11 changed files with 310 additions and 300 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-SOURCES/go1.21.9-1-openssl-fips.tar.gz
+SOURCES/go1.19.4-1-openssl-fips.tar.gz
-SOURCES/go1.21.9.tar.gz
+SOURCES/go1.19.4.tar.gz
--- a/.golang.metadata
+++ b/.golang.metadata
@ -1,2 +1,2 @@
-1162b641e8b23110eaab7496003585ea6c786158 SOURCES/go1.21.9-1-openssl-fips.tar.gz
+9463e718b1a8daa61009caa6c113197cbefbe9eb SOURCES/go1.19.4-1-openssl-fips.tar.gz
-54c038c82c82ebe2ad4ee2d0a3d7c4d39809f59a SOURCES/go1.21.9.tar.gz
+6debf76aa6fb97daff4d49502153a47093883c28 SOURCES/go1.19.4.tar.gz
--- a/SOURCES/cmd-link-use-correct-path-for-dynamic-loader-on-ppc6.patch
+++ b/SOURCES/cmd-link-use-correct-path-for-dynamic-loader-on-ppc6.patch
@ -0,0 +1,53 @@
 From 241192ecd31ca03a6f68fa7e55bb9f66040d3a2f Mon Sep 17 00:00:00 2001
 From: Lynn Boger <laboger@linux.vnet.ibm.com>
 Date: Thu, 14 Jul 2022 10:47:28 -0500
 Subject: [PATCH] cmd/link: use correct path for dynamic loader on ppc64le
 The setting of the path for the dynamic loader when building for
 linux/ppc64le ELF v2 was incorrectly set to the path for
 PPC64 ELF v1. This has not caused issues in the common cases
 because this string can be set based on the default GO_LDSO setting.
 It does result in an incorrect value when cross compiling binaries
 with -buildmode=pie.
 Updates #53813
 Change-Id: I84de1c97b42e0434760b76a57c5a05e055fbb730
 ---
 src/cmd/link/internal/ppc64/obj.go | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
 diff --git a/src/cmd/link/internal/ppc64/obj.go b/src/cmd/link/internal/ppc64/obj.go
 index b6d5ad92af..bca8fa9212 100644
 --- a/src/cmd/link/internal/ppc64/obj.go
 +++ b/src/cmd/link/internal/ppc64/obj.go
@@ -38,9 +38,12 @@ import (
 )
 func Init() (*sys.Arch, ld.Arch) {
 -	arch := sys.ArchPPC64
 -	if buildcfg.GOARCH == "ppc64le" {
 -		arch = sys.ArchPPC64LE
 +	arch := sys.ArchPPC64LE
 +	dynld := "/lib64/ld64.so.2"
 +
 +	if buildcfg.GOARCH == "ppc64" {
 +		arch = sys.ArchPPC64
 +		dynld = "/lib64/ld64.so.1"
 	}
 	theArch := ld.Arch{
@@ -64,9 +67,7 @@ func Init() (*sys.Arch, ld.Arch) {
 		Machoreloc1:      machoreloc1,
 		Xcoffreloc1:      xcoffreloc1,
 -		// TODO(austin): ABI v1 uses /usr/lib/ld.so.1,
 -		Linuxdynld: "/lib64/ld64.so.1",
 -
 +		Linuxdynld:     dynld,
 		Freebsddynld:   "XXX",
 		Openbsddynld:   "XXX",
 		Netbsddynld:    "XXX",
 -- 
 2.35.3
--- a/SOURCES/disable_static_tests_part2.patch
+++ b/SOURCES/disable_static_tests_part2.patch
@ -1,13 +1,36 @@
 diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go
-index 36a20e8b2a..8c2dd1b44b 100644
+index da5b179..6a772df 100644
 --- a/src/cmd/dist/test.go
 +++ b/src/cmd/dist/test.go
-@@ -1125,7 +1125,7 @@ func (t *tester) registerCgoTests(heading string) {
+@@ -1247,18 +1247,20 @@ func (t *tester) cgoTest(dt *distTest) error {
 				fmt.Println("No support for static linking found (lacks libc.a?), skip cgo static linking test.")
 			} else {
- 				panic("unknown linkmode with static build: " + linkmode)
+ 				if goos != "android" {
 -					t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, ".")
 +					t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, "-tags=no_openssl")
 				}
 				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), ".")
 				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external`, ".")
 				if goos != "android" {
 -					t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, ".")
 +					t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, "-tags=no_openssl")
 +					/*
 					t.addCmd(dt, "misc/cgo/test", t.goTest(), "-tags=static", "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, ".")
 					// -static in CGO_LDFLAGS triggers a different code path
 					// than -static in -extldflags, so test both.
 					// See issue #16651.
 					cmd := t.addCmd(dt, "misc/cgo/test", t.goTest(), "-tags=static", ".")
 					setEnv(cmd, "CGO_LDFLAGS", "-static -pthread")
 +					*/
 				}
 			}
 -			gt.tags = append(gt.tags, "static")
 +			gt.tags = append(gt.tags, "static", "no_openssl")
 		}
 		gt.ldflags = strings.Join(ldflags, " ")
@@ -1268,7 +1270,7 @@ func (t *tester) cgoTest(dt *distTest) error {
 					t.addCmd(dt, "misc/cgo/test", t.goTest(), "-buildmode=pie", "-ldflags=-linkmode=internal", "-tags=internal,internal_pie", ".")
 				}
 				t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-buildmode=pie", ".")
 -				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie", ".")
 +				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie", "-tags=no_openssl")
 			}
 		}
 	}
--- a/SOURCES/fix-memleak-setupRSA.patch
+++ b/SOURCES/fix-memleak-setupRSA.patch
@ -1,172 +0,0 @@
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go
 index 56adf47bf6..9537870e3c 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go
@@ -22,22 +22,10 @@ var (
 type PublicKeyECDH struct {
 	_pkey *C.GO_EVP_PKEY
 	bytes []byte
 -
 -	// priv is only set when PublicKeyECDH is derived from a private key,
 -	// in which case priv's finalizer is responsible for freeing _pkey.
 -	// This ensures priv is not finalized while the public key is alive,
 -	// which could cause use-after-free and double-free behavior.
 -	//
 -	// We could avoid this altogether by using EVP_PKEY_up_ref
 -	// when instantiating a derived public key, unfortunately
 -	// it is not available on OpenSSL 1.0.2.
 -	priv *PrivateKeyECDH
 }
 func (k *PublicKeyECDH) finalize() {
 -	if k.priv == nil {
 -		C._goboringcrypto_EVP_PKEY_free(k._pkey)
 -	}
 +	C._goboringcrypto_EVP_PKEY_free(k._pkey)
 }
 type PrivateKeyECDH struct {
@@ -58,7 +46,7 @@ func NewPublicKeyECDH(curve string, bytes []byte) (*PublicKeyECDH, error) {
 	if err != nil {
 		return nil, err
 	}
 -	k := &PublicKeyECDH{pkey, append([]byte(nil), bytes...), nil}
 +	k := &PublicKeyECDH{pkey, append([]byte(nil), bytes...)}
 	runtime.SetFinalizer(k, (*PublicKeyECDH).finalize)
 	return k, nil
 }
@@ -87,14 +75,22 @@ func (k *PrivateKeyECDH) PublicKey() (*PublicKeyECDH, error) {
 	var bytes []byte
 	var cbytes *C.uchar
 -	n := C._goboringcrypto_EVP_PKEY_get1_encoded_ecdh_public_key(k._pkey, &cbytes)
 +	pkey := C._goboringcrypto_EVP_PKEY_ref(k._pkey)
 +	if pkey == nil {
 +		return nil, NewOpenSSLError("EVP_PKEY_ref")
 +	}
 +	defer func() {
 +		C._goboringcrypto_EVP_PKEY_free(pkey)
 +	}()
 +	n := C._goboringcrypto_EVP_PKEY_get1_encoded_ecdh_public_key(pkey, &cbytes)
 	if n == 0 {
 		return nil, NewOpenSSLError("EVP_PKEY_get1_encoded_ecdh_public_key")
 	}
 	bytes = C.GoBytes(unsafe.Pointer(cbytes), C.int(n))
 	C.free(unsafe.Pointer(cbytes))
 -	pub := &PublicKeyECDH{k._pkey, bytes, k}
 +	pub := &PublicKeyECDH{pkey, bytes}
 +	pkey = nil
 	runtime.SetFinalizer(pub, (*PublicKeyECDH).finalize)
 	return pub, nil
 }
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
 index a900b3f9e7..03367d5520 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
@@ -827,6 +827,9 @@ DEFINEFUNC(GO_EVP_PKEY *, EVP_PKEY_new, (void), ())
 DEFINEFUNC(void, EVP_PKEY_free, (GO_EVP_PKEY * arg0), (arg0))
 DEFINEFUNC(int, EVP_PKEY_set1_RSA, (GO_EVP_PKEY * arg0, GO_RSA *arg1), (arg0, arg1))
 DEFINEFUNC(int, EVP_PKEY_set1_EC_KEY, (GO_EVP_PKEY * arg0, GO_EC_KEY *arg1), (arg0, arg1))
 +DEFINEFUNC(const GO_EC_KEY *, EVP_PKEY_get0_EC_KEY, (const GO_EVP_PKEY *pkey), (pkey))
 +GO_EVP_PKEY *_goboringcrypto_EVP_PKEY_ref(GO_EVP_PKEY *pkey);
 +
 DEFINEFUNC(int, EVP_PKEY_verify,
 	(EVP_PKEY_CTX *ctx, const unsigned char *sig, unsigned int siglen, const unsigned char *tbs, size_t tbslen),
 	(ctx, sig, siglen, tbs, tbslen))
@@ -1083,15 +1086,6 @@ enum {
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 DEFINEFUNC(int, EVP_PKEY_set1_encoded_public_key, (GO_EVP_PKEY *pkey, const unsigned char *pub, size_t publen), (pkey, pub, publen))
 DEFINEFUNC(size_t, EVP_PKEY_get1_encoded_public_key, (GO_EVP_PKEY *pkey, unsigned char **ppub), (pkey, ppub))
 -
 -DEFINEFUNC(const GO_EC_KEY *, EVP_PKEY_get0_EC_KEY, (const GO_EVP_PKEY *pkey), (pkey))
 -#else
 -DEFINEFUNCINTERNAL(void *, EVP_PKEY_get0, (const GO_EVP_PKEY *pkey), (pkey))
 -static const GO_EC_KEY *
 -_goboringcrypto_EVP_PKEY_get0_EC_KEY(const GO_EVP_PKEY *pkey)
 -{
 -  return _goboringcrypto_internal_EVP_PKEY_get0(pkey);
 -}
 #endif
 GO_EVP_PKEY *_goboringcrypto_EVP_PKEY_new_for_ecdh(int nid, const uint8_t *bytes, size_t len, int is_private);
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
 index 24a9615108..c6b23a984b 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
@@ -5,6 +5,7 @@
 // +build !msan
 #include "goopenssl.h"
 +#include <assert.h>
 int _goboringcrypto_EVP_sign(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *msg,
                              size_t msgLen, uint8_t *sig, size_t *slen,
@@ -138,3 +139,52 @@ err:
   return ret;
 }
 +
 +#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 +DEFINEFUNCINTERNAL(int, EVP_PKEY_up_ref, (GO_EVP_PKEY *pkey), (pkey))
 +
 +GO_EVP_PKEY *
 +_goboringcrypto_EVP_PKEY_ref(GO_EVP_PKEY *pkey)
 +{
 +  if (_goboringcrypto_internal_EVP_PKEY_up_ref(pkey) != 1)
 +    return NULL;
 +
 +  return pkey;
 +}
 +
 +#else
 +GO_EVP_PKEY *
 +_goboringcrypto_EVP_PKEY_ref(GO_EVP_PKEY *pkey)
 +{
 +  GO_EVP_PKEY *result = NULL;
 +
 +  if (pkey->type != EVP_PKEY_EC && pkey->type != EVP_PKEY_RSA)
 +    return NULL;
 +
 +  result = _goboringcrypto_EVP_PKEY_new();
 +  if (!result)
 +    goto err;
 +
 +  switch (pkey->type) {
 +  case EVP_PKEY_EC:
 +    if (_goboringcrypto_EVP_PKEY_set1_EC_KEY(result, _goboringcrypto_EVP_PKEY_get0_EC_KEY()) != 1)
 +      goto err;
 +    break;
 +
 +  case EVP_PKEY_RSA:
 +    if (_goboringcrypto_EVP_PKEY_set1_RSA_KEY(result, _goboringcrypto_EVP_PKEY_get0_RSA_KEY()) != 1)
 +      goto err;
 +
 +    break;
 +
 +  default:
 +    assert(0);
 +  }
 +
 +  return result;
 +
 +err:
 +  _goboringcrypto_EVP_PKEY_free(result);
 +  return NULL;
 +}
 +#endif
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
 index 75ba7a8a59..1e016676a0 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
@@ -116,7 +116,9 @@ func (k *PrivateKeyRSA) withKey(f func(*C.GO_RSA) C.int) C.int {
 func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
 	padding C.int, h hash.Hash, label []byte, saltLen int, ch crypto.Hash,
 -	init func(*C.GO_EVP_PKEY_CTX) C.int) (pkey *C.GO_EVP_PKEY, ctx *C.GO_EVP_PKEY_CTX, err error) {
 +	init func(*C.GO_EVP_PKEY_CTX) C.int) (_ *C.GO_EVP_PKEY,_  *C.GO_EVP_PKEY_CTX, err error) {
 +	var pkey *C.GO_EVP_PKEY
 +	var ctx *C.GO_EVP_PKEY_CTX
 	defer func() {
 		if err != nil {
 			if pkey != nil {
--- a/SOURCES/fix-memory-leak-evp-sign-verify.patch
+++ b/SOURCES/fix-memory-leak-evp-sign-verify.patch
@ -0,0 +1,48 @@
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
 index 2124978..1f853b4 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
@@ -44,7 +44,11 @@ int _goboringcrypto_EVP_sign_raw(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *m
                              GO_RSA *rsa_key) {
   int ret = 0;
   GO_EVP_PKEY *pk = _goboringcrypto_EVP_PKEY_new();
 -  _goboringcrypto_EVP_PKEY_assign_RSA(pk, rsa_key);
 +  if (!pk)
 +    return 0;
 +
 +  if (!(_goboringcrypto_EVP_PKEY_set1_RSA(pk, rsa_key)))
 +    goto err;
   if (!ctx && !(ctx = _goboringcrypto_EVP_PKEY_CTX_new(pk, NULL)))
     goto err;
@@ -64,6 +68,8 @@ int _goboringcrypto_EVP_sign_raw(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *m
 err:
   if (ctx)
     _goboringcrypto_EVP_PKEY_CTX_free(ctx);
 +  if (pk)
 +    _goboringcrypto_EVP_PKEY_free(pk);
   return ret;
 }
@@ -104,7 +110,11 @@ int _goboringcrypto_EVP_verify_raw(const uint8_t *msg, size_t msgLen,
   int ret = 0;
   EVP_PKEY_CTX *ctx;
   GO_EVP_PKEY *pk = _goboringcrypto_EVP_PKEY_new();
 -  _goboringcrypto_EVP_PKEY_assign_RSA(pk, rsa_key);
 +  if (!pk)
 +    return 0;
 +
 +  if (!(_goboringcrypto_EVP_PKEY_set1_RSA(pk, rsa_key)))
 +    goto err;
   if (!(ctx = _goboringcrypto_EVP_PKEY_CTX_new(pk, NULL)))
     goto err;
@@ -124,6 +134,8 @@ int _goboringcrypto_EVP_verify_raw(const uint8_t *msg, size_t msgLen,
 err:
   if (ctx)
     _goboringcrypto_EVP_PKEY_CTX_free(ctx);
 +  if (pk)
 +    _goboringcrypto_EVP_PKEY_free(pk);
   return ret;
 }
--- a/SOURCES/fix-test-1024-leaf-certs.patch
+++ b/SOURCES/fix-test-1024-leaf-certs.patch
@ -0,0 +1,13 @@
 diff --git a/src/crypto/tls/boring_test.go b/src/crypto/tls/boring_test.go
 index 10d1cf0..51feb3b 100644
 --- a/src/crypto/tls/boring_test.go
 +++ b/src/crypto/tls/boring_test.go
@@ -326,7 +326,7 @@ func TestBoringCertAlgs(t *testing.T) {
 	I_M2 := boringCert(t, "I_M2", I_R1.key, M2_R1, boringCertCA|boringCertFIPSOK)
 	L1_I := boringCert(t, "L1_I", boringECDSAKey(t, elliptic.P384()), I_R1, boringCertLeaf|boringCertFIPSOK)
 -	L2_I := boringCert(t, "L2_I", boringRSAKey(t, 1024), I_R1, boringCertLeaf|boringCertNotBoring)
 +	L2_I := boringCert(t, "L2_I", boringRSAKey(t, 1024), I_R1, boringCertLeaf)
 	// client verifying server cert
 	testServerCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) {
--- a/SOURCES/modify_go.env.patch
+++ b/SOURCES/modify_go.env.patch
@ -1,22 +0,0 @@
 From eab9004c072200e58df83ab94678bda1faa7b229 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Alejandro=20S=C3=A1ez?= <asm@redhat.com>
 Date: Fri, 9 Feb 2024 20:06:16 +0100
 Subject: [PATCH] Set GOTOOLCHAIN to local
 ---
 go.env | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/go.env b/go.env
 index 6ff2b921d4..e87f6e7b6d 100644
 --- a/go.env
 +++ b/go.env
@@ -9,4 +9,4 @@ GOSUMDB=sum.golang.org
 # Automatically download newer toolchains as directed by go.mod files.
 # See https://go.dev/doc/toolchain for details.
 -GOTOOLCHAIN=auto
 +GOTOOLCHAIN=local
 -- 
 2.43.0
--- a/SOURCES/ppc64le-internal-linker-fix.patch
+++ b/SOURCES/ppc64le-internal-linker-fix.patch
@ -0,0 +1,122 @@
 diff --git a/src/cmd/go/testdata/script/trampoline_reuse_test.txt b/src/cmd/go/testdata/script/trampoline_reuse_test.txt
 new file mode 100644
 index 0000000000000..bca897c16d054
 --- /dev/null
 +++ b/src/cmd/go/testdata/script/trampoline_reuse_test.txt
@@ -0,0 +1,100 @@
 +# Verify PPC64 does not reuse a trampoline which is too far away.
 +# This tests an edge case where the direct call relocation addend should
 +# be ignored when computing the distance from the direct call to the
 +# already placed trampoline
 +[short] skip
 +[!ppc64] [!ppc64le] skip
 +[aix] skip
 +
 +# Note, this program does not run. Presumably, 'DWORD $0' is simpler to
 +# assembly 2^26 or so times.
 +#
 +# We build something which should be laid out as such:
 +#
 +# bar.Bar
 +# main.Func1
 +# bar.Bar+400-tramp0
 +# main.BigAsm
 +# main.Func2
 +# bar.Bar+400-tramp1
 +#
 +# bar.Bar needs to be placed far enough away to generate relocations
 +# from main package calls. and main.Func1 and main.Func2 are placed
 +# a bit more than the direct call limit apart, but not more than 0x400
 +# bytes beyond it (to verify the reloc calc).
 +
 +go build
 +
 +-- go.mod --
 +
 +module foo
 +
 +go 1.19
 +
 +-- main.go --
 +
 +package main
 +
 +import "foo/bar"
 +
 +func Func1()
 +
 +func main() {
 +        Func1()
 +        bar.Bar2()
 +}
 +
 +-- foo.s --
 +
 +TEXT main·Func1(SB),0,$0-0
 +        CALL bar·Bar+0x400(SB)
 +        CALL main·BigAsm(SB)
 +// A trampoline will be placed here to bar.Bar
 +
 +// This creates a gap sufficiently large to prevent trampoline reuse
 +#define NOP64 DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0;
 +#define NOP256 NOP64 NOP64 NOP64 NOP64
 +#define NOP2S10 NOP256 NOP256 NOP256 NOP256
 +#define NOP2S12 NOP2S10 NOP2S10 NOP2S10 NOP2S10
 +#define NOP2S14 NOP2S12 NOP2S12 NOP2S12 NOP2S12
 +#define NOP2S16 NOP2S14 NOP2S14 NOP2S14 NOP2S14
 +#define NOP2S18 NOP2S16 NOP2S16 NOP2S16 NOP2S16
 +#define NOP2S20 NOP2S18 NOP2S18 NOP2S18 NOP2S18
 +#define NOP2S22 NOP2S20 NOP2S20 NOP2S20 NOP2S20
 +#define NOP2S24 NOP2S22 NOP2S22 NOP2S22 NOP2S22
 +#define BIGNOP NOP2S24 NOP2S24
 +TEXT main·BigAsm(SB),0,$0-0
 +        // Fill to the direct call limit so Func2 must generate a new trampoline.
 +        // As the implicit trampoline above is just barely unreachable.
 +        BIGNOP
 +        MOVD $main·Func2(SB), R3
 +
 +TEXT main·Func2(SB),0,$0-0
 +        CALL bar·Bar+0x400(SB)
 +// Another trampoline should be placed here.
 +
 +-- bar/bar.s --
 +
 +#define NOP64 DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0;
 +#define NOP256 NOP64 NOP64 NOP64 NOP64
 +#define NOP2S10 NOP256 NOP256 NOP256 NOP256
 +#define NOP2S12 NOP2S10 NOP2S10 NOP2S10 NOP2S10
 +#define NOP2S14 NOP2S12 NOP2S12 NOP2S12 NOP2S12
 +#define NOP2S16 NOP2S14 NOP2S14 NOP2S14 NOP2S14
 +#define NOP2S18 NOP2S16 NOP2S16 NOP2S16 NOP2S16
 +#define NOP2S20 NOP2S18 NOP2S18 NOP2S18 NOP2S18
 +#define NOP2S22 NOP2S20 NOP2S20 NOP2S20 NOP2S20
 +#define NOP2S24 NOP2S22 NOP2S22 NOP2S22 NOP2S22
 +#define BIGNOP NOP2S24 NOP2S24 NOP2S10
 +// A very big not very interesting function.
 +TEXT bar·Bar(SB),0,$0-0
 +        BIGNOP
 +
 +-- bar/bar.go --
 +
 +package bar
 +
 +func Bar()
 +
 +func Bar2() {
 +}
 diff --git a/src/cmd/link/internal/ppc64/asm.go b/src/cmd/link/internal/ppc64/asm.go
 index 5d5fbe2a97735..6313879da083c 100644
 --- a/src/cmd/link/internal/ppc64/asm.go
 +++ b/src/cmd/link/internal/ppc64/asm.go
@@ -900,8 +900,9 @@ func trampoline(ctxt *ld.Link, ldr *loader.Loader, ri int, rs, s loader.Sym) {
 				if ldr.SymValue(tramp) == 0 {
 					break
 				}
 -
 -				t = ldr.SymValue(tramp) + r.Add() - (ldr.SymValue(s) + int64(r.Off()))
 +				// Note, the trampoline is always called directly. The addend of the original relocation is accounted for in the
 +				// trampoline itself.
 +				t = ldr.SymValue(tramp) - (ldr.SymValue(s) + int64(r.Off()))
 				// With internal linking, the trampoline can be used if it is not too far.
 				// With external linking, the trampoline must be in this section for it to be reused.
--- a/SOURCES/skip-test-overlong-message.patch
+++ b/SOURCES/skip-test-overlong-message.patch
@ -1,15 +0,0 @@
 diff --git a/src/crypto/rsa/pkcs1v15_test.go b/src/crypto/rsa/pkcs1v15_test.go
 index 0853178e3a..16eb37734b 100644
 --- a/src/crypto/rsa/pkcs1v15_test.go
 +++ b/src/crypto/rsa/pkcs1v15_test.go
@@ -247,6 +247,10 @@ func TestVerifyPKCS1v15(t *testing.T) {
 }
 func TestOverlongMessagePKCS1v15(t *testing.T) {
 +	// OpenSSL now returns a random string instead of an error
 +	if boring.Enabled() {
 +		t.Skip("Not relevant in boring mode")
 +	}
 	ciphertext := decodeBase64("fjOVdirUzFoLlukv80dBllMLjXythIf22feqPrNo0YoIjzyzyoMFiLjAc/Y4krkeZ11XFThIrEvw\nkRiZcCq5ng==")
 	_, err := DecryptPKCS1v15(nil, rsaPrivateKey, ciphertext)
 	if err == nil {
--- a/SPECS/golang.spec
+++ b/SPECS/golang.spec
@ -56,7 +56,7 @@
 %endif
 # Controls what ever we fail on failed tests
-%ifarch x86_64 %{arm} ppc64le s390x
+%ifarch x86_64 %{arm} aarch64 ppc64le s390x
 %global fail_on_tests 1
 %else
 %global fail_on_tests 0
@ -69,8 +69,12 @@
 %global shared 0
 %endif
-# Disabled due to 1.20 new cache usage, see 1.20 upstream release notes
+# Pre build std lib with -race enabled
 %ifarch x86_64
 %global race 1
 %else
 %global race 0
 %endif
 %ifarch x86_64
 %global gohostarch  amd64
@ -91,14 +95,13 @@
 %global gohostarch  s390x
 %endif
-%global go_api 1.21
+%global go_api 1.19
-%global version 1.21.9
+%global version 1.19.4
 %global pkg_release 1
 Name:           golang
 Version:        %{version}
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        The Go Programming Language
 # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
 License:        BSD and Public Domain
@ -137,16 +140,19 @@ Requires:       %{name}-src = %{version}-%{release}
 Requires:       openssl-devel
 Requires:       diffutils
 # Proposed patch by jcajka https://golang.org/cl/86541
 Patch221:       fix_TestScript_list_std.patch
 Patch229:       fix-memleak-setupRSA.patch
 Patch1939923:   skip_test_rhbz1939923.patch
-Patch2:		disable_static_tests_part1.patch
+Patch2: 	disable_static_tests_part1.patch
-Patch3:		disable_static_tests_part2.patch
+Patch3: 	disable_static_tests_part2.patch
-Patch4:		skip-test-overlong-message.patch
+Patch4:		ppc64le-internal-linker-fix.patch
-Patch5:		modify_go.env.patch
+Patch5:		fix-test-1024-leaf-certs.patch
 Patch6:		fix-memory-leak-evp-sign-verify.patch
 Patch227: cmd-link-use-correct-path-for-dynamic-loader-on-ppc6.patch
 # Having documentation separate was broken
 Obsoletes:      %{name}-docs < 1.1-4
@ -154,9 +160,6 @@ Obsoletes:      %{name}-docs < 1.1-4
 # RPM can't handle symlink -> dir with subpackages, so merge back
 Obsoletes:      %{name}-data < 1.1.1-4
 # We don't build golang-race anymore, rhbz#2230599
 Obsoletes:      golang-race < 1.20.0
 # These are the only RHEL/Fedora architectures that we compile this package for
 ExclusiveArch:  %{golang_arches}
@ -245,17 +248,17 @@ tar -xf %{SOURCE1}
 popd
 patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/000-initial-setup.patch
 patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/001-initial-openssl-for-fips.patch
 patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/002-strict-fips-runtime-detection.patch
-# Configure crypto tests
+%patch2 -p1
-pushd ../go-go%{version}-%{pkg_release}-openssl-fips
+%patch3 -p1
-ln -s ../go-go%{version} go
+%patch4 -p1
-./scripts/configure-crypto-tests.sh
+%patch5 -p1
-popd
+%patch6 -p1
-%autopatch -p1
+%patch221 -p1
-sed -i '1s/$/ (%{?rhel:Red Hat} %{version}-%{release})/' VERSION
+%patch1939923 -p1
 %patch227 -p1
 cp %{SOURCE2} ./src/runtime/
@ -326,7 +329,7 @@ rm -rf pkg/bootstrap/bin
 # install everything into libdir (until symlink problems are fixed)
 # https://code.google.com/p/go/issues/detail?id=5830
-cp -apv api bin doc lib pkg src misc test go.env VERSION \
+cp -apv api bin doc lib pkg src misc test VERSION \
   $RPM_BUILD_ROOT%{goroot}
 # bz1099206
@ -339,11 +342,12 @@ cwd=$(pwd)
 src_list=$cwd/go-src.list
 pkg_list=$cwd/go-pkg.list
 shared_list=$cwd/go-shared.list
 race_list=$cwd/go-race.list
 misc_list=$cwd/go-misc.list
 docs_list=$cwd/go-docs.list
 tests_list=$cwd/go-tests.list
-rm -f $src_list $pkg_list $docs_list $misc_list $tests_list $shared_list
+rm -f $src_list $pkg_list $docs_list $misc_list $tests_list $shared_list $race_list
-touch $src_list $pkg_list $docs_list $misc_list $tests_list $shared_list
+touch $src_list $pkg_list $docs_list $misc_list $tests_list $shared_list $race_list
 pushd $RPM_BUILD_ROOT%{goroot}
    find src/ -type d -a \( ! -name testdata -a ! -ipath '*/testdata/*' \) -printf '%%%dir %{goroot}/%p\n' >> $src_list
    find src/ ! -type d -a \( ! -ipath '*/testdata/*' -a ! -name '*_test*.go' \) -printf '%{goroot}/%p\n' >> $src_list
@ -374,6 +378,13 @@ pushd $RPM_BUILD_ROOT%{goroot}
    find pkg/*_dynlink/ ! -type d -printf '%{goroot}/%p\n' >> $shared_list
 %endif
 %if %{race}
    find pkg/*_race/ -type d -printf '%%%dir %{goroot}/%p\n' >> $race_list
    find pkg/*_race/ ! -type d -printf '%{goroot}/%p\n' >> $race_list
 %endif
    find test/ -type d -printf '%%%dir %{goroot}/%p\n' >> $tests_list
    find test/ ! -type d -printf '%{goroot}/%p\n' >> $tests_list
    find src/ -type d -a \( -name testdata -o -ipath '*/testdata/*' \) -printf '%%%dir %{goroot}/%p\n' >> $tests_list
@ -511,67 +522,16 @@ cd ..
 %files -f go-pkg.list bin
 %{_bindir}/go
 %{_bindir}/gofmt
 %{goroot}/go.env
 %if %{shared}
 %files -f go-shared.list shared
 %endif
 %if %{race}
 %files -f go-race.list race
 %endif
 %changelog
 * Fri Apr 12 2024 David Benoit <dbenoit@redhat.com> - 1.21.9-1
 - Fix CVE-2023-45288
 - Resolves: RHEL-31915
 * Mon Apr 1 2024 Archana Ravindar <aravinda@redhat.com> - 1.21.7-2
 - Fix CVE-2024-1394
 - Resolves RHEL-24300
 * Tue Feb 13 2024 Alejandro Sáez <asm@redhat.com> - 1.21.7-1
 - Rebase to Go 1.21.7
 - Add release information
 - Set GOTOOLCHAIN to local
 - Skip TestOverlongMessagePKCS1v15
 - Resolves: RHEL-24082
 - Resolves: RHEL-18363
 - Resolves: RHEL-18382
 * Wed Nov 08 2023 David Benoit <dbenoit@redhat.com> - 1.21.3-4
 - Do not remove GOPROXY/GOSUMDB
 - Related: RHEL-12620
 * Thu Nov 02 2023 David Benoit <dbenoit@redhat.com> - 1.21.3-3
 - Fix go.env in Go 1.21
 - Related: RHEL-12620
 * Tue Oct 31 2023 Archana Ravindar <aravinda@redhat.com> - 1.21.3-2
 - Rebase disable_static_tests_part2.patch to Go 1.21.3
 - Add missing strict fips runtime detection patch
 - Temporarily disable FIPS tests on aarch64 due to builder kernel bugs
 - Remove fix-memory-leak patch as it is fixed upstream
 - Resolves: RHEL-12620
 * Fri Oct 20 2023 Archana Ravindar <aravinda@redhat.com> - 1.21.3-1
 - Rebase Go to 1.21.3
 - Resolves: RHEL-12620
 * Mon Aug 14 2023 Alejandro Sáez <asm@redhat.com> - 1.20.6-2
 - Retire golang-race package
 - Resolves: rhbz#2230599
 * Tue Jul 25 2023 Alejandro Sáez <asm@redhat.com> - 1.20.6-1
 - Rebase to Go 1.20.6
 - Resolves: rhbz#2217596
 * Mon May 29 2023 Alejandro Sáez <asm@redhat.com> - 1.20.4-1
 - Rebase to Go 1.20.4
 - Resolves: rhbz#2204474
 * Tue Apr 11 2023 David Benoit <dbenoit@redhat.com> - 1.20.3-1
 - Rebase to Go 1.20.3
 - Remove race archives
 - Update static tests patches
 - Resolves: rhbz#2185260
 * Tue Jan 3 2023 David Benoit <dbenoit@redhat.com> - 1.19.4-2
 - Fix memory leaks in EVP_{sign,verify}_raw
 - Resolves: rhbz#2132767
`@ -1,2 +1,2 @@`
	`SOURCES/go1.21.9-1-openssl-fips.tar.gz`	`SOURCES/go1.19.4-1-openssl-fips.tar.gz`
	`SOURCES/go1.21.9.tar.gz`	`SOURCES/go1.19.4.tar.gz`
`@ -1,2 +1,2 @@`
	`1162b641e8b23110eaab7496003585ea6c786158 SOURCES/go1.21.9-1-openssl-fips.tar.gz`	`9463e718b1a8daa61009caa6c113197cbefbe9eb SOURCES/go1.19.4-1-openssl-fips.tar.gz`
	`54c038c82c82ebe2ad4ee2d0a3d7c4d39809f59a SOURCES/go1.21.9.tar.gz`	`6debf76aa6fb97daff4d49502153a47093883c28 SOURCES/go1.19.4.tar.gz`