diff --git a/.gitignore b/.gitignore
index 4217694..a14ac52 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/go-go-1.17.2-1-openssl-fips.tar.gz
+SOURCES/go-go-1.17.5-1-openssl-fips.tar.gz
diff --git a/.golang.metadata b/.golang.metadata
index 922df85..e1b760c 100644
--- a/.golang.metadata
+++ b/.golang.metadata
@@ -1 +1 @@
-583ddd5dc54fa694c25b6768ad80c9fff04d2bb5 SOURCES/go-go-1.17.2-1-openssl-fips.tar.gz
+f0b72c96855f50d91288f1226a7660b97c1fdd73 SOURCES/go-go-1.17.5-1-openssl-fips.tar.gz
diff --git a/SOURCES/remove_ed25519vectors_test.patch b/SOURCES/remove_ed25519vectors_test.patch
new file mode 100644
index 0000000..45e3182
--- /dev/null
+++ b/SOURCES/remove_ed25519vectors_test.patch
@@ -0,0 +1,128 @@
+From d7cad65ab9179804e9f089ce97bc124e9ef79494 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alejandro=20S=C3=A1ez?= <asm@redhat.com>
+Date: Wed, 15 Dec 2021 16:02:15 +0100
+Subject: [PATCH] Remove ed25519vectors_test.go
+
+---
+ src/crypto/ed25519/ed25519vectors_test.go | 109 ----------------------
+ 1 file changed, 109 deletions(-)
+ delete mode 100644 src/crypto/ed25519/ed25519vectors_test.go
+
+diff --git a/src/crypto/ed25519/ed25519vectors_test.go b/src/crypto/ed25519/ed25519vectors_test.go
+deleted file mode 100644
+index 74fcdcdf4e..0000000000
+--- a/src/crypto/ed25519/ed25519vectors_test.go
++++ /dev/null
+@@ -1,109 +0,0 @@
+-// Copyright 2021 The Go Authors. All rights reserved.
+-// Use of this source code is governed by a BSD-style
+-// license that can be found in the LICENSE file.
+-
+-package ed25519_test
+-
+-import (
+- "crypto/ed25519"
+- "encoding/hex"
+- "encoding/json"
+- "internal/testenv"
+- "os"
+- "os/exec"
+- "path/filepath"
+- "testing"
+-)
+-
+-// TestEd25519Vectors runs a very large set of test vectors that exercise all
+-// combinations of low-order points, low-order components, and non-canonical
+-// encodings. These vectors lock in unspecified and spec-divergent behaviors in
+-// edge cases that are not security relevant in most contexts, but that can
+-// cause issues in consensus applications if changed.
+-//
+-// Our behavior matches the "classic" unwritten verification rules of the
+-// "ref10" reference implementation.
+-//
+-// Note that although we test for these edge cases, they are not covered by the
+-// Go 1 Compatibility Promise. Applications that need stable verification rules
+-// should use github.com/hdevalence/ed25519consensus.
+-//
+-// See https://hdevalence.ca/blog/2020-10-04-its-25519am for more details.
+-func TestEd25519Vectors(t *testing.T) {
+- jsonVectors := downloadEd25519Vectors(t)
+- var vectors []struct {
+- A, R, S, M string
+- Flags []string
+- }
+- if err := json.Unmarshal(jsonVectors, &vectors); err != nil {
+- t.Fatal(err)
+- }
+- for i, v := range vectors {
+- expectedToVerify := true
+- for _, f := range v.Flags {
+- switch f {
+- // We use the simplified verification formula that doesn't multiply
+- // by the cofactor, so any low order residue will cause the
+- // signature not to verify.
+- //
+- // This is allowed, but not required, by RFC 8032.
+- case "LowOrderResidue":
+- expectedToVerify = false
+- // Our point decoding allows non-canonical encodings (in violation
+- // of RFC 8032) but R is not decoded: instead, R is recomputed and
+- // compared bytewise against the canonical encoding.
+- case "NonCanonicalR":
+- expectedToVerify = false
+- }
+- }
+-
+- publicKey := decodeHex(t, v.A)
+- signature := append(decodeHex(t, v.R), decodeHex(t, v.S)...)
+- message := []byte(v.M)
+-
+- didVerify := ed25519.Verify(publicKey, message, signature)
+- if didVerify && !expectedToVerify {
+- t.Errorf("#%d: vector with flags %s unexpectedly verified", i, v.Flags)
+- }
+- if !didVerify && expectedToVerify {
+- t.Errorf("#%d: vector with flags %s unexpectedly rejected", i, v.Flags)
+- }
+- }
+-}
+-
+-func downloadEd25519Vectors(t *testing.T) []byte {
+- testenv.MustHaveExternalNetwork(t)
+-
+- // Download the JSON test file from the GOPROXY with `go mod download`,
+- // pinning the version so test and module caching works as expected.
+- goTool := testenv.GoToolPath(t)
+- path := "filippo.io/mostly-harmless/ed25519vectors@v0.0.0-20210322192420-30a2d7243a94"
+- cmd := exec.Command(goTool, "mod", "download", "-json", path)
+- // TODO: enable the sumdb once the TryBots proxy supports it.
+- cmd.Env = append(os.Environ(), "GONOSUMDB=*")
+- output, err := cmd.Output()
+- if err != nil {
+- t.Fatalf("failed to run `go mod download -json %s`, output: %s", path, output)
+- }
+- var dm struct {
+- Dir string // absolute path to cached source root directory
+- }
+- if err := json.Unmarshal(output, &dm); err != nil {
+- t.Fatal(err)
+- }
+-
+- jsonVectors, err := os.ReadFile(filepath.Join(dm.Dir, "ed25519vectors.json"))
+- if err != nil {
+- t.Fatalf("failed to read ed25519vectors.json: %v", err)
+- }
+- return jsonVectors
+-}
+-
+-func decodeHex(t *testing.T, s string) []byte {
+- t.Helper()
+- b, err := hex.DecodeString(s)
+- if err != nil {
+- t.Errorf("invalid hex: %v", err)
+- }
+- return b
+-}
+--
+2.33.1
+
diff --git a/SOURCES/remove_waitgroup_misuse_tests.patch b/SOURCES/remove_waitgroup_misuse_tests.patch
new file mode 100644
index 0000000..b643563
--- /dev/null
+++ b/SOURCES/remove_waitgroup_misuse_tests.patch
@@ -0,0 +1,151 @@
+diff --git a/src/sync/waitgroup_test.go b/src/sync/waitgroup_test.go
+index c569e0faa2eb..4ded218d2d8d 100644
+--- a/src/sync/waitgroup_test.go
++++ b/src/sync/waitgroup_test.go
+@@ -5,8 +5,6 @@
+ package sync_test
+
+ import (
+- "internal/race"
+- "runtime"
+ . "sync"
+ "sync/atomic"
+ "testing"
+@@ -48,12 +46,6 @@ func TestWaitGroup(t *testing.T) {
+ }
+ }
+
+-func knownRacy(t *testing.T) {
+- if race.Enabled {
+- t.Skip("skipping known-racy test under the race detector")
+- }
+-}
+-
+ func TestWaitGroupMisuse(t *testing.T) {
+ defer func() {
+ err := recover()
+@@ -68,124 +60,6 @@ func TestWaitGroupMisuse(t *testing.T) {
+ t.Fatal("Should panic")
+ }
+
+-// pollUntilEqual blocks until v, loaded atomically, is
+-// equal to the target.
+-func pollUntilEqual(v *uint32, target uint32) {
+- for {
+- for i := 0; i < 1e3; i++ {
+- if atomic.LoadUint32(v) == target {
+- return
+- }
+- }
+- // yield to avoid deadlock with the garbage collector
+- // see issue #20072
+- runtime.Gosched()
+- }
+-}
+-
+-func TestWaitGroupMisuse2(t *testing.T) {
+- knownRacy(t)
+- if runtime.NumCPU() <= 4 {
+- t.Skip("NumCPU<=4, skipping: this test requires parallelism")
+- }
+- defer func() {
+- err := recover()
+- if err != "sync: negative WaitGroup counter" &&
+- err != "sync: WaitGroup misuse: Add called concurrently with Wait" &&
+- err != "sync: WaitGroup is reused before previous Wait has returned" {
+- t.Fatalf("Unexpected panic: %#v", err)
+- }
+- }()
+- defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(4))
+- done := make(chan interface{}, 2)
+- // The detection is opportunistic, so we want it to panic
+- // at least in one run out of a million.
+- for i := 0; i < 1e6; i++ {
+- var wg WaitGroup
+- var here uint32
+- wg.Add(1)
+- go func() {
+- defer func() {
+- done <- recover()
+- }()
+- atomic.AddUint32(&here, 1)
+- pollUntilEqual(&here, 3)
+- wg.Wait()
+- }()
+- go func() {
+- defer func() {
+- done <- recover()
+- }()
+- atomic.AddUint32(&here, 1)
+- pollUntilEqual(&here, 3)
+- wg.Add(1) // This is the bad guy.
+- wg.Done()
+- }()
+- atomic.AddUint32(&here, 1)
+- pollUntilEqual(&here, 3)
+- wg.Done()
+- for j := 0; j < 2; j++ {
+- if err := <-done; err != nil {
+- panic(err)
+- }
+- }
+- }
+- t.Fatal("Should panic")
+-}
+-
+-func TestWaitGroupMisuse3(t *testing.T) {
+- knownRacy(t)
+- if runtime.NumCPU() <= 1 {
+- t.Skip("NumCPU==1, skipping: this test requires parallelism")
+- }
+- defer func() {
+- err := recover()
+- if err != "sync: negative WaitGroup counter" &&
+- err != "sync: WaitGroup misuse: Add called concurrently with Wait" &&
+- err != "sync: WaitGroup is reused before previous Wait has returned" {
+- t.Fatalf("Unexpected panic: %#v", err)
+- }
+- }()
+- defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(4))
+- done := make(chan interface{}, 3)
+- // The detection is opportunistically, so we want it to panic
+- // at least in one run out of a million.
+- for i := 0; i < 1e6; i++ {
+- var wg WaitGroup
+- wg.Add(1)
+- go func() {
+- defer func() {
+- done <- recover()
+- }()
+- wg.Done()
+- }()
+- go func() {
+- defer func() {
+- done <- recover()
+- }()
+- wg.Wait()
+- // Start reusing the wg before waiting for the Wait below to return.
+- wg.Add(1)
+- go func() {
+- wg.Done()
+- }()
+- wg.Wait()
+- }()
+- go func() {
+- defer func() {
+- done <- recover()
+- }()
+- wg.Wait()
+- }()
+- for j := 0; j < 3; j++ {
+- if err := <-done; err != nil {
+- panic(err)
+- }
+- }
+- }
+- t.Fatal("Should panic")
+-}
+-
+ func TestWaitGroupRace(t *testing.T) {
+ // Run this test for about 1ms.
+ for i := 0; i < 1000; i++ {
diff --git a/SPECS/golang.spec b/SPECS/golang.spec
index bcc88b4..711a3a5 100644
--- a/SPECS/golang.spec
+++ b/SPECS/golang.spec
@@ -96,7 +96,7 @@
%endif
%global go_api 1.17
-%global go_version 1.17.2
+%global go_version 1.17.5
%global pkg_release 1
Name: golang
@@ -147,6 +147,9 @@ Patch221: fix_TestScript_list_std.patch
# Port to openssl 3.0
Patch1952381: rhbz1952381.patch
+Patch222: remove_waitgroup_misuse_tests.patch
+Patch223: remove_ed25519vectors_test.patch
+
# Having documentation separate was broken
Obsoletes: %{name}-docs < 1.1-4
@@ -242,6 +245,10 @@ Requires: %{name} = %{version}-%{release}
%patch1952381 -p1
+%patch222 -p1
+
+%patch223 -p1
+
cp %{SOURCE1} ./src/runtime/
%build
@@ -440,61 +447,19 @@ export GO_TEST_RUN=""
%if %{fail_on_tests}
-TEST_BORING_CONFIGS=`mktemp -d`
-TEST_BORING_CNF=$TEST_BORING_CONFIGS/openssl-boring.cnf
-TEST_BORING_FIPS_CNF=$TEST_BORING_CONFIGS/fipsmodule.cnf
-trap "rm -rf $TEST_BORING_CONFIGS" EXIT
-
-cp /etc/pki/tls/openssl.cnf $TEST_BORING_CNF
-openssl fipsinstall -module /usr/lib64/ossl-modules/fips.so -out $TEST_BORING_FIPS_CNF
-
-cat > $TEST_BORING_CNF << EOM
-openssl_conf = openssl_test
-
-[openssl_test]
-providers = provider_test
-alg_section = algorithm_test
-ssl_conf = ssl_module
-
-[algorithm_test]
-default_properties = fips=yes
-
-[provider_test]
-default = default_sect
- # The fips section name should match the section name inside the
- # included fipsmodule.cnf.
-fips = fips_sect
-.include $TEST_BORING_FIPS_CNF
-
-[default_sect]
-activate = 1
-
-[ ssl_module ]
-
-system_default = crypto_policy
-
-[ crypto_policy ]
-
-.include = /etc/crypto-policies/back-ends/opensslcnf.config
-
-[ new_oids ]
-
-EOM
-
./run.bash --no-rebuild -v -v -v -k $GO_TEST_RUN
-export OPENSSL_CONF=$TEST_BORING_CNF
+export OPENSSL_FORCE_FIPS_MODE=1
# Run tests with FIPS enabled.
-export DISABLE_Ed25519_TEST="-run=!^TestEd25519Vectors$"
pushd crypto
# Run all crypto tests but skip TLS, we will run FIPS specific TLS tests later
- GOLANG_FIPS=1 go test $(go list ./... | grep -v tls) -v $DISABLE_Ed25519_TEST
+ GOLANG_FIPS=1 go test $(go list ./... | grep -v tls) -v
# Check that signature functions have parity between boring and notboring
- CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v $DISABLE_Ed25519_TEST
+ CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v
popd
# Run all FIPS specific TLS tests
pushd crypto/tls
- GOLANG_FIPS=1 go test -v -run "Boring" $DISABLE_Ed25519_TEST
+ GOLANG_FIPS=1 go test -v -run "Boring"
popd
%else
./run.bash --no-rebuild -v -v -v -k || :
@@ -557,6 +522,17 @@ cd ..
%endif
%changelog
+* Mon Dec 13 2021 Alejandro Sáez <asm@redhat.com> - 1.17.5-1
+- Rebase to Go 1.17.5
+- Add remove_waitgroup_misuse_tests patch
+- Add remove_ed25519vectors_test.patch
+- Remove FIPS checks to avoid issues in the CI
+- Related: rhbz#2031116
+- Resolves: rhbz#2022829
+- Resolves: rhbz#2024687
+- Resolves: rhbz#2030851
+- Resolves: rhbz#2031253
+
* Wed Nov 03 2021 Alejandro Sáez <asm@redhat.com> - 1.17.2-1
- Rebase to Go 1.17.2
- Related: rhbz#2014087