diff --git a/.gitignore b/.gitignore
index 4f71bcf..ce87de6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/go-go-1.17.7-1-openssl-fips.tar.gz
+SOURCES/go1.17.12-1-openssl-fips.tar.gz
diff --git a/.golang.metadata b/.golang.metadata
index fde6008..5e06ce1 100644
--- a/.golang.metadata
+++ b/.golang.metadata
@@ -1 +1 @@
-139fe29f985b3feda50c407d194f1a102352388a SOURCES/go-go-1.17.7-1-openssl-fips.tar.gz
+ba529d47d6ee80a2ddca1a20dd5a5aa72ab9bdbd SOURCES/go1.17.12-1-openssl-fips.tar.gz
diff --git a/SOURCES/openssl_deprecated_algorithm_tests.patch b/SOURCES/openssl_deprecated_algorithm_tests.patch
new file mode 100644
index 0000000..581f326
--- /dev/null
+++ b/SOURCES/openssl_deprecated_algorithm_tests.patch
@@ -0,0 +1,134 @@
+diff --git a/src/crypto/rsa/pkcs1v15_test.go b/src/crypto/rsa/pkcs1v15_test.go
+index 60c769c..b8aae23 100644
+--- a/src/crypto/rsa/pkcs1v15_test.go
++++ b/src/crypto/rsa/pkcs1v15_test.go
+@@ -52,6 +52,7 @@ var decryptPKCS1v15Tests = []DecryptPKCS1v15Test{
+ }
+
+ func TestDecryptPKCS1v15(t *testing.T) {
++ t.Skip("not supported in FIPS mode")
+ decryptionFuncs := []func([]byte) ([]byte, error){
+ func(ciphertext []byte) (plaintext []byte, err error) {
+ return DecryptPKCS1v15(nil, testRSA2048PrivateKey, ciphertext)
+@@ -76,6 +77,7 @@ func TestDecryptPKCS1v15(t *testing.T) {
+ }
+
+ func TestEncryptPKCS1v15(t *testing.T) {
++ t.Skip("not supported in FIPS mode")
+ random := rand.Reader
+ k := (testRSA2048PrivateKey.N.BitLen() + 7) / 8
+
+@@ -137,6 +139,7 @@ var decryptPKCS1v15SessionKeyTests = []DecryptPKCS1v15Test{
+ }
+
+ func TestEncryptPKCS1v15SessionKey(t *testing.T) {
++ t.Skip("not supported in FIPS mode")
+ for i, test := range decryptPKCS1v15SessionKeyTests {
+ key := []byte("FAIL")
+ err := DecryptPKCS1v15SessionKey(nil, testRSA2048PrivateKey, decodeBase64(test.in), key)
+@@ -151,6 +154,7 @@ func TestEncryptPKCS1v15SessionKey(t *testing.T) {
+ }
+
+ func TestEncryptPKCS1v15DecrypterSessionKey(t *testing.T) {
++ t.Skip("not supported in FIPS mode")
+ for i, test := range decryptPKCS1v15SessionKeyTests {
+ plaintext, err := testRSA2048PrivateKey.Decrypt(rand.Reader, decodeBase64(test.in), &PKCS1v15DecryptOptions{SessionKeyLen: 4})
+ if err != nil {
+@@ -270,6 +274,7 @@ func TestUnpaddedSignature(t *testing.T) {
+ }
+
+ func TestShortSessionKey(t *testing.T) {
++ t.Skip("not supported in FIPS mode")
+ // This tests that attempting to decrypt a session key where the
+ // ciphertext is too small doesn't run outside the array bounds.
+ var keys []*PrivateKey
+diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go
+index 2032b4b..fdddfab 100644
+--- a/src/crypto/rsa/pss_test.go
++++ b/src/crypto/rsa/pss_test.go
+@@ -77,6 +77,7 @@ func TestEMSAPSS(t *testing.T) {
+ // TestPSSGolden tests all the test vectors in pss-vect.txt from
+ // ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip
+ func TestPSSGolden(t *testing.T) {
++ t.Skip("SHA1 not supported in boring mode")
+ inFile, err := os.Open("testdata/pss-vect.txt.bz2")
+ if err != nil {
+ t.Fatalf("Failed to open input file: %s", err)
+diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go
+index cfe020e..d918841 100644
+--- a/src/crypto/rsa/rsa_test.go
++++ b/src/crypto/rsa/rsa_test.go
+@@ -123,38 +123,29 @@ func testKeyBasics(t *testing.T, priv *PrivateKey) {
+ t.Errorf("private exponent too large")
+ }
+
+- if boring.Enabled() {
+- // Cannot call encrypt/decrypt directly. Test via PKCS1v15.
+- msg := []byte("hi!")
+- // Should not accept keys smaller than 2048 bits (256 bytes)
+- if priv.Size() >= 256 {
+- enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg)
+- if err != nil {
+- t.Errorf("EncryptPKCS1v15: %v", err)
+- return
+- }
+- dec, err := DecryptPKCS1v15(rand.Reader, priv, enc)
+- if err != nil {
+- t.Errorf("DecryptPKCS1v15: %v", err)
+- return
+- }
+- if !bytes.Equal(dec, msg) {
+- t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
+- }
+- } else {
+- enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg)
+- if err == nil {
+- t.Errorf("EncryptPKCS1v15: Should not accept key of size %v", priv.Size() * 8)
+- return
+- }
+- _ , err = DecryptPKCS1v15(rand.Reader, priv, enc)
+- if err == nil {
+- t.Errorf("DecryptPKCS1v15: Should not accept key of size %v", priv.Size() * 8)
+- return
+- }
+- }
+- return
+- }
++ if boring.Enabled() {
++ // Cannot call encrypt/decrypt directly. Test via EncryptOAEP.
++ sha256 := sha256.New()
++ msg := []byte("hi!")
++ if priv.Size() >= 256 {
++ enc, err := EncryptOAEP(sha256, rand.Reader, &priv.PublicKey, msg, nil)
++ if err != nil {
++ t.Errorf("EncryptOAEP: %v", err)
++ return
++ }
++ dec, err := DecryptOAEP(sha256, rand.Reader, priv, enc, nil)
++ if err != nil {
++ t.Errorf("DecryptOAEP: %v", err)
++ return
++ }
++ if !bytes.Equal(dec, msg) {
++ t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
++ }
++ } else {
++ t.Logf("skipping check for unsupported key less than 2048 bits")
++ }
++ return
++ }
+
+ pub := &priv.PublicKey
+ m := big.NewInt(42)
+@@ -323,6 +314,11 @@ func TestDecryptOAEP(t *testing.T) {
+ private.PublicKey = PublicKey{N: n, E: test.e}
+ private.D = d
+
++ if boring.Enabled() && private.PublicKey.Size() < 256 {
++ t.Logf("skipping check for unsupported key less than 2048 bits")
++ continue;
++ }
++ t.Logf("running check for supported key size")
+ for j, message := range test.msgs {
+ out, err := DecryptOAEP(sha1, nil, private, message.out, nil)
+ if err != nil {
diff --git a/SOURCES/remove_waitgroup_misuse_tests.patch b/SOURCES/remove_waitgroup_misuse_tests.patch
deleted file mode 100644
index b643563..0000000
--- a/SOURCES/remove_waitgroup_misuse_tests.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-diff --git a/src/sync/waitgroup_test.go b/src/sync/waitgroup_test.go
-index c569e0faa2eb..4ded218d2d8d 100644
---- a/src/sync/waitgroup_test.go
-+++ b/src/sync/waitgroup_test.go
-@@ -5,8 +5,6 @@
- package sync_test
-
- import (
-- "internal/race"
-- "runtime"
- . "sync"
- "sync/atomic"
- "testing"
-@@ -48,12 +46,6 @@ func TestWaitGroup(t *testing.T) {
- }
- }
-
--func knownRacy(t *testing.T) {
-- if race.Enabled {
-- t.Skip("skipping known-racy test under the race detector")
-- }
--}
--
- func TestWaitGroupMisuse(t *testing.T) {
- defer func() {
- err := recover()
-@@ -68,124 +60,6 @@ func TestWaitGroupMisuse(t *testing.T) {
- t.Fatal("Should panic")
- }
-
--// pollUntilEqual blocks until v, loaded atomically, is
--// equal to the target.
--func pollUntilEqual(v *uint32, target uint32) {
-- for {
-- for i := 0; i < 1e3; i++ {
-- if atomic.LoadUint32(v) == target {
-- return
-- }
-- }
-- // yield to avoid deadlock with the garbage collector
-- // see issue #20072
-- runtime.Gosched()
-- }
--}
--
--func TestWaitGroupMisuse2(t *testing.T) {
-- knownRacy(t)
-- if runtime.NumCPU() <= 4 {
-- t.Skip("NumCPU<=4, skipping: this test requires parallelism")
-- }
-- defer func() {
-- err := recover()
-- if err != "sync: negative WaitGroup counter" &&
-- err != "sync: WaitGroup misuse: Add called concurrently with Wait" &&
-- err != "sync: WaitGroup is reused before previous Wait has returned" {
-- t.Fatalf("Unexpected panic: %#v", err)
-- }
-- }()
-- defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(4))
-- done := make(chan interface{}, 2)
-- // The detection is opportunistic, so we want it to panic
-- // at least in one run out of a million.
-- for i := 0; i < 1e6; i++ {
-- var wg WaitGroup
-- var here uint32
-- wg.Add(1)
-- go func() {
-- defer func() {
-- done <- recover()
-- }()
-- atomic.AddUint32(&here, 1)
-- pollUntilEqual(&here, 3)
-- wg.Wait()
-- }()
-- go func() {
-- defer func() {
-- done <- recover()
-- }()
-- atomic.AddUint32(&here, 1)
-- pollUntilEqual(&here, 3)
-- wg.Add(1) // This is the bad guy.
-- wg.Done()
-- }()
-- atomic.AddUint32(&here, 1)
-- pollUntilEqual(&here, 3)
-- wg.Done()
-- for j := 0; j < 2; j++ {
-- if err := <-done; err != nil {
-- panic(err)
-- }
-- }
-- }
-- t.Fatal("Should panic")
--}
--
--func TestWaitGroupMisuse3(t *testing.T) {
-- knownRacy(t)
-- if runtime.NumCPU() <= 1 {
-- t.Skip("NumCPU==1, skipping: this test requires parallelism")
-- }
-- defer func() {
-- err := recover()
-- if err != "sync: negative WaitGroup counter" &&
-- err != "sync: WaitGroup misuse: Add called concurrently with Wait" &&
-- err != "sync: WaitGroup is reused before previous Wait has returned" {
-- t.Fatalf("Unexpected panic: %#v", err)
-- }
-- }()
-- defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(4))
-- done := make(chan interface{}, 3)
-- // The detection is opportunistically, so we want it to panic
-- // at least in one run out of a million.
-- for i := 0; i < 1e6; i++ {
-- var wg WaitGroup
-- wg.Add(1)
-- go func() {
-- defer func() {
-- done <- recover()
-- }()
-- wg.Done()
-- }()
-- go func() {
-- defer func() {
-- done <- recover()
-- }()
-- wg.Wait()
-- // Start reusing the wg before waiting for the Wait below to return.
-- wg.Add(1)
-- go func() {
-- wg.Done()
-- }()
-- wg.Wait()
-- }()
-- go func() {
-- defer func() {
-- done <- recover()
-- }()
-- wg.Wait()
-- }()
-- for j := 0; j < 3; j++ {
-- if err := <-done; err != nil {
-- panic(err)
-- }
-- }
-- }
-- t.Fatal("Should panic")
--}
--
- func TestWaitGroupRace(t *testing.T) {
- // Run this test for about 1ms.
- for i := 0; i < 1000; i++ {
diff --git a/SPECS/golang.spec b/SPECS/golang.spec
index bbea5fb..6349c68 100644
--- a/SPECS/golang.spec
+++ b/SPECS/golang.spec
@@ -96,7 +96,7 @@
%endif
%global go_api 1.17
-%global go_version 1.17.7
+%global go_version 1.17.12
%global pkg_release 1
Name: golang
@@ -106,7 +106,8 @@ Summary: The Go Programming Language
# source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
License: BSD and Public Domain
URL: http://golang.org/
-Source0: https://pagure.io/go/archive/go-%{go_version}-%{pkg_release}-openssl-fips/go-go-%{go_version}-%{pkg_release}-openssl-fips.tar.gz
+Source0: https://github.com/golang-fips/go/archive/refs/tags/go%{go_version}-%{pkg_release}-openssl-fips.tar.gz
+
# make possible to override default traceback level at build time by setting build tag rpm_crashtraceback
Source1: fedora.go
@@ -147,9 +148,10 @@ Patch221: fix_TestScript_list_std.patch
# Port to openssl 3.0
Patch1952381: rhbz1952381.patch
-Patch222: remove_waitgroup_misuse_tests.patch
Patch223: remove_ed25519vectors_test.patch
+Patch224: openssl_deprecated_algorithm_tests.patch
+
# Having documentation separate was broken
Obsoletes: %{name}-docs < 1.1-4
@@ -237,7 +239,8 @@ Requires: %{name} = %{version}-%{release}
%endif
%prep
-%setup -q -n go-go-%{go_version}-%{pkg_release}-openssl-fips
+%setup -q -n go-go%{go_version}-%{pkg_release}-openssl-fips
+
%patch215 -p1
@@ -245,10 +248,10 @@ Requires: %{name} = %{version}-%{release}
%patch1952381 -p1
-%patch222 -p1
-
%patch223 -p1
+%patch224 -p1
+
cp %{SOURCE1} ./src/runtime/
%build
@@ -522,6 +525,14 @@ cd ..
%endif
%changelog
+* Wed Jul 20 2022 David Benoit <dbenoit@redhat.com> - 1.17.12-1
+- Update Go to version 1.17.12
+- Resolves: rhbz#2109183
+
+* Wed Jul 20 2022 David Benoit <dbenoit@redhat.com> - 1.17.7-2
+- Clean up dist-git patches
+- Resolves: rhbz#2109174
+
* Thu Feb 17 2022 David Benoit <dbenoit@redhat.com> - 1.17.7-1
- Rebase to Go 1.17.7
- Update ecdsa tests to reject SHA1 signatures in boring mode