Fix GOLANG_FIPS=0 and enable CGO for bin/go

dbenoit17 · dbenoit17 · commit 87678f0118f2 · 2025-06-02T11:10:50.000-04:00
Pick up these two patches from the go1.23-fips-release branch.
diff --git a/patches/000-fips.patch b/patches/000-fips.patch
diff --git a/patches/001-fix-linkage.patch b/patches/001-fix-linkage.patch
@@ -0,0 +1,15 @@
+diff --git a/src/cmd/dist/build.go b/src/cmd/dist/build.go
+index 32e59b446a..b55f29298b 100644
+--- a/src/cmd/dist/build.go
++++ b/src/cmd/dist/build.go
+@@ -1309,7 +1309,9 @@ func toolenv() []string {
+ 		// we disable cgo to get static binaries for cmd/go and cmd/pprof,
+ 		// so that they work on systems without the same dynamic libraries
+ 		// as the original build system.
+-		env = append(env, "CGO_ENABLED=0")
++		//
++		// Setting CGO_ENABLED to 0 prevents cmd/go and the like from linking with vendored openssl symbols.
++		// env = append(env, "CGO_ENABLED=0")
+ 	}
+ 	if isRelease || os.Getenv("GO_BUILDER_NAME") != "" {
+ 		// Add -trimpath for reproducible builds of releases.
diff --git a/patches/002-fix-std-crypto.patch b/patches/002-fix-std-crypto.patch
@@ -0,0 +1,43 @@
+diff --git a/src/crypto/internal/backend/openssl.go b/src/crypto/internal/backend/openssl.go
+index 3d3a9a36ee..b7a65a1f6e 100644
+--- a/src/crypto/internal/backend/openssl.go
++++ b/src/crypto/internal/backend/openssl.go
+@@ -25,6 +25,21 @@ var enabled bool
+ var knownVersions = [...]string{"3", "1.1", "11", "111", "1.0.2", "1.0.0", "10"}
+ 
+ func init() {
++	// 0: FIPS opt-out: abort the process if it is enabled and can't be disabled.
++	// 1: FIPS required: abort the process if it is not enabled and can't be enabled.
++	// other values: do not override OpenSSL configured FIPS mode.
++	var fips string
++	if v, ok := syscall.Getenv("GOLANG_FIPS"); ok {
++		fips = v
++	} else if hostFIPSModeEnabled() {
++		// System configuration can only force FIPS mode.
++		fips = "1"
++	}
++
++	if fips != "1" {
++		return
++	}
++
+ 	version, _ := syscall.Getenv("GO_OPENSSL_VERSION_OVERRIDE")
+ 	if version == "" {
+ 		var fallbackVersion string
+@@ -49,16 +64,6 @@ func init() {
+ 	if err := openssl.Init(version); err != nil {
+ 		panic("opensslcrypto: can't initialize OpenSSL " + version + ": " + err.Error())
+ 	}
+-	// 0: FIPS opt-out: abort the process if it is enabled and can't be disabled.
+-	// 1: FIPS required: abort the process if it is not enabled and can't be enabled.
+-	// other values: do not override OpenSSL configured FIPS mode.
+-	var fips string
+-	if v, ok := syscall.Getenv("GOLANG_FIPS"); ok {
+-		fips = v
+-	} else if hostFIPSModeEnabled() {
+-		// System configuration can only force FIPS mode.
+-		fips = "1"
+-	}
+ 	switch fips {
+ 	case "0":
+ 		if openssl.FIPS() {
