Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update go versions in CI and release #7971

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Update go versions in CI and release #7971

wants to merge 5 commits into from

Conversation

aarongable
Copy link
Contributor

Update from go1.23.1 to go1.23.3 for our primary CI and release builds. This brings in a few security fixes that aren't directly relevant to us.

Add go1.24rc2 to our matrix of CI and release versions, to prepare for the official release of go1.24 in February.

@aarongable
Copy link
Contributor Author

aarongable commented Jan 23, 2025
edited
Loading

Three classes of errors currently:

  1. Lint errors from typecheck, which is expected since golangci-lint doesn't actually support go1.24 yet
  2. The best worst kind of error: we're doing something bad in tests to ensure our code stops it, and now go itself won't even let us do the test setup:
--- FAIL: TestFermat (0.00s)
    --- FAIL: TestFermat/innsbruck_printer_(4096_bit,_1_round) (0.54s)
        bad_key_test.go:108: creating CSR: crypto/rsa: |p - q| too small
    --- FAIL: TestFermat/canon_printer_(2048_bit,_1_round) (0.53s)
        bad_key_test.go:108: creating CSR: crypto/rsa: |p - q| too small

--- FAIL: TestTLSALPN01FailIP (0.00s)
    tlsalpn_test.go:138: Error creating test server: crypto/rsa: p * q != n
--- FAIL: TestTLSALPN01Refused (0.00s)
    tlsalpn_test.go:250: Error creating test server: crypto/rsa: p * q != n
--- FAIL: TestTLSALPN01TalkingToHTTP (0.00s)
    tlsalpn_test.go:269: Error creating test server: crypto/rsa: p * q != n
--- FAIL: TestCertNames (0.00s)
    tlsalpn_test.go:376: Error creating certificate: crypto/rsa: p * q != n
--- FAIL: TestTLSALPN01Success (0.00s)
    tlsalpn_test.go:387: Error creating test server: crypto/rsa: p * q != n
--- FAIL: TestTLSALPN01ObsoleteFailure (0.00s)
    tlsalpn_test.go:412: Error creating test server: crypto/rsa: p * q != n
--- FAIL: TestValidateTLSALPN01BadChallenge (0.00s)
    tlsalpn_test.go:424: Error creating test server: crypto/rsa: p * q != n
  1. And two other things I don't wholly understand yet:
2025/01/23 00:36:53 httptest.Server blocked in Close after 5 seconds, waiting for connections:
  *net.TCPConn 0xc000064560 127.0.0.1:44046 in state active
2025/01/23 00:36:58 http: TLS handshake error from 127.0.0.1:32966: tls: failed to sign handshake: crypto/rsa: p * q != n
2025/01/23 00:36:58 http: TLS handshake error from 127.0.0.1:48694: tls: client requested unsupported application protocols ([acme-tls/1])
2025/01/23 00:36:58 http: TLS handshake error from 127.0.0.1:34920: tls: client requested unsupported application protocols ([acme-tls/1])
--- FAIL: TestValidateTLSALPN01UnawareSrv (0.00s)
panic: httptest: NewTLSServer: x509: malformed certificate [recovered]
	panic: httptest: NewTLSServer: x509: malformed certificate

goroutine 1295 [running]:
testing.tRunner.func1.2({0x116d4e0, 0xc000751430})
	/usr/local/go/src/testing/testing.go:1734 +0x3eb
testing.tRunner.func1()
	/usr/local/go/src/testing/testing.go:1737 +0x696
panic({0x116d4e0?, 0xc000751430?})
	/usr/local/go/src/runtime/panic.go:787 +0x132
net/http/httptest.(*Server).StartTLS(0xc000344620)
	/usr/local/go/src/net/http/httptest/server.go:172 +0xe49
github.com/letsencrypt/boulder/va.tlssniSrvWithNames(0xc0004baa80, {0xc0007512c0, 0x1, 0x1})
	/boulder/va/tlsalpn_test.go:74 +0x4e5
github.com/letsencrypt/boulder/va.TestValidateTLSALPN01UnawareSrv(0xc0004baa80)
	/boulder/va/tlsalpn_test.go:459 +0x87
testing.tRunner(0xc0004baa80, 0x134a110)
	/usr/local/go/src/testing/testing.go:1792 +0x226
created by testing.(*T).Run in goroutine 1
	/usr/local/go/src/testing/testing.go:1851 +0x8f3

--- FAIL: TestCertificatesTableContainsDuplicateSerials (0.11s)
    model_test.go:313: couldn't insert valid certificate: failed to insert *core.Certificate: Error 1048: Column 'der' cannot be null

@aarongable
Copy link
Contributor Author

I've fixed the |p - q| too small issues. As of https://go-review.googlesource.com/c/go/+/632476, go1.24's FIPS-compliant crypt/rsa package simply refuses to work with the degenerate keys that we were using to integration-test our Fermat code. So I've moved those integration test cases into the unit test instead, which still works.

@aarongable aarongable mentioned this pull request Jan 24, 2025
Merged
@aarongable
Update go versions in CI and release
00a4a03
@aarongable
Replace fermat integration test with more thorough unit test
9b00c97 
The new go1.24 FIPS-compliant crypto/rsa package refuses to work with
the integration test's keys with too-close-together factors. We can
still unit-test the underlying function, because that operates on big
ints rather than keys, but the integration test now errors during setup.
@aarongable
Rewrite VA tests to not use hardcoded key as certificate key
225a05c
@aarongable
Copy link
Contributor Author

I've fixed all the remaining code errors -- all that's left is the golangci-lint failure.

@aarongable aarongable marked this pull request as ready for review January 25, 2025 05:46
@aarongable aarongable requested a review from a team as a code owner January 25, 2025 05:46
@aarongable aarongable requested a review from jsha January 25, 2025 05:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jsha jsha Awaiting requested review from jsha jsha is a code owner automatically assigned from letsencrypt/boulder-developers

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@aarongable