import (
"crypto/internal/fips/hmac"
"crypto/internal/fips/sha256"
+ "internal/asan"
"internal/byteorder"
"internal/godebug"
"io"
return
}
+ if asan.Enabled {
+ // ASAN disapproves of reading swaths of global memory below.
+ // One option would be to expose runtime.asanunpoison through
+ // crypto/internal/fipsdeps and then call it to unpoison the range
+ // before reading it, but it is unclear whether that would then cause
+ // false negatives. For now, FIPS+ASAN doesn't need to work.
+ // If this is made to work, also re-enable the test in check_test.go.
+ panic("fips140: cannot verify in asan mode")
+ return
+ }
+
switch v {
case "on", "only", "debug":
// ok
"crypto/internal/fips/check/checktest"
"fmt"
"internal/abi"
+ "internal/asan"
"internal/godebug"
"os"
"os/exec"
if !Supported() {
t.Skipf("skipping on %s-%s", runtime.GOOS, runtime.GOARCH)
}
+ if asan.Enabled {
+ // Verification panics with asan; don't bother.
+ t.Skipf("skipping with -asan")
+ return
+ }
cmd := exec.Command(os.Args[0], "-test.v")
cmd.Env = append(cmd.Environ(), "GODEBUG=fips140=on")
#include "textflag.h"
-DATA ·RODATA(SB)/4, $2
-GLOBL ·RODATA(SB), RODATA, $4
+DATA crypto∕internal∕fips∕check∕checktest·RODATA(SB)/4, $2
+GLOBL crypto∕internal∕fips∕check∕checktest·RODATA(SB), RODATA, $4
// the crypto/internal/fips/check test.
package checktest
-import _ "crypto/internal/fips/check"
+import (
+ _ "crypto/internal/fips/check"
+ _ "unsafe" // go:linkname
+)
var NOPTRDATA int = 1
+// The linkname here disables asan registration of this global,
+// because asan gets mad about rodata globals.
+//
+//go:linkname RODATA crypto/internal/fips/check/checktest.RODATA
var RODATA int32 // set to 2 in asm.s
// DATA needs to have both a pointer and an int so that _some_ of it gets