crypto/internal/cryptotest: add RerunWithFIPS140Enabled/Enforced

Change-Id: I131f84eabda6ed3e39ce64b75b19eb656a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/759382 Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Mark Freeman <markfreeman@google.com> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> Auto-Submit: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2026-06-27 03:11:23 +00:00 · 2026-03-25 19:39:29 +01:00 · 2026-03-25 19:39:29 +01:00 · 8b2f069b14
commit 8b2f069b14
parent 10434cb4f2
7 changed files with 34 additions and 46 deletions
--- a/src/crypto/cipher/gcm_fips140v1.26_test.go
+++ b/src/crypto/cipher/gcm_fips140v1.26_test.go
@ -13,21 +13,13 @@ import (
 	fipsaes "crypto/internal/fips140/aes"
 	"crypto/internal/fips140/aes/gcm"
 	"encoding/binary"
-	"internal/testenv"
 	"math"
 	"testing"
 )

 func TestGCMNoncesFIPSV126(t *testing.T) {
-	cryptotest.MustSupportFIPS140(t)
 	if !fips140.Enabled {
-		cmd := testenv.Command(t, testenv.Executable(t), "-test.run=^TestGCMNoncesFIPSV126$", "-test.v")
-		cmd.Env = append(cmd.Environ(), "GODEBUG=fips140=on")
-		out, err := cmd.CombinedOutput()
-		t.Logf("running with GODEBUG=fips140=on:\n%s", out)
-		if err != nil {
-			t.Errorf("fips140=on subprocess failed: %v", err)
-		}
+		cryptotest.RerunWithFIPS140Enabled(t)
 		return
 	}

--- a/src/crypto/cipher/gcm_test.go
+++ b/src/crypto/cipher/gcm_test.go
@ -17,7 +17,6 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
-	"internal/testenv"
 	"io"
 	"reflect"
 	"testing"
@ -763,15 +762,8 @@ func TestGCMExtraMethods(t *testing.T) {
 }

 func TestGCMNoncesFIPSV1(t *testing.T) {
-	cryptotest.MustSupportFIPS140(t)
 	if !fips140.Enabled {
-		cmd := testenv.Command(t, testenv.Executable(t), "-test.run=^TestGCMNoncesFIPSV1$", "-test.v")
-		cmd.Env = append(cmd.Environ(), "GODEBUG=fips140=on")
-		out, err := cmd.CombinedOutput()
-		t.Logf("running with GODEBUG=fips140=on:\n%s", out)
-		if err != nil {
-			t.Errorf("fips140=on subprocess failed: %v", err)
-		}
+		cryptotest.RerunWithFIPS140Enabled(t)
 		return
 	}

--- a/src/crypto/fips140/enforcement_test.go
+++ b/src/crypto/fips140/enforcement_test.go
@ -8,7 +8,6 @@ import (
 	"crypto/des"
 	"crypto/fips140"
 	"crypto/internal/cryptotest"
-	"internal/testenv"
 	"testing"
 )

@ -26,15 +25,8 @@ func isAllowed() bool {
 }

 func TestWithoutEnforcement(t *testing.T) {
-	cryptotest.MustSupportFIPS140(t)
 	if !fips140.Enforced() {
-		cmd := testenv.Command(t, testenv.Executable(t), "-test.run=^TestWithoutEnforcement$", "-test.v")
-		cmd.Env = append(cmd.Environ(), "GODEBUG=fips140=only")
-		out, err := cmd.CombinedOutput()
-		t.Logf("running with GODEBUG=fips140=only:\n%s", out)
-		if err != nil {
-			t.Errorf("fips140=only subprocess failed: %v", err)
-		}
+		cryptotest.RerunWithFIPS140Enforced(t)
 		return
 	}

--- a/src/crypto/internal/cryptotest/fips140.go
+++ b/src/crypto/internal/cryptotest/fips140.go
@ -6,6 +6,8 @@ package cryptotest

 import (
 	"crypto/internal/fips140"
+	"internal/testenv"
+	"regexp"
 	"testing"
 )

@ -15,3 +17,29 @@ func MustSupportFIPS140(t *testing.T) {
 		t.Skipf("test requires FIPS 140 mode: %v", err)
 	}
 }
+
+func RerunWithFIPS140Enabled(t *testing.T) {
+	t.Helper()
+	MustSupportFIPS140(t)
+	nameRegex := "^" + regexp.QuoteMeta(t.Name()) + "$"
+	cmd := testenv.Command(t, testenv.Executable(t), "-test.run="+nameRegex, "-test.v")
+	cmd.Env = append(cmd.Environ(), "GODEBUG=fips140=on")
+	out, err := cmd.CombinedOutput()
+	t.Logf("running with GODEBUG=fips140=on:\n%s", out)
+	if err != nil {
+		t.Errorf("fips140=on subprocess failed: %v", err)
+	}
+}
+
+func RerunWithFIPS140Enforced(t *testing.T) {
+	t.Helper()
+	MustSupportFIPS140(t)
+	nameRegex := "^" + regexp.QuoteMeta(t.Name()) + "$"
+	cmd := testenv.Command(t, testenv.Executable(t), "-test.run="+nameRegex, "-test.v")
+	cmd.Env = append(cmd.Environ(), "GODEBUG=fips140=only")
+	out, err := cmd.CombinedOutput()
+	t.Logf("running with GODEBUG=fips140=only:\n%s", out)
+	if err != nil {
+		t.Errorf("fips140=only subprocess failed: %v", err)
+	}
+}
--- a/src/crypto/internal/fips140only/fips140only_test.go
+++ b/src/crypto/internal/fips140only/fips140only_test.go
@ -35,7 +35,6 @@ import (
 	"encoding/pem"
 	"fmt"
 	"internal/godebug"
-	"internal/testenv"
 	"io"
 	"math/big"
 	"os"
@ -46,15 +45,8 @@ import (
 )

 func TestFIPS140Only(t *testing.T) {
-	cryptotest.MustSupportFIPS140(t)
 	if !fips140only.Enforced() {
-		cmd := testenv.Command(t, testenv.Executable(t), "-test.run=^TestFIPS140Only$", "-test.v")
-		cmd.Env = append(cmd.Environ(), "GODEBUG=fips140=only")
-		out, err := cmd.CombinedOutput()
-		t.Logf("running with GODEBUG=fips140=only:\n%s", out)
-		if err != nil {
-			t.Errorf("fips140=only subprocess failed: %v", err)
-		}
+		cryptotest.RerunWithFIPS140Enforced(t)
 		return
 	}
 	t.Run("cryptocustomrand=0", func(t *testing.T) {
--- a/src/crypto/internal/fips140test/check_test.go
+++ b/src/crypto/internal/fips140test/check_test.go
@ -31,15 +31,7 @@ func TestIntegrityCheck(t *testing.T) {
 		t.Fatalf("GODEBUG=fips140=on but verification did not run")
 	}

-	cryptotest.MustSupportFIPS140(t)
-
-	cmd := testenv.Command(t, testenv.Executable(t), "-test.v", "-test.run=^TestIntegrityCheck$")
-	cmd.Env = append(cmd.Environ(), "GODEBUG=fips140=on")
-	out, err := cmd.CombinedOutput()
-	if err != nil {
-		t.Fatalf("GODEBUG=fips140=on %v failed: %v\n%s", cmd.Args, err, out)
-	}
-	t.Logf("exec'ed GODEBUG=fips140=on and succeeded:\n%s", out)
+	cryptotest.RerunWithFIPS140Enabled(t)
 }

 func TestIntegrityCheckFailure(t *testing.T) {
--- a/src/go/build/deps_test.go
+++ b/src/go/build/deps_test.go
@ -766,7 +766,7 @@ var depsRules = `
 	CRYPTO-MATH
 	< crypto/mlkem/mlkemtest;

-	CRYPTO-MATH, testing, internal/testenv, internal/testhash, encoding/json
+	CRYPTO-MATH, testing, internal/testenv, internal/testhash, encoding/json, regexp
 	< crypto/internal/cryptotest;

 	CGO, FMT