cmd/dist: don't test FIPS when ASAN is on

CL 627603 added a clear error that FIPS+ASAN doesn't work, and
disabled a test in check_test.go. The :gofips140 test variants
in cmd/dist need to be disabled as well.

Remove a return after testing.T.Skipf since it's unreachable.

For #70321.
Fixes #70496.

Change-Id: Ia53830db1260a817aff1a82cbd91b725e0791437
Cq-Include-Trybots: luci.golang.try:gotip-linux-amd64-asan-clang15
Reviewed-on: https://go-review.googlesource.com/c/go/+/631095
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>

diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go
index c77aedbbd060af9e7b3a89a1b0ada7b194692b1a..5a981f8bc147decb25101547f4f87dda5a6ec86b 100644 (file)
--- a/src/cmd/dist/test.go
+++ b/src/cmd/dist/test.go
@@ -714,7 +714,7 @@ func (t *tester) registerTests() {
        })
 
        // Check that all crypto packages compile (and test correctly, in longmode) with fips.
-       if fipsSupported() {
+       if t.fipsSupported() {
                // Test standard crypto packages with fips140=on.
                t.registerTest("GODEBUG=fips140=on go test crypto/...", &goTest{
                        variant: "gofips140",
@@ -1794,7 +1794,7 @@ func isEnvSet(evar string) bool {
        return false
 }
 
-func fipsSupported() bool {
+func (t *tester) fipsSupported() bool {
        // Use GOFIPS140 or GOEXPERIMENT=boringcrypto, but not both.
        if strings.Contains(goexperiment, "boringcrypto") {
                return false
@@ -1811,6 +1811,13 @@ func fipsSupported() bool {
                goos == "aix":
                return false
        }
+
+       // For now, FIPS+ASAN doesn't need to work.
+       // If this is made to work, also re-enable the test in check_test.go.
+       if t.asan {
+               return false
+       }
+
        return true
 }
 

diff --git a/src/crypto/internal/fips140/check/check.go b/src/crypto/internal/fips140/check/check.go
index d8526e151d56bdf90f3097ed6ba788e91f5565fe..ff61b80cb37ed21a17e73e66d4e761bd1767d4c1 100644 (file)
--- a/src/crypto/internal/fips140/check/check.go
+++ b/src/crypto/internal/fips140/check/check.go
@@ -83,7 +83,8 @@ func init() {
                // crypto/internal/fips140deps and then call it to unpoison the range
                // before reading it, but it is unclear whether that would then cause
                // false negatives. For now, FIPS+ASAN doesn't need to work.
-               // If this is made to work, also re-enable the test in check_test.go.
+               // If this is made to work, also re-enable the test in check_test.go
+               // and in cmd/dist/test.go.
                panic("fips140: cannot verify in asan mode")
        }
 

diff --git a/src/crypto/internal/fips140test/check_test.go b/src/crypto/internal/fips140test/check_test.go
index 1c7dae4127be5f3ec23c04be9bd29b395dff89df..8e1998a5259115ca5c8a1cb6426f1ebd193af474 100644 (file)
--- a/src/crypto/internal/fips140test/check_test.go
+++ b/src/crypto/internal/fips140test/check_test.go
@@ -41,7 +41,6 @@ func TestFIPSCheckVerify(t *testing.T) {
        if asan.Enabled {
                // Verification panics with asan; don't bother.
                t.Skipf("skipping with -asan")
-               return
        }
 
        cmd := testenv.Command(t, os.Args[0], "-test.v", "-test.run=TestFIPSCheck")