import golang-1.18.2-1.module+el8.7.0+15682+45591987

.gitignore

@@ -1 +1 @@
-SOURCES/go1.18.0-1-openssl-fips.tar.gz
+SOURCES/go1.18.2-1-openssl-fips.tar.gz

.golang.metadata

@@ -1 +1 @@
-c1c1dfe3d4fd1c653f0a4eeeb01e2a07d3d06b1c SOURCES/go1.18.0-1-openssl-fips.tar.gz
+2982f1fe39b59089eab5469bb6b3bb9f462abe45 SOURCES/go1.18.2-1-openssl-fips.tar.gz

SOURCES/relax_sha1_restriction.patch

@@ -1,224 +0,0 @@
-diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
-index 98778fe..71ab62a 100644
---- a/src/crypto/x509/verify.go
-+++ b/src/crypto/x509/verify.go
-@@ -736,6 +736,9 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
- // list. (While this is not specified, it is common practice in order to limit
- // the types of certificates a CA can issue.)
- //
-+// Certificates that use SHA1WithRSA and ECDSAWithSHA1 signatures are not supported,
-+// and will not be used to build chains.
-+//
- // WARNING: this function doesn't do any revocation checking.
- func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err error) {
- 	// Platform-specific verification needs the ASN.1 contents so
-diff --git a/src/crypto/x509/x509.go b/src/crypto/x509/x509.go
-index 47be77d..85720b3 100644
---- a/src/crypto/x509/x509.go
-+++ b/src/crypto/x509/x509.go
-@@ -184,13 +184,13 @@ const (
- 
- 	MD2WithRSA  // Unsupported.
- 	MD5WithRSA  // Only supported for signing, not verification.
--	SHA1WithRSA // Only supported for signing, not verification.
-+	SHA1WithRSA // Only supported for signing, and verification of CRLs, CSRs, and OCSP responses.
- 	SHA256WithRSA
- 	SHA384WithRSA
- 	SHA512WithRSA
- 	DSAWithSHA1   // Unsupported.
- 	DSAWithSHA256 // Unsupported.
--	ECDSAWithSHA1 // Only supported for signing, not verification.
-+	ECDSAWithSHA1 // Only supported for signing, and verification of CRLs, CSRs, and OCSP responses.
- 	ECDSAWithSHA256
- 	ECDSAWithSHA384
- 	ECDSAWithSHA512
-@@ -770,7 +770,7 @@ func (c *Certificate) hasSANExtension() bool {
- }
- 
- // CheckSignatureFrom verifies that the signature on c is a valid signature
--// from parent.
-+// from parent. SHA1WithRSA and ECDSAWithSHA1 signatures are not supported.
- func (c *Certificate) CheckSignatureFrom(parent *Certificate) error {
- 	// RFC 5280, 4.2.1.9:
- 	// "If the basic constraints extension is not present in a version 3
-@@ -792,13 +792,13 @@ func (c *Certificate) CheckSignatureFrom(parent *Certificate) error {
- 
- 	// TODO(agl): don't ignore the path length constraint.
- 
--	return parent.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature)
-+	return checkSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature, parent.PublicKey, debugAllowSHA1)
- }
- 
- // CheckSignature verifies that signature is a valid signature over signed from
- // c's public key.
- func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) error {
--	return checkSignature(algo, signed, signature, c.PublicKey)
-+	return checkSignature(algo, signed, signature, c.PublicKey, true)
- }
- 
- func (c *Certificate) hasNameConstraints() bool {
-@@ -818,9 +818,9 @@ func signaturePublicKeyAlgoMismatchError(expectedPubKeyAlgo PublicKeyAlgorithm,
- 	return fmt.Errorf("x509: signature algorithm specifies an %s public key, but have public key of type %T", expectedPubKeyAlgo.String(), pubKey)
- }
- 
--// CheckSignature verifies that signature is a valid signature over signed from
-+// checkSignature verifies that signature is a valid signature over signed from
- // a crypto.PublicKey.
--func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey crypto.PublicKey) (err error) {
-+func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey crypto.PublicKey, allowSHA1 bool) (err error) {
- 	var hashType crypto.Hash
- 	var pubKeyAlgo PublicKeyAlgorithm
- 
-@@ -839,7 +839,7 @@ func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey
- 	case crypto.MD5:
- 		return InsecureAlgorithmError(algo)
- 	case crypto.SHA1:
--		if !debugAllowSHA1 {
-+		if !allowSHA1 {
- 			return InsecureAlgorithmError(algo)
- 		}
- 		fallthrough
-@@ -1599,11 +1599,11 @@ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv
- 	// Check the signature to ensure the crypto.Signer behaved correctly.
- 	sigAlg := getSignatureAlgorithmFromAI(signatureAlgorithm)
- 	switch sigAlg {
--	case MD5WithRSA, SHA1WithRSA, ECDSAWithSHA1:
-+	case MD5WithRSA:
- 		// We skip the check if the signature algorithm is only supported for
- 		// signing, not verification.
- 	default:
--		if err := checkSignature(sigAlg, c.Raw, signature, key.Public()); err != nil {
-+		if err := checkSignature(sigAlg, c.Raw, signature, key.Public(), true); err != nil {
- 			return nil, fmt.Errorf("x509: signature over certificate returned by signer is invalid: %w", err)
- 		}
- 	}
-@@ -2082,7 +2082,7 @@ func parseCertificateRequest(in *certificateRequest) (*CertificateRequest, error
- 
- // CheckSignature reports whether the signature on c is valid.
- func (c *CertificateRequest) CheckSignature() error {
--	return checkSignature(c.SignatureAlgorithm, c.RawTBSCertificateRequest, c.Signature, c.PublicKey)
-+	return checkSignature(c.SignatureAlgorithm, c.RawTBSCertificateRequest, c.Signature, c.PublicKey, true)
- }
- 
- // RevocationList contains the fields used to create an X.509 v2 Certificate
-diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
-index f3e2a77..d31f70d 100644
---- a/src/crypto/x509/x509_test.go
-+++ b/src/crypto/x509/x509_test.go
-@@ -13,6 +13,7 @@ import (
- 	"crypto/elliptic"
- 	"crypto/rand"
- 	"crypto/rsa"
-+	"crypto/boring"
- 	_ "crypto/sha256"
- 	_ "crypto/sha512"
- 	"crypto/x509/pkix"
-@@ -2940,30 +2941,15 @@ func TestCreateCertificateBrokenSigner(t *testing.T) {
- }
- 
- func TestCreateCertificateLegacy(t *testing.T) {
--	ecdsaPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
--	if err != nil {
--		t.Fatalf("Failed to generate ECDSA key: %s", err)
-+	sigAlg := MD5WithRSA
-+	template := &Certificate{
-+		SerialNumber:       big.NewInt(10),
-+		DNSNames:           []string{"example.com"},
-+		SignatureAlgorithm: sigAlg,
- 	}
--
--	for _, sigAlg := range []SignatureAlgorithm{
--		MD5WithRSA, SHA1WithRSA, ECDSAWithSHA1,
--	} {
--		template := &Certificate{
--			SerialNumber:       big.NewInt(10),
--			DNSNames:           []string{"example.com"},
--			SignatureAlgorithm: sigAlg,
--		}
--		var k crypto.Signer
--		switch sigAlg {
--		case MD5WithRSA, SHA1WithRSA:
--			k = testPrivateKey
--		case ECDSAWithSHA1:
--			k = ecdsaPriv
--		}
--		_, err := CreateCertificate(rand.Reader, template, template, k.Public(), &brokenSigner{k.Public()})
--		if err != nil {
--			t.Fatalf("CreateCertificate failed when SignatureAlgorithm = %v: %s", sigAlg, err)
--		}
-+	_, err := CreateCertificate(rand.Reader, template, template, testPrivateKey.Public(), &brokenSigner{testPrivateKey.Public()})
-+	if err != nil {
-+		t.Fatalf("CreateCertificate failed when SignatureAlgorithm = %v: %s", sigAlg, err)
- 	}
- }
- 
-@@ -3364,3 +3350,69 @@ func TestLargeOID(t *testing.T) {
- 		t.Fatalf("ParseCertificate to failed to parse certificate with large OID: %s", err)
- 	}
- }
-+
-+func TestDisableSHA1ForCertOnly(t *testing.T) {
-+        if boring.Enabled() {
-+		t.Skip("not supported in boring mode")
-+	} 
-+	defer func(old bool) { debugAllowSHA1 = old }(debugAllowSHA1)
-+	debugAllowSHA1 = false
-+
-+	tmpl := &Certificate{
-+		SerialNumber:          big.NewInt(1),
-+		NotBefore:             time.Now().Add(-time.Hour),
-+		NotAfter:              time.Now().Add(time.Hour),
-+		SignatureAlgorithm:    SHA1WithRSA,
-+		BasicConstraintsValid: true,
-+		IsCA:                  true,
-+		KeyUsage:              KeyUsageCertSign | KeyUsageCRLSign,
-+	}
-+	certDER, err := CreateCertificate(rand.Reader, tmpl, tmpl, rsaPrivateKey.Public(), rsaPrivateKey)
-+	if err != nil {
-+		t.Fatalf("failed to generate test cert: %s", err)
-+	}
-+	cert, err := ParseCertificate(certDER)
-+	if err != nil {
-+		t.Fatalf("failed to parse test cert: %s", err)
-+	}
-+
-+	err = cert.CheckSignatureFrom(cert)
-+	if err == nil {
-+		t.Error("expected CheckSignatureFrom to fail")
-+	} else if _, ok := err.(InsecureAlgorithmError); !ok {
-+		t.Errorf("expected InsecureAlgorithmError error, got %T", err)
-+	}
-+
-+	crlDER, err := CreateRevocationList(rand.Reader, &RevocationList{
-+		SignatureAlgorithm: SHA1WithRSA,
-+		Number:             big.NewInt(1),
-+		ThisUpdate:         time.Now().Add(-time.Hour),
-+		NextUpdate:         time.Now().Add(time.Hour),
-+	}, cert, rsaPrivateKey)
-+	if err != nil {
-+		t.Fatalf("failed to generate test CRL: %s", err)
-+	}
-+	// TODO(rolandshoemaker): this should be ParseRevocationList once it lands
-+	crl, err := ParseCRL(crlDER)
-+	if err != nil {
-+		t.Fatalf("failed to parse test CRL: %s", err)
-+	}
-+
-+	if err = cert.CheckCRLSignature(crl); err != nil {
-+		t.Errorf("unexpected error: %s", err)
-+	}
-+
-+	// This is an unrelated OCSP response, which will fail signature verification
-+	// but shouldn't return a InsecureAlgorithmError, since SHA1 should be allowed
-+	// for OCSP.
-+	ocspTBSHex := "30819fa2160414884451ff502a695e2d88f421bad90cf2cecbea7c180f32303133303631383037323434335a30743072304a300906052b0e03021a0500041448b60d38238df8456e4ee5843ea394111802979f0414884451ff502a695e2d88f421bad90cf2cecbea7c021100f78b13b946fc9635d8ab49de9d2148218000180f32303133303631383037323434335aa011180f32303133303632323037323434335a"
-+	ocspTBS, err := hex.DecodeString(ocspTBSHex)
-+	if err != nil {
-+		t.Fatalf("failed to decode OCSP response TBS hex: %s", err)
-+	}
-+
-+	err = cert.CheckSignature(SHA1WithRSA, ocspTBS, nil)
-+	if err != rsa.ErrVerification {
-+		t.Errorf("unexpected error: %s", err)
-+	}
-+}

SOURCES/remove_ed25519vectors_test.patch

@@ -0,0 +1,128 @@
+From d7cad65ab9179804e9f089ce97bc124e9ef79494 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alejandro=20S=C3=A1ez?= <asm@redhat.com>
+Date: Wed, 15 Dec 2021 16:02:15 +0100
+Subject: [PATCH] Remove ed25519vectors_test.go
+
+---
+ src/crypto/ed25519/ed25519vectors_test.go | 109 ----------------------
+ 1 file changed, 109 deletions(-)
+ delete mode 100644 src/crypto/ed25519/ed25519vectors_test.go
+
+diff --git a/src/crypto/ed25519/ed25519vectors_test.go b/src/crypto/ed25519/ed25519vectors_test.go
+deleted file mode 100644
+index 74fcdcdf4e..0000000000
+--- a/src/crypto/ed25519/ed25519vectors_test.go
++++ /dev/null
+@@ -1,109 +0,0 @@
+-// Copyright 2021 The Go Authors. All rights reserved.
+-// Use of this source code is governed by a BSD-style
+-// license that can be found in the LICENSE file.
+-
+-package ed25519_test
+-
+-import (
+-	"crypto/ed25519"
+-	"encoding/hex"
+-	"encoding/json"
+-	"internal/testenv"
+-	"os"
+-	"os/exec"
+-	"path/filepath"
+-	"testing"
+-)
+-
+-// TestEd25519Vectors runs a very large set of test vectors that exercise all
+-// combinations of low-order points, low-order components, and non-canonical
+-// encodings. These vectors lock in unspecified and spec-divergent behaviors in
+-// edge cases that are not security relevant in most contexts, but that can
+-// cause issues in consensus applications if changed.
+-//
+-// Our behavior matches the "classic" unwritten verification rules of the
+-// "ref10" reference implementation.
+-//
+-// Note that although we test for these edge cases, they are not covered by the
+-// Go 1 Compatibility Promise. Applications that need stable verification rules
+-// should use github.com/hdevalence/ed25519consensus.
+-//
+-// See https://hdevalence.ca/blog/2020-10-04-its-25519am for more details.
+-func TestEd25519Vectors(t *testing.T) {
+-	jsonVectors := downloadEd25519Vectors(t)
+-	var vectors []struct {
+-		A, R, S, M string
+-		Flags      []string
+-	}
+-	if err := json.Unmarshal(jsonVectors, &vectors); err != nil {
+-		t.Fatal(err)
+-	}
+-	for i, v := range vectors {
+-		expectedToVerify := true
+-		for _, f := range v.Flags {
+-			switch f {
+-			// We use the simplified verification formula that doesn't multiply
+-			// by the cofactor, so any low order residue will cause the
+-			// signature not to verify.
+-			//
+-			// This is allowed, but not required, by RFC 8032.
+-			case "LowOrderResidue":
+-				expectedToVerify = false
+-			// Our point decoding allows non-canonical encodings (in violation
+-			// of RFC 8032) but R is not decoded: instead, R is recomputed and
+-			// compared bytewise against the canonical encoding.
+-			case "NonCanonicalR":
+-				expectedToVerify = false
+-			}
+-		}
+-
+-		publicKey := decodeHex(t, v.A)
+-		signature := append(decodeHex(t, v.R), decodeHex(t, v.S)...)
+-		message := []byte(v.M)
+-
+-		didVerify := ed25519.Verify(publicKey, message, signature)
+-		if didVerify && !expectedToVerify {
+-			t.Errorf("#%d: vector with flags %s unexpectedly verified", i, v.Flags)
+-		}
+-		if !didVerify && expectedToVerify {
+-			t.Errorf("#%d: vector with flags %s unexpectedly rejected", i, v.Flags)
+-		}
+-	}
+-}
+-
+-func downloadEd25519Vectors(t *testing.T) []byte {
+-	testenv.MustHaveExternalNetwork(t)
+-
+-	// Download the JSON test file from the GOPROXY with `go mod download`,
+-	// pinning the version so test and module caching works as expected.
+-	goTool := testenv.GoToolPath(t)
+-	path := "filippo.io/mostly-harmless/ed25519vectors@v0.0.0-20210322192420-30a2d7243a94"
+-	cmd := exec.Command(goTool, "mod", "download", "-json", path)
+-	// TODO: enable the sumdb once the TryBots proxy supports it.
+-	cmd.Env = append(os.Environ(), "GONOSUMDB=*")
+-	output, err := cmd.Output()
+-	if err != nil {
+-		t.Fatalf("failed to run `go mod download -json %s`, output: %s", path, output)
+-	}
+-	var dm struct {
+-		Dir string // absolute path to cached source root directory
+-	}
+-	if err := json.Unmarshal(output, &dm); err != nil {
+-		t.Fatal(err)
+-	}
+-
+-	jsonVectors, err := os.ReadFile(filepath.Join(dm.Dir, "ed25519vectors.json"))
+-	if err != nil {
+-		t.Fatalf("failed to read ed25519vectors.json: %v", err)
+-	}
+-	return jsonVectors
+-}
+-
+-func decodeHex(t *testing.T, s string) []byte {
+-	t.Helper()
+-	b, err := hex.DecodeString(s)
+-	if err != nil {
+-		t.Errorf("invalid hex: %v", err)
+-	}
+-	return b
+-}
+-- 
+2.33.1
+

SOURCES/skip_test_rhbz1939923.patch

@@ -1,12 +0,0 @@
-diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
-index f3e2a77..57434b5 100644
---- a/src/crypto/x509/x509_test.go
-+++ b/src/crypto/x509/x509_test.go
-@@ -2922,6 +2922,7 @@ func (bs *brokenSigner) Sign(_ io.Reader, _ []byte, _ crypto.SignerOpts) ([]byte
- }
- 
- func TestCreateCertificateBrokenSigner(t *testing.T) {
-+	t.Skip("TODO Fix me: rhbz#1939923")
- 	template := &Certificate{
- 		SerialNumber: big.NewInt(10),
- 		DNSNames:     []string{"example.com"},

SPECS/golang.spec

@@ -96,12 +96,12 @@
 %endif
 
 %global go_api 1.18
-%global go_version 1.18.0
+%global go_version 1.18.2
 %global pkg_release 1
 
 Name:           golang
 Version:        %{go_version}
-Release:        2%{?dist}
+Release:        1%{?dist}
 Summary:        The Go Programming Language
 # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
 License:        BSD and Public Domain
@@ -143,9 +143,7 @@ Patch221:       fix_TestScript_list_std.patch
 # static linking of dlopen is unsupported
 Patch226:	disable_static_external_tests.patch
 
-Patch1939923:   skip_test_rhbz1939923.patch
+Patch223: remove_ed25519vectors_test.patch
-
-Patch51852:    relax_sha1_restriction.patch
 
 # Having documentation separate was broken
 Obsoletes:      %{name}-docs < 1.1-4
@@ -237,15 +235,10 @@ Requires:       %{name} = %{version}-%{release}
 %setup -q -n go-go%{go_version}-%{pkg_release}-openssl-fips
 
 %patch215 -p1
-
 %patch221 -p1
-
+%patch223 -p1
 %patch226 -p1
 
-%patch1939923 -p1
-
-%patch51852 -p1
-
 cp %{SOURCE1} ./src/runtime/
 
 %build
@@ -519,6 +512,10 @@ cd ..
 %endif
 
 %changelog
+* Thu Jun 16 2022 David Benoit <dbenoit@redhat.com> - 1.18.2-1
+- Update to Go 1.18.2
+- Related: rhbz#2075162
+
 * Mon Apr 18 2022 David Benoit <dbenoit@redhat.com> - 1.18.0-2
 - Enable SHA1 in some contexts
 - Related: rhbz#2075162