diff --git a/.gitignore b/.gitignore
index 4f71bcf8f9950763281db837800ca68d2e7a828e..a08f77a8f4f125fb4bcc9fbd65cef2bd498e8299 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/go-go-1.17.7-1-openssl-fips.tar.gz
+SOURCES/go1.18.0-1-openssl-fips.tar.gz
diff --git a/.golang.metadata b/.golang.metadata
index fde600851c0a6c2a545c1d864074c1a6144df448..46de8e5dc91fa9bef7d8a33978170faa84105770 100644
--- a/.golang.metadata
+++ b/.golang.metadata
@@ -1 +1 @@
-139fe29f985b3feda50c407d194f1a102352388a SOURCES/go-go-1.17.7-1-openssl-fips.tar.gz
+c1c1dfe3d4fd1c653f0a4eeeb01e2a07d3d06b1c SOURCES/go1.18.0-1-openssl-fips.tar.gz
diff --git a/SOURCES/disable_static_external_tests.patch b/SOURCES/disable_static_external_tests.patch
new file mode 100644
index 0000000000000000000000000000000000000000..55181cab19287e702b9f48f37fb5a71912aa47c9
--- /dev/null
+++ b/SOURCES/disable_static_external_tests.patch
@@ -0,0 +1,310 @@
+diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go
+index d9eb9c3..506f979 100644
+--- a/src/cmd/dist/test.go
++++ b/src/cmd/dist/test.go
+@@ -1180,18 +1180,20 @@ func (t *tester) cgoTest(dt *distTest) error {
+ 				fmt.Println("No support for static linking found (lacks libc.a?), skip cgo static linking test.")
+ 			} else {
+ 				if goos != "android" {
+-					t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`)
++					t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, "-tags=no_openssl")
+ 				}
+ 				t.addCmd(dt, "misc/cgo/nocgo", t.goTest())
+ 				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external`)
+ 				if goos != "android" {
+-					t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`)
++					t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, "-tags=no_openssl")
++					/*
+ 					t.addCmd(dt, "misc/cgo/test", t.goTest(), "-tags=static", "-ldflags", `-linkmode=external -extldflags "-static -pthread"`)
+ 					// -static in CGO_LDFLAGS triggers a different code path
+ 					// than -static in -extldflags, so test both.
+ 					// See issue #16651.
+ 					cmd := t.addCmd(dt, "misc/cgo/test", t.goTest(), "-tags=static")
+ 					setEnv(cmd, "CGO_LDFLAGS", "-static -pthread")
++					*/
+ 				}
+ 			}
+ 
+@@ -1201,7 +1203,7 @@ func (t *tester) cgoTest(dt *distTest) error {
+ 					t.addCmd(dt, "misc/cgo/test", t.goTest(), "-buildmode=pie", "-ldflags=-linkmode=internal", "-tags=internal,internal_pie")
+ 				}
+ 				t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-buildmode=pie")
+-				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie")
++				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie", "-tags=no_openssl")
+ 			}
+ 		}
+ 	}
+diff --git a/src/crypto/internal/boring/aes.go b/src/crypto/internal/boring/aes.go
+index a495bd7..2c6107b 100644
+--- a/src/crypto/internal/boring/aes.go
++++ b/src/crypto/internal/boring/aes.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/aes_test.go b/src/crypto/internal/boring/aes_test.go
+index 3b4c364..371bc20 100644
+--- a/src/crypto/internal/boring/aes_test.go
++++ b/src/crypto/internal/boring/aes_test.go
+@@ -1,9 +1,5 @@
+-// +build linux
+-// +build !android
+-// +build !no_openssl
+-// +build !cmd_go_bootstrap
+-// +build !msan
+-// +build cgo
++//go:build linux && !android && !no_openssl && !cmd_go_bootstrap && !msan && cgo && !static
++// +build linux,!android,!no_openssl,!cmd_go_bootstrap,!msan,cgo,!static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/boring.go b/src/crypto/internal/boring/boring.go
+index ec6e80c..05431b1 100644
+--- a/src/crypto/internal/boring/boring.go
++++ b/src/crypto/internal/boring/boring.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/ecdsa.go b/src/crypto/internal/boring/ecdsa.go
+index f72da41..33ee442 100644
+--- a/src/crypto/internal/boring/ecdsa.go
++++ b/src/crypto/internal/boring/ecdsa.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/goboringcrypto.h b/src/crypto/internal/boring/goboringcrypto.h
+index 4547ade..b8aaae4 100644
+--- a/src/crypto/internal/boring/goboringcrypto.h
++++ b/src/crypto/internal/boring/goboringcrypto.h
+@@ -1,6 +1,12 @@
+ // Copyright 2017 The Go Authors. All rights reserved.
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
++// +build linux
++// +build !android
++// +build !no_openssl
++// +build !cmd_go_bootstrap
++// +build !msan
++// +build !static
+ 
+ // This header file describes the BoringCrypto ABI as built for use in Go.
+ // The BoringCrypto build for Go (which generates goboringcrypto_*.syso)
+diff --git a/src/crypto/internal/boring/goopenssl.h b/src/crypto/internal/boring/goopenssl.h
+index 4820385..ac41482 100644
+--- a/src/crypto/internal/boring/goopenssl.h
++++ b/src/crypto/internal/boring/goopenssl.h
+@@ -6,6 +6,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ // This header file describes the OpenSSL ABI as built for use in Go.
+ 
+diff --git a/src/crypto/internal/boring/hmac.go b/src/crypto/internal/boring/hmac.go
+index 4e913c3..10cfbb3 100644
+--- a/src/crypto/internal/boring/hmac.go
++++ b/src/crypto/internal/boring/hmac.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/notboring.go b/src/crypto/internal/boring/notboring.go
+index e513834..08c5245 100644
+--- a/src/crypto/internal/boring/notboring.go
++++ b/src/crypto/internal/boring/notboring.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl
+-// +build !linux !cgo android cmd_go_bootstrap msan no_openssl
++//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl || static
++// +build !linux !cgo android cmd_go_bootstrap msan no_openssl static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/openssl_ecdsa_signature.c b/src/crypto/internal/boring/openssl_ecdsa_signature.c
+index 710d074..853be3d 100644
+--- a/src/crypto/internal/boring/openssl_ecdsa_signature.c
++++ b/src/crypto/internal/boring/openssl_ecdsa_signature.c
+@@ -3,6 +3,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ #include "goboringcrypto.h"
+ 
+diff --git a/src/crypto/internal/boring/openssl_evp.c b/src/crypto/internal/boring/openssl_evp.c
+index 36be702..331dfd3 100644
+--- a/src/crypto/internal/boring/openssl_evp.c
++++ b/src/crypto/internal/boring/openssl_evp.c
+@@ -3,6 +3,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ #include "goboringcrypto.h"
+ 
+diff --git a/src/crypto/internal/boring/openssl_lock_setup.c b/src/crypto/internal/boring/openssl_lock_setup.c
+index 955924e..c0f3435 100644
+--- a/src/crypto/internal/boring/openssl_lock_setup.c
++++ b/src/crypto/internal/boring/openssl_lock_setup.c
+@@ -3,6 +3,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ #include "goboringcrypto.h"
+ #include <stdio.h>
+diff --git a/src/crypto/internal/boring/openssl_port_aead_gcm.c b/src/crypto/internal/boring/openssl_port_aead_gcm.c
+index b39bf54..80c933a 100644
+--- a/src/crypto/internal/boring/openssl_port_aead_gcm.c
++++ b/src/crypto/internal/boring/openssl_port_aead_gcm.c
+@@ -4,6 +4,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ #include "goboringcrypto.h"
+ #include <openssl/err.h>
+diff --git a/src/crypto/internal/boring/openssl_port_ctr128.c b/src/crypto/internal/boring/openssl_port_ctr128.c
+index abaff5c..e2263a5 100644
+--- a/src/crypto/internal/boring/openssl_port_ctr128.c
++++ b/src/crypto/internal/boring/openssl_port_ctr128.c
+@@ -3,6 +3,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ #include "goboringcrypto.h"
+ 
+diff --git a/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c b/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c
+index 8418c38..39bf3ae 100644
+--- a/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c
++++ b/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c
+@@ -4,6 +4,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ // The following is a partial backport of crypto/evp/m_md5_sha1.c,
+ // commit cbc8a839959418d8a2c2e3ec6bdf394852c9501e on the
+diff --git a/src/crypto/internal/boring/openssl_port_hmac.c b/src/crypto/internal/boring/openssl_port_hmac.c
+index be7c71a..35e1860 100644
+--- a/src/crypto/internal/boring/openssl_port_hmac.c
++++ b/src/crypto/internal/boring/openssl_port_hmac.c
+@@ -4,6 +4,8 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
++
+ 
+ #include "goboringcrypto.h"
+ 
+diff --git a/src/crypto/internal/boring/openssl_port_rsa.c b/src/crypto/internal/boring/openssl_port_rsa.c
+index 5174f66..a8008e9 100644
+--- a/src/crypto/internal/boring/openssl_port_rsa.c
++++ b/src/crypto/internal/boring/openssl_port_rsa.c
+@@ -4,6 +4,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ #include "goboringcrypto.h"
+ 
+diff --git a/src/crypto/internal/boring/openssl_stub_rand.c b/src/crypto/internal/boring/openssl_stub_rand.c
+index 18d6777..e8ac53b 100644
+--- a/src/crypto/internal/boring/openssl_stub_rand.c
++++ b/src/crypto/internal/boring/openssl_stub_rand.c
+@@ -3,6 +3,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ #include "goboringcrypto.h"
+ #include <openssl/rand.h>
+diff --git a/src/crypto/internal/boring/rand.go b/src/crypto/internal/boring/rand.go
+index e9c334f..3adbd4d 100644
+--- a/src/crypto/internal/boring/rand.go
++++ b/src/crypto/internal/boring/rand.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/rsa.go b/src/crypto/internal/boring/rsa.go
+index b1a2f57..0cabadb 100644
+--- a/src/crypto/internal/boring/rsa.go
++++ b/src/crypto/internal/boring/rsa.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/sha.go b/src/crypto/internal/boring/sha.go
+index bdcc782..6184d6c 100644
+--- a/src/crypto/internal/boring/sha.go
++++ b/src/crypto/internal/boring/sha.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package boring
+ 
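Review bot: The generic `static` build tag added to the constraints in `notboring.go` (and excluded from every OpenSSL-backed file under `src/crypto/internal/boring`) means any build that passes `-tags static` for an unrelated reason now compiles the non-OpenSSL fallback, and nothing in the patch tells the builder. On a toolchain built around the OpenSSL FIPS backend that is worth stating near the constraint, for example `// The static tag selects this fallback: the OpenSSL backend is loaded with dlopen and cannot be linked statically.`; a more specific tag name would avoid the collision altogether. In `cgoTest` the two `misc/cgo/test` static runs are disabled with a bare `/* ... */`, so a one-line reason there (`// disabled: static linking of dlopen is unsupported`) would keep them from reading as leftover debugging. Only the constraint headers of the affected files are visible here, so what the fallback does at run time when FIPS mode is requested should be confirmed.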
diff --git a/SOURCES/fix_TestScript_list_std.patch b/SOURCES/fix_TestScript_list_std.patch
index 1387cb71ca3f9caf033b87d05c22b22a1fee407b..ade3711c6807083c4076be5015919c9b1b641d72 100644
--- a/SOURCES/fix_TestScript_list_std.patch
+++ b/SOURCES/fix_TestScript_list_std.patch
@@ -1,5 +1,5 @@
 diff --git a/src/cmd/go/testdata/script/list_std.txt b/src/cmd/go/testdata/script/list_std.txt
-index 6ab1bd1674..4a00e436fd 100644
+index 6ab1bd1..4a00e43 100644
 --- a/src/cmd/go/testdata/script/list_std.txt
 +++ b/src/cmd/go/testdata/script/list_std.txt
 @@ -6,7 +6,7 @@ env GO111MODULE=off
diff --git a/SOURCES/go1.5-zoneinfo_testing_only.patch b/SOURCES/go1.5-zoneinfo_testing_only.patch
index 581cb948848ef8a78bbd8642c3c7dd6e00b09fb9..5f0046ecb843d50e0e8dd733a6714bab59834eef 100644
--- a/SOURCES/go1.5-zoneinfo_testing_only.patch
+++ b/SOURCES/go1.5-zoneinfo_testing_only.patch
@@ -1,6 +1,7 @@
-diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/internal_test.go.time go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/internal_test.go
---- go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/internal_test.go.time	2017-12-05 01:10:10.000000000 +0100
-+++ go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/internal_test.go	2017-12-05 14:55:10.574637475 +0100
+diff --git a/src/time/internal_test.go b/src/time/internal_test.go
+index f0dddb7..415949a 100644
+--- a/src/time/internal_test.go
++++ b/src/time/internal_test.go
 @@ -4,13 +4,15 @@
  
  package time
@@ -16,7 +17,7 @@ diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/internal_test.go.t
 -	z, err := loadLocation("America/Los_Angeles", zoneSources[len(zoneSources)-1:])
 +	z, err := loadLocation("America/Los_Angeles", zoneSources)
  	if err != nil {
- 		panic("cannot load America/Los_Angeles for testing: " + err.Error())
+ 		panic("cannot load America/Los_Angeles for testing: " + err.Error() + "; you may want to use -tags=timetzdata")
  	}
 @@ -21,8 +23,9 @@ func initTestingZone() {
  var OrigZoneSources = zoneSources
@@ -29,10 +30,11 @@ diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/internal_test.go.t
  	if zipOnly {
  		zoneSources = zoneSources[len(zoneSources)-1:]
  	}
-diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_test.go.time go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_test.go
---- go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_test.go.time	2017-12-05 01:10:10.000000000 +0100
-+++ go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_test.go	2017-12-05 14:58:09.823109248 +0100
-@@ -8,6 +8,7 @@ import (
+diff --git a/src/time/zoneinfo_test.go b/src/time/zoneinfo_test.go
+index f032aa7..e3e5547 100644
+--- a/src/time/zoneinfo_test.go
++++ b/src/time/zoneinfo_test.go
+@@ -9,6 +9,7 @@ import (
  	"fmt"
  	"os"
  	"reflect"
@@ -40,7 +42,7 @@ diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_test.go.t
  	"testing"
  	"time"
  )
-@@ -128,7 +129,7 @@ func TestLoadLocationFromTZData(t *testi
+@@ -137,7 +138,7 @@ func TestLoadLocationFromTZData(t *testing.T) {
  		t.Fatal(err)
  	}
  
@@ -49,9 +51,10 @@ diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_test.go.t
  	if err != nil {
  		t.Fatal(err)
  	}
-diff -up go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_unix.go.time go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_unix.go
---- go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_unix.go.time	2017-12-05 01:10:10.000000000 +0100
-+++ go-dd7cbf3a846c2cb125ac65173abaf6a8b9f903ff/src/time/zoneinfo_unix.go	2017-12-05 14:55:10.574637475 +0100
+diff --git a/src/time/zoneinfo_unix.go b/src/time/zoneinfo_unix.go
+index 23f8b3c..228db1b 100644
+--- a/src/time/zoneinfo_unix.go
++++ b/src/time/zoneinfo_unix.go
 @@ -12,7 +12,6 @@
  package time
  
diff --git a/SOURCES/relax_sha1_restriction.patch b/SOURCES/relax_sha1_restriction.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a620b277a58493a24e99a2238c77c0feff9bc75e
--- /dev/null
+++ b/SOURCES/relax_sha1_restriction.patch
@@ -0,0 +1,224 @@
+diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
+index 98778fe..71ab62a 100644
+--- a/src/crypto/x509/verify.go
++++ b/src/crypto/x509/verify.go
+@@ -736,6 +736,9 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
+ // list. (While this is not specified, it is common practice in order to limit
+ // the types of certificates a CA can issue.)
+ //
++// Certificates that use SHA1WithRSA and ECDSAWithSHA1 signatures are not supported,
++// and will not be used to build chains.
++//
+ // WARNING: this function doesn't do any revocation checking.
+ func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err error) {
+ 	// Platform-specific verification needs the ASN.1 contents so
+diff --git a/src/crypto/x509/x509.go b/src/crypto/x509/x509.go
+index 47be77d..85720b3 100644
+--- a/src/crypto/x509/x509.go
++++ b/src/crypto/x509/x509.go
+@@ -184,13 +184,13 @@ const (
+ 
+ 	MD2WithRSA  // Unsupported.
+ 	MD5WithRSA  // Only supported for signing, not verification.
+-	SHA1WithRSA // Only supported for signing, not verification.
++	SHA1WithRSA // Only supported for signing, and verification of CRLs, CSRs, and OCSP responses.
+ 	SHA256WithRSA
+ 	SHA384WithRSA
+ 	SHA512WithRSA
+ 	DSAWithSHA1   // Unsupported.
+ 	DSAWithSHA256 // Unsupported.
+-	ECDSAWithSHA1 // Only supported for signing, not verification.
++	ECDSAWithSHA1 // Only supported for signing, and verification of CRLs, CSRs, and OCSP responses.
+ 	ECDSAWithSHA256
+ 	ECDSAWithSHA384
+ 	ECDSAWithSHA512
+@@ -770,7 +770,7 @@ func (c *Certificate) hasSANExtension() bool {
+ }
+ 
+ // CheckSignatureFrom verifies that the signature on c is a valid signature
+-// from parent.
++// from parent. SHA1WithRSA and ECDSAWithSHA1 signatures are not supported.
+ func (c *Certificate) CheckSignatureFrom(parent *Certificate) error {
+ 	// RFC 5280, 4.2.1.9:
+ 	// "If the basic constraints extension is not present in a version 3
+@@ -792,13 +792,13 @@ func (c *Certificate) CheckSignatureFrom(parent *Certificate) error {
+ 
+ 	// TODO(agl): don't ignore the path length constraint.
+ 
+-	return parent.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature)
++	return checkSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature, parent.PublicKey, debugAllowSHA1)
+ }
+ 
+ // CheckSignature verifies that signature is a valid signature over signed from
+ // c's public key.
+ func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) error {
+-	return checkSignature(algo, signed, signature, c.PublicKey)
++	return checkSignature(algo, signed, signature, c.PublicKey, true)
+ }
+ 
+ func (c *Certificate) hasNameConstraints() bool {
+@@ -818,9 +818,9 @@ func signaturePublicKeyAlgoMismatchError(expectedPubKeyAlgo PublicKeyAlgorithm,
+ 	return fmt.Errorf("x509: signature algorithm specifies an %s public key, but have public key of type %T", expectedPubKeyAlgo.String(), pubKey)
+ }
+ 
+-// CheckSignature verifies that signature is a valid signature over signed from
++// checkSignature verifies that signature is a valid signature over signed from
+ // a crypto.PublicKey.
+-func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey crypto.PublicKey) (err error) {
++func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey crypto.PublicKey, allowSHA1 bool) (err error) {
+ 	var hashType crypto.Hash
+ 	var pubKeyAlgo PublicKeyAlgorithm
+ 
+@@ -839,7 +839,7 @@ func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey
+ 	case crypto.MD5:
+ 		return InsecureAlgorithmError(algo)
+ 	case crypto.SHA1:
+-		if !debugAllowSHA1 {
++		if !allowSHA1 {
+ 			return InsecureAlgorithmError(algo)
+ 		}
+ 		fallthrough
+@@ -1599,11 +1599,11 @@ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv
+ 	// Check the signature to ensure the crypto.Signer behaved correctly.
+ 	sigAlg := getSignatureAlgorithmFromAI(signatureAlgorithm)
+ 	switch sigAlg {
+-	case MD5WithRSA, SHA1WithRSA, ECDSAWithSHA1:
++	case MD5WithRSA:
+ 		// We skip the check if the signature algorithm is only supported for
+ 		// signing, not verification.
+ 	default:
+-		if err := checkSignature(sigAlg, c.Raw, signature, key.Public()); err != nil {
++		if err := checkSignature(sigAlg, c.Raw, signature, key.Public(), true); err != nil {
+ 			return nil, fmt.Errorf("x509: signature over certificate returned by signer is invalid: %w", err)
+ 		}
+ 	}
+@@ -2082,7 +2082,7 @@ func parseCertificateRequest(in *certificateRequest) (*CertificateRequest, error
+ 
+ // CheckSignature reports whether the signature on c is valid.
+ func (c *CertificateRequest) CheckSignature() error {
+-	return checkSignature(c.SignatureAlgorithm, c.RawTBSCertificateRequest, c.Signature, c.PublicKey)
++	return checkSignature(c.SignatureAlgorithm, c.RawTBSCertificateRequest, c.Signature, c.PublicKey, true)
+ }
+ 
+ // RevocationList contains the fields used to create an X.509 v2 Certificate
+diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
+index f3e2a77..d31f70d 100644
+--- a/src/crypto/x509/x509_test.go
++++ b/src/crypto/x509/x509_test.go
+@@ -13,6 +13,7 @@ import (
+ 	"crypto/elliptic"
+ 	"crypto/rand"
+ 	"crypto/rsa"
++	"crypto/boring"
+ 	_ "crypto/sha256"
+ 	_ "crypto/sha512"
+ 	"crypto/x509/pkix"
+@@ -2940,30 +2941,15 @@ func TestCreateCertificateBrokenSigner(t *testing.T) {
+ }
+ 
+ func TestCreateCertificateLegacy(t *testing.T) {
+-	ecdsaPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+-	if err != nil {
+-		t.Fatalf("Failed to generate ECDSA key: %s", err)
++	sigAlg := MD5WithRSA
++	template := &Certificate{
++		SerialNumber:       big.NewInt(10),
++		DNSNames:           []string{"example.com"},
++		SignatureAlgorithm: sigAlg,
+ 	}
+-
+-	for _, sigAlg := range []SignatureAlgorithm{
+-		MD5WithRSA, SHA1WithRSA, ECDSAWithSHA1,
+-	} {
+-		template := &Certificate{
+-			SerialNumber:       big.NewInt(10),
+-			DNSNames:           []string{"example.com"},
+-			SignatureAlgorithm: sigAlg,
+-		}
+-		var k crypto.Signer
+-		switch sigAlg {
+-		case MD5WithRSA, SHA1WithRSA:
+-			k = testPrivateKey
+-		case ECDSAWithSHA1:
+-			k = ecdsaPriv
+-		}
+-		_, err := CreateCertificate(rand.Reader, template, template, k.Public(), &brokenSigner{k.Public()})
+-		if err != nil {
+-			t.Fatalf("CreateCertificate failed when SignatureAlgorithm = %v: %s", sigAlg, err)
+-		}
++	_, err := CreateCertificate(rand.Reader, template, template, testPrivateKey.Public(), &brokenSigner{testPrivateKey.Public()})
++	if err != nil {
++		t.Fatalf("CreateCertificate failed when SignatureAlgorithm = %v: %s", sigAlg, err)
+ 	}
+ }
+ 
+@@ -3364,3 +3350,69 @@ func TestLargeOID(t *testing.T) {
+ 		t.Fatalf("ParseCertificate to failed to parse certificate with large OID: %s", err)
+ 	}
+ }
++
++func TestDisableSHA1ForCertOnly(t *testing.T) {
++        if boring.Enabled() {
++		t.Skip("not supported in boring mode")
++	} 
++	defer func(old bool) { debugAllowSHA1 = old }(debugAllowSHA1)
++	debugAllowSHA1 = false
++
++	tmpl := &Certificate{
++		SerialNumber:          big.NewInt(1),
++		NotBefore:             time.Now().Add(-time.Hour),
++		NotAfter:              time.Now().Add(time.Hour),
++		SignatureAlgorithm:    SHA1WithRSA,
++		BasicConstraintsValid: true,
++		IsCA:                  true,
++		KeyUsage:              KeyUsageCertSign | KeyUsageCRLSign,
++	}
++	certDER, err := CreateCertificate(rand.Reader, tmpl, tmpl, rsaPrivateKey.Public(), rsaPrivateKey)
++	if err != nil {
++		t.Fatalf("failed to generate test cert: %s", err)
++	}
++	cert, err := ParseCertificate(certDER)
++	if err != nil {
++		t.Fatalf("failed to parse test cert: %s", err)
++	}
++
++	err = cert.CheckSignatureFrom(cert)
++	if err == nil {
++		t.Error("expected CheckSignatureFrom to fail")
++	} else if _, ok := err.(InsecureAlgorithmError); !ok {
++		t.Errorf("expected InsecureAlgorithmError error, got %T", err)
++	}
++
++	crlDER, err := CreateRevocationList(rand.Reader, &RevocationList{
++		SignatureAlgorithm: SHA1WithRSA,
++		Number:             big.NewInt(1),
++		ThisUpdate:         time.Now().Add(-time.Hour),
++		NextUpdate:         time.Now().Add(time.Hour),
++	}, cert, rsaPrivateKey)
++	if err != nil {
++		t.Fatalf("failed to generate test CRL: %s", err)
++	}
++	// TODO(rolandshoemaker): this should be ParseRevocationList once it lands
++	crl, err := ParseCRL(crlDER)
++	if err != nil {
++		t.Fatalf("failed to parse test CRL: %s", err)
++	}
++
++	if err = cert.CheckCRLSignature(crl); err != nil {
++		t.Errorf("unexpected error: %s", err)
++	}
++
++	// This is an unrelated OCSP response, which will fail signature verification
++	// but shouldn't return a InsecureAlgorithmError, since SHA1 should be allowed
++	// for OCSP.
++	ocspTBSHex := "30819fa2160414884451ff502a695e2d88f421bad90cf2cecbea7c180f32303133303631383037323434335a30743072304a300906052b0e03021a0500041448b60d38238df8456e4ee5843ea394111802979f0414884451ff502a695e2d88f421bad90cf2cecbea7c021100f78b13b946fc9635d8ab49de9d2148218000180f32303133303631383037323434335aa011180f32303133303632323037323434335a"
++	ocspTBS, err := hex.DecodeString(ocspTBSHex)
++	if err != nil {
++		t.Fatalf("failed to decode OCSP response TBS hex: %s", err)
++	}
++
++	err = cert.CheckSignature(SHA1WithRSA, ocspTBS, nil)
++	if err != rsa.ErrVerification {
++		t.Errorf("unexpected error: %s", err)
++	}
++}
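Review bot: `Certificate.CheckSignature` now passes `true` for `allowSHA1` unconditionally, but its doc comment is left unchanged, so a caller that verifies a certificate with `parent.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature)` (the form `CheckSignatureFrom` used before this patch) accepts SHA-1 signatures with no hint in the API docs. Extending the comment would make the split explicit, e.g. `// SHA1WithRSA and ECDSAWithSHA1 signatures are accepted here; use CheckSignatureFrom or Verify when validating certificates.` `TestDisableSHA1ForCertOnly` is skipped whenever `boring.Enabled()` is true, so the relaxed behaviour gets no coverage in boring mode; the skip message could at least say why it is unsupported there. The new test also has a space-indented `if boring.Enabled() {` line, a trailing space after its closing brace and an unsorted `crypto/boring` import, all of which gofmt would correct.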
diff --git a/SOURCES/remove_waitgroup_misuse_tests.patch b/SOURCES/remove_waitgroup_misuse_tests.patch
deleted file mode 100644
index b643563ff8abd8052c8724d08c7301c9ec3d9a31..0000000000000000000000000000000000000000
--- a/SOURCES/remove_waitgroup_misuse_tests.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-diff --git a/src/sync/waitgroup_test.go b/src/sync/waitgroup_test.go
-index c569e0faa2eb..4ded218d2d8d 100644
---- a/src/sync/waitgroup_test.go
-+++ b/src/sync/waitgroup_test.go
-@@ -5,8 +5,6 @@
- package sync_test
- 
- import (
--	"internal/race"
--	"runtime"
- 	. "sync"
- 	"sync/atomic"
- 	"testing"
-@@ -48,12 +46,6 @@ func TestWaitGroup(t *testing.T) {
- 	}
- }
- 
--func knownRacy(t *testing.T) {
--	if race.Enabled {
--		t.Skip("skipping known-racy test under the race detector")
--	}
--}
--
- func TestWaitGroupMisuse(t *testing.T) {
- 	defer func() {
- 		err := recover()
-@@ -68,124 +60,6 @@ func TestWaitGroupMisuse(t *testing.T) {
- 	t.Fatal("Should panic")
- }
- 
--// pollUntilEqual blocks until v, loaded atomically, is
--// equal to the target.
--func pollUntilEqual(v *uint32, target uint32) {
--	for {
--		for i := 0; i < 1e3; i++ {
--			if atomic.LoadUint32(v) == target {
--				return
--			}
--		}
--		// yield to avoid deadlock with the garbage collector
--		// see issue #20072
--		runtime.Gosched()
--	}
--}
--
--func TestWaitGroupMisuse2(t *testing.T) {
--	knownRacy(t)
--	if runtime.NumCPU() <= 4 {
--		t.Skip("NumCPU<=4, skipping: this test requires parallelism")
--	}
--	defer func() {
--		err := recover()
--		if err != "sync: negative WaitGroup counter" &&
--			err != "sync: WaitGroup misuse: Add called concurrently with Wait" &&
--			err != "sync: WaitGroup is reused before previous Wait has returned" {
--			t.Fatalf("Unexpected panic: %#v", err)
--		}
--	}()
--	defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(4))
--	done := make(chan interface{}, 2)
--	// The detection is opportunistic, so we want it to panic
--	// at least in one run out of a million.
--	for i := 0; i < 1e6; i++ {
--		var wg WaitGroup
--		var here uint32
--		wg.Add(1)
--		go func() {
--			defer func() {
--				done <- recover()
--			}()
--			atomic.AddUint32(&here, 1)
--			pollUntilEqual(&here, 3)
--			wg.Wait()
--		}()
--		go func() {
--			defer func() {
--				done <- recover()
--			}()
--			atomic.AddUint32(&here, 1)
--			pollUntilEqual(&here, 3)
--			wg.Add(1) // This is the bad guy.
--			wg.Done()
--		}()
--		atomic.AddUint32(&here, 1)
--		pollUntilEqual(&here, 3)
--		wg.Done()
--		for j := 0; j < 2; j++ {
--			if err := <-done; err != nil {
--				panic(err)
--			}
--		}
--	}
--	t.Fatal("Should panic")
--}
--
--func TestWaitGroupMisuse3(t *testing.T) {
--	knownRacy(t)
--	if runtime.NumCPU() <= 1 {
--		t.Skip("NumCPU==1, skipping: this test requires parallelism")
--	}
--	defer func() {
--		err := recover()
--		if err != "sync: negative WaitGroup counter" &&
--			err != "sync: WaitGroup misuse: Add called concurrently with Wait" &&
--			err != "sync: WaitGroup is reused before previous Wait has returned" {
--			t.Fatalf("Unexpected panic: %#v", err)
--		}
--	}()
--	defer runtime.GOMAXPROCS(runtime.GOMAXPROCS(4))
--	done := make(chan interface{}, 3)
--	// The detection is opportunistically, so we want it to panic
--	// at least in one run out of a million.
--	for i := 0; i < 1e6; i++ {
--		var wg WaitGroup
--		wg.Add(1)
--		go func() {
--			defer func() {
--				done <- recover()
--			}()
--			wg.Done()
--		}()
--		go func() {
--			defer func() {
--				done <- recover()
--			}()
--			wg.Wait()
--			// Start reusing the wg before waiting for the Wait below to return.
--			wg.Add(1)
--			go func() {
--				wg.Done()
--			}()
--			wg.Wait()
--		}()
--		go func() {
--			defer func() {
--				done <- recover()
--			}()
--			wg.Wait()
--		}()
--		for j := 0; j < 3; j++ {
--			if err := <-done; err != nil {
--				panic(err)
--			}
--		}
--	}
--	t.Fatal("Should panic")
--}
--
- func TestWaitGroupRace(t *testing.T) {
- 	// Run this test for about 1ms.
- 	for i := 0; i < 1000; i++ {
diff --git a/SOURCES/skip_test_rhbz1939923.patch b/SOURCES/skip_test_rhbz1939923.patch
index 80302d09405fedb227a0bce5e2d84f5c7c30f50c..e5d52eb7f81cf89d89740577b629bc658b1e2f90 100644
--- a/SOURCES/skip_test_rhbz1939923.patch
+++ b/SOURCES/skip_test_rhbz1939923.patch
@@ -1,8 +1,8 @@
 diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
-index 51dda16815..2d1e1b1e6e 100644
+index f3e2a77..57434b5 100644
 --- a/src/crypto/x509/x509_test.go
 +++ b/src/crypto/x509/x509_test.go
-@@ -2880,6 +2880,7 @@ func (bs *brokenSigner) Sign(_ io.Reader, _ []byte, _ crypto.SignerOpts) ([]byte
+@@ -2922,6 +2922,7 @@ func (bs *brokenSigner) Sign(_ io.Reader, _ []byte, _ crypto.SignerOpts) ([]byte
  }
  
  func TestCreateCertificateBrokenSigner(t *testing.T) {
diff --git a/SPECS/golang.spec b/SPECS/golang.spec
index 06c5d7b05b1193dbece75c27179b56927f9f0d70..4fdb7295df75e60d5d2b08e8f613a4e248dceb55 100644
--- a/SPECS/golang.spec
+++ b/SPECS/golang.spec
@@ -95,18 +95,18 @@
 %global gohostarch  s390x
 %endif
 
-%global go_api 1.17
-%global go_version 1.17.7
+%global go_api 1.18
+%global go_version 1.18.0
 %global pkg_release 1
 
 Name:           golang
 Version:        %{go_version}
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        The Go Programming Language
 # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
 License:        BSD and Public Domain
 URL:            http://golang.org/
-Source0:        https://pagure.io/go/archive/go-%{go_version}-%{pkg_release}-openssl-fips/go-go-%{go_version}-%{pkg_release}-openssl-fips.tar.gz
+Source0:	https://github.com/golang-fips/go/archive/refs/tags/go%{go_version}-%{pkg_release}-openssl-fips.tar.gz
 # make possible to override default traceback level at build time by setting build tag rpm_crashtraceback
 Source1:        fedora.go
 
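Review bot: The new `Source0` points at a GitHub `archive/refs/tags/` URL, which is a tarball generated on request rather than a published release asset, so as far as this diff shows the digest pinned in `.golang.metadata` is the only integrity check on the toolchain source, and it may stop matching if the archive is ever regenerated differently. A short comment above the line recording where the tarball comes from and how the pinned digest was obtained would help whoever does the next rebase. The line also uses a tab after `Source0:` where the neighbouring tags are space-aligned.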
@@ -140,12 +140,12 @@ Patch215:       go1.5-zoneinfo_testing_only.patch
 # Proposed patch by jcajka https://golang.org/cl/86541
 Patch221:       fix_TestScript_list_std.patch
 
+# static linking of dlopen is unsupported
+Patch226:	disable_static_external_tests.patch
+
 Patch1939923:   skip_test_rhbz1939923.patch
 
-# These tests has been removed upstream due to
-# nondeterministic flakiness
-# https://bugzilla.redhat.com/show_bug.cgi?id=2028662
-Patch2028662: 	remove_waitgroup_misuse_tests.patch
+Patch51852:    relax_sha1_restriction.patch
 
 # Having documentation separate was broken
 Obsoletes:      %{name}-docs < 1.1-4
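Review bot: `Patch51852` is added without the explanatory comment the neighbouring patches carry, although it is the one that loosens a cryptographic policy. Something like `# Accept SHA-1 signatures for CRLs, CSRs and OCSP responses; certificate chain verification still rejects them (rhbz#2075162)` above it would record the scope. The number presumably refers to an upstream issue; if so, naming it in the comment would make that traceable. `Patch226:` and `Patch51852:` also differ from the surrounding lines in alignment (a tab and four spaces respectively).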
@@ -234,15 +234,17 @@ Requires:       %{name} = %{version}-%{release}
 %endif
 
 %prep
-%setup -q -n go-go-%{go_version}-%{pkg_release}-openssl-fips
+%setup -q -n go-go%{go_version}-%{pkg_release}-openssl-fips
 
 %patch215 -p1
 
 %patch221 -p1
 
+%patch226 -p1
+
 %patch1939923 -p1
 
-%patch2028662 -p1
+%patch51852 -p1
 
 cp %{SOURCE1} ./src/runtime/
 
@@ -517,6 +519,14 @@ cd ..
 %endif
 
 %changelog
+* Mon Apr 18 2022 David Benoit <dbenoit@redhat.com> - 1.18.0-2
+- Enable SHA1 in some contexts
+- Related: rhbz#2075162
+
+* Wed Apr 13 2022 David Benoit <dbenoit@redhat.com> - 1.18.0-1
+- Update Go to 1.18.0
+- Resolves: rhbz#2075162
+
 * Thu Feb 17 2022 David Benoit <dbenoit@redhat.com> - 1.17.7-1
 - Rebase to Go 1.17.7
 - Remove fips memory leak patch (fixed in tree)