import golang-1.19.1-2.module+el8.8.0+16778+5fbb74f5

2022-10-15 18:32:57 +00:00 · 2022-10-15 18:32:57 +00:00 · 61f37f55ca
commit 61f37f55ca
parent 7e95abf9d9
12 changed files with 6268 additions and 533 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/go1.18.4-1-openssl-fips.tar.gz
+SOURCES/go1.19.1.tar.gz
--- a/.golang.metadata
+++ b/.golang.metadata
@ -1 +1 @@
-3798a6b5b37624922f5da08860f39da457caa856 SOURCES/go1.18.4-1-openssl-fips.tar.gz
+564d4664e5fafb4da637a01aa62501336d79135f SOURCES/go1.19.1.tar.gz
--- a/SOURCES/000-initial-setup.patch
+++ b/SOURCES/000-initial-setup.patch
@ -0,0 +1,427 @@
 diff --git a/src/cmd/go/testdata/script/gopath_std_vendor.txt b/src/cmd/go/testdata/script/gopath_std_vendor.txt
 index a0a41a5..208aa70 100644
 --- a/src/cmd/go/testdata/script/gopath_std_vendor.txt
 +++ b/src/cmd/go/testdata/script/gopath_std_vendor.txt
@@ -21,11 +21,11 @@ go build .
 go list -deps -f '{{.ImportPath}} {{.Dir}}' .
 stdout $GOPATH[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
 -! stdout $GOROOT[/\\]src[/\\]vendor
 +! stdout $GOROOT[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
 go list -test -deps -f '{{.ImportPath}} {{.Dir}}' .
 stdout $GOPATH[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
 -! stdout $GOROOT[/\\]src[/\\]vendor
 +! stdout $GOROOT[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
 -- issue16333/issue16333.go --
 package vendoring17
 diff --git a/src/crypto/ed25519/ed25519_test.go b/src/crypto/ed25519/ed25519_test.go
 index 7c51817..102c4e5 100644
 --- a/src/crypto/ed25519/ed25519_test.go
 +++ b/src/crypto/ed25519/ed25519_test.go
@@ -187,6 +187,7 @@ func TestMalleability(t *testing.T) {
 }
 func TestAllocations(t *testing.T) {
 +	t.Skip("Allocations test broken with openssl linkage")
 	if boring.Enabled {
 		t.Skip("skipping allocations test with BoringCrypto")
 	}
 diff --git a/src/crypto/ed25519/ed25519vectors_test.go b/src/crypto/ed25519/ed25519vectors_test.go
 index f933f28..223ce04 100644
 --- a/src/crypto/ed25519/ed25519vectors_test.go
 +++ b/src/crypto/ed25519/ed25519vectors_test.go
@@ -72,6 +72,7 @@ func TestEd25519Vectors(t *testing.T) {
 }
 func downloadEd25519Vectors(t *testing.T) []byte {
 +	t.Skip("skipping test that downloads external data")
 	testenv.MustHaveExternalNetwork(t)
 	// Create a temp dir and modcache subdir.
 diff --git a/src/crypto/internal/backend/bbig/big.go b/src/crypto/internal/backend/bbig/big.go
 new file mode 100644
 index 0000000..c0800df
 --- /dev/null
 +++ b/src/crypto/internal/backend/bbig/big.go
@@ -0,0 +1,38 @@
 +// Copyright 2022 The Go Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
 +
 +// This is a mirror of crypto/internal/boring/bbig/big.go.
 +
 +package bbig
 +
 +import (
 +	"math/big"
 +	"unsafe"
 +
 +	"github.com/golang-fips/openssl-fips/openssl"
 +)
 +
 +func Enc(b *big.Int) openssl.BigInt {
 +	if b == nil {
 +		return nil
 +	}
 +	x := b.Bits()
 +	if len(x) == 0 {
 +		return openssl.BigInt{}
 +	}
 +	// TODO: Use unsafe.Slice((*uint)(&x[0]), len(x)) once go1.16 is no longer supported.
 +	return (*(*[]uint)(unsafe.Pointer(&x)))[:len(x)]
 +}
 +
 +func Dec(b openssl.BigInt) *big.Int {
 +	if b == nil {
 +		return nil
 +	}
 +	if len(b) == 0 {
 +		return new(big.Int)
 +	}
 +	// TODO: Use unsafe.Slice((*uint)(&b[0]), len(b)) once go1.16 is no longer supported.
 +	x := (*(*[]big.Word)(unsafe.Pointer(&b)))[:len(b)]
 +	return new(big.Int).SetBits(x)
 +}
 diff --git a/src/crypto/internal/backend/dummy.s b/src/crypto/internal/backend/dummy.s
 new file mode 100644
 index 0000000..e69de29
 diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go
 new file mode 100644
 index 0000000..1d75287
 --- /dev/null
 +++ b/src/crypto/internal/backend/nobackend.go
@@ -0,0 +1,140 @@
 +// Copyright 2017 The Go Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
 +
 +//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl
 +// +build !linux !cgo android cmd_go_bootstrap msan no_openssl
 +
 +package backend
 +
 +import (
 +	"crypto"
 +	"crypto/cipher"
 +	"crypto/internal/boring/sig"
 +	"github.com/golang-fips/openssl-fips/openssl"
 +	"hash"
 +)
 +
 +var enabled = false
 +
 +// Unreachable marks code that should be unreachable
 +// when BoringCrypto is in use. It is a no-op without BoringCrypto.
 +func Unreachable() {
 +	// Code that's unreachable when using BoringCrypto
 +	// is exactly the code we want to detect for reporting
 +	// standard Go crypto.
 +	sig.StandardCrypto()
 +}
 +
 +// UnreachableExceptTests marks code that should be unreachable
 +// when BoringCrypto is in use. It is a no-op without BoringCrypto.
 +func UnreachableExceptTests() {}
 +
 +func ExecutingTest() bool { return false }
 +
 +// This is a noop withotu BoringCrytpo.
 +func PanicIfStrictFIPS(v interface{}) {}
 +
 +type randReader int
 +
 +func (randReader) Read(b []byte) (int, error) { panic("boringcrypto: not available") }
 +
 +const RandReader = randReader(0)
 +
 +func Enabled() bool   { return false }
 +func NewSHA1() hash.Hash   { panic("boringcrypto: not available") }
 +func NewSHA224() hash.Hash { panic("boringcrypto: not available") }
 +func NewSHA256() hash.Hash { panic("boringcrypto: not available") }
 +func NewSHA384() hash.Hash { panic("boringcrypto: not available") }
 +func NewSHA512() hash.Hash { panic("boringcrypto: not available") }
 +func SHA1(_ []byte) [20]byte { panic("boringcrypto: not available") }
 +func SHA224(_ []byte) [28]byte { panic("boringcrypto: not available") }
 +func SHA256(_ []byte) [32]byte { panic("boringcrypto: not available") }
 +func SHA384(_ []byte) [48]byte { panic("boringcrypto: not available") }
 +func SHA512(_ []byte) [64]byte { panic("boringcrypto: not available") }
 +
 +func NewHMAC(h func() hash.Hash, key []byte) hash.Hash { panic("boringcrypto: not available") }
 +
 +func NewAESCipher(key []byte) (cipher.Block, error) { panic("boringcrypto: not available") }
 +
 +type PublicKeyECDSA struct{ _ int }
 +type PrivateKeyECDSA struct{ _ int }
 +
 +func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) {
 +	panic("boringcrypto: not available")
 +}
 +func GenerateKeyECDSA(curve string) (X, Y, D openssl.BigInt, err error) {
 +	panic("boringcrypto: not available")
 +}
 +func NewPrivateKeyECDSA(curve string, X, Y, D openssl.BigInt) (*PrivateKeyECDSA, error) {
 +	panic("boringcrypto: not available")
 +}
 +func NewPublicKeyECDSA(curve string, X, Y openssl.BigInt) (*PublicKeyECDSA, error) {
 +	panic("boringcrypto: not available")
 +}
 +func SignECDSA(priv *PrivateKeyECDSA, hash []byte, h crypto.Hash) (r, s openssl.BigInt, err error) {
 +	panic("boringcrypto: not available")
 +}
 +func SignMarshalECDSA(priv *PrivateKeyECDSA, hash []byte) ([]byte, error) {
 +	panic("boringcrypto: not available")
 +}
 +func VerifyECDSA(pub *PublicKeyECDSA, hash, sig []byte) bool {
 +	panic("boringcrypto: not available")
 +}
 +
 +type PublicKeyECDH struct{ _ int }
 +type PrivateKeyECDH struct{ _ int }
 +
 +func GenerateKeyECDH(curve string) (X, Y, D openssl.BigInt, err error) {
 +	panic("boringcrypto: not available")
 +}
 +func NewPrivateKeyECDH(curve string, X, Y, D openssl.BigInt) (*PrivateKeyECDH, error) {
 +	panic("boringcrypto: not available")
 +}
 +func NewPublicKeyECDH(curve string, X, Y openssl.BigInt) (*PublicKeyECDH, error) {
 +	panic("boringcrypto: not available")
 +}
 +func SharedKeyECDH(priv *PrivateKeyECDH, peerPublicKey []byte) ([]byte, error) {
 +	panic("boringcrypto: not available")
 +}
 +
 +type PublicKeyRSA struct{ _ int }
 +type PrivateKeyRSA struct{ _ int }
 +
 +func DecryptRSAOAEP(h hash.Hash, priv *PrivateKeyRSA, ciphertext, label []byte) ([]byte, error) {
 +	panic("boringcrypto: not available")
 +}
 +func DecryptRSAPKCS1(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) {
 +	panic("boringcrypto: not available")
 +}
 +func DecryptRSANoPadding(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) {
 +	panic("boringcrypto: not available")
 +}
 +func EncryptRSAOAEP(h hash.Hash, pub *PublicKeyRSA, msg, label []byte) ([]byte, error) {
 +	panic("boringcrypto: not available")
 +}
 +func EncryptRSAPKCS1(pub *PublicKeyRSA, msg []byte) ([]byte, error) {
 +	panic("boringcrypto: not available")
 +}
 +func EncryptRSANoPadding(pub *PublicKeyRSA, msg []byte) ([]byte, error) {
 +	panic("boringcrypto: not available")
 +}
 +func GenerateKeyRSA(bits int) (N, E, D, P, Q, Dp, Dq, Qinv openssl.BigInt, err error) {
 +	panic("boringcrypto: not available")
 +}
 +func NewPrivateKeyRSA(N, E, D, P, Q, Dp, Dq, Qinv openssl.BigInt) (*PrivateKeyRSA, error) {
 +	panic("boringcrypto: not available")
 +}
 +func NewPublicKeyRSA(N, E openssl.BigInt) (*PublicKeyRSA, error) { panic("boringcrypto: not available") }
 +func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, msgHashed bool) ([]byte, error) {
 +	panic("boringcrypto: not available")
 +}
 +func SignRSAPSS(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, saltLen int) ([]byte, error) {
 +	panic("boringcrypto: not available")
 +}
 +func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, msgHashed bool) error {
 +	panic("boringcrypto: not available")
 +}
 +func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen int) error {
 +	panic("boringcrypto: not available")
 +}
 diff --git a/src/crypto/internal/backend/openssl.go b/src/crypto/internal/backend/openssl.go
 new file mode 100644
 index 0000000..4c327e0
 --- /dev/null
 +++ b/src/crypto/internal/backend/openssl.go
@@ -0,0 +1,92 @@
 +// Copyright 2017 The Go Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
 +
 +//go:build linux && !android && !gocrypt && !cmd_go_bootstrap && !msan && !no_openssl
 +// +build linux,!android,!gocrypt,!cmd_go_bootstrap,!msan,!no_openssl
 +
 +// Package openssl provides access to OpenSSLCrypto implementation functions.
 +// Check the variable Enabled to find out whether OpenSSLCrypto is available.
 +// If OpenSSLCrypto is not available, the functions in this package all panic.
 +package backend
 +
 +import (
 +	"github.com/golang-fips/openssl-fips/openssl"
 +)
 +
 +// Enabled controls whether FIPS crypto is enabled.
 +var Enabled = openssl.Enabled
 +
 +// Unreachable marks code that should be unreachable
 +// when OpenSSLCrypto is in use. It panics only when
 +// the system is in FIPS mode.
 +func Unreachable() {
 +	if Enabled() {
 +		panic("opensslcrypto: invalid code execution")
 +	}
 +}
 +
 +// Provided by runtime.crypto_backend_runtime_arg0 to avoid os import.
 +func runtime_arg0() string
 +
 +func hasSuffix(s, t string) bool {
 +	return len(s) > len(t) && s[len(s)-len(t):] == t
 +}
 +
 +// UnreachableExceptTests marks code that should be unreachable
 +// when OpenSSLCrypto is in use. It panics.
 +func UnreachableExceptTests() {
 +	name := runtime_arg0()
 +	// If OpenSSLCrypto ran on Windows we'd need to allow _test.exe and .test.exe as well.
 +	if Enabled() && !hasSuffix(name, "_test") && !hasSuffix(name, ".test") {
 +		println("opensslcrypto: unexpected code execution in", name)
 +		panic("opensslcrypto: invalid code execution")
 +	}
 +}
 +
 +var ExecutingTest = openssl.ExecutingTest
 +
 +const RandReader = openssl.RandReader
 +
 +var NewGCMTLS = openssl.NewGCMTLS
 +var NewSHA1 = openssl.NewSHA1
 +var NewSHA224 = openssl.NewSHA224
 +var NewSHA256 = openssl.NewSHA256
 +var NewSHA384 = openssl.NewSHA384
 +var NewSHA512 = openssl.NewSHA512
 +
 +var SHA1 = openssl.SHA1
 +var SHA224 = openssl.SHA224
 +var SHA256 = openssl.SHA256
 +var SHA384 = openssl.SHA384
 +var SHA512 = openssl.SHA512
 +
 +var NewHMAC = openssl.NewHMAC
 +
 +var NewAESCipher = openssl.NewAESCipher
 +
 +type PublicKeyECDSA = openssl.PublicKeyECDSA
 +type PrivateKeyECDSA = openssl.PrivateKeyECDSA
 +
 +var GenerateKeyECDSA = openssl.GenerateKeyECDSA
 +var NewPrivateKeyECDSA = openssl.NewPrivateKeyECDSA
 +var NewPublicKeyECDSA = openssl.NewPublicKeyECDSA
 +var SignMarshalECDSA = openssl.SignMarshalECDSA
 +var VerifyECDSA = openssl.VerifyECDSA
 +
 +type PublicKeyRSA = openssl.PublicKeyRSA
 +type PrivateKeyRSA = openssl.PrivateKeyRSA
 +
 +var DecryptRSAOAEP = openssl.DecryptRSAOAEP
 +var DecryptRSAPKCS1 = openssl.DecryptRSAPKCS1
 +var DecryptRSANoPadding = openssl.DecryptRSANoPadding
 +var EncryptRSAOAEP = openssl.EncryptRSAOAEP
 +var EncryptRSAPKCS1 = openssl.EncryptRSAPKCS1
 +var EncryptRSANoPadding = openssl.EncryptRSANoPadding
 +var GenerateKeyRSA = openssl.GenerateKeyRSA
 +var NewPrivateKeyRSA = openssl.NewPrivateKeyRSA
 +var NewPublicKeyRSA = openssl.NewPublicKeyRSA
 +var SignRSAPKCS1v15 = openssl.SignRSAPKCS1v15
 +var SignRSAPSS = openssl.SignRSAPSS
 +var VerifyRSAPKCS1v15 = openssl.VerifyRSAPKCS1v15
 +var VerifyRSAPSS = openssl.VerifyRSAPSS
 diff --git a/src/crypto/tls/boring.go b/src/crypto/tls/boring.go
 index 1827f76..239e6a2 100644
 --- a/src/crypto/tls/boring.go
 +++ b/src/crypto/tls/boring.go
@@ -8,8 +8,15 @@ package tls
 import (
 	"crypto/internal/boring/fipstls"
 +	boring "crypto/internal/backend"
 )
 +func init() {
 +       if boring.Enabled && !boring.ExecutingTest() {
 +               fipstls.Force()
 +       }
 +}
 +
 // needFIPS returns fipstls.Required(); it avoids a new import in common.go.
 func needFIPS() bool {
 	return fipstls.Required()
 diff --git a/src/crypto/tls/handshake_client_test.go b/src/crypto/tls/handshake_client_test.go
 index 380de9f..02b4ac8 100644
 --- a/src/crypto/tls/handshake_client_test.go
 +++ b/src/crypto/tls/handshake_client_test.go
@@ -2135,6 +2135,7 @@ func testBuffering(t *testing.T, version uint16) {
 }
 func TestAlertFlushing(t *testing.T) {
 +       t.Skip("unsupported in FIPS mode, different error returned")
 	c, s := localPipe(t)
 	done := make(chan bool)
 diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go
 index 141fdb9..71434f2 100644
 --- a/src/go/build/deps_test.go
 +++ b/src/go/build/deps_test.go
@@ -414,19 +414,23 @@ var depsRules = `
 	< crypto/internal/edwards25519
 	< crypto/cipher;
 -	crypto/cipher,
 +	fmt, crypto/cipher,
 	crypto/internal/boring/bcache
 	< crypto/internal/boring
 +	< github.com/golang-fips/openssl-fips/openssl
 +	< crypto/internal/backend
 	< crypto/boring
 	< crypto/aes, crypto/des, crypto/hmac, crypto/md5, crypto/rc4,
 	  crypto/sha1, crypto/sha256, crypto/sha512
 	< CRYPTO;
 -	CGO, fmt, net !< CRYPTO;
 +	CGO, net !< CRYPTO;
 	# CRYPTO-MATH is core bignum-based crypto - no cgo, net; fmt now ok.
 	CRYPTO, FMT, math/big, embed
 +	< github.com/golang-fips/openssl-fips/openssl/bbig
 	< crypto/internal/boring/bbig
 +	< crypto/internal/backend/bbig
 	< crypto/internal/randutil
 	< crypto/rand
 	< crypto/ed25519
@@ -644,7 +648,7 @@ var buildIgnore = []byte("\n//go:build ignore")
 func findImports(pkg string) ([]string, error) {
 	vpkg := pkg
 -	if strings.HasPrefix(pkg, "golang.org") {
 +	if strings.HasPrefix(pkg, "golang.org") || strings.HasPrefix(pkg, "github.com") {
 		vpkg = "vendor/" + pkg
 	}
 	dir := filepath.Join(Default.GOROOT, "src", vpkg)
@@ -654,7 +658,7 @@ func findImports(pkg string) ([]string, error) {
 	}
 	var imports []string
 	var haveImport = map[string]bool{}
 -	if pkg == "crypto/internal/boring" {
 +	if pkg == "crypto/internal/boring" || pkg == "github.com/golang-fips/openssl-fips/openssl" {
 		haveImport["C"] = true // kludge: prevent C from appearing in crypto/internal/boring imports
 	}
 	fset := token.NewFileSet()
 diff --git a/src/runtime/runtime_boring.go b/src/runtime/runtime_boring.go
 index 5a98b20..dc25cdc 100644
 --- a/src/runtime/runtime_boring.go
 +++ b/src/runtime/runtime_boring.go
@@ -17,3 +17,8 @@ func boring_runtime_arg0() string {
 //go:linkname fipstls_runtime_arg0 crypto/internal/boring/fipstls.runtime_arg0
 func fipstls_runtime_arg0() string { return boring_runtime_arg0() }
 +
 +//go:linkname crypto_backend_runtime_arg0 crypto/internal/backend.runtime_arg0
 +func crypto_backend_runtime_arg0() string {
 +	return boring_runtime_arg0()
 +}
 \ No newline at end of file
--- a/SOURCES/001-initial-openssl-for-fips.patch
+++ b/SOURCES/001-initial-openssl-for-fips.patch
--- a/SOURCES/disable_static_external_tests.patch
+++ b/SOURCES/disable_static_external_tests.patch
@ -1,310 +0,0 @@
 diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go
 index d9eb9c3..506f979 100644
 --- a/src/cmd/dist/test.go
 +++ b/src/cmd/dist/test.go
@@ -1180,18 +1180,20 @@ func (t *tester) cgoTest(dt *distTest) error {
 				fmt.Println("No support for static linking found (lacks libc.a?), skip cgo static linking test.")
 			} else {
 				if goos != "android" {
 -					t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`)
 +					t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, "-tags=no_openssl")
 				}
 				t.addCmd(dt, "misc/cgo/nocgo", t.goTest())
 				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external`)
 				if goos != "android" {
 -					t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`)
 +					t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, "-tags=no_openssl")
 +					/*
 					t.addCmd(dt, "misc/cgo/test", t.goTest(), "-tags=static", "-ldflags", `-linkmode=external -extldflags "-static -pthread"`)
 					// -static in CGO_LDFLAGS triggers a different code path
 					// than -static in -extldflags, so test both.
 					// See issue #16651.
 					cmd := t.addCmd(dt, "misc/cgo/test", t.goTest(), "-tags=static")
 					setEnv(cmd, "CGO_LDFLAGS", "-static -pthread")
 +					*/
 				}
 			}
@@ -1201,7 +1203,7 @@ func (t *tester) cgoTest(dt *distTest) error {
 					t.addCmd(dt, "misc/cgo/test", t.goTest(), "-buildmode=pie", "-ldflags=-linkmode=internal", "-tags=internal,internal_pie")
 				}
 				t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-buildmode=pie")
 -				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie")
 +				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie", "-tags=no_openssl")
 			}
 		}
 	}
 diff --git a/src/crypto/internal/boring/aes.go b/src/crypto/internal/boring/aes.go
 index a495bd7..2c6107b 100644
 --- a/src/crypto/internal/boring/aes.go
 +++ b/src/crypto/internal/boring/aes.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 -//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
 -// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
 +//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
 +// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
 package boring
 diff --git a/src/crypto/internal/boring/aes_test.go b/src/crypto/internal/boring/aes_test.go
 index 3b4c364..371bc20 100644
 --- a/src/crypto/internal/boring/aes_test.go
 +++ b/src/crypto/internal/boring/aes_test.go
@@ -1,9 +1,5 @@
 -// +build linux
 -// +build !android
 -// +build !no_openssl
 -// +build !cmd_go_bootstrap
 -// +build !msan
 -// +build cgo
 +//go:build linux && !android && !no_openssl && !cmd_go_bootstrap && !msan && cgo && !static
 +// +build linux,!android,!no_openssl,!cmd_go_bootstrap,!msan,cgo,!static
 package boring
 diff --git a/src/crypto/internal/boring/boring.go b/src/crypto/internal/boring/boring.go
 index ec6e80c..05431b1 100644
 --- a/src/crypto/internal/boring/boring.go
 +++ b/src/crypto/internal/boring/boring.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 -//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
 -// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
 +//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
 +// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
 package boring
 diff --git a/src/crypto/internal/boring/ecdsa.go b/src/crypto/internal/boring/ecdsa.go
 index f72da41..33ee442 100644
 --- a/src/crypto/internal/boring/ecdsa.go
 +++ b/src/crypto/internal/boring/ecdsa.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 -//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
 -// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
 +//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
 +// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
 package boring
 diff --git a/src/crypto/internal/boring/goboringcrypto.h b/src/crypto/internal/boring/goboringcrypto.h
 index 4547ade..b8aaae4 100644
 --- a/src/crypto/internal/boring/goboringcrypto.h
 +++ b/src/crypto/internal/boring/goboringcrypto.h
@@ -1,6 +1,12 @@
 // Copyright 2017 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 +// +build linux
 +// +build !android
 +// +build !no_openssl
 +// +build !cmd_go_bootstrap
 +// +build !msan
 +// +build !static
 // This header file describes the BoringCrypto ABI as built for use in Go.
 // The BoringCrypto build for Go (which generates goboringcrypto_*.syso)
 diff --git a/src/crypto/internal/boring/goopenssl.h b/src/crypto/internal/boring/goopenssl.h
 index 4820385..ac41482 100644
 --- a/src/crypto/internal/boring/goopenssl.h
 +++ b/src/crypto/internal/boring/goopenssl.h
@@ -6,6 +6,7 @@
 // +build !no_openssl
 // +build !cmd_go_bootstrap
 // +build !msan
 +// +build !static
 // This header file describes the OpenSSL ABI as built for use in Go.
 diff --git a/src/crypto/internal/boring/hmac.go b/src/crypto/internal/boring/hmac.go
 index 4e913c3..10cfbb3 100644
 --- a/src/crypto/internal/boring/hmac.go
 +++ b/src/crypto/internal/boring/hmac.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 -//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
 -// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
 +//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
 +// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
 package boring
 diff --git a/src/crypto/internal/boring/notboring.go b/src/crypto/internal/boring/notboring.go
 index e513834..08c5245 100644
 --- a/src/crypto/internal/boring/notboring.go
 +++ b/src/crypto/internal/boring/notboring.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 -//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl
 -// +build !linux !cgo android cmd_go_bootstrap msan no_openssl
 +//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl || static
 +// +build !linux !cgo android cmd_go_bootstrap msan no_openssl static
 package boring
 diff --git a/src/crypto/internal/boring/openssl_ecdsa_signature.c b/src/crypto/internal/boring/openssl_ecdsa_signature.c
 index 710d074..853be3d 100644
 --- a/src/crypto/internal/boring/openssl_ecdsa_signature.c
 +++ b/src/crypto/internal/boring/openssl_ecdsa_signature.c
@@ -3,6 +3,7 @@
 // +build !no_openssl
 // +build !cmd_go_bootstrap
 // +build !msan
 +// +build !static
 #include "goboringcrypto.h"
 diff --git a/src/crypto/internal/boring/openssl_evp.c b/src/crypto/internal/boring/openssl_evp.c
 index 36be702..331dfd3 100644
 --- a/src/crypto/internal/boring/openssl_evp.c
 +++ b/src/crypto/internal/boring/openssl_evp.c
@@ -3,6 +3,7 @@
 // +build !no_openssl
 // +build !cmd_go_bootstrap
 // +build !msan
 +// +build !static
 #include "goboringcrypto.h"
 diff --git a/src/crypto/internal/boring/openssl_lock_setup.c b/src/crypto/internal/boring/openssl_lock_setup.c
 index 955924e..c0f3435 100644
 --- a/src/crypto/internal/boring/openssl_lock_setup.c
 +++ b/src/crypto/internal/boring/openssl_lock_setup.c
@@ -3,6 +3,7 @@
 // +build !no_openssl
 // +build !cmd_go_bootstrap
 // +build !msan
 +// +build !static
 #include "goboringcrypto.h"
 #include <stdio.h>
 diff --git a/src/crypto/internal/boring/openssl_port_aead_gcm.c b/src/crypto/internal/boring/openssl_port_aead_gcm.c
 index b39bf54..80c933a 100644
 --- a/src/crypto/internal/boring/openssl_port_aead_gcm.c
 +++ b/src/crypto/internal/boring/openssl_port_aead_gcm.c
@@ -4,6 +4,7 @@
 // +build !no_openssl
 // +build !cmd_go_bootstrap
 // +build !msan
 +// +build !static
 #include "goboringcrypto.h"
 #include <openssl/err.h>
 diff --git a/src/crypto/internal/boring/openssl_port_ctr128.c b/src/crypto/internal/boring/openssl_port_ctr128.c
 index abaff5c..e2263a5 100644
 --- a/src/crypto/internal/boring/openssl_port_ctr128.c
 +++ b/src/crypto/internal/boring/openssl_port_ctr128.c
@@ -3,6 +3,7 @@
 // +build !no_openssl
 // +build !cmd_go_bootstrap
 // +build !msan
 +// +build !static
 #include "goboringcrypto.h"
 diff --git a/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c b/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c
 index 8418c38..39bf3ae 100644
 --- a/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c
 +++ b/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c
@@ -4,6 +4,7 @@
 // +build !no_openssl
 // +build !cmd_go_bootstrap
 // +build !msan
 +// +build !static
 // The following is a partial backport of crypto/evp/m_md5_sha1.c,
 // commit cbc8a839959418d8a2c2e3ec6bdf394852c9501e on the
 diff --git a/src/crypto/internal/boring/openssl_port_hmac.c b/src/crypto/internal/boring/openssl_port_hmac.c
 index be7c71a..35e1860 100644
 --- a/src/crypto/internal/boring/openssl_port_hmac.c
 +++ b/src/crypto/internal/boring/openssl_port_hmac.c
@@ -4,6 +4,8 @@
 // +build !no_openssl
 // +build !cmd_go_bootstrap
 // +build !msan
 +// +build !static
 +
 #include "goboringcrypto.h"
 diff --git a/src/crypto/internal/boring/openssl_port_rsa.c b/src/crypto/internal/boring/openssl_port_rsa.c
 index 5174f66..a8008e9 100644
 --- a/src/crypto/internal/boring/openssl_port_rsa.c
 +++ b/src/crypto/internal/boring/openssl_port_rsa.c
@@ -4,6 +4,7 @@
 // +build !no_openssl
 // +build !cmd_go_bootstrap
 // +build !msan
 +// +build !static
 #include "goboringcrypto.h"
 diff --git a/src/crypto/internal/boring/openssl_stub_rand.c b/src/crypto/internal/boring/openssl_stub_rand.c
 index 18d6777..e8ac53b 100644
 --- a/src/crypto/internal/boring/openssl_stub_rand.c
 +++ b/src/crypto/internal/boring/openssl_stub_rand.c
@@ -3,6 +3,7 @@
 // +build !no_openssl
 // +build !cmd_go_bootstrap
 // +build !msan
 +// +build !static
 #include "goboringcrypto.h"
 #include <openssl/rand.h>
 diff --git a/src/crypto/internal/boring/rand.go b/src/crypto/internal/boring/rand.go
 index e9c334f..3adbd4d 100644
 --- a/src/crypto/internal/boring/rand.go
 +++ b/src/crypto/internal/boring/rand.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 -//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
 -// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
 +//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
 +// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
 package boring
 diff --git a/src/crypto/internal/boring/rsa.go b/src/crypto/internal/boring/rsa.go
 index b1a2f57..0cabadb 100644
 --- a/src/crypto/internal/boring/rsa.go
 +++ b/src/crypto/internal/boring/rsa.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 -//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
 -// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
 +//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
 +// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
 package boring
 diff --git a/src/crypto/internal/boring/sha.go b/src/crypto/internal/boring/sha.go
 index bdcc782..6184d6c 100644
 --- a/src/crypto/internal/boring/sha.go
 +++ b/src/crypto/internal/boring/sha.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 -//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
 -// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
 +//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
 +// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
 package boring
--- a/SOURCES/disable_static_tests_part1.patch
+++ b/SOURCES/disable_static_tests_part1.patch
@ -0,0 +1,303 @@
 diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go
 index 1d75287..2b99ea2 100644
 --- a/src/crypto/internal/backend/nobackend.go
 +++ b/src/crypto/internal/backend/nobackend.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 -//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl
 -// +build !linux !cgo android cmd_go_bootstrap msan no_openssl
 +//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl || static
 +// +build !linux !cgo android cmd_go_bootstrap msan no_openssl static
 package backend
 diff --git a/src/crypto/internal/backend/openssl.go b/src/crypto/internal/backend/openssl.go
 index 4c327e0..6786c1f 100644
 --- a/src/crypto/internal/backend/openssl.go
 +++ b/src/crypto/internal/backend/openssl.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 -//go:build linux && !android && !gocrypt && !cmd_go_bootstrap && !msan && !no_openssl
 -// +build linux,!android,!gocrypt,!cmd_go_bootstrap,!msan,!no_openssl
 +//go:build linux && !android && !gocrypt && !cmd_go_bootstrap && !msan && !no_openssl && !static
 +// +build linux,!android,!gocrypt,!cmd_go_bootstrap,!msan,!no_openssl,!static
 // Package openssl provides access to OpenSSLCrypto implementation functions.
 // Check the variable Enabled to find out whether OpenSSLCrypto is available.
 diff --git a/src/crypto/internal/boring/goboringcrypto.h b/src/crypto/internal/boring/goboringcrypto.h
 index d6d99b1..f2fe332 100644
 --- a/src/crypto/internal/boring/goboringcrypto.h
 +++ b/src/crypto/internal/boring/goboringcrypto.h
@@ -1,4 +1,5 @@
 // Copyright 2017 The Go Authors. All rights reserved.
 +// +build !static
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 diff --git a/src/crypto/internal/boring/syso/syso.go b/src/crypto/internal/boring/syso/syso.go
 index b338754..db5ea1e 100644
 --- a/src/crypto/internal/boring/syso/syso.go
 +++ b/src/crypto/internal/boring/syso/syso.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 -//go:build boringcrypto
 +//go:build boringcrypto && !static
 // This package only exists with GOEXPERIMENT=boringcrypto.
 // It provides the actual syso file.
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/aes.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/aes.go
 index 079fc3c..e826d0b 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/aes.go
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/aes.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 -//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
 -// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
 +//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
 +// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
 package openssl
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go
 index 0b61e79..94d0c98 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 -//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
 -// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
 +//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
 +// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
 package openssl
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
 index eb63507..a3aeed1 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 -//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
 -// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
 +//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
 +// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
 package openssl
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
 index 6d6a562..17cc314 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
@@ -1,4 +1,5 @@
 // Copyright 2017 The Go Authors. All rights reserved.
 +// +build !static
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // +build linux
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/hkdf.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/hkdf.go
 index ae40b93..17bc075 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/hkdf.go
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/hkdf.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 -//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
 -// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
 +//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
 +// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
 package openssl
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/hmac.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/hmac.go
 index 6f00177..f466b18 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/hmac.go
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/hmac.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 -//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
 -// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
 +//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
 +// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
 package openssl
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/notboring.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/notboring.go
 index 7c0b5d6..262af07 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/notboring.go
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/notboring.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 -//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl
 -// +build !linux !cgo android cmd_go_bootstrap msan no_openssl
 +//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl || static
 +// +build !linux !cgo android cmd_go_bootstrap msan no_openssl static
 package openssl
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go
 index d49194d..ff15054 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 -//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
 -// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
 +//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
 +// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
 package openssl
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c
 index 2349db1..57fbb04 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c
@@ -1,4 +1,5 @@
 // +build linux
 +// +build !static
 // +build !android
 // +build !no_openssl
 // +build !cmd_go_bootstrap
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
 index 4379019..5034c46 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
@@ -1,4 +1,5 @@
 // +build linux
 +// +build !static
 // +build !android
 // +build !no_openssl
 // +build !cmd_go_bootstrap
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_lock_setup.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_lock_setup.c
 index 49d40a7..3b3dbf8 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_lock_setup.c
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_lock_setup.c
@@ -1,4 +1,5 @@
 // +build linux
 +// +build !static
 // +build !android
 // +build !no_openssl
 // +build !cmd_go_bootstrap
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_aead_gcm.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_aead_gcm.c
 index 7eb645e..1c3225a 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_aead_gcm.c
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_aead_gcm.c
@@ -1,4 +1,5 @@
 // This file contains a port of the BoringSSL AEAD interface.
 +// +build !static
 // +build linux
 // +build !android
 // +build !no_openssl
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_ctr128.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_ctr128.c
 index df4ebe3..876393b 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_ctr128.c
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_ctr128.c
@@ -1,4 +1,5 @@
 // +build linux
 +// +build !static
 // +build !android
 // +build !no_openssl
 // +build !cmd_go_bootstrap
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_evp_md5_sha1.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_evp_md5_sha1.c
 index 2eedd5b..04510d3 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_evp_md5_sha1.c
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_evp_md5_sha1.c
@@ -1,4 +1,5 @@
 // This file contains a backport of the EVP_md5_sha1 method.
 +// +build !static
 // +build linux
 // +build !android
 // +build !no_openssl
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_hmac.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_hmac.c
 index 362d9e5..bebafef 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_hmac.c
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_hmac.c
@@ -1,4 +1,5 @@
 // This file contains HMAC portability wrappers.
 +// +build !static
 // +build linux
 // +build !android
 // +build !no_openssl
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c
 index 2824147..8bc1d85 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c
@@ -1,4 +1,5 @@
 // This file contains RSA portability wrappers.
 +// +build !static
 // +build linux
 // +build !android
 // +build !no_openssl
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_stub_rand.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_stub_rand.c
 index 22bd865..b7aa26b 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_stub_rand.c
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_stub_rand.c
@@ -1,4 +1,5 @@
 // +build linux
 +// +build !static
 // +build !android
 // +build !no_openssl
 // +build !cmd_go_bootstrap
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rand.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rand.go
 index b3668b8..dcdae70 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rand.go
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rand.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 -//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
 -// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
 +//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
 +// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
 package openssl
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
 index 915c840..8623d9d 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 -//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
 -// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
 +//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
 +// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
 package openssl
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/sha.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/sha.go
 index 0b55ced..57309c0 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/sha.go
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/sha.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 -//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
 -// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
 +//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
 +// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
 package openssl
--- a/SOURCES/disable_static_tests_part2.patch
+++ b/SOURCES/disable_static_tests_part2.patch
@ -0,0 +1,36 @@
 diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go
 index da5b179..6a772df 100644
 --- a/src/cmd/dist/test.go
 +++ b/src/cmd/dist/test.go
@@ -1247,18 +1247,20 @@ func (t *tester) cgoTest(dt *distTest) error {
 				fmt.Println("No support for static linking found (lacks libc.a?), skip cgo static linking test.")
 			} else {
 				if goos != "android" {
 -					t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, ".")
 +					t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, "-tags=no_openssl")
 				}
 				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), ".")
 				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external`, ".")
 				if goos != "android" {
 -					t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, ".")
 +					t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, "-tags=no_openssl")
 +					/*
 					t.addCmd(dt, "misc/cgo/test", t.goTest(), "-tags=static", "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, ".")
 					// -static in CGO_LDFLAGS triggers a different code path
 					// than -static in -extldflags, so test both.
 					// See issue #16651.
 					cmd := t.addCmd(dt, "misc/cgo/test", t.goTest(), "-tags=static", ".")
 					setEnv(cmd, "CGO_LDFLAGS", "-static -pthread")
 +					*/
 				}
 			}
@@ -1268,7 +1270,7 @@ func (t *tester) cgoTest(dt *distTest) error {
 					t.addCmd(dt, "misc/cgo/test", t.goTest(), "-buildmode=pie", "-ldflags=-linkmode=internal", "-tags=internal,internal_pie", ".")
 				}
 				t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-buildmode=pie", ".")
 -				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie", ".")
 +				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie", "-tags=no_openssl")
 			}
 		}
 	}
--- a/SOURCES/go1.5-zoneinfo_testing_only.patch
+++ b/SOURCES/go1.5-zoneinfo_testing_only.patch
@ -1,73 +0,0 @@
 diff --git a/src/time/internal_test.go b/src/time/internal_test.go
 index f0dddb7..415949a 100644
 --- a/src/time/internal_test.go
 +++ b/src/time/internal_test.go
@@ -4,13 +4,15 @@
 package time
 +import "runtime"
 +
 func init() {
 	// force US/Pacific for time zone tests
 	ForceUSPacificForTesting()
 }
 func initTestingZone() {
 -	z, err := loadLocation("America/Los_Angeles", zoneSources[len(zoneSources)-1:])
 +	z, err := loadLocation("America/Los_Angeles", zoneSources)
 	if err != nil {
 		panic("cannot load America/Los_Angeles for testing: " + err.Error() + "; you may want to use -tags=timetzdata")
 	}
@@ -21,8 +23,9 @@ func initTestingZone() {
 var OrigZoneSources = zoneSources
 func forceZipFileForTesting(zipOnly bool) {
 -	zoneSources = make([]string, len(OrigZoneSources))
 +	zoneSources = make([]string, len(OrigZoneSources)+1)
 	copy(zoneSources, OrigZoneSources)
 +	zoneSources = append(zoneSources, runtime.GOROOT()+"/lib/time/zoneinfo.zip")
 	if zipOnly {
 		zoneSources = zoneSources[len(zoneSources)-1:]
 	}
 diff --git a/src/time/zoneinfo_test.go b/src/time/zoneinfo_test.go
 index f032aa7..e3e5547 100644
 --- a/src/time/zoneinfo_test.go
 +++ b/src/time/zoneinfo_test.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"os"
 	"reflect"
 +	"runtime"
 	"testing"
 	"time"
 )
@@ -137,7 +138,7 @@ func TestLoadLocationFromTZData(t *testing.T) {
 		t.Fatal(err)
 	}
 -	tzinfo, err := time.LoadTzinfo(locationName, time.OrigZoneSources[len(time.OrigZoneSources)-1])
 +	tzinfo, err := time.LoadTzinfo(locationName, runtime.GOROOT()+"/lib/time/zoneinfo.zip")
 	if err != nil {
 		t.Fatal(err)
 	}
 diff --git a/src/time/zoneinfo_unix.go b/src/time/zoneinfo_unix.go
 index 23f8b3c..228db1b 100644
 --- a/src/time/zoneinfo_unix.go
 +++ b/src/time/zoneinfo_unix.go
@@ -12,7 +12,6 @@
 package time
 import (
 -	"runtime"
 	"syscall"
 )
@@ -22,7 +21,6 @@ var zoneSources = []string{
 	"/usr/share/zoneinfo/",
 	"/usr/share/lib/zoneinfo/",
 	"/usr/lib/locale/TZ/",
 -	runtime.GOROOT() + "/lib/time/zoneinfo.zip",
 }
 func initLocal() {
--- a/SOURCES/openssl_cgo_build_tag.patch
+++ b/SOURCES/openssl_cgo_build_tag.patch
@ -0,0 +1,15 @@
 diff --git a/src/crypto/internal/backend/openssl.go b/src/crypto/internal/backend/openssl.go
 index 6786c1f..5a330cf 100644
 --- a/src/crypto/internal/backend/openssl.go
 +++ b/src/crypto/internal/backend/openssl.go
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 -//go:build linux && !android && !gocrypt && !cmd_go_bootstrap && !msan && !no_openssl && !static
 -// +build linux,!android,!gocrypt,!cmd_go_bootstrap,!msan,!no_openssl,!static
 +//go:build linux && cgo && !android && !gocrypt && !cmd_go_bootstrap && !msan && !no_openssl && !static
 +// +build linux,cgo,!android,!gocrypt,!cmd_go_bootstrap,!msan,!no_openssl,!static
 // Package openssl provides access to OpenSSLCrypto implementation functions.
 // Check the variable Enabled to find out whether OpenSSLCrypto is available.
--- a/SOURCES/remove_ed25519vectors_test.patch
+++ b/SOURCES/remove_ed25519vectors_test.patch
@ -1,128 +0,0 @@
 From d7cad65ab9179804e9f089ce97bc124e9ef79494 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Alejandro=20S=C3=A1ez?= <asm@redhat.com>
 Date: Wed, 15 Dec 2021 16:02:15 +0100
 Subject: [PATCH] Remove ed25519vectors_test.go
 ---
 src/crypto/ed25519/ed25519vectors_test.go | 109 ----------------------
 1 file changed, 109 deletions(-)
 delete mode 100644 src/crypto/ed25519/ed25519vectors_test.go
 diff --git a/src/crypto/ed25519/ed25519vectors_test.go b/src/crypto/ed25519/ed25519vectors_test.go
 deleted file mode 100644
 index 74fcdcdf4e..0000000000
 --- a/src/crypto/ed25519/ed25519vectors_test.go
 +++ /dev/null
@@ -1,109 +0,0 @@
 -// Copyright 2021 The Go Authors. All rights reserved.
 -// Use of this source code is governed by a BSD-style
 -// license that can be found in the LICENSE file.
 -
 -package ed25519_test
 -
 -import (
 -	"crypto/ed25519"
 -	"encoding/hex"
 -	"encoding/json"
 -	"internal/testenv"
 -	"os"
 -	"os/exec"
 -	"path/filepath"
 -	"testing"
 -)
 -
 -// TestEd25519Vectors runs a very large set of test vectors that exercise all
 -// combinations of low-order points, low-order components, and non-canonical
 -// encodings. These vectors lock in unspecified and spec-divergent behaviors in
 -// edge cases that are not security relevant in most contexts, but that can
 -// cause issues in consensus applications if changed.
 -//
 -// Our behavior matches the "classic" unwritten verification rules of the
 -// "ref10" reference implementation.
 -//
 -// Note that although we test for these edge cases, they are not covered by the
 -// Go 1 Compatibility Promise. Applications that need stable verification rules
 -// should use github.com/hdevalence/ed25519consensus.
 -//
 -// See https://hdevalence.ca/blog/2020-10-04-its-25519am for more details.
 -func TestEd25519Vectors(t *testing.T) {
 -	jsonVectors := downloadEd25519Vectors(t)
 -	var vectors []struct {
 -		A, R, S, M string
 -		Flags      []string
 -	}
 -	if err := json.Unmarshal(jsonVectors, &vectors); err != nil {
 -		t.Fatal(err)
 -	}
 -	for i, v := range vectors {
 -		expectedToVerify := true
 -		for _, f := range v.Flags {
 -			switch f {
 -			// We use the simplified verification formula that doesn't multiply
 -			// by the cofactor, so any low order residue will cause the
 -			// signature not to verify.
 -			//
 -			// This is allowed, but not required, by RFC 8032.
 -			case "LowOrderResidue":
 -				expectedToVerify = false
 -			// Our point decoding allows non-canonical encodings (in violation
 -			// of RFC 8032) but R is not decoded: instead, R is recomputed and
 -			// compared bytewise against the canonical encoding.
 -			case "NonCanonicalR":
 -				expectedToVerify = false
 -			}
 -		}
 -
 -		publicKey := decodeHex(t, v.A)
 -		signature := append(decodeHex(t, v.R), decodeHex(t, v.S)...)
 -		message := []byte(v.M)
 -
 -		didVerify := ed25519.Verify(publicKey, message, signature)
 -		if didVerify && !expectedToVerify {
 -			t.Errorf("#%d: vector with flags %s unexpectedly verified", i, v.Flags)
 -		}
 -		if !didVerify && expectedToVerify {
 -			t.Errorf("#%d: vector with flags %s unexpectedly rejected", i, v.Flags)
 -		}
 -	}
 -}
 -
 -func downloadEd25519Vectors(t *testing.T) []byte {
 -	testenv.MustHaveExternalNetwork(t)
 -
 -	// Download the JSON test file from the GOPROXY with `go mod download`,
 -	// pinning the version so test and module caching works as expected.
 -	goTool := testenv.GoToolPath(t)
 -	path := "filippo.io/mostly-harmless/ed25519vectors@v0.0.0-20210322192420-30a2d7243a94"
 -	cmd := exec.Command(goTool, "mod", "download", "-json", path)
 -	// TODO: enable the sumdb once the TryBots proxy supports it.
 -	cmd.Env = append(os.Environ(), "GONOSUMDB=*")
 -	output, err := cmd.Output()
 -	if err != nil {
 -		t.Fatalf("failed to run `go mod download -json %s`, output: %s", path, output)
 -	}
 -	var dm struct {
 -		Dir string // absolute path to cached source root directory
 -	}
 -	if err := json.Unmarshal(output, &dm); err != nil {
 -		t.Fatal(err)
 -	}
 -
 -	jsonVectors, err := os.ReadFile(filepath.Join(dm.Dir, "ed25519vectors.json"))
 -	if err != nil {
 -		t.Fatalf("failed to read ed25519vectors.json: %v", err)
 -	}
 -	return jsonVectors
 -}
 -
 -func decodeHex(t *testing.T, s string) []byte {
 -	t.Helper()
 -	b, err := hex.DecodeString(s)
 -	if err != nil {
 -		t.Errorf("invalid hex: %v", err)
 -	}
 -	return b
 -}
 -- 
 2.33.1
--- a/SOURCES/skip_test_rhbz1939923.patch
+++ b/SOURCES/skip_test_rhbz1939923.patch
@ -0,0 +1,12 @@
 diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
 index b1cdabb..09eaace 100644
 --- a/src/crypto/x509/x509_test.go
 +++ b/src/crypto/x509/x509_test.go
@@ -2993,6 +2993,7 @@ func (bs *brokenSigner) Sign(_ io.Reader, _ []byte, _ crypto.SignerOpts) ([]byte
 }
 func TestCreateCertificateBrokenSigner(t *testing.T) {
 +	t.Skip("TODO Fix me: rhbz#1939923")
 	template := &Certificate{
 		SerialNumber: big.NewInt(10),
 		DNSNames:     []string{"example.com"},
--- a/SPECS/golang.spec
+++ b/SPECS/golang.spec
@ -95,18 +95,18 @@
 %global gohostarch  s390x
 %endif
-%global go_api 1.18
+%global go_api 1.19
-%global go_version 1.18.4
+%global version 1.19.1
 %global pkg_release 1
 Name:           golang
-Version:        %{go_version}
+Version:        %{version}
 Release:        2%{?dist}
 Summary:        The Go Programming Language
 # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
 License:        BSD and Public Domain
 URL:            http://golang.org/
-Source0:	https://github.com/golang-fips/go/archive/refs/tags/go%{go_version}-%{pkg_release}-openssl-fips.tar.gz
+Source0:        https://github.com/golang/go/archive/refs/tags/go%{version}.tar.gz
 # make possible to override default traceback level at build time by setting build tag rpm_crashtraceback
 Source1:        fedora.go
@ -133,17 +133,17 @@ Requires:       %{name}-src = %{version}-%{release}
 Requires:       openssl-devel
 Requires:       diffutils
 # we had been just removing the zoneinfo.zip, but that caused tests to fail for users that 
 # later run `go test -a std`. This makes it only use the zoneinfo.zip where needed in tests.
 Patch215:       go1.5-zoneinfo_testing_only.patch
 # Proposed patch by jcajka https://golang.org/cl/86541
 Patch221:       fix_TestScript_list_std.patch
-# static linking of dlopen is unsupported
+Patch1939923:   skip_test_rhbz1939923.patch
 Patch226:	disable_static_external_tests.patch
-Patch223: remove_ed25519vectors_test.patch
+Patch0:		000-initial-setup.patch
 Patch1:		001-initial-openssl-for-fips.patch
 Patch2: 	disable_static_tests_part1.patch
 Patch3: 	disable_static_tests_part2.patch
 Patch4:		openssl_cgo_build_tag.patch
 Patch227: cmd-link-use-correct-path-for-dynamic-loader-on-ppc6.patch
@ -234,12 +234,17 @@ Requires:       %{name} = %{version}-%{release}
 %endif
 %prep
-%setup -q -n go-go%{go_version}-%{pkg_release}-openssl-fips
+%setup -q -n go-go1.19.1
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch215 -p1
 %patch221 -p1
-%patch223 -p1
+
-%patch226 -p1
+%patch1939923 -p1
 %patch227 -p1
 cp %{SOURCE1} ./src/runtime/
@ -438,21 +443,20 @@ export GO_TEST_RUN=""
 # TestEd25519Vectors needs network connectivity but it should be cover by
 # this test https://pkgs.devel.redhat.com/cgit/tests/golang/tree/Regression/internal-testsuite/runtest.sh#n127
 export DISABLE_Ed25519_TEST="-run=!^TestEd25519Vectors$"
-./run.bash --no-rebuild -v -v -v -k $GO_TEST_RUN $DISABLE_Ed25519_TEST
+./run.bash --no-rebuild -v -v -v -k $GO_TEST_RUN
 # Run tests with FIPS enabled.
 export GOLANG_FIPS=1
 pushd crypto
  # Run all crypto tests but skip TLS, we will run FIPS specific TLS tests later
-  go test $(go list ./... | grep -v tls) -v $DISABLE_Ed25519_TEST
+  go test $(go list ./... | grep -v tls) -v
  # Check that signature functions have parity between boring and notboring
-  CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v $DISABLE_Ed25519_TEST
+  CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v
 popd
 # Run all FIPS specific TLS tests
 pushd crypto/tls
-  go test -v -run "Boring" $DISABLE_Ed25519_TEST
+  go test -v -run "Boring"
 popd
 %else
 ./run.bash --no-rebuild -v -v -v -k || :
@ -461,7 +465,7 @@ cd ..
 %files
-%doc AUTHORS CONTRIBUTORS LICENSE PATENTS
+%doc LICENSE PATENTS
 # VERSION has to be present in the GOROOT, for `go install std` to work
 %doc %{goroot}/VERSION
 %dir %{goroot}/doc
@ -515,6 +519,10 @@ cd ..
 %endif
 %changelog
 * Wed Sep 14 2022 David Benoit <dbenoit@redhat.com> - 1.19.1-2
 - Rebase to Go 1.19.1
 - Resolves: rhbz#2131026
 * Wed Aug 03 2022 Alejandro Sáez <asm@redhat.com> - 1.18.4-2
 - Adds patch for PIE mode issues on PPC64LE
 - Resolves: rhbz#2111593
`@ -1 +1 @@`
	`SOURCES/go1.18.4-1-openssl-fips.tar.gz`	`SOURCES/go1.19.1.tar.gz`
`@ -1 +1 @@`
	`3798a6b5b37624922f5da08860f39da457caa856 SOURCES/go1.18.4-1-openssl-fips.tar.gz`	`564d4664e5fafb4da637a01aa62501336d79135f SOURCES/go1.19.1.tar.gz`