import golang-1.18.4-3.el9

.gitignore

@@ -1 +1 @@
-SOURCES/go-go-1.17.7-1-openssl-fips.tar.gz
+SOURCES/go1.18.4-1-openssl-fips.tar.gz

.golang.metadata

@@ -1 +1 @@
-139fe29f985b3feda50c407d194f1a102352388a SOURCES/go-go-1.17.7-1-openssl-fips.tar.gz
+3798a6b5b37624922f5da08860f39da457caa856 SOURCES/go1.18.4-1-openssl-fips.tar.gz

SOURCES/fix_TestScript_list_std.patch

@@ -1,5 +1,5 @@
 diff --git a/src/cmd/go/testdata/script/list_std.txt b/src/cmd/go/testdata/script/list_std.txt
-index 6ab1bd1674..4a00e436fd 100644
+index 6ab1bd1..4a00e43 100644
 --- a/src/cmd/go/testdata/script/list_std.txt
 +++ b/src/cmd/go/testdata/script/list_std.txt
 @@ -6,7 +6,7 @@ env GO111MODULE=off

SOURCES/go1.5-zoneinfo_testing_only.patch

@@ -1,6 +1,7 @@
-diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/internal_test.go.time go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/internal_test.go
---- go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/internal_test.go.time	2017-12-05 01:10:10.000000000 +0100
-+++ go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/internal_test.go	2017-12-05 14:55:10.574637475 +0100
+diff --git a/src/time/internal_test.go b/src/time/internal_test.go
+index f0dddb7..415949a 100644
+--- a/src/time/internal_test.go
++++ b/src/time/internal_test.go
 @@ -4,13 +4,15 @@
  
  package time
@@ -16,7 +17,7 @@ diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/internal_test.go.t
 -	z, err := loadLocation("America/Los_Angeles", zoneSources[len(zoneSources)-1:])
 +	z, err := loadLocation("America/Los_Angeles", zoneSources)
  	if err != nil {
- 		panic("cannot load America/Los_Angeles for testing: " + err.Error())
+ 		panic("cannot load America/Los_Angeles for testing: " + err.Error() + "; you may want to use -tags=timetzdata")
  	}
 @@ -21,8 +23,9 @@ func initTestingZone() {
  var OrigZoneSources = zoneSources
@@ -29,10 +30,11 @@ diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/internal_test.go.t
  	if zipOnly {
  		zoneSources = zoneSources[len(zoneSources)-1:]
  	}
-diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_test.go.time go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_test.go
---- go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_test.go.time	2017-12-05 01:10:10.000000000 +0100
-+++ go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_test.go	2017-12-05 14:58:09.823109248 +0100
-@@ -8,6 +8,7 @@ import (
+diff --git a/src/time/zoneinfo_test.go b/src/time/zoneinfo_test.go
+index f032aa7..e3e5547 100644
+--- a/src/time/zoneinfo_test.go
++++ b/src/time/zoneinfo_test.go
+@@ -9,6 +9,7 @@ import (
  	"fmt"
  	"os"
  	"reflect"
@@ -40,7 +42,7 @@ diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_test.go.t
  	"testing"
  	"time"
  )
-@@ -128,7 +129,7 @@ func TestLoadLocationFromTZData(t *testi
+@@ -137,7 +138,7 @@ func TestLoadLocationFromTZData(t *testing.T) {
  		t.Fatal(err)
  	}
  
@@ -49,9 +51,10 @@ diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_test.go.t
  	if err != nil {
  		t.Fatal(err)
  	}
-diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_unix.go.time go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_unix.go
---- go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_unix.go.time	2017-12-05 01:10:10.000000000 +0100
-+++ go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_unix.go	2017-12-05 14:55:10.574637475 +0100
+diff --git a/src/time/zoneinfo_unix.go b/src/time/zoneinfo_unix.go
+index 23f8b3c..228db1b 100644
+--- a/src/time/zoneinfo_unix.go
++++ b/src/time/zoneinfo_unix.go
 @@ -12,7 +12,6 @@
  package time
  

SOURCES/openssl_deprecated_algorithm_tests.patch

@@ -0,0 +1,124 @@
+diff --git a/src/crypto/rsa/pkcs1v15_test.go b/src/crypto/rsa/pkcs1v15_test.go
+index a4f2e2dbbe..76701d2e2b 100644
+--- a/src/crypto/rsa/pkcs1v15_test.go
++++ b/src/crypto/rsa/pkcs1v15_test.go
+@@ -52,6 +52,7 @@ var decryptPKCS1v15Tests = []DecryptPKCS1v15Test{
+ }
+ 
+ func TestDecryptPKCS1v15(t *testing.T) {
++	t.Skip("not supported in FIPS mode")
+ 	decryptionFuncs := []func([]byte) ([]byte, error){
+ 		func(ciphertext []byte) (plaintext []byte, err error) {
+ 			return DecryptPKCS1v15(nil, testRSA2048PrivateKey, ciphertext)
+@@ -76,6 +77,7 @@ func TestDecryptPKCS1v15(t *testing.T) {
+ }
+ 
+ func TestEncryptPKCS1v15(t *testing.T) {
++	t.Skip("not supported in FIPS mode")
+ 	random := rand.Reader
+ 	k := (testRSA2048PrivateKey.N.BitLen() + 7) / 8
+ 
+@@ -137,6 +139,7 @@ var decryptPKCS1v15SessionKeyTests = []DecryptPKCS1v15Test{
+ }
+ 
+ func TestEncryptPKCS1v15SessionKey(t *testing.T) {
++	t.Skip("not supported in FIPS mode")
+ 	for i, test := range decryptPKCS1v15SessionKeyTests {
+ 		key := []byte("FAIL")
+ 		err := DecryptPKCS1v15SessionKey(nil, testRSA2048PrivateKey, decodeBase64(test.in), key)
+@@ -151,6 +154,7 @@ func TestEncryptPKCS1v15SessionKey(t *testing.T) {
+ }
+ 
+ func TestEncryptPKCS1v15DecrypterSessionKey(t *testing.T) {
++	t.Skip("not supported in FIPS mode")
+ 	for i, test := range decryptPKCS1v15SessionKeyTests {
+ 		plaintext, err := testRSA2048PrivateKey.Decrypt(rand.Reader, decodeBase64(test.in), &PKCS1v15DecryptOptions{SessionKeyLen: 4})
+ 		if err != nil {
+@@ -270,6 +274,7 @@ func TestUnpaddedSignature(t *testing.T) {
+ }
+ 
+ func TestShortSessionKey(t *testing.T) {
++	t.Skip("not supported in FIPS mode")
+ 	// This tests that attempting to decrypt a session key where the
+ 	// ciphertext is too small doesn't run outside the array bounds.
+ 	ciphertext, err := EncryptPKCS1v15(rand.Reader, &testRSA2048PrivateKey.PublicKey, []byte{1})
+diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go
+index b547a87c71..99e7882866 100644
+--- a/src/crypto/rsa/pss_test.go
++++ b/src/crypto/rsa/pss_test.go
+@@ -77,6 +77,7 @@ func TestEMSAPSS(t *testing.T) {
+ // TestPSSGolden tests all the test vectors in pss-vect.txt from
+ // ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip
+ func TestPSSGolden(t *testing.T) {
++	t.Skip("SHA1 not supported in boring mode")
+ 	inFile, err := os.Open("testdata/pss-vect.txt.bz2")
+ 	if err != nil {
+ 		t.Fatalf("Failed to open input file: %s", err)
+diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go
+index 9aa67655ab..2f4e666abb 100644
+--- a/src/crypto/rsa/rsa_test.go
++++ b/src/crypto/rsa/rsa_test.go
+@@ -123,28 +123,29 @@ func testKeyBasics(t *testing.T, priv *PrivateKey) {
+ 		t.Errorf("private exponent too large")
+ 	}
+ 
+-	if boring.Enabled() {
+-		// Cannot call encrypt/decrypt directly. Test via PKCS1v15.
+-		msg := []byte("hi!")
+-		if priv.Size() >= 256 {
+-			enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg)
+-			if err != nil {
+-				t.Errorf("EncryptPKCS1v15: %v", err)
+-				return
+-			}
+-			dec, err := DecryptPKCS1v15(rand.Reader, priv, enc)
+-			if err != nil {
+-				t.Errorf("DecryptPKCS1v15: %v", err)
+-				return
+-			}
+-			if !bytes.Equal(dec, msg) {
+-				t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
+-			}
+-		} else {
+-			t.Logf("skipping check for unsupported key less than 2048 bits")
+-		}
+-		return
+-	}
++        if boring.Enabled() {
++                // Cannot call encrypt/decrypt directly. Test via EncryptOAEP.
++		sha256 := sha256.New()
++                msg := []byte("hi!")
++                if priv.Size() >= 256 {
++                        enc, err := EncryptOAEP(sha256, rand.Reader, &priv.PublicKey, msg, nil)
++                        if err != nil {
++                                t.Errorf("EncryptOAEP: %v", err)
++                                return
++                        }
++                        dec, err := DecryptOAEP(sha256, rand.Reader, priv, enc, nil)
++                        if err != nil {
++                                t.Errorf("DecryptOAEP: %v", err)
++                                return
++                        }
++                        if !bytes.Equal(dec, msg) {
++                                t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
++                        }
++                } else {
++                        t.Logf("skipping check for unsupported key less than 2048 bits")
++                }
++                return
++        }
+ 
+ 	pub := &priv.PublicKey
+ 	m := big.NewInt(42)
+@@ -312,6 +312,11 @@ func TestDecryptOAEP(t *testing.T) {
+ 		private.PublicKey = PublicKey{N: n, E: test.e}
+ 		private.D = d
+ 
++		if boring.Enabled() && private.PublicKey.Size() < 256 {
++			t.Logf("skipping check for unsupported key less than 2048 bits")
++			continue
++		}
++		t.Logf("running check for supported key size")
+ 		for j, message := range test.msgs {
+ 			out, err := DecryptOAEP(sha1, nil, private, message.out, nil)
+ 			if err != nil {

SOURCES/remove_waitgroup_misuse_tests.patch

@@ -1,151 +0,0 @@
-diff --git a/src/sync/waitgroup_test.go b/src/sync/waitgroup_test.go
-index c569e0faa2eb..4ded218d2d8d 100644
---- a/src/sync/waitgroup_test.go
-+++ b/src/sync/waitgroup_test.go
-@@ -5,8 +5,6 @@
- package sync_test
- 
- import (
--	"internal/race"
--	"runtime"
- 	. "sync"
- 	"sync/atomic"
- 	"testing"
-@@ -48,12 +46,6 @@ func TestWaitGroup(t *testing.T) {
- 	}
- }
- 
--func knownRacy(t *testing.T) {
--	if race.Enabled {
--		t.Skip("skipping known-racy test under the race detector")
--	}
--}
--
- func TestWaitGroupMisuse(t *testing.T) {
- 	defer func() {
- 		err := recover()
-@@ -68,124 +60,6 @@ func TestWaitGroupMisuse(t *testing.T) {
- 	t.Fatal("Should panic")
- }
- 
--// pollUntilEqual blocks until v, loaded atomically, is
--// equal to the target.
--func pollUntilEqual(v *uint32, target uint32) {
--	for {
--		for i := 0; i < 1e3; i++ {
--			if atomic.LoadUint32(v) == target {
--				return
--			}
--		}
--		// yield to avoid deadlock with the garbage collector
--		// see issue #20072
--		runtime.Gosched()
--	}
--}
--
--func TestWaitGroupMisuse2(t *testing.T) {
--	knownRacy(t)
--	if runtime.NumCPU() <= 4 {
--		t.Skip("NumCPU<=4, skipping: this test requires parallelism")
--	}
--	defer func() {
--		err := recover()
--		if err != "sync: negative WaitGroup counter" &&
--			err != "sync: WaitGroup misuse: Add called concurrently with Wait" &&
--			err != "sync: WaitGroup is reused before previous Wait has returned" {
--			t.Fatalf("Unexpected panic: %#v", err)
--		}
--	}()
--	defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(4))
--	done := make(chan interface{}, 2)
--	// The detection is opportunistic, so we want it to panic
--	// at least in one run out of a million.
--	for i := 0; i < 1e6; i++ {
--		var wg WaitGroup
--		var here uint32
--		wg.Add(1)
--		go func() {
--			defer func() {
--				done <- recover()
--			}()
--			atomic.AddUint32(&here, 1)
--			pollUntilEqual(&here, 3)
--			wg.Wait()
--		}()
--		go func() {
--			defer func() {
--				done <- recover()
--			}()
--			atomic.AddUint32(&here, 1)
--			pollUntilEqual(&here, 3)
--			wg.Add(1) // This is the bad guy.
--			wg.Done()
--		}()
--		atomic.AddUint32(&here, 1)
--		pollUntilEqual(&here, 3)
--		wg.Done()
--		for j := 0; j < 2; j++ {
--			if err := <-done; err != nil {
--				panic(err)
--			}
--		}
--	}
--	t.Fatal("Should panic")
--}
--
--func TestWaitGroupMisuse3(t *testing.T) {
--	knownRacy(t)
--	if runtime.NumCPU() <= 1 {
--		t.Skip("NumCPU==1, skipping: this test requires parallelism")
--	}
--	defer func() {
--		err := recover()
--		if err != "sync: negative WaitGroup counter" &&
--			err != "sync: WaitGroup misuse: Add called concurrently with Wait" &&
--			err != "sync: WaitGroup is reused before previous Wait has returned" {
--			t.Fatalf("Unexpected panic: %#v", err)
--		}
--	}()
--	defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(4))
--	done := make(chan interface{}, 3)
--	// The detection is opportunistically, so we want it to panic
--	// at least in one run out of a million.
--	for i := 0; i < 1e6; i++ {
--		var wg WaitGroup
--		wg.Add(1)
--		go func() {
--			defer func() {
--				done <- recover()
--			}()
--			wg.Done()
--		}()
--		go func() {
--			defer func() {
--				done <- recover()
--			}()
--			wg.Wait()
--			// Start reusing the wg before waiting for the Wait below to return.
--			wg.Add(1)
--			go func() {
--				wg.Done()
--			}()
--			wg.Wait()
--		}()
--		go func() {
--			defer func() {
--				done <- recover()
--			}()
--			wg.Wait()
--		}()
--		for j := 0; j < 3; j++ {
--			if err := <-done; err != nil {
--				panic(err)
--			}
--		}
--	}
--	t.Fatal("Should panic")
--}
--
- func TestWaitGroupRace(t *testing.T) {
- 	// Run this test for about 1ms.
- 	for i := 0; i < 1000; i++ {

SPECS/golang.spec

@@ -95,18 +95,18 @@
 %global gohostarch  s390x
 %endif
 
-%global go_api 1.17
-%global go_version 1.17.7
+%global go_api 1.18
+%global go_version 1.18.4
 %global pkg_release 1
 
 Name:           golang
 Version:        %{go_version}
-Release:        1%{?dist}
+Release:        3%{?dist}
 Summary:        The Go Programming Language
 # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
 License:        BSD and Public Domain
 URL:            http://golang.org/
-Source0:        https://pagure.io/go/archive/go-%{go_version}-%{pkg_release}-openssl-fips/go-go-%{go_version}-%{pkg_release}-openssl-fips.tar.gz
+Source0:        https://github.com/golang-fips/go/archive/refs/tags/go%{go_version}-%{pkg_release}-openssl-fips.tar.gz
 # make possible to override default traceback level at build time by setting build tag rpm_crashtraceback
 Source1:        fedora.go
 
@@ -144,12 +144,10 @@ Patch215:       go1.5-zoneinfo_testing_only.patch
 # Proposed patch by jcajka https://golang.org/cl/86541
 Patch221:       fix_TestScript_list_std.patch
 
-# Port to openssl 3.0
-Patch1952381:   rhbz1952381.patch
-
-Patch222: remove_waitgroup_misuse_tests.patch
 Patch223: remove_ed25519vectors_test.patch
 
+Patch224: openssl_deprecated_algorithm_tests.patch
+
 # Having documentation separate was broken
 Obsoletes:      %{name}-docs < 1.1-4
 
@@ -237,17 +235,12 @@ Requires:       %{name} = %{version}-%{release}
 %endif
 
 %prep
-%setup -q -n go-go-%{go_version}-%{pkg_release}-openssl-fips
+%setup -q -n go-go%{go_version}-%{pkg_release}-openssl-fips
 
 %patch215 -p1
-
 %patch221 -p1
-
-%patch1952381 -p1
-
-%patch222 -p1
-
 %patch223 -p1
+%patch224 -p1
 
 cp %{SOURCE1} ./src/runtime/
 
@@ -431,12 +424,6 @@ export GO_LDFLAGS="-extldflags '$RPM_LD_FLAGS'"
 export CGO_ENABLED=0
 %endif
 
-# work around aarch64 issue
-# https://src.fedoraproject.org/rpms/golang/c/ea99ebaff6b9561243bb43039458771edb691eaf?branch=f32
-%ifarch aarch64
-export CGO_CFLAGS="-mno-outline-atomics"
-%endif
-
 # make sure to not timeout
 export GO_TEST_TIMEOUT_SCALE=2
 
@@ -449,6 +436,9 @@ export GO_TEST_RUN=""
 
 ./run.bash --no-rebuild -v -v -v -k $GO_TEST_RUN
 
+# tests timeout on ppc64le due to
+# https://bugzilla.redhat.com/show_bug.cgi?id=2118776
+%ifnarch ppc64le
 export OPENSSL_FORCE_FIPS_MODE=1
 # Run tests with FIPS enabled.
 pushd crypto
@@ -461,6 +451,8 @@ popd
 pushd crypto/tls
   GOLANG_FIPS=1 go test -v -run "Boring"
 popd
+%endif
+
 %else
 ./run.bash --no-rebuild -v -v -v -k || :
 %endif
@@ -522,11 +514,34 @@ cd ..
 %endif
 
 %changelog
-* Thu Feb 17 2022 David Benoit <dbenoit@redhat.com> - 1.17.7-1
-- Rebase to Go 1.17.7
-- Update ecdsa tests to reject SHA1 signatures in boring mode
+* Tue Aug 16 2022 David Benoit <dbenoit@redhat.com> - 1.18.4-3
+- Temporarily disable crypto tests on ppc64le
+- Related: rhbz#2109180
+
+* Wed Aug 10 2022 Alejandro Sáez <asm@redhat.com> - 1.18.4-2
+- Update to Go 1.18.4
+- Resolves: rhbz#2109180
+- Deprecates keys smaller than 2048 bits in TestDecryptOAEP in boring mode
+
+* Fri Aug 05 2022 Alejandro Sáez <asm@redhat.com> - 1.18.4-1
+- Update to Go 1.18.4
+- Resolves: rhbz#2109180
+
+* Fri Jun 10 2022 David Benoit <dbenoit@redhat.com> - 1.18.2-2
+- Update deprecated openssl algorithms patch
+- Rebuild against openssl-3.0.1-33
+- Resolves: rhbz#2092136
+- Related: rhbz#2092016
+
+* Mon May 02 2022 David Benoit <dbenoit@redhat.com> - 1.18.2-1
+- Rebase to Go 1.18.2
+- Move to github.com/golang-fips/go
+- Resolves: rhbz#2075169
+- Resolves: rhbz#2060769
+- Resolves: rhbz#2067531
+- Resolves: rhbz#2067536
+- Resolves: rhbz#2067552
 - Resolves: rhbz#2025637
-- Resolves: rhbz#1975396
 
 * Mon Dec 13 2021 Alejandro Sáez <asm@redhat.com> - 1.17.5-1
 - Rebase to Go 1.17.5