Support new golang fips compiler

[cfryanr]

Support the new Go FIPS compiler which was upgraded inside Go 1.21.6

The release of Go 1.21.6 includes the new boring crypto when compiling with FIPS enabled. See https://go.dev/doc/devel/release#go1.21.0 (search for 1.21.6 in that doc) and golang/go#64717.

This new version of boring crypto allows the use of TLS v1.3 for the first time, so we changed the Pinniped code to use TLS v1.3 where appropriate when compiled with the FIPS compiler. It also changed the allowed TLS v1.2 ciphers, so we updated those as well (it appears to have dropped TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384).

After this commit, the project must be compiled by at least Go v1.21.6 when compiling in fips mode. The hack/Dockerfile_fips was already updated to use that version of Go in a previous commit.

Release note:

TBD

Update February 8, 2024: Much of this work had to be reverted when Go downgraded goboring. See #1863.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (4ce9663) 79.09% compared to head (50e4d6d) 79.10%.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1841   +/-   ##
=======================================
  Coverage   79.09%   79.10%           
=======================================
  Files         173      173           
  Lines       16207    16201    -6     
=======================================
- Hits        12819    12815    -4     
+ Misses       3068     3066    -2     
  Partials      320      320           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[benjaminapetersen]

LGTM

[benjaminapetersen]

Just to create some cross-link reference for a related issue: #1605

[benjaminapetersen]

All green, lgtm!