Bug 2136792

Summary:	GOLANG_FIPS=1 go get fails with "panic: crypto/elliptic: attempted operation on invalid point" on s390x [rhel-8.8]
Product:	Red Hat Enterprise Linux 8	Reporter:	Edjunior Barbosa Machado <emachado>
Component:	golang	Assignee:	David Benoit <dbenoit>
Status:	CLOSED CURRENTRELEASE	QA Contact:	Edjunior Barbosa Machado <emachado>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	8.8	CC:	asm, emachado, sipoyare, tstellar
Target Milestone:	rc	Keywords:	Triaged
Target Release:	---
Hardware:	s390x
OS:	Unspecified
Whiteboard:
Fixed In Version:	go-toolset-rhel8-8080020230627164522.6b4b45d8	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:
Clones:	2137763 (view as bug list)		Environment:
Last Closed:	2023-09-08 14:12:27 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	2137763

Description Edjunior Barbosa Machado 2022-10-21 10:47:20 UTC

After fixing bug #2132694, 'GOLANG_FIPS=1 go get ...'  is now failing with panic on s390x only:

[root@s390x-kvm-055 tmp.eiWXO3QkTw]# GOLANG_FIPS=1 go get golang.org/x/net/html
panic: crypto/elliptic: attempted operation on invalid point

goroutine 37 [running]:
crypto/elliptic.panicIfNotOnCurve({0x17f1960, 0x1a9b310}, 0xc00006ee20, 0xc00006ee40)
	/usr/lib/golang/src/crypto/elliptic/elliptic.go:182 +0xee
crypto/elliptic.Marshal({0x17f1960, 0x1a9b310}, 0xc00006ee20, 0xc00006ee40)
	/usr/lib/golang/src/crypto/elliptic/elliptic.go:75 +0x42
crypto/tls.(*nistParameters).PublicKey(0xc0001311a0)
	/usr/lib/golang/src/crypto/tls/key_schedule.go:195 +0x62
crypto/tls.(*Conn).makeClientHello(0xc000121500)
	/usr/lib/golang/src/crypto/tls/handshake_client.go:146 +0xf3a
crypto/tls.(*Conn).clientHandshake(0xc000121500, {0x17f0718, 0xc0001384c0})
	/usr/lib/golang/src/crypto/tls/handshake_client.go:161 +0x90
crypto/tls.(*Conn).handshakeContext(0xc000121500, {0x17f0750, 0xc0000240b0})
	/usr/lib/golang/src/crypto/tls/conn.go:1462 +0x37c
crypto/tls.(*Conn).HandshakeContext(...)
	/usr/lib/golang/src/crypto/tls/conn.go:1405
net/http.(*persistConn).addTLS.func2()
	/usr/lib/golang/src/net/http/transport.go:1538 +0x9e
created by net/http.(*persistConn).addTLS
	/usr/lib/golang/src/net/http/transport.go:1534 +0x3dc
[root@s390x-kvm-055 ~]# rpm -qa golang

Like on previous bug, 'go get' works as expected when GOLANG_FIPS is not set:

[root@s390x-kvm-055 tmp.xILskNmDbj]# GOLANG_FIPS= go get -v golang.org/x/net/html
go: downloading golang.org/x/net v0.1.0
go: added golang.org/x/net v0.1.0

Version-Release number of selected component (if applicable):
go-toolset:rhel8:8080020221018192211:17f3f959
golang-1.19.2-3.module+el8.8.0+16972+3559a6f8.s390x
RHEL-8.8.0-20221017.2