go crypto: test fips140=only mode

fips140=only from #70123 breaks any non-FIPS cryptography. Testing a mode designed to break things is tricky.

Running the whole test suite is prohibitive. Instead, we should probably write a dedicated test that goes through things that are expected to work, and things that are not expected to work.

Nov 22 '24 02:11 FiloSottile

Change https://go.dev/cl/631018 mentions this issue: crypto: implement fips140=only mode

Nov 22 '24 03:11 gopherbot

Related Code Changes

crypto: implement fips140=only mode

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

Nov 22 '24 03:11 gabyhelp

Change https://go.dev/cl/639196 mentions this issue: cmd/go: disable fips140=only during test binary compilation

Jan 02 '25 13:01 gopherbot

Change https://go.dev/cl/641096 mentions this issue: cmd/internal/hash: stop using md5, sha1

Jan 07 '25 16:01 gopherbot

Change https://go.dev/cl/728506 mentions this issue: crypto/internal/fips140only: test fips140=only mode

Dec 09 '25 00:12 gopherbot

Change https://go.dev/cl/728502 mentions this issue: crypto/mlkem/mlkemtest: error out in fips140=only mode

Dec 09 '25 10:12 gopherbot

Change https://go.dev/cl/728505 mentions this issue: crypto/hpke: apply fips140.WithoutEnforcement to ML-KEM+X25519 hybrid

Dec 09 '25 10:12 gopherbot

Change https://go.dev/cl/728501 mentions this issue: all: update to x/crypto@...

Dec 09 '25 10:12 gopherbot