From: Russ Cox <rsc@golang.org>
Date: Thu, 14 Nov 2024 18:37:38 +0000 (-0500)
Subject: cmd/internal/obj: exclude external test packages from FIPS scope
X-Git-Tag: go1.24rc1~337
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=61790207f52fb594aeb5cd71c1ef62051bc177f9;p=gostls13.git

cmd/internal/obj: exclude external test packages from FIPS scope

Excluding external test packages allows them to use
//go:embed, which requires data relocations in data.
(Obviously the external test code is testing the FIPS module,
not part of it, so this is reasonable.)

Change-Id: I4bae71320ccb5faf718c045540a9ba6dd93e378f
Reviewed-on: https://go-review.googlesource.com/c/go/+/628735
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
---

diff --git a/src/cmd/internal/obj/fips.go b/src/cmd/internal/obj/fips.go
index acf74691f6..978028f70a 100644
--- a/src/cmd/internal/obj/fips.go
+++ b/src/cmd/internal/obj/fips.go
@@ -148,6 +148,12 @@ const enableFIPS = true
 
 // IsFIPS reports whether we are compiling one of the crypto/internal/fips/... packages.
 func (ctxt *Link) IsFIPS() bool {
+	if strings.HasSuffix(ctxt.Pkgpath, "_test") {
+		// External test packages are outside the FIPS hash scope.
+		// This allows them to use //go:embed, which would otherwise
+		// emit absolute relocations in the global data.
+		return false
+	}
 	return ctxt.Pkgpath == "crypto/internal/fips" || strings.HasPrefix(ctxt.Pkgpath, "crypto/internal/fips/")
 }
 
@@ -225,6 +231,11 @@ func (s *LSym) setFIPSType(ctxt *Link) {
 		return
 	}
 
+	if strings.Contains(name, "_test.") {
+		// External test packages are not in the scope.
+		return
+	}
+
 	// Now we're at least handling a FIPS symbol.
 	// It's okay to be slower now, since this code only runs when compiling a few packages.