crypto/internal/fips/check: fix for ASAN builds

For now, FIPS does not work with ASAN: ASAN detects reads it doesn't like during the scans of memory done by verification. It could be made to work if there was a way to disable ASAN during verification, but that doesn't appear to be possible. Instead of a cryptic ASAN message, panic with a clear error. And disable the test during ASAN. Fixes #70321. Change-Id: Ibc3876836abb83248a23c18c3b44c4cbb4a0c600 Reviewed-on: https://go-review.googlesource.com/c/go/+/627603 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Russ Cox <rsc@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com>
2024-11-22 11:04:40 -07:00 · 2024-11-14 12:56:46 +01:00 · 2024-11-14 12:56:46 +01:00 · 534551d55a
commit 534551d55a
parent 102d031a58
4 changed files with 28 additions and 3 deletions
--- a/src/crypto/internal/fips/check/check.go
+++ b/src/crypto/internal/fips/check/check.go
@ -15,6 +15,7 @@ package check
 import (
 	"crypto/internal/fips/hmac"
 	"crypto/internal/fips/sha256"
+	"internal/asan"
 	"internal/byteorder"
 	"internal/godebug"
 	"io"
@ -77,6 +78,17 @@ func init() {
 		return
 	}

+	if asan.Enabled {
+		// ASAN disapproves of reading swaths of global memory below.
+		// One option would be to expose runtime.asanunpoison through
+		// crypto/internal/fipsdeps and then call it to unpoison the range
+		// before reading it, but it is unclear whether that would then cause
+		// false negatives. For now, FIPS+ASAN doesn't need to work.
+		// If this is made to work, also re-enable the test in check_test.go.
+		panic("fips140: cannot verify in asan mode")
+		return
+	}
+
 	switch v {
 	case "on", "only", "debug":
 		// ok
--- a/src/crypto/internal/fips/check/check_test.go
+++ b/src/crypto/internal/fips/check/check_test.go
@ -9,6 +9,7 @@ import (
 	"crypto/internal/fips/check/checktest"
 	"fmt"
 	"internal/abi"
+	"internal/asan"
 	"internal/godebug"
 	"os"
 	"os/exec"
@ -37,6 +38,11 @@ func TestVerify(t *testing.T) {
 	if !Supported() {
 		t.Skipf("skipping on %s-%s", runtime.GOOS, runtime.GOARCH)
 	}
+	if asan.Enabled {
+		// Verification panics with asan; don't bother.
+		t.Skipf("skipping with -asan")
+		return
+	}

 	cmd := exec.Command(os.Args[0], "-test.v")
 	cmd.Env = append(cmd.Environ(), "GODEBUG=fips140=on")
--- a/src/crypto/internal/fips/check/checktest/asm.s
+++ b/src/crypto/internal/fips/check/checktest/asm.s
@ -2,5 +2,5 @@

 #include "textflag.h"

-DATA ·RODATA(SB)/4, $2
-GLOBL ·RODATA(SB), RODATA, $4
+DATA crypto∕internal∕fips∕check∕checktest·RODATA(SB)/4, $2
+GLOBL crypto∕internal∕fips∕check∕checktest·RODATA(SB), RODATA, $4
--- a/src/crypto/internal/fips/check/checktest/test.go
+++ b/src/crypto/internal/fips/check/checktest/test.go
@ -6,10 +6,17 @@
 // the crypto/internal/fips/check test.
 package checktest

-import _ "crypto/internal/fips/check"
+import (
+	_ "crypto/internal/fips/check"
+	_ "unsafe" // go:linkname
+)

 var NOPTRDATA int = 1

+// The linkname here disables asan registration of this global,
+// because asan gets mad about rodata globals.
+//
+//go:linkname RODATA crypto/internal/fips/check/checktest.RODATA
 var RODATA int32 // set to 2 in asm.s

 // DATA needs to have both a pointer and an int so that _some_ of it gets