[OSS] security: update go to 1.20.1 (#16263)

* security: update go to 1.20.1
This commit is contained in:
Dan Stough 2023-02-17 15:04:12 -05:00 committed by GitHub
parent 9027a9629d
commit 29497be7e8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
29 changed files with 81 additions and 124 deletions

4
.changelog/16263.txt Normal file
View File

@ -0,0 +1,4 @@
```release-note:security
Upgrade to use Go 1.20.1.
This resolves vulnerabilities [CVE-2022-41724](https://go.dev/issue/58001) in `crypto/tls` and [CVE-2022-41723](https://go.dev/issue/57855) in `net/http`.
```

View File

@ -21,7 +21,7 @@ references:
GIT_COMMITTER_NAME: circleci-consul
S3_ARTIFACT_BUCKET: consul-dev-artifacts-v2
BASH_ENV: .circleci/bash_env.sh
GO_VERSION: 1.19.4
GO_VERSION: 1.20.1
envoy-versions: &supported_envoy_versions
- &default_envoy_version "1.22.7"
- "1.23.4"
@ -39,7 +39,7 @@ references:
images:
# When updating the Go version, remember to also update the versions in the
# workflows section for go-test-lib jobs.
go: &GOLANG_IMAGE docker.mirror.hashicorp.services/cimg/go:1.19.4
go: &GOLANG_IMAGE docker.mirror.hashicorp.services/cimg/go:1.20.1
ember: &EMBER_IMAGE docker.mirror.hashicorp.services/circleci/node:14-browsers
ubuntu: &UBUNTU_CI_IMAGE ubuntu-2004:202201-02
cache:
@ -613,7 +613,7 @@ jobs:
- run: *notify-slack-failure
nomad-integration-test: &NOMAD_TESTS
docker:
- image: docker.mirror.hashicorp.services/cimg/go:1.19
- image: docker.mirror.hashicorp.services/cimg/go:1.20
parameters:
nomad-version:
type: enum
@ -1110,35 +1110,35 @@ workflows:
- go-test-lib:
name: "go-test-envoyextensions"
path: envoyextensions
go-version: "1.19"
go-version: "1.20"
requires: [dev-build]
<<: *filter-ignore-non-go-branches
- go-test-lib:
name: "go-test-troubleshoot"
path: troubleshoot
go-version: "1.19"
go-version: "1.20"
requires: [dev-build]
<<: *filter-ignore-non-go-branches
- go-test-lib:
name: "go-test-api go1.18"
path: api
go-version: "1.18"
requires: [dev-build]
- go-test-lib:
name: "go-test-api go1.19"
path: api
go-version: "1.19"
requires: [dev-build]
- go-test-lib:
name: "go-test-sdk go1.18"
path: sdk
go-version: "1.18"
<<: *filter-ignore-non-go-branches
name: "go-test-api go1.20"
path: api
go-version: "1.20"
requires: [dev-build]
- go-test-lib:
name: "go-test-sdk go1.19"
path: sdk
go-version: "1.19"
<<: *filter-ignore-non-go-branches
- go-test-lib:
name: "go-test-sdk go1.20"
path: sdk
go-version: "1.20"
<<: *filter-ignore-non-go-branches
- go-test-race: *filter-ignore-non-go-branches
- go-test-32bit: *filter-ignore-non-go-branches
- noop

View File

@ -79,15 +79,15 @@ jobs:
strategy:
matrix:
include:
- {go: "1.19.4", goos: "linux", goarch: "386"}
- {go: "1.19.4", goos: "linux", goarch: "amd64"}
- {go: "1.19.4", goos: "linux", goarch: "arm"}
- {go: "1.19.4", goos: "linux", goarch: "arm64"}
- {go: "1.19.4", goos: "freebsd", goarch: "386"}
- {go: "1.19.4", goos: "freebsd", goarch: "amd64"}
- {go: "1.19.4", goos: "windows", goarch: "386"}
- {go: "1.19.4", goos: "windows", goarch: "amd64"}
- {go: "1.19.4", goos: "solaris", goarch: "amd64"}
- {go: "1.20.1", goos: "linux", goarch: "386"}
- {go: "1.20.1", goos: "linux", goarch: "amd64"}
- {go: "1.20.1", goos: "linux", goarch: "arm"}
- {go: "1.20.1", goos: "linux", goarch: "arm64"}
- {go: "1.20.1", goos: "freebsd", goarch: "386"}
- {go: "1.20.1", goos: "freebsd", goarch: "amd64"}
- {go: "1.20.1", goos: "windows", goarch: "386"}
- {go: "1.20.1", goos: "windows", goarch: "amd64"}
- {go: "1.20.1", goos: "solaris", goarch: "amd64"}
fail-fast: true
name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} build
@ -176,7 +176,7 @@ jobs:
matrix:
goos: [ darwin ]
goarch: [ "amd64", "arm64" ]
go: [ "1.19.4" ]
go: [ "1.20.1" ]
fail-fast: true
name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} build

View File

@ -7,11 +7,11 @@ SHELL = bash
# These version variables can either be a valid string for "go install <module>@<version>"
# or the string @DEV to imply use what is currently installed locally.
###
GOLANGCI_LINT_VERSION='v1.50.1'
MOCKERY_VERSION='v2.15.0'
GOLANGCI_LINT_VERSION='v1.51.1'
MOCKERY_VERSION='v2.20.0'
BUF_VERSION='v1.4.0'
PROTOC_GEN_GO_GRPC_VERSION="v1.2.0"
MOG_VERSION='v0.3.0'
MOG_VERSION='v0.4.0'
PROTOC_GO_INJECT_TAG_VERSION='v1.3.0'
PROTOC_GEN_GO_BINARY_VERSION="v0.1.0"
DEEP_COPY_VERSION='bc3f5aa5735d8a54961580a3a24422c308c831c2'

View File

@ -4,12 +4,13 @@ import (
"bytes"
"context"
"crypto/md5"
"crypto/rand"
"crypto/tls"
"crypto/x509"
"encoding/base64"
"encoding/json"
"fmt"
"math/rand"
mathrand "math/rand"
"net"
"net/http"
"net/http/httptest"
@ -752,7 +753,7 @@ func testAgent_AddServices_AliasUpdateCheckNotReverted(t *testing.T, extraHCL st
func test_createAlias(t *testing.T, agent *TestAgent, chk *structs.CheckType, expectedResult string) func(r *retry.R) {
t.Helper()
serviceNum := rand.Int()
serviceNum := mathrand.Int()
srv := &structs.NodeService{
Service: fmt.Sprintf("serviceAlias-%d", serviceNum),
Tags: []string{"tag1"},

View File

@ -3,12 +3,11 @@ package consul
import (
"bytes"
"crypto"
crand "crypto/rand"
"crypto/rand"
"crypto/x509"
"encoding/base64"
"encoding/pem"
"fmt"
"math/rand"
"net"
"net/url"
"os"
@ -884,7 +883,7 @@ func TestAutoConfig_parseAutoConfigCSR(t *testing.T) {
// customizations to allow for better unit testing.
createCSR := func(tmpl *x509.CertificateRequest, privateKey crypto.Signer) (string, error) {
connect.HackSANExtensionForCSR(tmpl)
bs, err := x509.CreateCertificateRequest(crand.Reader, tmpl, privateKey)
bs, err := x509.CreateCertificateRequest(rand.Reader, tmpl, privateKey)
require.NoError(t, err)
var csrBuf bytes.Buffer
err = pem.Encode(&csrBuf, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: bs})

View File

@ -1,9 +1,9 @@
package consul
import (
"crypto/rand"
"encoding/base64"
"fmt"
"math/rand"
"os"
"strings"
"testing"

View File

@ -478,7 +478,7 @@ func TestLeader_PeeringSync_FailsForTLSError(t *testing.T) {
t.Run("server-name-validation", func(t *testing.T) {
testLeader_PeeringSync_failsForTLSError(t, func(token *structs.PeeringToken) {
token.ServerName = "wrong.name"
}, `transport: authentication handshake failed: x509: certificate is valid for server.dc1.peering.11111111-2222-3333-4444-555555555555.consul, not wrong.name`)
}, `transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate is valid for server.dc1.peering.11111111-2222-3333-4444-555555555555.consul, not wrong.name`)
})
t.Run("bad-ca-roots", func(t *testing.T) {
wrongRoot, err := os.ReadFile("../../test/client_certs/rootca.crt")
@ -486,7 +486,7 @@ func TestLeader_PeeringSync_FailsForTLSError(t *testing.T) {
testLeader_PeeringSync_failsForTLSError(t, func(token *structs.PeeringToken) {
token.CA = []string{string(wrongRoot)}
}, `transport: authentication handshake failed: x509: certificate signed by unknown authority`)
}, `transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority`)
})
}

View File

@ -13,7 +13,6 @@ import (
"github.com/hashicorp/consul/acl"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/lib"
"github.com/hashicorp/consul/proto/pbacl"
)
@ -3570,7 +3569,6 @@ func TestStateStore_ACLPolicies_Snapshot_Restore(t *testing.T) {
}
func TestTokenPoliciesIndex(t *testing.T) {
lib.SeedMathRand()
idIndex := &memdb.IndexSchema{
Name: "id",

View File

@ -40,9 +40,9 @@ func TestCoordinate_Disabled_Response(t *testing.T) {
req, _ := http.NewRequest("PUT", "/should/not/care", nil)
resp := httptest.NewRecorder()
obj, err := tt(resp, req)
if err, ok := err.(HTTPError); ok {
if err.StatusCode != 401 {
t.Fatalf("expected status 401 but got %d", err.StatusCode)
if httpErr, ok := err.(HTTPError); ok {
if httpErr.StatusCode != 401 {
t.Fatalf("expected status 401 but got %d", httpErr.StatusCode)
}
} else {
t.Fatalf("expected HTTP error but got %v", err)

View File

@ -8,12 +8,8 @@ import (
"time"
"github.com/stretchr/testify/require"
"github.com/hashicorp/consul/lib"
)
func init() { lib.SeedMathRand() }
func TestSessionLimiter(t *testing.T) {
lim := NewSessionLimiter()

View File

@ -13,9 +13,10 @@ import (
"github.com/hashicorp/consul/testrpc"
"github.com/stretchr/testify/require"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/types"
"github.com/stretchr/testify/require"
)
// MockPreparedQuery is a fake endpoint that we inject into the Consul server
@ -628,9 +629,9 @@ func TestPreparedQuery_Execute(t *testing.T) {
req, _ := http.NewRequest("GET", "/v1/query/not-there/execute", body)
resp := httptest.NewRecorder()
_, err := a.srv.PreparedQuerySpecific(resp, req)
if err, ok := err.(HTTPError); ok {
if err.StatusCode != 404 {
t.Fatalf("expected status 404 but got %d", err.StatusCode)
if httpErr, ok := err.(HTTPError); ok {
if httpErr.StatusCode != 404 {
t.Fatalf("expected status 404 but got %d", httpErr.StatusCode)
}
} else {
t.Fatalf("expected HTTP error but got %v", err)
@ -768,9 +769,9 @@ func TestPreparedQuery_Explain(t *testing.T) {
req, _ := http.NewRequest("GET", "/v1/query/not-there/explain", body)
resp := httptest.NewRecorder()
_, err := a.srv.PreparedQuerySpecific(resp, req)
if err, ok := err.(HTTPError); ok {
if err.StatusCode != 404 {
t.Fatalf("expected status 404 but got %d", err.StatusCode)
if httpErr, ok := err.(HTTPError); ok {
if httpErr.StatusCode != 404 {
t.Fatalf("expected status 404 but got %d", httpErr.StatusCode)
}
} else {
t.Fatalf("expected HTTP error but got %v", err)
@ -862,9 +863,9 @@ func TestPreparedQuery_Get(t *testing.T) {
req, _ := http.NewRequest("GET", "/v1/query/f004177f-2c28-83b7-4229-eacc25fe55d1", body)
resp := httptest.NewRecorder()
_, err := a.srv.PreparedQuerySpecific(resp, req)
if err, ok := err.(HTTPError); ok {
if err.StatusCode != 404 {
t.Fatalf("expected status 404 but got %d", err.StatusCode)
if httpErr, ok := err.(HTTPError); ok {
if httpErr.StatusCode != 404 {
t.Fatalf("expected status 404 but got %d", httpErr.StatusCode)
}
} else {
t.Fatalf("expected HTTP error but got %v", err)

View File

@ -6,7 +6,6 @@ import (
"crypto/x509"
"fmt"
"io"
"math/rand"
"net"
"net/http/httptest"
"path/filepath"
@ -32,10 +31,6 @@ import (
"github.com/hashicorp/consul/tlsutil"
)
func init() {
rand.Seed(time.Now().UnixNano()) // seed random number generator
}
// TestAgent encapsulates an Agent with a default configuration and
// startup procedure suitable for testing. It panics if there are errors
// during creation or startup instead of returning errors. It manages a

View File

@ -67,9 +67,9 @@ func TestTxnEndpoint_Bad_Size_Item(t *testing.T) {
t.Fatalf("err: %v", err)
}
} else {
if err, ok := err.(HTTPError); ok {
if err.StatusCode != 413 {
t.Fatalf("expected 413 but got %d", err.StatusCode)
if httpErr, ok := err.(HTTPError); ok {
if httpErr.StatusCode != 413 {
t.Fatalf("expected 413 but got %d", httpErr.StatusCode)
}
} else {
t.Fatalf("excected HTTP error but got %v", err)
@ -150,9 +150,9 @@ func TestTxnEndpoint_Bad_Size_Net(t *testing.T) {
t.Fatalf("err: %v", err)
}
} else {
if err, ok := err.(HTTPError); ok {
if err.StatusCode != 413 {
t.Fatalf("expected 413 but got %d", err.StatusCode)
if httpErr, ok := err.(HTTPError); ok {
if httpErr.StatusCode != 413 {
t.Fatalf("expected 413 but got %d", httpErr.StatusCode)
}
} else {
t.Fatalf("excected HTTP error but got %v", err)
@ -220,9 +220,9 @@ func TestTxnEndpoint_Bad_Size_Ops(t *testing.T) {
resp := httptest.NewRecorder()
_, err := a.srv.Txn(resp, req)
if err, ok := err.(HTTPError); ok {
if err.StatusCode != 413 {
t.Fatalf("expected 413 but got %d", err.StatusCode)
if httpErr, ok := err.(HTTPError); ok {
if httpErr.StatusCode != 413 {
t.Fatalf("expected 413 but got %d", httpErr.StatusCode)
}
} else {
t.Fatalf("expected HTTP error but got %v", err)

View File

@ -1,6 +1,6 @@
module github.com/hashicorp/consul/api
go 1.18
go 1.20
replace github.com/hashicorp/consul/sdk => ../sdk

View File

@ -1,4 +1,4 @@
ARG GOLANG_VERSION=1.19.2
ARG GOLANG_VERSION=1.20.1
FROM golang:${GOLANG_VERSION}
WORKDIR /consul

View File

@ -13,7 +13,6 @@ import (
"github.com/hashicorp/consul/agent"
consulapi "github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/lib"
)
// TODO(partitions): split these tests
@ -206,8 +205,6 @@ func zip(t *testing.T, k, v []string) map[string]string {
}
func TestSortByMemberNamePartitionAndSegment(t *testing.T) {
lib.SeedMathRand()
// For the test data we'll give them names that would sort them backwards
// if we only sorted by name.
newData := func() []*consulapi.AgentMember {

View File

@ -1,6 +1,6 @@
module github.com/hashicorp/consul/envoyextensions
go 1.19
go 1.20
replace github.com/hashicorp/consul/api => ../api

2
go.mod
View File

@ -1,6 +1,6 @@
module github.com/hashicorp/consul
go 1.19
go 1.20
replace (
github.com/hashicorp/consul/api => ./api

View File

@ -1,34 +0,0 @@
package lib
import (
crand "crypto/rand"
"math"
"math/big"
"math/rand"
"sync"
"time"
)
var (
once sync.Once
// SeededSecurely is set to true if a cryptographically secure seed
// was used to initialize rand. When false, the start time is used
// as a seed.
SeededSecurely bool
)
// SeedMathRand provides weak, but guaranteed seeding, which is better than
// running with Go's default seed of 1. A call to SeedMathRand() is expected
// to be called via init(), but never a second time.
func SeedMathRand() {
once.Do(func() {
n, err := crand.Int(crand.Reader, big.NewInt(math.MaxInt64))
if err != nil {
rand.Seed(time.Now().UTC().UnixNano())
return
}
rand.Seed(n.Int64())
SeededSecurely = true
})
}

View File

@ -11,14 +11,9 @@ import (
"github.com/hashicorp/consul/command"
"github.com/hashicorp/consul/command/cli"
"github.com/hashicorp/consul/command/version"
"github.com/hashicorp/consul/lib"
_ "github.com/hashicorp/consul/service_os"
)
func init() {
lib.SeedMathRand()
}
func main() {
os.Exit(realMain())
}

View File

@ -1,4 +1,4 @@
// Code generated by mockery v2.15.0. DO NOT EDIT.
// Code generated by mockery v2.20.0. DO NOT EDIT.
package pbdns
@ -27,6 +27,10 @@ func (_m *MockDNSServiceClient) Query(ctx context.Context, in *QueryRequest, opt
ret := _m.Called(_ca...)
var r0 *QueryResponse
var r1 error
if rf, ok := ret.Get(0).(func(context.Context, *QueryRequest, ...grpc.CallOption) (*QueryResponse, error)); ok {
return rf(ctx, in, opts...)
}
if rf, ok := ret.Get(0).(func(context.Context, *QueryRequest, ...grpc.CallOption) *QueryResponse); ok {
r0 = rf(ctx, in, opts...)
} else {
@ -35,7 +39,6 @@ func (_m *MockDNSServiceClient) Query(ctx context.Context, in *QueryRequest, opt
}
}
var r1 error
if rf, ok := ret.Get(1).(func(context.Context, *QueryRequest, ...grpc.CallOption) error); ok {
r1 = rf(ctx, in, opts...)
} else {

View File

@ -1,4 +1,4 @@
// Code generated by mockery v2.15.0. DO NOT EDIT.
// Code generated by mockery v2.20.0. DO NOT EDIT.
package pbdns
@ -18,6 +18,10 @@ func (_m *MockDNSServiceServer) Query(_a0 context.Context, _a1 *QueryRequest) (*
ret := _m.Called(_a0, _a1)
var r0 *QueryResponse
var r1 error
if rf, ok := ret.Get(0).(func(context.Context, *QueryRequest) (*QueryResponse, error)); ok {
return rf(_a0, _a1)
}
if rf, ok := ret.Get(0).(func(context.Context, *QueryRequest) *QueryResponse); ok {
r0 = rf(_a0, _a1)
} else {
@ -26,7 +30,6 @@ func (_m *MockDNSServiceServer) Query(_a0 context.Context, _a1 *QueryRequest) (*
}
}
var r1 error
if rf, ok := ret.Get(1).(func(context.Context, *QueryRequest) error); ok {
r1 = rf(_a0, _a1)
} else {

View File

@ -1,4 +1,4 @@
// Code generated by mockery v2.15.0. DO NOT EDIT.
// Code generated by mockery v2.20.0. DO NOT EDIT.
package pbdns

View File

@ -114,7 +114,6 @@ func initialize() {
panic("freeport: block size too big or too many blocks requested")
}
rand.Seed(time.Now().UnixNano())
firstPort, lockLn = alloc()
condNotEmpty = sync.NewCond(&mu)

View File

@ -1,6 +1,6 @@
module github.com/hashicorp/consul/sdk
go 1.18
go 1.20
require (
github.com/hashicorp/go-cleanhttp v0.5.1

View File

@ -1,6 +1,6 @@
module github.com/hashicorp/consul/test/integration/consul-container
go 1.19
go 1.20
require (
github.com/avast/retry-go v3.0.0+incompatible

View File

@ -906,7 +906,7 @@ func TestConfigurator_outgoingWrapperALPN_serverHasNoNodeNameInSAN(t *testing.T)
_, err = wrap("dc1", "bob", "foo", client)
require.Error(t, err)
_, ok := err.(x509.HostnameError)
_, ok := err.(*tls.CertificateVerificationError)
require.True(t, ok)
client.Close()

View File

@ -1,6 +1,6 @@
module github.com/hashicorp/consul/troubleshoot
go 1.19
go 1.20
replace github.com/hashicorp/consul/api => ../api