ms/golang/release/latest/go1.19.linux-armv6l.tar.gz)<br/>- [Checksum (SHA256)](https://aka.ms/golang/release/latest/go1.19.linux-armv6l.tar.gz.sha256)<br/>- [Signature<sup>1</sup>](https://aka.ms/golang/release/latest/go1.19.linux-armv6l.tar.gz.sig)<br/> |

diff --git a/eng/doc/fips/README.md b/eng/doc/fips/README.md
@@ -234,7 +234,10 @@ The `opensslcrypto` Go runtime automatically loads the OpenSSL shared library `l
 The `libcrypto` shared library file name varies among different platforms, so a best effort is done to find and load the right file:
 
 - The base name is always `libcrypto.so.`
-- Well-known version strings are appended to the base name, until the file is found, in the following order: `3` -> `1.1` -> `11` -> `111` -> `1.0.2` -> `1.0.0`.
+- Well-known version strings are appended to the base name in this order: `3` -> `1.1` -> `11` -> `111` -> `1.0.2` -> `1.0.0`.
+- This may find multiple libraries installed on the machine, so to pick one:
+  - A matching library with FIPS mode on by default (e.g. set by system configuration) is chosen immediately.
+  - If none have FIPS mode on by default, the first match is used.
 
 This algorithm can be overridden by setting the environment variable `GO_OPENSSL_VERSION_OVERRIDE` to the desired version string. For example, `GO_OPENSSL_VERSION_OVERRIDE="1.1.1k-fips"` makes the runtime look for the shared library `libcrypto.so.1.1.1k-fips` before running the checks for well-known versions.
 

diff --git a/eng/doc/release-branch-links.json b/eng/doc/release-branch-links.json
@@ -14,6 +14,14 @@
         "checksumURL": "https://aka.ms/golang/release/latest/go1.20.src.tar.gz.sha256",
         "signatureURL": "https://aka.ms/golang/release/latest/go1.20.src.tar.gz.sig"
       },
+      {
+        "filename": "go1.20.assets.json",
+        "os": "",
+        "arch": "",
+        "version": "go1.20",
+        "kind": "manifest",
+        "url": "https://aka.ms/golang/release/latest/go1.20.assets.json"
+      },
       {
         "filename": "go1.20.linux-amd64.tar.gz",
         "os": "linux",
@@ -70,6 +78,14 @@
         "checksumURL": "https://aka.ms/golang/release/latest/go1.19.src.tar.gz.sha256",
         "signatureURL": "https://aka.ms/golang/release/latest/go1.19.src.tar.gz.sig"
       },
+      {
+        "filename": "go1.19.assets.json",
+        "os": "",
+        "arch": "",
+        "version": "go1.19",
+        "kind": "manifest",
+        "url": "https://aka.ms/golang/release/latest/go1.19.assets.json"
+      },
       {
         "filename": "go1.19.linux-amd64.tar.gz",
         "os": "linux",

diff --git a/go b/go
diff --git a/patches/0002-Add-crypto-backend-foundation.patch b/patches/0002-Add-crypto-backend-foundation.patch
@@ -4,47 +4,47 @@ Date: Thu, 30 Jun 2022 10:03:03 +0200
 Subject: [PATCH] Add crypto backend foundation
 
 ---
- src/crypto/aes/cipher.go                    |   2 +-
- src/crypto/aes/cipher_asm.go                |   2 +-
- src/crypto/boring/boring.go                 |   2 +-
- src/crypto/ecdh/ecdh.go                     |   2 +-
- src/crypto/ecdh/nist.go                     |   2 +-
- src/crypto/ecdsa/boring.go                  |   4 +-
- src/crypto/ecdsa/ecdsa.go                   |   4 +-
- src/crypto/ecdsa/notboring.go               |   2 +-
- src/crypto/ed25519/ed25519_test.go          |   2 +-
- src/crypto/hmac/hmac.go                     |   2 +-
- src/crypto/hmac/hmac_test.go                |   2 +-
- src/crypto/internal/backend/backend_test.go |  30 +++++
- src/crypto/internal/backend/bbig/big.go     |  17 +++
- src/crypto/internal/backend/common.go       |  65 +++++++++++
- src/crypto/internal/backend/iscgo.go        |  10 ++
- src/crypto/internal/backend/nobackend.go    | 116 ++++++++++++++++++++
- src/crypto/internal/backend/nocgo.go        |  10 ++
- src/crypto/internal/backend/stub.s          |  10 ++
- src/crypto/rand/rand_unix.go                |   2 +-
- src/crypto/rsa/boring.go                    |   4 +-
- src/crypto/rsa/notboring.go                 |   2 +-
- src/crypto/rsa/pkcs1v15.go                  |   2 +-
- src/crypto/rsa/pss.go                       |   2 +-
- src/crypto/rsa/rsa.go                       |   4 +-
- src/crypto/rsa/rsa_test.go                  |   2 +-
- src/crypto/sha1/boring.go                   |   2 +-
- src/crypto/sha1/sha1_test.go                |   2 +-
- src/crypto/sha256/sha256.go                 |   2 +-
- src/crypto/sha256/sha256_test.go            |   2 +-
- src/crypto/sha512/sha512.go                 |   2 +-
- src/crypto/sha512/sha512_test.go            |   2 +-
- src/crypto/tls/cipher_suites.go             |   2 +-
- src/go/build/deps_test.go                   |   2 +
- src/runtime/runtime_boring.go               |   5 +
- 34 files changed, 294 insertions(+), 29 deletions(-)
+ src/crypto/aes/cipher.go                     |   2 +-
+ src/crypto/aes/cipher_asm.go                 |   2 +-
+ src/crypto/boring/boring.go                  |   2 +-
+ src/crypto/ecdh/ecdh.go                      |   2 +-
+ src/crypto/ecdh/nist.go                      |   2 +-
+ src/crypto/ecdsa/boring.go                   |   4 +-
+ src/crypto/ecdsa/ecdsa.go                    |   4 +-
+ src/crypto/ecdsa/notboring.go                |   2 +-
+ src/crypto/ed25519/ed25519_test.go           |   2 +-
+ src/crypto/hmac/hmac.go                      |   2 +-
+ src/crypto/hmac/hmac_test.go                 |   2 +-
+ src/crypto/internal/backend/backend_test.go  |  30 +++++
+ src/crypto/internal/backend/bbig/big.go      |  17 +++
+ src/crypto/internal/backend/common.go        |  78 +++++++++++++
+ src/crypto/internal/backend/isrequirefips.go |   9 ++
+ src/crypto/internal/backend/nobackend.go     | 116 +++++++++++++++++++
+ src/crypto/internal/backend/norequirefips.go |   9 ++
+ src/crypto/internal/backend/stub.s           |  10 ++
+ src/crypto/rand/rand_unix.go                 |   2 +-
+ src/crypto/rsa/boring.go                     |   4 +-
+ src/crypto/rsa/notboring.go                  |   2 +-
+ src/crypto/rsa/pkcs1v15.go                   |   2 +-
+ src/crypto/rsa/pss.go                        |   2 +-
+ src/crypto/rsa/rsa.go                        |   4 +-
+ src/crypto/rsa/rsa_test.go                   |   2 +-
+ src/crypto/sha1/boring.go                    |   2 +-
+ src/crypto/sha1/sha1_test.go                 |   2 +-
+ src/crypto/sha256/sha256.go                  |   2 +-
+ src/crypto/sha256/sha256_test.go             |   2 +-
+ src/crypto/sha512/sha512.go                  |   2 +-
+ src/crypto/sha512/sha512_test.go             |   2 +-
+ src/crypto/tls/cipher_suites.go              |   2 +-
+ src/go/build/deps_test.go                    |   2 +
+ src/runtime/runtime_boring.go                |   5 +
+ 34 files changed, 305 insertions(+), 29 deletions(-)
  create mode 100644 src/crypto/internal/backend/backend_test.go
  create mode 100644 src/crypto/internal/backend/bbig/big.go
  create mode 100644 src/crypto/internal/backend/common.go
- create mode 100644 src/crypto/internal/backend/iscgo.go
+ create mode 100644 src/crypto/internal/backend/isrequirefips.go
  create mode 100644 src/crypto/internal/backend/nobackend.go
- create mode 100644 src/crypto/internal/backend/nocgo.go
+ create mode 100644 src/crypto/internal/backend/norequirefips.go
  create mode 100644 src/crypto/internal/backend/stub.s
 
 diff --git a/src/crypto/aes/cipher.go b/src/crypto/aes/cipher.go
@@ -256,10 +256,10 @@ index 00000000000000..85bd3ed083f5b2
 +}
 diff --git a/src/crypto/internal/backend/common.go b/src/crypto/internal/backend/common.go
 new file mode 100644
-index 00000000000000..007d8070538247
+index 00000000000000..efdd080a1b7708
 --- /dev/null
 +++ b/src/crypto/internal/backend/common.go
-@@ -0,0 +1,65 @@
+@@ -0,0 +1,78 @@
 +// Copyright 2022 The Go Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
@@ -273,25 +273,38 @@ index 00000000000000..007d8070538247
 +)
 +
 +func init() {
-+	if v, _ := envGoFIPS(); v == "1" {
-+		if runtime.GOOS != "linux" {
-+			panic("FIPS mode requested (GOFIPS=1) but not supported on " + runtime.GOOS)
-+		} else if !iscgo {
-+			panic("FIPS mode requested (GOFIPS=1) but not supported with cgo disabled")
++	if v, r, ok := envGoFIPS(); ok && v == "1" {
++		if !Enabled {
++			if runtime.GOOS != "linux" && runtime.GOOS != "windows" {
++				panic("FIPS mode requested (" + r + ") but no crypto backend is supported on " + runtime.GOOS)
++			}
++			panic("FIPS mode requested (" + r + ") but no supported crypto backend is enabled")
 +		}
 +	}
 +}
 +
-+func envGoFIPS() (string, bool) {
-+	if v, ok := syscall.Getenv("GOFIPS"); ok {
-+		return v, true
-+	}
++func envGoFIPS() (value string, reason string, ok bool) {
 +	// TODO: Decide which environment variable to use.
 +	// See https://github.com/microsoft/go/issues/397.
-+	if v, ok := syscall.Getenv("GOLANG_FIPS"); ok {
-+		return v, true
++	var varName string
++	if value, ok = syscall.Getenv("GOFIPS"); ok {
++		varName = "GOFIPS"
++	} else if value, ok = syscall.Getenv("GOLANG_FIPS"); ok {
++		varName = "GOLANG_FIPS"
++	}
++	if isRequireFIPS {
++		if ok && value != "1" {
++			panic("the 'requirefips' build tag is enabled, but it conflicts " +
++				"with the detected env variable " +
++				varName + "=" + value +
++				" which would disable FIPS mode")
++		}
++		return "1", "requirefips tag set", true
 +	}
-+	return "", false
++	if ok {
++		return value, "environment variable " + varName + "=1", true
++	}
++	return "", "", false
 +}
 +
 +// Unreachable marks code that should be unreachable
@@ -325,22 +338,21 @@ index 00000000000000..007d8070538247
 +		}
 +	}
 +}
-diff --git a/src/crypto/internal/backend/iscgo.go b/src/crypto/internal/backend/iscgo.go
+diff --git a/src/crypto/internal/backend/isrequirefips.go b/src/crypto/internal/backend/isrequirefips.go
 new file mode 100644
-index 00000000000000..1e0d3cf8c18b55
+index 00000000000000..e5d7570d6d4363
 --- /dev/null
-+++ b/src/crypto/internal/backend/iscgo.go
-@@ -0,0 +1,10 @@
++++ b/src/crypto/internal/backend/isrequirefips.go
+@@ -0,0 +1,9 @@
 +// Copyright 2022 The Go Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
 +
-+//go:build cgo
-+// +build cgo
++//go:build requirefips
 +
 +package backend
 +
-+const iscgo = true
++const isRequireFIPS = true
 diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go
 new file mode 100644
 index 00000000000000..ad6081552af15d
@@ -463,22 +475,21 @@ index 00000000000000..ad6081552af15d
 +func NewPublicKeyECDH(string, []byte) (*PublicKeyECDH, error) { panic("cryptobackend: not available") }
 +func (*PublicKeyECDH) Bytes() []byte                          { panic("cryptobackend: not available") }
 +func (*PrivateKeyECDH) PublicKey() (*PublicKeyECDH, error)    { panic("cryptobackend: not available") }
-diff --git a/src/crypto/internal/backend/nocgo.go b/src/crypto/internal/backend/nocgo.go
+diff --git a/src/crypto/internal/backend/norequirefips.go b/src/crypto/internal/backend/norequirefips.go
 new file mode 100644
-index 00000000000000..63c13fc4b01cba
+index 00000000000000..26bfb5f6a643f3
 --- /dev/null
-+++ b/src/crypto/internal/backend/nocgo.go
-@@ -0,0 +1,10 @@
++++ b/src/crypto/internal/backend/norequirefips.go
+@@ -0,0 +1,9 @@
 +// Copyright 2022 The Go Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
 +
-+//go:build !cgo
-+// +build !cgo
++//go:build !requirefips
 +
 +package backend
 +
-+const iscgo = false
++const isRequireFIPS = false
 diff --git a/src/crypto/internal/backend/stub.s b/src/crypto/internal/backend/stub.s
 new file mode 100644
 index 00000000000000..5e4b436554d44d

diff --git a/patches/0003-Add-BoringSSL-crypto-backend.patch b/patches/0003-Add-BoringSSL-crypto-backend.patch
@@ -30,15 +30,15 @@ index 00000000000000..0b62cef68546d0
 +var Dec = bbig.Dec
 diff --git a/src/crypto/internal/backend/boring_linux.go b/src/crypto/internal/backend/boring_linux.go
 new file mode 100644
-index 00000000000000..b22886bb6cc88f
+index 00000000000000..3b5504b6afc5c6
 --- /dev/null
 +++ b/src/crypto/internal/backend/boring_linux.go
 @@ -0,0 +1,135 @@
 +// Copyright 2017 The Go Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
 +
-+//go:build goexperiment.boringcrypto && linux && cgo && amd64 && !android && !cmd_go_bootstrap && !msan
++//go:build goexperiment.boringcrypto && linux && cgo && (amd64 || arm64) && !android && !msan
 +
 +// Package boring provides access to BoringCrypto implementation functions.
 +// Check the variable Enabled to find out whether BoringCrypto is available.

diff --git a/patches/0004-Add-OpenSSL-crypto-backend.patch b/patches/0004-Add-OpenSSL-crypto-backend.patch
@@ -189,15 +189,15 @@ index 00000000000000..61ef3fdd90b607
 +var Dec = bbig.Dec
 diff --git a/src/crypto/internal/backend/openssl_linux.go b/src/crypto/internal/backend/openssl_linux.go
 new file mode 100644
-index 00000000000000..68ea43ea892e1d
+index 00000000000000..34c2b8a90c9526
 --- /dev/null
 +++ b/src/crypto/internal/backend/openssl_linux.go
 @@ -0,0 +1,203 @@
 +// Copyright 2017 The Go Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
 +
-+//go:build goexperiment.opensslcrypto && linux && cgo && !android && !cmd_go_bootstrap && !msan
++//go:build goexperiment.opensslcrypto && linux && cgo && !android
 +
 +// Package openssl provides access to OpenSSLCrypto implementation functions.
 +// Check the variable Enabled to find out whether OpenSSLCrypto is available.
@@ -226,7 +226,7 @@ index 00000000000000..68ea43ea892e1d
 +	// 1: FIPS required: abort the process if it is not enabled and can't be enabled.
 +	// other values: do not override OpenSSL configured FIPS mode.
 +	var fips string
-+	if v, ok := envGoFIPS(); ok {
++	if v, _, ok := envGoFIPS(); ok {
 +		fips = v
 +	} else if systemFIPSMode() {
 +		// System configuration can only force FIPS mode.