import golang-1.19.4-1.module+el8.8.0+17628+80ec917c

2022-12-24 08:12:40 +00:00 · 2022-12-24 08:12:40 +00:00 · c315dab3da
commit c315dab3da
parent 8856a18b10
8 changed files with 167 additions and 6878 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
-SOURCES/go1.19.2.tar.gz
+SOURCES/go1.19.4-1-openssl-fips.tar.gz
 SOURCES/go1.19.4.tar.gz
--- a/.golang.metadata
+++ b/.golang.metadata
@ -1 +1,2 @@
-1324ae800bf3b78c8cfda83fb9d69d7d46c51bf1 SOURCES/go1.19.2.tar.gz
+9463e718b1a8daa61009caa6c113197cbefbe9eb SOURCES/go1.19.4-1-openssl-fips.tar.gz
 6debf76aa6fb97daff4d49502153a47093883c28 SOURCES/go1.19.4.tar.gz
--- a/SOURCES/000-initial-setup.patch
+++ b/SOURCES/000-initial-setup.patch
@ -1,829 +0,0 @@
 diff --git a/api/go1.19.txt b/api/go1.19.txt
 index 523f752..778e1d5 100644
 --- a/api/go1.19.txt
 +++ b/api/go1.19.txt
@@ -290,3 +290,5 @@ pkg sync/atomic, type Uint64 struct #50860
 pkg sync/atomic, type Uintptr struct #50860
 pkg time, method (Duration) Abs() Duration #51414
 pkg time, method (Time) ZoneBounds() (Time, Time) #50062
 +pkg crypto/ecdsa, func HashSign(io.Reader, *PrivateKey, []uint8, crypto.Hash) (*big.Int, *big.Int, error) #000000
 +pkg crypto/ecdsa, func HashVerify(*PublicKey, []uint8, *big.Int, *big.Int, crypto.Hash) bool #000000
 diff --git a/src/cmd/go/testdata/script/gopath_std_vendor.txt b/src/cmd/go/testdata/script/gopath_std_vendor.txt
 index a0a41a5..208aa70 100644
 --- a/src/cmd/go/testdata/script/gopath_std_vendor.txt
 +++ b/src/cmd/go/testdata/script/gopath_std_vendor.txt
@@ -21,11 +21,11 @@ go build .
 go list -deps -f '{{.ImportPath}} {{.Dir}}' .
 stdout $GOPATH[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
 -! stdout $GOROOT[/\\]src[/\\]vendor
 +! stdout $GOROOT[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
 go list -test -deps -f '{{.ImportPath}} {{.Dir}}' .
 stdout $GOPATH[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
 -! stdout $GOROOT[/\\]src[/\\]vendor
 +! stdout $GOROOT[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
 -- issue16333/issue16333.go --
 package vendoring17
 diff --git a/src/crypto/ecdsa/ecdsa_hashsignverify.go b/src/crypto/ecdsa/ecdsa_hashsignverify.go
 new file mode 100644
 index 0000000..37f3a18
 --- /dev/null
 +++ b/src/crypto/ecdsa/ecdsa_hashsignverify.go
@@ -0,0 +1,45 @@
 +package ecdsa
 +
 +import (
 +	"crypto"
 +	"crypto/internal/boring"
 +	"crypto/internal/randutil"
 +	"math/big"
 +	"io"
 +)
 +
 +func HashSign(rand io.Reader, priv *PrivateKey, msg []byte, h crypto.Hash) (*big.Int, *big.Int, error) {
 +	randutil.MaybeReadByte(rand)
 +
 +	if boring.Enabled {
 +		b, err := boringPrivateKey(priv)
 +		if err != nil {
 +			return nil, nil, err
 +		}
 +		return boring.HashSignECDSA(b, msg, h)
 +	}
 +	boring.UnreachableExceptTests()
 +
 +	hash := h.New()
 +	hash.Write(msg)
 +	d := hash.Sum(nil)
 +
 +	return Sign(rand, priv, d)
 +}
 +
 +func HashVerify(pub *PublicKey, msg []byte, r, s *big.Int, h crypto.Hash) bool {
 +	if boring.Enabled {
 +		bpk, err := boringPublicKey(pub)
 +		if err != nil {
 +			return false
 +		}
 +		return boring.HashVerifyECDSA(bpk, msg, r, s, h)
 +	}
 +	boring.UnreachableExceptTests()
 +
 +	hash := h.New()
 +	hash.Write(msg)
 +	d := hash.Sum(nil)
 +
 +	return Verify(pub, d, r, s)
 +}
 diff --git a/src/crypto/ecdsa/ecdsa_hashsignverify_test.go b/src/crypto/ecdsa/ecdsa_hashsignverify_test.go
 new file mode 100644
 index 0000000..d12ba2f
 --- /dev/null
 +++ b/src/crypto/ecdsa/ecdsa_hashsignverify_test.go
@@ -0,0 +1,42 @@
 +package ecdsa
 +
 +import (
 +	"crypto"
 +	"crypto/internal/boring"
 +	"crypto/elliptic"
 +	"crypto/rand"
 +	"testing"
 +)
 +
 +func testHashSignAndHashVerify(t *testing.T, c elliptic.Curve, tag string) {
 +	priv, err := GenerateKey(c, rand.Reader)
 +	if priv == nil {
 +		t.Fatal(err)
 +	}
 +
 +	msg := []byte("testing")
 +	h := crypto.SHA256
 +	r, s, err := HashSign(rand.Reader, priv, msg, h)
 +	if err != nil {
 +		t.Errorf("%s: error signing: %s", tag, err)
 +		return
 +	}
 +
 +	if !HashVerify(&priv.PublicKey, msg, r, s, h) {
 +		t.Errorf("%s: Verify failed", tag)
 +	}
 +
 +	msg[0] ^= 0xff
 +	if HashVerify(&priv.PublicKey, msg, r, s, h) {
 +		t.Errorf("%s: Verify should not have succeeded", tag)
 +	}
 +}
 +func TestHashSignAndHashVerify(t *testing.T) {
 +	testHashSignAndHashVerify(t, elliptic.P256(), "p256")
 +
 +	if testing.Short() && !boring.Enabled {
 +		return
 +	}
 +	testHashSignAndHashVerify(t, elliptic.P384(), "p384")
 +	testHashSignAndHashVerify(t, elliptic.P521(), "p521")
 +}
 diff --git a/src/crypto/ed25519/ed25519_test.go b/src/crypto/ed25519/ed25519_test.go
 index 7c51817..102c4e5 100644
 --- a/src/crypto/ed25519/ed25519_test.go
 +++ b/src/crypto/ed25519/ed25519_test.go
@@ -187,6 +187,7 @@ func TestMalleability(t *testing.T) {
 }
 func TestAllocations(t *testing.T) {
 +	t.Skip("Allocations test broken with openssl linkage")
 	if boring.Enabled {
 		t.Skip("skipping allocations test with BoringCrypto")
 	}
 diff --git a/src/crypto/ed25519/ed25519vectors_test.go b/src/crypto/ed25519/ed25519vectors_test.go
 index f933f28..223ce04 100644
 --- a/src/crypto/ed25519/ed25519vectors_test.go
 +++ b/src/crypto/ed25519/ed25519vectors_test.go
@@ -72,6 +72,7 @@ func TestEd25519Vectors(t *testing.T) {
 }
 func downloadEd25519Vectors(t *testing.T) []byte {
 +	t.Skip("skipping test that downloads external data")
 	testenv.MustHaveExternalNetwork(t)
 	// Create a temp dir and modcache subdir.
 diff --git a/src/crypto/internal/backend/bbig/big.go b/src/crypto/internal/backend/bbig/big.go
 new file mode 100644
 index 0000000..c0800df
 --- /dev/null
 +++ b/src/crypto/internal/backend/bbig/big.go
@@ -0,0 +1,38 @@
 +// Copyright 2022 The Go Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
 +
 +// This is a mirror of crypto/internal/boring/bbig/big.go.
 +
 +package bbig
 +
 +import (
 +	"math/big"
 +	"unsafe"
 +
 +	"github.com/golang-fips/openssl-fips/openssl"
 +)
 +
 +func Enc(b *big.Int) openssl.BigInt {
 +	if b == nil {
 +		return nil
 +	}
 +	x := b.Bits()
 +	if len(x) == 0 {
 +		return openssl.BigInt{}
 +	}
 +	// TODO: Use unsafe.Slice((*uint)(&x[0]), len(x)) once go1.16 is no longer supported.
 +	return (*(*[]uint)(unsafe.Pointer(&x)))[:len(x)]
 +}
 +
 +func Dec(b openssl.BigInt) *big.Int {
 +	if b == nil {
 +		return nil
 +	}
 +	if len(b) == 0 {
 +		return new(big.Int)
 +	}
 +	// TODO: Use unsafe.Slice((*uint)(&b[0]), len(b)) once go1.16 is no longer supported.
 +	x := (*(*[]big.Word)(unsafe.Pointer(&b)))[:len(b)]
 +	return new(big.Int).SetBits(x)
 +}
 diff --git a/src/crypto/internal/backend/dummy.s b/src/crypto/internal/backend/dummy.s
 new file mode 100644
 index 0000000..e69de29
 diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go
 new file mode 100644
 index 0000000..482ed6f
 --- /dev/null
 +++ b/src/crypto/internal/backend/nobackend.go
@@ -0,0 +1,155 @@
 +// Copyright 2017 The Go Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
 +
 +//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl
 +// +build !linux !cgo android cmd_go_bootstrap msan no_openssl
 +
 +package backend
 +
 +import (
 +	"crypto"
 +	"crypto/cipher"
 +	"crypto/internal/boring/sig"
 +	"math/big"
 +	"github.com/golang-fips/openssl-fips/openssl"
 +	"hash"
 +	"io"
 +)
 +
 +var enabled = false
 +
 +// Unreachable marks code that should be unreachable
 +// when BoringCrypto is in use. It is a no-op without BoringCrypto.
 +func Unreachable() {
 +	// Code that's unreachable when using BoringCrypto
 +	// is exactly the code we want to detect for reporting
 +	// standard Go crypto.
 +	sig.StandardCrypto()
 +}
 +
 +// UnreachableExceptTests marks code that should be unreachable
 +// when BoringCrypto is in use. It is a no-op without BoringCrypto.
 +func UnreachableExceptTests() {}
 +
 +func ExecutingTest() bool { return false }
 +
 +// This is a noop withotu BoringCrytpo.
 +func PanicIfStrictFIPS(v interface{}) {}
 +
 +type randReader int
 +
 +func (randReader) Read(b []byte) (int, error) { panic("boringcrypto: not available") }
 +
 +const RandReader = randReader(0)
 +
 +func Enabled() bool   { return false }
 +func NewSHA1() hash.Hash   { panic("boringcrypto: not available") }
 +func NewSHA224() hash.Hash { panic("boringcrypto: not available") }
 +func NewSHA256() hash.Hash { panic("boringcrypto: not available") }
 +func NewSHA384() hash.Hash { panic("boringcrypto: not available") }
 +func NewSHA512() hash.Hash { panic("boringcrypto: not available") }
 +func SHA1(_ []byte) [20]byte { panic("boringcrypto: not available") }
 +func SHA224(_ []byte) [28]byte { panic("boringcrypto: not available") }
 +func SHA256(_ []byte) [32]byte { panic("boringcrypto: not available") }
 +func SHA384(_ []byte) [48]byte { panic("boringcrypto: not available") }
 +func SHA512(_ []byte) [64]byte { panic("boringcrypto: not available") }
 +
 +func NewHMAC(h func() hash.Hash, key []byte) hash.Hash { panic("boringcrypto: not available") }
 +
 +func NewAESCipher(key []byte) (cipher.Block, error) { panic("boringcrypto: not available") }
 +
 +type PublicKeyECDSA struct{ _ int }
 +type PrivateKeyECDSA struct{ _ int }
 +
 +func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) {
 +	panic("boringcrypto: not available")
 +}
 +func GenerateKeyECDSA(curve string) (X, Y, D openssl.BigInt, err error) {
 +	panic("boringcrypto: not available")
 +}
 +func NewPrivateKeyECDSA(curve string, X, Y, D openssl.BigInt) (*PrivateKeyECDSA, error) {
 +	panic("boringcrypto: not available")
 +}
 +func NewPublicKeyECDSA(curve string, X, Y openssl.BigInt) (*PublicKeyECDSA, error) {
 +	panic("boringcrypto: not available")
 +}
 +func SignECDSA(priv *PrivateKeyECDSA, hash []byte, h crypto.Hash) (r, s openssl.BigInt, err error) {
 +	panic("boringcrypto: not available")
 +}
 +func SignMarshalECDSA(priv *PrivateKeyECDSA, hash []byte) ([]byte, error) {
 +	panic("boringcrypto: not available")
 +}
 +func VerifyECDSA(pub *PublicKeyECDSA, hash, sig []byte) bool {
 +	panic("boringcrypto: not available")
 +}
 +
 +type PublicKeyECDH struct{ _ int }
 +type PrivateKeyECDH struct{ _ int }
 +
 +func GenerateKeyECDH(curve string) (X, Y, D openssl.BigInt, err error) {
 +	panic("boringcrypto: not available")
 +}
 +func NewPrivateKeyECDH(curve string, X, Y, D openssl.BigInt) (*PrivateKeyECDH, error) {
 +	panic("boringcrypto: not available")
 +}
 +func NewPublicKeyECDH(curve string, X, Y openssl.BigInt) (*PublicKeyECDH, error) {
 +	panic("boringcrypto: not available")
 +}
 +func SharedKeyECDH(priv *PrivateKeyECDH, peerPublicKey []byte) ([]byte, error) {
 +	panic("boringcrypto: not available")
 +}
 +
 +type PublicKeyRSA struct{ _ int }
 +type PrivateKeyRSA struct{ _ int }
 +
 +func DecryptRSAOAEP(h hash.Hash, priv *PrivateKeyRSA, ciphertext, label []byte) ([]byte, error) {
 +	panic("boringcrypto: not available")
 +}
 +func DecryptRSAPKCS1(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) {
 +	panic("boringcrypto: not available")
 +}
 +func DecryptRSANoPadding(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) {
 +	panic("boringcrypto: not available")
 +}
 +func EncryptRSAOAEP(h hash.Hash, pub *PublicKeyRSA, msg, label []byte) ([]byte, error) {
 +	panic("boringcrypto: not available")
 +}
 +func EncryptRSAPKCS1(pub *PublicKeyRSA, msg []byte) ([]byte, error) {
 +	panic("boringcrypto: not available")
 +}
 +func EncryptRSANoPadding(pub *PublicKeyRSA, msg []byte) ([]byte, error) {
 +	panic("boringcrypto: not available")
 +}
 +func GenerateKeyRSA(bits int) (N, E, D, P, Q, Dp, Dq, Qinv openssl.BigInt, err error) {
 +	panic("boringcrypto: not available")
 +}
 +func NewPrivateKeyRSA(N, E, D, P, Q, Dp, Dq, Qinv openssl.BigInt) (*PrivateKeyRSA, error) {
 +	panic("boringcrypto: not available")
 +}
 +func NewPublicKeyRSA(N, E openssl.BigInt) (*PublicKeyRSA, error) { panic("boringcrypto: not available") }
 +func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, msgHashed bool) ([]byte, error) {
 +	panic("boringcrypto: not available")
 +}
 +func SignRSAPSS(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, saltLen int) ([]byte, error) {
 +	panic("boringcrypto: not available")
 +}
 +func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, msgHashed bool) error {
 +	panic("boringcrypto: not available")
 +}
 +func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen int) error {
 +	panic("boringcrypto: not available")
 +}
 +
 +func ExtractHKDF(h func() hash.Hash, secret, salt []byte) ([]byte, error) {
 +	panic("boringcrypto: not available")
 +}
 +func ExpandHKDF(h func() hash.Hash, pseudorandomKey, info []byte) (io.Reader, error) {
 +	panic("boringcrypto: not available")
 +}
 +func HashVerifyECDSA(pub *PublicKeyECDSA, msg []byte, r, s *big.Int, h crypto.Hash) bool {
 +	panic("boringcrypto: not available")
 +}
 +func HashSignECDSA(priv *PrivateKeyECDSA, hash []byte, h crypto.Hash) (*big.Int, *big.Int, error) {
 +	panic("boringcrypto: not available")
 +}
 diff --git a/src/crypto/internal/backend/openssl.go b/src/crypto/internal/backend/openssl.go
 new file mode 100644
 index 0000000..4040c77
 --- /dev/null
 +++ b/src/crypto/internal/backend/openssl.go
@@ -0,0 +1,105 @@
 +// Copyright 2017 The Go Authors. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
 +
 +//go:build linux && cgo && !android && !gocrypt && !cmd_go_bootstrap && !msan && !no_openssl
 +// +build linux,cgo,!android,!gocrypt,!cmd_go_bootstrap,!msan,!no_openssl
 +
 +// Package openssl provides access to OpenSSLCrypto implementation functions.
 +// Check the variable Enabled to find out whether OpenSSLCrypto is available.
 +// If OpenSSLCrypto is not available, the functions in this package all panic.
 +package backend
 +
 +import (
 +	"github.com/golang-fips/openssl-fips/openssl"
 +)
 +
 +// Enabled controls whether FIPS crypto is enabled.
 +var Enabled = openssl.Enabled
 +
 +// Unreachable marks code that should be unreachable
 +// when OpenSSLCrypto is in use. It panics only when
 +// the system is in FIPS mode.
 +func Unreachable() {
 +	if Enabled() {
 +		panic("opensslcrypto: invalid code execution")
 +	}
 +}
 +
 +// Provided by runtime.crypto_backend_runtime_arg0 to avoid os import.
 +func runtime_arg0() string
 +
 +func hasSuffix(s, t string) bool {
 +	return len(s) > len(t) && s[len(s)-len(t):] == t
 +}
 +
 +// UnreachableExceptTests marks code that should be unreachable
 +// when OpenSSLCrypto is in use. It panics.
 +func UnreachableExceptTests() {
 +	name := runtime_arg0()
 +	// If OpenSSLCrypto ran on Windows we'd need to allow _test.exe and .test.exe as well.
 +	if Enabled() && !hasSuffix(name, "_test") && !hasSuffix(name, ".test") {
 +		println("opensslcrypto: unexpected code execution in", name)
 +		panic("opensslcrypto: invalid code execution")
 +	}
 +}
 +
 +var ExecutingTest = openssl.ExecutingTest
 +
 +const RandReader = openssl.RandReader
 +
 +var NewGCMTLS = openssl.NewGCMTLS
 +var NewSHA1 = openssl.NewSHA1
 +var NewSHA224 = openssl.NewSHA224
 +var NewSHA256 = openssl.NewSHA256
 +var NewSHA384 = openssl.NewSHA384
 +var NewSHA512 = openssl.NewSHA512
 +
 +var SHA1 = openssl.SHA1
 +var SHA224 = openssl.SHA224
 +var SHA256 = openssl.SHA256
 +var SHA384 = openssl.SHA384
 +var SHA512 = openssl.SHA512
 +
 +var NewHMAC = openssl.NewHMAC
 +
 +var NewAESCipher = openssl.NewAESCipher
 +
 +type PublicKeyECDSA = openssl.PublicKeyECDSA
 +type PrivateKeyECDSA = openssl.PrivateKeyECDSA
 +
 +var GenerateKeyECDSA = openssl.GenerateKeyECDSA
 +var NewPrivateKeyECDSA = openssl.NewPrivateKeyECDSA
 +var NewPublicKeyECDSA = openssl.NewPublicKeyECDSA
 +var SignMarshalECDSA = openssl.SignMarshalECDSA
 +var VerifyECDSA = openssl.VerifyECDSA
 +var HashVerifyECDSA = openssl.HashVerifyECDSA
 +var HashSignECDSA = openssl.HashSignECDSA
 +
 +type PublicKeyECDH = openssl.PublicKeyECDH
 +type PrivateKeyECDH = openssl.PrivateKeyECDH
 +
 +var GenerateKeyECDH = openssl.GenerateKeyECDH
 +var NewPrivateKeyECDH = openssl.NewPrivateKeyECDH
 +var NewPublicKeyECDH = openssl.NewPublicKeyECDH
 +var SharedKeyECDH = openssl.SharedKeyECDH
 +
 +type PublicKeyRSA = openssl.PublicKeyRSA
 +type PrivateKeyRSA = openssl.PrivateKeyRSA
 +
 +var DecryptRSAOAEP = openssl.DecryptRSAOAEP
 +var DecryptRSAPKCS1 = openssl.DecryptRSAPKCS1
 +var DecryptRSANoPadding = openssl.DecryptRSANoPadding
 +var EncryptRSAOAEP = openssl.EncryptRSAOAEP
 +var EncryptRSAPKCS1 = openssl.EncryptRSAPKCS1
 +var EncryptRSANoPadding = openssl.EncryptRSANoPadding
 +var GenerateKeyRSA = openssl.GenerateKeyRSA
 +var NewPrivateKeyRSA = openssl.NewPrivateKeyRSA
 +var NewPublicKeyRSA = openssl.NewPublicKeyRSA
 +var SignRSAPKCS1v15 = openssl.SignRSAPKCS1v15
 +var SignRSAPSS = openssl.SignRSAPSS
 +var VerifyRSAPKCS1v15 = openssl.VerifyRSAPKCS1v15
 +var VerifyRSAPSS = openssl.VerifyRSAPSS
 +
 +var ExtractHKDF = openssl.ExtractHKDF
 +var ExpandHKDF = openssl.ExpandHKDF
 diff --git a/src/crypto/tls/boring.go b/src/crypto/tls/boring.go
 index 1827f76..4c5c352 100644
 --- a/src/crypto/tls/boring.go
 +++ b/src/crypto/tls/boring.go
@@ -8,8 +8,15 @@ package tls
 import (
 	"crypto/internal/boring/fipstls"
 +	boring "crypto/internal/backend"
 )
 +func init() {
 +       if boring.Enabled && !boring.ExecutingTest() {
 +               fipstls.Force()
 +       }
 +}
 +
 // needFIPS returns fipstls.Required(); it avoids a new import in common.go.
 func needFIPS() bool {
 	return fipstls.Required()
@@ -17,14 +24,14 @@ func needFIPS() bool {
 // fipsMinVersion replaces c.minVersion in FIPS-only mode.
 func fipsMinVersion(c *Config) uint16 {
 -	// FIPS requires TLS 1.2.
 +	// FIPS requires TLS 1.2 or later.
 	return VersionTLS12
 }
 // fipsMaxVersion replaces c.maxVersion in FIPS-only mode.
 func fipsMaxVersion(c *Config) uint16 {
 -	// FIPS requires TLS 1.2.
 -	return VersionTLS12
 +	// FIPS requires TLS 1.2 or later.
 +	return VersionTLS13
 }
 // default defaultFIPSCurvePreferences is the FIPS-allowed curves,
 diff --git a/src/crypto/tls/boring_test.go b/src/crypto/tls/boring_test.go
 index f743fc8..9fec2c8 100644
 --- a/src/crypto/tls/boring_test.go
 +++ b/src/crypto/tls/boring_test.go
@@ -51,11 +51,11 @@ func TestBoringServerProtocolVersion(t *testing.T) {
 	test("VersionTLS10", VersionTLS10, "client offered only unsupported versions")
 	test("VersionTLS11", VersionTLS11, "client offered only unsupported versions")
 	test("VersionTLS12", VersionTLS12, "")
 -	test("VersionTLS13", VersionTLS13, "client offered only unsupported versions")
 +	test("VersionTLS13", VersionTLS13, "")
 }
 func isBoringVersion(v uint16) bool {
 -	return v == VersionTLS12
 +	return v == VersionTLS12 || v == VersionTLS13
 }
 func isBoringCipherSuite(id uint16) bool {
@@ -65,7 +65,9 @@ func isBoringCipherSuite(id uint16) bool {
 		TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 		TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 		TLS_RSA_WITH_AES_128_GCM_SHA256,
 -		TLS_RSA_WITH_AES_256_GCM_SHA384:
 +		TLS_RSA_WITH_AES_256_GCM_SHA384,
 +		TLS_AES_128_GCM_SHA256,
 +		TLS_AES_256_GCM_SHA384:
 		return true
 	}
 	return false
@@ -311,7 +313,7 @@ func TestBoringCertAlgs(t *testing.T) {
 	// Set up some roots, intermediate CAs, and leaf certs with various algorithms.
 	// X_Y is X signed by Y.
 	R1 := boringCert(t, "R1", boringRSAKey(t, 2048), nil, boringCertCA|boringCertFIPSOK)
 -	R2 := boringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA)
 +	R2 := boringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA|boringCertFIPSOK)
 	M1_R1 := boringCert(t, "M1_R1", boringECDSAKey(t, elliptic.P256()), R1, boringCertCA|boringCertFIPSOK)
 	M2_R1 := boringCert(t, "M2_R1", boringECDSAKey(t, elliptic.P224()), R1, boringCertCA)
 diff --git a/src/crypto/tls/cipher_suites.go b/src/crypto/tls/cipher_suites.go
 index 9a1fa31..f7c64db 100644
 --- a/src/crypto/tls/cipher_suites.go
 +++ b/src/crypto/tls/cipher_suites.go
@@ -354,6 +354,11 @@ var defaultCipherSuitesTLS13NoAES = []uint16{
 	TLS_AES_256_GCM_SHA384,
 }
 +var defaultFIPSCipherSuitesTLS13 = []uint16{
 +	TLS_AES_128_GCM_SHA256,
 +	TLS_AES_256_GCM_SHA384,
 +}
 +
 var (
 	hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
 	hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
 diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go
 index e61e3eb..7031ab8 100644
 --- a/src/crypto/tls/handshake_client.go
 +++ b/src/crypto/tls/handshake_client.go
@@ -127,7 +127,9 @@ func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) {
 	var params ecdheParameters
 	if hello.supportedVersions[0] == VersionTLS13 {
 -		if hasAESGCMHardwareSupport {
 +		if needFIPS() {
 +			hello.cipherSuites = append(hello.cipherSuites, defaultFIPSCipherSuitesTLS13...)
 +		} else if hasAESGCMHardwareSupport {
 			hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13...)
 		} else {
 			hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13NoAES...)
 diff --git a/src/crypto/tls/handshake_client_test.go b/src/crypto/tls/handshake_client_test.go
 index 380de9f..02b4ac8 100644
 --- a/src/crypto/tls/handshake_client_test.go
 +++ b/src/crypto/tls/handshake_client_test.go
@@ -2135,6 +2135,7 @@ func testBuffering(t *testing.T, version uint16) {
 }
 func TestAlertFlushing(t *testing.T) {
 +       t.Skip("unsupported in FIPS mode, different error returned")
 	c, s := localPipe(t)
 	done := make(chan bool)
 diff --git a/src/crypto/tls/handshake_client_tls13.go b/src/crypto/tls/handshake_client_tls13.go
 index c798986..7a60702 100644
 --- a/src/crypto/tls/handshake_client_tls13.go
 +++ b/src/crypto/tls/handshake_client_tls13.go
@@ -41,10 +41,6 @@ type clientHandshakeStateTLS13 struct {
 func (hs *clientHandshakeStateTLS13) handshake() error {
 	c := hs.c
 -	if needFIPS() {
 -		return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
 -	}
 -
 	// The server must not select TLS 1.3 in a renegotiation. See RFC 8446,
 	// sections 4.1.2 and 4.1.3.
 	if c.handshakes > 0 {
 diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
 index 03a477f..1ef6afc 100644
 --- a/src/crypto/tls/handshake_server_tls13.go
 +++ b/src/crypto/tls/handshake_server_tls13.go
@@ -45,10 +45,6 @@ type serverHandshakeStateTLS13 struct {
 func (hs *serverHandshakeStateTLS13) handshake() error {
 	c := hs.c
 -	if needFIPS() {
 -		return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
 -	}
 -
 	// For an overview of the TLS 1.3 handshake, see RFC 8446, Section 2.
 	if err := hs.processClientHello(); err != nil {
 		return err
 diff --git a/src/crypto/tls/key_schedule.go b/src/crypto/tls/key_schedule.go
 index 3140169..323d683 100644
 --- a/src/crypto/tls/key_schedule.go
 +++ b/src/crypto/tls/key_schedule.go
@@ -7,6 +7,8 @@ package tls
 import (
 	"crypto/elliptic"
 	"crypto/hmac"
 +	"crypto/internal/boring"
 +	"crypto/internal/boring/bbig"
 	"errors"
 	"hash"
 	"io"
@@ -43,9 +45,20 @@ func (c *cipherSuiteTLS13) expandLabel(secret []byte, label string, context []by
 		b.AddBytes(context)
 	})
 	out := make([]byte, length)
 -	n, err := hkdf.Expand(c.hash.New, secret, hkdfLabel.BytesOrPanic()).Read(out)
 -	if err != nil || n != length {
 -		panic("tls: HKDF-Expand-Label invocation failed unexpectedly")
 +	if boring.Enabled {
 +		reader, err := boring.ExpandHKDF(c.hash.New, secret, hkdfLabel.BytesOrPanic())
 +		if err != nil {
 +			panic("tls: HKDF-Expand-Label invocation failed unexpectedly")
 +		}
 +		n, err := reader.Read(out)
 +		if err != nil || n != length {
 +			panic("tls: HKDF-Expand-Label invocation failed unexpectedly")
 +		}
 +	} else {
 +		n, err := hkdf.Expand(c.hash.New, secret, hkdfLabel.BytesOrPanic()).Read(out)
 +		if err != nil || n != length {
 +			panic("tls: HKDF-Expand-Label invocation failed unexpectedly")
 +		}
 	}
 	return out
 }
@@ -63,7 +76,15 @@ func (c *cipherSuiteTLS13) extract(newSecret, currentSecret []byte) []byte {
 	if newSecret == nil {
 		newSecret = make([]byte, c.hash.Size())
 	}
 -	return hkdf.Extract(c.hash.New, newSecret, currentSecret)
 +	if boring.Enabled {
 +		ikm, err := boring.ExtractHKDF(c.hash.New, newSecret, currentSecret)
 +		if err != nil {
 +			panic("tls: HKDF-Extract invocation failed unexpectedly")
 +		}
 +		return ikm
 +	} else {
 +		return hkdf.Extract(c.hash.New, newSecret, currentSecret)
 +	}
 }
 // nextTrafficSecret generates the next traffic secret, given the current one,
@@ -129,9 +150,19 @@ func generateECDHEParameters(rand io.Reader, curveID CurveID) (ecdheParameters,
 	p := &nistParameters{curveID: curveID}
 	var err error
 -	p.privateKey, p.x, p.y, err = elliptic.GenerateKey(curve, rand)
 -	if err != nil {
 -		return nil, err
 +	if boring.Enabled {
 +		x, y, d, err := boring.GenerateKeyECDH(curve.Params().Name)
 +		if err != nil {
 +			return nil, err
 +		}
 +		p.x = bbig.Dec(x)
 +		p.y = bbig.Dec(y)
 +		p.privateKey = bbig.Dec(d).Bytes()
 +	} else {
 +		p.privateKey, p.x, p.y, err = elliptic.GenerateKey(curve, rand)
 +		if err != nil {
 +			return nil, err
 +		}
 	}
 	return p, nil
 }
@@ -166,15 +197,28 @@ func (p *nistParameters) PublicKey() []byte {
 func (p *nistParameters) SharedKey(peerPublicKey []byte) []byte {
 	curve, _ := curveForCurveID(p.curveID)
 -	// Unmarshal also checks whether the given point is on the curve.
 -	x, y := elliptic.Unmarshal(curve, peerPublicKey)
 -	if x == nil {
 -		return nil
 -	}
 +	if boring.Enabled {
 +		k := new(big.Int).SetBytes(p.privateKey)
 +		priv, err := boring.NewPrivateKeyECDH(curve.Params().Name, bbig.Enc(p.x), bbig.Enc(p.y), bbig.Enc(k))
 +		if err != nil {
 +			return nil
 +		}
 +		sharedKey, err := boring.SharedKeyECDH(priv, peerPublicKey)
 +		if err != nil {
 +			return nil
 +		}
 +		return sharedKey
 +	} else {
 +		// Unmarshal also checks whether the given point is on the curve.
 +		x, y := elliptic.Unmarshal(curve, peerPublicKey)
 +		if x == nil {
 +			return nil
 +		}
 -	xShared, _ := curve.ScalarMult(x, y, p.privateKey)
 -	sharedKey := make([]byte, (curve.Params().BitSize+7)/8)
 -	return xShared.FillBytes(sharedKey)
 +		xShared, _ := curve.ScalarMult(x, y, p.privateKey)
 +		sharedKey := make([]byte, (curve.Params().BitSize+7)/8)
 +		return xShared.FillBytes(sharedKey)
 +	}
 }
 type x25519Parameters struct {
 diff --git a/src/crypto/x509/boring.go b/src/crypto/x509/boring.go
 index 4aae905..42706f9 100644
 --- a/src/crypto/x509/boring.go
 +++ b/src/crypto/x509/boring.go
@@ -26,7 +26,7 @@ func boringAllowCert(c *Certificate) bool {
 	default:
 		return false
 	case *rsa.PublicKey:
 -		if size := k.N.BitLen(); size != 2048 && size != 3072 {
 +		if size := k.N.BitLen(); size != 2048 && size != 3072 && size != 4096 {
 			return false
 		}
 	case *ecdsa.PublicKey:
 diff --git a/src/crypto/x509/boring_test.go b/src/crypto/x509/boring_test.go
 index 7010f44..70021f3 100644
 --- a/src/crypto/x509/boring_test.go
 +++ b/src/crypto/x509/boring_test.go
@@ -54,7 +54,7 @@ type boringCertificate struct {
 func TestBoringAllowCert(t *testing.T) {
 	R1 := testBoringCert(t, "R1", boringRSAKey(t, 2048), nil, boringCertCA|boringCertFIPSOK)
 -	R2 := testBoringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA)
 +	R2 := testBoringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA|boringCertFIPSOK)
 	M1_R1 := testBoringCert(t, "M1_R1", boringECDSAKey(t, elliptic.P256()), R1, boringCertCA|boringCertFIPSOK)
 	M2_R1 := testBoringCert(t, "M2_R1", boringECDSAKey(t, elliptic.P224()), R1, boringCertCA)
 diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go
 index 141fdb9..d8e81d9 100644
 --- a/src/go/build/deps_test.go
 +++ b/src/go/build/deps_test.go
@@ -414,19 +414,23 @@ var depsRules = `
 	< crypto/internal/edwards25519
 	< crypto/cipher;
 -	crypto/cipher,
 +	fmt, crypto/cipher,
 	crypto/internal/boring/bcache
 	< crypto/internal/boring
 +	< github.com/golang-fips/openssl-fips/openssl
 +	< crypto/internal/backend
 	< crypto/boring
 	< crypto/aes, crypto/des, crypto/hmac, crypto/md5, crypto/rc4,
 	  crypto/sha1, crypto/sha256, crypto/sha512
 	< CRYPTO;
 -	CGO, fmt, net !< CRYPTO;
 +	CGO, net !< CRYPTO;
 	# CRYPTO-MATH is core bignum-based crypto - no cgo, net; fmt now ok.
 	CRYPTO, FMT, math/big, embed
 +	< github.com/golang-fips/openssl-fips/openssl/bbig
 	< crypto/internal/boring/bbig
 +	< crypto/internal/backend/bbig
 	< crypto/internal/randutil
 	< crypto/rand
 	< crypto/ed25519
@@ -601,6 +605,7 @@ func listStdPkgs(goroot string) ([]string, error) {
 }
 func TestDependencies(t *testing.T) {
 +	t.Skip("openssl-fips based toolchain has different dependencies than upstream")
 	if !testenv.HasSrc() {
 		// Tests run in a limited file system and we do not
 		// provide access to every source file.
@@ -644,7 +649,7 @@ var buildIgnore = []byte("\n//go:build ignore")
 func findImports(pkg string) ([]string, error) {
 	vpkg := pkg
 -	if strings.HasPrefix(pkg, "golang.org") {
 +	if strings.HasPrefix(pkg, "golang.org") || strings.HasPrefix(pkg, "github.com") {
 		vpkg = "vendor/" + pkg
 	}
 	dir := filepath.Join(Default.GOROOT, "src", vpkg)
@@ -654,7 +659,7 @@ func findImports(pkg string) ([]string, error) {
 	}
 	var imports []string
 	var haveImport = map[string]bool{}
 -	if pkg == "crypto/internal/boring" {
 +	if pkg == "crypto/internal/boring" || pkg == "github.com/golang-fips/openssl-fips/openssl" {
 		haveImport["C"] = true // kludge: prevent C from appearing in crypto/internal/boring imports
 	}
 	fset := token.NewFileSet()
 diff --git a/src/runtime/runtime_boring.go b/src/runtime/runtime_boring.go
 index 5a98b20..dc25cdc 100644
 --- a/src/runtime/runtime_boring.go
 +++ b/src/runtime/runtime_boring.go
@@ -17,3 +17,8 @@ func boring_runtime_arg0() string {
 //go:linkname fipstls_runtime_arg0 crypto/internal/boring/fipstls.runtime_arg0
 func fipstls_runtime_arg0() string { return boring_runtime_arg0() }
 +
 +//go:linkname crypto_backend_runtime_arg0 crypto/internal/backend.runtime_arg0
 +func crypto_backend_runtime_arg0() string {
 +	return boring_runtime_arg0()
 +}
 \ No newline at end of file
--- a/SOURCES/001-initial-openssl-for-fips.patch
+++ b/SOURCES/001-initial-openssl-for-fips.patch
--- a/SOURCES/enable-big-endian-fips-mode.patch
+++ b/SOURCES/enable-big-endian-fips-mode.patch
@ -1,348 +0,0 @@
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
 index b3501400e0..5e1e789da0 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
@@ -131,7 +131,7 @@ func NewPrivateKeyECDSA(curve string, X, Y BigInt, D BigInt) (*PrivateKeyECDSA,
 func HashSignECDSA(priv *PrivateKeyECDSA, hash []byte, h crypto.Hash) (*big.Int, *big.Int, error) {
 	size := C._goboringcrypto_ECDSA_size(priv.key)
 	sig := make([]byte, size)
 -	var sigLen C.uint
 +	var sigLen C.size_t
 	md := cryptoHashToMD(h)
 	if md == nil {
 		panic("boring: invalid hash")
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
 index 411fefdf78..217b320e4a 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
@@ -218,10 +218,16 @@ DEFINEFUNC(const GO_EVP_MD *, EVP_sha512, (void), ())
 DEFINEFUNC(const GO_EVP_MD *, EVP_md_null, (void), ())
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
 DEFINEFUNCINTERNAL(int, EVP_MD_type, (const GO_EVP_MD *arg0), (arg0))
 +DEFINEFUNCINTERNAL(size_t, EVP_MD_size, (const GO_EVP_MD *arg0), (arg0))
 +static inline int
 +_goboringcrypto_EVP_MD_get_size(const GO_EVP_MD *arg0)
 +{
 +	return _goboringcrypto_internal_EVP_MD_size(arg0);
 +}
 #else
 DEFINEFUNCINTERNAL(int, EVP_MD_get_type, (const GO_EVP_MD *arg0), (arg0))
 +DEFINEFUNC(size_t, EVP_MD_get_size, (const GO_EVP_MD *arg0), (arg0))
 #endif
 -DEFINEFUNCINTERNAL(size_t, EVP_MD_size, (const GO_EVP_MD *arg0), (arg0))
 DEFINEFUNCINTERNAL(const GO_EVP_MD*, EVP_md5_sha1, (void), ())
 # include <openssl/md5.h>
@@ -275,26 +281,16 @@ DEFINEFUNC(void, HMAC_CTX_free, (GO_HMAC_CTX * arg0), (arg0))
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 static inline size_t
 _goboringcrypto_HMAC_size(const GO_HMAC_CTX* arg0) {
 -	return _goboringcrypto_internal_EVP_MD_size(arg0->md);
 +	return _goboringcrypto_EVP_MD_get_size(arg0->md);
 }
 #else
 DEFINEFUNCINTERNAL(const EVP_MD*, HMAC_CTX_get_md, (const GO_HMAC_CTX* ctx), (ctx))
 -# if OPENSSL_VERSION_NUMBER < 0x30000000L
 -static inline size_t
 -_goboringcrypto_HMAC_size(const GO_HMAC_CTX* arg0) {
 -	const EVP_MD* md;
 -	md = _goboringcrypto_internal_HMAC_CTX_get_md(arg0);
 -	return _goboringcrypto_internal_EVP_MD_size(md);
 -}
 -# else
 -DEFINEFUNCINTERNAL(size_t, EVP_MD_get_size, (const GO_EVP_MD *arg0), (arg0))
 static inline size_t
 _goboringcrypto_HMAC_size(const GO_HMAC_CTX* arg0) {
 	const EVP_MD* md;
 	md = _goboringcrypto_internal_HMAC_CTX_get_md(arg0);
 -	return _goboringcrypto_internal_EVP_MD_get_size(md);
 +	return _goboringcrypto_EVP_MD_get_size(md);
 }
 -# endif
 #endif
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
@@ -370,6 +366,7 @@ DEFINEFUNC(unsigned int, BN_num_bits, (const GO_BIGNUM *arg0), (arg0))
 DEFINEFUNC(int, BN_is_negative, (const GO_BIGNUM *arg0), (arg0))
 DEFINEFUNC(GO_BIGNUM *, BN_bin2bn, (const uint8_t *arg0, size_t arg1, GO_BIGNUM *arg2), (arg0, arg1, arg2))
 DEFINEFUNC(GO_BIGNUM *, BN_lebin2bn, (const unsigned char *s, size_t len, BIGNUM *ret), (s, len, ret))
 +DEFINEFUNC(int, BN_bn2binpad, (const BIGNUM *a, unsigned char *to, size_t tolen), (a, to, tolen))
 DEFINEFUNC(int, BN_bn2lebinpad, (const BIGNUM *a, unsigned char *to, size_t tolen), (a, to, tolen))
 static inline unsigned int
@@ -418,7 +415,7 @@ typedef ECDSA_SIG GO_ECDSA_SIG;
 DEFINEFUNC(GO_ECDSA_SIG *, ECDSA_SIG_new, (void), ())
 DEFINEFUNC(void, ECDSA_SIG_free, (GO_ECDSA_SIG * arg0), (arg0))
 DEFINEFUNC(GO_ECDSA_SIG *, ECDSA_do_sign, (const uint8_t *arg0, size_t arg1, const GO_EC_KEY *arg2), (arg0, arg1, arg2))
 -DEFINEFUNC(int, ECDSA_do_verify, (const uint8_t *arg0, size_t arg1, const GO_ECDSA_SIG *arg2, const GO_EC_KEY *arg3), (arg0, arg1, arg2, arg3))
 +DEFINEFUNC(int, ECDSA_do_verify, (const uint8_t *arg0, size_t arg1, const GO_ECDSA_SIG *arg2, GO_EC_KEY *arg3), (arg0, arg1, arg2, arg3))
 DEFINEFUNC(size_t, ECDSA_size, (const GO_EC_KEY *arg0), (arg0))
 DEFINEFUNCINTERNAL(int, ECDSA_sign, 
@@ -453,25 +450,25 @@ _goboringcrypto_EVP_PKEY_assign_RSA(EVP_PKEY *pkey, RSA *rsa) {
 }
 DEFINEFUNC(int, EVP_DigestSignInit,
 -	(EVP_MD_CTX* ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, const EVP_PKEY *pkey),
 +	(EVP_MD_CTX* ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey),
 	(ctx, pctx, type, e, pkey))
 DEFINEFUNC(int, EVP_DigestUpdate,
 	(EVP_MD_CTX* ctx, const void *d, size_t cnt),
 	(ctx, d, cnt))
 DEFINEFUNC(int, EVP_DigestSignFinal,
 -	(EVP_MD_CTX* ctx, unsigned char *sig, unsigned int *siglen),
 +	(EVP_MD_CTX* ctx, unsigned char *sig, size_t *siglen),
 	(ctx, sig, siglen))
 DEFINEFUNC(int, EVP_DigestVerifyInit,
 -	(EVP_MD_CTX* ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, const EVP_PKEY *pkey),
 +	(EVP_MD_CTX* ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey),
 	(ctx, pctx, type, e, pkey))
 DEFINEFUNC(int, EVP_DigestVerifyFinal,
 	(EVP_MD_CTX* ctx, const uint8_t *sig, unsigned int siglen),
 	(ctx, sig, siglen))
 typedef RSA GO_RSA;
 -int _goboringcrypto_EVP_sign(EVP_MD* md, EVP_PKEY_CTX *ctx, const uint8_t *msg, size_t msgLen, uint8_t *sig, unsigned int *slen, EVP_PKEY *eckey);
 +int _goboringcrypto_EVP_sign(EVP_MD* md, EVP_PKEY_CTX *ctx, const uint8_t *msg, size_t msgLen, uint8_t *sig, size_t *slen, EVP_PKEY *eckey);
 int _goboringcrypto_EVP_sign_raw(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *msg,
                                                               size_t msgLen, uint8_t *sig, size_t *slen,
                                                               GO_RSA *key);
@@ -490,7 +487,7 @@ static inline void _goboringcrypto_EVP_MD_CTX_free(EVP_MD_CTX *ctx) {
 DEFINEFUNC(void, EVP_MD_CTX_free, (EVP_MD_CTX *ctx), (ctx))
 #endif
 -int _goboringcrypto_ECDSA_sign(EVP_MD *md, const uint8_t *arg1, size_t arg2, uint8_t *arg3, unsigned int *arg4, GO_EC_KEY *arg5);
 +int _goboringcrypto_ECDSA_sign(EVP_MD *md, const uint8_t *arg1, size_t arg2, uint8_t *arg3, size_t *arg4, GO_EC_KEY *arg5);
 int _goboringcrypto_ECDSA_verify(EVP_MD *md, const uint8_t *arg1, size_t arg2, const uint8_t *arg3, unsigned int arg4, GO_EC_KEY *arg5);
 #include <openssl/rsa.h>
@@ -498,7 +495,7 @@ int _goboringcrypto_ECDSA_verify(EVP_MD *md, const uint8_t *arg1, size_t arg2, c
 // Note: order of struct fields here is unchecked.
 typedef BN_GENCB GO_BN_GENCB;
 -int _goboringcrypto_EVP_RSA_sign(EVP_MD* md, const uint8_t *msg, unsigned int msgLen, uint8_t *sig, unsigned int *slen, RSA *rsa);
 +int _goboringcrypto_EVP_RSA_sign(EVP_MD* md, const uint8_t *msg, unsigned int msgLen, uint8_t *sig, size_t *slen, RSA *rsa);
 int _goboringcrypto_EVP_RSA_verify(EVP_MD* md, const uint8_t *msg, unsigned int msgLen, const uint8_t *sig, unsigned int slen, GO_RSA *rsa);
 DEFINEFUNC(GO_RSA *, RSA_new, (void), ())
@@ -800,10 +797,10 @@ _goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(GO_EVP_PKEY_CTX * ctx, const GO_EVP
 }
 DEFINEFUNC(int, EVP_PKEY_decrypt,
 -		   (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, unsigned int *arg2, const uint8_t *arg3, unsigned int arg4),
 +		   (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, size_t *arg2, const uint8_t *arg3, size_t arg4),
 		   (arg0, arg1, arg2, arg3, arg4))
 DEFINEFUNC(int, EVP_PKEY_encrypt,
 -		   (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, unsigned int *arg2, const uint8_t *arg3, unsigned int arg4),
 +		   (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, size_t *arg2, const uint8_t *arg3, size_t arg4),
 		   (arg0, arg1, arg2, arg3, arg4))
 DEFINEFUNC(int, EVP_PKEY_decrypt_init, (GO_EVP_PKEY_CTX * arg0), (arg0))
 DEFINEFUNC(int, EVP_PKEY_encrypt_init, (GO_EVP_PKEY_CTX * arg0), (arg0))
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go
 index 86d7c6c212..2f45dabca2 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go
@@ -14,6 +14,7 @@ package openssl
 */
 import "C"
 import (
 +	"encoding/binary"
 	"errors"
 	"fmt"
 	"math/bits"
@@ -184,25 +185,73 @@ type fail string
 func (e fail) Error() string { return "boringcrypto: " + string(e) + " failed" }
 -func wbase(b BigInt) *C.uint8_t {
 -	if len(b) == 0 {
 -		return nil
 +const wordBytes = bits.UintSize / 8
 +
 +// These two functions were copied from `math/big` package, which
 +// defines `big.Int` with a similar representation.
 +func (z BigInt) writeBytes(buf []byte) (i int) {
 +	i = len(buf)
 +	for _, d := range z {
 +		for j := 0; j < wordBytes; j++ {
 +			i--
 +			if i >= 0 {
 +				buf[i] = byte(d)
 +			} else if byte(d) != 0 {
 +				panic("boringcrypto: buffer too small to fit value")
 +			}
 +			d >>= 8
 +		}
 +	}
 +
 +	if i < 0 {
 +		i = 0
 +	}
 +	for i < len(buf) && buf[i] == 0 {
 +		i++
 	}
 -	return (*C.uint8_t)(unsafe.Pointer(&b[0]))
 +
 +	return
 }
 -const wordBytes = bits.UintSize / 8
 +func bytesToBig(buf []byte) BigInt {
 +	z := make(BigInt, (len(buf) + wordBytes - 1) / wordBytes)
 +	i := len(buf)
 +	for k := 0; i >= wordBytes; k++ {
 +		if bits.UintSize == 64 {
 +			z[k] = uint(binary.BigEndian.Uint64(buf[i-wordBytes : i]))
 +		} else {
 +			z[k] = uint(binary.BigEndian.Uint32(buf[i-wordBytes : i]))
 +		}
 +		i -= wordBytes
 +	}
 +	if i > 0 {
 +		var d uint
 +		for s := uint(0); i > 0; s += 8 {
 +			d |= uint(buf[i-1]) << s
 +			i--
 +		}
 +		z[len(z)-1] = d
 +	}
 +
 +	i = len(z)
 +	for i > 0 && z[i-1] == 0 {
 +		i--
 +	}
 +	return z[0:i]
 +}
 func bigToBN(x BigInt) *C.GO_BIGNUM {
 -	return C._goboringcrypto_BN_lebin2bn(wbase(x), C.size_t(len(x)*wordBytes), nil)
 +	buf := make([]byte, len(x)*wordBytes)
 +	buf = buf[x.writeBytes(buf):]
 +	return C._goboringcrypto_BN_bin2bn(base(buf), C.size_t(len(buf)), nil)
 }
 func bnToBig(bn *C.GO_BIGNUM) BigInt {
 -	x := make(BigInt, (C._goboringcrypto_BN_num_bytes(bn)+wordBytes-1)/wordBytes)
 -	if C._goboringcrypto_BN_bn2lebinpad(bn, wbase(x), C.size_t(len(x)*wordBytes)) == 0 {
 +	buf := make([]byte, C._goboringcrypto_BN_num_bytes(bn))
 +	if C._goboringcrypto_BN_bn2binpad(bn, base(buf), C.size_t(len(buf))) == 0 {
 		panic("boringcrypto: bignum conversion failed")
 	}
 -	return x
 +	return bytesToBig(buf)
 }
 func bigToBn(bnp **C.GO_BIGNUM, b BigInt) bool {
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c
 index 2349db1fd9..714d18f1e8 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c
@@ -7,7 +7,7 @@
 #include "goopenssl.h"
 int _goboringcrypto_ECDSA_sign(EVP_MD *md, const uint8_t *msg, size_t msgLen,
 -                               uint8_t *sig, unsigned int *slen,
 +                               uint8_t *sig, size_t *slen,
                                GO_EC_KEY *eckey) {
   int result;
   EVP_PKEY *key = _goboringcrypto_EVP_PKEY_new();
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
 index 43790198c6..76bac5bc01 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
@@ -7,7 +7,7 @@
 #include "goopenssl.h"
 int _goboringcrypto_EVP_sign(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *msg,
 -                             size_t msgLen, uint8_t *sig, unsigned int *slen,
 +                             size_t msgLen, uint8_t *sig, size_t *slen,
                              EVP_PKEY *key) {
   EVP_MD_CTX *mdctx = NULL;
   int ret = 0;
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c
 index 28241470f5..bf39656b45 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c
@@ -21,7 +21,7 @@ int _goboringcrypto_RSA_generate_key_fips(GO_RSA *rsa, int size,
 }
 int _goboringcrypto_RSA_digest_and_sign_pss_mgf1(
 -    GO_RSA *rsa, unsigned int *out_len, uint8_t *out, size_t max_out,
 +    GO_RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
     const uint8_t *in, size_t in_len, EVP_MD *md, const EVP_MD *mgf1_md,
     int salt_len) {
   EVP_PKEY_CTX *ctx;
@@ -184,7 +184,7 @@ err:
 int _goboringcrypto_EVP_RSA_sign(EVP_MD *md, const uint8_t *msg,
                                  unsigned int msgLen, uint8_t *sig,
 -                                 unsigned int *slen, RSA *rsa) {
 +                                 size_t *slen, RSA *rsa) {
   int result;
   EVP_PKEY *key = _goboringcrypto_EVP_PKEY_new();
   if (!key) {
@@ -216,4 +216,4 @@ int _goboringcrypto_EVP_RSA_verify(EVP_MD *md, const uint8_t *msg,
 err:
   _goboringcrypto_EVP_PKEY_free(key);
   return result;
 -}
 \ No newline at end of file
 +}
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
 index 915c840834..f48c57adff 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
@@ -199,7 +199,7 @@ func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
 func cryptRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
 	padding C.int, h hash.Hash, label []byte, saltLen int, ch crypto.Hash,
 	init func(*C.GO_EVP_PKEY_CTX) C.int,
 -	crypt func(*C.GO_EVP_PKEY_CTX, *C.uint8_t, *C.uint, *C.uint8_t, C.uint) C.int,
 +	crypt func(*C.GO_EVP_PKEY_CTX, *C.uint8_t, *C.size_t, *C.uint8_t, C.size_t) C.int,
 	in []byte) ([]byte, error) {
 	pkey, ctx, err := setupRSA(withKey, padding, h, label, saltLen, ch, init)
@@ -209,12 +209,12 @@ func cryptRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
 	defer C._goboringcrypto_EVP_PKEY_free(pkey)
 	defer C._goboringcrypto_EVP_PKEY_CTX_free(ctx)
 -	var outLen C.uint
 -	if crypt(ctx, nil, &outLen, base(in), C.uint(len(in))) == 0 {
 +	var outLen C.size_t
 +	if crypt(ctx, nil, &outLen, base(in), C.size_t(len(in))) == 0 {
 		return nil, NewOpenSSLError("EVP_PKEY_decrypt/encrypt failed")
 	}
 	out := make([]byte, outLen)
 -	if crypt(ctx, base(out), &outLen, base(in), C.uint(len(in))) <= 0 {
 +	if crypt(ctx, base(out), &outLen, base(in), C.size_t(len(in))) <= 0 {
 		return nil, NewOpenSSLError("EVP_PKEY_decrypt/encrypt failed")
 	}
 	return out[:outLen], nil
@@ -250,7 +250,7 @@ func decryptInit(ctx *C.GO_EVP_PKEY_CTX) C.int {
 	return C._goboringcrypto_EVP_PKEY_decrypt_init(ctx)
 }
 -func decrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.uint, in *C.uint8_t, inLen C.uint) C.int {
 +func decrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.size_t, in *C.uint8_t, inLen C.size_t) C.int {
 	return C._goboringcrypto_EVP_PKEY_decrypt(ctx, out, outLen, in, inLen)
 }
@@ -258,7 +258,7 @@ func encryptInit(ctx *C.GO_EVP_PKEY_CTX) C.int {
 	return C._goboringcrypto_EVP_PKEY_encrypt_init(ctx)
 }
 -func encrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.uint, in *C.uint8_t, inLen C.uint) C.int {
 +func encrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.size_t, in *C.uint8_t, inLen C.size_t) C.int {
 	return C._goboringcrypto_EVP_PKEY_encrypt(ctx, out, outLen, in, inLen)
 }
@@ -326,7 +326,7 @@ func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, msg []byte, msgIsHashed
 	}
 	var out []byte
 -	var outLen C.uint
 +	var outLen C.size_t
 	if priv.withKey(func(key *C.GO_RSA) C.int {
 		return C._goboringcrypto_EVP_RSA_sign(md, base(msg), C.uint(len(msg)), base(out), &outLen, key)
--- a/SOURCES/fix-test-1024-leaf-certs.patch
+++ b/SOURCES/fix-test-1024-leaf-certs.patch
@ -0,0 +1,13 @@
 diff --git a/src/crypto/tls/boring_test.go b/src/crypto/tls/boring_test.go
 index 10d1cf0..51feb3b 100644
 --- a/src/crypto/tls/boring_test.go
 +++ b/src/crypto/tls/boring_test.go
@@ -326,7 +326,7 @@ func TestBoringCertAlgs(t *testing.T) {
 	I_M2 := boringCert(t, "I_M2", I_R1.key, M2_R1, boringCertCA|boringCertFIPSOK)
 	L1_I := boringCert(t, "L1_I", boringECDSAKey(t, elliptic.P384()), I_R1, boringCertLeaf|boringCertFIPSOK)
 -	L2_I := boringCert(t, "L2_I", boringRSAKey(t, 1024), I_R1, boringCertLeaf|boringCertNotBoring)
 +	L2_I := boringCert(t, "L2_I", boringRSAKey(t, 1024), I_R1, boringCertLeaf)
 	// client verifying server cert
 	testServerCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) {
--- a/SOURCES/ppc64le-internal-linker-fix.patch
+++ b/SOURCES/ppc64le-internal-linker-fix.patch
@ -0,0 +1,122 @@
 diff --git a/src/cmd/go/testdata/script/trampoline_reuse_test.txt b/src/cmd/go/testdata/script/trampoline_reuse_test.txt
 new file mode 100644
 index 0000000000000..bca897c16d054
 --- /dev/null
 +++ b/src/cmd/go/testdata/script/trampoline_reuse_test.txt
@@ -0,0 +1,100 @@
 +# Verify PPC64 does not reuse a trampoline which is too far away.
 +# This tests an edge case where the direct call relocation addend should
 +# be ignored when computing the distance from the direct call to the
 +# already placed trampoline
 +[short] skip
 +[!ppc64] [!ppc64le] skip
 +[aix] skip
 +
 +# Note, this program does not run. Presumably, 'DWORD $0' is simpler to
 +# assembly 2^26 or so times.
 +#
 +# We build something which should be laid out as such:
 +#
 +# bar.Bar
 +# main.Func1
 +# bar.Bar+400-tramp0
 +# main.BigAsm
 +# main.Func2
 +# bar.Bar+400-tramp1
 +#
 +# bar.Bar needs to be placed far enough away to generate relocations
 +# from main package calls. and main.Func1 and main.Func2 are placed
 +# a bit more than the direct call limit apart, but not more than 0x400
 +# bytes beyond it (to verify the reloc calc).
 +
 +go build
 +
 +-- go.mod --
 +
 +module foo
 +
 +go 1.19
 +
 +-- main.go --
 +
 +package main
 +
 +import "foo/bar"
 +
 +func Func1()
 +
 +func main() {
 +        Func1()
 +        bar.Bar2()
 +}
 +
 +-- foo.s --
 +
 +TEXT main·Func1(SB),0,$0-0
 +        CALL bar·Bar+0x400(SB)
 +        CALL main·BigAsm(SB)
 +// A trampoline will be placed here to bar.Bar
 +
 +// This creates a gap sufficiently large to prevent trampoline reuse
 +#define NOP64 DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0;
 +#define NOP256 NOP64 NOP64 NOP64 NOP64
 +#define NOP2S10 NOP256 NOP256 NOP256 NOP256
 +#define NOP2S12 NOP2S10 NOP2S10 NOP2S10 NOP2S10
 +#define NOP2S14 NOP2S12 NOP2S12 NOP2S12 NOP2S12
 +#define NOP2S16 NOP2S14 NOP2S14 NOP2S14 NOP2S14
 +#define NOP2S18 NOP2S16 NOP2S16 NOP2S16 NOP2S16
 +#define NOP2S20 NOP2S18 NOP2S18 NOP2S18 NOP2S18
 +#define NOP2S22 NOP2S20 NOP2S20 NOP2S20 NOP2S20
 +#define NOP2S24 NOP2S22 NOP2S22 NOP2S22 NOP2S22
 +#define BIGNOP NOP2S24 NOP2S24
 +TEXT main·BigAsm(SB),0,$0-0
 +        // Fill to the direct call limit so Func2 must generate a new trampoline.
 +        // As the implicit trampoline above is just barely unreachable.
 +        BIGNOP
 +        MOVD $main·Func2(SB), R3
 +
 +TEXT main·Func2(SB),0,$0-0
 +        CALL bar·Bar+0x400(SB)
 +// Another trampoline should be placed here.
 +
 +-- bar/bar.s --
 +
 +#define NOP64 DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0;
 +#define NOP256 NOP64 NOP64 NOP64 NOP64
 +#define NOP2S10 NOP256 NOP256 NOP256 NOP256
 +#define NOP2S12 NOP2S10 NOP2S10 NOP2S10 NOP2S10
 +#define NOP2S14 NOP2S12 NOP2S12 NOP2S12 NOP2S12
 +#define NOP2S16 NOP2S14 NOP2S14 NOP2S14 NOP2S14
 +#define NOP2S18 NOP2S16 NOP2S16 NOP2S16 NOP2S16
 +#define NOP2S20 NOP2S18 NOP2S18 NOP2S18 NOP2S18
 +#define NOP2S22 NOP2S20 NOP2S20 NOP2S20 NOP2S20
 +#define NOP2S24 NOP2S22 NOP2S22 NOP2S22 NOP2S22
 +#define BIGNOP NOP2S24 NOP2S24 NOP2S10
 +// A very big not very interesting function.
 +TEXT bar·Bar(SB),0,$0-0
 +        BIGNOP
 +
 +-- bar/bar.go --
 +
 +package bar
 +
 +func Bar()
 +
 +func Bar2() {
 +}
 diff --git a/src/cmd/link/internal/ppc64/asm.go b/src/cmd/link/internal/ppc64/asm.go
 index 5d5fbe2a97735..6313879da083c 100644
 --- a/src/cmd/link/internal/ppc64/asm.go
 +++ b/src/cmd/link/internal/ppc64/asm.go
@@ -900,8 +900,9 @@ func trampoline(ctxt *ld.Link, ldr *loader.Loader, ri int, rs, s loader.Sym) {
 				if ldr.SymValue(tramp) == 0 {
 					break
 				}
 -
 -				t = ldr.SymValue(tramp) + r.Add() - (ldr.SymValue(s) + int64(r.Off()))
 +				// Note, the trampoline is always called directly. The addend of the original relocation is accounted for in the
 +				// trampoline itself.
 +				t = ldr.SymValue(tramp) - (ldr.SymValue(s) + int64(r.Off()))
 				// With internal linking, the trampoline can be used if it is not too far.
 				// With external linking, the trampoline must be in this section for it to be reused.
--- a/SPECS/golang.spec
+++ b/SPECS/golang.spec
@ -96,19 +96,26 @@
 %endif
 %global go_api 1.19
-%global version 1.19.2
+%global version 1.19.4
 %global pkg_release 1
 Name:           golang
 Version:        %{version}
-Release:        4%{?dist}
+Release:        1%{?dist}
 Summary:        The Go Programming Language
 # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
 License:        BSD and Public Domain
 URL:            http://golang.org/
 Source0:        https://github.com/golang/go/archive/refs/tags/go%{version}.tar.gz
 # Go's FIPS mode bindings are now provided as a standalone
 # module instead of in tree.  This makes it easier to see
 # the actual changes vs upstream Go.  The module source is
 # located at https://github.com/golang-fips/openssl-fips,
 # And pre-genetated patches to set up the module for a given
 # Go release are located at https://github.com/golang-fips/go.
 Source1:       https://github.com/golang-fips/go/archive/refs/tags/go%{version}-%{pkg_release}-openssl-fips.tar.gz
 # make possible to override default traceback level at build time by setting build tag rpm_crashtraceback
-Source1:        fedora.go
+Source2:        fedora.go
 # The compiler is written in Go. Needs go(1.4+) compiler for build.
 # Actual Go based bootstrap compiler provided by above source.
@ -139,11 +146,10 @@ Patch221:       fix_TestScript_list_std.patch
 Patch1939923:   skip_test_rhbz1939923.patch
 Patch0:		000-initial-setup.patch
 Patch1:		001-initial-openssl-for-fips.patch
 Patch2: 	disable_static_tests_part1.patch
 Patch3: 	disable_static_tests_part2.patch
-Patch4:		enable-big-endian-fips-mode.patch
+Patch4:		ppc64le-internal-linker-fix.patch
 Patch5:		fix-test-1024-leaf-certs.patch
 Patch227: cmd-link-use-correct-path-for-dynamic-loader-on-ppc6.patch
@ -236,18 +242,23 @@ Requires:       %{name} = %{version}-%{release}
 %prep
 %setup -q -n go-go%{version}
-%patch0 -p1
+pushd ..
-%patch1 -p1
+tar -xf %{SOURCE1}
 popd
 patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/000-initial-setup.patch
 patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/001-initial-openssl-for-fips.patch
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %patch221 -p1
 %patch1939923 -p1
 %patch227 -p1
-cp %{SOURCE1} ./src/runtime/
+cp %{SOURCE2} ./src/runtime/
 %build
 set -xe
@ -519,6 +530,14 @@ cd ..
 %endif
 %changelog
 * Wed Dec 21 2022 David Benoit <dbenoit@redhat.com> - 1.19.4-1
 - Rebase to Go 1.19.4
 - Fix ppc64le linker issue
 - Remove defunct patches
 - Remove downstream generated FIPS mode patches
 - Add golang-fips/go as the source for FIPS mode patches
 - Resolves: rhbz#2144542
 * Mon Oct 17 2022 David Benoit <dbenoit@redhat.com> - 1.19.2-4
 - Enable big endian support in FIPS mode
 - Resolves: rhbz#1969844
`@ -1 +1,2 @@`
	`SOURCES/go1.19.2.tar.gz`	`SOURCES/go1.19.4-1-openssl-fips.tar.gz`
		`SOURCES/go1.19.4.tar.gz`
`@ -1 +1,2 @@`
	`1324ae800bf3b78c8cfda83fb9d69d7d46c51bf1 SOURCES/go1.19.2.tar.gz`	`9463e718b1a8daa61009caa6c113197cbefbe9eb SOURCES/go1.19.4-1-openssl-fips.tar.gz`
		`6debf76aa6fb97daff4d49502153a47093883c28 SOURCES/go1.19.4.tar.gz`