Port to OpenSSL 3.0

Resolves: rhbz#1952381

golang.spec

@@ -101,7 +101,7 @@
 
 Name:           golang
 Version:        %{go_version}
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        The Go Programming Language
 # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
 License:        BSD and Public Domain
@@ -124,6 +124,10 @@ BuildRequires:  net-tools
 %endif
 # For OpenSSL FIPS
 BuildRequires:  openssl-devel
+
+# For openssl-fipsinstall
+BuildRequires:  openssl
+
 # for tests
 BuildRequires:  pcre-devel, glibc-static, perl
 
@@ -133,7 +137,7 @@ Requires:       %{name}-src = %{version}-%{release}
 Requires:       openssl-devel
 Requires:       diffutils
 
-# we had been just removing the zoneinfo.zip, but that caused tests to fail for users that 
+# we had been just removing the zoneinfo.zip, but that caused tests to fail for users that
 # later run `go test -a std`. This makes it only use the zoneinfo.zip where needed in tests.
 Patch215:       go1.5-zoneinfo_testing_only.patch
 
@@ -155,6 +159,9 @@ Patch1957961:   rhbz1957961.patch
 # https://go-review.googlesource.com/c/go/+/314449/
 Patch1955035:   rhbz1955035.patch
 
+# Port to openssl 3.0
+Patch1952381:   rhbz1952381.patch
+
 # Having documentation separate was broken
 Obsoletes:      %{name}-docs < 1.1-4
 
@@ -250,6 +257,8 @@ Requires:       %{name} = %{version}-%{release}
 
 %patch223 -p1
 
+%patch1952381 -p1
+
 %patch1939923 -p1
 
 %patch1957961 -p1
@@ -369,7 +378,7 @@ pushd $RPM_BUILD_ROOT%{goroot}
         echo "%%{goroot}/$file" >> $shared_list
         echo "%%{golibdir}/$(basename $file)" >> $shared_list
     done
-    
+
     find pkg/*_dynlink/ -type d -printf '%%%dir %{goroot}/%p\n' >> $shared_list
     find pkg/*_dynlink/ ! -type d -printf '%{goroot}/%p\n' >> $shared_list
 %endif
@@ -453,19 +462,60 @@ export GO_TEST_RUN=""
 
 %if %{fail_on_tests}
 
+TEST_BORING_CONFIGS=`mktemp -d`
+TEST_BORING_CNF=$TEST_BORING_CONFIGS/openssl-boring.cnf
+TEST_BORING_FIPS_CNF=$TEST_BORING_CONFIGS/fipsmodule.cnf
+trap "rm -rf $TEST_BORING_CONFIGS" EXIT
+
+cp /etc/pki/tls/openssl.cnf $TEST_BORING_CNF
+openssl fipsinstall -module /usr/lib64/ossl-modules/fips.so -out $TEST_BORING_FIPS_CNF
+
+cat > $TEST_BORING_CNF << EOM
+openssl_conf = openssl_test
+
+[openssl_test]
+providers = provider_test
+alg_section = algorithm_test
+ssl_conf = ssl_module
+
+[algorithm_test]
+default_properties = fips=yes
+
+[provider_test]
+default = default_sect
+ # The fips section name should match the section name inside the
+ # included fipsmodule.cnf.
+fips = fips_sect
+.include $TEST_BORING_FIPS_CNF
+
+[default_sect]
+activate = 1
+
+[ ssl_module ]
+
+system_default = crypto_policy
+
+[ crypto_policy ]
+
+.include = /etc/crypto-policies/back-ends/opensslcnf.config
+
+[ new_oids ]
+
+EOM
+
 ./run.bash --no-rebuild -v -v -v -k $GO_TEST_RUN
 
+export OPENSSL_CONF=$TEST_BORING_CNF
 # Run tests with FIPS enabled.
-export GOLANG_FIPS=1
 pushd crypto
   # Run all crypto tests but skip TLS, we will run FIPS specific TLS tests later
-  go test $(go list ./... | grep -v tls) -v
+  GOLANG_FIPS=1 go test $(go list ./... | grep -v tls) -v
   # Check that signature functions have parity between boring and notboring
   CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v
 popd
 # Run all FIPS specific TLS tests
 pushd crypto/tls
-  go test -v -run "Boring"
+  GOLANG_FIPS=1 go test -v -run "Boring"
 popd
 %else
 ./run.bash --no-rebuild -v -v -v -k || :
@@ -528,7 +578,11 @@ cd ..
 %endif
 
 %changelog
-* Fri May 14 2021 Alejandro Sáez <asm@redhat.com> - 1.16.1-4
+* Fri May 28 2021 David Benoit <dbenoit@redhat.com> - 1.16.4-2
+- Port to OpenSSL 3.0
+- Resolves: rhbz#1952381
+
+* Fri May 14 2021 Alejandro Sáez <asm@redhat.com> - 1.16.4-1
 - Rebase to 1.16.4
 - Resolves: rhbz#1955035
 - Resolves: rhbz#1957961