RHEL-36100

[AES-GCM] cipher.AEAD is no longer safe for concurrent use

    • Bug
    • Resolution: Unresolved
    • Undefined
    • rhel-10.0.beta
    • rhel-10.0.beta
    • golang
    • None
    • golang-1.22.4-1.el10
    • Major
    • ZStream
    • 3
    • sst_pt_llvm_rust_go
    • ssg_platform_tools
    • 3
    • QE ack, Dev ack
    • False
    • None
    • Sprint 4, Sprint 5, Sprint 6
    • Approved Blocker
    • None

      Due to caching in the golang-fips/openssl@v2 backend, certain operations are no longer thread-safe. We end up reusing EVP_CIPHER_CTX objects across EVP-based operations, which can cause problems if these routines are called from multiple goroutines in parallel.

      This issue was reported upstream by a HashiCorp Vault engineer: https://github.com/golang-fips/go/issues/187

            rh-ee-deparker Derek Parker
            rh-ee-deparker Derek Parker
            David Benoit
            Edjunior Machado
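A regression check for the behaviour described in this issue, added here as an example (it is not code from the issue, from golang-fips, or from Red Hat): it shares one AES-GCM `cipher.AEAD` across goroutines and counts Seal/Open round trips that fail. The function name `concurrentAEADFailures`, the worker and round counts, and the all-zero test key are assumptions made for the example; a build whose AEAD is safe for concurrent use returns 0.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"sync"
	"sync/atomic"
)

// concurrentAEADFailures shares ONE cipher.AEAD across `workers` goroutines and
// returns how many Seal/Open round trips failed or returned the wrong plaintext.
func concurrentAEADFailures(workers, rounds int) (int64, error) {
	key := make([]byte, 32) // constructed all-zero AES-256 key, for this test only
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return 0, err
	}
	var failures int64
	var wg sync.WaitGroup
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func(id uint32) {
			defer wg.Done()
			nonce := make([]byte, aead.NonceSize()) // 12 bytes for standard GCM
			binary.BigEndian.PutUint32(nonce[:4], id) // unique per goroutine
			for i := 0; i < rounds; i++ {
				binary.BigEndian.PutUint64(nonce[4:], uint64(i)) // unique per message
				msg := []byte(fmt.Sprintf("worker %d message %d", id, i))
				ct := aead.Seal(nil, nonce, msg, nil)
				pt, err := aead.Open(nil, nonce, ct, nil)
				if err != nil || !bytes.Equal(pt, msg) {
					atomic.AddInt64(&failures, 1) // tag mismatch or mixed-up plaintext
				}
			}
		}(uint32(w))
	}
	wg.Wait()
	return failures, nil
}

func main() {
	n, err := concurrentAEADFailures(16, 2000)
	fmt.Println("failed round trips:", n, "error:", err)
}
```

The Go race detector does not instrument C code reached through cgo, so a functional check of this kind is useful in addition to running tests with `-race`.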