
@ycombinator (Contributor)

Description

This PR introduces a new Go build tag, requirefips, that can be used (in the future) to build a FIPS-capable distribution of the OTel Collector. This PR uses this new build tag to create FIPS (//go:build requirefips) and non-FIPS (//go:build !requirefips) implementations of allowed TLS curves. The FIPS implementation contains all the same TLS curves as the non-FIPS implementation except X25519 and X25519MLKEM768.

If these two curves were included in the FIPS distribution, running it with Golang >=1.24.6 and GODEBUG=fips140=only to surface non-FIPS-compliant algorithm uses will result in errors like so:

crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode

Link to tracking issue

Fixes #13990

Testing

Run the existing confighttp.TestHttpReception unit test with Go >= 1.24.6 and GODEBUG=fips140=only to surface non-FIPS-compliant algorithm uses.

Without the requirefips build tag
$ go version
go version go1.25.1 darwin/arm64
$ GODEBUG=fips140=only go test ./... -test.v -test.run TestHttpReception -count 1
=== RUN   TestHttpReception
=== RUN   TestHttpReception/noTLS
=== RUN   TestHttpReception/TLS
    server_test.go:267:
        	Error Trace:	/Users/shaunak/development/github/opentelemetry-collector/config/confighttp/server_test.go:267
        	Error:      	Received unexpected error:
        	            	Get "https://127.0.0.1:64822": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestHttpReception/TLS
=== RUN   TestHttpReception/TLS_(HTTP/1.1)
    server_test.go:267:
        	Error Trace:	/Users/shaunak/development/github/opentelemetry-collector/config/confighttp/server_test.go:267
        	Error:      	Received unexpected error:
        	            	Get "https://127.0.0.1:64824": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestHttpReception/TLS_(HTTP/1.1)
=== RUN   TestHttpReception/NoServerCertificates
=== RUN   TestHttpReception/mTLS
    server_test.go:267:
        	Error Trace:	/Users/shaunak/development/github/opentelemetry-collector/config/confighttp/server_test.go:267
        	Error:      	Received unexpected error:
        	            	Get "https://127.0.0.1:64828": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestHttpReception/mTLS
=== RUN   TestHttpReception/NoClientCertificate
=== RUN   TestHttpReception/WrongClientCA
--- FAIL: TestHttpReception (0.03s)
    --- PASS: TestHttpReception/noTLS (0.01s)
    --- FAIL: TestHttpReception/TLS (0.01s)
    --- FAIL: TestHttpReception/TLS_(HTTP/1.1) (0.00s)
    --- PASS: TestHttpReception/NoServerCertificates (0.00s)
    --- FAIL: TestHttpReception/mTLS (0.01s)
    --- PASS: TestHttpReception/NoClientCertificate (0.00s)
    --- PASS: TestHttpReception/WrongClientCA (0.01s)
FAIL
FAIL	go.opentelemetry.io/collector/config/confighttp	0.501s
?   	go.opentelemetry.io/collector/config/confighttp/internal	[no test files]
FAIL

With the requirefips build tag
$ go version
go version go1.25.1 darwin/arm64
$ GODEBUG=fips140=only go test -tags requirefips ./... -test.v -test.run TestHttpReception -count 1
=== RUN   TestHttpReception
=== RUN   TestHttpReception/noTLS
=== RUN   TestHttpReception/TLS
=== RUN   TestHttpReception/TLS_(HTTP/1.1)
=== RUN   TestHttpReception/NoServerCertificates
=== RUN   TestHttpReception/mTLS
=== RUN   TestHttpReception/NoClientCertificate
=== RUN   TestHttpReception/WrongClientCA
--- PASS: TestHttpReception (0.03s)
    --- PASS: TestHttpReception/noTLS (0.00s)
    --- PASS: TestHttpReception/TLS (0.01s)
    --- PASS: TestHttpReception/TLS_(HTTP/1.1) (0.00s)
    --- PASS: TestHttpReception/NoServerCertificates (0.00s)
    --- PASS: TestHttpReception/mTLS (0.01s)
    --- PASS: TestHttpReception/NoClientCertificate (0.00s)
    --- PASS: TestHttpReception/WrongClientCA (0.01s)
PASS
ok  	go.opentelemetry.io/collector/config/confighttp	0.493s
?   	go.opentelemetry.io/collector/config/confighttp/internal	[no test files]
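As an added illustration (not code from this PR or from the Collector) of the build-tag split described above: both curve lists in one file, with a bool standing in for the requirefips tag, plus a guard that reports which entries GODEBUG=fips140=only would reject. The X25519MLKEM768 code point and the default curve order are assumptions modelled on Go 1.24's crypto/tls.

```go
package main

import "crypto/tls"

// Stand-in for tls.X25519MLKEM768 (Go >= 1.24), written as its IANA code point
// so this file also compiles on older toolchains (assumption of this example).
const x25519MLKEM768 tls.CurveID = 0x11EC

// disallowedInFIPS is the set crypto/ecdh rejects under GODEBUG=fips140=only.
var disallowedInFIPS = map[tls.CurveID]bool{tls.X25519: true, x25519MLKEM768: true}

// defaultCurves is what the non-FIPS file (//go:build !requirefips) would return;
// the order mirrors Go 1.24's default preferences (assumption).
func defaultCurves() []tls.CurveID {
	return []tls.CurveID{x25519MLKEM768, tls.X25519, tls.CurveP256, tls.CurveP384, tls.CurveP521}
}

// fipsCurves is what the FIPS file (//go:build requirefips) would return: the
// same list with the X25519-based groups removed, so fips140=only never sees them.
func fipsCurves() []tls.CurveID {
	var out []tls.CurveID
	for _, c := range defaultCurves() {
		if !disallowedInFIPS[c] {
			out = append(out, c)
		}
	}
	return out
}

// violations lists the entries of a curve list that fips140=only would reject;
// a FIPS-capable binary can run this at startup before the first handshake.
func violations(curves []tls.CurveID) []tls.CurveID {
	var bad []tls.CurveID
	for _, c := range curves {
		if disallowedInFIPS[c] {
			bad = append(bad, c)
		}
	}
	return bad
}

// serverTLSConfig selects the list; the fips flag stands in for the build tag.
func serverTLSConfig(fips bool) *tls.Config {
	curves := defaultCurves()
	if fips {
		curves = fipsCurves()
	}
	return &tls.Config{MinVersion: tls.VersionTLS12, CurvePreferences: curves}
}
```

In the real layout the two list functions live in separate files selected by the build tag, so the non-FIPS curves are never compiled into the FIPS binary at all.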

@codecov bot commented Oct 10, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.60%. Comparing base (8b09905) to head (6ccd2be).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #13992      +/-   ##
==========================================
- Coverage   91.61%   91.60%   -0.02%     
==========================================
  Files         655      655              
  Lines       42782    42786       +4     
==========================================
- Hits        39195    39192       -3     
- Misses       2764     2769       +5     
- Partials      823      825       +2     


@ycombinator ycombinator force-pushed the fips140-confighttp-testhttpreception branch from 7629190 to 1b1bd95 Compare October 13, 2025 23:56
@ycombinator (Contributor, Author)

@dmitryax (since you are tagged as reviewer), I see that the contrib-tests-matrix (exporter-0) CI step is failing. I believe the failing test is https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/c08cb24e2cbe412fd4ec4367a3fd7bda4168bdf2/exporter/alertmanagerexporter/config_test.go#L26. What is the easiest way for me to run this test locally with the changes in this PR?

@bogdan-st

@ycombinator What I've been doing in general is looking at the "run tests" step in the CI; at the top you can see the make commands that were used, and you can run the same test locally.

@dmitryax (Member)

@ycombinator that failure seems to be from the time when we had the contrib out of sync. Rebasing should help.

@dmitryax (Member)

I think we need to run the tests with GODEBUG=fips140=only in CI as well then.

@ycombinator ycombinator force-pushed the fips140-confighttp-testhttpreception branch from f47e6c8 to 6ccd2be Compare October 20, 2025 21:51
@ycombinator (Contributor, Author) commented Oct 20, 2025

I think we need to run the tests with GODEBUG=fips140=only in CI as well then

Definitely. I'm tackling that in a separate PR here: #13926. As suggested in that PR, I created separate issues for each of the failures I found and am putting up PRs (like this one here) to address them. Once all the separate issues are addressed, I'll rebase #13926 on main and put it in review.

@dmitryax dmitryax added this pull request to the merge queue Oct 20, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Oct 20, 2025
@dmitryax dmitryax added this pull request to the merge queue Oct 20, 2025
Merged via the queue into open-telemetry:main with commit 2646139 Oct 20, 2025
61 checks passed
@github-actions github-actions bot added this to the next release milestone Oct 20, 2025
@ycombinator ycombinator deleted the fips140-confighttp-testhttpreception branch October 21, 2025 22:28
Development

Successfully merging this pull request may close these issues.

[fips140] config/confighttp.TestHttpReception unit test fails with GODEBUG=fips140=only