Build the Go toolchain using allowcryptofallback
#1505
Merged
`allowcryptofallback` can be used to allow executing the Go toolchain with `GOFIPS=1`, e.g. `GOFIPS=1 go test .`, even when the Go toolchain itself is not built with `GOEXPERIMENT=systemcrypto`.

Reusing `allowcryptofallback` allows us to drop patch 7, which was tackling the same issue with a more intrusive and less robust approach: unsetting `GOFIPS` when the runtime was initializing and setting it again every time a child process was spawned.

This will help migrating from `GOFIPS` to `GODEBUG=fips140`.

These changes uncovered a latent bug in the Go toolchain: `GOFIPS` was not being honored. For a reason that I still do not understand, the Go toolchain didn't pass the `GOFIPS` env var to child processes. Note that this bug doesn't affect setting `GOFIPS` in production environments, only when running commands like `go test`, `go run`, or `go tool dist test`.

Now that `GOFIPS` actually does something when running `go tool dist test` (which we execute in CI to run all the toolchain tests), the Mariner 1 and Mariner 2 builders started to fail (see logs) due to FIPS mode not being enabled (remember that we removed the `openssl.SetFIPS(true)` call in #1496, so we no longer enable FIPS mode on demand). To fix this, I've updated the builder scripts so that they enable FIPS mode before running the tests by setting the Mariner/AZL3-specific `OPENSSL_FORCE_FIPS_MODE` env var. Note that we already do something similar on Windows, where FIPS mode is enabled by modifying the system registry.

For #1445.
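As an added illustration (not code from this PR or from the microsoft/go toolchain), the hypothetical Go program below models the policy the description outlines: a FIPS request can come from the legacy `GOFIPS=1` switch or from `GODEBUG=fips140`; when a fallback flag is set, a binary that has no FIPS-capable crypto backend keeps running instead of failing; and the FIPS-related variables must be forwarded to any child process so the request is honored there too. The function names `FIPSRequested`, `CheckFIPSPolicy` and `ForwardFIPSEnv`, and the choice to treat `fips140=on` and `fips140=only` as requests, are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// ErrNoFIPSBackend is the failure a FIPS-required run hits when the binary
// has no FIPS-capable crypto backend and fallback is not allowed.
// (Hypothetical error for this example.)
var ErrNoFIPSBackend = errors.New("FIPS mode requested but the binary has no FIPS-capable crypto backend")

// FIPSRequested reports whether the environment asks for FIPS mode, honoring
// both GOFIPS=1 and a fips140 setting inside the comma-separated GODEBUG list.
// (Hypothetical helper; real parsing lives inside the Go runtime.)
func FIPSRequested(env map[string]string) bool {
	if env["GOFIPS"] == "1" {
		return true
	}
	for _, kv := range strings.Split(env["GODEBUG"], ",") {
		k, v, ok := strings.Cut(kv, "=")
		if ok && k == "fips140" && (v == "on" || v == "only") {
			return true
		}
	}
	return false
}

// CheckFIPSPolicy decides whether a process may start: no request means no
// constraint; a request is satisfied by a FIPS backend or, when the
// allowcryptofallback-style flag is set, by falling back to the default backend.
func CheckFIPSPolicy(env map[string]string, backendIsFIPS, allowFallback bool) error {
	if !FIPSRequested(env) {
		return nil
	}
	if backendIsFIPS || allowFallback {
		return nil
	}
	return ErrNoFIPSBackend
}

// ForwardFIPSEnv returns base plus GOFIPS and GODEBUG copied from the parent
// environment when base does not already set them, so a spawned child (go test,
// go run, ...) sees the same FIPS request as its parent.
func ForwardFIPSEnv(base []string, parent map[string]string) []string {
	out := append([]string(nil), base...)
	for _, key := range []string{"GOFIPS", "GODEBUG"} {
		val, ok := parent[key]
		if !ok {
			continue
		}
		present := false
		for _, kv := range base {
			if strings.HasPrefix(kv, key+"=") {
				present = true
				break
			}
		}
		if !present {
			out = append(out, key+"="+val)
		}
	}
	return out
}

// envMap turns os.Environ()-style "KEY=VALUE" entries into a map.
func envMap(environ []string) map[string]string {
	m := make(map[string]string, len(environ))
	for _, kv := range environ {
		if k, v, ok := strings.Cut(kv, "="); ok {
			m[k] = v
		}
	}
	return m
}

func main() {
	env := envMap(os.Environ())
	// Constructed scenario: this binary is assumed to lack a FIPS backend.
	fmt.Println("FIPS requested:", FIPSRequested(env))
	fmt.Println("without fallback:", CheckFIPSPolicy(env, false, false))
	fmt.Println("with fallback:   ", CheckFIPSPolicy(env, false, true))
	fmt.Println("child env:", ForwardFIPSEnv([]string{"PATH=/usr/bin"}, env))
}
```

Running it as `GOFIPS=1 go run .` shows the request being detected, rejected without fallback, accepted with fallback, and forwarded into the child environment; without `GOFIPS` or `GODEBUG=fips140=on` set, nothing is requested and both policy checks pass.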