ycombinator
Contributor

Description

This PR introduces a new Go build tag, requirefips, that can be used (in the future) to build a FIPS-capable distribution of the OTel Collector. This PR uses this new build tag to create FIPS (//go:build requirefips) and non-FIPS (//go:build !requirefips) implementations of allowed TLS curves. The FIPS implementation contains all the same TLS curves as the non-FIPS implementation except X25519 and X25519MLKEM768.

If these two curves were included in the FIPS distribution, running it with Golang >=1.24.6 and GODEBUG=fips140=only to surface non-FIPS-compliant algorithm uses will result in errors like so:

crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode

Link to tracking issue

Fixes #13990

Testing

Run the existing confighttp.TestHttpReception unit test with Go >= 1.24.6 and GODEBUG=fips140=only to surface non-FIPS-compliant algorithm uses.

Without the requirefips build tag
$ go version
go version go1.25.1 darwin/arm64
$ GODEBUG=fips140=only go test ./... -test.v -test.run TestHttpReception -count 1
=== RUN   TestHttpReception
=== RUN   TestHttpReception/noTLS
=== RUN   TestHttpReception/TLS
    server_test.go:267:
        	Error Trace:	/Users/shaunak/development/github/opentelemetry-collector/config/confighttp/server_test.go:267
        	Error:      	Received unexpected error:
        	            	Get "https://127.0.0.1:64822": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestHttpReception/TLS
=== RUN   TestHttpReception/TLS_(HTTP/1.1)
    server_test.go:267:
        	Error Trace:	/Users/shaunak/development/github/opentelemetry-collector/config/confighttp/server_test.go:267
        	Error:      	Received unexpected error:
        	            	Get "https://127.0.0.1:64824": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestHttpReception/TLS_(HTTP/1.1)
=== RUN   TestHttpReception/NoServerCertificates
=== RUN   TestHttpReception/mTLS
    server_test.go:267:
        	Error Trace:	/Users/shaunak/development/github/opentelemetry-collector/config/confighttp/server_test.go:267
        	Error:      	Received unexpected error:
        	            	Get "https://127.0.0.1:64828": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestHttpReception/mTLS
=== RUN   TestHttpReception/NoClientCertificate
=== RUN   TestHttpReception/WrongClientCA
--- FAIL: TestHttpReception (0.03s)
    --- PASS: TestHttpReception/noTLS (0.01s)
    --- FAIL: TestHttpReception/TLS (0.01s)
    --- FAIL: TestHttpReception/TLS_(HTTP/1.1) (0.00s)
    --- PASS: TestHttpReception/NoServerCertificates (0.00s)
    --- FAIL: TestHttpReception/mTLS (0.01s)
    --- PASS: TestHttpReception/NoClientCertificate (0.00s)
    --- PASS: TestHttpReception/WrongClientCA (0.01s)
FAIL
FAIL	go.opentelemetry.io/collector/config/confighttp	0.501s
?   	go.opentelemetry.io/collector/config/confighttp/internal	[no test files]
FAIL
With the requirefips build tag
$ go version
go version go1.25.1 darwin/arm64
$ GODEBUG=fips140=only go test -tags requirefips ./... -test.v -test.run TestHttpReception -count 1
=== RUN   TestHttpReception
=== RUN   TestHttpReception/noTLS
=== RUN   TestHttpReception/TLS
=== RUN   TestHttpReception/TLS_(HTTP/1.1)
=== RUN   TestHttpReception/NoServerCertificates
=== RUN   TestHttpReception/mTLS
=== RUN   TestHttpReception/NoClientCertificate
=== RUN   TestHttpReception/WrongClientCA
--- PASS: TestHttpReception (0.03s)
    --- PASS: TestHttpReception/noTLS (0.00s)
    --- PASS: TestHttpReception/TLS (0.01s)
    --- PASS: TestHttpReception/TLS_(HTTP/1.1) (0.00s)
    --- PASS: TestHttpReception/NoServerCertificates (0.00s)
    --- PASS: TestHttpReception/mTLS (0.01s)
    --- PASS: TestHttpReception/NoClientCertificate (0.00s)
    --- PASS: TestHttpReception/WrongClientCA (0.01s)
PASS
ok  	go.opentelemetry.io/collector/config/confighttp	0.493s
?   	go.opentelemetry.io/collector/config/confighttp/internal	[no test files]
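The curve split described in the PR description above, as an added example that is not the PR's own code: instead of two //go:build files, a single requireFIPS flag stands in for the build tag, and an audit helper flags any configured curve that GODEBUG=fips140=only would reject. The curve lists and the numeric code point for X25519MLKEM768 are assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// x25519MLKEM768 is the IANA code point for the hybrid group; Go >= 1.24
// exposes it as tls.X25519MLKEM768. Spelled out here (assumed value) so the
// example also compiles on older toolchains.
const x25519MLKEM768 tls.CurveID = 0x11EC

// nonFIPSCurves lists the groups that fips140=only refuses, per the PR
// description: X25519 and X25519MLKEM768.
var nonFIPSCurves = map[tls.CurveID]bool{
	tls.X25519:     true,
	x25519MLKEM768: true,
}

// allCurves is the full preference list assumed for the non-FIPS build.
var allCurves = []tls.CurveID{
	x25519MLKEM768, tls.X25519, tls.CurveP256, tls.CurveP384, tls.CurveP521,
}

// allowedCurves stands in for the two //go:build variants: with
// requireFIPS=true the groups refused in FIPS 140-only mode are dropped.
func allowedCurves(requireFIPS bool) []tls.CurveID {
	if !requireFIPS {
		return append([]tls.CurveID(nil), allCurves...)
	}
	out := make([]tls.CurveID, 0, len(allCurves))
	for _, c := range allCurves {
		if !nonFIPSCurves[c] {
			out = append(out, c)
		}
	}
	return out
}

// auditCurves returns the explicitly configured groups that would fail under
// fips140=only. An empty CurvePreferences means Go's defaults apply and is
// not inspected here.
func auditCurves(cfg *tls.Config) []tls.CurveID {
	var bad []tls.CurveID
	for _, c := range cfg.CurvePreferences {
		if nonFIPSCurves[c] {
			bad = append(bad, c)
		}
	}
	return bad
}

func main() {
	cfg := &tls.Config{CurvePreferences: allowedCurves(true)}
	fmt.Println("FIPS curves:", cfg.CurvePreferences, "violations:", auditCurves(cfg))
}
```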


codecov bot commented Oct 10, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.66%. Comparing base (a96eab1) to head (f47e6c8).

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #13992      +/-   ##
==========================================
- Coverage   91.67%   91.66%   -0.01%     
==========================================
  Files         654      654              
  Lines       42659    42663       +4     
==========================================
  Hits        39107    39107              
- Misses       2738     2741       +3     
- Partials      814      815       +1     


@ycombinator ycombinator force-pushed the fips140-confighttp-testhttpreception branch from 7629190 to 1b1bd95 Compare October 13, 2025 23:56
@ycombinator
Contributor Author

@dmitryax (since you are tagged as reviewer), I see that the contrib-tests-matrix (exporter-0) CI step is failing. I believe the failing test is https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/c08cb24e2cbe412fd4ec4367a3fd7bda4168bdf2/exporter/alertmanagerexporter/config_test.go#L26. What is the easiest way for me to run this test locally with the changes in this PR?


Development

Successfully merging this pull request may close these issues.

[fips140] config/confighttp.TestHttpReception unit test fails with GODEBUG=fips140=only
