cmd/go: `go test` doesn't work with `GODEBUG=fips140=only`

[qmuntal]

Go version

go version devel go1.24-c8fb6ae617 Sun Dec 8 15:34:47 2024 +0000 windows/amd64

Output of go env in your module/workspace:

set AR=ar
set CC=gcc
set CGO_CFLAGS=-O2 -g
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-O2 -g
set CGO_ENABLED=1
set CGO_FFLAGS=-O2 -g
set CGO_LDFLAGS=-O2 -g
set CXX=g++
set GCCGO=gccgo
set GO111MODULE=
set GOAMD64=v1
set GOARCH=amd64
set GOAUTH=netrc
set GOBIN=
set GOCACHE=C:\Users\qmuntaldiaz\AppData\Local\go-build
set GODEBUG=fips140=only
set GOENV=C:\Users\qmuntaldiaz\AppData\Roaming\go\env
set GOEXE=.exe
set GOEXPERIMENT=
set GOFIPS140=off
set GOFLAGS=
set GOGCCFLAGS=-m64 -mthreads -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=C:\Users\QMUNTA~1\AppData\Local\Temp\go-build2630541339=/tmp/go-build -gno-record-gcc-switches
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GOMOD=C:\Users\qmuntaldiaz\code\golang-go\src\go.mod
set GOMODCACHE=C:\Users\qmuntaldiaz\go\pkg\mod
set GONOPROXY=github.com/microsoft/*,dev.azure.com/*
set GONOSUMDB=github.com/microsoft/*,dev.azure.com/*
set GOOS=windows
set GOPATH=C:\Users\qmuntaldiaz\go
set GOPRIVATE=github.com/microsoft/*,dev.azure.com/*
set GOPROXY=https://proxy.golang.org,direct
set GOROOT=C:\Users\qmuntaldiaz\code\golang-go
set GOSUMDB=sum.golang.org
set GOTELEMETRY=on
set GOTELEMETRYDIR=C:\Users\qmuntaldiaz\AppData\Roaming\go\telemetry
set GOTMPDIR=
set GOTOOLCHAIN=auto
set GOTOOLDIR=C:\Users\qmuntaldiaz\code\golang-go\pkg\tool\windows_amd64
set GOVCS=
set GOVERSION=devel go1.24-c8fb6ae617 Sun Dec 8 15:34:47 2024 +0000
set GOWORK=
set PKG_CONFIG=pkg-config

What did you do?

Run GODEBUG=fips140=only go test crypto/hmac

What did you see happen?

# crypto/hmac.test
<unknown line number>: internal compiler error: panic: crypto/md5: use of MD5 is not allowed in FIPS 140-only mode

goroutine 1 [running]:
runtime/debug.Stack()
        C:/Users/qmuntaldiaz/code/golang-go/src/runtime/debug/stack.go:26 +0x5e
cmd/compile/internal/base.FatalfAt({0xe8f40?, 0xc0?}, {0x14bb2de, 0x9}, {0xc0000e8f70, 0x1, 0x1})
        C:/Users/qmuntaldiaz/code/golang-go/src/cmd/compile/internal/base/print.go:230 +0x1ea
cmd/compile/internal/base.Fatalf(...)
        C:/Users/qmuntaldiaz/code/golang-go/src/cmd/compile/internal/base/print.go:195
cmd/compile/internal/gc.handlePanic()
        C:/Users/qmuntaldiaz/code/golang-go/src/cmd/compile/internal/gc/main.go:54 +0x8a
panic({0x13f25c0?, 0x163b380?})
        C:/Users/qmuntaldiaz/code/golang-go/src/runtime/panic.go:787 +0x132
crypto/md5.New(...)
        C:/Users/qmuntaldiaz/code/golang-go/src/crypto/md5/md5.go:108
internal/pkgbits.(*PkgEncoder).DumpTo(0xc00046b520, {0x163cc40, 0xc00058eb20})
        C:/Users/qmuntaldiaz/code/golang-go/src/internal/pkgbits/encoder.go:58 +0x83e
cmd/compile/internal/noder.writePkgStub({0x0?, {0x0?, 0x0?}}, {0xc00010e528, 0x1, 0x1})
        C:/Users/qmuntaldiaz/code/golang-go/src/cmd/compile/internal/noder/unified.go:357 +0x890
cmd/compile/internal/noder.unified({0x0?, {0x0?, 0x0?}}, {0xc00010e528?, 0x13dc200?, 0x0?})
        C:/Users/qmuntaldiaz/code/golang-go/src/cmd/compile/internal/noder/unified.go:195 +0xb3
cmd/compile/internal/noder.LoadPackage({0xc0000aa110, 0x1, 0xf})
        C:/Users/qmuntaldiaz/code/golang-go/src/cmd/compile/internal/noder/noder.go:77 +0x43a
cmd/compile/internal/gc.Main(0x14fbf78)
        C:/Users/qmuntaldiaz/code/golang-go/src/cmd/compile/internal/gc/main.go:208 +0xcc5
main.main()
        C:/Users/qmuntaldiaz/code/golang-go/src/cmd/compile/main.go:57 +0xf9

FAIL    crypto/hmac [build failed]
FAIL

What did you expect to see?

ok      crypto/hmac     2.442s

[gabyhelp]

Related Issues

• cmd/cgo/internal/testtls: `signal arrived during external code execution` on Windows with clang 14.0.6 #64400
• crypto/x509/internal/macos: build fails on macOS #49435 (closed)
• cmd/cgo/internal/testtls: TestTLS fails on Windows #61882 (closed)
• cmd/go: TestScript fails on Windows, macOS with case-sensitive filesystem #30432 (closed)
• this is a test #64928 (closed)
• RSA verification fails for some of the test cases when boring crypto is enabled instead of native go crytpo #68645 (closed)
• cmd/compile: unreachable panic with GODEBUG=gotypesalias=1 #65778 (closed)
• cmd/compile: internal compiler error: 'TestEnv': value generic.t1 (v164) incorrectly live at entry #66261 (closed)
• test #61922 (closed)
• all: `go tool dist test -msan` fails many tests #64256 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[qmuntal]

@golang/security @FiloSottile

[qmuntal]

@golang/release tentatively marking this as release blocker. If GODEBUG=fips140=only is broken we should consider pushing it to Go 1.25.

[FiloSottile]

Ah, good catch. We should probably just override GODEBUG=fips140=only in the compiler invocation from go test.

go test -c crypto/hmac && GODEBUG=fips140=only ./hmac.test still fails, but correctly because the crypto/hmac tests run SHA-1. I haven't changed all the standard library tests to support GODEBUG=fips140=only and I think we should probably not do it: it'd be colossal churn, for an unclear testing benefit.

[gopherbot]

Change https://go.dev/cl/639196 mentions this issue: cmd/go: disable fips140=only during test binary compilation

[prattmic]

There's nothing we'll do for this release, but it's a bit unfortunate that GODEBUG=foo go test is ambiguous w.r.t. whether the GODEBUG is intended for the toolchain or the test. It would be nice if they were differentiated somehow. This applies to GOMAXPROCS, GOGC, GOMEMLIMIT as well.

[gopherbot]

Change https://go.dev/cl/641096 mentions this issue: cmd/internal/hash: stop using md5, sha1