RHEL-36100

[AES-GCM] cipher.AEAD is no-longer safe for concurrent use

    • Bug
    • Resolution: Unresolved
    • Undefined
    • rhel-10.0.beta
    • rhel-10.0.beta
    • golang
    • None
    • golang-1.22.4-1.el10
    • None
    • Important
    • ZStream
    • 3
    • rhel-sst-pt-llvm-rust-go
    • ssg_platform_tools
    • 3
    • QE ack, Dev ack
    • False
    • None
    • Yes
    • Sprint 4, Sprint 5, Sprint 6
    • Approved Blocker
    • Unspecified Release Note Type - Unknown
    • None

      Due to caching in the golang-fips/openssl@v2 backend, certain operations are no longer thread-safe. We end up reusing EVP_CIPHER_CTX objects across EVP-based operations, which can cause problems if these routines are called from multiple goroutines in parallel.

      This issue was reported upstream by a HashiCorp Vault engineer: https://github.com/golang-fips/go/issues/187

              rh-ee-deparker Derek Parker
              rh-ee-deparker Derek Parker
              David Benoit
              Edjunior Machado
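A regression check for the behaviour described in this report, as an added example that is not part of the report or of the golang-fips code: it shares one AES-GCM `cipher.AEAD` across many goroutines and counts round trips that fail to authenticate or return the wrong plaintext. The helper names `newGCM` and `stressAEAD` are hypothetical and the all-zero key is a constructed test value; with a thread-safe AEAD the count is 0.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"sync"
	"sync/atomic"
)

// newGCM wraps an AES key in a GCM AEAD (hypothetical helper for this example).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// stressAEAD shares one AEAD across workers goroutines and counts failed round trips.
func stressAEAD(aead cipher.AEAD, workers, iters int) int64 {
	var wg sync.WaitGroup
	var failures atomic.Int64
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func(w int) {
			defer wg.Done()
			nonce := make([]byte, aead.NonceSize())
			for i := 0; i < iters; i++ {
				binary.BigEndian.PutUint64(nonce[4:], uint64(w)<<32|uint64(i)) // unique nonce per call
				pt := []byte(fmt.Sprintf("worker=%d iter=%d", w, i))
				got, err := aead.Open(nil, nonce, aead.Seal(nil, nonce, pt, nil), nil)
				if err != nil || string(got) != string(pt) {
					failures.Add(1)
				}
			}
		}(w)
	}
	wg.Wait()
	return failures.Load()
}

func main() {
	aead, err := newGCM(make([]byte, 32)) // constructed all-zero test key, never use in production
	if err != nil {
		panic(err)
	}
	fmt.Println("failed round trips:", stressAEAD(aead, 16, 2000))
}
```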