From: Dmitri Shuralyov <dmitshur@golang.org>
Date: Fri, 22 Nov 2024 04:39:47 +0000 (-0500)
Subject: cmd/dist: don't test FIPS when ASAN is on
X-Git-Tag: go1.24rc1~91
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=4865aadc21acebc8039f914929f03c7042b2ae8d;p=gostls13.git

cmd/dist: don't test FIPS when ASAN is on

CL 627603 added a clear error that FIPS+ASAN doesn't work, and
disabled a test in check_test.go. The :gofips140 test variants
in cmd/dist need to be disabled as well.

Remove a return after testing.T.Skipf since it's unreachable.

For #70321.
Fixes #70496.

Change-Id: Ia53830db1260a817aff1a82cbd91b725e0791437
Cq-Include-Trybots: luci.golang.try:gotip-linux-amd64-asan-clang15
Reviewed-on: https://go-review.googlesource.com/c/go/+/631095
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
---

diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go
index c77aedbbd0..5a981f8bc1 100644
--- a/src/cmd/dist/test.go
+++ b/src/cmd/dist/test.go
@@ -714,7 +714,7 @@ func (t *tester) registerTests() {
 	})
 
 	// Check that all crypto packages compile (and test correctly, in longmode) with fips.
-	if fipsSupported() {
+	if t.fipsSupported() {
 		// Test standard crypto packages with fips140=on.
 		t.registerTest("GODEBUG=fips140=on go test crypto/...", &goTest{
 			variant: "gofips140",
@@ -1794,7 +1794,7 @@ func isEnvSet(evar string) bool {
 	return false
 }
 
-func fipsSupported() bool {
+func (t *tester) fipsSupported() bool {
 	// Use GOFIPS140 or GOEXPERIMENT=boringcrypto, but not both.
 	if strings.Contains(goexperiment, "boringcrypto") {
 		return false
@@ -1811,6 +1811,13 @@ func fipsSupported() bool {
 		goos == "aix":
 		return false
 	}
+
+	// For now, FIPS+ASAN doesn't need to work.
+	// If this is made to work, also re-enable the test in check_test.go.
+	if t.asan {
+		return false
+	}
+
 	return true
 }
 
diff --git a/src/crypto/internal/fips140/check/check.go b/src/crypto/internal/fips140/check/check.go
index d8526e151d..ff61b80cb3 100644
--- a/src/crypto/internal/fips140/check/check.go
+++ b/src/crypto/internal/fips140/check/check.go
@@ -83,7 +83,8 @@ func init() {
 		// crypto/internal/fips140deps and then call it to unpoison the range
 		// before reading it, but it is unclear whether that would then cause
 		// false negatives. For now, FIPS+ASAN doesn't need to work.
-		// If this is made to work, also re-enable the test in check_test.go.
+		// If this is made to work, also re-enable the test in check_test.go
+		// and in cmd/dist/test.go.
 		panic("fips140: cannot verify in asan mode")
 	}
 
diff --git a/src/crypto/internal/fips140test/check_test.go b/src/crypto/internal/fips140test/check_test.go
index 1c7dae4127..8e1998a525 100644
--- a/src/crypto/internal/fips140test/check_test.go
+++ b/src/crypto/internal/fips140test/check_test.go
@@ -41,7 +41,6 @@ func TestFIPSCheckVerify(t *testing.T) {
 	if asan.Enabled {
 		// Verification panics with asan; don't bother.
 		t.Skipf("skipping with -asan")
-		return
 	}
 
 	cmd := testenv.Command(t, os.Args[0], "-test.v", "-test.run=TestFIPSCheck")