Source file src/crypto/internal/fips140test/check_test.go 

     1  // Copyright 2024 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package fipstest
     6  
     7  import (
     8  	"crypto/internal/fips140"
     9  	. "crypto/internal/fips140/check"
    10  	"crypto/internal/fips140/check/checktest"
    11  	"fmt"
    12  	"internal/abi"
    13  	"internal/godebug"
    14  	"internal/testenv"
    15  	"os"
    16  	"testing"
    17  	"unicode"
    18  	"unsafe"
    19  )
    20  
    21  const enableFIPSTest = true
    22  
    23  func TestFIPSCheckVerify(t *testing.T) {
    24  	if Verified {
    25  		t.Logf("verified")
    26  		return
    27  	}
    28  
    29  	if godebug.New("#fips140").Value() == "on" {
    30  		t.Fatalf("GODEBUG=fips140=on but verification did not run")
    31  	}
    32  
    33  	if !enableFIPSTest {
    34  		return
    35  	}
    36  
    37  	if err := fips140.Supported(); err != nil {
    38  		t.Skipf("skipping: %v", err)
    39  	}
    40  
    41  	cmd := testenv.Command(t, os.Args[0], "-test.v", "-test.run=TestFIPSCheck")
    42  	cmd.Env = append(cmd.Environ(), "GODEBUG=fips140=on")
    43  	out, err := cmd.CombinedOutput()
    44  	if err != nil {
    45  		t.Fatalf("GODEBUG=fips140=on %v failed: %v\n%s", cmd.Args, err, out)
    46  	}
    47  	t.Logf("exec'ed GODEBUG=fips140=on and succeeded:\n%s", out)
    48  }
    49  
    50  func TestFIPSCheckInfo(t *testing.T) {
    51  	if !enableFIPSTest {
    52  		return
    53  	}
    54  
    55  	if err := fips140.Supported(); err != nil {
    56  		t.Skipf("skipping: %v", err)
    57  	}
    58  
    59  	// Check that the checktest symbols are initialized properly.
    60  	if checktest.NOPTRDATA != 1 {
    61  		t.Errorf("checktest.NOPTRDATA = %d, want 1", checktest.NOPTRDATA)
    62  	}
    63  	if checktest.RODATA != 2 {
    64  		t.Errorf("checktest.RODATA = %d, want 2", checktest.RODATA)
    65  	}
    66  	if checktest.DATA.P != &checktest.NOPTRDATA {
    67  		t.Errorf("checktest.DATA.P = %p, want &checktest.NOPTRDATA (%p)", checktest.DATA.P, &checktest.NOPTRDATA)
    68  	}
    69  	if checktest.DATA.X != 3 {
    70  		t.Errorf("checktest.DATA.X = %d, want 3", checktest.DATA.X)
    71  	}
    72  	if checktest.NOPTRBSS != 0 {
    73  		t.Errorf("checktest.NOPTRBSS = %d, want 0", checktest.NOPTRBSS)
    74  	}
    75  	if checktest.BSS != nil {
    76  		t.Errorf("checktest.BSS = %p, want nil", checktest.BSS)
    77  	}
    78  	if p := checktest.PtrStaticData(); p != nil && *p != 10 {
    79  		t.Errorf("*checktest.PtrStaticData() = %d, want 10", *p)
    80  	}
    81  
    82  	// Check that the checktest symbols are in the right go:fipsinfo sections.
    83  	sect := func(i int, name string, p unsafe.Pointer) {
    84  		s := Linkinfo.Sects[i]
    85  		if !(uintptr(s.Start) <= uintptr(p) && uintptr(p) < uintptr(s.End)) {
    86  			t.Errorf("checktest.%s (%#x) not in section #%d (%#x..%#x)", name, p, i, s.Start, s.End)
    87  		}
    88  	}
    89  	sect(0, "TEXT", unsafe.Pointer(abi.FuncPCABIInternal(checktest.TEXT)))
    90  	if p := checktest.PtrStaticText(); p != nil {
    91  		sect(0, "StaticText", p)
    92  	}
    93  	sect(1, "RODATA", unsafe.Pointer(&checktest.RODATA))
    94  	sect(2, "NOPTRDATA", unsafe.Pointer(&checktest.NOPTRDATA))
    95  	if p := checktest.PtrStaticData(); p != nil {
    96  		sect(2, "StaticData", unsafe.Pointer(p))
    97  	}
    98  	sect(3, "DATA", unsafe.Pointer(&checktest.DATA))
    99  
   100  	// Check that some symbols are not in FIPS sections.
   101  	no := func(name string, p unsafe.Pointer, ix ...int) {
   102  		for _, i := range ix {
   103  			s := Linkinfo.Sects[i]
   104  			if uintptr(s.Start) <= uintptr(p) && uintptr(p) < uintptr(s.End) {
   105  				t.Errorf("%s (%#x) unexpectedly in section #%d (%#x..%#x)", name, p, i, s.Start, s.End)
   106  			}
   107  		}
   108  	}
   109  
   110  	// Check that the symbols are not in unexpected sections (that is, no overlaps).
   111  	no("checktest.TEXT", unsafe.Pointer(abi.FuncPCABIInternal(checktest.TEXT)), 1, 2, 3)
   112  	no("checktest.RODATA", unsafe.Pointer(&checktest.RODATA), 0, 2, 3)
   113  	no("checktest.NOPTRDATA", unsafe.Pointer(&checktest.NOPTRDATA), 0, 1, 3)
   114  	no("checktest.DATA", unsafe.Pointer(&checktest.DATA), 0, 1, 2)
   115  
   116  	// Check that non-FIPS symbols are not in any of the sections.
   117  	no("fmt.Printf", unsafe.Pointer(abi.FuncPCABIInternal(fmt.Printf)), 0, 1, 2, 3)     // TEXT
   118  	no("unicode.Categories", unsafe.Pointer(&unicode.Categories), 0, 1, 2, 3)           // BSS
   119  	no("unicode.ASCII_Hex_Digit", unsafe.Pointer(&unicode.ASCII_Hex_Digit), 0, 1, 2, 3) // DATA
   120  
   121  	// Check that we have enough data in total.
   122  	// On arm64 the fips sections in this test currently total 23 kB.
   123  	n := uintptr(0)
   124  	for _, s := range Linkinfo.Sects {
   125  		n += uintptr(s.End) - uintptr(s.Start)
   126  	}
   127  	if n < 16*1024 {
   128  		t.Fatalf("fips sections not big enough: %d, want at least 16 kB", n)
   129  	}
   130  }
   131  

View as plain text

go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.