.gitignore

@@ -1 +1,2 @@
-SOURCES/go1.19.1.tar.gz
+SOURCES/go1.21.9-1-openssl-fips.tar.gz
+SOURCES/go1.21.9.tar.gz

.golang.metadata

@@ -1 +1,2 @@
-564d4664e5fafb4da637a01aa62501336d79135f SOURCES/go1.19.1.tar.gz
+1162b641e8b23110eaab7496003585ea6c786158 SOURCES/go1.21.9-1-openssl-fips.tar.gz
+54c038c82c82ebe2ad4ee2d0a3d7c4d39809f59a SOURCES/go1.21.9.tar.gz

SOURCES/000-initial-setup.patch

@@ -1,427 +0,0 @@
-diff --git a/src/cmd/go/testdata/script/gopath_std_vendor.txt b/src/cmd/go/testdata/script/gopath_std_vendor.txt
-index a0a41a5..208aa70 100644
---- a/src/cmd/go/testdata/script/gopath_std_vendor.txt
-+++ b/src/cmd/go/testdata/script/gopath_std_vendor.txt
-@@ -21,11 +21,11 @@ go build .
- 
- go list -deps -f '{{.ImportPath}} {{.Dir}}' .
- stdout $GOPATH[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
--! stdout $GOROOT[/\\]src[/\\]vendor
-+! stdout $GOROOT[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
- 
- go list -test -deps -f '{{.ImportPath}} {{.Dir}}' .
- stdout $GOPATH[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
--! stdout $GOROOT[/\\]src[/\\]vendor
-+! stdout $GOROOT[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack
- 
- -- issue16333/issue16333.go --
- package vendoring17
-diff --git a/src/crypto/ed25519/ed25519_test.go b/src/crypto/ed25519/ed25519_test.go
-index 7c51817..102c4e5 100644
---- a/src/crypto/ed25519/ed25519_test.go
-+++ b/src/crypto/ed25519/ed25519_test.go
-@@ -187,6 +187,7 @@ func TestMalleability(t *testing.T) {
- }
- 
- func TestAllocations(t *testing.T) {
-+	t.Skip("Allocations test broken with openssl linkage")
- 	if boring.Enabled {
- 		t.Skip("skipping allocations test with BoringCrypto")
- 	}
-diff --git a/src/crypto/ed25519/ed25519vectors_test.go b/src/crypto/ed25519/ed25519vectors_test.go
-index f933f28..223ce04 100644
---- a/src/crypto/ed25519/ed25519vectors_test.go
-+++ b/src/crypto/ed25519/ed25519vectors_test.go
-@@ -72,6 +72,7 @@ func TestEd25519Vectors(t *testing.T) {
- }
- 
- func downloadEd25519Vectors(t *testing.T) []byte {
-+	t.Skip("skipping test that downloads external data")
- 	testenv.MustHaveExternalNetwork(t)
- 
- 	// Create a temp dir and modcache subdir.
-diff --git a/src/crypto/internal/backend/bbig/big.go b/src/crypto/internal/backend/bbig/big.go
-new file mode 100644
-index 0000000..c0800df
---- /dev/null
-+++ b/src/crypto/internal/backend/bbig/big.go
-@@ -0,0 +1,38 @@
-+// Copyright 2022 The Go Authors. All rights reserved.
-+// Use of this source code is governed by a BSD-style
-+// license that can be found in the LICENSE file.
-+
-+// This is a mirror of crypto/internal/boring/bbig/big.go.
-+
-+package bbig
-+
-+import (
-+	"math/big"
-+	"unsafe"
-+
-+	"github.com/golang-fips/openssl-fips/openssl"
-+)
-+
-+func Enc(b *big.Int) openssl.BigInt {
-+	if b == nil {
-+		return nil
-+	}
-+	x := b.Bits()
-+	if len(x) == 0 {
-+		return openssl.BigInt{}
-+	}
-+	// TODO: Use unsafe.Slice((*uint)(&x[0]), len(x)) once go1.16 is no longer supported.
-+	return (*(*[]uint)(unsafe.Pointer(&x)))[:len(x)]
-+}
-+
-+func Dec(b openssl.BigInt) *big.Int {
-+	if b == nil {
-+		return nil
-+	}
-+	if len(b) == 0 {
-+		return new(big.Int)
-+	}
-+	// TODO: Use unsafe.Slice((*uint)(&b[0]), len(b)) once go1.16 is no longer supported.
-+	x := (*(*[]big.Word)(unsafe.Pointer(&b)))[:len(b)]
-+	return new(big.Int).SetBits(x)
-+}
-diff --git a/src/crypto/internal/backend/dummy.s b/src/crypto/internal/backend/dummy.s
-new file mode 100644
-index 0000000..e69de29
-diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go
-new file mode 100644
-index 0000000..1d75287
---- /dev/null
-+++ b/src/crypto/internal/backend/nobackend.go
-@@ -0,0 +1,140 @@
-+// Copyright 2017 The Go Authors. All rights reserved.
-+// Use of this source code is governed by a BSD-style
-+// license that can be found in the LICENSE file.
-+
-+//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl
-+// +build !linux !cgo android cmd_go_bootstrap msan no_openssl
-+
-+package backend
-+
-+import (
-+	"crypto"
-+	"crypto/cipher"
-+	"crypto/internal/boring/sig"
-+	"github.com/golang-fips/openssl-fips/openssl"
-+	"hash"
-+)
-+
-+var enabled = false
-+
-+// Unreachable marks code that should be unreachable
-+// when BoringCrypto is in use. It is a no-op without BoringCrypto.
-+func Unreachable() {
-+	// Code that's unreachable when using BoringCrypto
-+	// is exactly the code we want to detect for reporting
-+	// standard Go crypto.
-+	sig.StandardCrypto()
-+}
-+
-+// UnreachableExceptTests marks code that should be unreachable
-+// when BoringCrypto is in use. It is a no-op without BoringCrypto.
-+func UnreachableExceptTests() {}
-+
-+func ExecutingTest() bool { return false }
-+
-+// This is a noop withotu BoringCrytpo.
-+func PanicIfStrictFIPS(v interface{}) {}
-+
-+type randReader int
-+
-+func (randReader) Read(b []byte) (int, error) { panic("boringcrypto: not available") }
-+
-+const RandReader = randReader(0)
-+
-+func Enabled() bool   { return false }
-+func NewSHA1() hash.Hash   { panic("boringcrypto: not available") }
-+func NewSHA224() hash.Hash { panic("boringcrypto: not available") }
-+func NewSHA256() hash.Hash { panic("boringcrypto: not available") }
-+func NewSHA384() hash.Hash { panic("boringcrypto: not available") }
-+func NewSHA512() hash.Hash { panic("boringcrypto: not available") }
-+func SHA1(_ []byte) [20]byte { panic("boringcrypto: not available") }
-+func SHA224(_ []byte) [28]byte { panic("boringcrypto: not available") }
-+func SHA256(_ []byte) [32]byte { panic("boringcrypto: not available") }
-+func SHA384(_ []byte) [48]byte { panic("boringcrypto: not available") }
-+func SHA512(_ []byte) [64]byte { panic("boringcrypto: not available") }
-+
-+func NewHMAC(h func() hash.Hash, key []byte) hash.Hash { panic("boringcrypto: not available") }
-+
-+func NewAESCipher(key []byte) (cipher.Block, error) { panic("boringcrypto: not available") }
-+
-+type PublicKeyECDSA struct{ _ int }
-+type PrivateKeyECDSA struct{ _ int }
-+
-+func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) {
-+	panic("boringcrypto: not available")
-+}
-+func GenerateKeyECDSA(curve string) (X, Y, D openssl.BigInt, err error) {
-+	panic("boringcrypto: not available")
-+}
-+func NewPrivateKeyECDSA(curve string, X, Y, D openssl.BigInt) (*PrivateKeyECDSA, error) {
-+	panic("boringcrypto: not available")
-+}
-+func NewPublicKeyECDSA(curve string, X, Y openssl.BigInt) (*PublicKeyECDSA, error) {
-+	panic("boringcrypto: not available")
-+}
-+func SignECDSA(priv *PrivateKeyECDSA, hash []byte, h crypto.Hash) (r, s openssl.BigInt, err error) {
-+	panic("boringcrypto: not available")
-+}
-+func SignMarshalECDSA(priv *PrivateKeyECDSA, hash []byte) ([]byte, error) {
-+	panic("boringcrypto: not available")
-+}
-+func VerifyECDSA(pub *PublicKeyECDSA, hash, sig []byte) bool {
-+	panic("boringcrypto: not available")
-+}
-+
-+type PublicKeyECDH struct{ _ int }
-+type PrivateKeyECDH struct{ _ int }
-+
-+func GenerateKeyECDH(curve string) (X, Y, D openssl.BigInt, err error) {
-+	panic("boringcrypto: not available")
-+}
-+func NewPrivateKeyECDH(curve string, X, Y, D openssl.BigInt) (*PrivateKeyECDH, error) {
-+	panic("boringcrypto: not available")
-+}
-+func NewPublicKeyECDH(curve string, X, Y openssl.BigInt) (*PublicKeyECDH, error) {
-+	panic("boringcrypto: not available")
-+}
-+func SharedKeyECDH(priv *PrivateKeyECDH, peerPublicKey []byte) ([]byte, error) {
-+	panic("boringcrypto: not available")
-+}
-+
-+type PublicKeyRSA struct{ _ int }
-+type PrivateKeyRSA struct{ _ int }
-+
-+func DecryptRSAOAEP(h hash.Hash, priv *PrivateKeyRSA, ciphertext, label []byte) ([]byte, error) {
-+	panic("boringcrypto: not available")
-+}
-+func DecryptRSAPKCS1(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) {
-+	panic("boringcrypto: not available")
-+}
-+func DecryptRSANoPadding(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) {
-+	panic("boringcrypto: not available")
-+}
-+func EncryptRSAOAEP(h hash.Hash, pub *PublicKeyRSA, msg, label []byte) ([]byte, error) {
-+	panic("boringcrypto: not available")
-+}
-+func EncryptRSAPKCS1(pub *PublicKeyRSA, msg []byte) ([]byte, error) {
-+	panic("boringcrypto: not available")
-+}
-+func EncryptRSANoPadding(pub *PublicKeyRSA, msg []byte) ([]byte, error) {
-+	panic("boringcrypto: not available")
-+}
-+func GenerateKeyRSA(bits int) (N, E, D, P, Q, Dp, Dq, Qinv openssl.BigInt, err error) {
-+	panic("boringcrypto: not available")
-+}
-+func NewPrivateKeyRSA(N, E, D, P, Q, Dp, Dq, Qinv openssl.BigInt) (*PrivateKeyRSA, error) {
-+	panic("boringcrypto: not available")
-+}
-+func NewPublicKeyRSA(N, E openssl.BigInt) (*PublicKeyRSA, error) { panic("boringcrypto: not available") }
-+func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, msgHashed bool) ([]byte, error) {
-+	panic("boringcrypto: not available")
-+}
-+func SignRSAPSS(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, saltLen int) ([]byte, error) {
-+	panic("boringcrypto: not available")
-+}
-+func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, msgHashed bool) error {
-+	panic("boringcrypto: not available")
-+}
-+func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen int) error {
-+	panic("boringcrypto: not available")
-+}
-diff --git a/src/crypto/internal/backend/openssl.go b/src/crypto/internal/backend/openssl.go
-new file mode 100644
-index 0000000..4c327e0
---- /dev/null
-+++ b/src/crypto/internal/backend/openssl.go
-@@ -0,0 +1,92 @@
-+// Copyright 2017 The Go Authors. All rights reserved.
-+// Use of this source code is governed by a BSD-style
-+// license that can be found in the LICENSE file.
-+
-+//go:build linux && !android && !gocrypt && !cmd_go_bootstrap && !msan && !no_openssl
-+// +build linux,!android,!gocrypt,!cmd_go_bootstrap,!msan,!no_openssl
-+
-+// Package openssl provides access to OpenSSLCrypto implementation functions.
-+// Check the variable Enabled to find out whether OpenSSLCrypto is available.
-+// If OpenSSLCrypto is not available, the functions in this package all panic.
-+package backend
-+
-+import (
-+	"github.com/golang-fips/openssl-fips/openssl"
-+)
-+
-+// Enabled controls whether FIPS crypto is enabled.
-+var Enabled = openssl.Enabled
-+
-+// Unreachable marks code that should be unreachable
-+// when OpenSSLCrypto is in use. It panics only when
-+// the system is in FIPS mode.
-+func Unreachable() {
-+	if Enabled() {
-+		panic("opensslcrypto: invalid code execution")
-+	}
-+}
-+
-+// Provided by runtime.crypto_backend_runtime_arg0 to avoid os import.
-+func runtime_arg0() string
-+
-+func hasSuffix(s, t string) bool {
-+	return len(s) > len(t) && s[len(s)-len(t):] == t
-+}
-+
-+// UnreachableExceptTests marks code that should be unreachable
-+// when OpenSSLCrypto is in use. It panics.
-+func UnreachableExceptTests() {
-+	name := runtime_arg0()
-+	// If OpenSSLCrypto ran on Windows we'd need to allow _test.exe and .test.exe as well.
-+	if Enabled() && !hasSuffix(name, "_test") && !hasSuffix(name, ".test") {
-+		println("opensslcrypto: unexpected code execution in", name)
-+		panic("opensslcrypto: invalid code execution")
-+	}
-+}
-+
-+var ExecutingTest = openssl.ExecutingTest
-+
-+const RandReader = openssl.RandReader
-+
-+var NewGCMTLS = openssl.NewGCMTLS
-+var NewSHA1 = openssl.NewSHA1
-+var NewSHA224 = openssl.NewSHA224
-+var NewSHA256 = openssl.NewSHA256
-+var NewSHA384 = openssl.NewSHA384
-+var NewSHA512 = openssl.NewSHA512
-+
-+var SHA1 = openssl.SHA1
-+var SHA224 = openssl.SHA224
-+var SHA256 = openssl.SHA256
-+var SHA384 = openssl.SHA384
-+var SHA512 = openssl.SHA512
-+
-+var NewHMAC = openssl.NewHMAC
-+
-+var NewAESCipher = openssl.NewAESCipher
-+
-+type PublicKeyECDSA = openssl.PublicKeyECDSA
-+type PrivateKeyECDSA = openssl.PrivateKeyECDSA
-+
-+var GenerateKeyECDSA = openssl.GenerateKeyECDSA
-+var NewPrivateKeyECDSA = openssl.NewPrivateKeyECDSA
-+var NewPublicKeyECDSA = openssl.NewPublicKeyECDSA
-+var SignMarshalECDSA = openssl.SignMarshalECDSA
-+var VerifyECDSA = openssl.VerifyECDSA
-+
-+type PublicKeyRSA = openssl.PublicKeyRSA
-+type PrivateKeyRSA = openssl.PrivateKeyRSA
-+
-+var DecryptRSAOAEP = openssl.DecryptRSAOAEP
-+var DecryptRSAPKCS1 = openssl.DecryptRSAPKCS1
-+var DecryptRSANoPadding = openssl.DecryptRSANoPadding
-+var EncryptRSAOAEP = openssl.EncryptRSAOAEP
-+var EncryptRSAPKCS1 = openssl.EncryptRSAPKCS1
-+var EncryptRSANoPadding = openssl.EncryptRSANoPadding
-+var GenerateKeyRSA = openssl.GenerateKeyRSA
-+var NewPrivateKeyRSA = openssl.NewPrivateKeyRSA
-+var NewPublicKeyRSA = openssl.NewPublicKeyRSA
-+var SignRSAPKCS1v15 = openssl.SignRSAPKCS1v15
-+var SignRSAPSS = openssl.SignRSAPSS
-+var VerifyRSAPKCS1v15 = openssl.VerifyRSAPKCS1v15
-+var VerifyRSAPSS = openssl.VerifyRSAPSS
-diff --git a/src/crypto/tls/boring.go b/src/crypto/tls/boring.go
-index 1827f76..239e6a2 100644
---- a/src/crypto/tls/boring.go
-+++ b/src/crypto/tls/boring.go
-@@ -8,8 +8,15 @@ package tls
- 
- import (
- 	"crypto/internal/boring/fipstls"
-+	boring "crypto/internal/backend"
- )
- 
-+func init() {
-+       if boring.Enabled && !boring.ExecutingTest() {
-+               fipstls.Force()
-+       }
-+}
-+
- // needFIPS returns fipstls.Required(); it avoids a new import in common.go.
- func needFIPS() bool {
- 	return fipstls.Required()
-diff --git a/src/crypto/tls/handshake_client_test.go b/src/crypto/tls/handshake_client_test.go
-index 380de9f..02b4ac8 100644
---- a/src/crypto/tls/handshake_client_test.go
-+++ b/src/crypto/tls/handshake_client_test.go
-@@ -2135,6 +2135,7 @@ func testBuffering(t *testing.T, version uint16) {
- }
- 
- func TestAlertFlushing(t *testing.T) {
-+       t.Skip("unsupported in FIPS mode, different error returned")
- 	c, s := localPipe(t)
- 	done := make(chan bool)
- 
-diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go
-index 141fdb9..71434f2 100644
---- a/src/go/build/deps_test.go
-+++ b/src/go/build/deps_test.go
-@@ -414,19 +414,23 @@ var depsRules = `
- 	< crypto/internal/edwards25519
- 	< crypto/cipher;
- 
--	crypto/cipher,
-+	fmt, crypto/cipher,
- 	crypto/internal/boring/bcache
- 	< crypto/internal/boring
-+	< github.com/golang-fips/openssl-fips/openssl
-+	< crypto/internal/backend
- 	< crypto/boring
- 	< crypto/aes, crypto/des, crypto/hmac, crypto/md5, crypto/rc4,
- 	  crypto/sha1, crypto/sha256, crypto/sha512
- 	< CRYPTO;
- 
--	CGO, fmt, net !< CRYPTO;
-+	CGO, net !< CRYPTO;
- 
- 	# CRYPTO-MATH is core bignum-based crypto - no cgo, net; fmt now ok.
- 	CRYPTO, FMT, math/big, embed
-+	< github.com/golang-fips/openssl-fips/openssl/bbig
- 	< crypto/internal/boring/bbig
-+	< crypto/internal/backend/bbig
- 	< crypto/internal/randutil
- 	< crypto/rand
- 	< crypto/ed25519
-@@ -644,7 +648,7 @@ var buildIgnore = []byte("\n//go:build ignore")
- 
- func findImports(pkg string) ([]string, error) {
- 	vpkg := pkg
--	if strings.HasPrefix(pkg, "golang.org") {
-+	if strings.HasPrefix(pkg, "golang.org") || strings.HasPrefix(pkg, "github.com") {
- 		vpkg = "vendor/" + pkg
- 	}
- 	dir := filepath.Join(Default.GOROOT, "src", vpkg)
-@@ -654,7 +658,7 @@ func findImports(pkg string) ([]string, error) {
- 	}
- 	var imports []string
- 	var haveImport = map[string]bool{}
--	if pkg == "crypto/internal/boring" {
-+	if pkg == "crypto/internal/boring" || pkg == "github.com/golang-fips/openssl-fips/openssl" {
- 		haveImport["C"] = true // kludge: prevent C from appearing in crypto/internal/boring imports
- 	}
- 	fset := token.NewFileSet()
-diff --git a/src/runtime/runtime_boring.go b/src/runtime/runtime_boring.go
-index 5a98b20..dc25cdc 100644
---- a/src/runtime/runtime_boring.go
-+++ b/src/runtime/runtime_boring.go
-@@ -17,3 +17,8 @@ func boring_runtime_arg0() string {
- 
- //go:linkname fipstls_runtime_arg0 crypto/internal/boring/fipstls.runtime_arg0
- func fipstls_runtime_arg0() string { return boring_runtime_arg0() }
-+
-+//go:linkname crypto_backend_runtime_arg0 crypto/internal/backend.runtime_arg0
-+func crypto_backend_runtime_arg0() string {
-+	return boring_runtime_arg0()
-+}
-\ No newline at end of file

SOURCES/cmd-link-use-correct-path-for-dynamic-loader-on-ppc6.patch

@@ -1,53 +0,0 @@
-From 241192ecd31ca03a6f68fa7e55bb9f66040d3a2f Mon Sep 17 00:00:00 2001
-From: Lynn Boger <laboger@linux.vnet.ibm.com>
-Date: Thu, 14 Jul 2022 10:47:28 -0500
-Subject: [PATCH] cmd/link: use correct path for dynamic loader on ppc64le
-
-The setting of the path for the dynamic loader when building for
-linux/ppc64le ELF v2 was incorrectly set to the path for
-PPC64 ELF v1. This has not caused issues in the common cases
-because this string can be set based on the default GO_LDSO setting.
-It does result in an incorrect value when cross compiling binaries
-with -buildmode=pie.
-
-Updates #53813
-
-Change-Id: I84de1c97b42e0434760b76a57c5a05e055fbb730
----
- src/cmd/link/internal/ppc64/obj.go | 13 +++++++------
- 1 file changed, 7 insertions(+), 6 deletions(-)
-
-diff --git a/src/cmd/link/internal/ppc64/obj.go b/src/cmd/link/internal/ppc64/obj.go
-index b6d5ad92af..bca8fa9212 100644
---- a/src/cmd/link/internal/ppc64/obj.go
-+++ b/src/cmd/link/internal/ppc64/obj.go
-@@ -38,9 +38,12 @@ import (
- )
- 
- func Init() (*sys.Arch, ld.Arch) {
--	arch := sys.ArchPPC64
--	if buildcfg.GOARCH == "ppc64le" {
--		arch = sys.ArchPPC64LE
-+	arch := sys.ArchPPC64LE
-+	dynld := "/lib64/ld64.so.2"
-+
-+	if buildcfg.GOARCH == "ppc64" {
-+		arch = sys.ArchPPC64
-+		dynld = "/lib64/ld64.so.1"
- 	}
- 
- 	theArch := ld.Arch{
-@@ -64,9 +67,7 @@ func Init() (*sys.Arch, ld.Arch) {
- 		Machoreloc1:      machoreloc1,
- 		Xcoffreloc1:      xcoffreloc1,
- 
--		// TODO(austin): ABI v1 uses /usr/lib/ld.so.1,
--		Linuxdynld: "/lib64/ld64.so.1",
--
-+		Linuxdynld:     dynld,
- 		Freebsddynld:   "XXX",
- 		Openbsddynld:   "XXX",
- 		Netbsddynld:    "XXX",
--- 
-2.35.3
-

SOURCES/disable_static_tests_part1.patch

@@ -1,5 +1,5 @@
 diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go
-index 1d75287..2b99ea2 100644
+index 5f258a2..5dbbc42 100644
 --- a/src/crypto/internal/backend/nobackend.go
 +++ b/src/crypto/internal/backend/nobackend.go
 @@ -2,8 +2,8 @@
@@ -13,21 +13,6 @@ index 1d75287..2b99ea2 100644
  
  package backend
  
-diff --git a/src/crypto/internal/backend/openssl.go b/src/crypto/internal/backend/openssl.go
-index 4c327e0..6786c1f 100644
---- a/src/crypto/internal/backend/openssl.go
-+++ b/src/crypto/internal/backend/openssl.go
-@@ -2,8 +2,8 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
- 
--//go:build linux && !android && !gocrypt && !cmd_go_bootstrap && !msan && !no_openssl
--// +build linux,!android,!gocrypt,!cmd_go_bootstrap,!msan,!no_openssl
-+//go:build linux && !android && !gocrypt && !cmd_go_bootstrap && !msan && !no_openssl && !static
-+// +build linux,!android,!gocrypt,!cmd_go_bootstrap,!msan,!no_openssl,!static
- 
- // Package openssl provides access to OpenSSLCrypto implementation functions.
- // Check the variable Enabled to find out whether OpenSSLCrypto is available.
 diff --git a/src/crypto/internal/boring/goboringcrypto.h b/src/crypto/internal/boring/goboringcrypto.h
 index d6d99b1..f2fe332 100644
 --- a/src/crypto/internal/boring/goboringcrypto.h
@@ -82,7 +67,7 @@ index 0b61e79..94d0c98 100644
  package openssl
  
 diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
-index eb63507..a3aeed1 100644
+index afec529..d822152 100644
 --- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
 +++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
 @@ -2,8 +2,8 @@

SOURCES/disable_static_tests_part2.patch

@@ -1,36 +1,13 @@
 diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go
-index da5b179..6a772df 100644
+index 36a20e8b2a..8c2dd1b44b 100644
 --- a/src/cmd/dist/test.go
 +++ b/src/cmd/dist/test.go
-@@ -1247,18 +1247,20 @@ func (t *tester) cgoTest(dt *distTest) error {
- 				fmt.Println("No support for static linking found (lacks libc.a?), skip cgo static linking test.")
+@@ -1125,7 +1125,7 @@ func (t *tester) registerCgoTests(heading string) {
  			} else {
- 				if goos != "android" {
--					t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, ".")
-+					t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, "-tags=no_openssl")
- 				}
- 				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), ".")
- 				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external`, ".")
- 				if goos != "android" {
--					t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, ".")
-+					t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, "-tags=no_openssl")
-+					/*
- 					t.addCmd(dt, "misc/cgo/test", t.goTest(), "-tags=static", "-ldflags", `-linkmode=external -extldflags "-static -pthread"`, ".")
- 					// -static in CGO_LDFLAGS triggers a different code path
- 					// than -static in -extldflags, so test both.
- 					// See issue #16651.
- 					cmd := t.addCmd(dt, "misc/cgo/test", t.goTest(), "-tags=static", ".")
- 					setEnv(cmd, "CGO_LDFLAGS", "-static -pthread")
-+					*/
- 				}
- 			}
- 
-@@ -1268,7 +1270,7 @@ func (t *tester) cgoTest(dt *distTest) error {
- 					t.addCmd(dt, "misc/cgo/test", t.goTest(), "-buildmode=pie", "-ldflags=-linkmode=internal", "-tags=internal,internal_pie", ".")
- 				}
- 				t.addCmd(dt, "misc/cgo/testtls", t.goTest(), "-buildmode=pie", ".")
--				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie", ".")
-+				t.addCmd(dt, "misc/cgo/nocgo", t.goTest(), "-buildmode=pie", "-tags=no_openssl")
+ 				panic("unknown linkmode with static build: " + linkmode)
  			}
+-			gt.tags = append(gt.tags, "static")
++			gt.tags = append(gt.tags, "static", "no_openssl")
  		}
- 	}
+ 		gt.ldflags = strings.Join(ldflags, " ")
+ 

SOURCES/fix-memleak-setupRSA.patch

@@ -0,0 +1,172 @@
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go
+index 56adf47bf6..9537870e3c 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go
+@@ -22,22 +22,10 @@ var (
+ type PublicKeyECDH struct {
+ 	_pkey *C.GO_EVP_PKEY
+ 	bytes []byte
+-
+-	// priv is only set when PublicKeyECDH is derived from a private key,
+-	// in which case priv's finalizer is responsible for freeing _pkey.
+-	// This ensures priv is not finalized while the public key is alive,
+-	// which could cause use-after-free and double-free behavior.
+-	//
+-	// We could avoid this altogether by using EVP_PKEY_up_ref
+-	// when instantiating a derived public key, unfortunately
+-	// it is not available on OpenSSL 1.0.2.
+-	priv *PrivateKeyECDH
+ }
+ 
+ func (k *PublicKeyECDH) finalize() {
+-	if k.priv == nil {
+-		C._goboringcrypto_EVP_PKEY_free(k._pkey)
+-	}
++	C._goboringcrypto_EVP_PKEY_free(k._pkey)
+ }
+ 
+ type PrivateKeyECDH struct {
+@@ -58,7 +46,7 @@ func NewPublicKeyECDH(curve string, bytes []byte) (*PublicKeyECDH, error) {
+ 	if err != nil {
+ 		return nil, err
+ 	}
+-	k := &PublicKeyECDH{pkey, append([]byte(nil), bytes...), nil}
++	k := &PublicKeyECDH{pkey, append([]byte(nil), bytes...)}
+ 	runtime.SetFinalizer(k, (*PublicKeyECDH).finalize)
+ 	return k, nil
+ }
+@@ -87,14 +75,22 @@ func (k *PrivateKeyECDH) PublicKey() (*PublicKeyECDH, error) {
+ 	var bytes []byte
+ 	var cbytes *C.uchar
+ 
+-	n := C._goboringcrypto_EVP_PKEY_get1_encoded_ecdh_public_key(k._pkey, &cbytes)
++	pkey := C._goboringcrypto_EVP_PKEY_ref(k._pkey)
++	if pkey == nil {
++		return nil, NewOpenSSLError("EVP_PKEY_ref")
++	}
++	defer func() {
++		C._goboringcrypto_EVP_PKEY_free(pkey)
++	}()
++	n := C._goboringcrypto_EVP_PKEY_get1_encoded_ecdh_public_key(pkey, &cbytes)
+ 	if n == 0 {
+ 		return nil, NewOpenSSLError("EVP_PKEY_get1_encoded_ecdh_public_key")
+ 	}
+ 	bytes = C.GoBytes(unsafe.Pointer(cbytes), C.int(n))
+ 	C.free(unsafe.Pointer(cbytes))
+ 
+-	pub := &PublicKeyECDH{k._pkey, bytes, k}
++	pub := &PublicKeyECDH{pkey, bytes}
++	pkey = nil
+ 	runtime.SetFinalizer(pub, (*PublicKeyECDH).finalize)
+ 	return pub, nil
+ }
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
+index a900b3f9e7..03367d5520 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
+@@ -827,6 +827,9 @@ DEFINEFUNC(GO_EVP_PKEY *, EVP_PKEY_new, (void), ())
+ DEFINEFUNC(void, EVP_PKEY_free, (GO_EVP_PKEY * arg0), (arg0))
+ DEFINEFUNC(int, EVP_PKEY_set1_RSA, (GO_EVP_PKEY * arg0, GO_RSA *arg1), (arg0, arg1))
+ DEFINEFUNC(int, EVP_PKEY_set1_EC_KEY, (GO_EVP_PKEY * arg0, GO_EC_KEY *arg1), (arg0, arg1))
++DEFINEFUNC(const GO_EC_KEY *, EVP_PKEY_get0_EC_KEY, (const GO_EVP_PKEY *pkey), (pkey))
++GO_EVP_PKEY *_goboringcrypto_EVP_PKEY_ref(GO_EVP_PKEY *pkey);
++
+ DEFINEFUNC(int, EVP_PKEY_verify,
+ 	(EVP_PKEY_CTX *ctx, const unsigned char *sig, unsigned int siglen, const unsigned char *tbs, size_t tbslen),
+ 	(ctx, sig, siglen, tbs, tbslen))
+@@ -1083,15 +1086,6 @@ enum {
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ DEFINEFUNC(int, EVP_PKEY_set1_encoded_public_key, (GO_EVP_PKEY *pkey, const unsigned char *pub, size_t publen), (pkey, pub, publen))
+ DEFINEFUNC(size_t, EVP_PKEY_get1_encoded_public_key, (GO_EVP_PKEY *pkey, unsigned char **ppub), (pkey, ppub))
+-
+-DEFINEFUNC(const GO_EC_KEY *, EVP_PKEY_get0_EC_KEY, (const GO_EVP_PKEY *pkey), (pkey))
+-#else
+-DEFINEFUNCINTERNAL(void *, EVP_PKEY_get0, (const GO_EVP_PKEY *pkey), (pkey))
+-static const GO_EC_KEY *
+-_goboringcrypto_EVP_PKEY_get0_EC_KEY(const GO_EVP_PKEY *pkey)
+-{
+-  return _goboringcrypto_internal_EVP_PKEY_get0(pkey);
+-}
+ #endif
+ 
+ GO_EVP_PKEY *_goboringcrypto_EVP_PKEY_new_for_ecdh(int nid, const uint8_t *bytes, size_t len, int is_private);
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
+index 24a9615108..c6b23a984b 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
+@@ -5,6 +5,7 @@
+ // +build !msan
+ 
+ #include "goopenssl.h"
++#include <assert.h>
+ 
+ int _goboringcrypto_EVP_sign(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *msg,
+                              size_t msgLen, uint8_t *sig, size_t *slen,
+@@ -138,3 +139,52 @@ err:
+ 
+   return ret;
+ }
++
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++DEFINEFUNCINTERNAL(int, EVP_PKEY_up_ref, (GO_EVP_PKEY *pkey), (pkey))
++
++GO_EVP_PKEY *
++_goboringcrypto_EVP_PKEY_ref(GO_EVP_PKEY *pkey)
++{
++  if (_goboringcrypto_internal_EVP_PKEY_up_ref(pkey) != 1)
++    return NULL;
++
++  return pkey;
++}
++
++#else
++GO_EVP_PKEY *
++_goboringcrypto_EVP_PKEY_ref(GO_EVP_PKEY *pkey)
++{
++  GO_EVP_PKEY *result = NULL;
++
++  if (pkey->type != EVP_PKEY_EC && pkey->type != EVP_PKEY_RSA)
++    return NULL;
++
++  result = _goboringcrypto_EVP_PKEY_new();
++  if (!result)
++    goto err;
++
++  switch (pkey->type) {
++  case EVP_PKEY_EC:
++    if (_goboringcrypto_EVP_PKEY_set1_EC_KEY(result, _goboringcrypto_EVP_PKEY_get0_EC_KEY()) != 1)
++      goto err;
++    break;
++
++  case EVP_PKEY_RSA:
++    if (_goboringcrypto_EVP_PKEY_set1_RSA_KEY(result, _goboringcrypto_EVP_PKEY_get0_RSA_KEY()) != 1)
++      goto err;
++
++    break;
++
++  default:
++    assert(0);
++  }
++
++  return result;
++
++err:
++  _goboringcrypto_EVP_PKEY_free(result);
++  return NULL;
++}
++#endif
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
+index 75ba7a8a59..1e016676a0 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
+@@ -116,7 +116,9 @@ func (k *PrivateKeyRSA) withKey(f func(*C.GO_RSA) C.int) C.int {
+ 
+ func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
+ 	padding C.int, h hash.Hash, label []byte, saltLen int, ch crypto.Hash,
+-	init func(*C.GO_EVP_PKEY_CTX) C.int) (pkey *C.GO_EVP_PKEY, ctx *C.GO_EVP_PKEY_CTX, err error) {
++	init func(*C.GO_EVP_PKEY_CTX) C.int) (_ *C.GO_EVP_PKEY,_  *C.GO_EVP_PKEY_CTX, err error) {
++	var pkey *C.GO_EVP_PKEY
++	var ctx *C.GO_EVP_PKEY_CTX
+ 	defer func() {
+ 		if err != nil {
+ 			if pkey != nil {

SOURCES/modify_go.env.patch

@@ -0,0 +1,22 @@
+From eab9004c072200e58df83ab94678bda1faa7b229 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alejandro=20S=C3=A1ez?= <asm@redhat.com>
+Date: Fri, 9 Feb 2024 20:06:16 +0100
+Subject: [PATCH] Set GOTOOLCHAIN to local
+
+---
+ go.env | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/go.env b/go.env
+index 6ff2b921d4..e87f6e7b6d 100644
+--- a/go.env
++++ b/go.env
+@@ -9,4 +9,4 @@ GOSUMDB=sum.golang.org
+ 
+ # Automatically download newer toolchains as directed by go.mod files.
+ # See https://go.dev/doc/toolchain for details.
+-GOTOOLCHAIN=auto
++GOTOOLCHAIN=local
+-- 
+2.43.0
+

SOURCES/openssl_cgo_build_tag.patch

@@ -1,15 +0,0 @@
-diff --git a/src/crypto/internal/backend/openssl.go b/src/crypto/internal/backend/openssl.go
-index 6786c1f..5a330cf 100644
---- a/src/crypto/internal/backend/openssl.go
-+++ b/src/crypto/internal/backend/openssl.go
-@@ -2,8 +2,8 @@
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
- 
--//go:build linux && !android && !gocrypt && !cmd_go_bootstrap && !msan && !no_openssl && !static
--// +build linux,!android,!gocrypt,!cmd_go_bootstrap,!msan,!no_openssl,!static
-+//go:build linux && cgo && !android && !gocrypt && !cmd_go_bootstrap && !msan && !no_openssl && !static
-+// +build linux,cgo,!android,!gocrypt,!cmd_go_bootstrap,!msan,!no_openssl,!static
- 
- // Package openssl provides access to OpenSSLCrypto implementation functions.
- // Check the variable Enabled to find out whether OpenSSLCrypto is available.

SOURCES/skip-test-overlong-message.patch

@@ -0,0 +1,15 @@
+diff --git a/src/crypto/rsa/pkcs1v15_test.go b/src/crypto/rsa/pkcs1v15_test.go
+index 0853178e3a..16eb37734b 100644
+--- a/src/crypto/rsa/pkcs1v15_test.go
++++ b/src/crypto/rsa/pkcs1v15_test.go
+@@ -247,6 +247,10 @@ func TestVerifyPKCS1v15(t *testing.T) {
+ }
+ 
+ func TestOverlongMessagePKCS1v15(t *testing.T) {
++	// OpenSSL now returns a random string instead of an error
++	if boring.Enabled() {
++		t.Skip("Not relevant in boring mode")
++	}
+ 	ciphertext := decodeBase64("fjOVdirUzFoLlukv80dBllMLjXythIf22feqPrNo0YoIjzyzyoMFiLjAc/Y4krkeZ11XFThIrEvw\nkRiZcCq5ng==")
+ 	_, err := DecryptPKCS1v15(nil, rsaPrivateKey, ciphertext)
+ 	if err == nil {

SPECS/golang.spec

@@ -56,7 +56,7 @@
 %endif
 
 # Controls what ever we fail on failed tests
-%ifarch x86_64 %{arm} aarch64 ppc64le
+%ifarch x86_64 %{arm} ppc64le s390x
 %global fail_on_tests 1
 %else
 %global fail_on_tests 0
@@ -69,12 +69,8 @@
 %global shared 0
 %endif
 
-# Pre build std lib with -race enabled
-%ifarch x86_64
-%global race 1
-%else
+# Disabled due to 1.20 new cache usage, see 1.20 upstream release notes
 %global race 0
-%endif
 
 %ifarch x86_64
 %global gohostarch  amd64
@@ -95,20 +91,28 @@
 %global gohostarch  s390x
 %endif
 
-%global go_api 1.19
-%global version 1.19.1
+%global go_api 1.21
+%global version 1.21.9
 %global pkg_release 1
 
 Name:           golang
 Version:        %{version}
-Release:        2%{?dist}
+Release:        1%{?dist}
+
 Summary:        The Go Programming Language
 # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
 License:        BSD and Public Domain
 URL:            http://golang.org/
 Source0:        https://github.com/golang/go/archive/refs/tags/go%{version}.tar.gz
+# Go's FIPS mode bindings are now provided as a standalone
+# module instead of in tree.  This makes it easier to see
+# the actual changes vs upstream Go.  The module source is
+# located at https://github.com/golang-fips/openssl-fips,
+# And pre-genetated patches to set up the module for a given
+# Go release are located at https://github.com/golang-fips/go.
+Source1:       https://github.com/golang-fips/go/archive/refs/tags/go%{version}-%{pkg_release}-openssl-fips.tar.gz
 # make possible to override default traceback level at build time by setting build tag rpm_crashtraceback
-Source1:        fedora.go
+Source2:        fedora.go
 
 # The compiler is written in Go. Needs go(1.4+) compiler for build.
 # Actual Go based bootstrap compiler provided by above source.
@@ -133,19 +137,16 @@ Requires:       %{name}-src = %{version}-%{release}
 Requires:       openssl-devel
 Requires:       diffutils
 
-
 # Proposed patch by jcajka https://golang.org/cl/86541
 Patch221:       fix_TestScript_list_std.patch
+Patch229:       fix-memleak-setupRSA.patch
 
 Patch1939923:   skip_test_rhbz1939923.patch
 
-Patch0:		000-initial-setup.patch
-Patch1:		001-initial-openssl-for-fips.patch
-Patch2: 	disable_static_tests_part1.patch
-Patch3: 	disable_static_tests_part2.patch
-Patch4:		openssl_cgo_build_tag.patch
-
-Patch227: cmd-link-use-correct-path-for-dynamic-loader-on-ppc6.patch
+Patch2:		disable_static_tests_part1.patch
+Patch3:		disable_static_tests_part2.patch
+Patch4:		skip-test-overlong-message.patch
+Patch5:		modify_go.env.patch
 
 # Having documentation separate was broken
 Obsoletes:      %{name}-docs < 1.1-4
@@ -153,6 +154,9 @@ Obsoletes:      %{name}-docs < 1.1-4
 # RPM can't handle symlink -> dir with subpackages, so merge back
 Obsoletes:      %{name}-data < 1.1.1-4
 
+# We don't build golang-race anymore, rhbz#2230599
+Obsoletes:      golang-race < 1.20.0
+
 # These are the only RHEL/Fedora architectures that we compile this package for
 ExclusiveArch:  %{golang_arches}
 
@@ -234,20 +238,26 @@ Requires:       %{name} = %{version}-%{release}
 %endif
 
 %prep
-%setup -q -n go-go1.19.1
+%setup -q -n go-go%{version}
 
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
+pushd ..
+tar -xf %{SOURCE1}
+popd
+patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/000-initial-setup.patch
+patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/001-initial-openssl-for-fips.patch
+patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/002-strict-fips-runtime-detection.patch
 
-%patch221 -p1
+# Configure crypto tests
+pushd ../go-go%{version}-%{pkg_release}-openssl-fips
+ln -s ../go-go%{version} go
+./scripts/configure-crypto-tests.sh
+popd
 
-%patch1939923 -p1
-%patch227 -p1
+%autopatch -p1
 
-cp %{SOURCE1} ./src/runtime/
+sed -i '1s/$/ (%{?rhel:Red Hat} %{version}-%{release})/' VERSION
+
+cp %{SOURCE2} ./src/runtime/
 
 %build
 set -xe
@@ -316,7 +326,7 @@ rm -rf pkg/bootstrap/bin
 
 # install everything into libdir (until symlink problems are fixed)
 # https://code.google.com/p/go/issues/detail?id=5830
-cp -apv api bin doc lib pkg src misc test VERSION \
+cp -apv api bin doc lib pkg src misc test go.env VERSION \
    $RPM_BUILD_ROOT%{goroot}
 
 # bz1099206
@@ -329,12 +339,11 @@ cwd=$(pwd)
 src_list=$cwd/go-src.list
 pkg_list=$cwd/go-pkg.list
 shared_list=$cwd/go-shared.list
-race_list=$cwd/go-race.list
 misc_list=$cwd/go-misc.list
 docs_list=$cwd/go-docs.list
 tests_list=$cwd/go-tests.list
-rm -f $src_list $pkg_list $docs_list $misc_list $tests_list $shared_list $race_list
-touch $src_list $pkg_list $docs_list $misc_list $tests_list $shared_list $race_list
+rm -f $src_list $pkg_list $docs_list $misc_list $tests_list $shared_list
+touch $src_list $pkg_list $docs_list $misc_list $tests_list $shared_list
 pushd $RPM_BUILD_ROOT%{goroot}
     find src/ -type d -a \( ! -name testdata -a ! -ipath '*/testdata/*' \) -printf '%%%dir %{goroot}/%p\n' >> $src_list
     find src/ ! -type d -a \( ! -ipath '*/testdata/*' -a ! -name '*_test*.go' \) -printf '%{goroot}/%p\n' >> $src_list
@@ -365,13 +374,6 @@ pushd $RPM_BUILD_ROOT%{goroot}
     find pkg/*_dynlink/ ! -type d -printf '%{goroot}/%p\n' >> $shared_list
 %endif
 
-%if %{race}
-
-    find pkg/*_race/ -type d -printf '%%%dir %{goroot}/%p\n' >> $race_list
-    find pkg/*_race/ ! -type d -printf '%{goroot}/%p\n' >> $race_list
-
-%endif
-
     find test/ -type d -printf '%%%dir %{goroot}/%p\n' >> $tests_list
     find test/ ! -type d -printf '%{goroot}/%p\n' >> $tests_list
     find src/ -type d -a \( -name testdata -o -ipath '*/testdata/*' \) -printf '%%%dir %{goroot}/%p\n' >> $tests_list
@@ -509,16 +511,95 @@ cd ..
 %files -f go-pkg.list bin
 %{_bindir}/go
 %{_bindir}/gofmt
+%{goroot}/go.env
 
 %if %{shared}
 %files -f go-shared.list shared
 %endif
 
-%if %{race}
-%files -f go-race.list race
-%endif
-
 %changelog
+* Fri Apr 12 2024 David Benoit <dbenoit@redhat.com> - 1.21.9-1
+- Fix CVE-2023-45288
+- Resolves: RHEL-31915
+
+* Mon Apr 1 2024 Archana Ravindar <aravinda@redhat.com> - 1.21.7-2
+- Fix CVE-2024-1394
+- Resolves RHEL-24300
+
+* Tue Feb 13 2024 Alejandro Sáez <asm@redhat.com> - 1.21.7-1
+- Rebase to Go 1.21.7
+- Add release information
+- Set GOTOOLCHAIN to local
+- Skip TestOverlongMessagePKCS1v15
+- Resolves: RHEL-24082
+- Resolves: RHEL-18363
+- Resolves: RHEL-18382
+
+* Wed Nov 08 2023 David Benoit <dbenoit@redhat.com> - 1.21.3-4
+- Do not remove GOPROXY/GOSUMDB
+- Related: RHEL-12620
+
+* Thu Nov 02 2023 David Benoit <dbenoit@redhat.com> - 1.21.3-3
+- Fix go.env in Go 1.21
+- Related: RHEL-12620
+
+* Tue Oct 31 2023 Archana Ravindar <aravinda@redhat.com> - 1.21.3-2
+- Rebase disable_static_tests_part2.patch to Go 1.21.3
+- Add missing strict fips runtime detection patch
+- Temporarily disable FIPS tests on aarch64 due to builder kernel bugs
+- Remove fix-memory-leak patch as it is fixed upstream
+- Resolves: RHEL-12620
+
+* Fri Oct 20 2023 Archana Ravindar <aravinda@redhat.com> - 1.21.3-1
+- Rebase Go to 1.21.3
+- Resolves: RHEL-12620
+
+* Mon Aug 14 2023 Alejandro Sáez <asm@redhat.com> - 1.20.6-2
+- Retire golang-race package
+- Resolves: rhbz#2230599
+
+* Tue Jul 25 2023 Alejandro Sáez <asm@redhat.com> - 1.20.6-1
+- Rebase to Go 1.20.6
+- Resolves: rhbz#2217596
+
+* Mon May 29 2023 Alejandro Sáez <asm@redhat.com> - 1.20.4-1
+- Rebase to Go 1.20.4
+- Resolves: rhbz#2204474
+
+* Tue Apr 11 2023 David Benoit <dbenoit@redhat.com> - 1.20.3-1
+- Rebase to Go 1.20.3
+- Remove race archives
+- Update static tests patches
+- Resolves: rhbz#2185260
+
+* Tue Jan 3 2023 David Benoit <dbenoit@redhat.com> - 1.19.4-2
+- Fix memory leaks in EVP_{sign,verify}_raw
+- Resolves: rhbz#2132767
+
+* Wed Dec 21 2022 David Benoit <dbenoit@redhat.com> - 1.19.4-1
+- Rebase to Go 1.19.4
+- Fix ppc64le linker issue
+- Remove defunct patches
+- Remove downstream generated FIPS mode patches
+- Add golang-fips/go as the source for FIPS mode patches
+- Resolves: rhbz#2144542
+
+* Mon Oct 17 2022 David Benoit <dbenoit@redhat.com> - 1.19.2-4
+- Enable big endian support in FIPS mode
+- Resolves: rhbz#1969844
+
+* Mon Oct 17 2022 David Benoit <dbenoit@redhat.com> - 1.19.2-3
+- Restore old HashSign/HashVerify API
+- Resolves: rhbz#2132730
+
+* Mon Oct 17 2022 David Benoit <dbenoit@redhat.com> - 1.19.2-2
+- Add support for 4096 bit keys in x509
+- Resolves: rhbz#2132694
+
+* Thu Oct 13 2022 David Benoit <dbenoit@redhat.com> - 1.19.2-1
+- Rebase to Go 1.19.2
+- Resolves: rhbz#2132730
+
 * Wed Sep 14 2022 David Benoit <dbenoit@redhat.com> - 1.19.1-2
 - Rebase to Go 1.19.1
 - Resolves: rhbz#2131026