Bug 2136792

Summary: GOLANG_FIPS=1 go get fails with "panic: crypto/elliptic: attempted operation on invalid point" on s390x [rhel-8.8]
Product: Red Hat Enterprise Linux 8 Reporter: Edjunior Barbosa Machado <emachado>
Component: golangAssignee: David Benoit <dbenoit>
Status: CLOSED CURRENTRELEASE QA Contact: Edjunior Barbosa Machado <emachado>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.8CC: asm, emachado, sipoyare, tstellar
Target Milestone: rcKeywords: Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: s390x   
OS: Unspecified   
Whiteboard:
Fixed In Version: go-toolset-rhel8-8080020230627164522.6b4b45d8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2137763 (view as bug list) Environment:
Last Closed: 2023-09-08 14:12:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2137763    

Description Edjunior Barbosa Machado 2022-10-21 10:47:20 UTC 
After fixing bug #2132694, 'GOLANG_FIPS=1 go get ...'  is now failing with panic on s390x only:

[root@s390x-kvm-055 tmp.eiWXO3QkTw]# GOLANG_FIPS=1 go get golang.org/x/net/html
panic: crypto/elliptic: attempted operation on invalid point

goroutine 37 [running]:
crypto/elliptic.panicIfNotOnCurve({0x17f1960, 0x1a9b310}, 0xc00006ee20, 0xc00006ee40)
	/usr/lib/golang/src/crypto/elliptic/elliptic.go:182 +0xee
crypto/elliptic.Marshal({0x17f1960, 0x1a9b310}, 0xc00006ee20, 0xc00006ee40)
	/usr/lib/golang/src/crypto/elliptic/elliptic.go:75 +0x42
crypto/tls.(*nistParameters).PublicKey(0xc0001311a0)
	/usr/lib/golang/src/crypto/tls/key_schedule.go:195 +0x62
crypto/tls.(*Conn).makeClientHello(0xc000121500)
	/usr/lib/golang/src/crypto/tls/handshake_client.go:146 +0xf3a
crypto/tls.(*Conn).clientHandshake(0xc000121500, {0x17f0718, 0xc0001384c0})
	/usr/lib/golang/src/crypto/tls/handshake_client.go:161 +0x90
crypto/tls.(*Conn).handshakeContext(0xc000121500, {0x17f0750, 0xc0000240b0})
	/usr/lib/golang/src/crypto/tls/conn.go:1462 +0x37c
crypto/tls.(*Conn).HandshakeContext(...)
	/usr/lib/golang/src/crypto/tls/conn.go:1405
net/http.(*persistConn).addTLS.func2()
	/usr/lib/golang/src/net/http/transport.go:1538 +0x9e
created by net/http.(*persistConn).addTLS
	/usr/lib/golang/src/net/http/transport.go:1534 +0x3dc
[root@s390x-kvm-055 ~]# rpm -qa golang

Like on previous bug, 'go get' works as expected when GOLANG_FIPS is not set:

[root@s390x-kvm-055 tmp.xILskNmDbj]# GOLANG_FIPS= go get -v golang.org/x/net/html
go: downloading golang.org/x/net v0.1.0
go: added golang.org/x/net v0.1.0

Version-Release number of selected component (if applicable):
go-toolset:rhel8:8080020221018192211:17f3f959
golang-1.19.2-3.module+el8.8.0+16972+3559a6f8.s390x
RHEL-8.8.0-20221017.2