[fips] Add FIPS and non-FIPS implementations for allowed TLS curves (#13992)

ycombinator · web-flow · commit 26461395aad7 · 2025-10-20T23:28:21.000Z
#### Description This PR introduces a new Go build tag, `requirefips`, that can be used (in the future) to build a FIPS-capable distribution of the OTel Collector. This PR uses this new build tag to create FIPS (`//go:build requirefips`) and non-FIPS (`//go:build !requirefips`) implementations of allowed TLS curves. The FIPS implementation contains all the TLS curves as the non-FIPS implementation except `X25519` and `X25519MLKEM768`. If these two curves were included in the FIPS distribution, running it with Golang >=1.24.6 and `GODEBUG=fips140=only` to surface non-FIPS-compliant algorithm uses will result in errors like so: ``` crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode ```  #### Link to tracking issue Fixes #13990  #### Testing Run the existing `confighttp.TestHttpReception` unit test with Go >= 1.24.6 and `GODEBUG=fips140=only` to surface non-FIPS-compliant algorithm uses. ##### Without the `requirefips` build tag ``` $ go version go version go1.25.1 darwin/arm64 $ GODEBUG=fips140=only go test ./... -test.v -test.run TestHttpReception -count 1 === RUN TestHttpReception === RUN TestHttpReception/noTLS === RUN TestHttpReception/TLS server_test.go:267: Error Trace: /Users/shaunak/development/github/opentelemetry-collector/config/confighttp/server_test.go:267 Error: Received unexpected error: Get "https://127.0.0.1:64822": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode Test: TestHttpReception/TLS === RUN TestHttpReception/TLS_(HTTP/1.1) server_test.go:267: Error Trace: /Users/shaunak/development/github/opentelemetry-collector/config/confighttp/server_test.go:267 Error: Received unexpected error: Get "https://127.0.0.1:64824": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode Test: TestHttpReception/TLS_(HTTP/1.1) === RUN TestHttpReception/NoServerCertificates === RUN TestHttpReception/mTLS server_test.go:267: Error Trace: /Users/shaunak/development/github/opentelemetry-collector/config/confighttp/server_test.go:267 Error: Received unexpected error: Get "https://127.0.0.1:64828": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode Test: TestHttpReception/mTLS === RUN TestHttpReception/NoClientCertificate === RUN TestHttpReception/WrongClientCA --- FAIL: TestHttpReception (0.03s) --- PASS: TestHttpReception/noTLS (0.01s) --- FAIL: TestHttpReception/TLS (0.01s) --- FAIL: TestHttpReception/TLS_(HTTP/1.1) (0.00s) --- PASS: TestHttpReception/NoServerCertificates (0.00s) --- FAIL: TestHttpReception/mTLS (0.01s) --- PASS: TestHttpReception/NoClientCertificate (0.00s) --- PASS: TestHttpReception/WrongClientCA (0.01s) FAIL FAIL go.opentelemetry.io/collector/config/confighttp 0.501s ? go.opentelemetry.io/collector/config/confighttp/internal [no test files] FAIL ``` ##### With the `requirefips` build tag ``` $ go version go version go1.25.1 darwin/arm64 $ GODEBUG=fips140=only go test -tags requirefips ./... -test.v -test.run TestHttpReception -count 1 === RUN TestHttpReception === RUN TestHttpReception/noTLS === RUN TestHttpReception/TLS === RUN TestHttpReception/TLS_(HTTP/1.1) === RUN TestHttpReception/NoServerCertificates === RUN TestHttpReception/mTLS === RUN TestHttpReception/NoClientCertificate === RUN TestHttpReception/WrongClientCA --- PASS: TestHttpReception (0.03s) --- PASS: TestHttpReception/noTLS (0.00s) --- PASS: TestHttpReception/TLS (0.01s) --- PASS: TestHttpReception/TLS_(HTTP/1.1) (0.00s) --- PASS: TestHttpReception/NoServerCertificates (0.00s) --- PASS: TestHttpReception/mTLS (0.01s) --- PASS: TestHttpReception/NoClientCertificate (0.00s) --- PASS: TestHttpReception/WrongClientCA (0.01s) PASS ok go.opentelemetry.io/collector/config/confighttp 0.493s ? go.opentelemetry.io/collector/config/confighttp/internal [no test files] ```
diff --git a/.chloggen/fips140-confighttp-testhttpreception.yaml b/.chloggen/fips140-confighttp-testhttpreception.yaml
@@ -0,0 +1,25 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. otlpreceiver)
+component: all
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add FIPS and non-FIPS implementations for allowed TLS curves
+
+# One or more tracking issues or pull requests related to the change
+issues: [13990]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
+
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: [user]
diff --git a/.github/workflows/utils/cspell.json b/.github/workflows/utils/cspell.json
@@ -26,6 +26,7 @@
       "Excalidraw",
       "Expvar",
       "Fanout",
+      "FIPS",
       "Funcs",
       "GHSA",
       "GOARCH",
diff --git a/config/configtls/configtls.go b/config/configtls/configtls.go
@@ -9,8 +9,10 @@ import (
 	"crypto/x509"
 	"errors"
 	"fmt"
+	"maps"
 	"os"
 	"path/filepath"
+	"slices"
 	"sync"
 	"time"
 
@@ -268,15 +270,24 @@ func (c Config) loadTLSConfig() (*tls.Config, error) {
 	if err != nil {
 		return nil, err
 	}
+
+	allowedCurves := slices.Collect(maps.Values(tlsCurveTypes))
 	curvePreferences := make([]tls.CurveID, 0, len(c.CurvePreferences))
 	for _, curve := range c.CurvePreferences {
 		curveID, ok := tlsCurveTypes[curve]
 		if !ok {
-			return nil, fmt.Errorf("invalid curve type: %s. Expected values are [P-256, P-384, P-521, X25519, X25519MLKEM768]", curve)
+			return nil, fmt.Errorf("invalid curve type: %s. Expected values are %s", curveID, allowedCurves)
 		}
 		curvePreferences = append(curvePreferences, curveID)
 	}
 
+	// If no curve preferences were explicitly specified in the configuration, use
+	// the ones we allow. This helps in particular with FIPS builds where not all curves
+	// are allowed.
+	if len(curvePreferences) == 0 {
+		curvePreferences = allowedCurves
+	}
+
 	return &tls.Config{
 		RootCAs:              certPool,
 		GetCertificate:       getCertificate,
@@ -501,11 +512,3 @@ var tlsVersions = map[string]uint16{
 	"1.2": tls.VersionTLS12,
 	"1.3": tls.VersionTLS13,
 }
-
-var tlsCurveTypes = map[string]tls.CurveID{
-	"P256":           tls.CurveP256,
-	"P384":           tls.CurveP384,
-	"P521":           tls.CurveP521,
-	"X25519":         tls.X25519,
-	"X25519MLKEM768": tls.X25519MLKEM768,
-}
diff --git a/config/configtls/configtls_test.go b/config/configtls/configtls_test.go
@@ -12,6 +12,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 	"time"
 
@@ -882,22 +883,14 @@ func TestSystemCertPool_loadCert(t *testing.T) {
 }
 
 func TestCurvePreferences(t *testing.T) {
-	tests := []struct {
+	type testCase struct {
 		name             string
 		preferences      []string
 		expectedCurveIDs []tls.CurveID
 		expectedErr      string
-	}{
-		{
-			name:             "X25519MLKEM768",
-			preferences:      []string{"X25519MLKEM768"},
-			expectedCurveIDs: []tls.CurveID{tls.X25519MLKEM768},
-		},
-		{
-			name:             "X25519",
-			preferences:      []string{"X25519"},
-			expectedCurveIDs: []tls.CurveID{tls.X25519},
-		},
+	}
+
+	tests := []testCase{
 		{
 			name:             "P521",
 			preferences:      []string{"P521"},
@@ -910,8 +903,8 @@ func TestCurvePreferences(t *testing.T) {
 		},
 		{
 			name:             "multiple",
-			preferences:      []string{"P256", "P521", "X25519"},
-			expectedCurveIDs: []tls.CurveID{tls.CurveP256, tls.CurveP521, tls.X25519},
+			preferences:      []string{"P256", "P521"},
+			expectedCurveIDs: []tls.CurveID{tls.CurveP256, tls.CurveP521},
 		},
 		{
 			name:             "invalid-curve",
@@ -920,6 +913,24 @@ func TestCurvePreferences(t *testing.T) {
 			expectedErr:      "invalid curve type",
 		},
 	}
+
+	// X25519 curves are not supported when GODEBUG=fips140=only is set, so we
+	// detect if it is and conditionally add test cases for those curves.
+	if !strings.Contains(os.Getenv("GODEBUG"), "fips140=only") {
+		tests = append(tests,
+			testCase{
+				name:             "X25519MLKEM768",
+				preferences:      []string{"X25519MLKEM768"},
+				expectedCurveIDs: []tls.CurveID{tls.X25519MLKEM768},
+			},
+			testCase{
+				name:             "X25519",
+				preferences:      []string{"X25519"},
+				expectedCurveIDs: []tls.CurveID{tls.X25519},
+			},
+		)
+	}
+
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			tlsSetting := ClientConfig{
diff --git a/config/configtls/curves_fips.go b/config/configtls/curves_fips.go
@@ -0,0 +1,19 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build requirefips
+
+package configtls // import "go.opentelemetry.io/collector/config/configtls"
+
+import "crypto/tls"
+
+var tlsCurveTypes = map[string]tls.CurveID{
+	"P256": tls.CurveP256,
+	"P384": tls.CurveP384,
+	"P521": tls.CurveP521,
+
+	// The following X25519 curves are not available in FIPS mode, so we remove them from the map.
+	// See also https://cs.opensource.google/go/go/+/refs/tags/go1.24.6:src/crypto/ecdh/x25519.go
+	//"X25519": tls.X25519,
+	//"X25519MLKEM768": tls.X25519MLKEM768,
+}
diff --git a/config/configtls/curves_nofips.go b/config/configtls/curves_nofips.go
@@ -0,0 +1,16 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build !requirefips
+
+package configtls // import "go.opentelemetry.io/collector/config/configtls"
+
+import "crypto/tls"
+
+var tlsCurveTypes = map[string]tls.CurveID{
+	"P256":           tls.CurveP256,
+	"P384":           tls.CurveP384,
+	"P521":           tls.CurveP521,
+	"X25519":         tls.X25519,
+	"X25519MLKEM768": tls.X25519MLKEM768,
+}
