Bug 2132419

Summary: rhel-8.8 golang net/http testcases failures on s390x
Product: Red Hat Enterprise Linux 8 Reporter: Edjunior Barbosa Machado <emachado>
Component: golangAssignee: David Benoit <dbenoit>
Status: CLOSED ERRATA QA Contact: Edjunior Barbosa Machado <emachado>
Severity: unspecified Docs Contact: Jacob Taylor Valdez <jvaldez>
Priority: unspecified    
Version: 8.8CC: asm, dbenoit, emachado, jvaldez, sipoyare, tstellar
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: s390x   
OS: Unspecified   
Whiteboard:
Fixed In Version: go-toolset-rhel8-8080020221121140318.17f3f959 Doc Type: Bug Fix
Doc Text:
.Implemented big endian support in `OpenSSL` bindings for `golang` Previously, the `OpenSSL` bindings for `golang` did not have support for big-endian, leading to potential issues with the conversion of `BigInt` values. As a result, the crypto routines were unable to perform this conversion. To fix this issue, big-endian support was implemented in the `OpenSSL` bindings for `golang`. As a result, conversions from `BigInt` are now successful, and the tests pass as expected.
 Story Points: ---
Clone Of:
: 2133399 (view as bug list) Environment:
Last Closed: 2023-05-16 08:24:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2133399    

Description Edjunior Barbosa Machado 2022-10-05 15:31:45 UTC 
Description of problem:
A number of tests from golang net/http internal testsuite are failing on latest golang-1.19.1-2.module+el8.8.0+16778+5fbb74f5 on RHEL-8.8.0-20220929.2 s390x, most of them with "tls: failed to sign handshake: boringcrypto: RSA_sign_pss_mgf1 failed":

[root@s390x-kvm-061 ~]# GOLANG_FIPS=1 go test -timeout 50m -count=1 net/http
--- FAIL: TestTransportBodyAltRewind (0.00s)
    transport_internal_test.go:218: tls: failed to sign handshake: boringcrypto: RSA_sign_pss_mgf1 failed
    transport_internal_test.go:265: Post "https://example.org/": remote error: tls: internal error
2022/10/05 09:26:51 http: TLS handshake error from 127.0.0.1:46500: tls: failed to sign handshake: boringcrypto: RSA_sign_pss_mgf1 failed
--- FAIL: TestNextProtoUpgrade (0.00s)
    alpn_test.go:49: Get "https://127.0.0.1:36945": remote error: tls: internal error
2022/10/05 09:26:52 http: TLS handshake error from 127.0.0.1:40460: tls: failed to sign handshake: boringcrypto: RSA_sign_pss_mgf1 failed
--- FAIL: TestClientHead_h2 (0.01s)
    client_test.go:100: Head "https://127.0.0.1:41297": remote error: tls: internal error
2022/10/05 09:26:54 http: TLS handshake error from 127.0.0.1:50378: tls: failed to sign handshake: boringcrypto: RSA_sign_pss_mgf1 failed
[root@s390x-kvm-061 ~]# head -n 50 _net-http.log 
--- FAIL: TestTransportBodyAltRewind (0.00s)
    transport_internal_test.go:218: tls: failed to sign handshake: boringcrypto: RSA_sign_pss_mgf1 failed
    transport_internal_test.go:265: Post "https://example.org/": remote error: tls: internal error
2022/10/05 09:26:51 http: TLS handshake error from 127.0.0.1:46500: tls: failed to sign handshake: boringcrypto: RSA_sign_pss_mgf1 failed
--- FAIL: TestNextProtoUpgrade (0.00s)
    alpn_test.go:49: Get "https://127.0.0.1:36945": remote error: tls: internal error
2022/10/05 09:26:52 http: TLS handshake error from 127.0.0.1:40460: tls: failed to sign handshake: boringcrypto: RSA_sign_pss_mgf1 failed
--- FAIL: TestClientHead_h2 (0.01s)
    client_test.go:100: Head "https://127.0.0.1:41297": remote error: tls: internal error
2022/10/05 09:26:54 http: TLS handshake error from 127.0.0.1:50378: tls: failed to sign handshake: boringcrypto: RSA_sign_pss_mgf1 failed
--- FAIL: TestStreamingGet_h2 (0.01s)
    client_test.go:778: Get "https://127.0.0.1:42103": remote error: tls: internal error
--- FAIL: TestClientInsecureTransport (0.03s)
    client_test.go:869: insecure=true: got unexpected err=Get "https://127.0.0.1:43801": remote error: tls: internal error
2022/10/05 09:26:54 http: TLS handshake error from 127.0.0.1:49572: tls: failed to sign handshake: boringcrypto: RSA_sign_pss_mgf1 failed
--- FAIL: TestClientWithCorrectTLSServerName (0.00s)
    client_test.go:914: expected successful TLS connection, got error: Get "https://127.0.0.1:43457": remote error: tls: internal error
2022/10/05 09:26:54 http: TLS handshake error from 127.0.0.1:59994: tls: failed to sign handshake: boringcrypto: RSA_sign_pss_mgf1 failed
--- FAIL: TestTransportUsesTLSConfigServerName (0.00s)
    client_test.go:968: Get "https://some-other-host.tld/": remote error: tls: internal error
2022/10/05 09:26:54 http: panic serving 127.0.0.1:56502: runtime error: index out of range [0] with length 0
goroutine 319 [running]:
net/http.(*conn).serve.func1()
	/usr/lib/golang/src/net/http/server.go:1850 +0x122
panic({0x153a8c0, 0xc00002e120})
	/usr/lib/golang/src/runtime/panic.go:890 +0x2ca
crypto/rsa.decryptPKCS1v15({0x163ae40, 0x16368b0}, 0xc00028c2a0, {0xc00027eb3e, 0x0, 0x2})
	/usr/lib/golang/src/crypto/rsa/pkcs1v15.go:196 +0x430
crypto/rsa.DecryptPKCS1v15SessionKey({0x163ae40, 0x16368b0}, 0xc00028c2a0, {0xc00027eb3e, 0x0, 0x2}, {0xc0001a7d10, 0x30, 0x30})
	/usr/lib/golang/src/crypto/rsa/pkcs1v15.go:147 +0x140
crypto/rsa.(*PrivateKey).Decrypt(0xc00028c2a0, {0x163ae40, 0x16368b0}, {0xc00027eb3e, 0x0, 0x2}, {0x14c71c0, 0xc00027eb40})
	/usr/lib/golang/src/crypto/rsa/rsa.go:171 +0x128
crypto/tls.rsaKeyAgreement.processClientKeyExchange({}, 0xc00014c000, 0xc00014a980, 0xc0001a44b0, 0x303)
	/usr/lib/golang/src/crypto/tls/key_agreement.go:63 +0x172
crypto/tls.(*serverHandshakeState).doFullHandshake(0xc0002557c0)
	/usr/lib/golang/src/crypto/tls/handshake_server.go:624 +0xea8
crypto/tls.(*serverHandshakeState).handshake(0xc0002557c0)
	/usr/lib/golang/src/crypto/tls/handshake_server.go:102 +0x25e
crypto/tls.(*Conn).serverHandshake(0xc0000b8380, {0x163cf98, 0xc0000200c0})
	/usr/lib/golang/src/crypto/tls/handshake_server.go:62 +0xe2
crypto/tls.(*Conn).handshakeContext(0xc0000b8380, {0x163d040, 0xc0001a4240})
	/usr/lib/golang/src/crypto/tls/conn.go:1462 +0x37c
crypto/tls.(*Conn).HandshakeContext(...)
	/usr/lib/golang/src/crypto/tls/conn.go:1405
net/http.(*conn).serve(0xc0000bc8c0, {0x163d040, 0xc0001a4150})
	/usr/lib/golang/src/net/http/server.go:1873 +0x103e
created by net/http.(*Server).Serve
	/usr/lib/golang/src/net/http/server.go:3102 +0x5b8
--- FAIL: TestResponseSetsTLSConnectionState (0.00s)
(...)

FWIW, similar "TLS handshake error" failures were also seen on rhel-8.6 go-toolset, as addressed on bug #2015930.

Version-Release number of selected component (if applicable):
golang-1.19.1-2.module+el8.8.0+16778+5fbb74f5.s390x
go-toolset:rhel8:8080020220930130611:17f3f959

Steps to Reproduce:
1. GOLANG_FIPS=1 go test -timeout 50m -count=1 net/http
Comment 12 errata-xmlrpc 2023-05-16 08:24:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (go-toolset:rhel8 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2761
Comment 13 Red Hat Bugzilla 2023-09-19 04:27:51 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days