
Panic when using OpenSSL 3.3.1 with FIPS Provider 3.0.9 #205

Closed
xnox opened this issue Jun 18, 2024 · 4 comments

Comments

@xnox

xnox commented Jun 18, 2024

When compiling golang-fips/go with all the up-to-date patches (up to and including https://github.com/golang-fips/go/blob/main/patches/017-fix-linkage.patch) and running it in FIPS mode with upstream OpenSSL 3.3.1 and FIPS provider 3.0.9, a panic happens during regular operation (i.e. go mod tidy / go get):

2024/06/12 23:21:24 WARN go: downloading google.golang.org/protobuf v1.33.0
2024/06/12 23:21:24 WARN panic: tls: HKDF-Expand-Label invocation failed unexpectedly
2024/06/12 23:21:24 WARN
2024/06/12 23:21:24 WARN goroutine 1579 [running]:
2024/06/12 23:21:24 WARN crypto/tls.(*cipherSuiteTLS13).expandLabel(0xf53a40, {0xc0006821c0, 0x20, 0x20}, {0xaccde0?, 0x7?}, {0xc0006821e0, 0x20, 0x20}, 0x20)
2024/06/12 23:21:24 WARN     crypto/tls/key_schedule.go:66 +0x565
2024/06/12 23:21:24 WARN crypto/tls.(*cipherSuiteTLS13).deriveSecret(0xf53a40, {0xc0006821c0, 0x20, 0x20}, {0xaccde0, 0x7}, {0x0?, 0x0?})
2024/06/12 23:21:24 WARN     crypto/tls/key_schedule.go:86 +0xd2
2024/06/12 23:21:24 WARN crypto/tls.(*clientHandshakeStateTLS13).establishHandshakeKeys(0xc000bc1bd0)
2024/06/12 23:21:24 WARN     crypto/tls/handshake_client_tls13.go:392 +0x109
2024/06/12 23:21:24 WARN crypto/tls.(*clientHandshakeStateTLS13).handshake(0xc000bc1bd0)
2024/06/12 23:21:24 WARN     crypto/tls/handshake_client_tls13.go:90 +0x2bb
2024/06/12 23:21:24 WARN crypto/tls.(*Conn).clientHandshake(0xc00088d508, {0xbe5b80, 0xc000f036d0})
2024/06/12 23:21:24 WARN     crypto/tls/handshake_client.go:265 +0x594
2024/06/12 23:21:24 WARN crypto/tls.(*Conn).handshakeContext(0xc00088d508, {0xbe5b10, 0xffe2e0})
2024/06/12 23:21:24 WARN     crypto/tls/conn.go:1553 +0x3cb
2024/06/12 23:21:24 WARN crypto/tls.(*Conn).HandshakeContext(...)
2024/06/12 23:21:24 WARN     crypto/tls/conn.go:1493
2024/06/12 23:21:24 WARN net/http.(*persistConn).addTLS.func2()
2024/06/12 23:21:24 WARN     net/http/transport.go:1573 +0x6e
2024/06/12 23:21:24 WARN created by net/http.(*persistConn).addTLS in goroutine 1078
2024/06/12 23:21:24 WARN     net/http/transport.go:1569 +0x309

I am currently suspecting that the changes in openssl/openssl#23456 and openssl/openssl#24141 are exposing this error, but I haven't yet investigated whether there is an incompatibility upstream or whether the bindings in golang-fips/go / golang-fips/openssl need adjustment.
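An added example, not code from the issue or from the golang-fips project: a loopback probe that exercises the same crypto/tls TLS 1.3 key schedule (expandLabel / deriveSecret) that go get hit above, so a toolchain and OpenSSL/FIPS-provider combination can be checked before it is rolled out. It uses only the standard library's httptest server with its built-in self-signed certificate; the client handshake runs in our own goroutine under recover(), so a client-side panic comes back as an error, while a server-side panic is swallowed and logged by net/http and surfaces as a client handshake error.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
)

// ProbeTLS13Handshake dials an in-process httptest TLS server with a TLS 1.3-only
// client and returns the negotiated protocol version. A panic raised inside the
// client's key schedule (for example "tls: HKDF-Expand-Label invocation failed
// unexpectedly") is converted into a returned error instead of killing the process.
func ProbeTLS13Handshake() (version uint16, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("client TLS handshake panicked: %v", r)
		}
	}()
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS13} // force the TLS 1.3 key schedule
	srv.StartTLS()
	defer srv.Close()

	// Trust exactly the test server's own certificate; no InsecureSkipVerify.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	// The httptest certificate carries 127.0.0.1 as an IP SAN, so the dialed
	// address verifies without a separate ServerName.
	conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), &tls.Config{
		MinVersion: tls.VersionTLS13,
		RootCAs:    pool,
	})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

func main() {
	v, err := ProbeTLS13Handshake()
	if err != nil {
		fmt.Println("FAIL:", err)
		os.Exit(1)
	}
	fmt.Printf("ok: negotiated TLS version %#x\n", v) // 0x0304 is TLS 1.3
}
```

Build it with the toolchain under test (for the report above, golang-fips/go in FIPS mode against the chosen OpenSSL and FIPS provider) and treat a non-zero exit as a failed compatibility check.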

@dbenoit17
Collaborator

This has been patched in openssl-3.2.2-2 in CentOS Stream. It's a compatibility issue with the fips provider within openssl so we don't expect any changes required to golang-fips/go.

@xnox
Author

xnox commented Jun 18, 2024

> This has been patched in openssl-3.2.2-2 in CentOS Stream. It's a compatibility issue with the fips provider within openssl so we don't expect any changes required to golang-fips/go.

Thanks, that pointed to openssl/openssl#24611, which in turn points to openssl/openssl#24661.

@renildk7878

renildk7878 commented Sep 4, 2024

I have the same issue; I am using OpenSSL 3.1.6 + FIPS provider 3.0.8.

Sep 04 09:58:33 test bash[42596]: panic: tls: HKDF-Expand-Label invocation failed unexpectedly: EVP_PKEY_CTX_add1_hkdf_info
Sep 04 09:58:33 test bash[42596]: openssl error(s):
Sep 04 09:58:33 test bash[42596]: goroutine 495 [running]:
Sep 04 09:58:33 test bash[42596]: crypto/tls.(*cipherSuiteTLS13).expandLabel(0x5aab358af220, {0xc000618870, 0x30, 0x30}, {0x5aab340ab1bd?, 0x7?}, {0xc0006188a0, 0x30, 0x30}, 0x>
Sep 04 09:58:33 test bash[42596]:     crypto/tls/key_schedule.go:67 +0x5ae
Sep 04 09:58:33 test bash[42596]: crypto/tls.(*cipherSuiteTLS13).deriveSecret(0x5aab358af220, {0xc000618870, 0x30, 0x30}, {0x5aab340ab1bd, 0x7}, {0x0?, 0x0?})
Sep 04 09:58:33 test bash[42596]:     crypto/tls/key_schedule.go:84 +0xd2
Sep 04 09:58:33 test bash[42596]: crypto/tls.(*clientHandshakeStateTLS13).establishHandshakeKeys(0xc0008f7bd0)
Sep 04 09:58:33 test bash[42596]:     crypto/tls/handshake_client_tls13.go:388 +0x109
Sep 04 09:58:33 test bash[42596]: crypto/tls.(*clientHandshakeStateTLS13).handshake(0xc0008f7bd0)
Sep 04 09:58:33 test bash[42596]:     crypto/tls/handshake_client_tls13.go:86 +0x274
Sep 04 09:58:33 test bash[42596]: crypto/tls.(*Conn).clientHandshake(0xc000737188, {0x5aab34aa7458, 0xc0006815e0})
Sep 04 09:58:33 test bash[42596]:     crypto/tls/handshake_client.go:265 +0x594
Sep 04 09:58:33 test bash[42596]: crypto/tls.(*Conn).handshakeContext(0xc000737188, {0x5aab34aa73b0, 0x5aab35a57e00})
Sep 04 09:58:33 test bash[42596]:     crypto/tls/conn.go:1553 +0x3cb
Sep 04 09:58:33 test bash[42596]: crypto/tls.(*Conn).HandshakeContext(...)
Sep 04 09:58:33 test bash[42596]:     crypto/tls/conn.go:1493
Sep 04 09:58:33 test bash[42596]: net/http.(*persistConn).addTLS.func2()
Sep 04 09:58:33 test bash[42596]:     net/http/transport.go:1573 +0x6e
Sep 04 09:58:33 test bash[42596]: created by net/http.(*persistConn).addTLS in goroutine 304
Sep 04 09:58:33 test bash[42596]:     net/http/transport.go:1569 +0x309

Did it get fixed in any version of Linux?

@xnox
Author

xnox commented Sep 4, 2024

> I have the same issue; I am using OpenSSL 3.1.6 + FIPS provider 3.0.8.

If your OpenSSL 3.1.6 contains the regression openssl/openssl@3a16b60, ensure that it also has the fix-up openssl/openssl@14de8da or a revert of the regression.

> Did it get fixed in any version of Linux?

Yes.
