Import rpm: ec522a5d51384d88d0ee6bcc4755dee91a61007c

.gitignore

@@ -0,0 +1 @@
+SOURCES/go1.18.2-1-openssl-fips.tar.gz

README.md

@@ -0,0 +1,65 @@
+# Golang
+
+## Introduction
+
+This package holds the spec file and related patches for the Golang package.
+The golang package is part of the larger go-toolset meta package.
+
+## Sources
+
+This particular branch provides Go 1.16.x. The sources for this branch can be
+found at https://pagure.io/go/tree/go1.16-openssl-fips. The reason the source is
+coming from a pagure fork as opposed to an upstream tarball is due to certain
+patches we have written and currently maintain in order to claim FIPS compliance
+by calling into OpenSSL. Shipping a forked version of the toolchain is not the
+ideal scenario, and there is work in progress with upstream to enable us to
+instead ship a pure upstream toolchain and include a crypto module in go-toolset
+which will satisfy our FIPS requirements.
+
+The current fork is based on an upstream branch[[0]] which uses
+boringcrypto[[1]] instead of OpenSSL.
+
+If you need to make changes to the source for a rebase or bug fix, check out the
+pagure repo and switch to the branch listed above. Once you have made your
+changes you can test them locally with `./all.bash`. You may want to export
+`GOLANG_FIPS=1` before running that if you want to verify the FIPS codepaths are
+correct. Please note however that the test suite does not fully expect FIPS
+compliance, and will attempt to test non FIPS compliant code paths. The easiest
+way to test your changes correctly is to create a tarball locally and execute a
+mockbuild using this packge, which knows how to correctly run the testsuite in
+both FIPS and non-FIPS modes.
+
+NOTE: The way pagure previously handled uploaded releases has changed, and
+releases must be tagged in the appropriate branch, from which pagure will
+generate source tarballs.
+
+## Testing & building changes
+
+The first test you should run is a local mockbuild. This can be done with the
+rhpkg command:
+
+```
+rhpkg mockbuild
+```
+
+Once everything builds and passes locally you'll likely want to perform a
+scratch build. This will ensure that the changes you made build and run
+correctly on all architectures that this package supports. The best way to do
+this is to run a scratch build from your local sources without first having to
+push them. This ensures your changes are correct before commiting them to the
+repo. This can also be done via the following rhpkg command:
+
+```
+rhpkg scratch-build --srpm
+```
+
+Once your scratch build has passed you can execute a real build:
+
+```
+rhpkg build
+```
+
+---
+
+[0] https://github.com/golang/go/tree/dev.boringcrypto 
+[1] https://opensource.google.com/projects/boringssl

cgo-lto-fix.patch

@@ -0,0 +1,289 @@
+From 24e9707cbfa6b1ed6abdd4b11f9ddaf3aac5ad88 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Tue, 25 May 2021 16:31:41 -0700
+Subject: [PATCH] cmd/link, cmd/cgo: support -flto in CFLAGS
+
+The linker now accepts unrecognized object files in external linking mode.
+These objects will simply be passed to the external linker.
+This permits using -flto which can generate pure byte code objects,
+whose symbol table the linker does not know how to read.
+
+The cgo tool now passes -fno-lto when generating objects whose symbols
+it needs to read. The cgo tool now emits matching types in different
+objects, so that the lto linker does not report a mismatch.
+
+This is based on https://golang.org/cl/293290 by Derek Parker.
+
+For #43505
+Fixes #43830
+Fixes #46295
+
+Change-Id: I6787de213417466784ddef5af8899e453b4ae1ad
+Reviewed-on: https://go-review.googlesource.com/c/go/+/322614
+Trust: Ian Lance Taylor <iant@golang.org>
+Run-TryBot: Ian Lance Taylor <iant@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Michael Hudson-Doyle <michael.hudson@canonical.com>
+---
+
+diff --git a/src/cmd/cgo/gcc.go b/src/cmd/cgo/gcc.go
+index ae61725..a73e998 100644
+--- a/src/cmd/cgo/gcc.go
++++ b/src/cmd/cgo/gcc.go
+@@ -1638,6 +1638,8 @@
+ 		c = append(c, "-maix64")
+ 		c = append(c, "-mcmodel=large")
+ 	}
++	// disable LTO so we get an object whose symbols we can read
++	c = append(c, "-fno-lto")
+ 	c = append(c, "-") //read input from standard input
+ 	return c
+ }
+diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go
+index 8c31d5b..94152f4 100644
+--- a/src/cmd/cgo/out.go
++++ b/src/cmd/cgo/out.go
+@@ -168,8 +168,18 @@
+ 			if *gccgo {
+ 				fmt.Fprintf(fc, "extern byte *%s;\n", n.C)
+ 			} else {
+-				fmt.Fprintf(fm, "extern char %s[];\n", n.C)
+-				fmt.Fprintf(fm, "void *_cgohack_%s = %s;\n\n", n.C, n.C)
++				// Force a reference to all symbols so that
++				// the external linker will add DT_NEEDED
++				// entries as needed on ELF systems.
++				// Treat function variables differently
++				// to avoid type confict errors from LTO
++				// (Link Time Optimization).
++				if n.Kind == "fpvar" {
++					fmt.Fprintf(fm, "extern void %s();\n", n.C)
++				} else {
++					fmt.Fprintf(fm, "extern char %s[];\n", n.C)
++					fmt.Fprintf(fm, "void *_cgohack_%s = %s;\n\n", n.C, n.C)
++				}
+ 				fmt.Fprintf(fgo2, "//go:linkname __cgo_%s %s\n", n.C, n.C)
+ 				fmt.Fprintf(fgo2, "//go:cgo_import_static %s\n", n.C)
+ 				fmt.Fprintf(fgo2, "var __cgo_%s byte\n", n.C)
+@@ -1042,7 +1052,7 @@
+ 		fmt.Fprintf(fgo2, "//go:cgo_export_static _cgoexp%s_%s\n", cPrefix, exp.ExpName)
+ 		fmt.Fprintf(fgo2, "func _cgoexp%s_%s(a *%s) {\n", cPrefix, exp.ExpName, gotype)
+ 
+-		fmt.Fprintf(fm, "int _cgoexp%s_%s;\n", cPrefix, exp.ExpName)
++		fmt.Fprintf(fm, "void _cgoexp%s_%s(void* p){}\n", cPrefix, exp.ExpName)
+ 
+ 		if gccResult != "void" {
+ 			// Write results back to frame.
+diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go
+index 50bf80b..bc49c6d 100644
+--- a/src/cmd/dist/test.go
++++ b/src/cmd/dist/test.go
+@@ -722,14 +722,29 @@
+ 				},
+ 			})
+ 			if t.hasCxx() {
+-				t.tests = append(t.tests, distTest{
+-					name:    "swig_callback",
+-					heading: "../misc/swig/callback",
+-					fn: func(dt *distTest) error {
+-						t.addCmd(dt, "misc/swig/callback", t.goTest())
+-						return nil
++				t.tests = append(t.tests,
++					distTest{
++						name:    "swig_callback",
++						heading: "../misc/swig/callback",
++						fn: func(dt *distTest) error {
++							t.addCmd(dt, "misc/swig/callback", t.goTest())
++							return nil
++						},
+ 					},
+-				})
++					distTest{
++						name:    "swig_callback_lto",
++						heading: "../misc/swig/callback",
++						fn: func(dt *distTest) error {
++							cmd := t.addCmd(dt, "misc/swig/callback", t.goTest())
++							cmd.Env = append(os.Environ(),
++								"CGO_CFLAGS=-flto",
++								"CGO_CXXFLAGS=-flto",
++								"CGO_LDFLAGS=-flto",
++							)
++							return nil
++						},
++					},
++				)
+ 			}
+ 		}
+ 	}
+diff --git a/src/cmd/go/testdata/script/cgo_lto2_issue43830.txt b/src/cmd/go/testdata/script/cgo_lto2_issue43830.txt
+new file mode 100644
+index 0000000..e2483ba
+--- /dev/null
++++ b/src/cmd/go/testdata/script/cgo_lto2_issue43830.txt
+@@ -0,0 +1,33 @@
++# tests golang.org/issue/43830
++
++[!cgo] skip 'skipping test without cgo'
++[openbsd] env CC='clang'
++[openbsd] [!exec:clang] skip 'skipping test without clang present'
++[!openbsd] env CC='gcc'
++[!openbsd] [!exec:gcc] skip 'skipping test without gcc present'
++
++env CGO_CFLAGS='-Wno-ignored-optimization-argument -flto -ffat-lto-objects'
++
++go build main.go
++
++-- main.go --
++
++package main
++
++import "fmt"
++
++// #include "hello.h"
++import "C"
++
++func main() {
++	hello := C.hello
++	fmt.Printf("%v\n", hello)
++}
++
++-- hello.h --
++
++#include <stdio.h>
++
++void hello(void) {
++  printf("hello\n");
++}
+diff --git a/src/cmd/go/testdata/script/cgo_lto_issue43830.txt b/src/cmd/go/testdata/script/cgo_lto_issue43830.txt
+new file mode 100644
+index 0000000..06ab2f3
+--- /dev/null
++++ b/src/cmd/go/testdata/script/cgo_lto_issue43830.txt
+@@ -0,0 +1,39 @@
++# tests golang.org/issue/43830
++
++[!cgo] skip 'skipping test without cgo'
++[openbsd] env CC='clang'
++[openbsd] [!exec:clang] skip 'skipping test without clang present'
++[!openbsd] env CC='gcc'
++[!openbsd] [!exec:gcc] skip 'skipping test without gcc present'
++
++env CGO_CFLAGS='-Wno-ignored-optimization-argument -flto -ffat-lto-objects'
++
++go build main.go add.go
++
++-- main.go --
++
++package main
++
++/*
++int c_add(int a, int b) {
++	return myadd(a, b);
++}
++*/
++import "C"
++
++func main() {
++	println(C.c_add(1, 2))
++}
++
++-- add.go --
++
++package main
++
++import "C"
++
++/* test */
++
++//export myadd
++func myadd(a C.int, b C.int) C.int {
++	return a + b
++}
+diff --git a/src/cmd/link/internal/ld/ar.go b/src/cmd/link/internal/ld/ar.go
+index 22f53a4..23915f9 100644
+--- a/src/cmd/link/internal/ld/ar.go
++++ b/src/cmd/link/internal/ld/ar.go
+@@ -124,6 +124,10 @@
+ 
+ 			libgcc := sym.Library{Pkg: "libgcc"}
+ 			h := ldobj(ctxt, f, &libgcc, l, pname, name)
++			if h.ld == nil {
++				Errorf(nil, "%s unrecognized object file at offset %d", name, off)
++				continue
++			}
+ 			f.MustSeek(h.off, 0)
+ 			h.ld(ctxt, f, h.pkg, h.length, h.pn)
+ 		}
+diff --git a/src/cmd/link/internal/ld/config.go b/src/cmd/link/internal/ld/config.go
+index ae0d752..20f1d0b 100644
+--- a/src/cmd/link/internal/ld/config.go
++++ b/src/cmd/link/internal/ld/config.go
+@@ -241,6 +241,10 @@
+ 		return true, "dynamically linking with a shared library"
+ 	}
+ 
++	if unknownObjFormat {
++		return true, "some input objects have an unrecognized file format"
++	}
++
+ 	return false, ""
+ }
+ 
+@@ -248,7 +252,7 @@
+ //
+ // It is called after flags are processed and inputs are processed,
+ // so the ctxt.LinkMode variable has an initial value from the -linkmode
+-// flag and the iscgo externalobj variables are set.
++// flag and the iscgo, externalobj, and unknownObjFormat variables are set.
+ func determineLinkMode(ctxt *Link) {
+ 	extNeeded, extReason := mustLinkExternal(ctxt)
+ 	via := ""
+diff --git a/src/cmd/link/internal/ld/lib.go b/src/cmd/link/internal/ld/lib.go
+index e8f001b..644faeb 100644
+--- a/src/cmd/link/internal/ld/lib.go
++++ b/src/cmd/link/internal/ld/lib.go
+@@ -343,10 +343,16 @@
+ const pkgdef = "__.PKGDEF"
+ 
+ var (
+-	// Set if we see an object compiled by the host compiler that is not
+-	// from a package that is known to support internal linking mode.
++	// externalobj is set to true if we see an object compiled by
++	// the host compiler that is not from a package that is known
++	// to support internal linking mode.
+ 	externalobj = false
+-	theline     string
++
++	// unknownObjFormat is set to true if we see an object whose
++	// format we don't recognize.
++	unknownObjFormat = false
++
++	theline string
+ )
+ 
+ func Lflag(ctxt *Link, arg string) {
+@@ -1065,6 +1071,10 @@
+ 		}
+ 
+ 		f.MustSeek(h.off, 0)
++		if h.ld == nil {
++			Errorf(nil, "%s: unrecognized object file format", h.pn)
++			continue
++		}
+ 		h.ld(ctxt, f, h.pkg, h.length, h.pn)
+ 		f.Close()
+ 	}
+@@ -1855,6 +1865,14 @@
+ 		return ldhostobj(ldxcoff, ctxt.HeadType, f, pkg, length, pn, file)
+ 	}
+ 
++	if c1 != 'g' || c2 != 'o' || c3 != ' ' || c4 != 'o' {
++		// An unrecognized object is just passed to the external linker.
++		// If we try to read symbols from this object, we will
++		// report an error at that time.
++		unknownObjFormat = true
++		return ldhostobj(nil, ctxt.HeadType, f, pkg, length, pn, file)
++	}
++
+ 	/* check the header */
+ 	line, err := f.ReadString('\n')
+ 	if err != nil {

disable_static_external_tests.patch

@@ -0,0 +1,310 @@
+diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go
+index d9eb9c3..506f979 100644
+--- a/src/cmd/dist/test.go
++++ b/src/cmd/dist/test.go
+@@ -1180,18 +1180,20 @@ func (t *tester) cgoTest(dt *distTest) error {
+ 				fmt.Println("No support for static linking found (lacks libc.a?), skip cgo static linking test.")
+ 			} else {
+ 				if goos != "android" {
+-					t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`)
++					t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, "-tags=no_openssl")
+ 				}
+ 				t.addCmd(dt, "misc/cgo/nocgo", t.goTest())
+ 				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external`)
+ 				if goos != "android" {
+-					t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`)
++					t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, "-tags=no_openssl")
++					/*
+ 					t.addCmd(dt, "misc/cgo/test", t.goTest(), "-tags=static", "-ldflags", `-linkmode=external -extldflags "-static -pthread"`)
+ 					// -static in CGO_LDFLAGS triggers a different code path
+ 					// than -static in -extldflags, so test both.
+ 					// See issue #16651.
+ 					cmd := t.addCmd(dt, "misc/cgo/test", t.goTest(), "-tags=static")
+ 					setEnv(cmd, "CGO_LDFLAGS", "-static -pthread")
++					*/
+ 				}
+ 			}
+ 
+@@ -1201,7 +1203,7 @@ func (t *tester) cgoTest(dt *distTest) error {
+ 					t.addCmd(dt, "misc/cgo/test", t.goTest(), "-buildmode=pie", "-ldflags=-linkmode=internal", "-tags=internal,internal_pie")
+ 				}
+ 				t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-buildmode=pie")
+-				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie")
++				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie", "-tags=no_openssl")
+ 			}
+ 		}
+ 	}
+diff --git a/src/crypto/internal/boring/aes.go b/src/crypto/internal/boring/aes.go
+index a495bd7..2c6107b 100644
+--- a/src/crypto/internal/boring/aes.go
++++ b/src/crypto/internal/boring/aes.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/aes_test.go b/src/crypto/internal/boring/aes_test.go
+index 3b4c364..371bc20 100644
+--- a/src/crypto/internal/boring/aes_test.go
++++ b/src/crypto/internal/boring/aes_test.go
+@@ -1,9 +1,5 @@
+-// +build linux
+-// +build !android
+-// +build !no_openssl
+-// +build !cmd_go_bootstrap
+-// +build !msan
+-// +build cgo
++//go:build linux && !android && !no_openssl && !cmd_go_bootstrap && !msan && cgo && !static
++// +build linux,!android,!no_openssl,!cmd_go_bootstrap,!msan,cgo,!static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/boring.go b/src/crypto/internal/boring/boring.go
+index ec6e80c..05431b1 100644
+--- a/src/crypto/internal/boring/boring.go
++++ b/src/crypto/internal/boring/boring.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/ecdsa.go b/src/crypto/internal/boring/ecdsa.go
+index f72da41..33ee442 100644
+--- a/src/crypto/internal/boring/ecdsa.go
++++ b/src/crypto/internal/boring/ecdsa.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/goboringcrypto.h b/src/crypto/internal/boring/goboringcrypto.h
+index 4547ade..b8aaae4 100644
+--- a/src/crypto/internal/boring/goboringcrypto.h
++++ b/src/crypto/internal/boring/goboringcrypto.h
+@@ -1,6 +1,12 @@
+ // Copyright 2017 The Go Authors. All rights reserved.
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
++// +build linux
++// +build !android
++// +build !no_openssl
++// +build !cmd_go_bootstrap
++// +build !msan
++// +build !static
+ 
+ // This header file describes the BoringCrypto ABI as built for use in Go.
+ // The BoringCrypto build for Go (which generates goboringcrypto_*.syso)
+diff --git a/src/crypto/internal/boring/goopenssl.h b/src/crypto/internal/boring/goopenssl.h
+index 4820385..ac41482 100644
+--- a/src/crypto/internal/boring/goopenssl.h
++++ b/src/crypto/internal/boring/goopenssl.h
+@@ -6,6 +6,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ // This header file describes the OpenSSL ABI as built for use in Go.
+ 
+diff --git a/src/crypto/internal/boring/hmac.go b/src/crypto/internal/boring/hmac.go
+index 4e913c3..10cfbb3 100644
+--- a/src/crypto/internal/boring/hmac.go
++++ b/src/crypto/internal/boring/hmac.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/notboring.go b/src/crypto/internal/boring/notboring.go
+index e513834..08c5245 100644
+--- a/src/crypto/internal/boring/notboring.go
++++ b/src/crypto/internal/boring/notboring.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl
+-// +build !linux !cgo android cmd_go_bootstrap msan no_openssl
++//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl || static
++// +build !linux !cgo android cmd_go_bootstrap msan no_openssl static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/openssl_ecdsa_signature.c b/src/crypto/internal/boring/openssl_ecdsa_signature.c
+index 710d074..853be3d 100644
+--- a/src/crypto/internal/boring/openssl_ecdsa_signature.c
++++ b/src/crypto/internal/boring/openssl_ecdsa_signature.c
+@@ -3,6 +3,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ #include "goboringcrypto.h"
+ 
+diff --git a/src/crypto/internal/boring/openssl_evp.c b/src/crypto/internal/boring/openssl_evp.c
+index 36be702..331dfd3 100644
+--- a/src/crypto/internal/boring/openssl_evp.c
++++ b/src/crypto/internal/boring/openssl_evp.c
+@@ -3,6 +3,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ #include "goboringcrypto.h"
+ 
+diff --git a/src/crypto/internal/boring/openssl_lock_setup.c b/src/crypto/internal/boring/openssl_lock_setup.c
+index 955924e..c0f3435 100644
+--- a/src/crypto/internal/boring/openssl_lock_setup.c
++++ b/src/crypto/internal/boring/openssl_lock_setup.c
+@@ -3,6 +3,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ #include "goboringcrypto.h"
+ #include <stdio.h>
+diff --git a/src/crypto/internal/boring/openssl_port_aead_gcm.c b/src/crypto/internal/boring/openssl_port_aead_gcm.c
+index b39bf54..80c933a 100644
+--- a/src/crypto/internal/boring/openssl_port_aead_gcm.c
++++ b/src/crypto/internal/boring/openssl_port_aead_gcm.c
+@@ -4,6 +4,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ #include "goboringcrypto.h"
+ #include <openssl/err.h>
+diff --git a/src/crypto/internal/boring/openssl_port_ctr128.c b/src/crypto/internal/boring/openssl_port_ctr128.c
+index abaff5c..e2263a5 100644
+--- a/src/crypto/internal/boring/openssl_port_ctr128.c
++++ b/src/crypto/internal/boring/openssl_port_ctr128.c
+@@ -3,6 +3,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ #include "goboringcrypto.h"
+ 
+diff --git a/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c b/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c
+index 8418c38..39bf3ae 100644
+--- a/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c
++++ b/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c
+@@ -4,6 +4,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ // The following is a partial backport of crypto/evp/m_md5_sha1.c,
+ // commit cbc8a839959418d8a2c2e3ec6bdf394852c9501e on the
+diff --git a/src/crypto/internal/boring/openssl_port_hmac.c b/src/crypto/internal/boring/openssl_port_hmac.c
+index be7c71a..35e1860 100644
+--- a/src/crypto/internal/boring/openssl_port_hmac.c
++++ b/src/crypto/internal/boring/openssl_port_hmac.c
+@@ -4,6 +4,8 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
++
+ 
+ #include "goboringcrypto.h"
+ 
+diff --git a/src/crypto/internal/boring/openssl_port_rsa.c b/src/crypto/internal/boring/openssl_port_rsa.c
+index 5174f66..a8008e9 100644
+--- a/src/crypto/internal/boring/openssl_port_rsa.c
++++ b/src/crypto/internal/boring/openssl_port_rsa.c
+@@ -4,6 +4,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ #include "goboringcrypto.h"
+ 
+diff --git a/src/crypto/internal/boring/openssl_stub_rand.c b/src/crypto/internal/boring/openssl_stub_rand.c
+index 18d6777..e8ac53b 100644
+--- a/src/crypto/internal/boring/openssl_stub_rand.c
++++ b/src/crypto/internal/boring/openssl_stub_rand.c
+@@ -3,6 +3,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ #include "goboringcrypto.h"
+ #include <openssl/rand.h>
+diff --git a/src/crypto/internal/boring/rand.go b/src/crypto/internal/boring/rand.go
+index e9c334f..3adbd4d 100644
+--- a/src/crypto/internal/boring/rand.go
++++ b/src/crypto/internal/boring/rand.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/rsa.go b/src/crypto/internal/boring/rsa.go
+index b1a2f57..0cabadb 100644
+--- a/src/crypto/internal/boring/rsa.go
++++ b/src/crypto/internal/boring/rsa.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/sha.go b/src/crypto/internal/boring/sha.go
+index bdcc782..6184d6c 100644
+--- a/src/crypto/internal/boring/sha.go
++++ b/src/crypto/internal/boring/sha.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package boring
+ 

fedora.go

@@ -0,0 +1,7 @@
+// +build rpm_crashtraceback
+
+package runtime
+
+func init() {
+	setTraceback("crash")
+}

fix_TestScript_list_std.patch

@@ -0,0 +1,13 @@
+diff --git a/src/cmd/go/testdata/script/list_std.txt b/src/cmd/go/testdata/script/list_std.txt
+index 6ab1bd1..4a00e43 100644
+--- a/src/cmd/go/testdata/script/list_std.txt
++++ b/src/cmd/go/testdata/script/list_std.txt
+@@ -6,7 +6,7 @@ env GO111MODULE=off
+ # Listing GOROOT should only find standard packages.
+ cd $GOROOT/src
+ go list -f '{{if not .Standard}}{{.ImportPath}}{{end}}' ./...
+-! stdout .
++stdout _$GOROOT
+ 
+ # Standard packages should include cmd, but not cmd/vendor.
+ go list ./...

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

go1.5-zoneinfo_testing_only.patch

@@ -0,0 +1,73 @@
+diff --git a/src/time/internal_test.go b/src/time/internal_test.go
+index f0dddb7..415949a 100644
+--- a/src/time/internal_test.go
++++ b/src/time/internal_test.go
+@@ -4,13 +4,15 @@
+ 
+ package time
+ 
++import "runtime"
++
+ func init() {
+ 	// force US/Pacific for time zone tests
+ 	ForceUSPacificForTesting()
+ }
+ 
+ func initTestingZone() {
+-	z, err := loadLocation("America/Los_Angeles", zoneSources[len(zoneSources)-1:])
++	z, err := loadLocation("America/Los_Angeles", zoneSources)
+ 	if err != nil {
+ 		panic("cannot load America/Los_Angeles for testing: " + err.Error() + "; you may want to use -tags=timetzdata")
+ 	}
+@@ -21,8 +23,9 @@ func initTestingZone() {
+ var OrigZoneSources = zoneSources
+ 
+ func forceZipFileForTesting(zipOnly bool) {
+-	zoneSources = make([]string, len(OrigZoneSources))
++	zoneSources = make([]string, len(OrigZoneSources)+1)
+ 	copy(zoneSources, OrigZoneSources)
++	zoneSources = append(zoneSources, runtime.GOROOT()+"/lib/time/zoneinfo.zip")
+ 	if zipOnly {
+ 		zoneSources = zoneSources[len(zoneSources)-1:]
+ 	}
+diff --git a/src/time/zoneinfo_test.go b/src/time/zoneinfo_test.go
+index f032aa7..e3e5547 100644
+--- a/src/time/zoneinfo_test.go
++++ b/src/time/zoneinfo_test.go
+@@ -9,6 +9,7 @@ import (
+ 	"fmt"
+ 	"os"
+ 	"reflect"
++	"runtime"
+ 	"testing"
+ 	"time"
+ )
+@@ -137,7 +138,7 @@ func TestLoadLocationFromTZData(t *testing.T) {
+ 		t.Fatal(err)
+ 	}
+ 
+-	tzinfo, err := time.LoadTzinfo(locationName, time.OrigZoneSources[len(time.OrigZoneSources)-1])
++	tzinfo, err := time.LoadTzinfo(locationName, runtime.GOROOT()+"/lib/time/zoneinfo.zip")
+ 	if err != nil {
+ 		t.Fatal(err)
+ 	}
+diff --git a/src/time/zoneinfo_unix.go b/src/time/zoneinfo_unix.go
+index 23f8b3c..228db1b 100644
+--- a/src/time/zoneinfo_unix.go
++++ b/src/time/zoneinfo_unix.go
+@@ -12,7 +12,6 @@
+ package time
+ 
+ import (
+-	"runtime"
+ 	"syscall"
+ )
+ 
+@@ -22,7 +21,6 @@ var zoneSources = []string{
+ 	"/usr/share/zoneinfo/",
+ 	"/usr/share/lib/zoneinfo/",
+ 	"/usr/lib/locale/TZ/",
+-	runtime.GOROOT() + "/lib/time/zoneinfo.zip",
+ }
+ 
+ func initLocal() {

golang-gdbinit

@@ -0,0 +1 @@
+add-auto-load-safe-path /usr/lib/golang/src/pkg/runtime/runtime-gdb.py

golang-prelink.conf

@@ -0,0 +1,3 @@
+# there are ELF files in src which are testdata and shouldn't be modified
+-b /usr/lib/golang/src
+-b /usr/lib64/golang/src

openssl_deprecated_algorithm_tests.patch

@@ -0,0 +1,112 @@
+diff --git a/src/crypto/rsa/pkcs1v15_test.go b/src/crypto/rsa/pkcs1v15_test.go
+index a4f2e2dbbe..76701d2e2b 100644
+--- a/src/crypto/rsa/pkcs1v15_test.go
++++ b/src/crypto/rsa/pkcs1v15_test.go
+@@ -52,6 +52,7 @@ var decryptPKCS1v15Tests = []DecryptPKCS1v15Test{
+ }
+ 
+ func TestDecryptPKCS1v15(t *testing.T) {
++	t.Skip("not supported in FIPS mode")
+ 	decryptionFuncs := []func([]byte) ([]byte, error){
+ 		func(ciphertext []byte) (plaintext []byte, err error) {
+ 			return DecryptPKCS1v15(nil, testRSA2048PrivateKey, ciphertext)
+@@ -76,6 +77,7 @@ func TestDecryptPKCS1v15(t *testing.T) {
+ }
+ 
+ func TestEncryptPKCS1v15(t *testing.T) {
++	t.Skip("not supported in FIPS mode")
+ 	random := rand.Reader
+ 	k := (testRSA2048PrivateKey.N.BitLen() + 7) / 8
+ 
+@@ -137,6 +139,7 @@ var decryptPKCS1v15SessionKeyTests = []DecryptPKCS1v15Test{
+ }
+ 
+ func TestEncryptPKCS1v15SessionKey(t *testing.T) {
++	t.Skip("not supported in FIPS mode")
+ 	for i, test := range decryptPKCS1v15SessionKeyTests {
+ 		key := []byte("FAIL")
+ 		err := DecryptPKCS1v15SessionKey(nil, testRSA2048PrivateKey, decodeBase64(test.in), key)
+@@ -151,6 +154,7 @@ func TestEncryptPKCS1v15SessionKey(t *testing.T) {
+ }
+ 
+ func TestEncryptPKCS1v15DecrypterSessionKey(t *testing.T) {
++	t.Skip("not supported in FIPS mode")
+ 	for i, test := range decryptPKCS1v15SessionKeyTests {
+ 		plaintext, err := testRSA2048PrivateKey.Decrypt(rand.Reader, decodeBase64(test.in), &PKCS1v15DecryptOptions{SessionKeyLen: 4})
+ 		if err != nil {
+@@ -270,6 +274,7 @@ func TestUnpaddedSignature(t *testing.T) {
+ }
+ 
+ func TestShortSessionKey(t *testing.T) {
++	t.Skip("not supported in FIPS mode")
+ 	// This tests that attempting to decrypt a session key where the
+ 	// ciphertext is too small doesn't run outside the array bounds.
+ 	ciphertext, err := EncryptPKCS1v15(rand.Reader, &testRSA2048PrivateKey.PublicKey, []byte{1})
+diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go
+index b547a87c71..99e7882866 100644
+--- a/src/crypto/rsa/pss_test.go
++++ b/src/crypto/rsa/pss_test.go
+@@ -77,6 +77,7 @@ func TestEMSAPSS(t *testing.T) {
+ // TestPSSGolden tests all the test vectors in pss-vect.txt from
+ // ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip
+ func TestPSSGolden(t *testing.T) {
++	t.Skip("SHA1 not supported in boring mode")
+ 	inFile, err := os.Open("testdata/pss-vect.txt.bz2")
+ 	if err != nil {
+ 		t.Fatalf("Failed to open input file: %s", err)
+diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go
+index 9aa67655ab..2f4e666abb 100644
+--- a/src/crypto/rsa/rsa_test.go
++++ b/src/crypto/rsa/rsa_test.go
+@@ -123,28 +123,29 @@ func testKeyBasics(t *testing.T, priv *PrivateKey) {
+ 		t.Errorf("private exponent too large")
+ 	}
+ 
+-	if boring.Enabled() {
+-		// Cannot call encrypt/decrypt directly. Test via PKCS1v15.
+-		msg := []byte("hi!")
+-		if priv.Size() >= 256 {
+-			enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg)
+-			if err != nil {
+-				t.Errorf("EncryptPKCS1v15: %v", err)
+-				return
+-			}
+-			dec, err := DecryptPKCS1v15(rand.Reader, priv, enc)
+-			if err != nil {
+-				t.Errorf("DecryptPKCS1v15: %v", err)
+-				return
+-			}
+-			if !bytes.Equal(dec, msg) {
+-				t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
+-			}
+-		} else {
+-			t.Logf("skipping check for unsupported key less than 2048 bits")
+-		}
+-		return
+-	}
++        if boring.Enabled() {
++                // Cannot call encrypt/decrypt directly. Test via EncryptOAEP.
++		sha256 := sha256.New()
++                msg := []byte("hi!")
++                if priv.Size() >= 256 {
++                        enc, err := EncryptOAEP(sha256, rand.Reader, &priv.PublicKey, msg, nil)
++                        if err != nil {
++                                t.Errorf("EncryptOAEP: %v", err)
++                                return
++                        }
++                        dec, err := DecryptOAEP(sha256, rand.Reader, priv, enc, nil)
++                        if err != nil {
++                                t.Errorf("DecryptOAEP: %v", err)
++                                return
++                        }
++                        if !bytes.Equal(dec, msg) {
++                                t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
++                        }
++                } else {
++                        t.Logf("skipping check for unsupported key less than 2048 bits")
++                }
++                return
++        }
+ 
+ 	pub := &priv.PublicKey
+ 	m := big.NewInt(42)

remove_ed25519vectors_test.patch

@@ -0,0 +1,128 @@
+From d7cad65ab9179804e9f089ce97bc124e9ef79494 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alejandro=20S=C3=A1ez?= <asm@redhat.com>
+Date: Wed, 15 Dec 2021 16:02:15 +0100
+Subject: [PATCH] Remove ed25519vectors_test.go
+
+---
+ src/crypto/ed25519/ed25519vectors_test.go | 109 ----------------------
+ 1 file changed, 109 deletions(-)
+ delete mode 100644 src/crypto/ed25519/ed25519vectors_test.go
+
+diff --git a/src/crypto/ed25519/ed25519vectors_test.go b/src/crypto/ed25519/ed25519vectors_test.go
+deleted file mode 100644
+index 74fcdcdf4e..0000000000
+--- a/src/crypto/ed25519/ed25519vectors_test.go
++++ /dev/null
+@@ -1,109 +0,0 @@
+-// Copyright 2021 The Go Authors. All rights reserved.
+-// Use of this source code is governed by a BSD-style
+-// license that can be found in the LICENSE file.
+-
+-package ed25519_test
+-
+-import (
+-	"crypto/ed25519"
+-	"encoding/hex"
+-	"encoding/json"
+-	"internal/testenv"
+-	"os"
+-	"os/exec"
+-	"path/filepath"
+-	"testing"
+-)
+-
+-// TestEd25519Vectors runs a very large set of test vectors that exercise all
+-// combinations of low-order points, low-order components, and non-canonical
+-// encodings. These vectors lock in unspecified and spec-divergent behaviors in
+-// edge cases that are not security relevant in most contexts, but that can
+-// cause issues in consensus applications if changed.
+-//
+-// Our behavior matches the "classic" unwritten verification rules of the
+-// "ref10" reference implementation.
+-//
+-// Note that although we test for these edge cases, they are not covered by the
+-// Go 1 Compatibility Promise. Applications that need stable verification rules
+-// should use github.com/hdevalence/ed25519consensus.
+-//
+-// See https://hdevalence.ca/blog/2020-10-04-its-25519am for more details.
+-func TestEd25519Vectors(t *testing.T) {
+-	jsonVectors := downloadEd25519Vectors(t)
+-	var vectors []struct {
+-		A, R, S, M string
+-		Flags      []string
+-	}
+-	if err := json.Unmarshal(jsonVectors, &vectors); err != nil {
+-		t.Fatal(err)
+-	}
+-	for i, v := range vectors {
+-		expectedToVerify := true
+-		for _, f := range v.Flags {
+-			switch f {
+-			// We use the simplified verification formula that doesn't multiply
+-			// by the cofactor, so any low order residue will cause the
+-			// signature not to verify.
+-			//
+-			// This is allowed, but not required, by RFC 8032.
+-			case "LowOrderResidue":
+-				expectedToVerify = false
+-			// Our point decoding allows non-canonical encodings (in violation
+-			// of RFC 8032) but R is not decoded: instead, R is recomputed and
+-			// compared bytewise against the canonical encoding.
+-			case "NonCanonicalR":
+-				expectedToVerify = false
+-			}
+-		}
+-
+-		publicKey := decodeHex(t, v.A)
+-		signature := append(decodeHex(t, v.R), decodeHex(t, v.S)...)
+-		message := []byte(v.M)
+-
+-		didVerify := ed25519.Verify(publicKey, message, signature)
+-		if didVerify && !expectedToVerify {
+-			t.Errorf("#%d: vector with flags %s unexpectedly verified", i, v.Flags)
+-		}
+-		if !didVerify && expectedToVerify {
+-			t.Errorf("#%d: vector with flags %s unexpectedly rejected", i, v.Flags)
+-		}
+-	}
+-}
+-
+-func downloadEd25519Vectors(t *testing.T) []byte {
+-	testenv.MustHaveExternalNetwork(t)
+-
+-	// Download the JSON test file from the GOPROXY with `go mod download`,
+-	// pinning the version so test and module caching works as expected.
+-	goTool := testenv.GoToolPath(t)
+-	path := "filippo.io/mostly-harmless/ed25519vectors@v0.0.0-20210322192420-30a2d7243a94"
+-	cmd := exec.Command(goTool, "mod", "download", "-json", path)
+-	// TODO: enable the sumdb once the TryBots proxy supports it.
+-	cmd.Env = append(os.Environ(), "GONOSUMDB=*")
+-	output, err := cmd.Output()
+-	if err != nil {
+-		t.Fatalf("failed to run `go mod download -json %s`, output: %s", path, output)
+-	}
+-	var dm struct {
+-		Dir string // absolute path to cached source root directory
+-	}
+-	if err := json.Unmarshal(output, &dm); err != nil {
+-		t.Fatal(err)
+-	}
+-
+-	jsonVectors, err := os.ReadFile(filepath.Join(dm.Dir, "ed25519vectors.json"))
+-	if err != nil {
+-		t.Fatalf("failed to read ed25519vectors.json: %v", err)
+-	}
+-	return jsonVectors
+-}
+-
+-func decodeHex(t *testing.T, s string) []byte {
+-	t.Helper()
+-	b, err := hex.DecodeString(s)
+-	if err != nil {
+-		t.Errorf("invalid hex: %v", err)
+-	}
+-	return b
+-}
+-- 
+2.33.1
+

rhbz1955035.patch

@@ -0,0 +1,42 @@
+From 4ec78a579cc3c83a7d0afc7483fb3e69e2fd87a7 Mon Sep 17 00:00:00 2001
+From: "Paul E. Murphy" <murp@ibm.com>
+Date: Tue, 27 Apr 2021 15:05:51 -0500
+Subject: [PATCH] cmd/link: disable plugin support if cgo is disabled
+
+Functional plugin support requires cgo to be enabled. Disable
+it if the environment has disabled cgo.
+
+This prevents unexpected linker failures when linking large
+binaries with cgo disabled which use the plugin package.
+
+Fixes #45564
+
+Change-Id: Ib71f0e089f7373b7b3e3cd53da3612291e7bc473
+Reviewed-on: https://go-review.googlesource.com/c/go/+/314449
+Run-TryBot: Paul Murphy <murp@ibm.com>
+Reviewed-by: Cherry Zhang <cherryyz@google.com>
+TryBot-Result: Go Bot <gobot@golang.org>
+Trust: Lynn Boger <laboger@linux.vnet.ibm.com>
+---
+ src/cmd/link/internal/ld/lib.go | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/cmd/link/internal/ld/lib.go b/src/cmd/link/internal/ld/lib.go
+index 0e77424884..f7a32aebae 100644
+--- a/src/cmd/link/internal/ld/lib.go
++++ b/src/cmd/link/internal/ld/lib.go
+@@ -533,7 +533,10 @@ func (ctxt *Link) loadlib() {
+ 	// up symbol by name may not get expected result.
+ 
+ 	iscgo = ctxt.LibraryByPkg["runtime/cgo"] != nil
+-	ctxt.canUsePlugins = ctxt.LibraryByPkg["plugin"] != nil
++
++	// Plugins a require cgo support to function. Similarly, plugins may require additional
++	// internal linker support on some platforms which may not be implemented.
++	ctxt.canUsePlugins = ctxt.LibraryByPkg["plugin"] != nil && iscgo
+ 
+ 	// We now have enough information to determine the link mode.
+ 	determineLinkMode(ctxt)
+-- 
+2.30.2
+

skip_test_rhbz1939923.patch

@@ -0,0 +1,12 @@
+diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
+index 51dda16815..2d1e1b1e6e 100644
+--- a/src/crypto/x509/x509_test.go
++++ b/src/crypto/x509/x509_test.go
+@@ -2880,6 +2880,7 @@ func (bs *brokenSigner) Sign(_ io.Reader, _ []byte, _ crypto.SignerOpts) ([]byte
+ }
+ 
+ func TestCreateCertificateBrokenSigner(t *testing.T) {
++	t.Skip("TODO Fix me: rhbz#1939923")
+ 	template := &Certificate{
+ 		SerialNumber: big.NewInt(10),
+ 		DNSNames:     []string{"example.com"},

sources

@@ -0,0 +1 @@
+SHA1 (go1.18.2-1-openssl-fips.tar.gz) = 2982f1fe39b59089eab5469bb6b3bb9f462abe45