FAIL on tls test suite for crypto-test.sh (VersionTLS13/fipstls) #278

Open
mark-trellix opened this issue Feb 24, 2025 · 3 comments

Comments

@mark-trellix

mark-trellix commented Feb 24, 2025

Hello, for the crypto-test.sh script only the tls test suite is failing for me after golang-fips patching.

I am using go1.23.6 as my compiler/bootstrap and targeting/using golang-fips tagged branch go1.23.6-1-openssl-fips. (I've also tried with go1.22.11 targeting golang-fips tag branch of go1.22.11-1-openssl-fips with the same issue.)

I first run ./scripts/full-initialize-repo.sh tags/go1.23.6, build go from patched source cd go/src && ./make.bash -v --no-clean, then run the crypto-test.sh with GOEXPERIMENT=strictfipsruntime which fails.

Does anyone have any idea as to why the tls test suite is failing? And maybe why it's stating that boringcrypto is not available?

 /golang-fips/go/bin/go test -count=1 crypto/tls -run '^TestBoring' -v
=== RUN   TestBoringServerProtocolVersion
=== RUN   TestBoringServerProtocolVersion/VersionTLS10
=== RUN   TestBoringServerProtocolVersion/VersionTLS11
=== RUN   TestBoringServerProtocolVersion/VersionTLS12
=== RUN   TestBoringServerProtocolVersion/VersionTLS13
=== RUN   TestBoringServerProtocolVersion/fipstls
=== RUN   TestBoringServerProtocolVersion/fipstls/VersionTLS10
=== RUN   TestBoringServerProtocolVersion/fipstls/VersionTLS11
=== RUN   TestBoringServerProtocolVersion/fipstls/VersionTLS12
--- FAIL: TestBoringServerProtocolVersion (0.01s)
    --- PASS: TestBoringServerProtocolVersion/VersionTLS10 (0.00s)
    --- PASS: TestBoringServerProtocolVersion/VersionTLS11 (0.00s)
    --- PASS: TestBoringServerProtocolVersion/VersionTLS12 (0.00s)
    --- PASS: TestBoringServerProtocolVersion/VersionTLS13 (0.00s)
    --- FAIL: TestBoringServerProtocolVersion/fipstls (0.00s)
        --- PASS: TestBoringServerProtocolVersion/fipstls/VersionTLS10 (0.00s)
        --- PASS: TestBoringServerProtocolVersion/fipstls/VersionTLS11 (0.00s)
        --- PASS: TestBoringServerProtocolVersion/fipstls/VersionTLS12 (0.00s)
panic: boringcrypto: not available [recovered]
      panic: boringcrypto: not available

goroutine 25 [running]:
testing.tRunner.func1.2({0x746ee0, 0x853ae0})
      /golang-fips/go/src/testing/testing.go:1632 +0x230
testing.tRunner.func1()
      /golang-fips/go/src/testing/testing.go:1635 +0x35e
panic({0x746ee0?, 0x853ae0?})
      /golang-fips/go/src/runtime/panic.go:785 +0x132
crypto/internal/backend.SupportsHKDF(...)
      /golang-fips/go/src/crypto/internal/backend/nobackend.go:167
crypto/tls.TestBoringServerProtocolVersion.func2(0xc00015cb60)
      /golang-fips/go/src/crypto/tls/boring_test.go:78 +0x127
testing.tRunner(0xc00015cb60, 0xc00011c980)
      /golang-fips/go/src/testing/testing.go:1690 +0xf4
created by testing.(*T).Run in goroutine 20
      /golang-fips/go/src/testing/testing.go:1743 +0x390
FAIL  crypto/tls      0.026s
FAIL

If I only run against the crypto test suite ./scripts/crypto-test.sh --suites crypto it passes successfully.

Do I even really need to have the tls test suite pass to have a fips-compliant/working fips-patched go?

@mark-trellix
Author

Digging further I found in the function TestBoringServerProtocolVersion of file go/src/crypto/tls/boring_test.go that it runs a TLS13 test:

if boring.SupportsHKDF() {
      test(t, "VersionTLS13/fipstls", VersionTLS13, "")
}

I manually commented this block out and re-ran the tests again with success: ALL TESTS PASSED

Any ideas why it's failing on this version of tls?

@mark-trellix changed the title from "FAIL on tls test suite for crypto-test.sh" to "FAIL on tls test suite for crypto-test.sh (VersionTLS13/fipstls)" on Feb 26, 2025
@dbenoit17
Collaborator

Which operating system and openssl version is this occurring with?

@mark-trellix
Author

> Which operating system and openssl version is this occurring with?

OS: Ubuntu 22.04.5 LTS
OpenSSL: OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

Is there maybe a step I'm missing? I noticed there is a golang-fips/openssl repository, but I don't fully understand how to use it.
