.gitignore

@@ -1,2 +1,12 @@
-SOURCES/go1.20.12-2-openssl-fips.tar.gz
-SOURCES/go1.20.12.tar.gz
+SOURCES/go1.19.4-1-openssl-fips.tar.gz
+SOURCES/go1.19.4.tar.gz
+/go1.19.4-1-openssl-fips.tar.gz
+/go1.19.4.tar.gz
+/go1.19.6-1-openssl-fips.tar.gz
+/go1.19.6.tar.gz
+/go1.20.3.tar.gz
+/go1.20.3-1-openssl-fips.tar.gz
+/go1.20.4.tar.gz
+/go1.20.4-3-openssl-fips.tar.gz
+/go1.20.6.tar.gz
+/go1.20.6-1-openssl-fips.tar.gz

.golang.metadata

@@ -1,2 +0,0 @@
-f57205df5fc5d2e0392ca39c795c6d60d22f0c80 SOURCES/go1.20.12-2-openssl-fips.tar.gz
-6d5bc127443fc42b1af8d9ba4115abe18554feb7 SOURCES/go1.20.12.tar.gz

README.md

@@ -0,0 +1,65 @@
+# Golang
+
+## Introduction
+
+This package holds the spec file and related patches for the Golang package.
+The golang package is part of the larger go-toolset meta package.
+
+## Sources
+
+This particular branch provides Go 1.16.x. The sources for this branch can be
+found at https://pagure.io/go/tree/go1.16-openssl-fips. The reason the source is
+coming from a pagure fork as opposed to an upstream tarball is due to certain
+patches we have written and currently maintain in order to claim FIPS compliance
+by calling into OpenSSL. Shipping a forked version of the toolchain is not the
+ideal scenario, and there is work in progress with upstream to enable us to
+instead ship a pure upstream toolchain and include a crypto module in go-toolset
+which will satisfy our FIPS requirements.
+
+The current fork is based on an upstream branch[[0]] which uses
+boringcrypto[[1]] instead of OpenSSL.
+
+If you need to make changes to the source for a rebase or bug fix, check out the
+pagure repo and switch to the branch listed above. Once you have made your
+changes you can test them locally with `./all.bash`. You may want to export
+`GOLANG_FIPS=1` before running that if you want to verify the FIPS codepaths are
+correct. Please note however that the test suite does not fully expect FIPS
+compliance, and will attempt to test non FIPS compliant code paths. The easiest
+way to test your changes correctly is to create a tarball locally and execute a
+mockbuild using this packge, which knows how to correctly run the testsuite in
+both FIPS and non-FIPS modes.
+
+NOTE: The way pagure previously handled uploaded releases has changed, and
+releases must be tagged in the appropriate branch, from which pagure will
+generate source tarballs.
+
+## Testing & building changes
+
+The first test you should run is a local mockbuild. This can be done with the
+rhpkg command:
+
+```
+rhpkg mockbuild
+```
+
+Once everything builds and passes locally you'll likely want to perform a
+scratch build. This will ensure that the changes you made build and run
+correctly on all architectures that this package supports. The best way to do
+this is to run a scratch build from your local sources without first having to
+push them. This ensures your changes are correct before commiting them to the
+repo. This can also be done via the following rhpkg command:
+
+```
+rhpkg scratch-build --srpm
+```
+
+Once your scratch build has passed you can execute a real build:
+
+```
+rhpkg build
+```
+
+---
+
+[0] https://github.com/golang/go/tree/dev.boringcrypto 
+[1] https://opensource.google.com/projects/boringssl

SOURCES/fix-memleak-rsa-ecdh.patch

@@ -1,172 +0,0 @@
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go
-index 56adf47bf6..9537870e3c 100644
---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go
-@@ -22,22 +22,10 @@ var (
- type PublicKeyECDH struct {
- 	_pkey *C.GO_EVP_PKEY
- 	bytes []byte
--
--	// priv is only set when PublicKeyECDH is derived from a private key,
--	// in which case priv's finalizer is responsible for freeing _pkey.
--	// This ensures priv is not finalized while the public key is alive,
--	// which could cause use-after-free and double-free behavior.
--	//
--	// We could avoid this altogether by using EVP_PKEY_up_ref
--	// when instantiating a derived public key, unfortunately
--	// it is not available on OpenSSL 1.0.2.
--	priv *PrivateKeyECDH
- }
- 
- func (k *PublicKeyECDH) finalize() {
--	if k.priv == nil {
--		C._goboringcrypto_EVP_PKEY_free(k._pkey)
--	}
-+	C._goboringcrypto_EVP_PKEY_free(k._pkey)
- }
- 
- type PrivateKeyECDH struct {
-@@ -58,7 +46,7 @@ func NewPublicKeyECDH(curve string, bytes []byte) (*PublicKeyECDH, error) {
- 	if err != nil {
- 		return nil, err
- 	}
--	k := &PublicKeyECDH{pkey, append([]byte(nil), bytes...), nil}
-+	k := &PublicKeyECDH{pkey, append([]byte(nil), bytes...)}
- 	runtime.SetFinalizer(k, (*PublicKeyECDH).finalize)
- 	return k, nil
- }
-@@ -87,14 +75,22 @@ func (k *PrivateKeyECDH) PublicKey() (*PublicKeyECDH, error) {
- 	var bytes []byte
- 	var cbytes *C.uchar
- 
--	n := C._goboringcrypto_EVP_PKEY_get1_encoded_ecdh_public_key(k._pkey, &cbytes)
-+	pkey := C._goboringcrypto_EVP_PKEY_ref(k._pkey)
-+	if pkey == nil {
-+		return nil, NewOpenSSLError("EVP_PKEY_ref")
-+	}
-+	defer func() {
-+		C._goboringcrypto_EVP_PKEY_free(pkey)
-+	}()
-+	n := C._goboringcrypto_EVP_PKEY_get1_encoded_ecdh_public_key(pkey, &cbytes)
- 	if n == 0 {
- 		return nil, NewOpenSSLError("EVP_PKEY_get1_encoded_ecdh_public_key")
- 	}
- 	bytes = C.GoBytes(unsafe.Pointer(cbytes), C.int(n))
- 	C.free(unsafe.Pointer(cbytes))
- 
--	pub := &PublicKeyECDH{k._pkey, bytes, k}
-+	pub := &PublicKeyECDH{pkey, bytes}
-+	pkey = nil
- 	runtime.SetFinalizer(pub, (*PublicKeyECDH).finalize)
- 	return pub, nil
- }
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
-index a900b3f9e7..03367d5520 100644
---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
-@@ -827,6 +827,9 @@ DEFINEFUNC(GO_EVP_PKEY *, EVP_PKEY_new, (void), ())
- DEFINEFUNC(void, EVP_PKEY_free, (GO_EVP_PKEY * arg0), (arg0))
- DEFINEFUNC(int, EVP_PKEY_set1_RSA, (GO_EVP_PKEY * arg0, GO_RSA *arg1), (arg0, arg1))
- DEFINEFUNC(int, EVP_PKEY_set1_EC_KEY, (GO_EVP_PKEY * arg0, GO_EC_KEY *arg1), (arg0, arg1))
-+DEFINEFUNC(const GO_EC_KEY *, EVP_PKEY_get0_EC_KEY, (const GO_EVP_PKEY *pkey), (pkey))
-+GO_EVP_PKEY *_goboringcrypto_EVP_PKEY_ref(GO_EVP_PKEY *pkey);
-+
- DEFINEFUNC(int, EVP_PKEY_verify,
- 	(EVP_PKEY_CTX *ctx, const unsigned char *sig, unsigned int siglen, const unsigned char *tbs, size_t tbslen),
- 	(ctx, sig, siglen, tbs, tbslen))
-@@ -1083,15 +1086,6 @@ enum {
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L
- DEFINEFUNC(int, EVP_PKEY_set1_encoded_public_key, (GO_EVP_PKEY *pkey, const unsigned char *pub, size_t publen), (pkey, pub, publen))
- DEFINEFUNC(size_t, EVP_PKEY_get1_encoded_public_key, (GO_EVP_PKEY *pkey, unsigned char **ppub), (pkey, ppub))
--
--DEFINEFUNC(const GO_EC_KEY *, EVP_PKEY_get0_EC_KEY, (const GO_EVP_PKEY *pkey), (pkey))
--#else
--DEFINEFUNCINTERNAL(void *, EVP_PKEY_get0, (const GO_EVP_PKEY *pkey), (pkey))
--static const GO_EC_KEY *
--_goboringcrypto_EVP_PKEY_get0_EC_KEY(const GO_EVP_PKEY *pkey)
--{
--  return _goboringcrypto_internal_EVP_PKEY_get0(pkey);
--}
- #endif
- 
- GO_EVP_PKEY *_goboringcrypto_EVP_PKEY_new_for_ecdh(int nid, const uint8_t *bytes, size_t len, int is_private);
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
-index 24a9615108..c6b23a984b 100644
---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
-@@ -5,6 +5,7 @@
- // +build !msan
- 
- #include "goopenssl.h"
-+#include <assert.h>
- 
- int _goboringcrypto_EVP_sign(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *msg,
-                              size_t msgLen, uint8_t *sig, size_t *slen,
-@@ -138,3 +139,52 @@ err:
- 
-   return ret;
- }
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+DEFINEFUNCINTERNAL(int, EVP_PKEY_up_ref, (GO_EVP_PKEY *pkey), (pkey))
-+
-+GO_EVP_PKEY *
-+_goboringcrypto_EVP_PKEY_ref(GO_EVP_PKEY *pkey)
-+{
-+  if (_goboringcrypto_internal_EVP_PKEY_up_ref(pkey) != 1)
-+    return NULL;
-+
-+  return pkey;
-+}
-+
-+#else
-+GO_EVP_PKEY *
-+_goboringcrypto_EVP_PKEY_ref(GO_EVP_PKEY *pkey)
-+{
-+  GO_EVP_PKEY *result = NULL;
-+
-+  if (pkey->type != EVP_PKEY_EC && pkey->type != EVP_PKEY_RSA)
-+    return NULL;
-+
-+  result = _goboringcrypto_EVP_PKEY_new();
-+  if (!result)
-+    goto err;
-+
-+  switch (pkey->type) {
-+  case EVP_PKEY_EC:
-+    if (_goboringcrypto_EVP_PKEY_set1_EC_KEY(result, _goboringcrypto_EVP_PKEY_get0_EC_KEY()) != 1)
-+      goto err;
-+    break;
-+
-+  case EVP_PKEY_RSA:
-+    if (_goboringcrypto_EVP_PKEY_set1_RSA_KEY(result, _goboringcrypto_EVP_PKEY_get0_RSA_KEY()) != 1)
-+      goto err;
-+
-+    break;
-+
-+  default:
-+    assert(0);
-+  }
-+
-+  return result;
-+
-+err:
-+  _goboringcrypto_EVP_PKEY_free(result);
-+  return NULL;
-+}
-+#endif
-diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
-index 75ba7a8a59..1e016676a0 100644
---- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
-+++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
-@@ -116,7 +116,9 @@ func (k *PrivateKeyRSA) withKey(f func(*C.GO_RSA) C.int) C.int {
- 
- func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
- 	padding C.int, h hash.Hash, label []byte, saltLen int, ch crypto.Hash,
--	init func(*C.GO_EVP_PKEY_CTX) C.int) (pkey *C.GO_EVP_PKEY, ctx *C.GO_EVP_PKEY_CTX, err error) {
-+	init func(*C.GO_EVP_PKEY_CTX) C.int) (_ *C.GO_EVP_PKEY,_  *C.GO_EVP_PKEY_CTX, err error) {
-+	var pkey *C.GO_EVP_PKEY
-+	var ctx *C.GO_EVP_PKEY_CTX
- 	defer func() {
- 		if err != nil {
- 			if pkey != nil {

SOURCES/skip-test-overlong-message.patch

@@ -1,15 +0,0 @@
-diff --git a/src/crypto/rsa/pkcs1v15_test.go b/src/crypto/rsa/pkcs1v15_test.go
-index 0853178e3a..16eb37734b 100644
---- a/src/crypto/rsa/pkcs1v15_test.go
-+++ b/src/crypto/rsa/pkcs1v15_test.go
-@@ -247,6 +247,10 @@ func TestVerifyPKCS1v15(t *testing.T) {
- }
- 
- func TestOverlongMessagePKCS1v15(t *testing.T) {
-+	// OpenSSL now returns a random string instead of an error
-+	if boring.Enabled() {
-+		t.Skip("Not relevant in boring mode")
-+	}
- 	ciphertext := decodeBase64("fjOVdirUzFoLlukv80dBllMLjXythIf22feqPrNo0YoIjzyzyoMFiLjAc/Y4krkeZ11XFThIrEvw\nkRiZcCq5ng==")
- 	_, err := DecryptPKCS1v15(nil, rsaPrivateKey, ciphertext)
- 	if err == nil {

cgo-lto-fix.patch

@@ -0,0 +1,289 @@
+From 24e9707cbfa6b1ed6abdd4b11f9ddaf3aac5ad88 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Tue, 25 May 2021 16:31:41 -0700
+Subject: [PATCH] cmd/link, cmd/cgo: support -flto in CFLAGS
+
+The linker now accepts unrecognized object files in external linking mode.
+These objects will simply be passed to the external linker.
+This permits using -flto which can generate pure byte code objects,
+whose symbol table the linker does not know how to read.
+
+The cgo tool now passes -fno-lto when generating objects whose symbols
+it needs to read. The cgo tool now emits matching types in different
+objects, so that the lto linker does not report a mismatch.
+
+This is based on https://golang.org/cl/293290 by Derek Parker.
+
+For #43505
+Fixes #43830
+Fixes #46295
+
+Change-Id: I6787de213417466784ddef5af8899e453b4ae1ad
+Reviewed-on: https://go-review.googlesource.com/c/go/+/322614
+Trust: Ian Lance Taylor <iant@golang.org>
+Run-TryBot: Ian Lance Taylor <iant@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Michael Hudson-Doyle <michael.hudson@canonical.com>
+---
+
+diff --git a/src/cmd/cgo/gcc.go b/src/cmd/cgo/gcc.go
+index ae61725..a73e998 100644
+--- a/src/cmd/cgo/gcc.go
++++ b/src/cmd/cgo/gcc.go
+@@ -1638,6 +1638,8 @@
+ 		c = append(c, "-maix64")
+ 		c = append(c, "-mcmodel=large")
+ 	}
++	// disable LTO so we get an object whose symbols we can read
++	c = append(c, "-fno-lto")
+ 	c = append(c, "-") //read input from standard input
+ 	return c
+ }
+diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go
+index 8c31d5b..94152f4 100644
+--- a/src/cmd/cgo/out.go
++++ b/src/cmd/cgo/out.go
+@@ -168,8 +168,18 @@
+ 			if *gccgo {
+ 				fmt.Fprintf(fc, "extern byte *%s;\n", n.C)
+ 			} else {
+-				fmt.Fprintf(fm, "extern char %s[];\n", n.C)
+-				fmt.Fprintf(fm, "void *_cgohack_%s = %s;\n\n", n.C, n.C)
++				// Force a reference to all symbols so that
++				// the external linker will add DT_NEEDED
++				// entries as needed on ELF systems.
++				// Treat function variables differently
++				// to avoid type confict errors from LTO
++				// (Link Time Optimization).
++				if n.Kind == "fpvar" {
++					fmt.Fprintf(fm, "extern void %s();\n", n.C)
++				} else {
++					fmt.Fprintf(fm, "extern char %s[];\n", n.C)
++					fmt.Fprintf(fm, "void *_cgohack_%s = %s;\n\n", n.C, n.C)
++				}
+ 				fmt.Fprintf(fgo2, "//go:linkname __cgo_%s %s\n", n.C, n.C)
+ 				fmt.Fprintf(fgo2, "//go:cgo_import_static %s\n", n.C)
+ 				fmt.Fprintf(fgo2, "var __cgo_%s byte\n", n.C)
+@@ -1042,7 +1052,7 @@
+ 		fmt.Fprintf(fgo2, "//go:cgo_export_static _cgoexp%s_%s\n", cPrefix, exp.ExpName)
+ 		fmt.Fprintf(fgo2, "func _cgoexp%s_%s(a *%s) {\n", cPrefix, exp.ExpName, gotype)
+ 
+-		fmt.Fprintf(fm, "int _cgoexp%s_%s;\n", cPrefix, exp.ExpName)
++		fmt.Fprintf(fm, "void _cgoexp%s_%s(void* p){}\n", cPrefix, exp.ExpName)
+ 
+ 		if gccResult != "void" {
+ 			// Write results back to frame.
+diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go
+index 50bf80b..bc49c6d 100644
+--- a/src/cmd/dist/test.go
++++ b/src/cmd/dist/test.go
+@@ -722,14 +722,29 @@
+ 				},
+ 			})
+ 			if t.hasCxx() {
+-				t.tests = append(t.tests, distTest{
+-					name:    "swig_callback",
+-					heading: "../misc/swig/callback",
+-					fn: func(dt *distTest) error {
+-						t.addCmd(dt, "misc/swig/callback", t.goTest())
+-						return nil
++				t.tests = append(t.tests,
++					distTest{
++						name:    "swig_callback",
++						heading: "../misc/swig/callback",
++						fn: func(dt *distTest) error {
++							t.addCmd(dt, "misc/swig/callback", t.goTest())
++							return nil
++						},
+ 					},
+-				})
++					distTest{
++						name:    "swig_callback_lto",
++						heading: "../misc/swig/callback",
++						fn: func(dt *distTest) error {
++							cmd := t.addCmd(dt, "misc/swig/callback", t.goTest())
++							cmd.Env = append(os.Environ(),
++								"CGO_CFLAGS=-flto",
++								"CGO_CXXFLAGS=-flto",
++								"CGO_LDFLAGS=-flto",
++							)
++							return nil
++						},
++					},
++				)
+ 			}
+ 		}
+ 	}
+diff --git a/src/cmd/go/testdata/script/cgo_lto2_issue43830.txt b/src/cmd/go/testdata/script/cgo_lto2_issue43830.txt
+new file mode 100644
+index 0000000..e2483ba
+--- /dev/null
++++ b/src/cmd/go/testdata/script/cgo_lto2_issue43830.txt
+@@ -0,0 +1,33 @@
++# tests golang.org/issue/43830
++
++[!cgo] skip 'skipping test without cgo'
++[openbsd] env CC='clang'
++[openbsd] [!exec:clang] skip 'skipping test without clang present'
++[!openbsd] env CC='gcc'
++[!openbsd] [!exec:gcc] skip 'skipping test without gcc present'
++
++env CGO_CFLAGS='-Wno-ignored-optimization-argument -flto -ffat-lto-objects'
++
++go build main.go
++
++-- main.go --
++
++package main
++
++import "fmt"
++
++// #include "hello.h"
++import "C"
++
++func main() {
++	hello := C.hello
++	fmt.Printf("%v\n", hello)
++}
++
++-- hello.h --
++
++#include <stdio.h>
++
++void hello(void) {
++  printf("hello\n");
++}
+diff --git a/src/cmd/go/testdata/script/cgo_lto_issue43830.txt b/src/cmd/go/testdata/script/cgo_lto_issue43830.txt
+new file mode 100644
+index 0000000..06ab2f3
+--- /dev/null
++++ b/src/cmd/go/testdata/script/cgo_lto_issue43830.txt
+@@ -0,0 +1,39 @@
++# tests golang.org/issue/43830
++
++[!cgo] skip 'skipping test without cgo'
++[openbsd] env CC='clang'
++[openbsd] [!exec:clang] skip 'skipping test without clang present'
++[!openbsd] env CC='gcc'
++[!openbsd] [!exec:gcc] skip 'skipping test without gcc present'
++
++env CGO_CFLAGS='-Wno-ignored-optimization-argument -flto -ffat-lto-objects'
++
++go build main.go add.go
++
++-- main.go --
++
++package main
++
++/*
++int c_add(int a, int b) {
++	return myadd(a, b);
++}
++*/
++import "C"
++
++func main() {
++	println(C.c_add(1, 2))
++}
++
++-- add.go --
++
++package main
++
++import "C"
++
++/* test */
++
++//export myadd
++func myadd(a C.int, b C.int) C.int {
++	return a + b
++}
+diff --git a/src/cmd/link/internal/ld/ar.go b/src/cmd/link/internal/ld/ar.go
+index 22f53a4..23915f9 100644
+--- a/src/cmd/link/internal/ld/ar.go
++++ b/src/cmd/link/internal/ld/ar.go
+@@ -124,6 +124,10 @@
+ 
+ 			libgcc := sym.Library{Pkg: "libgcc"}
+ 			h := ldobj(ctxt, f, &libgcc, l, pname, name)
++			if h.ld == nil {
++				Errorf(nil, "%s unrecognized object file at offset %d", name, off)
++				continue
++			}
+ 			f.MustSeek(h.off, 0)
+ 			h.ld(ctxt, f, h.pkg, h.length, h.pn)
+ 		}
+diff --git a/src/cmd/link/internal/ld/config.go b/src/cmd/link/internal/ld/config.go
+index ae0d752..20f1d0b 100644
+--- a/src/cmd/link/internal/ld/config.go
++++ b/src/cmd/link/internal/ld/config.go
+@@ -241,6 +241,10 @@
+ 		return true, "dynamically linking with a shared library"
+ 	}
+ 
++	if unknownObjFormat {
++		return true, "some input objects have an unrecognized file format"
++	}
++
+ 	return false, ""
+ }
+ 
+@@ -248,7 +252,7 @@
+ //
+ // It is called after flags are processed and inputs are processed,
+ // so the ctxt.LinkMode variable has an initial value from the -linkmode
+-// flag and the iscgo externalobj variables are set.
++// flag and the iscgo, externalobj, and unknownObjFormat variables are set.
+ func determineLinkMode(ctxt *Link) {
+ 	extNeeded, extReason := mustLinkExternal(ctxt)
+ 	via := ""
+diff --git a/src/cmd/link/internal/ld/lib.go b/src/cmd/link/internal/ld/lib.go
+index e8f001b..644faeb 100644
+--- a/src/cmd/link/internal/ld/lib.go
++++ b/src/cmd/link/internal/ld/lib.go
+@@ -343,10 +343,16 @@
+ const pkgdef = "__.PKGDEF"
+ 
+ var (
+-	// Set if we see an object compiled by the host compiler that is not
+-	// from a package that is known to support internal linking mode.
++	// externalobj is set to true if we see an object compiled by
++	// the host compiler that is not from a package that is known
++	// to support internal linking mode.
+ 	externalobj = false
+-	theline     string
++
++	// unknownObjFormat is set to true if we see an object whose
++	// format we don't recognize.
++	unknownObjFormat = false
++
++	theline string
+ )
+ 
+ func Lflag(ctxt *Link, arg string) {
+@@ -1065,6 +1071,10 @@
+ 		}
+ 
+ 		f.MustSeek(h.off, 0)
++		if h.ld == nil {
++			Errorf(nil, "%s: unrecognized object file format", h.pn)
++			continue
++		}
+ 		h.ld(ctxt, f, h.pkg, h.length, h.pn)
+ 		f.Close()
+ 	}
+@@ -1855,6 +1865,14 @@
+ 		return ldhostobj(ldxcoff, ctxt.HeadType, f, pkg, length, pn, file)
+ 	}
+ 
++	if c1 != 'g' || c2 != 'o' || c3 != ' ' || c4 != 'o' {
++		// An unrecognized object is just passed to the external linker.
++		// If we try to read symbols from this object, we will
++		// report an error at that time.
++		unknownObjFormat = true
++		return ldhostobj(nil, ctxt.HeadType, f, pkg, length, pn, file)
++	}
++
+ 	/* check the header */
+ 	line, err := f.ReadString('\n')
+ 	if err != nil {

cmd-link-use-correct-path-for-dynamic-loader-on-ppc6.patch

@@ -0,0 +1,53 @@
+From 241192ecd31ca03a6f68fa7e55bb9f66040d3a2f Mon Sep 17 00:00:00 2001
+From: Lynn Boger <laboger@linux.vnet.ibm.com>
+Date: Thu, 14 Jul 2022 10:47:28 -0500
+Subject: [PATCH] cmd/link: use correct path for dynamic loader on ppc64le
+
+The setting of the path for the dynamic loader when building for
+linux/ppc64le ELF v2 was incorrectly set to the path for
+PPC64 ELF v1. This has not caused issues in the common cases
+because this string can be set based on the default GO_LDSO setting.
+It does result in an incorrect value when cross compiling binaries
+with -buildmode=pie.
+
+Updates #53813
+
+Change-Id: I84de1c97b42e0434760b76a57c5a05e055fbb730
+---
+ src/cmd/link/internal/ppc64/obj.go | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/src/cmd/link/internal/ppc64/obj.go b/src/cmd/link/internal/ppc64/obj.go
+index b6d5ad92af..bca8fa9212 100644
+--- a/src/cmd/link/internal/ppc64/obj.go
++++ b/src/cmd/link/internal/ppc64/obj.go
+@@ -38,9 +38,12 @@ import (
+ )
+ 
+ func Init() (*sys.Arch, ld.Arch) {
+-	arch := sys.ArchPPC64
+-	if buildcfg.GOARCH == "ppc64le" {
+-		arch = sys.ArchPPC64LE
++	arch := sys.ArchPPC64LE
++	dynld := "/lib64/ld64.so.2"
++
++	if buildcfg.GOARCH == "ppc64" {
++		arch = sys.ArchPPC64
++		dynld = "/lib64/ld64.so.1"
+ 	}
+ 
+ 	theArch := ld.Arch{
+@@ -64,9 +67,7 @@ func Init() (*sys.Arch, ld.Arch) {
+ 		Machoreloc1:      machoreloc1,
+ 		Xcoffreloc1:      xcoffreloc1,
+ 
+-		// TODO(austin): ABI v1 uses /usr/lib/ld.so.1,
+-		Linuxdynld: "/lib64/ld64.so.1",
+-
++		Linuxdynld:     dynld,
+ 		Freebsddynld:   "XXX",
+ 		Openbsddynld:   "XXX",
+ 		Netbsddynld:    "XXX",
+-- 
+2.35.3
+

disable_static_external_tests.patch

@@ -0,0 +1,310 @@
+diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go
+index d9eb9c3..506f979 100644
+--- a/src/cmd/dist/test.go
++++ b/src/cmd/dist/test.go
+@@ -1180,18 +1180,20 @@ func (t *tester) cgoTest(dt *distTest) error {
+ 				fmt.Println("No support for static linking found (lacks libc.a?), skip cgo static linking test.")
+ 			} else {
+ 				if goos != "android" {
+-					t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`)
++					t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, "-tags=no_openssl")
+ 				}
+ 				t.addCmd(dt, "misc/cgo/nocgo", t.goTest())
+ 				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external`)
+ 				if goos != "android" {
+-					t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`)
++					t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, "-tags=no_openssl")
++					/*
+ 					t.addCmd(dt, "misc/cgo/test", t.goTest(), "-tags=static", "-ldflags", `-linkmode=external -extldflags "-static -pthread"`)
+ 					// -static in CGO_LDFLAGS triggers a different code path
+ 					// than -static in -extldflags, so test both.
+ 					// See issue #16651.
+ 					cmd := t.addCmd(dt, "misc/cgo/test", t.goTest(), "-tags=static")
+ 					setEnv(cmd, "CGO_LDFLAGS", "-static -pthread")
++					*/
+ 				}
+ 			}
+ 
+@@ -1201,7 +1203,7 @@ func (t *tester) cgoTest(dt *distTest) error {
+ 					t.addCmd(dt, "misc/cgo/test", t.goTest(), "-buildmode=pie", "-ldflags=-linkmode=internal", "-tags=internal,internal_pie")
+ 				}
+ 				t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-buildmode=pie")
+-				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie")
++				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie", "-tags=no_openssl")
+ 			}
+ 		}
+ 	}
+diff --git a/src/crypto/internal/boring/aes.go b/src/crypto/internal/boring/aes.go
+index a495bd7..2c6107b 100644
+--- a/src/crypto/internal/boring/aes.go
++++ b/src/crypto/internal/boring/aes.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/aes_test.go b/src/crypto/internal/boring/aes_test.go
+index 3b4c364..371bc20 100644
+--- a/src/crypto/internal/boring/aes_test.go
++++ b/src/crypto/internal/boring/aes_test.go
+@@ -1,9 +1,5 @@
+-// +build linux
+-// +build !android
+-// +build !no_openssl
+-// +build !cmd_go_bootstrap
+-// +build !msan
+-// +build cgo
++//go:build linux && !android && !no_openssl && !cmd_go_bootstrap && !msan && cgo && !static
++// +build linux,!android,!no_openssl,!cmd_go_bootstrap,!msan,cgo,!static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/boring.go b/src/crypto/internal/boring/boring.go
+index ec6e80c..05431b1 100644
+--- a/src/crypto/internal/boring/boring.go
++++ b/src/crypto/internal/boring/boring.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/ecdsa.go b/src/crypto/internal/boring/ecdsa.go
+index f72da41..33ee442 100644
+--- a/src/crypto/internal/boring/ecdsa.go
++++ b/src/crypto/internal/boring/ecdsa.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/goboringcrypto.h b/src/crypto/internal/boring/goboringcrypto.h
+index 4547ade..b8aaae4 100644
+--- a/src/crypto/internal/boring/goboringcrypto.h
++++ b/src/crypto/internal/boring/goboringcrypto.h
+@@ -1,6 +1,12 @@
+ // Copyright 2017 The Go Authors. All rights reserved.
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
++// +build linux
++// +build !android
++// +build !no_openssl
++// +build !cmd_go_bootstrap
++// +build !msan
++// +build !static
+ 
+ // This header file describes the BoringCrypto ABI as built for use in Go.
+ // The BoringCrypto build for Go (which generates goboringcrypto_*.syso)
+diff --git a/src/crypto/internal/boring/goopenssl.h b/src/crypto/internal/boring/goopenssl.h
+index 4820385..ac41482 100644
+--- a/src/crypto/internal/boring/goopenssl.h
++++ b/src/crypto/internal/boring/goopenssl.h
+@@ -6,6 +6,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ // This header file describes the OpenSSL ABI as built for use in Go.
+ 
+diff --git a/src/crypto/internal/boring/hmac.go b/src/crypto/internal/boring/hmac.go
+index 4e913c3..10cfbb3 100644
+--- a/src/crypto/internal/boring/hmac.go
++++ b/src/crypto/internal/boring/hmac.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/notboring.go b/src/crypto/internal/boring/notboring.go
+index e513834..08c5245 100644
+--- a/src/crypto/internal/boring/notboring.go
++++ b/src/crypto/internal/boring/notboring.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl
+-// +build !linux !cgo android cmd_go_bootstrap msan no_openssl
++//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl || static
++// +build !linux !cgo android cmd_go_bootstrap msan no_openssl static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/openssl_ecdsa_signature.c b/src/crypto/internal/boring/openssl_ecdsa_signature.c
+index 710d074..853be3d 100644
+--- a/src/crypto/internal/boring/openssl_ecdsa_signature.c
++++ b/src/crypto/internal/boring/openssl_ecdsa_signature.c
+@@ -3,6 +3,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ #include "goboringcrypto.h"
+ 
+diff --git a/src/crypto/internal/boring/openssl_evp.c b/src/crypto/internal/boring/openssl_evp.c
+index 36be702..331dfd3 100644
+--- a/src/crypto/internal/boring/openssl_evp.c
++++ b/src/crypto/internal/boring/openssl_evp.c
+@@ -3,6 +3,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ #include "goboringcrypto.h"
+ 
+diff --git a/src/crypto/internal/boring/openssl_lock_setup.c b/src/crypto/internal/boring/openssl_lock_setup.c
+index 955924e..c0f3435 100644
+--- a/src/crypto/internal/boring/openssl_lock_setup.c
++++ b/src/crypto/internal/boring/openssl_lock_setup.c
+@@ -3,6 +3,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ #include "goboringcrypto.h"
+ #include <stdio.h>
+diff --git a/src/crypto/internal/boring/openssl_port_aead_gcm.c b/src/crypto/internal/boring/openssl_port_aead_gcm.c
+index b39bf54..80c933a 100644
+--- a/src/crypto/internal/boring/openssl_port_aead_gcm.c
++++ b/src/crypto/internal/boring/openssl_port_aead_gcm.c
+@@ -4,6 +4,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ #include "goboringcrypto.h"
+ #include <openssl/err.h>
+diff --git a/src/crypto/internal/boring/openssl_port_ctr128.c b/src/crypto/internal/boring/openssl_port_ctr128.c
+index abaff5c..e2263a5 100644
+--- a/src/crypto/internal/boring/openssl_port_ctr128.c
++++ b/src/crypto/internal/boring/openssl_port_ctr128.c
+@@ -3,6 +3,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ #include "goboringcrypto.h"
+ 
+diff --git a/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c b/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c
+index 8418c38..39bf3ae 100644
+--- a/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c
++++ b/src/crypto/internal/boring/openssl_port_evp_md5_sha1.c
+@@ -4,6 +4,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ // The following is a partial backport of crypto/evp/m_md5_sha1.c,
+ // commit cbc8a839959418d8a2c2e3ec6bdf394852c9501e on the
+diff --git a/src/crypto/internal/boring/openssl_port_hmac.c b/src/crypto/internal/boring/openssl_port_hmac.c
+index be7c71a..35e1860 100644
+--- a/src/crypto/internal/boring/openssl_port_hmac.c
++++ b/src/crypto/internal/boring/openssl_port_hmac.c
+@@ -4,6 +4,8 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
++
+ 
+ #include "goboringcrypto.h"
+ 
+diff --git a/src/crypto/internal/boring/openssl_port_rsa.c b/src/crypto/internal/boring/openssl_port_rsa.c
+index 5174f66..a8008e9 100644
+--- a/src/crypto/internal/boring/openssl_port_rsa.c
++++ b/src/crypto/internal/boring/openssl_port_rsa.c
+@@ -4,6 +4,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ #include "goboringcrypto.h"
+ 
+diff --git a/src/crypto/internal/boring/openssl_stub_rand.c b/src/crypto/internal/boring/openssl_stub_rand.c
+index 18d6777..e8ac53b 100644
+--- a/src/crypto/internal/boring/openssl_stub_rand.c
++++ b/src/crypto/internal/boring/openssl_stub_rand.c
+@@ -3,6 +3,7 @@
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+ // +build !msan
++// +build !static
+ 
+ #include "goboringcrypto.h"
+ #include <openssl/rand.h>
+diff --git a/src/crypto/internal/boring/rand.go b/src/crypto/internal/boring/rand.go
+index e9c334f..3adbd4d 100644
+--- a/src/crypto/internal/boring/rand.go
++++ b/src/crypto/internal/boring/rand.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/rsa.go b/src/crypto/internal/boring/rsa.go
+index b1a2f57..0cabadb 100644
+--- a/src/crypto/internal/boring/rsa.go
++++ b/src/crypto/internal/boring/rsa.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package boring
+ 
+diff --git a/src/crypto/internal/boring/sha.go b/src/crypto/internal/boring/sha.go
+index bdcc782..6184d6c 100644
+--- a/src/crypto/internal/boring/sha.go
++++ b/src/crypto/internal/boring/sha.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package boring
+ 

fix-memory-leak-evp-sign-verify.patch

@@ -0,0 +1,48 @@
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
+index 76bac5b..24a9615 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
+@@ -43,7 +43,11 @@ int _goboringcrypto_EVP_sign_raw(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *m
+                              GO_RSA *rsa_key) {
+   int ret = 0;
+   GO_EVP_PKEY *pk = _goboringcrypto_EVP_PKEY_new();
+-  _goboringcrypto_EVP_PKEY_assign_RSA(pk, rsa_key);
++  if (!pk)
++    return 0;
++
++  if (!(_goboringcrypto_EVP_PKEY_set1_RSA(pk, rsa_key)))
++    goto err;
+ 
+   if (!ctx && !(ctx = _goboringcrypto_EVP_PKEY_CTX_new(pk, NULL)))
+     goto err;
+@@ -63,6 +67,8 @@ int _goboringcrypto_EVP_sign_raw(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *m
+ err:
+   if (ctx)
+     _goboringcrypto_EVP_PKEY_CTX_free(ctx);
++  if (pk)
++    _goboringcrypto_EVP_PKEY_free(pk);
+ 
+   return ret;
+ }
+@@ -103,7 +109,11 @@ int _goboringcrypto_EVP_verify_raw(const uint8_t *msg, size_t msgLen,
+   int ret = 0;
+   EVP_PKEY_CTX *ctx;
+   GO_EVP_PKEY *pk = _goboringcrypto_EVP_PKEY_new();
+-  _goboringcrypto_EVP_PKEY_assign_RSA(pk, rsa_key);
++  if (!pk)
++    return 0;
++
++  if (!(_goboringcrypto_EVP_PKEY_set1_RSA(pk, rsa_key)))
++    goto err;
+ 
+   if (!(ctx = _goboringcrypto_EVP_PKEY_CTX_new(pk, NULL)))
+     goto err;
+@@ -123,6 +133,8 @@ int _goboringcrypto_EVP_verify_raw(const uint8_t *msg, size_t msgLen,
+ err:
+   if (ctx)
+     _goboringcrypto_EVP_PKEY_CTX_free(ctx);
++  if (pk)
++    _goboringcrypto_EVP_PKEY_free(pk);
+ 
+   return ret;
+ }

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

go1.5-zoneinfo_testing_only.patch

@@ -0,0 +1,73 @@
+diff --git a/src/time/internal_test.go b/src/time/internal_test.go
+index f0dddb7..415949a 100644
+--- a/src/time/internal_test.go
++++ b/src/time/internal_test.go
+@@ -4,13 +4,15 @@
+ 
+ package time
+ 
++import "runtime"
++
+ func init() {
+ 	// force US/Pacific for time zone tests
+ 	ForceUSPacificForTesting()
+ }
+ 
+ func initTestingZone() {
+-	z, err := loadLocation("America/Los_Angeles", zoneSources[len(zoneSources)-1:])
++	z, err := loadLocation("America/Los_Angeles", zoneSources)
+ 	if err != nil {
+ 		panic("cannot load America/Los_Angeles for testing: " + err.Error() + "; you may want to use -tags=timetzdata")
+ 	}
+@@ -21,8 +23,9 @@ func initTestingZone() {
+ var OrigZoneSources = zoneSources
+ 
+ func forceZipFileForTesting(zipOnly bool) {
+-	zoneSources = make([]string, len(OrigZoneSources))
++	zoneSources = make([]string, len(OrigZoneSources)+1)
+ 	copy(zoneSources, OrigZoneSources)
++	zoneSources = append(zoneSources, runtime.GOROOT()+"/lib/time/zoneinfo.zip")
+ 	if zipOnly {
+ 		zoneSources = zoneSources[len(zoneSources)-1:]
+ 	}
+diff --git a/src/time/zoneinfo_test.go b/src/time/zoneinfo_test.go
+index f032aa7..e3e5547 100644
+--- a/src/time/zoneinfo_test.go
++++ b/src/time/zoneinfo_test.go
+@@ -9,6 +9,7 @@ import (
+ 	"fmt"
+ 	"os"
+ 	"reflect"
++	"runtime"
+ 	"testing"
+ 	"time"
+ )
+@@ -137,7 +138,7 @@ func TestLoadLocationFromTZData(t *testing.T) {
+ 		t.Fatal(err)
+ 	}
+ 
+-	tzinfo, err := time.LoadTzinfo(locationName, time.OrigZoneSources[len(time.OrigZoneSources)-1])
++	tzinfo, err := time.LoadTzinfo(locationName, runtime.GOROOT()+"/lib/time/zoneinfo.zip")
+ 	if err != nil {
+ 		t.Fatal(err)
+ 	}
+diff --git a/src/time/zoneinfo_unix.go b/src/time/zoneinfo_unix.go
+index 23f8b3c..228db1b 100644
+--- a/src/time/zoneinfo_unix.go
++++ b/src/time/zoneinfo_unix.go
+@@ -12,7 +12,6 @@
+ package time
+ 
+ import (
+-	"runtime"
+ 	"syscall"
+ )
+ 
+@@ -22,7 +21,6 @@ var zoneSources = []string{
+ 	"/usr/share/zoneinfo/",
+ 	"/usr/share/lib/zoneinfo/",
+ 	"/usr/lib/locale/TZ/",
+-	runtime.GOROOT() + "/lib/time/zoneinfo.zip",
+ }
+ 
+ func initLocal() {

golang.spec

@@ -92,12 +92,12 @@
 %endif
 
 %global go_api 1.20
-%global version 1.20.12
-%global pkg_release 2
+%global version 1.20.6
+%global pkg_release 1
 
 Name:           golang
 Version:        %{version}
-Release:        8%{?dist}
+Release:        2%{?dist}
 
 Summary:        The Go Programming Language
 # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
@@ -140,14 +140,12 @@ Requires:       diffutils
 
 # Proposed patch by jcajka https://golang.org/cl/86541
 Patch221:       fix_TestScript_list_std.patch
-Patch222:	skip-test-overlong-message.patch
 
 Patch1939923:   skip_test_rhbz1939923.patch
 
-Patch2:		disable_static_tests_part1.patch
-Patch3:		disable_static_tests_part2.patch
-
-Patch229:	fix-memleak-rsa-ecdh.patch
+Patch2:        disable_static_tests_part1.patch
+Patch3:        disable_static_tests_part2.patch
+Patch6:		fix-memory-leak-evp-sign-verify.patch
 
 # Having documentation separate was broken
 Obsoletes:      %{name}-docs < 1.1-4
@@ -244,10 +242,8 @@ Requires:       %{name} = %{version}-%{release}
 pushd ..
 tar -xf %{SOURCE1}
 popd
-
-for patch in ../go-go%{version}-%{pkg_release}-openssl-fips/patches/*.patch; do
-  patch -p1 < "${patch}"
-done
+patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/000-initial-setup.patch
+patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/001-initial-openssl-for-fips.patch
 
 # Configure crypto tests
 pushd ../go-go%{version}-%{pkg_release}-openssl-fips
@@ -257,15 +253,12 @@ popd
 
 %patch2 -p1
 %patch3 -p1
+%patch6 -p1
 
 %patch221 -p1
-%patch222 -p1
-
-%patch229 -p1
 
 %patch1939923 -p1
 
-
 cp %{SOURCE2} ./src/runtime/
 
 %build
@@ -526,33 +519,6 @@ cd ..
 %endif
 
 %changelog
-* Wed Apr 10 2024 David Benoit <dbenoit@redhat.com> - 1.20.12-8
-- Update sources file
-- Related: RHEL-27928
-
-* Tue Apr 09 2024 David Benoit <dbenoit@redhat.com> - 1.20.12-7
-- Fix CVE-2024-1394
-- Resolves: RHEL-27928
-
-* Mon Apr 08 2024 Derek Parker <deparker@redhat.com> - 1.20.12-6
-- Fix CVE-2023-45288
-- Resolves: RHEL-31914
-
-* Wed Dec 13 2023 David Benoit <dbenoit@redhat.com> - 1.20.12-2
-- Fix sources file
-- Related: RHEL-19231
-
-* Tue Dec 12 2023 David Benoit <dbenoit@redhat.com> - 1.20.12-1
-- Update to Go 1.20.12
-- Fix CVE-2023-39326
-- Resolves: RHEL-19231
-
-* Fri Oct 13 2023 David Benoit <dbenoit@redhat.com> - 1.20.10-1
-- Update to Go 1.20.10
-- Fix CVE-2023-39325
-- Midstream patches
-- Resolves: RHEL-12619
-
 * Mon Aug 14 2023 Alejandro Sáez <asm@redhat.com> - 1.20.6-2
 - Retire golang-race package
 - Resolves: rhbz#2230599

openssl_deprecated_algorithm_tests.patch

@@ -0,0 +1,112 @@
+diff --git a/src/crypto/rsa/pkcs1v15_test.go b/src/crypto/rsa/pkcs1v15_test.go
+index a4f2e2dbbe..76701d2e2b 100644
+--- a/src/crypto/rsa/pkcs1v15_test.go
++++ b/src/crypto/rsa/pkcs1v15_test.go
+@@ -52,6 +52,7 @@ var decryptPKCS1v15Tests = []DecryptPKCS1v15Test{
+ }
+ 
+ func TestDecryptPKCS1v15(t *testing.T) {
++	t.Skip("not supported in FIPS mode")
+ 	decryptionFuncs := []func([]byte) ([]byte, error){
+ 		func(ciphertext []byte) (plaintext []byte, err error) {
+ 			return DecryptPKCS1v15(nil, testRSA2048PrivateKey, ciphertext)
+@@ -76,6 +77,7 @@ func TestDecryptPKCS1v15(t *testing.T) {
+ }
+ 
+ func TestEncryptPKCS1v15(t *testing.T) {
++	t.Skip("not supported in FIPS mode")
+ 	random := rand.Reader
+ 	k := (testRSA2048PrivateKey.N.BitLen() + 7) / 8
+ 
+@@ -137,6 +139,7 @@ var decryptPKCS1v15SessionKeyTests = []DecryptPKCS1v15Test{
+ }
+ 
+ func TestEncryptPKCS1v15SessionKey(t *testing.T) {
++	t.Skip("not supported in FIPS mode")
+ 	for i, test := range decryptPKCS1v15SessionKeyTests {
+ 		key := []byte("FAIL")
+ 		err := DecryptPKCS1v15SessionKey(nil, testRSA2048PrivateKey, decodeBase64(test.in), key)
+@@ -151,6 +154,7 @@ func TestEncryptPKCS1v15SessionKey(t *testing.T) {
+ }
+ 
+ func TestEncryptPKCS1v15DecrypterSessionKey(t *testing.T) {
++	t.Skip("not supported in FIPS mode")
+ 	for i, test := range decryptPKCS1v15SessionKeyTests {
+ 		plaintext, err := testRSA2048PrivateKey.Decrypt(rand.Reader, decodeBase64(test.in), &PKCS1v15DecryptOptions{SessionKeyLen: 4})
+ 		if err != nil {
+@@ -270,6 +274,7 @@ func TestUnpaddedSignature(t *testing.T) {
+ }
+ 
+ func TestShortSessionKey(t *testing.T) {
++	t.Skip("not supported in FIPS mode")
+ 	// This tests that attempting to decrypt a session key where the
+ 	// ciphertext is too small doesn't run outside the array bounds.
+ 	ciphertext, err := EncryptPKCS1v15(rand.Reader, &testRSA2048PrivateKey.PublicKey, []byte{1})
+diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go
+index b547a87c71..99e7882866 100644
+--- a/src/crypto/rsa/pss_test.go
++++ b/src/crypto/rsa/pss_test.go
+@@ -77,6 +77,7 @@ func TestEMSAPSS(t *testing.T) {
+ // TestPSSGolden tests all the test vectors in pss-vect.txt from
+ // ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip
+ func TestPSSGolden(t *testing.T) {
++	t.Skip("SHA1 not supported in boring mode")
+ 	inFile, err := os.Open("testdata/pss-vect.txt.bz2")
+ 	if err != nil {
+ 		t.Fatalf("Failed to open input file: %s", err)
+diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go
+index 9aa67655ab..2f4e666abb 100644
+--- a/src/crypto/rsa/rsa_test.go
++++ b/src/crypto/rsa/rsa_test.go
+@@ -123,28 +123,29 @@ func testKeyBasics(t *testing.T, priv *PrivateKey) {
+ 		t.Errorf("private exponent too large")
+ 	}
+ 
+-	if boring.Enabled() {
+-		// Cannot call encrypt/decrypt directly. Test via PKCS1v15.
+-		msg := []byte("hi!")
+-		if priv.Size() >= 256 {
+-			enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg)
+-			if err != nil {
+-				t.Errorf("EncryptPKCS1v15: %v", err)
+-				return
+-			}
+-			dec, err := DecryptPKCS1v15(rand.Reader, priv, enc)
+-			if err != nil {
+-				t.Errorf("DecryptPKCS1v15: %v", err)
+-				return
+-			}
+-			if !bytes.Equal(dec, msg) {
+-				t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
+-			}
+-		} else {
+-			t.Logf("skipping check for unsupported key less than 2048 bits")
+-		}
+-		return
+-	}
++        if boring.Enabled() {
++                // Cannot call encrypt/decrypt directly. Test via EncryptOAEP.
++		sha256 := sha256.New()
++                msg := []byte("hi!")
++                if priv.Size() >= 256 {
++                        enc, err := EncryptOAEP(sha256, rand.Reader, &priv.PublicKey, msg, nil)
++                        if err != nil {
++                                t.Errorf("EncryptOAEP: %v", err)
++                                return
++                        }
++                        dec, err := DecryptOAEP(sha256, rand.Reader, priv, enc, nil)
++                        if err != nil {
++                                t.Errorf("DecryptOAEP: %v", err)
++                                return
++                        }
++                        if !bytes.Equal(dec, msg) {
++                                t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
++                        }
++                } else {
++                        t.Logf("skipping check for unsupported key less than 2048 bits")
++                }
++                return
++        }
+ 
+ 	pub := &priv.PublicKey
+ 	m := big.NewInt(42)

remove_ed25519vectors_test.patch

@@ -0,0 +1,128 @@
+From d7cad65ab9179804e9f089ce97bc124e9ef79494 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alejandro=20S=C3=A1ez?= <asm@redhat.com>
+Date: Wed, 15 Dec 2021 16:02:15 +0100
+Subject: [PATCH] Remove ed25519vectors_test.go
+
+---
+ src/crypto/ed25519/ed25519vectors_test.go | 109 ----------------------
+ 1 file changed, 109 deletions(-)
+ delete mode 100644 src/crypto/ed25519/ed25519vectors_test.go
+
+diff --git a/src/crypto/ed25519/ed25519vectors_test.go b/src/crypto/ed25519/ed25519vectors_test.go
+deleted file mode 100644
+index 74fcdcdf4e..0000000000
+--- a/src/crypto/ed25519/ed25519vectors_test.go
++++ /dev/null
+@@ -1,109 +0,0 @@
+-// Copyright 2021 The Go Authors. All rights reserved.
+-// Use of this source code is governed by a BSD-style
+-// license that can be found in the LICENSE file.
+-
+-package ed25519_test
+-
+-import (
+-	"crypto/ed25519"
+-	"encoding/hex"
+-	"encoding/json"
+-	"internal/testenv"
+-	"os"
+-	"os/exec"
+-	"path/filepath"
+-	"testing"
+-)
+-
+-// TestEd25519Vectors runs a very large set of test vectors that exercise all
+-// combinations of low-order points, low-order components, and non-canonical
+-// encodings. These vectors lock in unspecified and spec-divergent behaviors in
+-// edge cases that are not security relevant in most contexts, but that can
+-// cause issues in consensus applications if changed.
+-//
+-// Our behavior matches the "classic" unwritten verification rules of the
+-// "ref10" reference implementation.
+-//
+-// Note that although we test for these edge cases, they are not covered by the
+-// Go 1 Compatibility Promise. Applications that need stable verification rules
+-// should use github.com/hdevalence/ed25519consensus.
+-//
+-// See https://hdevalence.ca/blog/2020-10-04-its-25519am for more details.
+-func TestEd25519Vectors(t *testing.T) {
+-	jsonVectors := downloadEd25519Vectors(t)
+-	var vectors []struct {
+-		A, R, S, M string
+-		Flags      []string
+-	}
+-	if err := json.Unmarshal(jsonVectors, &vectors); err != nil {
+-		t.Fatal(err)
+-	}
+-	for i, v := range vectors {
+-		expectedToVerify := true
+-		for _, f := range v.Flags {
+-			switch f {
+-			// We use the simplified verification formula that doesn't multiply
+-			// by the cofactor, so any low order residue will cause the
+-			// signature not to verify.
+-			//
+-			// This is allowed, but not required, by RFC 8032.
+-			case "LowOrderResidue":
+-				expectedToVerify = false
+-			// Our point decoding allows non-canonical encodings (in violation
+-			// of RFC 8032) but R is not decoded: instead, R is recomputed and
+-			// compared bytewise against the canonical encoding.
+-			case "NonCanonicalR":
+-				expectedToVerify = false
+-			}
+-		}
+-
+-		publicKey := decodeHex(t, v.A)
+-		signature := append(decodeHex(t, v.R), decodeHex(t, v.S)...)
+-		message := []byte(v.M)
+-
+-		didVerify := ed25519.Verify(publicKey, message, signature)
+-		if didVerify && !expectedToVerify {
+-			t.Errorf("#%d: vector with flags %s unexpectedly verified", i, v.Flags)
+-		}
+-		if !didVerify && expectedToVerify {
+-			t.Errorf("#%d: vector with flags %s unexpectedly rejected", i, v.Flags)
+-		}
+-	}
+-}
+-
+-func downloadEd25519Vectors(t *testing.T) []byte {
+-	testenv.MustHaveExternalNetwork(t)
+-
+-	// Download the JSON test file from the GOPROXY with `go mod download`,
+-	// pinning the version so test and module caching works as expected.
+-	goTool := testenv.GoToolPath(t)
+-	path := "filippo.io/mostly-harmless/ed25519vectors@v0.0.0-20210322192420-30a2d7243a94"
+-	cmd := exec.Command(goTool, "mod", "download", "-json", path)
+-	// TODO: enable the sumdb once the TryBots proxy supports it.
+-	cmd.Env = append(os.Environ(), "GONOSUMDB=*")
+-	output, err := cmd.Output()
+-	if err != nil {
+-		t.Fatalf("failed to run `go mod download -json %s`, output: %s", path, output)
+-	}
+-	var dm struct {
+-		Dir string // absolute path to cached source root directory
+-	}
+-	if err := json.Unmarshal(output, &dm); err != nil {
+-		t.Fatal(err)
+-	}
+-
+-	jsonVectors, err := os.ReadFile(filepath.Join(dm.Dir, "ed25519vectors.json"))
+-	if err != nil {
+-		t.Fatalf("failed to read ed25519vectors.json: %v", err)
+-	}
+-	return jsonVectors
+-}
+-
+-func decodeHex(t *testing.T, s string) []byte {
+-	t.Helper()
+-	b, err := hex.DecodeString(s)
+-	if err != nil {
+-		t.Errorf("invalid hex: %v", err)
+-	}
+-	return b
+-}
+-- 
+2.33.1
+

rhbz1955035.patch

@@ -0,0 +1,42 @@
+From 4ec78a579cc3c83a7d0afc7483fb3e69e2fd87a7 Mon Sep 17 00:00:00 2001
+From: "Paul E. Murphy" <murp@ibm.com>
+Date: Tue, 27 Apr 2021 15:05:51 -0500
+Subject: [PATCH] cmd/link: disable plugin support if cgo is disabled
+
+Functional plugin support requires cgo to be enabled. Disable
+it if the environment has disabled cgo.
+
+This prevents unexpected linker failures when linking large
+binaries with cgo disabled which use the plugin package.
+
+Fixes #45564
+
+Change-Id: Ib71f0e089f7373b7b3e3cd53da3612291e7bc473
+Reviewed-on: https://go-review.googlesource.com/c/go/+/314449
+Run-TryBot: Paul Murphy <murp@ibm.com>
+Reviewed-by: Cherry Zhang <cherryyz@google.com>
+TryBot-Result: Go Bot <gobot@golang.org>
+Trust: Lynn Boger <laboger@linux.vnet.ibm.com>
+---
+ src/cmd/link/internal/ld/lib.go | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/cmd/link/internal/ld/lib.go b/src/cmd/link/internal/ld/lib.go
+index 0e77424884..f7a32aebae 100644
+--- a/src/cmd/link/internal/ld/lib.go
++++ b/src/cmd/link/internal/ld/lib.go
+@@ -533,7 +533,10 @@ func (ctxt *Link) loadlib() {
+ 	// up symbol by name may not get expected result.
+ 
+ 	iscgo = ctxt.LibraryByPkg["runtime/cgo"] != nil
+-	ctxt.canUsePlugins = ctxt.LibraryByPkg["plugin"] != nil
++
++	// Plugins a require cgo support to function. Similarly, plugins may require additional
++	// internal linker support on some platforms which may not be implemented.
++	ctxt.canUsePlugins = ctxt.LibraryByPkg["plugin"] != nil && iscgo
+ 
+ 	// We now have enough information to determine the link mode.
+ 	determineLinkMode(ctxt)
+-- 
+2.30.2
+

sources

@@ -0,0 +1,2 @@
+SHA512 (go1.20.6.tar.gz) = 45990e2bb4ddf84646ecca5814a62b4330063188238b5ab3f9d47f517a227ea7a981fe3d50681f4187462d01d0c1601cb01375f940569a5465b78065a4371cd4
+SHA512 (go1.20.6-1-openssl-fips.tar.gz) = 7e1f9a61b8d419233b41d4592e8741a9d3039120c1fb444cfd7ac229d65a8031ecf1644e1161bc6cf5739ac7ec84e6405eb101f63b5a972ecb6b2ea69cea39e2