go/build: streamline the crypto package graph in TestDependencies

Change-Id: I975243b4897d5161b839f142afbd2a46bfa1fab0 Reviewed-on: https://go-review.googlesource.com/c/go/+/636555 Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: David Chase <drchase@google.com> TryBot-Bypass: Filippo Valsorda <filippo@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org>
2025-12-08 06:10:04 +00:00 · 2024-12-16 15:52:47 +01:00 · 2024-12-16 15:52:47 +01:00 · 9f806bb76c
commit 9f806bb76c
parent 0cd833d198
1 changed files with 43 additions and 46 deletions
--- a/src/go/build/deps_test.go
+++ b/src/go/build/deps_test.go
@ -444,6 +444,10 @@ var depsRules = `
 	NET, log
 	< net/mail;

+	# FIPS is the FIPS 140 module.
+	# It must not depend on external crypto packages.
+	# See also fips140deps.AllowedInternalPackages.
+
 	io, math/rand/v2 < crypto/internal/randutil;

 	STR < crypto/internal/impl;
@ -455,8 +459,6 @@ var depsRules = `
 	internal/cpu, internal/goarch < crypto/internal/fips140deps/cpu;
 	internal/godebug < crypto/internal/fips140deps/godebug;

-	# FIPS is the FIPS 140 module.
-	# It must not depend on external crypto packages.
 	STR, crypto/internal/impl,
 	crypto/internal/entropy,
 	crypto/internal/randutil,
@ -491,63 +493,49 @@ var depsRules = `
 	< crypto/internal/fips140/rsa
 	< FIPS;

-	FIPS < crypto/internal/fips140/check/checktest;
+	FIPS, internal/godebug < crypto/fips140;

-	FIPS, sync/atomic < crypto/tls/internal/fips140tls;
+	crypto, hash !< FIPS;

-	FIPS, internal/godebug, hash < crypto/fips140, crypto/internal/fips140only;
+	# CRYPTO is core crypto algorithms - no cgo, fmt, net.
+	# Mostly wrappers around the FIPS module.

 	NONE < crypto/internal/boring/sig, crypto/internal/boring/syso;
 	sync/atomic < crypto/internal/boring/bcache;
-	crypto/internal/boring/sig, crypto/tls/internal/fips140tls < crypto/tls/fipsonly;

-	# CRYPTO is core crypto algorithms - no cgo, fmt, net.
-	FIPS, crypto/internal/fips140only,
+	FIPS, internal/godebug, hash, embed,
 	crypto/internal/boring/sig,
 	crypto/internal/boring/syso,
-	golang.org/x/sys/cpu,
-	hash, embed
+	crypto/internal/boring/bcache
+	< crypto/internal/fips140only
 	< crypto
 	< crypto/subtle
 	< crypto/cipher
-	< crypto/sha3;
-
-	crypto/cipher,
-	crypto/internal/boring/bcache
 	< crypto/internal/boring
-	< crypto/boring;
-
-	crypto/boring
-	< crypto/aes, crypto/des, crypto/hmac, crypto/md5, crypto/rc4,
-	  crypto/sha1, crypto/sha256, crypto/sha512, crypto/hkdf;
-
-	crypto/boring, crypto/internal/fips140/edwards25519/field
-	< crypto/ecdh;
-
-	crypto/hmac < crypto/pbkdf2;
-
-	crypto/internal/fips140/mlkem < crypto/mlkem;
-
-	crypto/aes,
+	< crypto/boring
+	< crypto/aes,
 	  crypto/des,
-	crypto/ecdh,
-	crypto/hmac,
-	crypto/md5,
 	  crypto/rc4,
+	  crypto/md5,
 	  crypto/sha1,
 	  crypto/sha256,
 	  crypto/sha512,
 	  crypto/sha3,
-	crypto/hkdf
+	  crypto/hmac,
+	  crypto/hkdf,
+	  crypto/pbkdf2,
+	  crypto/ecdh,
+	  crypto/mlkem
 	< CRYPTO;

 	CGO, fmt, net !< CRYPTO;

-	# CRYPTO-MATH is core bignum-based crypto - no cgo, net; fmt now ok.
+	# CRYPTO-MATH is crypto that exposes math/big APIs - no cgo, net; fmt now ok.
+
 	CRYPTO, FMT, math/big
 	< crypto/internal/boring/bbig
 	< crypto/rand
-	< crypto/ed25519
+	< crypto/ed25519 # depends on crypto/rand.Reader
 	< encoding/asn1
 	< golang.org/x/crypto/cryptobyte/asn1
 	< golang.org/x/crypto/cryptobyte
@ -558,17 +546,23 @@ var depsRules = `
 	CGO, net !< CRYPTO-MATH;

 	# TLS, Prince of Dependencies.
-	CRYPTO-MATH, NET, container/list, encoding/hex, encoding/pem
+
+	FIPS, sync/atomic < crypto/tls/internal/fips140tls;
+
+	crypto/internal/boring/sig, crypto/tls/internal/fips140tls < crypto/tls/fipsonly;
+
+	CRYPTO, golang.org/x/sys/cpu, encoding/binary, reflect
 	< golang.org/x/crypto/internal/alias
 	< golang.org/x/crypto/internal/subtle
 	< golang.org/x/crypto/chacha20
 	< golang.org/x/crypto/internal/poly1305
-	< golang.org/x/crypto/chacha20poly1305
+	< golang.org/x/crypto/chacha20poly1305;
+
+	CRYPTO-MATH, NET, container/list, encoding/hex, encoding/pem,
+	golang.org/x/crypto/chacha20poly1305, crypto/tls/internal/fips140tls
 	< crypto/internal/hpke
 	< crypto/x509/internal/macos
-	< crypto/x509/pkix;
-
-	crypto/tls/internal/fips140tls, crypto/x509/pkix
+	< crypto/x509/pkix
 	< crypto/x509
 	< crypto/tls;

@ -666,7 +660,7 @@ var depsRules = `
 	< testing/slogtest;

 	FMT, crypto/sha256, encoding/json, go/ast, go/parser, go/token,
-	internal/godebug, math/rand, encoding/hex, crypto/sha256
+	internal/godebug, math/rand, encoding/hex
 	< internal/fuzz;

 	OS, flag, testing, internal/cfg, internal/platform, internal/goroot
@ -696,6 +690,9 @@ var depsRules = `
 	CGO, FMT
 	< crypto/internal/sysrand/internal/seccomp;

+	FIPS
+	< crypto/internal/fips140/check/checktest;
+
 	# v2 execution trace parser.
 	FMT
 	< internal/trace/event;