Support the new Go FIPS compiler which was upgraded inside Go 1.21.6

The release of Go 1.21.6 includes the new boring crypto when compiling
with FIPS enabled. See https://go.dev/doc/devel/release#go1.21.0 and
https://github.com/golang/go/issues/64717.

This new version of boring crypto allows the use of TLS v1.3 for the
first time, so we changed the Pinniped code to use TLS v1.3 where
appropriate when compiled with the FIPS compiler. It also changed the
allowed TLS v1.2 ciphers, so we updated those as well.

After this commit, the project must be compiled with at least Go v1.21.6
when compiling in FIPS mode. The hack/Dockerfile_fips was already
updated to use that version of Go in a previous commit.

Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
This commit is contained in:
Ryan Richard
2024-01-17 14:29:08 -08:00
parent bcf070cb73
commit 50e4d6db6c
8 changed files with 175 additions and 99 deletions


@@ -1,4 +1,4 @@
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2022-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package testlib
@@ -18,7 +18,7 @@ import (
"github.com/stretchr/testify/require"
"go.pinniped.dev/internal/crypto/ptls"
"go.pinniped.dev/internal/testutil/tlsserver"
)
func RunNmapSSLEnum(t *testing.T, host string, port uint16) (string, string) {
@@ -51,9 +51,8 @@ func RunNmapSSLEnum(t *testing.T, host string, port uint16) (string, string) {
}
func GetExpectedCiphers(config *tls.Config) string {
secureConfig := ptls.Secure(nil)
skip12 := config.MinVersion == tls.VersionTLS13
skip13 := config.MaxVersion == tls.VersionTLS12
var tls12Bit, tls13Bit string
@@ -90,12 +89,15 @@ func GetExpectedCiphers(config *tls.Config) string {
tls12Bit = fmt.Sprintf(tls12Base, s.String(), cipherSuitePreference)
}
skip13 := config.MaxVersion == tls.VersionTLS12
if !skip13 {
var s strings.Builder
for i, id := range secureConfig.CipherSuites {
s.WriteString(fmt.Sprintf(tls13Item, strings.Replace(tls.CipherSuiteName(id), "TLS_", "TLS_AKE_WITH_", 1)))
if i == len(secureConfig.CipherSuites)-1 {
tls13CipherSuites := tlsserver.GetExpectedTLS13Ciphers()
for i, id := range tls13CipherSuites {
s.WriteString(fmt.Sprintf(tls13Item,
strings.Replace(tls.CipherSuiteName(id), "TLS_", "TLS_AKE_WITH_", 1),
tlsserver.GetExpectedTLS13CipherNMapKeyExchangeInfoValue(id)),
)
if i == len(tls13CipherSuites)-1 {
break
}
s.WriteString("\n")
@@ -114,7 +116,7 @@ const (
Nmap done: 1 IP address (1 host up) scanned in`
// cipher preference is a variable because in FIPs mode it is server
// cipher preference is a variable because in FIPS mode it is server
// but in normal mode it is client.
tls12Base = `
| TLSv1.2:
@@ -138,5 +140,5 @@ Nmap done: 1 IP address (1 host up) scanned in`
// For the RSA ciphers, we expect this output to be RSA 2048.
rsa2048 = "rsa 2048"
tls13Item = `| %s (ecdh_x25519) - A`
tls13Item = `| %s (%s) - A`
)
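Review bot: In the TLS 1.3 loop of GetExpectedCiphers (the `@@ -90,12 +89,15 @@` hunk), the new `s.WriteString(fmt.Sprintf(tls13Item, ...))` formats into a temporary string only to copy it into the builder; `fmt.Fprintf(&s, tls13Item, strings.Replace(tls.CipherSuiteName(id), "TLS_", "TLS_AKE_WITH_", 1), tlsserver.GetExpectedTLS13CipherNMapKeyExchangeInfoValue(id))` writes it directly and is the form staticcheck suggests. The `if i == len(tls13CipherSuites)-1 { break }` plus `s.WriteString("\n")` pattern is a hand-rolled join; collecting the formatted items into a `[]string` and using `strings.Join(items, "\n")` would make the separator handling obvious. Since `tls13Item` now takes two placeholders, a comment on its declaration in the last hunk would save the next reader a trip to the loop: `// tls13Item takes the nmap-style cipher name and the key exchange info string (e.g. "ecdh_x25519") as printed by nmap.`. It is not visible here how GetExpectedTLS13Ciphers is derived; if it is built from the same ptls configuration the server under test uses rather than an independent expected list, the assertion may be tautological, so that is worth confirming. GetExpectedCiphers's body continues outside the hunk.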