.gitignore

@@ -1 +1,2 @@
-SOURCES/go1.18.9-1-openssl-fips.tar.gz
+SOURCES/go1.21.9-1-openssl-fips.tar.gz
+SOURCES/go1.21.9.tar.gz

.golang.metadata

@@ -1 +1,2 @@
-ed6295dd73f7b822cd89f4527797ce87271bc672 SOURCES/go1.18.9-1-openssl-fips.tar.gz
+1162b641e8b23110eaab7496003585ea6c786158 SOURCES/go1.21.9-1-openssl-fips.tar.gz
+54c038c82c82ebe2ad4ee2d0a3d7c4d39809f59a SOURCES/go1.21.9.tar.gz

SOURCES/disable_static_tests_part1.patch

@@ -0,0 +1,288 @@
+diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go
+index 5f258a2..5dbbc42 100644
+--- a/src/crypto/internal/backend/nobackend.go
++++ b/src/crypto/internal/backend/nobackend.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl
+-// +build !linux !cgo android cmd_go_bootstrap msan no_openssl
++//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl || static
++// +build !linux !cgo android cmd_go_bootstrap msan no_openssl static
+ 
+ package backend
+ 
+diff --git a/src/crypto/internal/boring/goboringcrypto.h b/src/crypto/internal/boring/goboringcrypto.h
+index d6d99b1..f2fe332 100644
+--- a/src/crypto/internal/boring/goboringcrypto.h
++++ b/src/crypto/internal/boring/goboringcrypto.h
+@@ -1,4 +1,5 @@
+ // Copyright 2017 The Go Authors. All rights reserved.
++// +build !static
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+diff --git a/src/crypto/internal/boring/syso/syso.go b/src/crypto/internal/boring/syso/syso.go
+index b338754..db5ea1e 100644
+--- a/src/crypto/internal/boring/syso/syso.go
++++ b/src/crypto/internal/boring/syso/syso.go
+@@ -2,7 +2,7 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build boringcrypto
++//go:build boringcrypto && !static
+ 
+ // This package only exists with GOEXPERIMENT=boringcrypto.
+ // It provides the actual syso file.
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/aes.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/aes.go
+index 079fc3c..e826d0b 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/aes.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/aes.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package openssl
+ 
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go
+index 0b61e79..94d0c98 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package openssl
+ 
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
+index afec529..d822152 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdsa.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package openssl
+ 
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
+index 6d6a562..17cc314 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
+@@ -1,4 +1,5 @@
+ // Copyright 2017 The Go Authors. All rights reserved.
++// +build !static
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ // +build linux
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/hkdf.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/hkdf.go
+index ae40b93..17bc075 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/hkdf.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/hkdf.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package openssl
+ 
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/hmac.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/hmac.go
+index 6f00177..f466b18 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/hmac.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/hmac.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package openssl
+ 
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/notboring.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/notboring.go
+index 7c0b5d6..262af07 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/notboring.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/notboring.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl
+-// +build !linux !cgo android cmd_go_bootstrap msan no_openssl
++//go:build !linux || !cgo || android || cmd_go_bootstrap || msan || no_openssl || static
++// +build !linux !cgo android cmd_go_bootstrap msan no_openssl static
+ 
+ package openssl
+ 
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go
+index d49194d..ff15054 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package openssl
+ 
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c
+index 2349db1..57fbb04 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_ecdsa_signature.c
+@@ -1,4 +1,5 @@
+ // +build linux
++// +build !static
+ // +build !android
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
+index 4379019..5034c46 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
+@@ -1,4 +1,5 @@
+ // +build linux
++// +build !static
+ // +build !android
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_lock_setup.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_lock_setup.c
+index 49d40a7..3b3dbf8 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_lock_setup.c
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_lock_setup.c
+@@ -1,4 +1,5 @@
+ // +build linux
++// +build !static
+ // +build !android
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_aead_gcm.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_aead_gcm.c
+index 7eb645e..1c3225a 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_aead_gcm.c
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_aead_gcm.c
+@@ -1,4 +1,5 @@
+ // This file contains a port of the BoringSSL AEAD interface.
++// +build !static
+ // +build linux
+ // +build !android
+ // +build !no_openssl
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_ctr128.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_ctr128.c
+index df4ebe3..876393b 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_ctr128.c
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_ctr128.c
+@@ -1,4 +1,5 @@
+ // +build linux
++// +build !static
+ // +build !android
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_evp_md5_sha1.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_evp_md5_sha1.c
+index 2eedd5b..04510d3 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_evp_md5_sha1.c
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_evp_md5_sha1.c
+@@ -1,4 +1,5 @@
+ // This file contains a backport of the EVP_md5_sha1 method.
++// +build !static
+ // +build linux
+ // +build !android
+ // +build !no_openssl
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_hmac.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_hmac.c
+index 362d9e5..bebafef 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_hmac.c
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_hmac.c
+@@ -1,4 +1,5 @@
+ // This file contains HMAC portability wrappers.
++// +build !static
+ // +build linux
+ // +build !android
+ // +build !no_openssl
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c
+index 2824147..8bc1d85 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_port_rsa.c
+@@ -1,4 +1,5 @@
+ // This file contains RSA portability wrappers.
++// +build !static
+ // +build linux
+ // +build !android
+ // +build !no_openssl
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_stub_rand.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_stub_rand.c
+index 22bd865..b7aa26b 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_stub_rand.c
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_stub_rand.c
+@@ -1,4 +1,5 @@
+ // +build linux
++// +build !static
+ // +build !android
+ // +build !no_openssl
+ // +build !cmd_go_bootstrap
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rand.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rand.go
+index b3668b8..dcdae70 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rand.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rand.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package openssl
+ 
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
+index 915c840..8623d9d 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package openssl
+ 
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/sha.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/sha.go
+index 0b55ced..57309c0 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/sha.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/sha.go
+@@ -2,8 +2,8 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+ 
+-//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl
+-// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl
++//go:build linux && !android && !cmd_go_bootstrap && !msan && !no_openssl && !static
++// +build linux,!android,!cmd_go_bootstrap,!msan,!no_openssl,!static
+ 
+ package openssl
+ 

SOURCES/disable_static_tests_part2.patch

@@ -0,0 +1,13 @@
+diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go
+index 36a20e8b2a..8c2dd1b44b 100644
+--- a/src/cmd/dist/test.go
++++ b/src/cmd/dist/test.go
+@@ -1125,7 +1125,7 @@ func (t *tester) registerCgoTests(heading string) {
+ 			} else {
+ 				panic("unknown linkmode with static build: " + linkmode)
+ 			}
+-			gt.tags = append(gt.tags, "static")
++			gt.tags = append(gt.tags, "static", "no_openssl")
+ 		}
+ 		gt.ldflags = strings.Join(ldflags, " ")
+ 

SOURCES/enable-big-endian-fips.patch

@@ -1,363 +0,0 @@
-diff --git a/src/crypto/internal/boring/goopenssl.h b/src/crypto/internal/boring/goopenssl.h
-index 4820385f67..2415702b28 100644
---- a/src/crypto/internal/boring/goopenssl.h
-+++ b/src/crypto/internal/boring/goopenssl.h
-@@ -76,7 +76,7 @@ _goboringcrypto_DLOPEN_OPENSSL(void)
- #include <openssl/opensslv.h>
- #include <openssl/ssl.h>
- 
--DEFINEFUNCINTERNAL(int, OPENSSL_init, (void), ())
-+DEFINEFUNCINTERNAL(void, OPENSSL_init, (void), ())
- 
- static unsigned long _goboringcrypto_internal_OPENSSL_VERSION_NUMBER(void) {
- 	return OPENSSL_VERSION_NUMBER;
-@@ -97,35 +97,32 @@ DEFINEFUNCINTERNAL(void, ERR_error_string_n, (unsigned long e, unsigned char *bu
- 
- #include <openssl/crypto.h>
- 
--DEFINEFUNCINTERNAL(int, CRYPTO_num_locks, (void), ())
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+DEFINEFUNC(int, CRYPTO_num_locks, (void), ())
-+#else
- static inline int
- _goboringcrypto_CRYPTO_num_locks(void) {
-+	return CRYPTO_num_locks(); /* defined as macro */
-+}
-+#endif
- #if OPENSSL_VERSION_NUMBER < 0x10100000L
--	return _goboringcrypto_internal_CRYPTO_num_locks();
-+DEFINEFUNC(void, CRYPTO_set_id_callback, (unsigned long (*id_function)(void)), (id_function))
- #else
--	return CRYPTO_num_locks();
--#endif
--}
--DEFINEFUNCINTERNAL(void, CRYPTO_set_id_callback, (unsigned long (*id_function)(void)), (id_function))
- static inline void
- _goboringcrypto_CRYPTO_set_id_callback(unsigned long (*id_function)(void)) {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
--	_goboringcrypto_internal_CRYPTO_set_id_callback(id_function);
--#else
--	CRYPTO_set_id_callback(id_function);
--#endif
-+	CRYPTO_set_id_callback(id_function); /* defined as macro */
- }
--DEFINEFUNCINTERNAL(void, CRYPTO_set_locking_callback,
-+#endif
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+DEFINEFUNC(void, CRYPTO_set_locking_callback,
- 	(void (*locking_function)(int mode, int n, const char *file, int line)), 
- 	(locking_function))
-+#else
- static inline void
- _goboringcrypto_CRYPTO_set_locking_callback(void (*locking_function)(int mode, int n, const char *file, int line)) {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
--	_goboringcrypto_internal_CRYPTO_set_locking_callback(locking_function);
--#else
--	CRYPTO_set_locking_callback(locking_function);
--#endif
-+	CRYPTO_set_locking_callback(locking_function); /* defined as macro */
- }
-+#endif
- 
- int _goboringcrypto_OPENSSL_thread_setup(void);
- 
-@@ -206,10 +203,16 @@ DEFINEFUNC(const GO_EVP_MD *, EVP_sha384, (void), ())
- DEFINEFUNC(const GO_EVP_MD *, EVP_sha512, (void), ())
- #if OPENSSL_VERSION_NUMBER < 0x30000000L
- DEFINEFUNCINTERNAL(int, EVP_MD_type, (const GO_EVP_MD *arg0), (arg0))
-+DEFINEFUNCINTERNAL(size_t, EVP_MD_size, (const GO_EVP_MD *arg0), (arg0))
-+static inline int
-+_goboringcrypto_EVP_MD_get_size(const GO_EVP_MD *arg0)
-+{
-+	return _goboringcrypto_internal_EVP_MD_size(arg0);
-+}
- #else
- DEFINEFUNCINTERNAL(int, EVP_MD_get_type, (const GO_EVP_MD *arg0), (arg0))
-+DEFINEFUNC(int, EVP_MD_get_size, (const GO_EVP_MD *arg0), (arg0))
- #endif
--DEFINEFUNCINTERNAL(size_t, EVP_MD_size, (const GO_EVP_MD *arg0), (arg0))
- DEFINEFUNCINTERNAL(const GO_EVP_MD*, EVP_md5_sha1, (void), ())
- 
- # include <openssl/md5.h>
-@@ -240,8 +243,6 @@ _goboringcrypto_EVP_md5_sha1(void) {
- 
- typedef HMAC_CTX GO_HMAC_CTX;
- 
--DEFINEFUNC(void, HMAC_CTX_init, (GO_HMAC_CTX * arg0), (arg0))
--DEFINEFUNC(void, HMAC_CTX_cleanup, (GO_HMAC_CTX * arg0), (arg0))
- DEFINEFUNC(int, HMAC_Init_ex,
- 		   (GO_HMAC_CTX * arg0, const void *arg1, int arg2, const GO_EVP_MD *arg3, ENGINE *arg4),
- 		   (arg0, arg1, arg2, arg3, arg4))
-@@ -249,59 +250,57 @@ DEFINEFUNC(int, HMAC_Update, (GO_HMAC_CTX * arg0, const uint8_t *arg1, size_t ar
- DEFINEFUNC(int, HMAC_Final, (GO_HMAC_CTX * arg0, uint8_t *arg1, unsigned int *arg2), (arg0, arg1, arg2))
- DEFINEFUNC(size_t, HMAC_CTX_copy, (GO_HMAC_CTX *dest, GO_HMAC_CTX *src), (dest, src))
- 
--DEFINEFUNCINTERNAL(void, HMAC_CTX_free, (GO_HMAC_CTX * arg0), (arg0))
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+DEFINEFUNCINTERNAL(void, HMAC_CTX_cleanup, (GO_HMAC_CTX * arg0), (arg0))
- static inline void
- _goboringcrypto_HMAC_CTX_free(HMAC_CTX *ctx) {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    if (ctx != NULL) {
--       _goboringcrypto_HMAC_CTX_cleanup(ctx);
-+       _goboringcrypto_internal_HMAC_CTX_cleanup(ctx);
-        free(ctx);
-    }
-+}
- #else
--	_goboringcrypto_internal_HMAC_CTX_free(ctx);
-+DEFINEFUNC(void, HMAC_CTX_free, (GO_HMAC_CTX * arg0), (arg0))
- #endif
--}
- 
--DEFINEFUNCINTERNAL(EVP_MD*, HMAC_CTX_get_md, (const GO_HMAC_CTX* ctx), (ctx))
--DEFINEFUNCINTERNAL(size_t, EVP_MD_get_size, (const GO_EVP_MD *arg0), (arg0))
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- static inline size_t
- _goboringcrypto_HMAC_size(const GO_HMAC_CTX* arg0) {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
--	return _goboringcrypto_internal_EVP_MD_size(arg0->md);
--#elif OPENSSL_VERSION_NUMBER >= 0x30000000L
--	const EVP_MD* md;
--	md = _goboringcrypto_internal_HMAC_CTX_get_md(arg0);
--	return _goboringcrypto_internal_EVP_MD_get_size(md);
-+	return _goboringcrypto_EVP_MD_get_size(arg0->md);
-+}
- #else
-+DEFINEFUNCINTERNAL(const EVP_MD*, HMAC_CTX_get_md, (const GO_HMAC_CTX* ctx), (ctx))
-+static inline size_t
-+_goboringcrypto_HMAC_size(const GO_HMAC_CTX* arg0) {
- 	const EVP_MD* md;
- 	md = _goboringcrypto_internal_HMAC_CTX_get_md(arg0);
--	return _goboringcrypto_internal_EVP_MD_size(md);
--#endif
-+	return _goboringcrypto_EVP_MD_get_size(md);
- }
-+#endif
- 
--DEFINEFUNCINTERNAL(GO_HMAC_CTX*, HMAC_CTX_new, (void), ())
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+DEFINEFUNCINTERNAL(void, HMAC_CTX_init, (GO_HMAC_CTX * arg0), (arg0))
- static inline GO_HMAC_CTX*
- _goboringcrypto_HMAC_CTX_new(void) {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 	GO_HMAC_CTX* ctx = malloc(sizeof(GO_HMAC_CTX));
- 	if (ctx != NULL)
--		_goboringcrypto_HMAC_CTX_init(ctx);
-+		_goboringcrypto_internal_HMAC_CTX_init(ctx);
- 	return ctx;
-+}
- #else
--	return _goboringcrypto_internal_HMAC_CTX_new();
-+DEFINEFUNC(GO_HMAC_CTX*, HMAC_CTX_new, (void), ())
- #endif
--}
- 
--DEFINEFUNCINTERNAL(void, HMAC_CTX_reset, (GO_HMAC_CTX * arg0), (arg0))
--static inline void
--_goboringcrypto_HMAC_CTX_reset(GO_HMAC_CTX* ctx) {
- #if OPENSSL_VERSION_NUMBER < 0x10100000L
--	_goboringcrypto_HMAC_CTX_cleanup(ctx);
--	_goboringcrypto_HMAC_CTX_init(ctx);
-+static inline int
-+_goboringcrypto_HMAC_CTX_reset(GO_HMAC_CTX* ctx) {
-+	_goboringcrypto_internal_HMAC_CTX_cleanup(ctx);
-+	_goboringcrypto_internal_HMAC_CTX_init(ctx);
-+	return 0;
-+}
- #else
--	_goboringcrypto_internal_HMAC_CTX_reset(ctx);
-+DEFINEFUNC(int, HMAC_CTX_reset, (GO_HMAC_CTX * arg0), (arg0))
- #endif
--}
- 
- int _goboringcrypto_HMAC_CTX_copy_ex(GO_HMAC_CTX *dest, const GO_HMAC_CTX *src);
- 
-@@ -408,16 +407,14 @@ DEFINEFUNCINTERNAL(int, ECDSA_verify,
- 	(int type, const unsigned char *dgst, size_t dgstlen, const unsigned char *sig, unsigned int siglen, EC_KEY *eckey),
- 	(type, dgst, dgstlen, sig, siglen, eckey))
- 
--DEFINEFUNCINTERNAL(EVP_MD_CTX*, EVP_MD_CTX_new, (void), ())
--DEFINEFUNCINTERNAL(EVP_MD_CTX*, EVP_MD_CTX_create, (void), ())
--
--static inline EVP_MD_CTX* _goboringcrypto_EVP_MD_CTX_create(void) {
- #if OPENSSL_VERSION_NUMBER < 0x10100000L
--	return _goboringcrypto_internal_EVP_MD_CTX_create();
-+DEFINEFUNC(EVP_MD_CTX*, EVP_MD_CTX_create, (void), ())
- #else
-+DEFINEFUNCINTERNAL(EVP_MD_CTX*, EVP_MD_CTX_new, (void), ())
-+static inline EVP_MD_CTX* _goboringcrypto_EVP_MD_CTX_create(void) {
- 	return _goboringcrypto_internal_EVP_MD_CTX_new();
--#endif
- }
-+#endif
- 
- DEFINEFUNCINTERNAL(int, EVP_PKEY_assign,
- 	(EVP_PKEY *pkey, int type, void *eckey),
-@@ -441,7 +438,7 @@ DEFINEFUNC(int, EVP_DigestUpdate,
- 	(EVP_MD_CTX* ctx, const void *d, size_t cnt),
- 	(ctx, d, cnt))
- DEFINEFUNC(int, EVP_DigestSignFinal,
--	(EVP_MD_CTX* ctx, unsigned char *sig, unsigned int *siglen),
-+	(EVP_MD_CTX* ctx, unsigned char *sig, size_t *siglen),
- 	(ctx, sig, siglen))
- 
- DEFINEFUNC(int, EVP_DigestVerifyInit,
-@@ -451,18 +448,17 @@ DEFINEFUNC(int, EVP_DigestVerifyFinal,
- 	(EVP_MD_CTX* ctx, const uint8_t *sig, unsigned int siglen),
- 	(ctx, sig, siglen))
- 
--int _goboringcrypto_EVP_sign(EVP_MD* md, EVP_PKEY_CTX *ctx, const uint8_t *msg, size_t msgLen, uint8_t *sig, unsigned int *slen, EVP_PKEY *eckey);
-+int _goboringcrypto_EVP_sign(EVP_MD* md, EVP_PKEY_CTX *ctx, const uint8_t *msg, size_t msgLen, uint8_t *sig, size_t *slen, EVP_PKEY *eckey);
- int _goboringcrypto_EVP_verify(EVP_MD* md, EVP_PKEY_CTX *ctx, const uint8_t *msg, size_t msgLen, const uint8_t *sig, unsigned int slen, EVP_PKEY *key);
- 
--DEFINEFUNCINTERNAL(void, EVP_MD_CTX_free, (EVP_MD_CTX *ctx), (ctx))
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- DEFINEFUNCINTERNAL(void, EVP_MD_CTX_destroy, (EVP_MD_CTX *ctx), (ctx))
- static inline void _goboringcrypto_EVP_MD_CTX_free(EVP_MD_CTX *ctx) {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 	return _goboringcrypto_internal_EVP_MD_CTX_destroy(ctx);
-+}
- #else
--	return _goboringcrypto_internal_EVP_MD_CTX_free(ctx);
-+DEFINEFUNC(void, EVP_MD_CTX_free, (EVP_MD_CTX *ctx), (ctx))
- #endif
--}
- 
- int _goboringcrypto_ECDSA_sign(EVP_MD *md, const uint8_t *arg1, size_t arg2, uint8_t *arg3, unsigned int *arg4, GO_EC_KEY *arg5);
- int _goboringcrypto_ECDSA_verify(EVP_MD *md, const uint8_t *arg1, size_t arg2, const uint8_t *arg3, unsigned int arg4, GO_EC_KEY *arg5);
-@@ -473,7 +469,7 @@ int _goboringcrypto_ECDSA_verify(EVP_MD *md, const uint8_t *arg1, size_t arg2, c
- typedef RSA GO_RSA;
- typedef BN_GENCB GO_BN_GENCB;
- 
--int _goboringcrypto_EVP_RSA_sign(EVP_MD* md, const uint8_t *msg, unsigned int msgLen, uint8_t *sig, unsigned int *slen, RSA *rsa);
-+int _goboringcrypto_EVP_RSA_sign(EVP_MD* md, const uint8_t *msg, unsigned int msgLen, uint8_t *sig, size_t *slen, RSA *rsa);
- int _goboringcrypto_EVP_RSA_verify(EVP_MD* md, const uint8_t *msg, unsigned int msgLen, const uint8_t *sig, unsigned int slen, GO_RSA *rsa);
- 
- DEFINEFUNC(GO_RSA *, RSA_new, (void), ())
-@@ -774,10 +770,10 @@ _goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(GO_EVP_PKEY_CTX * ctx, const GO_EVP
- }
- 
- DEFINEFUNC(int, EVP_PKEY_decrypt,
--		   (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, unsigned int *arg2, const uint8_t *arg3, unsigned int arg4),
-+		   (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, size_t *arg2, const uint8_t *arg3, unsigned int arg4),
- 		   (arg0, arg1, arg2, arg3, arg4))
- DEFINEFUNC(int, EVP_PKEY_encrypt,
--		   (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, unsigned int *arg2, const uint8_t *arg3, unsigned int arg4),
-+		   (GO_EVP_PKEY_CTX * arg0, uint8_t *arg1, size_t *arg2, const uint8_t *arg3, unsigned int arg4),
- 		   (arg0, arg1, arg2, arg3, arg4))
- DEFINEFUNC(int, EVP_PKEY_decrypt_init, (GO_EVP_PKEY_CTX * arg0), (arg0))
- DEFINEFUNC(int, EVP_PKEY_encrypt_init, (GO_EVP_PKEY_CTX * arg0), (arg0))
-diff --git a/src/crypto/internal/boring/openssl_ecdsa_signature.c b/src/crypto/internal/boring/openssl_ecdsa_signature.c
-index 710d0744ff..9d0056c5f7 100644
---- a/src/crypto/internal/boring/openssl_ecdsa_signature.c
-+++ b/src/crypto/internal/boring/openssl_ecdsa_signature.c
-@@ -18,7 +18,9 @@ _goboringcrypto_ECDSA_sign(EVP_MD* md, const uint8_t *msg, size_t msgLen, uint8_
-         result = 0;
-         goto err;
-     }
--    result = _goboringcrypto_EVP_sign(md, NULL, msg, msgLen, sig, slen, key);
-+    size_t _slen;
-+    result = _goboringcrypto_EVP_sign(md, NULL, msg, msgLen, sig, &_slen, key);
-+    *slen = _slen;
- err:
-     _goboringcrypto_EVP_PKEY_free(key);
-     return result;
-diff --git a/src/crypto/internal/boring/openssl_evp.c b/src/crypto/internal/boring/openssl_evp.c
-index 36be702224..8b81fd71f6 100644
---- a/src/crypto/internal/boring/openssl_evp.c
-+++ b/src/crypto/internal/boring/openssl_evp.c
-@@ -7,7 +7,7 @@
- #include "goboringcrypto.h"
- 
- int
--_goboringcrypto_EVP_sign(EVP_MD* md, EVP_PKEY_CTX *ctx, const uint8_t *msg, size_t msgLen, uint8_t *sig, unsigned int *slen, EVP_PKEY *key) {
-+_goboringcrypto_EVP_sign(EVP_MD* md, EVP_PKEY_CTX *ctx, const uint8_t *msg, size_t msgLen, uint8_t *sig, size_t *slen, EVP_PKEY *key) {
-     EVP_MD_CTX *mdctx = NULL;
-     int ret = 0;
- 
-diff --git a/src/crypto/internal/boring/openssl_port_rsa.c b/src/crypto/internal/boring/openssl_port_rsa.c
-index 5174f662c9..3ad4e69e9d 100644
---- a/src/crypto/internal/boring/openssl_port_rsa.c
-+++ b/src/crypto/internal/boring/openssl_port_rsa.c
-@@ -19,7 +19,7 @@ int _goboringcrypto_RSA_generate_key_fips(GO_RSA *rsa, int size, GO_BN_GENCB *cb
- 	return ret;
- }
- 
--int _goboringcrypto_RSA_digest_and_sign_pss_mgf1(GO_RSA *rsa, unsigned int *out_len, uint8_t *out, size_t max_out,
-+int _goboringcrypto_RSA_digest_and_sign_pss_mgf1(GO_RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
- 		const uint8_t *in, size_t in_len, EVP_MD *md, const EVP_MD *mgf1_md, int salt_len)
- {
- 	EVP_PKEY_CTX *ctx;
-@@ -173,7 +173,7 @@ err:
- 	return ret;
- }
- 
--int _goboringcrypto_EVP_RSA_sign(EVP_MD *md, const uint8_t *msg, unsigned int msgLen, uint8_t *sig, unsigned int *slen, RSA *rsa)
-+int _goboringcrypto_EVP_RSA_sign(EVP_MD *md, const uint8_t *msg, unsigned int msgLen, uint8_t *sig, size_t *slen, RSA *rsa)
- {
- 	int result;
- 	EVP_PKEY *key = _goboringcrypto_EVP_PKEY_new();
-diff --git a/src/crypto/internal/boring/rsa.go b/src/crypto/internal/boring/rsa.go
-index b1a2f57abd..e47ca3bb63 100644
---- a/src/crypto/internal/boring/rsa.go
-+++ b/src/crypto/internal/boring/rsa.go
-@@ -200,7 +200,7 @@ func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
- func cryptRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
- 	padding C.int, h hash.Hash, label []byte, saltLen int, ch crypto.Hash,
- 	init func(*C.GO_EVP_PKEY_CTX) C.int,
--	crypt func(*C.GO_EVP_PKEY_CTX, *C.uint8_t, *C.uint, *C.uint8_t, C.uint) C.int,
-+	crypt func(*C.GO_EVP_PKEY_CTX, *C.uint8_t, *C.size_t, *C.uint8_t, C.uint) C.int,
- 	in []byte) ([]byte, error) {
- 
- 	pkey, ctx, err := setupRSA(withKey, padding, h, label, saltLen, ch, init)
-@@ -210,7 +210,7 @@ func cryptRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
- 	defer C._goboringcrypto_EVP_PKEY_free(pkey)
- 	defer C._goboringcrypto_EVP_PKEY_CTX_free(ctx)
- 
--	var outLen C.uint
-+	var outLen C.size_t
- 	if crypt(ctx, nil, &outLen, base(in), C.uint(len(in))) == 0 {
- 		return nil, NewOpenSSLError("EVP_PKEY_decrypt/encrypt failed")
- 	}
-@@ -251,7 +251,7 @@ func decryptInit(ctx *C.GO_EVP_PKEY_CTX) C.int {
- 	return C._goboringcrypto_EVP_PKEY_decrypt_init(ctx)
- }
- 
--func decrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.uint, in *C.uint8_t, inLen C.uint) C.int {
-+func decrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.size_t, in *C.uint8_t, inLen C.uint) C.int {
- 	return C._goboringcrypto_EVP_PKEY_decrypt(ctx, out, outLen, in, inLen)
- }
- 
-@@ -259,7 +259,7 @@ func encryptInit(ctx *C.GO_EVP_PKEY_CTX) C.int {
- 	return C._goboringcrypto_EVP_PKEY_encrypt_init(ctx)
- }
- 
--func encrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.uint, in *C.uint8_t, inLen C.uint) C.int {
-+func encrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.size_t, in *C.uint8_t, inLen C.uint) C.int {
- 	return C._goboringcrypto_EVP_PKEY_encrypt(ctx, out, outLen, in, inLen)
- }
- 
-@@ -307,10 +307,9 @@ func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, msg []byte, msgIsHashed
- 		return nil, errors.New("crypto/rsa: unsupported hash function: " + strconv.Itoa(int(h)))
- 	}
- 
--	var out []byte
--	var outLen C.uint
--
- 	if msgIsHashed {
-+		var out []byte
-+		var outLen C.uint
- 		PanicIfStrictFIPS("You must provide a raw unhashed message for PKCS1v15 signing and use HashSignPKCS1v15 instead of SignPKCS1v15")
- 		nid := C._goboringcrypto_EVP_MD_type(md)
- 		if priv.withKey(func(key *C.GO_RSA) C.int {
-@@ -323,6 +322,9 @@ func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, msg []byte, msgIsHashed
- 		return out[:outLen], nil
- 	}
- 
-+	var out []byte
-+	var outLen C.size_t
-+
- 	if priv.withKey(func(key *C.GO_RSA) C.int {
- 		return C._goboringcrypto_EVP_RSA_sign(md, base(msg), C.uint(len(msg)), base(out), &outLen, key)
- 	}) == 0 {

SOURCES/fix-memleak-setupRSA.patch

@@ -0,0 +1,172 @@
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go
+index 56adf47bf6..9537870e3c 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/ecdh.go
+@@ -22,22 +22,10 @@ var (
+ type PublicKeyECDH struct {
+ 	_pkey *C.GO_EVP_PKEY
+ 	bytes []byte
+-
+-	// priv is only set when PublicKeyECDH is derived from a private key,
+-	// in which case priv's finalizer is responsible for freeing _pkey.
+-	// This ensures priv is not finalized while the public key is alive,
+-	// which could cause use-after-free and double-free behavior.
+-	//
+-	// We could avoid this altogether by using EVP_PKEY_up_ref
+-	// when instantiating a derived public key, unfortunately
+-	// it is not available on OpenSSL 1.0.2.
+-	priv *PrivateKeyECDH
+ }
+ 
+ func (k *PublicKeyECDH) finalize() {
+-	if k.priv == nil {
+-		C._goboringcrypto_EVP_PKEY_free(k._pkey)
+-	}
++	C._goboringcrypto_EVP_PKEY_free(k._pkey)
+ }
+ 
+ type PrivateKeyECDH struct {
+@@ -58,7 +46,7 @@ func NewPublicKeyECDH(curve string, bytes []byte) (*PublicKeyECDH, error) {
+ 	if err != nil {
+ 		return nil, err
+ 	}
+-	k := &PublicKeyECDH{pkey, append([]byte(nil), bytes...), nil}
++	k := &PublicKeyECDH{pkey, append([]byte(nil), bytes...)}
+ 	runtime.SetFinalizer(k, (*PublicKeyECDH).finalize)
+ 	return k, nil
+ }
+@@ -87,14 +75,22 @@ func (k *PrivateKeyECDH) PublicKey() (*PublicKeyECDH, error) {
+ 	var bytes []byte
+ 	var cbytes *C.uchar
+ 
+-	n := C._goboringcrypto_EVP_PKEY_get1_encoded_ecdh_public_key(k._pkey, &cbytes)
++	pkey := C._goboringcrypto_EVP_PKEY_ref(k._pkey)
++	if pkey == nil {
++		return nil, NewOpenSSLError("EVP_PKEY_ref")
++	}
++	defer func() {
++		C._goboringcrypto_EVP_PKEY_free(pkey)
++	}()
++	n := C._goboringcrypto_EVP_PKEY_get1_encoded_ecdh_public_key(pkey, &cbytes)
+ 	if n == 0 {
+ 		return nil, NewOpenSSLError("EVP_PKEY_get1_encoded_ecdh_public_key")
+ 	}
+ 	bytes = C.GoBytes(unsafe.Pointer(cbytes), C.int(n))
+ 	C.free(unsafe.Pointer(cbytes))
+ 
+-	pub := &PublicKeyECDH{k._pkey, bytes, k}
++	pub := &PublicKeyECDH{pkey, bytes}
++	pkey = nil
+ 	runtime.SetFinalizer(pub, (*PublicKeyECDH).finalize)
+ 	return pub, nil
+ }
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
+index a900b3f9e7..03367d5520 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
+@@ -827,6 +827,9 @@ DEFINEFUNC(GO_EVP_PKEY *, EVP_PKEY_new, (void), ())
+ DEFINEFUNC(void, EVP_PKEY_free, (GO_EVP_PKEY * arg0), (arg0))
+ DEFINEFUNC(int, EVP_PKEY_set1_RSA, (GO_EVP_PKEY * arg0, GO_RSA *arg1), (arg0, arg1))
+ DEFINEFUNC(int, EVP_PKEY_set1_EC_KEY, (GO_EVP_PKEY * arg0, GO_EC_KEY *arg1), (arg0, arg1))
++DEFINEFUNC(const GO_EC_KEY *, EVP_PKEY_get0_EC_KEY, (const GO_EVP_PKEY *pkey), (pkey))
++GO_EVP_PKEY *_goboringcrypto_EVP_PKEY_ref(GO_EVP_PKEY *pkey);
++
+ DEFINEFUNC(int, EVP_PKEY_verify,
+ 	(EVP_PKEY_CTX *ctx, const unsigned char *sig, unsigned int siglen, const unsigned char *tbs, size_t tbslen),
+ 	(ctx, sig, siglen, tbs, tbslen))
+@@ -1083,15 +1086,6 @@ enum {
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ DEFINEFUNC(int, EVP_PKEY_set1_encoded_public_key, (GO_EVP_PKEY *pkey, const unsigned char *pub, size_t publen), (pkey, pub, publen))
+ DEFINEFUNC(size_t, EVP_PKEY_get1_encoded_public_key, (GO_EVP_PKEY *pkey, unsigned char **ppub), (pkey, ppub))
+-
+-DEFINEFUNC(const GO_EC_KEY *, EVP_PKEY_get0_EC_KEY, (const GO_EVP_PKEY *pkey), (pkey))
+-#else
+-DEFINEFUNCINTERNAL(void *, EVP_PKEY_get0, (const GO_EVP_PKEY *pkey), (pkey))
+-static const GO_EC_KEY *
+-_goboringcrypto_EVP_PKEY_get0_EC_KEY(const GO_EVP_PKEY *pkey)
+-{
+-  return _goboringcrypto_internal_EVP_PKEY_get0(pkey);
+-}
+ #endif
+ 
+ GO_EVP_PKEY *_goboringcrypto_EVP_PKEY_new_for_ecdh(int nid, const uint8_t *bytes, size_t len, int is_private);
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
+index 24a9615108..c6b23a984b 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/openssl_evp.c
+@@ -5,6 +5,7 @@
+ // +build !msan
+ 
+ #include "goopenssl.h"
++#include <assert.h>
+ 
+ int _goboringcrypto_EVP_sign(EVP_MD *md, EVP_PKEY_CTX *ctx, const uint8_t *msg,
+                              size_t msgLen, uint8_t *sig, size_t *slen,
+@@ -138,3 +139,52 @@ err:
+ 
+   return ret;
+ }
++
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++DEFINEFUNCINTERNAL(int, EVP_PKEY_up_ref, (GO_EVP_PKEY *pkey), (pkey))
++
++GO_EVP_PKEY *
++_goboringcrypto_EVP_PKEY_ref(GO_EVP_PKEY *pkey)
++{
++  if (_goboringcrypto_internal_EVP_PKEY_up_ref(pkey) != 1)
++    return NULL;
++
++  return pkey;
++}
++
++#else
++GO_EVP_PKEY *
++_goboringcrypto_EVP_PKEY_ref(GO_EVP_PKEY *pkey)
++{
++  GO_EVP_PKEY *result = NULL;
++
++  if (pkey->type != EVP_PKEY_EC && pkey->type != EVP_PKEY_RSA)
++    return NULL;
++
++  result = _goboringcrypto_EVP_PKEY_new();
++  if (!result)
++    goto err;
++
++  switch (pkey->type) {
++  case EVP_PKEY_EC:
++    if (_goboringcrypto_EVP_PKEY_set1_EC_KEY(result, _goboringcrypto_EVP_PKEY_get0_EC_KEY()) != 1)
++      goto err;
++    break;
++
++  case EVP_PKEY_RSA:
++    if (_goboringcrypto_EVP_PKEY_set1_RSA_KEY(result, _goboringcrypto_EVP_PKEY_get0_RSA_KEY()) != 1)
++      goto err;
++
++    break;
++
++  default:
++    assert(0);
++  }
++
++  return result;
++
++err:
++  _goboringcrypto_EVP_PKEY_free(result);
++  return NULL;
++}
++#endif
+diff --git a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
+index 75ba7a8a59..1e016676a0 100644
+--- a/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
++++ b/src/vendor/github.com/golang-fips/openssl-fips/openssl/rsa.go
+@@ -116,7 +116,9 @@ func (k *PrivateKeyRSA) withKey(f func(*C.GO_RSA) C.int) C.int {
+ 
+ func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
+ 	padding C.int, h hash.Hash, label []byte, saltLen int, ch crypto.Hash,
+-	init func(*C.GO_EVP_PKEY_CTX) C.int) (pkey *C.GO_EVP_PKEY, ctx *C.GO_EVP_PKEY_CTX, err error) {
++	init func(*C.GO_EVP_PKEY_CTX) C.int) (_ *C.GO_EVP_PKEY,_  *C.GO_EVP_PKEY_CTX, err error) {
++	var pkey *C.GO_EVP_PKEY
++	var ctx *C.GO_EVP_PKEY_CTX
+ 	defer func() {
+ 		if err != nil {
+ 			if pkey != nil {

SOURCES/go1.5-zoneinfo_testing_only.patch

@@ -1,73 +0,0 @@
-diff --git a/src/time/internal_test.go b/src/time/internal_test.go
-index f0dddb7..415949a 100644
---- a/src/time/internal_test.go
-+++ b/src/time/internal_test.go
-@@ -4,13 +4,15 @@
- 
- package time
- 
-+import "runtime"
-+
- func init() {
- 	// force US/Pacific for time zone tests
- 	ForceUSPacificForTesting()
- }
- 
- func initTestingZone() {
--	z, err := loadLocation("America/Los_Angeles", zoneSources[len(zoneSources)-1:])
-+	z, err := loadLocation("America/Los_Angeles", zoneSources)
- 	if err != nil {
- 		panic("cannot load America/Los_Angeles for testing: " + err.Error() + "; you may want to use -tags=timetzdata")
- 	}
-@@ -21,8 +23,9 @@ func initTestingZone() {
- var OrigZoneSources = zoneSources
- 
- func forceZipFileForTesting(zipOnly bool) {
--	zoneSources = make([]string, len(OrigZoneSources))
-+	zoneSources = make([]string, len(OrigZoneSources)+1)
- 	copy(zoneSources, OrigZoneSources)
-+	zoneSources = append(zoneSources, runtime.GOROOT()+"/lib/time/zoneinfo.zip")
- 	if zipOnly {
- 		zoneSources = zoneSources[len(zoneSources)-1:]
- 	}
-diff --git a/src/time/zoneinfo_test.go b/src/time/zoneinfo_test.go
-index f032aa7..e3e5547 100644
---- a/src/time/zoneinfo_test.go
-+++ b/src/time/zoneinfo_test.go
-@@ -9,6 +9,7 @@ import (
- 	"fmt"
- 	"os"
- 	"reflect"
-+	"runtime"
- 	"testing"
- 	"time"
- )
-@@ -137,7 +138,7 @@ func TestLoadLocationFromTZData(t *testing.T) {
- 		t.Fatal(err)
- 	}
- 
--	tzinfo, err := time.LoadTzinfo(locationName, time.OrigZoneSources[len(time.OrigZoneSources)-1])
-+	tzinfo, err := time.LoadTzinfo(locationName, runtime.GOROOT()+"/lib/time/zoneinfo.zip")
- 	if err != nil {
- 		t.Fatal(err)
- 	}
-diff --git a/src/time/zoneinfo_unix.go b/src/time/zoneinfo_unix.go
-index 23f8b3c..228db1b 100644
---- a/src/time/zoneinfo_unix.go
-+++ b/src/time/zoneinfo_unix.go
-@@ -12,7 +12,6 @@
- package time
- 
- import (
--	"runtime"
- 	"syscall"
- )
- 
-@@ -22,7 +21,6 @@ var zoneSources = []string{
- 	"/usr/share/zoneinfo/",
- 	"/usr/share/lib/zoneinfo/",
- 	"/usr/lib/locale/TZ/",
--	runtime.GOROOT() + "/lib/time/zoneinfo.zip",
- }
- 
- func initLocal() {

SOURCES/modify_go.env.patch

@@ -0,0 +1,22 @@
+From eab9004c072200e58df83ab94678bda1faa7b229 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alejandro=20S=C3=A1ez?= <asm@redhat.com>
+Date: Fri, 9 Feb 2024 20:06:16 +0100
+Subject: [PATCH] Set GOTOOLCHAIN to local
+
+---
+ go.env | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/go.env b/go.env
+index 6ff2b921d4..e87f6e7b6d 100644
+--- a/go.env
++++ b/go.env
+@@ -9,4 +9,4 @@ GOSUMDB=sum.golang.org
+ 
+ # Automatically download newer toolchains as directed by go.mod files.
+ # See https://go.dev/doc/toolchain for details.
+-GOTOOLCHAIN=auto
++GOTOOLCHAIN=local
+-- 
+2.43.0
+

SOURCES/openssl_deprecated_algorithm_tests.patch

@@ -1,124 +0,0 @@
-diff --git a/src/crypto/rsa/pkcs1v15_test.go b/src/crypto/rsa/pkcs1v15_test.go
-index a4f2e2dbbe..76701d2e2b 100644
---- a/src/crypto/rsa/pkcs1v15_test.go
-+++ b/src/crypto/rsa/pkcs1v15_test.go
-@@ -52,6 +52,7 @@ var decryptPKCS1v15Tests = []DecryptPKCS1v15Test{
- }
- 
- func TestDecryptPKCS1v15(t *testing.T) {
-+	t.Skip("not supported in FIPS mode")
- 	decryptionFuncs := []func([]byte) ([]byte, error){
- 		func(ciphertext []byte) (plaintext []byte, err error) {
- 			return DecryptPKCS1v15(nil, testRSA2048PrivateKey, ciphertext)
-@@ -76,6 +77,7 @@ func TestDecryptPKCS1v15(t *testing.T) {
- }
- 
- func TestEncryptPKCS1v15(t *testing.T) {
-+	t.Skip("not supported in FIPS mode")
- 	random := rand.Reader
- 	k := (testRSA2048PrivateKey.N.BitLen() + 7) / 8
- 
-@@ -137,6 +139,7 @@ var decryptPKCS1v15SessionKeyTests = []DecryptPKCS1v15Test{
- }
- 
- func TestEncryptPKCS1v15SessionKey(t *testing.T) {
-+	t.Skip("not supported in FIPS mode")
- 	for i, test := range decryptPKCS1v15SessionKeyTests {
- 		key := []byte("FAIL")
- 		err := DecryptPKCS1v15SessionKey(nil, testRSA2048PrivateKey, decodeBase64(test.in), key)
-@@ -151,6 +154,7 @@ func TestEncryptPKCS1v15SessionKey(t *testing.T) {
- }
- 
- func TestEncryptPKCS1v15DecrypterSessionKey(t *testing.T) {
-+	t.Skip("not supported in FIPS mode")
- 	for i, test := range decryptPKCS1v15SessionKeyTests {
- 		plaintext, err := testRSA2048PrivateKey.Decrypt(rand.Reader, decodeBase64(test.in), &PKCS1v15DecryptOptions{SessionKeyLen: 4})
- 		if err != nil {
-@@ -270,6 +274,7 @@ func TestUnpaddedSignature(t *testing.T) {
- }
- 
- func TestShortSessionKey(t *testing.T) {
-+	t.Skip("not supported in FIPS mode")
- 	// This tests that attempting to decrypt a session key where the
- 	// ciphertext is too small doesn't run outside the array bounds.
- 	ciphertext, err := EncryptPKCS1v15(rand.Reader, &testRSA2048PrivateKey.PublicKey, []byte{1})
-diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go
-index b547a87c71..99e7882866 100644
---- a/src/crypto/rsa/pss_test.go
-+++ b/src/crypto/rsa/pss_test.go
-@@ -77,6 +77,7 @@ func TestEMSAPSS(t *testing.T) {
- // TestPSSGolden tests all the test vectors in pss-vect.txt from
- // ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip
- func TestPSSGolden(t *testing.T) {
-+	t.Skip("SHA1 not supported in boring mode")
- 	inFile, err := os.Open("testdata/pss-vect.txt.bz2")
- 	if err != nil {
- 		t.Fatalf("Failed to open input file: %s", err)
-diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go
-index 9aa67655ab..2f4e666abb 100644
---- a/src/crypto/rsa/rsa_test.go
-+++ b/src/crypto/rsa/rsa_test.go
-@@ -123,28 +123,29 @@ func testKeyBasics(t *testing.T, priv *PrivateKey) {
- 		t.Errorf("private exponent too large")
- 	}
- 
--	if boring.Enabled() {
--		// Cannot call encrypt/decrypt directly. Test via PKCS1v15.
--		msg := []byte("hi!")
--		if priv.Size() >= 256 {
--			enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg)
--			if err != nil {
--				t.Errorf("EncryptPKCS1v15: %v", err)
--				return
--			}
--			dec, err := DecryptPKCS1v15(rand.Reader, priv, enc)
--			if err != nil {
--				t.Errorf("DecryptPKCS1v15: %v", err)
--				return
--			}
--			if !bytes.Equal(dec, msg) {
--				t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
--			}
--		} else {
--			t.Logf("skipping check for unsupported key less than 2048 bits")
--		}
--		return
--	}
-+        if boring.Enabled() {
-+                // Cannot call encrypt/decrypt directly. Test via EncryptOAEP.
-+		sha256 := sha256.New()
-+                msg := []byte("hi!")
-+                if priv.Size() >= 256 {
-+                        enc, err := EncryptOAEP(sha256, rand.Reader, &priv.PublicKey, msg, nil)
-+                        if err != nil {
-+                                t.Errorf("EncryptOAEP: %v", err)
-+                                return
-+                        }
-+                        dec, err := DecryptOAEP(sha256, rand.Reader, priv, enc, nil)
-+                        if err != nil {
-+                                t.Errorf("DecryptOAEP: %v", err)
-+                                return
-+                        }
-+                        if !bytes.Equal(dec, msg) {
-+                                t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
-+                        }
-+                } else {
-+                        t.Logf("skipping check for unsupported key less than 2048 bits")
-+                }
-+                return
-+        }
- 
- 	pub := &priv.PublicKey
- 	m := big.NewInt(42)
-@@ -312,6 +312,11 @@ func TestDecryptOAEP(t *testing.T) {
- 		private.PublicKey = PublicKey{N: n, E: test.e}
- 		private.D = d
- 
-+		if boring.Enabled() && private.PublicKey.Size() < 256 {
-+			t.Logf("skipping check for unsupported key less than 2048 bits")
-+			continue
-+		}
-+		t.Logf("running check for supported key size")
- 		for j, message := range test.msgs {
- 			out, err := DecryptOAEP(sha1, nil, private, message.out, nil)
- 			if err != nil {

SOURCES/ppc64le-internal-linker-fix.patch

@@ -1,122 +0,0 @@
-diff --git a/src/cmd/go/testdata/script/trampoline_reuse_test.txt b/src/cmd/go/testdata/script/trampoline_reuse_test.txt
-new file mode 100644
-index 0000000000000..bca897c16d054
---- /dev/null
-+++ b/src/cmd/go/testdata/script/trampoline_reuse_test.txt
-@@ -0,0 +1,100 @@
-+# Verify PPC64 does not reuse a trampoline which is too far away.
-+# This tests an edge case where the direct call relocation addend should
-+# be ignored when computing the distance from the direct call to the
-+# already placed trampoline
-+[short] skip
-+[!ppc64] [!ppc64le] skip
-+[aix] skip
-+
-+# Note, this program does not run. Presumably, 'DWORD $0' is simpler to
-+# assembly 2^26 or so times.
-+#
-+# We build something which should be laid out as such:
-+#
-+# bar.Bar
-+# main.Func1
-+# bar.Bar+400-tramp0
-+# main.BigAsm
-+# main.Func2
-+# bar.Bar+400-tramp1
-+#
-+# bar.Bar needs to be placed far enough away to generate relocations
-+# from main package calls. and main.Func1 and main.Func2 are placed
-+# a bit more than the direct call limit apart, but not more than 0x400
-+# bytes beyond it (to verify the reloc calc).
-+
-+go build
-+
-+-- go.mod --
-+
-+module foo
-+
-+go 1.19
-+
-+-- main.go --
-+
-+package main
-+
-+import "foo/bar"
-+
-+func Func1()
-+
-+func main() {
-+        Func1()
-+        bar.Bar2()
-+}
-+
-+-- foo.s --
-+
-+TEXT main·Func1(SB),0,$0-0
-+        CALL bar·Bar+0x400(SB)
-+        CALL main·BigAsm(SB)
-+// A trampoline will be placed here to bar.Bar
-+
-+// This creates a gap sufficiently large to prevent trampoline reuse
-+#define NOP64 DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0;
-+#define NOP256 NOP64 NOP64 NOP64 NOP64
-+#define NOP2S10 NOP256 NOP256 NOP256 NOP256
-+#define NOP2S12 NOP2S10 NOP2S10 NOP2S10 NOP2S10
-+#define NOP2S14 NOP2S12 NOP2S12 NOP2S12 NOP2S12
-+#define NOP2S16 NOP2S14 NOP2S14 NOP2S14 NOP2S14
-+#define NOP2S18 NOP2S16 NOP2S16 NOP2S16 NOP2S16
-+#define NOP2S20 NOP2S18 NOP2S18 NOP2S18 NOP2S18
-+#define NOP2S22 NOP2S20 NOP2S20 NOP2S20 NOP2S20
-+#define NOP2S24 NOP2S22 NOP2S22 NOP2S22 NOP2S22
-+#define BIGNOP NOP2S24 NOP2S24
-+TEXT main·BigAsm(SB),0,$0-0
-+        // Fill to the direct call limit so Func2 must generate a new trampoline.
-+        // As the implicit trampoline above is just barely unreachable.
-+        BIGNOP
-+        MOVD $main·Func2(SB), R3
-+
-+TEXT main·Func2(SB),0,$0-0
-+        CALL bar·Bar+0x400(SB)
-+// Another trampoline should be placed here.
-+
-+-- bar/bar.s --
-+
-+#define NOP64 DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0; DWORD $0;
-+#define NOP256 NOP64 NOP64 NOP64 NOP64
-+#define NOP2S10 NOP256 NOP256 NOP256 NOP256
-+#define NOP2S12 NOP2S10 NOP2S10 NOP2S10 NOP2S10
-+#define NOP2S14 NOP2S12 NOP2S12 NOP2S12 NOP2S12
-+#define NOP2S16 NOP2S14 NOP2S14 NOP2S14 NOP2S14
-+#define NOP2S18 NOP2S16 NOP2S16 NOP2S16 NOP2S16
-+#define NOP2S20 NOP2S18 NOP2S18 NOP2S18 NOP2S18
-+#define NOP2S22 NOP2S20 NOP2S20 NOP2S20 NOP2S20
-+#define NOP2S24 NOP2S22 NOP2S22 NOP2S22 NOP2S22
-+#define BIGNOP NOP2S24 NOP2S24 NOP2S10
-+// A very big not very interesting function.
-+TEXT bar·Bar(SB),0,$0-0
-+        BIGNOP
-+
-+-- bar/bar.go --
-+
-+package bar
-+
-+func Bar()
-+
-+func Bar2() {
-+}
-diff --git a/src/cmd/link/internal/ppc64/asm.go b/src/cmd/link/internal/ppc64/asm.go
-index 73c2718a3369f..879adaa965050 100644
---- a/src/cmd/link/internal/ppc64/asm.go
-+++ b/src/cmd/link/internal/ppc64/asm.go
-@@ -809,8 +809,9 @@ func trampoline(ctxt *ld.Link, ldr *loader.Loader, ri int, rs, s loader.Sym) {
- 				if ldr.SymValue(tramp) == 0 {
- 					break
- 				}
--
--				t = ldr.SymValue(tramp) + r.Add() - (ldr.SymValue(s) + int64(r.Off()))
-+				// Note, the trampoline is always called directly. The addend of the original relocation is accounted for in the
-+				// trampoline itself.
-+				t = ldr.SymValue(tramp) - (ldr.SymValue(s) + int64(r.Off()))
- 
- 				// With internal linking, the trampoline can be used if it is not too far.
- 				// With external linking, the trampoline must be in this section for it to be reused.

SOURCES/remove_ed25519vectors_test.patch

@@ -1,128 +0,0 @@
-From d7cad65ab9179804e9f089ce97bc124e9ef79494 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Alejandro=20S=C3=A1ez?= <asm@redhat.com>
-Date: Wed, 15 Dec 2021 16:02:15 +0100
-Subject: [PATCH] Remove ed25519vectors_test.go
-
----
- src/crypto/ed25519/ed25519vectors_test.go | 109 ----------------------
- 1 file changed, 109 deletions(-)
- delete mode 100644 src/crypto/ed25519/ed25519vectors_test.go
-
-diff --git a/src/crypto/ed25519/ed25519vectors_test.go b/src/crypto/ed25519/ed25519vectors_test.go
-deleted file mode 100644
-index 74fcdcdf4e..0000000000
---- a/src/crypto/ed25519/ed25519vectors_test.go
-+++ /dev/null
-@@ -1,109 +0,0 @@
--// Copyright 2021 The Go Authors. All rights reserved.
--// Use of this source code is governed by a BSD-style
--// license that can be found in the LICENSE file.
--
--package ed25519_test
--
--import (
--	"crypto/ed25519"
--	"encoding/hex"
--	"encoding/json"
--	"internal/testenv"
--	"os"
--	"os/exec"
--	"path/filepath"
--	"testing"
--)
--
--// TestEd25519Vectors runs a very large set of test vectors that exercise all
--// combinations of low-order points, low-order components, and non-canonical
--// encodings. These vectors lock in unspecified and spec-divergent behaviors in
--// edge cases that are not security relevant in most contexts, but that can
--// cause issues in consensus applications if changed.
--//
--// Our behavior matches the "classic" unwritten verification rules of the
--// "ref10" reference implementation.
--//
--// Note that although we test for these edge cases, they are not covered by the
--// Go 1 Compatibility Promise. Applications that need stable verification rules
--// should use github.com/hdevalence/ed25519consensus.
--//
--// See https://hdevalence.ca/blog/2020-10-04-its-25519am for more details.
--func TestEd25519Vectors(t *testing.T) {
--	jsonVectors := downloadEd25519Vectors(t)
--	var vectors []struct {
--		A, R, S, M string
--		Flags      []string
--	}
--	if err := json.Unmarshal(jsonVectors, &vectors); err != nil {
--		t.Fatal(err)
--	}
--	for i, v := range vectors {
--		expectedToVerify := true
--		for _, f := range v.Flags {
--			switch f {
--			// We use the simplified verification formula that doesn't multiply
--			// by the cofactor, so any low order residue will cause the
--			// signature not to verify.
--			//
--			// This is allowed, but not required, by RFC 8032.
--			case "LowOrderResidue":
--				expectedToVerify = false
--			// Our point decoding allows non-canonical encodings (in violation
--			// of RFC 8032) but R is not decoded: instead, R is recomputed and
--			// compared bytewise against the canonical encoding.
--			case "NonCanonicalR":
--				expectedToVerify = false
--			}
--		}
--
--		publicKey := decodeHex(t, v.A)
--		signature := append(decodeHex(t, v.R), decodeHex(t, v.S)...)
--		message := []byte(v.M)
--
--		didVerify := ed25519.Verify(publicKey, message, signature)
--		if didVerify && !expectedToVerify {
--			t.Errorf("#%d: vector with flags %s unexpectedly verified", i, v.Flags)
--		}
--		if !didVerify && expectedToVerify {
--			t.Errorf("#%d: vector with flags %s unexpectedly rejected", i, v.Flags)
--		}
--	}
--}
--
--func downloadEd25519Vectors(t *testing.T) []byte {
--	testenv.MustHaveExternalNetwork(t)
--
--	// Download the JSON test file from the GOPROXY with `go mod download`,
--	// pinning the version so test and module caching works as expected.
--	goTool := testenv.GoToolPath(t)
--	path := "filippo.io/mostly-harmless/ed25519vectors@v0.0.0-20210322192420-30a2d7243a94"
--	cmd := exec.Command(goTool, "mod", "download", "-json", path)
--	// TODO: enable the sumdb once the TryBots proxy supports it.
--	cmd.Env = append(os.Environ(), "GONOSUMDB=*")
--	output, err := cmd.Output()
--	if err != nil {
--		t.Fatalf("failed to run `go mod download -json %s`, output: %s", path, output)
--	}
--	var dm struct {
--		Dir string // absolute path to cached source root directory
--	}
--	if err := json.Unmarshal(output, &dm); err != nil {
--		t.Fatal(err)
--	}
--
--	jsonVectors, err := os.ReadFile(filepath.Join(dm.Dir, "ed25519vectors.json"))
--	if err != nil {
--		t.Fatalf("failed to read ed25519vectors.json: %v", err)
--	}
--	return jsonVectors
--}
--
--func decodeHex(t *testing.T, s string) []byte {
--	t.Helper()
--	b, err := hex.DecodeString(s)
--	if err != nil {
--		t.Errorf("invalid hex: %v", err)
--	}
--	return b
--}
--- 
-2.33.1
-

SOURCES/skip-test-overlong-message.patch

@@ -0,0 +1,15 @@
+diff --git a/src/crypto/rsa/pkcs1v15_test.go b/src/crypto/rsa/pkcs1v15_test.go
+index 0853178e3a..16eb37734b 100644
+--- a/src/crypto/rsa/pkcs1v15_test.go
++++ b/src/crypto/rsa/pkcs1v15_test.go
+@@ -247,6 +247,10 @@ func TestVerifyPKCS1v15(t *testing.T) {
+ }
+ 
+ func TestOverlongMessagePKCS1v15(t *testing.T) {
++	// OpenSSL now returns a random string instead of an error
++	if boring.Enabled() {
++		t.Skip("Not relevant in boring mode")
++	}
+ 	ciphertext := decodeBase64("fjOVdirUzFoLlukv80dBllMLjXythIf22feqPrNo0YoIjzyzyoMFiLjAc/Y4krkeZ11XFThIrEvw\nkRiZcCq5ng==")
+ 	_, err := DecryptPKCS1v15(nil, rsaPrivateKey, ciphertext)
+ 	if err == nil {

SOURCES/skip_test_rhbz1939923.patch

@@ -0,0 +1,12 @@
+diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
+index b1cdabb..09eaace 100644
+--- a/src/crypto/x509/x509_test.go
++++ b/src/crypto/x509/x509_test.go
+@@ -2993,6 +2993,7 @@ func (bs *brokenSigner) Sign(_ io.Reader, _ []byte, _ crypto.SignerOpts) ([]byte
+ }
+ 
+ func TestCreateCertificateBrokenSigner(t *testing.T) {
++	t.Skip("TODO Fix me: rhbz#1939923")
+ 	template := &Certificate{
+ 		SerialNumber: big.NewInt(10),
+ 		DNSNames:     []string{"example.com"},

SPECS/golang.spec

@@ -56,7 +56,7 @@
 %endif
 
 # Controls what ever we fail on failed tests
-%ifarch x86_64 %{arm} aarch64 ppc64le
+%ifarch x86_64 %{arm} ppc64le s390x
 %global fail_on_tests 1
 %else
 %global fail_on_tests 0
@@ -69,12 +69,8 @@
 %global shared 0
 %endif
 
-# Pre build std lib with -race enabled
-%ifarch x86_64
-%global race 1
-%else
+# Disabled due to 1.20 new cache usage, see 1.20 upstream release notes
 %global race 0
-%endif
 
 %ifarch x86_64
 %global gohostarch  amd64
@@ -95,20 +91,28 @@
 %global gohostarch  s390x
 %endif
 
-%global go_api 1.18
-%global go_version 1.18.9
+%global go_api 1.21
+%global version 1.21.9
 %global pkg_release 1
 
 Name:           golang
-Version:        %{go_version}
+Version:        %{version}
 Release:        1%{?dist}
+
 Summary:        The Go Programming Language
 # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
 License:        BSD and Public Domain
 URL:            http://golang.org/
-Source0:        https://github.com/golang-fips/go/archive/refs/tags/go%{go_version}-%{pkg_release}-openssl-fips.tar.gz
+Source0:        https://github.com/golang/go/archive/refs/tags/go%{version}.tar.gz
+# Go's FIPS mode bindings are now provided as a standalone
+# module instead of in tree.  This makes it easier to see
+# the actual changes vs upstream Go.  The module source is
+# located at https://github.com/golang-fips/openssl-fips,
+# And pre-genetated patches to set up the module for a given
+# Go release are located at https://github.com/golang-fips/go.
+Source1:       https://github.com/golang-fips/go/archive/refs/tags/go%{version}-%{pkg_release}-openssl-fips.tar.gz
 # make possible to override default traceback level at build time by setting build tag rpm_crashtraceback
-Source1:        fedora.go
+Source2:        fedora.go
 
 # The compiler is written in Go. Needs go(1.4+) compiler for build.
 # Actual Go based bootstrap compiler provided by above source.
@@ -124,10 +128,6 @@ BuildRequires:  net-tools
 %endif
 # For OpenSSL FIPS
 BuildRequires:  openssl-devel
-
-# For openssl-fipsinstall
-BuildRequires:  openssl
-
 # for tests
 BuildRequires:  pcre-devel, glibc-static, perl
 
@@ -137,20 +137,16 @@ Requires:       %{name}-src = %{version}-%{release}
 Requires:       openssl-devel
 Requires:       diffutils
 
-# we had been just removing the zoneinfo.zip, but that caused tests to fail for users that
-# later run `go test -a std`. This makes it only use the zoneinfo.zip where needed in tests.
-Patch215:       go1.5-zoneinfo_testing_only.patch
-
 # Proposed patch by jcajka https://golang.org/cl/86541
 Patch221:       fix_TestScript_list_std.patch
+Patch229:       fix-memleak-setupRSA.patch
 
-Patch223: remove_ed25519vectors_test.patch
+Patch1939923:   skip_test_rhbz1939923.patch
 
-Patch224: openssl_deprecated_algorithm_tests.patch
-
-Patch225: enable-big-endian-fips.patch
-
-Patch226: ppc64le-internal-linker-fix.patch
+Patch2:		disable_static_tests_part1.patch
+Patch3:		disable_static_tests_part2.patch
+Patch4:		skip-test-overlong-message.patch
+Patch5:		modify_go.env.patch
 
 # Having documentation separate was broken
 Obsoletes:      %{name}-docs < 1.1-4
@@ -158,6 +154,9 @@ Obsoletes:      %{name}-docs < 1.1-4
 # RPM can't handle symlink -> dir with subpackages, so merge back
 Obsoletes:      %{name}-data < 1.1.1-4
 
+# We don't build golang-race anymore, rhbz#2230599
+Obsoletes:      golang-race < 1.20.0
+
 # These are the only RHEL/Fedora architectures that we compile this package for
 ExclusiveArch:  %{golang_arches}
 
@@ -239,16 +238,26 @@ Requires:       %{name} = %{version}-%{release}
 %endif
 
 %prep
-%setup -q -n go-go%{go_version}-%{pkg_release}-openssl-fips
+%setup -q -n go-go%{version}
 
-%patch215 -p1
-%patch221 -p1
-%patch223 -p1
-%patch224 -p1
-%patch225 -p1
-%patch226 -p1
+pushd ..
+tar -xf %{SOURCE1}
+popd
+patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/000-initial-setup.patch
+patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/001-initial-openssl-for-fips.patch
+patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/002-strict-fips-runtime-detection.patch
 
-cp %{SOURCE1} ./src/runtime/
+# Configure crypto tests
+pushd ../go-go%{version}-%{pkg_release}-openssl-fips
+ln -s ../go-go%{version} go
+./scripts/configure-crypto-tests.sh
+popd
+
+%autopatch -p1
+
+sed -i '1s/$/ (%{?rhel:Red Hat} %{version}-%{release})/' VERSION
+
+cp %{SOURCE2} ./src/runtime/
 
 %build
 set -xe
@@ -317,7 +326,7 @@ rm -rf pkg/bootstrap/bin
 
 # install everything into libdir (until symlink problems are fixed)
 # https://code.google.com/p/go/issues/detail?id=5830
-cp -apv api bin doc lib pkg src misc test VERSION \
+cp -apv api bin doc lib pkg src misc test go.env VERSION \
    $RPM_BUILD_ROOT%{goroot}
 
 # bz1099206
@@ -330,12 +339,11 @@ cwd=$(pwd)
 src_list=$cwd/go-src.list
 pkg_list=$cwd/go-pkg.list
 shared_list=$cwd/go-shared.list
-race_list=$cwd/go-race.list
 misc_list=$cwd/go-misc.list
 docs_list=$cwd/go-docs.list
 tests_list=$cwd/go-tests.list
-rm -f $src_list $pkg_list $docs_list $misc_list $tests_list $shared_list $race_list
-touch $src_list $pkg_list $docs_list $misc_list $tests_list $shared_list $race_list
+rm -f $src_list $pkg_list $docs_list $misc_list $tests_list $shared_list
+touch $src_list $pkg_list $docs_list $misc_list $tests_list $shared_list
 pushd $RPM_BUILD_ROOT%{goroot}
     find src/ -type d -a \( ! -name testdata -a ! -ipath '*/testdata/*' \) -printf '%%%dir %{goroot}/%p\n' >> $src_list
     find src/ ! -type d -a \( ! -ipath '*/testdata/*' -a ! -name '*_test*.go' \) -printf '%{goroot}/%p\n' >> $src_list
@@ -361,18 +369,11 @@ pushd $RPM_BUILD_ROOT%{goroot}
         echo "%%{goroot}/$file" >> $shared_list
         echo "%%{golibdir}/$(basename $file)" >> $shared_list
     done
-
+    
     find pkg/*_dynlink/ -type d -printf '%%%dir %{goroot}/%p\n' >> $shared_list
     find pkg/*_dynlink/ ! -type d -printf '%{goroot}/%p\n' >> $shared_list
 %endif
 
-%if %{race}
-
-    find pkg/*_race/ -type d -printf '%%%dir %{goroot}/%p\n' >> $race_list
-    find pkg/*_race/ ! -type d -printf '%{goroot}/%p\n' >> $race_list
-
-%endif
-
     find test/ -type d -printf '%%%dir %{goroot}/%p\n' >> $tests_list
     find test/ ! -type d -printf '%{goroot}/%p\n' >> $tests_list
     find src/ -type d -a \( -name testdata -o -ipath '*/testdata/*' \) -printf '%%%dir %{goroot}/%p\n' >> $tests_list
@@ -404,6 +405,8 @@ cp -av %{SOURCE100} $RPM_BUILD_ROOT%{_sysconfdir}/gdbinit.d/golang.gdb
 # prelink blacklist
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/prelink.conf.d
 cp -av %{SOURCE101} $RPM_BUILD_ROOT%{_sysconfdir}/prelink.conf.d/golang.conf
+
+# Quick fix for the rhbz#2014704
 sed -i 's/const defaultGO_LDSO = `.*`/const defaultGO_LDSO = ``/' $RPM_BUILD_ROOT%{goroot}/src/internal/buildcfg/zbootstrap.go
 
 %check
@@ -440,25 +443,23 @@ export GO_TEST_RUN=""
 
 %if %{fail_on_tests}
 
+# TestEd25519Vectors needs network connectivity but it should be cover by
+# this test https://pkgs.devel.redhat.com/cgit/tests/golang/tree/Regression/internal-testsuite/runtest.sh#n127
+
 ./run.bash --no-rebuild -v -v -v -k $GO_TEST_RUN
 
-# tests timeout on ppc64le due to
-# https://bugzilla.redhat.com/show_bug.cgi?id=2118776
-%ifnarch ppc64le
-export OPENSSL_FORCE_FIPS_MODE=1
 # Run tests with FIPS enabled.
+export GOLANG_FIPS=1
 pushd crypto
   # Run all crypto tests but skip TLS, we will run FIPS specific TLS tests later
-  GOLANG_FIPS=1 go test $(go list ./... | grep -v tls) -v
+  go test $(go list ./... | grep -v tls) -v
   # Check that signature functions have parity between boring and notboring
   CGO_ENABLED=0 go test $(go list ./... | grep -v tls) -v
 popd
 # Run all FIPS specific TLS tests
 pushd crypto/tls
-  GOLANG_FIPS=1 go test -v -run "Boring"
+  go test -v -run "Boring"
 popd
-%endif
-
 %else
 ./run.bash --no-rebuild -v -v -v -k || :
 %endif
@@ -466,7 +467,7 @@ cd ..
 
 %files
 
-%doc AUTHORS CONTRIBUTORS LICENSE PATENTS
+%doc LICENSE PATENTS
 # VERSION has to be present in the GOROOT, for `go install std` to work
 %doc %{goroot}/VERSION
 %dir %{goroot}/doc
@@ -510,136 +511,221 @@ cd ..
 %files -f go-pkg.list bin
 %{_bindir}/go
 %{_bindir}/gofmt
+%{goroot}/go.env
 
 %if %{shared}
 %files -f go-shared.list shared
 %endif
 
-%if %{race}
-%files -f go-race.list race
-%endif
-
 %changelog
-* Tue Dec 20 2022 David Benoit <dbenoit@redhat.com> - 1.18.9-1
-- Rebase to Go 1.18.9
-- Enable big endian support for fips mode 
+* Fri Apr 12 2024 David Benoit <dbenoit@redhat.com> - 1.21.9-1
+- Fix CVE-2023-45288
+- Resolves: RHEL-31915
+
+* Mon Apr 1 2024 Archana Ravindar <aravinda@redhat.com> - 1.21.7-2
+- Fix CVE-2024-1394
+- Resolves RHEL-24300
+
+* Tue Feb 13 2024 Alejandro Sáez <asm@redhat.com> - 1.21.7-1
+- Rebase to Go 1.21.7
+- Add release information
+- Set GOTOOLCHAIN to local
+- Skip TestOverlongMessagePKCS1v15
+- Resolves: RHEL-24082
+- Resolves: RHEL-18363
+- Resolves: RHEL-18382
+
+* Wed Nov 08 2023 David Benoit <dbenoit@redhat.com> - 1.21.3-4
+- Do not remove GOPROXY/GOSUMDB
+- Related: RHEL-12620
+
+* Thu Nov 02 2023 David Benoit <dbenoit@redhat.com> - 1.21.3-3
+- Fix go.env in Go 1.21
+- Related: RHEL-12620
+
+* Tue Oct 31 2023 Archana Ravindar <aravinda@redhat.com> - 1.21.3-2
+- Rebase disable_static_tests_part2.patch to Go 1.21.3
+- Add missing strict fips runtime detection patch
+- Temporarily disable FIPS tests on aarch64 due to builder kernel bugs
+- Remove fix-memory-leak patch as it is fixed upstream
+- Resolves: RHEL-12620
+
+* Fri Oct 20 2023 Archana Ravindar <aravinda@redhat.com> - 1.21.3-1
+- Rebase Go to 1.21.3
+- Resolves: RHEL-12620
+
+* Mon Aug 14 2023 Alejandro Sáez <asm@redhat.com> - 1.20.6-2
+- Retire golang-race package
+- Resolves: rhbz#2230599
+
+* Tue Jul 25 2023 Alejandro Sáez <asm@redhat.com> - 1.20.6-1
+- Rebase to Go 1.20.6
+- Resolves: rhbz#2217596
+
+* Mon May 29 2023 Alejandro Sáez <asm@redhat.com> - 1.20.4-1
+- Rebase to Go 1.20.4
+- Resolves: rhbz#2204474
+
+* Tue Apr 11 2023 David Benoit <dbenoit@redhat.com> - 1.20.3-1
+- Rebase to Go 1.20.3
+- Remove race archives
+- Update static tests patches
+- Resolves: rhbz#2185260
+
+* Tue Jan 3 2023 David Benoit <dbenoit@redhat.com> - 1.19.4-2
+- Fix memory leaks in EVP_{sign,verify}_raw
+- Resolves: rhbz#2132767
+
+* Wed Dec 21 2022 David Benoit <dbenoit@redhat.com> - 1.19.4-1
+- Rebase to Go 1.19.4
 - Fix ppc64le linker issue
-- Resolves: rhbz#2144547
-- Resolves: rhbz#2149311
+- Remove defunct patches
+- Remove downstream generated FIPS mode patches
+- Add golang-fips/go as the source for FIPS mode patches
+- Resolves: rhbz#2144542
 
-* Tue Aug 16 2022 David Benoit <dbenoit@redhat.com> - 1.18.4-3
-- Temporarily disable crypto tests on ppc64le
-- Related: rhbz#2109180
+* Mon Oct 17 2022 David Benoit <dbenoit@redhat.com> - 1.19.2-4
+- Enable big endian support in FIPS mode
+- Resolves: rhbz#1969844
 
-* Wed Aug 10 2022 Alejandro Sáez <asm@redhat.com> - 1.18.4-2
-- Update to Go 1.18.4
-- Resolves: rhbz#2109180
-- Deprecates keys smaller than 2048 bits in TestDecryptOAEP in boring mode
+* Mon Oct 17 2022 David Benoit <dbenoit@redhat.com> - 1.19.2-3
+- Restore old HashSign/HashVerify API
+- Resolves: rhbz#2132730
 
-* Fri Aug 05 2022 Alejandro Sáez <asm@redhat.com> - 1.18.4-1
-- Update to Go 1.18.4
-- Resolves: rhbz#2109180
+* Mon Oct 17 2022 David Benoit <dbenoit@redhat.com> - 1.19.2-2
+- Add support for 4096 bit keys in x509
+- Resolves: rhbz#2132694
 
-* Fri Jun 10 2022 David Benoit <dbenoit@redhat.com> - 1.18.2-2
-- Update deprecated openssl algorithms patch
-- Rebuild against openssl-3.0.1-33
-- Resolves: rhbz#2092136
-- Related: rhbz#2092016
+* Thu Oct 13 2022 David Benoit <dbenoit@redhat.com> - 1.19.2-1
+- Rebase to Go 1.19.2
+- Resolves: rhbz#2132730
 
-* Mon May 02 2022 David Benoit <dbenoit@redhat.com> - 1.18.2-1
-- Rebase to Go 1.18.2
-- Move to github.com/golang-fips/go
-- Resolves: rhbz#2075169
-- Resolves: rhbz#2060769
-- Resolves: rhbz#2067531
-- Resolves: rhbz#2067536
-- Resolves: rhbz#2067552
-- Resolves: rhbz#2025637
+* Wed Sep 14 2022 David Benoit <dbenoit@redhat.com> - 1.19.1-2
+- Rebase to Go 1.19.1
+- Resolves: rhbz#2131026
 
-* Mon Dec 13 2021 Alejandro Sáez <asm@redhat.com> - 1.17.5-1
+* Wed Aug 03 2022 Alejandro Sáez <asm@redhat.com> - 1.18.4-2
+- Adds patch for PIE mode issues on PPC64LE
+- Resolves: rhbz#2111593
+
+* Wed Jul 20 2022 David Benoit <dbenoit@redhat.com> - 1.18.4-1
+- Update Go to version 1.18.4
+- Resolves: rhbz#2109179
+
+* Wed Jul 20 2022 David Benoit <dbenoit@redhat.com> - 1.18.2-3
+- Clean up dist-git patches
+- Resolves: rhbz#2109175
+
+* Thu Jul 07 2022 Alejandro Sáez <asm@redhat.com> - 1.18.2-2
+- Bump up release version
+- Related: rhbz#2075162
+
+* Thu Jun 16 2022 David Benoit <dbenoit@redhat.com> - 1.18.2-1
+- Update to Go 1.18.2
+- Related: rhbz#2075162
+
+* Mon Apr 18 2022 David Benoit <dbenoit@redhat.com> - 1.18.0-2
+- Enable SHA1 in some contexts
+- Related: rhbz#2075162
+
+* Wed Apr 13 2022 David Benoit <dbenoit@redhat.com> - 1.18.0-1
+- Update Go to 1.18.0
+- Resolves: rhbz#2075162
+
+* Thu Feb 17 2022 David Benoit <dbenoit@redhat.com> - 1.17.7-1
+- Rebase to Go 1.17.7
+- Remove fips memory leak patch (fixed in tree)
+- Resolves: rhbz#2015930
+
+* Fri Dec 10 2021 David Benoit <dbenoit@redhat.com> - 1.17.5-1
 - Rebase to Go 1.17.5
+- Remove vdso_s390x_gettime patch
+- Resolves: rhbz#2031112
+- Related: rhbz#2028570
+
+* Fri Dec 03 2021 David Benoit <dbenoit@redhat.com> - 1.17.4-1
+- Rebase Go to 1.17.4
 - Add remove_waitgroup_misuse_tests patch
-- Add remove_ed25519vectors_test.patch
-- Remove FIPS checks to avoid issues in the CI
-- Related: rhbz#2031116
-- Resolves: rhbz#2022829
-- Resolves: rhbz#2024687
-- Resolves: rhbz#2030851
-- Resolves: rhbz#2031253
+- Related: rhbz#2014088
+- Resolves: rhbz#2028570
+- Resolves: rhbz#2022828
+- Resolves: rhbz#2024686
+- Resolves: rhbz#2028662
 
-* Wed Nov 03 2021 Alejandro Sáez <asm@redhat.com> - 1.17.2-1
+* Wed Oct 27 2021 Alejandro Sáez <asm@redhat.com> - 1.17.2-2
+- Resolves: rhbz#2014704
+
+* Tue Oct 12 2021 Alejandro Sáez <asm@redhat.com> - 1.17.2-1
 - Rebase to Go 1.17.2
-- Related: rhbz#2014087
+- Related: rhbz#2014088
+- Remove golang-1.15-warnCN.patch
+- Remove reject-leading-zeros.patch
 - Remove favicon.ico and robots.txt references
-- Exclude TestEd25519Vectors test
-- Update patch rhbz1952381
-- Remove rhbz1904567 patch
-- Remove rhbz1939923 patch
+- Exclude TestEd25519Vectors test 
 
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.16.6-4
-- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
+* Tue Aug 17 2021 David Benoit <dbenoit@redhat.com> - 1.16.7-1
+- Rebase to Go 1.16.7
+- Resolves: rhbz#1994079
+- Add reject leading zeros patch
+- Resolves: rhbz#1993314
 
-* Wed Aug 4 2021 Derek Parker <deparker@redhat.com> - 1.16.6-3
-- Include ppc64le VDSO segfault backport fix
-- Resolves: rhbz#1966622
+* Wed Jul 21 2021 Derek Parker <deparker@redhat.com> - 1.16.6-2
+- Fix TestBoringServerCurves failure when run by itself
+- Resolves: rhbz#1976168
 
-* Mon Aug 2 2021 Derek Parker <deparker@redhat.com> - 1.16.6-2
-- Bump release
-- Resolves: rhbz#1904567
+* Thu Jul 15 2021 David Benoit <dbenoit@redhat.com> - 1.16.6-1
+- Rebase to go-1.16.6-1-openssl-fips
+- Resolves: rhbz#1982281
+- Addresses CVE-2021-34558
 
-* Mon Aug 2 2021 Derek Parker <deparker@redhat.com> - 1.16.6-2
-- Backport fix allowing LTO to be enabled on cgo sources
-- Resolves: rhbz#1904567
+* Tue Jul 06 2021 Alejandro Sáez <asm@redhat.com> - 1.16.5-1
+- Rebase to 1.16.5
+- Removes rhbz#1955032 patch, it's already included in this release
+- Removes rhbz#1956891 patch, it's already included in this release
+- Related: rhbz#1979677
+- Related: rhbz#1968738
+- Related: rhbz#1972420
 
-* Tue Jul 20 2021 Derek Parker <deparker@redhat.com> - 1.16.6-1
-- Rebase to 1.16.6
-- Resolves: rhbz#1984124
-- Replace symbols no longer present in OpenSSL 3.0 ABI
-- Resolves: rhbz#1984110
-- Fix TestBoringServerCurves failing when ran by itself
-- Resolves: rhbz#1977914
+* Thu Jun 17 2021 David Benoit <dbenoit@redhat.com> - 1.16.4-3
+- Fix zero-size allocation memory leak.
+- Related: rhbz#1951877
 
-* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 1.16.4-3
-- Rebuilt for RHEL 9 BETA for openssl 3.0
-  Related: rhbz#1971065
+* Tue Jun 08 2021 David Benoit <dbenoit@redhat.com> - 1.16.4-2
+- Resolves: rhbz#1951877
 
-* Fri May 28 2021 David Benoit <dbenoit@redhat.com> - 1.16.4-2
-- Port to OpenSSL 3.0
-- Resolves: rhbz#1952381
+* Mon May 24 2021 Alejandro Sáez <asm@redhat.com> - 1.16.4-1
+- Rebase to go-1.16.4-1-openssl-fips
 
-* Fri May 14 2021 Alejandro Sáez <asm@redhat.com> - 1.16.4-1
-- Rebase to 1.16.4
-- Resolves: rhbz#1955035
-- Resolves: rhbz#1957961
+* Tue May 04 2021 Alejandro Sáez <asm@redhat.com> - 1.16.1-3
+- Resolves: rhbz#1956891
 
-* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.16.1-3
-- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+* Thu Apr 29 2021 Alejandro Sáez <asm@redhat.com> - 1.16.1-2
+- Resolves: rhbz#1955032
 
-* Tue Mar 30 2021 Alejandro Sáez <asm@redhat.com> - 1.16.1-2
-- Rebase to go-1.16.1-2-openssl-fips
-- Resolves: rhbz#1922455
-
-* Tue Mar 30 2021 Alejandro Sáez <asm@redhat.com> - 1.16.1-1
+* Wed Mar 17 2021 Alejandro Sáez <asm@redhat.com> - 1.16.1-1
 - Rebase to go-1.16.1-2-openssl-fips
+- Resolves: rhbz#1938071
 - Adds a workaround for rhbz#1939923
 - Removes Patch224, it's on upstream -> rhbz#1888673
 - Removes Patch225, it's on upstream -> https://go-review.googlesource.com/c/text/+/238238
 - Removes old patches for cleaning purposes
-- Related: rhbz#1942898
 
 * Fri Jan 22 2021 David Benoit <dbenoit@redhat.com> - 1.15.7-1
 - Rebase to 1.15.7
-- Resolves: rhbz#1892207
-- Resolves: rhbz#1918755
+- Resolves: rhbz#1870531
+- Resolves: rhbz#1919261
 
 * Tue Nov 24 2020 David Benoit <dbenoit@redhat.com> - 1.15.5-1
 - Rebase to 1.15.5
-- Resolves: rhbz#1899184
-- Resolves: rhbz#1899185
-- Resolves: rhbz#1899186
+- Resolves: rhbz#1898652
+- Resolves: rhbz#1898660
+- Resolves: rhbz#1898649
 
-* Thu Nov 12 2020 David Benoit <dbenoit@redhat.com> - 1.15.3-2
+* Mon Nov 16 2020 David Benoit <dbenoit@redhat.com> - 1.15.3-2
+- fix typo in patch file name
+- Related: rhbz#1881539
+
+* Thu Nov 12 2020 David Benoit <dbenoit@redhat.com> - 1.15.3-1
 - Rebase to 1.15.3
 - fix x/text infinite loop
 - Resolves: rhbz#1881539