Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-43239

golang panics with "tls: HKDF-Expand-Label invocation failed unexpectedly" with GOLANG_FIPS=1

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Not a Bug
    • Icon: Undefined Undefined
    • None
    • rhel-9.5
    • golang
    • None
    • None
    • None
    • 1
    • rhel-sst-pt-llvm-rust-go
    • ssg_platform_tools
    • None
    • False
    • Hide

      None

      Show
      None
    • None
    • Sprint 6
    • None
    • None
    • All
    • None

      Latest rhel-9.5 golang-1.22.4-1.el9 fails to run 'go get' when executing on FIPS mode:

      [root@vm-10-0-186-151 tmp]# go mod init test
go: creating new go.mod: module test
[root@vm-10-0-186-151 tmp]# go get -v golang.org/x/net
go: downloading golang.org/x/net v0.26.0
go: added golang.org/x/net v0.26.0
[root@vm-10-0-186-151 tmp]# GOLANG_FIPS=1 go get -v golang.org/x/net
panic: tls: HKDF-Expand-Label invocation failed unexpectedly

goroutine 31 [running]:
crypto/tls.(*cipherSuiteTLS13).expandLabel(0xf54880, {0xc000030a00, 0x20, 0x20}, {0xaccde0?, 0x7?}, {0xc000030a20, 0x20, 0x20}, 0x20)
	crypto/tls/key_schedule.go:66 +0x565
crypto/tls.(*cipherSuiteTLS13).deriveSecret(0xf54880, {0xc000030a00, 0x20, 0x20}, {0xaccde0, 0x7}, {0x0?, 0x0?})
	crypto/tls/key_schedule.go:86 +0xd2
crypto/tls.(*clientHandshakeStateTLS13).establishHandshakeKeys(0xc000067bd0)
	crypto/tls/handshake_client_tls13.go:392 +0x109
crypto/tls.(*clientHandshakeStateTLS13).handshake(0xc000067bd0)
	crypto/tls/handshake_client_tls13.go:90 +0x2bb
crypto/tls.(*Conn).clientHandshake(0xc000178388, {0xbe5c00, 0xc000080ff0})
	crypto/tls/handshake_client.go:265 +0x594
crypto/tls.(*Conn).handshakeContext(0xc000178388, {0xbe5b90, 0xfff0e0})
	crypto/tls/conn.go:1553 +0x3cb
crypto/tls.(*Conn).HandshakeContext(...)
	crypto/tls/conn.go:1493
net/http.(*persistConn).addTLS.func2()
	net/http/transport.go:1573 +0x6e
created by net/http.(*persistConn).addTLS in goroutine 16
	net/http/transport.go:1569 +0x309
[root@vm-10-0-186-151 tmp]# rpm -qa golang openssl
openssl-3.2.2-1.el9.x86_64
golang-1.22.4-1.el9.x86_64

      TestBoringCertAlgs from crypto/tls testsuite also panics:

      [root@vm-10-0-186-151 tmp]# GOLANG_FIPS=1 go test -v -timeout 50m -count=1 -run TestBoringCertAlgs crypto/tls
=== RUN   TestBoringCertAlgs
--- FAIL: TestBoringCertAlgs (1.08s)
panic: tls: HKDF-Expand-Label invocation failed unexpectedly [recovered]
	panic: tls: HKDF-Expand-Label invocation failed unexpectedly

goroutine 7 [running]:
testing.tRunner.func1.2({0x730a00, 0x834df0})
	/usr/lib/golang/src/testing/testing.go:1631 +0x24a
testing.tRunner.func1()
	/usr/lib/golang/src/testing/testing.go:1634 +0x377
panic({0x730a00?, 0x834df0?})
	/usr/lib/golang/src/runtime/panic.go:770 +0x132
crypto/tls.(*cipherSuiteTLS13).expandLabel(0xa1ce40, {0xc000022e40, 0x20, 0x20}, {0x796bf3?, 0x7?}, {0xc000022e60, 0x20, 0x20}, 0x20)
	/usr/lib/golang/src/crypto/tls/key_schedule.go:66 +0x565
crypto/tls.(*cipherSuiteTLS13).deriveSecret(0xa1ce40, {0xc000022e40, 0x20, 0x20}, {0x796bf3, 0x7}, {0x0?, 0x0?})
	/usr/lib/golang/src/crypto/tls/key_schedule.go:86 +0xd2
crypto/tls.(*serverHandshakeStateTLS13).sendServerParameters(0xc00002d7f0)
	/usr/lib/golang/src/crypto/tls/handshake_server_tls13.go:615 +0x17b
crypto/tls.(*serverHandshakeStateTLS13).handshake(0xc00002d7f0)
	/usr/lib/golang/src/crypto/tls/handshake_server_tls13.go:59 +0x72
crypto/tls.(*Conn).serverHandshake(0xc000004e08, {0x838790, 0xc0000703c0})
	/usr/lib/golang/src/crypto/tls/handshake_server.go:53 +0x16a
crypto/tls.(*Conn).handshakeContext(0xc000004e08, {0x838640, 0xabcdc0})
	/usr/lib/golang/src/crypto/tls/conn.go:1553 +0x3cb
crypto/tls.(*Conn).HandshakeContext(...)
	/usr/lib/golang/src/crypto/tls/conn.go:1493
crypto/tls.(*Conn).Handshake(...)
	/usr/lib/golang/src/crypto/tls/conn.go:1477
crypto/tls.boringHandshake(0xc0000a8680?, 0xc0000a81a0, 0xc0000a8680)
	/usr/lib/golang/src/crypto/tls/boring_test.go:202 +0x21f
crypto/tls.TestBoringCertAlgs.func1(0xc0000a8b60, {0x7965ab, 0x5}, 0xc000362e40, {0x76fa40, 0xc0000b4800}, {0xc000362ed0, 0x2, 0x2}, 0x0)
	/usr/lib/golang/src/crypto/tls/boring_test.go:380 +0x1fe
crypto/tls.TestBoringCertAlgs(0xc0000a8b60)
	/usr/lib/golang/src/crypto/tls/boring_test.go:438 +0x5bb
testing.tRunner(0xc0000a8b60, 0x7d7cd0)
	/usr/lib/golang/src/testing/testing.go:1689 +0xfb
created by testing.(*T).Run in goroutine 1
	/usr/lib/golang/src/testing/testing.go:1742 +0x390
FAIL	crypto/tls	1.120s
FAIL

              dbenoit@redhat.com David Benoit
              rhn-support-emachado Edjunior Machado
              David Benoit David Benoit
              Edjunior Machado Edjunior Machado
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

                Created:
                Updated:
                Resolved: