From f3069217d24e5cafd9f7e2454d044652562a63a9 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 16 May 2023 06:04:32 +0000
Subject: [PATCH] import golang-1.19.4-2.module+el8.8.0+17709+252fe516
---
.gitignore | 3 +-
.golang.metadata | 3 +-
SOURCES/big-endian.patch | 363 ------------------
SOURCES/disable_static_external_tests.patch | 310 ---------------
SOURCES/disable_static_tests_part1.patch | 288 ++++++++++++++
SOURCES/disable_static_tests_part2.patch | 36 ++
SOURCES/fix-memory-leak-evp-sign-verify.patch | 48 +++
SOURCES/fix-test-1024-leaf-certs.patch | 13 +
SOURCES/go1.5-zoneinfo_testing_only.patch | 73 ----
SOURCES/ppc64le-internal-linker-fix.patch | 122 ++++++
SOURCES/remove_ed25519vectors_test.patch | 128 ------
SOURCES/skip_test_rhbz1939923.patch | 12 +
SPECS/golang.spec | 120 +++---
13 files changed, 596 insertions(+), 923 deletions(-)
delete mode 100644 SOURCES/big-endian.patch
delete mode 100644 SOURCES/disable_static_external_tests.patch
create mode 100644 SOURCES/disable_static_tests_part1.patch
create mode 100644 SOURCES/disable_static_tests_part2.patch
create mode 100644 SOURCES/fix-memory-leak-evp-sign-verify.patch
create mode 100644 SOURCES/fix-test-1024-leaf-certs.patch
delete mode 100644 SOURCES/go1.5-zoneinfo_testing_only.patch
create mode 100644 SOURCES/ppc64le-internal-linker-fix.patch
delete mode 100644 SOURCES/remove_ed25519vectors_test.patch
create mode 100644 SOURCES/skip_test_rhbz1939923.patch
diff --git a/.gitignore b/.gitignore
index b00ba2b..a4a244e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-SOURCES/go1.18.10-1-openssl-fips.tar.gz
+SOURCES/go1.19.4-1-openssl-fips.tar.gz
+SOURCES/go1.19.4.tar.gz
diff --git a/.golang.metadata b/.golang.metadata
index 4671c5c..2d6b49a 100644
--- a/.golang.metadata
+++ b/.golang.metadata
@@ -1 +1,2 @@
-d12404b2ef5e4e0ed1d9f735cb487812c1c6ceb1 SOURCES/go1.18.10-1-openssl-fips.tar.gz
+9463e718b1a8daa61009caa6c113197cbefbe9eb SOURCES/go1.19.4-1-openssl-fips.tar.gz
+6debf76aa6fb97daff4d49502153a47093883c28 SOURCES/go1.19.4.tar.gz
diff --git a/SOURCES/big-endian.patch b/SOURCES/big-endian.patch
deleted file mode 100644
index 57e1d68..0000000
--- a/SOURCES/big-endian.patch
+++ /dev/null
@@ -1,363 +0,0 @@
-diff --git a/src/crypto/internal/boring/goopenssl.h b/src/crypto/internal/boring/goopenssl.h
-index 4820385f67..2415702b28 100644
---- a/src/crypto/internal/boring/goopenssl.h
-+++ b/src/crypto/internal/boring/goopenssl.h
-@@ -76,7 +76,7 @@ _goboringcrypto_DLOPEN_OPENSSL(void)
- #include <openssl/opensslv.h>
- #include <openssl/ssl.h>
-
--DEFINEFUNCINTERNAL(int, OPENSSL_init, (void), ())
-+DEFINEFUNCINTERNAL(void, OPENSSL_init, (void), ())
-
- static unsigned long _goboringcrypto_internal_OPENSSL_VERSION_NUMBER(void) {
- return OPENSSL_VERSION_NUMBER;
-@@ -97,35 +97,32 @@ DEFINEFUNCINTERNAL(void, ERR_error_string_n, (unsigned long e, unsigned char *bu
-
- #include <openssl/crypto.h>
-
--DEFINEFUNCINTERNAL(int, CRYPTO_num_locks, (void), ())
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+DEFINEFUNC(int, CRYPTO_num_locks, (void), ())
-+#else
- static inline int
- _goboringcrypto_CRYPTO_num_locks(void) {
-+ return CRYPTO_num_locks(); /* defined as macro */
-+}
-+#endif
- #if OPENSSL_VERSION_NUMBER < 0x10100000L
-- return _goboringcrypto_internal_CRYPTO_num_locks();
-+DEFINEFUNC(void, CRYPTO_set_id_callback, (unsigned long (*id_function)(void)), (id_function))
- #else
-- return CRYPTO_num_locks();
--#endif
--}
--DEFINEFUNCINTERNAL(void, CRYPTO_set_id_callback, (unsigned long (*id_function)(void)), (id_function))
- static inline void
- _goboringcrypto_CRYPTO_set_id_callback(unsigned long (*id_function)(void)) {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-- _goboringcrypto_internal_CRYPTO_set_id_callback(id_function);
--#else
-- CRYPTO_set_id_callback(id_function);
--#endif
-+ CRYPTO_set_id_callback(id_function); /* defined as macro */
- }
--DEFINEFUNCINTERNAL(void, CRYPTO_set_locking_callback,
-+#endif
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+DEFINEFUNC(void, CRYPTO_set_locking_callback,
- (void (*locking_function)(int mode, int n, const char *file, int line)),
- (locking_function))
-+#else
- static inline void
- _goboringcrypto_CRYPTO_set_locking_callback(void (*locking_function)(int mode, int n, const char *file, int line)) {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-- _goboringcrypto_internal_CRYPTO_set_locking_callback(locking_function);
--#else
-- CRYPTO_set_locking_callback(locking_function);
--#endif
-+ CRYPTO_set_locking_callback(locking_function); /* defined as macro */
- }
-+#endif
-
- int _goboringcrypto_OPENSSL_thread_setup(void);
-
-@@ -206,10 +203,16 @@ DEFINEFUNC(const GO_EVP_MD *, EVP_sha384, (void), ())
- DEFINEFUNC(const GO_EVP_MD *, EVP_sha512, (void), ())
- #if OPENSSL_VERSION_NUMBER < 0x30000000L
- DEFINEFUNCINTERNAL(int, EVP_MD_type, (const GO_EVP_MD *arg0), (arg0))
-+DEFINEFUNCINTERNAL(size_t, EVP_MD_size, (const GO_EVP_MD *arg0), (arg0))
-+static inline int
-+_goboringcrypto_EVP_MD_get_size(const GO_EVP_MD *arg0)
-+{
-+ return _goboringcrypto_internal_EVP_MD_size(arg0);
-+}
- #else
- DEFINEFUNCINTERNAL(int, EVP_MD_get_type, (const GO_EVP_MD *arg0), (arg0))
-+DEFINEFUNC(int, EVP_MD_get_size, (const GO_EVP_MD *arg0), (arg0))
- #endif
--DEFINEFUNCINTERNAL(size_t, EVP_MD_size, (const GO_EVP_MD *arg0), (arg0))
- DEFINEFUNCINTERNAL(const GO_EVP_MD*, EVP_md5_sha1, (void), ())
-
- # include <openssl/md5.h>
-@@ -240,8 +243,6 @@ _goboringcrypto_EVP_md5_sha1(void) {
-
- typedef HMAC_CTX GO_HMAC_CTX;
-
--DEFINEFUNC(void, HMAC_CTX_init, (GO_HMAC_CTX * arg0), (arg0))
--DEFINEFUNC(void, HMAC_CTX_cleanup, (GO_HMAC_CTX * arg0), (arg0))
- DEFINEFUNC(int, HMAC_Init_ex,
- (GO_HMAC_CTX * arg0, const void *arg1, int arg2, const GO_EVP_MD *arg3, ENGINE *arg4),
- (arg0, arg1, arg2, arg3, arg4))
-@@ -249,59 +250,57 @@ DEFINEFUNC(int, HMAC_Update, (GO_HMAC_CTX * arg0, const uint8_t *arg1, size_t ar
- DEFINEFUNC(int, HMAC_Final, (GO_HMAC_CTX * arg0, uint8_t *arg1, unsigned int *arg2), (arg0, arg1, arg2))
- DEFINEFUNC(size_t, HMAC_CTX_copy, (GO_HMAC_CTX *dest, GO_HMAC_CTX *src), (dest, src))
-
--DEFINEFUNCINTERNAL(void, HMAC_CTX_free, (GO_HMAC_CTX * arg0), (arg0))
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+DEFINEFUNCINTERNAL(void, HMAC_CTX_cleanup, (GO_HMAC_CTX * arg0), (arg0))
- static inline void
- _goboringcrypto_HMAC_CTX_free(HMAC_CTX *ctx) {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (ctx != NULL) {
-- _goboringcrypto_HMAC_CTX_cleanup(ctx);
-+ _goboringcrypto_internal_HMAC_CTX_cleanup(ctx);
- free(ctx);
- }
-+}
- #else
-- _goboringcrypto_internal_HMAC_CTX_free(ctx);
-+DEFINEFUNC(void, HMAC_CTX_free, (GO_HMAC_CTX * arg0), (arg0))
- #endif
--}
-
--DEFINEFUNCINTERNAL(EVP_MD*, HMAC_CTX_get_md, (const GO_HMAC_CTX* ctx), (ctx))
--DEFINEFUNCINTERNAL(size_t, EVP_MD_get_size, (const GO_EVP_MD *arg0), (arg0))
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- static inline size_t
- _goboringcrypto_HMAC_size(const GO_HMAC_CTX* arg0) {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-- return _goboringcrypto_internal_EVP_MD_size(arg0->md);
--#elif OPENSSL_VERSION_NUMBER >= 0x30000000L
-- const EVP_MD* md;
-- md = _goboringcrypto_internal_HMAC_CTX_get_md(arg0);
-- return _goboringcrypto_internal_EVP_MD_get_size(md);
-+ return _goboringcrypto_EVP_MD_get_size(arg0->md);
-+}
- #else
-+DEFINEFUNCINTERNAL(const EVP_MD*, HMAC_CTX_get_md, (const GO_HMAC_CTX* ctx), (ctx))
-+static inline size_t
-+_goboringcrypto_HMAC_size(const GO_HMAC_CTX* arg0) {
- const EVP_MD* md;
- md = _goboringcrypto_internal_HMAC_CTX_get_md(arg0);
-- return _goboringcrypto_internal_EVP_MD_size(md);
--#endif
-+ return _goboringcrypto_EVP_MD_get_size(md);
- }
-+#endif
-
--DEFINEFUNCINTERNAL(GO_HMAC_CTX*, HMAC_CTX_new, (void), ())
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+DEFINEFUNCINTERNAL(void, HMAC_CTX_init, (GO_HMAC_CTX * arg0), (arg0))
- static inline GO_HMAC_CTX*
- _goboringcrypto_HMAC_CTX_new(void) {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
- GO_HMAC_CTX* ctx = malloc(sizeof(GO_HMAC_CTX));
- if (ctx != NULL)
-- _goboringcrypto_HMAC_CTX_init(ctx);
-+ _goboringcrypto_internal_HMAC_CTX_init(ctx);
- return ctx;
-+}
- #else
-- return _goboringcrypto_internal_HMAC_CTX_new();
-+DEFINEFUNC(GO_HMAC_CTX*, HMAC_CTX_new, (void), ())
- #endif
--}
-
--DEFINEFUNCINTERNAL(void, HMAC_CTX_reset, (GO_HMAC_CTX * arg0), (arg0))
--static inline void
--_goboringcrypto_HMAC_CTX_reset(GO_HMAC_CTX* ctx) {
- #if OPENSSL_VERSION_NUMBER < 0x10100000L
-- _goboringcrypto_HMAC_CTX_cleanup(ctx);
-- _goboringcrypto_HMAC_CTX_init(ctx);
-+static inline int
-+_goboringcrypto_HMAC_CTX_reset(GO_HMAC_CTX* ctx) {
-+ _goboringcrypto_internal_HMAC_CTX_cleanup(ctx);
-+ _goboringcrypto_internal_HMAC_CTX_init(ctx);
-+ return 0;
-+}
- #else
-- _goboringcrypto_internal_HMAC_CTX_reset(ctx);
-+DEFINEFUNC(int, HMAC_CTX_reset, (GO_HMAC_CTX * arg0), (arg0))
- #endif
--}
-
- int _goboringcrypto_HMAC_CTX_copy_ex(GO_HMAC_CTX *dest, const GO_HMAC_CTX *src);
-
-@@ -408,16 +407,14 @@ DEFINEFUNCINTERNAL(int, ECDSA_verify,
- (int type, const unsigned char *dgst, size_t dgstlen, const unsigned char *sig, unsigned int siglen, EC_KEY *eckey),
- (type, dgst, dgstlen, sig, siglen, eckey))
-
--DEFINEFUNCINTERNAL(EVP_MD_CTX*, EVP_MD_CTX_new, (void), ())
--DEFINEFUNCINTERNAL(EVP_MD_CTX*, EVP_MD_CTX_create, (void), ())
--
--static inline EVP_MD_CTX* _goboringcrypto_EVP_MD_CTX_create(void) {
- #if OPENSSL_VERSION_NUMBER < 0x10100000L
-- return _goboringcrypto_internal_EVP_MD_CTX_create();
-+DEFINEFUNC(EVP_MD_CTX*, EVP_MD_CTX_create, (void), ())
- #else
-+DEFINEFUNCINTERNAL(EVP_MD_CTX*, EVP_MD_CTX_new, (void), ())
-+static inline EVP_MD_CTX* _goboringcrypto_EVP_MD_CTX_create(void) {
- return _goboringcrypto_internal_EVP_MD_CTX_new();
--#endif
- }
-+#endif
-
- DEFINEFUNCINTERNAL(int, EVP_PKEY_assign,
- (EVP_PKEY *pkey, int type, void *eckey),
-@@ -441,7 +438,7 @@ DEFINEFUNC(int, EVP_DigestUpdate,
- (EVP_MD_CTX* ctx, const void *d, size_t cnt),
- (ctx, d, cnt))
- DEFINEFUNC(int, EVP_DigestSignFinal,
-- (EVP_MD_CTX* ctx, unsigned char *sig, unsigned int *siglen),
-+ (EVP_MD_CTX* ctx, unsigned char *sig, size_t *siglen),
- (ctx, sig, siglen))
-
- DEFINEFUNC(int, EVP_DigestVerifyInit,
-@@ -451,18 +448,17 @@ DEFINEFUNC(int, EVP_DigestVerifyFinal,
- (EVP_MD_CTX* ctx, const uint8_t *sig, unsigned int siglen),
- (ctx, sig, siglen))
-
--int _goboringcrypto_EVP_sign(EVP_MD* md, EVP_PKEY_CTX *ctx, const uint8_t *msg, size_t msgLen, uint8_t *sig, unsigned int *slen, EVP_PKEY *eckey);
-+int _goboringcrypto_EVP_sign(EVP_MD* md, EVP_PKEY_CTX *ctx, const uint8_t *msg, size_t msgLen, uint8_t *sig, size_t *slen, EVP_PKEY *eckey);
- int _goboringcrypto_EVP_verify(EVP_MD* md, EVP_PKEY_CTX *ctx, const uint8_t *msg, size_t msgLen, const uint8_t *sig, unsigned int slen, EVP_PKEY *key);
-
--DEFINEFUNCINTERNAL(void, EVP_MD_CTX_free, (EVP_MD_CTX *ctx), (ctx))
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- DEFINEFUNCINTERNAL(void, EVP_MD_CTX_destroy, (EVP_MD_CTX *ctx), (ctx))
- static inline void _goboringcrypto_EVP_MD_CTX_free(EVP_MD_CTX *ctx) {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
- return _goboringcrypto_internal_EVP_MD_CTX_destroy(ctx);
-+}
- #else
-- return _goboringcrypto_internal_EVP_MD_CTX_free(ctx);
-+DEFINEFUNC(void, EVP_MD_CTX_free, (EVP_MD_CTX *ctx), (ctx))
- #endif
--}
-
- int _goboringcrypto_ECDSA_sign(EVP_MD *md, const uint8_t *arg1, size_t arg2, uint8_t *arg3, unsigned int *arg4, GO_EC_KEY *arg5);
- int _goboringcrypto_ECDSA_verify(EVP_MD *md, const uint8_t *arg1, size_t arg2, const uint8_t *arg3, unsigned int arg4, GO_EC_KEY *arg5);
-@@ -473,7 +469,7 @@ int _goboringcrypto_ECDSA_verify(EVP_MD *md, const uint8_t *arg1, size_t arg2, c
- typedef RSA GO_RSA;
- typedef BN_GENCB GO_BN_GENCB;
-
--int _goboringcrypto_EVP_RSA_sign(EVP_MD* md, const uint8_t *msg, unsigned int msgLen, uint8_t *sig, unsigned int *slen, RSA *rsa);
-+int _goboringcrypto_EVP_RSA_sign(EVP_MD* md, const uint8_t *msg, unsigned int msgLen, uint8_t *sig, size_t *slen, RSA *rsa);
- int _goboringcrypto_EVP_RSA_verify(EVP_MD* md, const uint8_t *msg, unsigned int msgLen, const uint8_t *sig, unsigned int slen, GO_RSA *rsa);
-
- DEFINEFUNC(GO_RSA *, RSA_new, (void), ())
-@@ -774,10 +770,10 @@ _goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(GO_EVP_PKEY_CTX * ctx, const GO_EVP
- }
-
- DEFINEFUNC(int, EVP_PKEY_decrypt,
-- (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, unsigned int *arg2, const uint8_t *arg3, unsigned int arg4),
-+ (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, size_t *arg2, const uint8_t *arg3, unsigned int arg4),
- (arg0, arg1, arg2, arg3, arg4))
- DEFINEFUNC(int, EVP_PKEY_encrypt,
-- (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, unsigned int *arg2, const uint8_t *arg3, unsigned int arg4),
-+ (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, size_t *arg2, const uint8_t *arg3, unsigned int arg4),
- (arg0, arg1, arg2, arg3, arg4))
- DEFINEFUNC(int, EVP_PKEY_decrypt_init, (GO_EVP_PKEY_CTX * arg0), (arg0))
- DEFINEFUNC(int, EVP_PKEY_encrypt_init, (GO_EVP_PKEY_CTX * arg0), (arg0))
-diff --git a/src/crypto/internal/boring/openssl_ecdsa_signature.c b/src/crypto/internal/boring/openssl_ecdsa_signature.c
-index 710d0744ff..9d0056c5f7 100644
---- a/src/crypto/internal/boring/openssl_ecdsa_signature.c
-+++ b/src/crypto/internal/boring/openssl_ecdsa_signature.c
-@@ -18,7 +18,9 @@ _goboringcrypto_ECDSA_sign(EVP_MD* md, const uint8_t *msg, size_t msgLen, uint8_
- result = 0;
- goto err;
- }
-- result = _goboringcrypto_EVP_sign(md, NULL, msg, msgLen, sig, slen, key);
-+ size_t _slen;
-+ result = _goboringcrypto_EVP_sign(md, NULL, msg, msgLen, sig, &_slen, key);
-+ *slen = _slen;
- err:
- _goboringcrypto_EVP_PKEY_free(key);
- return result;
-diff --git a/src/crypto/internal/boring/openssl_evp.c b/src/crypto/internal/boring/openssl_evp.c
-index 36be702224..8b81fd71f6 100644
---- a/src/crypto/internal/boring/openssl_evp.c
-+++ b/src/crypto/internal/boring/openssl_evp.c
-@@ -7,7 +7,7 @@
- #include "goboringcrypto.h"
-
- int
--_goboringcrypto_EVP_sign(EVP_MD* md, EVP_PKEY_CTX *ctx, const uint8_t *msg, size_t msgLen, uint8_t *sig, unsigned int *slen, EVP_PKEY *key) {
-+_goboringcrypto_EVP_sign(EVP_MD* md, EVP_PKEY_CTX *ctx, const uint8_t *msg, size_t msgLen, uint8_t *sig, size_t *slen, EVP_PKEY *key) {
- EVP_MD_CTX *mdctx = NULL;
- int ret = 0;
-
-diff --git a/src/crypto/internal/boring/openssl_port_rsa.c b/src/crypto/internal/boring/openssl_port_rsa.c
-index 5174f662c9..3ad4e69e9d 100644
---- a/src/crypto/internal/boring/openssl_port_rsa.c
-+++ b/src/crypto/internal/boring/openssl_port_rsa.c
-@@ -19,7 +19,7 @@ int _goboringcrypto_RSA_generate_key_fips(GO_RSA *rsa, int size, GO_BN_GENCB *cb
- return ret;
- }
-
--int _goboringcrypto_RSA_digest_and_sign_pss_mgf1(GO_RSA *rsa, unsigned int *out_len, uint8_t *out, size_t max_out,
-+int _goboringcrypto_RSA_digest_and_sign_pss_mgf1(GO_RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
- const uint8_t *in, size_t in_len, EVP_MD *md, const EVP_MD *mgf1_md, int salt_len)
- {
- EVP_PKEY_CTX *ctx;
-@@ -173,7 +173,7 @@ err:
- return ret;
- }
-
--int _goboringcrypto_EVP_RSA_sign(EVP_MD *md, const uint8_t *msg, unsigned int msgLen, uint8_t *sig, unsigned int *slen, RSA *rsa)
-+int _goboringcrypto_EVP_RSA_sign(EVP_MD *md, const uint8_t *msg, unsigned int msgLen, uint8_t *sig, size_t *slen, RSA *rsa)
- {
- int result;
- EVP_PKEY *key = _goboringcrypto_EVP_PKEY_new();
-diff --git a/src/crypto/internal/boring/rsa.go b/src/crypto/internal/boring/rsa.go
-index b1a2f57abd..e47ca3bb63 100644
---- a/src/crypto/internal/boring/rsa.go
-+++ b/src/crypto/internal/boring/rsa.go
-@@ -200,7 +200,7 @@ func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
- func cryptRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
- padding C.int, h hash.Hash, label []byte, saltLen int, ch crypto.Hash,
- init func(*C.GO_EVP_PKEY_CTX) C.int,
-- crypt func(*C.GO_EVP_PKEY_CTX, *C.uint8_t, *C.uint, *C.uint8_t, C.uint) C.int,
-+ crypt func(*C.GO_EVP_PKEY_CTX, *C.uint8_t, *C.size_t, *C.uint8_t, C.uint) C.int,
- in []byte) ([]byte, error) {
-
- pkey, ctx, err := setupRSA(withKey, padding, h, label, saltLen, ch, init)
-@@ -210,7 +210,7 @@ func cryptRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
- defer C._goboringcrypto_EVP_PKEY_free(pkey)
- defer C._goboringcrypto_EVP_PKEY_CTX_free(ctx)
-
-- var outLen C.uint
-+ var outLen C.size_t
- if crypt(ctx, nil, &outLen, base(in), C.uint(len(in))) == 0 {
- return nil, NewOpenSSLError("EVP_PKEY_decrypt/encrypt failed")
- }
-@@ -251,7 +251,7 @@ func decryptInit(ctx *C.GO_EVP_PKEY_CTX) C.int {
- return C._goboringcrypto_EVP_PKEY_decrypt_init(ctx)
- }
-
--func decrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.uint, in *C.uint8_t, inLen C.uint) C.int {
-+func decrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.size_t, in *C.uint8_t, inLen C.uint) C.int {
- return C._goboringcrypto_EVP_PKEY_decrypt(ctx, out, outLen, in, inLen)
- }
-
-@@ -259,7 +259,7 @@ func encryptInit(ctx *C.GO_EVP_PKEY_CTX) C.int {
- return C._goboringcrypto_EVP_PKEY_encrypt_init(ctx)
- }
-
--func encrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.uint, in *C.uint8_t, inLen C.uint) C.int {
-+func encrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.size_t, in *C.uint8_t, inLen C.uint) C.int {
- return C._goboringcrypto_EVP_PKEY_encrypt(ctx, out, outLen, in, inLen)
- }
-
-@@ -307,10 +307,9 @@ func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, msg []byte, msgIsHashed
- return nil, errors.New("crypto/rsa: unsupported hash function: " + strconv.Itoa(int(h)))
- }
-
-- var out []byte
-- var outLen C.uint
--
- if msgIsHashed {
-+ var out []byte
-+ var outLen C.uint
- PanicIfStrictFIPS("You must provide a raw unhashed message for PKCS1v15 signing and use HashSignPKCS1v15 instead of SignPKCS1v15")
- nid := C._goboringcrypto_EVP_MD_type(md)
- if priv.withKey(func(key *C.GO_RSA) C.int {
-@@ -323,6 +322,9 @@ func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, msg []byte, msgIsHashed
- return out[:outLen], nil
- }
-
-+ var out []byte
-+ var outLen C.size_t
-+
- if priv.withKey(func(key *C.GO_RSA) C.int {
- return C._goboringcrypto_EVP_RSA_sign(md, base(msg), C.uint(len(msg)), base(out), &outLen, key)
- }) == 0 {
diff --git a/SOURCES/disable_static_external_tests.patch b/SOURCES/disable_static_external_tests.patch
deleted file mode 100644
index 55181ca..0000000
--- a/SOURCES/disable_static_external_tests.patch
+++ /dev/null
@@ -1,310 +0,0 @@
-diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go
-index d9eb9c3..506f979 100644
---- a/src/cmd/dist/test.go
-+++ b/src/cmd/dist/test.go
-@@ -1180,18 +1180,20 @@ func (t *tester) cgoTest(dt *distTest) error {
- fmt.Println("No support for static linking found (lacks libc.a?), skip cgo static linking test.")
- } else {
- if goos != "android" {
-- t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`)
-+ t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, "-tags=no_openssl")
- }
- t.addCmd(dt, "misc/cgo/nocgo", t.goTest())
- t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external`)
- if goos != "android" {
-- t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`)
-+ t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, "-tags=no_openssl")
-+ /*
- t.addCmd(dt, "misc/cgo/test", t.goTest(), "-tags=static", "-ldflags", `-linkmode=external -extldflags "-static -pthread"`)
- // -static in CGO_LDFLAGS triggers a different code path
- // than -static in -extldflags, so test both.
- // See issue #16651.
- cmd := t.addCmd(dt, "misc/cgo/test", t.goTest(), "-tags=static")
- setEnv(cmd, "CGO_LDFLAGS", "-static -pthread")
-+ */
- }
- }
-
-@@ -1201,7 +1203,7 @@ func (t *tester) cgoTest(dt *distTest) error {
- t.addCmd(dt, "misc/cgo/test", t.goTest(), "-buildmode=pie", "-ldflags=-linkmode=internal", "-tags=internal,internal_pie")
- }
- t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-buildmode=pie")
-- t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie")
-+ t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie", "-tags=no_openssl")
- }
- }
- }
-diff --git a/src/crypto/internal/boring/aes.go b/src/crypto/internal/boring/aes.go
-index a495bd7..2c6107b 100644
---- a/src/crypto/internal/boring/aes.go
-+++ b/src/crypto/internal/boring/aes.go
-@@ -2,8 +2,8 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
--// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
-+//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
-+// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
-
- package boring
-
-diff --git a/src/crypto/internal/boring/aes_test.go b/src/crypto/internal/boring/aes_test.go
-index 3b4c364..371bc20 100644
---- a/src/crypto/internal/boring/aes_test.go
-+++ b/src/crypto/internal/boring/aes_test.go
-@@ -1,9 +1,5 @@
--// +build linux
--// +build !android
--// +build !no_openssl
--// +build !cmd_go_bootstrap
--// +build !msan
--// +build cgo
-+//go:build linux && !android && !no_openssl && !cmd_go_bootstrap && !msan && cgo && !static
-+// +build linux,!android,!no_openssl,!cmd_go_bootstrap,!msan,cgo,!static
-
- package boring
-
-diff --git a/src/crypto/internal/boring/boring.go b/src/crypto/internal/boring/boring.go
-index ec6e80c..05431b1 100644
---- a/src/crypto/internal/boring/boring.go
-+++ b/src/crypto/internal/boring/boring.go
-@@ -2,8 +2,8 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
--// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
-+//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
-+// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
-
- package boring
-
-diff --git a/src/crypto/internal/boring/ecdsa.go b/src/crypto/internal/boring/ecdsa.go
-index f72da41..33ee442 100644
---- a/src/crypto/internal/boring/ecdsa.go
-+++ b/src/crypto/internal/boring/ecdsa.go
-@@ -2,8 +2,8 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
--// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
-+//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
-+// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
-
- package boring
-
-diff --git a/src/crypto/internal/boring/goboringcrypto.h b/src/crypto/internal/boring/goboringcrypto.h
-index 4547ade..b8aaae4 100644
---- a/src/crypto/internal/boring/goboringcrypto.h
-+++ b/src/crypto/internal/boring/goboringcrypto.h
-@@ -1,6 +1,12 @@
- // Copyright 2017 The Go Authors. All rights reserved.
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-+// +build linux
-+// +build !android
-+// +build !no_openssl
-+// +build !cmd_go_bootstrap
-+// +build !msan
-+// +build !static
-
- // This header file describes the BoringCrypto ABI as built for use in Go.
- // The BoringCrypto build for Go (which generates goboringcrypto_*.syso)
-diff --git a/src/crypto/internal/boring/goopenssl.h b/src/crypto/internal/boring/goopenssl.h
-index 4820385..ac41482 100644
---- a/src/crypto/internal/boring/goopenssl.h
-+++ b/src/crypto/internal/boring/goopenssl.h
-@@ -6,6 +6,7 @@
- // +build !no_openssl
- // +build !cmd_go_bootstrap
- // +build !msan
-+// +build !static
-
- // This header file describes the OpenSSL ABI as built for use in Go.
-
-diff --git a/src/crypto/internal/boring/hmac.go b/src/crypto/internal/boring/hmac.go
-index 4e913c3..10cfbb3 100644
---- a/src/crypto/internal/boring/hmac.go
-+++ b/src/crypto/internal/boring/hmac.go
-@@ -2,8 +2,8 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
--// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
-+//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
-+// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
-
- package boring
-
-diff --git a/src/crypto/internal/boring/notboring.go b/src/crypto/internal/boring/notboring.go
-index e513834..08c5245 100644
---- a/src/crypto/internal/boring/notboring.go
-+++ b/src/crypto/internal/boring/notboring.go
-@@ -2,8 +2,8 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl
--// +build !linux !cgo android cmd_go_bootstrap msan no_openssl
-+//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl || static
-+// +build !linux !cgo android cmd_go_bootstrap msan no_openssl static
-
- package boring
-
-diff --git a/src/crypto/internal/boring/openssl_ecdsa_signature.c b/src/crypto/internal/boring/openssl_ecdsa_signature.c
-index 710d074..853be3d 100644
---- a/src/crypto/internal/boring/openssl_ecdsa_signature.c
-+++ b/src/crypto/internal/boring/openssl_ecdsa_signature.c
-@@ -3,6 +3,7 @@
- // +build !no_openssl
- // +build !cmd_go_bootstrap
- // +build !msan
-+// +build !static
-
- #include "goboringcrypto.h"
-
-diff --git a/src/crypto/internal/boring/openssl_evp.c b/src/crypto/internal/boring/openssl_evp.c
-index 36be702..331dfd3 100644
---- a/src/crypto/internal/boring/openssl_evp.c
-+++ b/src/crypto/internal/boring/openssl_evp.c
-@@ -3,6 +3,7 @@
- // +build !no_openssl
- // +build !cmd_go_bootstrap
- // +build !msan
-+// +build !static
-
- #include "goboringcrypto.h"
-
-diff --git a/src/crypto/internal/boring/openssl_lock_setup.c b/src/crypto/internal/boring/openssl_lock_setup.c
-index 955924e..c0f3435 100644
---- a/src/crypto/internal/boring/openssl_lock_setup.c
-+++ b/src/crypto/internal/boring/openssl_lock_setup.c
-@@ -3,6 +3,7 @@
- // +build !no_openssl
- // +build !cmd_go_bootstrap
- // +build !msan
-+// +build !static
-
- #include "goboringcrypto.h"
- #include <stdio.h>
-diff --git a/src/crypto/internal/boring/openssl_port_aead_gcm.c b/src/crypto/internal/boring/openssl_port_aead_gcm.c
-index b39bf54..80c933a 100644
---- a/src/crypto/internal/boring/openssl_port_aead_gcm.c
-+++ b/src/crypto/internal/boring/openssl_port_aead_gcm.c
-@@ -4,6 +4,7 @@
- // +build !no_openssl
- // +build !cmd_go_bootstrap
- // +build !msan
-+// +build !static
-
- #include "goboringcrypto.h"
- #include <openssl/err.h>
-diff --git a/src/crypto/internal/boring/openssl_port_ctr128.c b/src/crypto/internal/boring/openssl_port_ctr128.c
-index abaff5c..e2263a5 100644
---- a/src/crypto/internal/boring/openssl_port_ctr128.c
-+++ b/src/crypto/internal/boring/openssl_port_ctr128.c
-@@ -3,6 +3,7 @@
- // +build !no_openssl
- // +build !cmd_go_bootstrap
- // +build !msan
-+// +build !static
-
- #include "goboringcrypto.h"
-
-diff --git a/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c b/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c
-index 8418c38..39bf3ae 100644
---- a/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c
-+++ b/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c
-@@ -4,6 +4,7 @@
- // +build !no_openssl
- // +build !cmd_go_bootstrap
- // +build !msan
-+// +build !static
-
- // The following is a partial backport of crypto/evp/m_md5_sha1.c,
- // commit cbc8a839959418d8a2c2e3ec6bdf394852c9501e on the
-diff --git a/src/crypto/internal/boring/openssl_port_hmac.c b/src/crypto/internal/boring/openssl_port_hmac.c
-index be7c71a..35e1860 100644
---- a/src/crypto/internal/boring/openssl_port_hmac.c
-+++ b/src/crypto/internal/boring/openssl_port_hmac.c
-@@ -4,6 +4,8 @@
- // +build !no_openssl
- // +build !cmd_go_bootstrap
- // +build !msan
-+// +build !static
-+
-
- #include "goboringcrypto.h"
-
-diff --git a/src/crypto/internal/boring/openssl_port_rsa.c b/src/crypto/internal/boring/openssl_port_rsa.c
-index 5174f66..a8008e9 100644
---- a/src/crypto/internal/boring/openssl_port_rsa.c
-+++ b/src/crypto/internal/boring/openssl_port_rsa.c
-@@ -4,6 +4,7 @@
- // +build !no_openssl
- // +build !cmd_go_bootstrap
- // +build !msan
-+// +build !static
-
- #include "goboringcrypto.h"
-
-diff --git a/src/crypto/internal/boring/openssl_stub_rand.c b/src/crypto/internal/boring/openssl_stub_rand.c
-index 18d6777..e8ac53b 100644
---- a/src/crypto/internal/boring/openssl_stub_rand.c
-+++ b/src/crypto/internal/boring/openssl_stub_rand.c
-@@ -3,6 +3,7 @@
- // +build !no_openssl
- // +build !cmd_go_bootstrap
- // +build !msan
-+// +build !static
-
- #include "goboringcrypto.h"
- #include <openssl/rand.h>
-diff --git a/src/crypto/internal/boring/rand.go b/src/crypto/internal/boring/rand.go
-index e9c334f..3adbd4d 100644
---- a/src/crypto/internal/boring/rand.go
-+++ b/src/crypto/internal/boring/rand.go
-@@ -2,8 +2,8 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
--// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
-+//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
-+// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
-
- package boring
-
-diff --git a/src/crypto/internal/boring/rsa.go b/src/crypto/internal/boring/rsa.go
-index b1a2f57..0cabadb 100644
---- a/src/crypto/internal/boring/rsa.go
-+++ b/src/crypto/internal/boring/rsa.go
-@@ -2,8 +2,8 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
--// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
-+//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
-+// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
-
- package boring
-
-diff --git a/src/crypto/internal/boring/sha.go b/src/crypto/internal/boring/sha.go
-index bdcc782..6184d6c 100644
---- a/src/crypto/internal/boring/sha.go
-+++ b/src/crypto/internal/boring/sha.go
-@@ -2,8 +2,8 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
--//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
--// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
-+//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
-+// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
-
- package boring
-
diff --git a/SOURCES/disable_static_tests_part1.patch b/SOURCES/disable_static_tests_part1.patch
new file mode 100644
index 0000000..5b99e48
--- /dev/null
+++ b/SOURCES/disable_static_tests_part1.patch
@@ -0,0 +1,288 @@
+diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go
+index 5f258a2..5dbbc42 100644
+--- a/src/crypto/internal/backend/nobackend.go
++++ b/src/crypto/internal/backend/nobackend.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+
+-//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl
+-// +build !linux !cgo android cmd_go_bootstrap msan no_openssl
++//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl || static
++// +build !linux !cgo android cmd_go_bootstrap msan no_openssl static
+
+ package backend
+
+diff --git a/src/crypto/internal/boring/goboringcrypto.h b/src/crypto/internal/boring/goboringcrypto.h
+index d6d99b1..f2fe332 100644
+--- a/src/crypto/internal/boring/goboringcrypto.h
++++ b/src/crypto/internal/boring/goboringcrypto.h
+@@ -1,4 +1,5 @@
+ // Copyright 2017 The Go Authors. All rights reserved.
++// +build !static
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+
+diff --git a/src/crypto/internal/boring/syso/syso.go b/src/crypto/internal/boring/syso/syso.go
+index b338754..db5ea1e 100644
+--- a/src/crypto/internal/boring/syso/syso.go
++++ b/src/crypto/internal/boring/syso/syso.go
+@@ -2,7 +2,7 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+
+-//go:build boringcrypto
++//go:build boringcrypto && !static
+
+ // This package only exists with GOEXPERIMENT=boringcrypto.
+ // It provides the actual syso file.
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/aes.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/aes.go
+index 079fc3c..e826d0b 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/aes.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/aes.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+
+ package openssl
+
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go
+index 0b61e79..94d0c98 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+
+ package openssl
+
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
+index afec529..d822152 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+
+ package openssl
+
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
+index 6d6a562..17cc314 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
+@@ -1,4 +1,5 @@
+ // Copyright 2017 The Go Authors. All rights reserved.
++// +build !static
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ // +build linux
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/hkdf.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/hkdf.go
+index ae40b93..17bc075 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/hkdf.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/hkdf.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+
+ package openssl
+
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/hmac.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/hmac.go
+index 6f00177..f466b18 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/hmac.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/hmac.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+
+ package openssl
+
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/notboring.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/notboring.go
+index 7c0b5d6..262af07 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/notboring.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/notboring.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+
+-//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl
+-// +build !linux !cgo android cmd_go_bootstrap msan no_openssl
++//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl || static
++// +build !linux !cgo android cmd_go_bootstrap msan no_openssl static
+
+ package openssl
+
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go
+index d49194d..ff15054 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+
+ package openssl
+
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c
+index 2349db1..57fbb04 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c
+@@ -1,4 +1,5 @@
+ // +build linux
++// +build !static
+ // +build !android
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
+index 4379019..5034c46 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
+@@ -1,4 +1,5 @@
+ // +build linux
++// +build !static
+ // +build !android
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_lock_setup.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_lock_setup.c
+index 49d40a7..3b3dbf8 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_lock_setup.c
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_lock_setup.c
+@@ -1,4 +1,5 @@
+ // +build linux
++// +build !static
+ // +build !android
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_aead_gcm.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_aead_gcm.c
+index 7eb645e..1c3225a 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_aead_gcm.c
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_aead_gcm.c
+@@ -1,4 +1,5 @@
+ // This file contains a port of the BoringSSL AEAD interface.
++// +build !static
+ // +build linux
+ // +build !android
+ // +build !no_openssl
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_ctr128.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_ctr128.c
+index df4ebe3..876393b 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_ctr128.c
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_ctr128.c
+@@ -1,4 +1,5 @@
+ // +build linux
++// +build !static
+ // +build !android
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_evp_md5_sha1.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_evp_md5_sha1.c
+index 2eedd5b..04510d3 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_evp_md5_sha1.c
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_evp_md5_sha1.c
+@@ -1,4 +1,5 @@
+ // This file contains a backport of the EVP_md5_sha1 method.
++// +build !static
+ // +build linux
+ // +build !android
+ // +build !no_openssl
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_hmac.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_hmac.c
+index 362d9e5..bebafef 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_hmac.c
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_hmac.c
+@@ -1,4 +1,5 @@
+ // This file contains HMAC portability wrappers.
++// +build !static
+ // +build linux
+ // +build !android
+ // +build !no_openssl
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c
+index 2824147..8bc1d85 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c
+@@ -1,4 +1,5 @@
+ // This file contains RSA portability wrappers.
++// +build !static
+ // +build linux
+ // +build !android
+ // +build !no_openssl
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_stub_rand.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_stub_rand.c
+index 22bd865..b7aa26b 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_stub_rand.c
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_stub_rand.c
+@@ -1,4 +1,5 @@
+ // +build linux
++// +build !static
+ // +build !android
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rand.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rand.go
+index b3668b8..dcdae70 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rand.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rand.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+
+ package openssl
+
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
+index 915c840..8623d9d 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+
+ package openssl
+
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/sha.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/sha.go
+index 0b55ced..57309c0 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/sha.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/sha.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+
+ package openssl
+
diff --git a/SOURCES/disable_static_tests_part2.patch b/SOURCES/disable_static_tests_part2.patch
new file mode 100644
index 0000000..6ad4e62
--- /dev/null
+++ b/SOURCES/disable_static_tests_part2.patch
@@ -0,0 +1,36 @@
+diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go
+index da5b179..6a772df 100644
+--- a/src/cmd/dist/test.go
++++ b/src/cmd/dist/test.go
+@@ -1247,18 +1247,20 @@ func (t *tester) cgoTest(dt *distTest) error {
+ fmt.Println("No support for static linking found (lacks libc.a?), skip cgo static linking test.")
+ } else {
+ if goos != "android" {
+- t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, ".")
++ t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, "-tags=no_openssl")
+ }
+ t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), ".")
+ t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external`, ".")
+ if goos != "android" {
+- t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, ".")
++ t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, "-tags=no_openssl")
++ /*
+ t.addCmd(dt, "misc/cgo/test", t.goTest(), "-tags=static", "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, ".")
+ // -static in CGO_LDFLAGS triggers a different code path
+ // than -static in -extldflags, so test both.
+ // See issue #16651.
+ cmd := t.addCmd(dt, "misc/cgo/test", t.goTest(), "-tags=static", ".")
+ setEnv(cmd, "CGO_LDFLAGS", "-static -pthread")
++ */
+ }
+ }
+
+@@ -1268,7 +1270,7 @@ func (t *tester) cgoTest(dt *distTest) error {
+ t.addCmd(dt, "misc/cgo/test", t.goTest(), "-buildmode=pie", "-ldflags=-linkmode=internal", "-tags=internal,internal_pie", ".")
+ }
+ t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-buildmode=pie", ".")
+- t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie", ".")
++ t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie", "-tags=no_openssl")
+ }
+ }
+ }
diff --git a/SOURCES/fix-memory-leak-evp-sign-verify.patch b/SOURCES/fix-memory-leak-evp-sign-verify.patch
new file mode 100644
index 0000000..ef231bf
--- /dev/null
+++ b/SOURCES/fix-memory-leak-evp-sign-verify.patch
@@ -0,0 +1,48 @@
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
+index 2124978..1f853b4 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
+@@ -44,7 +44,11 @@ int _goboringcrypto_EVP_sign_raw(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *m
+ GO_RSA *rsa_key) {
+ int ret = 0;
+ GO_EVP_PKEY *pk = _goboringcrypto_EVP_PKEY_new();
+- _goboringcrypto_EVP_PKEY_assign_RSA(pk, rsa_key);
++ if (!pk)
++ return 0;
++
++ if (!(_goboringcrypto_EVP_PKEY_set1_RSA(pk, rsa_key)))
++ goto err;
+
+ if (!ctx && !(ctx = _goboringcrypto_EVP_PKEY_CTX_new(pk, NULL)))
+ goto err;
+@@ -64,6 +68,8 @@ int _goboringcrypto_EVP_sign_raw(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *m
+ err:
+ if (ctx)
+ _goboringcrypto_EVP_PKEY_CTX_free(ctx);
++ if (pk)
++ _goboringcrypto_EVP_PKEY_free(pk);
+
+ return ret;
+ }
+@@ -104,7 +110,11 @@ int _goboringcrypto_EVP_verify_raw(const uint8_t *msg, size_t msgLen,
+ int ret = 0;
+ EVP_PKEY_CTX *ctx;
+ GO_EVP_PKEY *pk = _goboringcrypto_EVP_PKEY_new();
+- _goboringcrypto_EVP_PKEY_assign_RSA(pk, rsa_key);
++ if (!pk)
++ return 0;
++
++ if (!(_goboringcrypto_EVP_PKEY_set1_RSA(pk, rsa_key)))
++ goto err;
+
+ if (!(ctx = _goboringcrypto_EVP_PKEY_CTX_new(pk, NULL)))
+ goto err;
+@@ -124,6 +134,8 @@ int _goboringcrypto_EVP_verify_raw(const uint8_t *msg, size_t msgLen,
+ err:
+ if (ctx)
+ _goboringcrypto_EVP_PKEY_CTX_free(ctx);
++ if (pk)
++ _goboringcrypto_EVP_PKEY_free(pk);
+
+ return ret;
+ }
diff --git a/SOURCES/fix-test-1024-leaf-certs.patch b/SOURCES/fix-test-1024-leaf-certs.patch
new file mode 100644
index 0000000..ee6b25a
--- /dev/null
+++ b/SOURCES/fix-test-1024-leaf-certs.patch
@@ -0,0 +1,13 @@
+diff --git a/src/crypto/tls/boring_test.go b/src/crypto/tls/boring_test.go
+index 10d1cf0..51feb3b 100644
+--- a/src/crypto/tls/boring_test.go
++++ b/src/crypto/tls/boring_test.go
+@@ -326,7 +326,7 @@ func TestBoringCertAlgs(t *testing.T) {
+ I_M2 := boringCert(t, "I_M2", I_R1.key, M2_R1, boringCertCA|boringCertFIPSOK)
+
+ L1_I := boringCert(t, "L1_I", boringECDSAKey(t, elliptic.P384()), I_R1, boringCertLeaf|boringCertFIPSOK)
+- L2_I := boringCert(t, "L2_I", boringRSAKey(t, 1024), I_R1, boringCertLeaf|boringCertNotBoring)
++ L2_I := boringCert(t, "L2_I", boringRSAKey(t, 1024), I_R1, boringCertLeaf)
+
+ // client verifying server cert
+ testServerCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) {
diff --git a/SOURCES/go1.5-zoneinfo_testing_only.patch b/SOURCES/go1.5-zoneinfo_testing_only.patch
deleted file mode 100644
index 5f0046e..0000000
--- a/SOURCES/go1.5-zoneinfo_testing_only.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-diff --git a/src/time/internal_test.go b/src/time/internal_test.go
-index f0dddb7..415949a 100644
---- a/src/time/internal_test.go
-+++ b/src/time/internal_test.go
-@@ -4,13 +4,15 @@
-
- package time
-
-+import "runtime"
-+
- func init() {
- // force US/Pacific for time zone tests
- ForceUSPacificForTesting()
- }
-
- func initTestingZone() {
-- z, err := loadLocation("America/Los_Angeles", zoneSources[len(zoneSources)-1:])
-+ z, err := loadLocation("America/Los_Angeles", zoneSources)
- if err != nil {
- panic("cannot load America/Los_Angeles for testing: " + err.Error() + "; you may want to use -tags=timetzdata")
- }
-@@ -21,8 +23,9 @@ func initTestingZone() {
- var OrigZoneSources = zoneSources
-
- func forceZipFileForTesting(zipOnly bool) {
-- zoneSources = make([]string, len(OrigZoneSources))
-+ zoneSources = make([]string, len(OrigZoneSources)+1)
- copy(zoneSources, OrigZoneSources)
-+ zoneSources = append(zoneSources, runtime.GOROOT()+"/lib/time/zoneinfo.zip")
- if zipOnly {
- zoneSources = zoneSources[len(zoneSources)-1:]
- }
-diff --git a/src/time/zoneinfo_test.go b/src/time/zoneinfo_test.go
-index f032aa7..e3e5547 100644
---- a/src/time/zoneinfo_test.go
-+++ b/src/time/zoneinfo_test.go
-@@ -9,6 +9,7 @@ import (
- "fmt"
- "os"
- "reflect"
-+ "runtime"
- "testing"
- "time"
- )
-@@ -137,7 +138,7 @@ func TestLoadLocationFromTZData(t *testing.T) {
- t.Fatal(err)
- }
-
-- tzinfo, err := time.LoadTzinfo(locationName, time.OrigZoneSources[len(time.OrigZoneSources)-1])
-+ tzinfo, err := time.LoadTzinfo(locationName, runtime.GOROOT()+"/lib/time/zoneinfo.zip")
- if err != nil {
- t.Fatal(err)
- }
-diff --git a/src/time/zoneinfo_unix.go b/src/time/zoneinfo_unix.go
-index 23f8b3c..228db1b 100644
---- a/src/time/zoneinfo_unix.go
-+++ b/src/time/zoneinfo_unix.go
-@@ -12,7 +12,6 @@
- package time
-
- import (
-- "runtime"
- "syscall"
- )
-
-@@ -22,7 +21,6 @@ var zoneSources = []string{
- "/usr/share/zoneinfo/",
- "/usr/share/lib/zoneinfo/",
- "/usr/lib/locale/TZ/",
-- runtime.GOROOT() + "/lib/time/zoneinfo.zip",
- }
-
- func initLocal() {
diff --git a/SOURCES/ppc64le-internal-linker-fix.patch b/SOURCES/ppc64le-internal-linker-fix.patch
new file mode 100644
index 0000000..f54a83b
--- /dev/null
+++ b/SOURCES/ppc64le-internal-linker-fix.patch
@@ -0,0 +1,122 @@
+diff --git a/src/cmd/go/testdata/script/trampoline_reuse_test.txt b/src/cmd/go/testdata/script/trampoline_reuse_test.txt
+new file mode 100644
+index 0000000000000..bca897c16d054
+--- /dev/null
++++ b/src/cmd/go/testdata/script/trampoline_reuse_test.txt
+@@ -0,0 +1,100 @@
++# Verify PPC64 does not reuse a trampoline which is too far away.
++# This tests an edge case where the direct call relocation addend should
++# be ignored when computing the distance from the direct call to the
++# already placed trampoline
++[short] skip
++[!ppc64] [!ppc64le] skip
++[aix] skip
++
++# Note, this program does not run. Presumably, 'DWORD $0' is simpler to
++# assembly 2^26 or so times.
++#
++# We build something which should be laid out as such:
++#
++# bar.Bar
++# main.Func1
++# bar.Bar+400-tramp0
++# main.BigAsm
++# main.Func2
++# bar.Bar+400-tramp1
++#
++# bar.Bar needs to be placed far enough away to generate relocations
++# from main package calls. and main.Func1 and main.Func2 are placed
++# a bit more than the direct call limit apart, but not more than 0x400
++# bytes beyond it (to verify the reloc calc).
++
++go build
++
++-- go.mod --
++
++module foo
++
++go 1.19
++
++-- main.go --
++
++package main
++
++import "foo/bar"
++
++func Func1()
++
++func main() {
++ Func1()
++ bar.Bar2()
++}
++
++-- foo.s --
++
++TEXT main·Func1(SB),0,$0-0
++ CALL bar·Bar+0x400(SB)
++ CALL main·BigAsm(SB)
++// A trampoline will be placed here to bar.Bar
++
++// This creates a gap sufficiently large to prevent trampoline reuse
++#define NOP64 DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0;
++#define NOP256 NOP64 NOP64 NOP64 NOP64
++#define NOP2S10 NOP256 NOP256 NOP256 NOP256
++#define NOP2S12 NOP2S10 NOP2S10 NOP2S10 NOP2S10
++#define NOP2S14 NOP2S12 NOP2S12 NOP2S12 NOP2S12
++#define NOP2S16 NOP2S14 NOP2S14 NOP2S14 NOP2S14
++#define NOP2S18 NOP2S16 NOP2S16 NOP2S16 NOP2S16
++#define NOP2S20 NOP2S18 NOP2S18 NOP2S18 NOP2S18
++#define NOP2S22 NOP2S20 NOP2S20 NOP2S20 NOP2S20
++#define NOP2S24 NOP2S22 NOP2S22 NOP2S22 NOP2S22
++#define BIGNOP NOP2S24 NOP2S24
++TEXT main·BigAsm(SB),0,$0-0
++ // Fill to the direct call limit so Func2 must generate a new trampoline.
++ // As the implicit trampoline above is just barely unreachable.
++ BIGNOP
++ MOVD $main·Func2(SB), R3
++
++TEXT main·Func2(SB),0,$0-0
++ CALL bar·Bar+0x400(SB)
++// Another trampoline should be placed here.
++
++-- bar/bar.s --
++
++#define NOP64 DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0;
++#define NOP256 NOP64 NOP64 NOP64 NOP64
++#define NOP2S10 NOP256 NOP256 NOP256 NOP256
++#define NOP2S12 NOP2S10 NOP2S10 NOP2S10 NOP2S10
++#define NOP2S14 NOP2S12 NOP2S12 NOP2S12 NOP2S12
++#define NOP2S16 NOP2S14 NOP2S14 NOP2S14 NOP2S14
++#define NOP2S18 NOP2S16 NOP2S16 NOP2S16 NOP2S16
++#define NOP2S20 NOP2S18 NOP2S18 NOP2S18 NOP2S18
++#define NOP2S22 NOP2S20 NOP2S20 NOP2S20 NOP2S20
++#define NOP2S24 NOP2S22 NOP2S22 NOP2S22 NOP2S22
++#define BIGNOP NOP2S24 NOP2S24 NOP2S10
++// A very big not very interesting function.
++TEXT bar·Bar(SB),0,$0-0
++ BIGNOP
++
++-- bar/bar.go --
++
++package bar
++
++func Bar()
++
++func Bar2() {
++}
+diff --git a/src/cmd/link/internal/ppc64/asm.go b/src/cmd/link/internal/ppc64/asm.go
+index 5d5fbe2a97735..6313879da083c 100644
+--- a/src/cmd/link/internal/ppc64/asm.go
++++ b/src/cmd/link/internal/ppc64/asm.go
+@@ -900,8 +900,9 @@ func trampoline(ctxt *ld.Link, ldr *loader.Loader, ri int, rs, s loader.Sym) {
+ if ldr.SymValue(tramp) == 0 {
+ break
+ }
+-
+- t = ldr.SymValue(tramp) + r.Add() - (ldr.SymValue(s) + int64(r.Off()))
++ // Note, the trampoline is always called directly. The addend of the original relocation is accounted for in the
++ // trampoline itself.
++ t = ldr.SymValue(tramp) - (ldr.SymValue(s) + int64(r.Off()))
+
+ // With internal linking, the trampoline can be used if it is not too far.
+ // With external linking, the trampoline must be in this section for it to be reused.
diff --git a/SOURCES/remove_ed25519vectors_test.patch b/SOURCES/remove_ed25519vectors_test.patch
deleted file mode 100644
index 45e3182..0000000
--- a/SOURCES/remove_ed25519vectors_test.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-From d7cad65ab9179804e9f089ce97bc124e9ef79494 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Alejandro=20S=C3=A1ez?= <asm@redhat.com>
-Date: Wed, 15 Dec 2021 16:02:15 +0100
-Subject: [PATCH] Remove ed25519vectors_test.go
-
----
- src/crypto/ed25519/ed25519vectors_test.go | 109 ----------------------
- 1 file changed, 109 deletions(-)
- delete mode 100644 src/crypto/ed25519/ed25519vectors_test.go
-
-diff --git a/src/crypto/ed25519/ed25519vectors_test.go b/src/crypto/ed25519/ed25519vectors_test.go
-deleted file mode 100644
-index 74fcdcdf4e..0000000000
---- a/src/crypto/ed25519/ed25519vectors_test.go
-+++ /dev/null
-@@ -1,109 +0,0 @@
--// Copyright 2021 The Go Authors. All rights reserved.
--// Use of this source code is governed by a BSD-style
--// license that can be found in the LICENSE file.
--
--package ed25519_test
--
--import (
-- "crypto/ed25519"
-- "encoding/hex"
-- "encoding/json"
-- "internal/testenv"
-- "os"
-- "os/exec"
-- "path/filepath"
-- "testing"
--)
--
--// TestEd25519Vectors runs a very large set of test vectors that exercise all
--// combinations of low-order points, low-order components, and non-canonical
--// encodings. These vectors lock in unspecified and spec-divergent behaviors in
--// edge cases that are not security relevant in most contexts, but that can
--// cause issues in consensus applications if changed.
--//
--// Our behavior matches the "classic" unwritten verification rules of the
--// "ref10" reference implementation.
--//
--// Note that although we test for these edge cases, they are not covered by the
--// Go 1 Compatibility Promise. Applications that need stable verification rules
--// should use github.com/hdevalence/ed25519consensus.
--//
--// See https://hdevalence.ca/blog/2020-10-04-its-25519am for more details.
--func TestEd25519Vectors(t *testing.T) {
-- jsonVectors := downloadEd25519Vectors(t)
-- var vectors []struct {
-- A, R, S, M string
-- Flags []string
-- }
-- if err := json.Unmarshal(jsonVectors, &vectors); err != nil {
-- t.Fatal(err)
-- }
-- for i, v := range vectors {
-- expectedToVerify := true
-- for _, f := range v.Flags {
-- switch f {
-- // We use the simplified verification formula that doesn't multiply
-- // by the cofactor, so any low order residue will cause the
-- // signature not to verify.
-- //
-- // This is allowed, but not required, by RFC 8032.
-- case "LowOrderResidue":
-- expectedToVerify = false
-- // Our point decoding allows non-canonical encodings (in violation
-- // of RFC 8032) but R is not decoded: instead, R is recomputed and
-- // compared bytewise against the canonical encoding.
-- case "NonCanonicalR":
-- expectedToVerify = false
-- }
-- }
--
-- publicKey := decodeHex(t, v.A)
-- signature := append(decodeHex(t, v.R), decodeHex(t, v.S)...)
-- message := []byte(v.M)
--
-- didVerify := ed25519.Verify(publicKey, message, signature)
-- if didVerify && !expectedToVerify {
-- t.Errorf("#%d: vector with flags %s unexpectedly verified", i, v.Flags)
-- }
-- if !didVerify && expectedToVerify {
-- t.Errorf("#%d: vector with flags %s unexpectedly rejected", i, v.Flags)
-- }
-- }
--}
--
--func downloadEd25519Vectors(t *testing.T) []byte {
-- testenv.MustHaveExternalNetwork(t)
--
-- // Download the JSON test file from the GOPROXY with `go mod download`,
-- // pinning the version so test and module caching works as expected.
-- goTool := testenv.GoToolPath(t)
-- path := "filippo.io/mostly-harmless/ed25519vectors@v0.0.0-20210322192420-30a2d7243a94"
-- cmd := exec.Command(goTool, "mod", "download", "-json", path)
-- // TODO: enable the sumdb once the TryBots proxy supports it.
-- cmd.Env = append(os.Environ(), "GONOSUMDB=*")
-- output, err := cmd.Output()
-- if err != nil {
-- t.Fatalf("failed to run `go mod download -json %s`, output: %s", path, output)
-- }
-- var dm struct {
-- Dir string // absolute path to cached source root directory
-- }
-- if err := json.Unmarshal(output, &dm); err != nil {
-- t.Fatal(err)
-- }
--
-- jsonVectors, err := os.ReadFile(filepath.Join(dm.Dir, "ed25519vectors.json"))
-- if err != nil {
-- t.Fatalf("failed to read ed25519vectors.json: %v", err)
-- }
-- return jsonVectors
--}
--
--func decodeHex(t *testing.T, s string) []byte {
-- t.Helper()
-- b, err := hex.DecodeString(s)
-- if err != nil {
-- t.Errorf("invalid hex: %v", err)
-- }
-- return b
--}
---
-2.33.1
-
diff --git a/SOURCES/skip_test_rhbz1939923.patch b/SOURCES/skip_test_rhbz1939923.patch
new file mode 100644
index 0000000..555ed3b
--- /dev/null
+++ b/SOURCES/skip_test_rhbz1939923.patch
@@ -0,0 +1,12 @@
+diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
+index b1cdabb..09eaace 100644
+--- a/src/crypto/x509/x509_test.go
++++ b/src/crypto/x509/x509_test.go
+@@ -2993,6 +2993,7 @@ func (bs *brokenSigner) Sign(_ io.Reader, _ []byte, _ crypto.SignerOpts) ([]byte
+ }
+
+ func TestCreateCertificateBrokenSigner(t *testing.T) {
++ t.Skip("TODO Fix me: rhbz#1939923")
+ template := &Certificate{
+ SerialNumber: big.NewInt(10),
+ DNSNames: []string{"example.com"},
diff --git a/SPECS/golang.spec b/SPECS/golang.spec
index d1fcb0d..eb60a6d 100644
--- a/SPECS/golang.spec
+++ b/SPECS/golang.spec
@@ -56,7 +56,7 @@
%endif
# Controls what ever we fail on failed tests
-%ifarch x86_64 %{arm} aarch64 ppc64le
+%ifarch x86_64 %{arm} aarch64 ppc64le s390x
%global fail_on_tests 1
%else
%global fail_on_tests 0
@@ -95,20 +95,27 @@
%global gohostarch s390x
%endif
-%global go_api 1.18
-%global go_version 1.18.10
+%global go_api 1.19
+%global version 1.19.4
%global pkg_release 1
Name: golang
-Version: %{go_version}
-Release: 1%{?dist}
+Version: %{version}
+Release: 2%{?dist}
Summary: The Go Programming Language
# source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
License: BSD and Public Domain
URL: http://golang.org/
-Source0: https://github.com/golang-fips/go/archive/refs/tags/go%{go_version}-%{pkg_release}-openssl-fips.tar.gz
+Source0: https://github.com/golang/go/archive/refs/tags/go%{version}.tar.gz
+# Go's FIPS mode bindings are now provided as a standalone
+# module instead of in tree. This makes it easier to see
+# the actual changes vs upstream Go. The module source is
+# located at https://github.com/golang-fips/openssl-fips,
+# And pre-genetated patches to set up the module for a given
+# Go release are located at https://github.com/golang-fips/go.
+Source1: https://github.com/golang-fips/go/archive/refs/tags/go%{version}-%{pkg_release}-openssl-fips.tar.gz
# make possible to override default traceback level at build time by setting build tag rpm_crashtraceback
-Source1: fedora.go
+Source2: fedora.go
# The compiler is written in Go. Needs go(1.4+) compiler for build.
# Actual Go based bootstrap compiler provided by above source.
@@ -133,22 +140,20 @@ Requires: %{name}-src = %{version}-%{release}
Requires: openssl-devel
Requires: diffutils
-# we had been just removing the zoneinfo.zip, but that caused tests to fail for users that
-# later run `go test -a std`. This makes it only use the zoneinfo.zip where needed in tests.
-Patch215: go1.5-zoneinfo_testing_only.patch
# Proposed patch by jcajka https://golang.org/cl/86541
Patch221: fix_TestScript_list_std.patch
-# static linking of dlopen is unsupported
-Patch226: disable_static_external_tests.patch
+Patch1939923: skip_test_rhbz1939923.patch
-Patch223: remove_ed25519vectors_test.patch
+Patch2: disable_static_tests_part1.patch
+Patch3: disable_static_tests_part2.patch
+Patch4: ppc64le-internal-linker-fix.patch
+Patch5: fix-test-1024-leaf-certs.patch
+Patch6: fix-memory-leak-evp-sign-verify.patch
Patch227: cmd-link-use-correct-path-for-dynamic-loader-on-ppc6.patch
-Patch229: big-endian.patch
-
# Having documentation separate was broken
Obsoletes: %{name}-docs < 1.1-4
@@ -236,16 +241,26 @@ Requires: %{name} = %{version}-%{release}
%endif
%prep
-%setup -q -n go-go%{go_version}-%{pkg_release}-openssl-fips
+%setup -q -n go-go%{version}
+
+pushd ..
+tar -xf %{SOURCE1}
+popd
+patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/000-initial-setup.patch
+patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/001-initial-openssl-for-fips.patch
+
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
-%patch215 -p1
%patch221 -p1
-%patch223 -p1
-%patch226 -p1
+
+%patch1939923 -p1
%patch227 -p1
-%patch229 -p1
-cp %{SOURCE1} ./src/runtime/
+cp %{SOURCE2} ./src/runtime/
%build
set -xe
@@ -430,7 +445,7 @@ export CGO_ENABLED=0
%endif
# make sure to not timeout
-export GO_TEST_TIMEOUT_SCALE=10
+export GO_TEST_TIMEOUT_SCALE=2
export GO_TEST_RUN=""
%ifarch aarch64
@@ -441,21 +456,20 @@ export GO_TEST_RUN=""
# TestEd25519Vectors needs network connectivity but it should be cover by
# this test https://pkgs.devel.redhat.com/cgit/tests/golang/tree/Regression/internal-testsuite/runtest.sh#n127
-export DISABLE_Ed25519_TEST="-run=!^TestEd25519Vectors$"
-./run.bash --no-rebuild -v -v -v -k $GO_TEST_RUN $DISABLE_Ed25519_TEST
+./run.bash --no-rebuild -v -v -v -k $GO_TEST_RUN
# Run tests with FIPS enabled.
export GOLANG_FIPS=1
pushd crypto
# Run all crypto tests but skip TLS, we will run FIPS specific TLS tests later
- go test $(go list ./... | grep -v tls) -v $DISABLE_Ed25519_TEST
+ go test $(go list ./... | grep -v tls) -v
# Check that signature functions have parity between boring and notboring
- CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v $DISABLE_Ed25519_TEST
+ CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v
popd
# Run all FIPS specific TLS tests
pushd crypto/tls
- go test -v -run "Boring" $DISABLE_Ed25519_TEST
+ go test -v -run "Boring"
popd
%else
./run.bash --no-rebuild -v -v -v -k || :
@@ -464,7 +478,7 @@ cd ..
%files
-%doc AUTHORS CONTRIBUTORS LICENSE PATENTS
+%doc LICENSE PATENTS
# VERSION has to be present in the GOROOT, for `go install std` to work
%doc %{goroot}/VERSION
%dir %{goroot}/doc
@@ -518,25 +532,37 @@ cd ..
%endif
%changelog
-* Thu Mar 02 2023 Alejandro Sáez <asm@redhat.com> - 1.18.10-1
-- Update to Go 1.18.10
-- Remove ./do-not-reuse-far-trampolines.patch
-- Resolves: rhbz#2174417
-
-* Thu Dec 22 2022 Alejandro Sáez <asm@redhat.com> - 1.18.9-1
-- Update to Go 1.18.9
-- Add big-endian.patch
-- Increase GO_TEST_TIMEOUT_SCALE due to a Brew issue
-- Add do-not-reuse-far-trampolines.patch
-- Resolves: rhbz#2149313
-
-* Tue Oct 25 2022 David Benoit <dbenoit@redhat.com> - 1.18.7-2
-- Fix version mismatch from previous rebase
-- Related: rhbz#2136719
-
-* Fri Oct 21 2022 David Benoit <dbenoit@redhat.com> - 1.18.7-1
-- Update to Go 1.18.7
-- Resolves: rhbz#2136719
+* Tue Jan 3 2023 David Benoit <dbenoit@redhat.com> - 1.19.4-2
+- Fix memory leaks in EVP_{sign,verify}_raw
+- Resolves: rhbz#2132767
+
+* Wed Dec 21 2022 David Benoit <dbenoit@redhat.com> - 1.19.4-1
+- Rebase to Go 1.19.4
+- Fix ppc64le linker issue
+- Remove defunct patches
+- Remove downstream generated FIPS mode patches
+- Add golang-fips/go as the source for FIPS mode patches
+- Resolves: rhbz#2144542
+
+* Mon Oct 17 2022 David Benoit <dbenoit@redhat.com> - 1.19.2-4
+- Enable big endian support in FIPS mode
+- Resolves: rhbz#1969844
+
+* Mon Oct 17 2022 David Benoit <dbenoit@redhat.com> - 1.19.2-3
+- Restore old HashSign/HashVerify API
+- Resolves: rhbz#2132730
+
+* Mon Oct 17 2022 David Benoit <dbenoit@redhat.com> - 1.19.2-2
+- Add support for 4096 bit keys in x509
+- Resolves: rhbz#2132694
+
+* Thu Oct 13 2022 David Benoit <dbenoit@redhat.com> - 1.19.2-1
+- Rebase to Go 1.19.2
+- Resolves: rhbz#2132730
+
+* Wed Sep 14 2022 David Benoit <dbenoit@redhat.com> - 1.19.1-2
+- Rebase to Go 1.19.1
+- Resolves: rhbz#2131026
* Wed Aug 03 2022 Alejandro Sáez <asm@redhat.com> - 1.18.4-2
- Adds patch for PIE mode issues on PPC64LE
--
GitLab