crypto: clean up subprocess-spawning tests

Consistently use testenv.Command and testenv.Executable, avoid redundant
testenv.Must, use testenv.CleanCmdEnv where the output is parsed, always
log the output with a preceding newline, invoke tests with -v, and
always use cmd.Environ() to preserve existing env.

Change-Id: I647ff1a8b7d162e5e8df9424030fac446a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/728641
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

Author: FiloSottile

src/crypto/cipher/gcm_fips140v2.0_test.go

@@ -22,12 +22,9 @@ func TestGCMNoncesFIPSV2(t *testing.T) {
 	cryptotest.MustSupportFIPS140(t)
 	if !fips140.Enabled {
 		cmd := testenv.Command(t, testenv.Executable(t), "-test.run=^TestGCMNoncesFIPSV2$", "-test.v")
-		cmd = testenv.CleanCmdEnv(cmd)
-		cmd.Env = append(cmd.Env, "GODEBUG=fips140=on")
+		cmd.Env = append(cmd.Environ(), "GODEBUG=fips140=on")
 		out, err := cmd.CombinedOutput()
-		if len(out) != 0 {
-			t.Logf("\n%s", out)
-		}
+		t.Logf("running with GODEBUG=fips140=on:\n%s", out)
 		if err != nil {
 			t.Errorf("fips140=on subprocess failed: %v", err)
 		}

src/crypto/cipher/gcm_test.go

@@ -766,12 +766,9 @@ func TestGCMNoncesFIPSV1(t *testing.T) {
 	cryptotest.MustSupportFIPS140(t)
 	if !fips140.Enabled {
 		cmd := testenv.Command(t, testenv.Executable(t), "-test.run=^TestGCMNoncesFIPSV1$", "-test.v")
-		cmd = testenv.CleanCmdEnv(cmd)
-		cmd.Env = append(cmd.Env, "GODEBUG=fips140=on")
+		cmd.Env = append(cmd.Environ(), "GODEBUG=fips140=on")
 		out, err := cmd.CombinedOutput()
-		if len(out) != 0 {
-			t.Logf("\n%s", out)
-		}
+		t.Logf("running with GODEBUG=fips140=on:\n%s", out)
 		if err != nil {
 			t.Errorf("fips140=on subprocess failed: %v", err)
 		}

src/crypto/ecdh/ecdh_test.go

@@ -16,7 +16,6 @@ import (
 	"internal/testenv"
 	"io"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"regexp"
 	"strings"
@@ -450,7 +449,6 @@ func TestLinker(t *testing.T) {
 	if testing.Short() {
 		t.Skip("test requires running 'go build'")
 	}
-	testenv.MustHaveGoBuild(t)
 
 	dir := t.TempDir()
 	hello := filepath.Join(dir, "hello.go")
@@ -460,25 +458,24 @@ func TestLinker(t *testing.T) {
 	}
 
 	run := func(args ...string) string {
-		cmd := exec.Command(args[0], args[1:]...)
+		cmd := testenv.Command(t, args[0], args[1:]...)
 		cmd.Dir = dir
-		out, err := cmd.CombinedOutput()
+		out, err := testenv.CleanCmdEnv(cmd).CombinedOutput()
 		if err != nil {
 			t.Fatalf("%v: %v\n%s", args, err, string(out))
 		}
 		return string(out)
 	}
 
-	goBin := testenv.GoToolPath(t)
-	run(goBin, "build", "-o", "hello.exe", "hello.go")
+	run(testenv.GoToolPath(t), "build", "-o", "hello.exe", "hello.go")
 	if out := run("./hello.exe"); out != "OK\n" {
 		t.Error("unexpected output:", out)
 	}
 
 	// List all text symbols under crypto/... and make sure there are some for
 	// P256, but none for the other curves.
 	var consistent bool
-	nm := run(goBin, "tool", "nm", "hello.exe")
+	nm := run(testenv.GoToolPath(t), "tool", "nm", "hello.exe")
 	for _, match := range regexp.MustCompile(`(?m)T (crypto/.*)$`).FindAllStringSubmatch(nm, -1) {
 		symbol := strings.ToLower(match[1])
 		if strings.Contains(symbol, "p256") {

src/crypto/fips140/enforcement_test.go

@@ -5,42 +5,77 @@
 package fips140_test
 
 import (
+	"crypto/des"
+	"crypto/fips140"
 	"crypto/internal/cryptotest"
 	"internal/testenv"
-	"path/filepath"
-	"strings"
 	"testing"
 )
 
+func expectAllowed(t *testing.T, why string, expected bool) {
+	t.Helper()
+	result := isAllowed()
+	if result != expected {
+		t.Fatalf("%v: expected: %v, got: %v", why, expected, result)
+	}
+}
+
+func isAllowed() bool {
+	_, err := des.NewCipher(make([]byte, 8))
+	return err == nil
+}
+
 func TestWithoutEnforcement(t *testing.T) {
-	testenv.MustHaveExec(t)
-	testenv.MustHaveGoBuild(t)
 	cryptotest.MustSupportFIPS140(t)
-
-	tool, _ := testenv.GoTool()
-	tmpdir := t.TempDir()
-	binFile := filepath.Join(tmpdir, "fips140.test")
-	cmd := testenv.Command(t, tool, "test", "-c", "-o", binFile, "./testdata")
-	out, err := cmd.CombinedOutput()
-	if err != nil {
-		t.Log(string(out))
-		t.Errorf("Could not build enforcement tests")
-	}
-	cmd = testenv.Command(t, binFile, "-test.list", ".")
-	list, err := cmd.CombinedOutput()
-	if err != nil {
-		t.Log(string(out))
-		t.Errorf("Could not get enforcement test list")
+	if !fips140.Enforced() {
+		cmd := testenv.Command(t, testenv.Executable(t), "-test.run=^TestWithoutEnforcement$", "-test.v")
+		cmd.Env = append(cmd.Environ(), "GODEBUG=fips140=only")
+		out, err := cmd.CombinedOutput()
+		t.Logf("running with GODEBUG=fips140=only:\n%s", out)
+		if err != nil {
+			t.Errorf("fips140=only subprocess failed: %v", err)
+		}
+		return
 	}
-	for test := range strings.Lines(string(list)) {
-		test = strings.TrimSpace(test)
-		t.Run(test, func(t *testing.T) {
-			cmd = testenv.Command(t, binFile, "-test.run", "^"+test+"$")
-			cmd.Env = append(cmd.Env, "GODEBUG=fips140=only")
-			out, err := cmd.CombinedOutput()
-			if err != nil {
-				t.Error(string(out))
-			}
+
+	t.Run("Disabled", func(t *testing.T) {
+		expectAllowed(t, "before enforcement disabled", false)
+		fips140.WithoutEnforcement(func() {
+			expectAllowed(t, "inside WithoutEnforcement", true)
 		})
-	}
+		// make sure that bypass doesn't live on after returning
+		expectAllowed(t, "after WithoutEnforcement", false)
+	})
+
+	t.Run("Nested", func(t *testing.T) {
+		expectAllowed(t, "before enforcement bypass", false)
+		fips140.WithoutEnforcement(func() {
+			fips140.WithoutEnforcement(func() {
+				expectAllowed(t, "inside nested WithoutEnforcement", true)
+			})
+			expectAllowed(t, "inside nested WithoutEnforcement", true)
+		})
+		expectAllowed(t, "after enforcement bypass", false)
+	})
+
+	t.Run("GoroutineInherit", func(t *testing.T) {
+		ch := make(chan bool, 2)
+		expectAllowed(t, "before enforcement bypass", false)
+		fips140.WithoutEnforcement(func() {
+			go func() {
+				ch <- isAllowed()
+			}()
+		})
+		allowed := <-ch
+		if !allowed {
+			t.Fatal("goroutine didn't inherit enforcement bypass")
+		}
+		go func() {
+			ch <- isAllowed()
+		}()
+		allowed = <-ch
+		if allowed {
+			t.Fatal("goroutine inherited bypass after WithoutEnforcement return")
+		}
+	})
 }

src/crypto/fips140/testdata/enforcement_test.go

@@ -18,13 +18,12 @@ import (
 // possible in this environment.
 func FetchModule(t *testing.T, module, version string) string {
 	testenv.MustHaveExternalNetwork(t)
-	goTool := testenv.GoToolPath(t)
 
 	// If the default GOMODCACHE doesn't exist, use a temporary directory
 	// instead. (For example, run.bash sets GOPATH=/nonexist-gopath.)
-	out, err := testenv.Command(t, goTool, "env", "GOMODCACHE").Output()
+	out, err := testenv.CleanCmdEnv(testenv.Command(t, testenv.GoToolPath(t), "env", "GOMODCACHE")).Output()
 	if err != nil {
-		t.Errorf("%s env GOMODCACHE: %v\n%s", goTool, err, out)
+		t.Errorf("%s env GOMODCACHE: %v\n%s", testenv.GoToolPath(t), err, out)
 		if ee, ok := err.(*exec.ExitError); ok {
 			t.Logf("%s", ee.Stderr)
 		}
@@ -44,7 +43,7 @@ func FetchModule(t *testing.T, module, version string) string {
 
 	t.Logf("fetching %s@%s\n", module, version)
 
-	output, err := testenv.Command(t, goTool, "mod", "download", "-json", module+"@"+version).CombinedOutput()
+	output, err := testenv.Command(t, testenv.GoToolPath(t), "mod", "download", "-json", module+"@"+version).CombinedOutput()
 	if err != nil {
 		t.Fatalf("failed to download %s@%s: %s\n%s\n", module, version, err, output)
 	}

src/crypto/internal/cryptotest/fetchmodule.go

@@ -44,7 +44,7 @@ func TestImports(t *testing.T) {
 {{range .XTestImports -}}
 {{$path}} {{.}}
 {{end -}}`, "crypto/internal/fips140/...")
-	bout, err := cmd.CombinedOutput()
+	bout, err := testenv.CleanCmdEnv(cmd).CombinedOutput()
 	if err != nil {
 		t.Fatalf("go list: %v\n%s", err, bout)
 	}

src/crypto/internal/fips140deps/fipsdeps_test.go

@@ -23,7 +23,7 @@ import (
 	"bytes"
 	"crypto/elliptic"
 	"crypto/internal/cryptotest"
-	"crypto/internal/entropy/v1.0.0"
+	entropy "crypto/internal/entropy/v1.0.0"
 	"crypto/internal/fips140"
 	"crypto/internal/fips140/aes"
 	"crypto/internal/fips140/aes/gcm"
@@ -2128,16 +2128,13 @@ func TestACVP(t *testing.T) {
 
 	// Build the acvptool binary.
 	toolPath := filepath.Join(t.TempDir(), "acvptool.exe")
-	goTool := testenv.GoToolPath(t)
-	cmd := testenv.Command(t, goTool,
+	cmd := testenv.Command(t, testenv.GoToolPath(t),
 		"build",
 		"-o", toolPath,
 		"./util/fipstools/acvp/acvptool")
 	cmd.Dir = bsslDir
-	out := &strings.Builder{}
-	cmd.Stderr = out
-	if err := cmd.Run(); err != nil {
-		t.Fatalf("failed to build acvptool: %s\n%s", err, out.String())
+	if out, err := cmd.CombinedOutput(); err != nil {
+		t.Fatalf("failed to build acvptool: %s\n%s", err, out)
 	}
 
 	// Similarly, fetch the ACVP data module that has vectors/expected answers.
@@ -2163,17 +2160,17 @@ func TestACVP(t *testing.T) {
 		"-module-wrappers", "go:" + os.Args[0],
 		"-tests", configPath,
 	}
-	cmd = testenv.Command(t, goTool, args...)
+	cmd = testenv.Command(t, testenv.GoToolPath(t), args...)
 	cmd.Dir = dataDir
 	cmd.Env = append(os.Environ(),
 		"ACVP_WRAPPER=1",
 		"GODEBUG=fips140=on",
 	)
-	output, err := cmd.CombinedOutput()
+	out, err := cmd.CombinedOutput()
+	t.Logf("\n%s", out)
 	if err != nil {
-		t.Fatalf("failed to run acvp tests: %s\n%s", err, string(output))
+		t.Fatalf("failed to run acvp tests: %s", err)
 	}
-	t.Log(string(output))
 }
 
 func TestTooFewArgs(t *testing.T) {

src/crypto/internal/fips140test/acvp_test.go

@@ -78,7 +78,7 @@ func TestAllCASTs(t *testing.T) {
 	// Ask "go list" for the location of the crypto/internal/fips140 tree, as it
 	// might be the unpacked frozen tree selected with GOFIPS140.
 	cmd := testenv.Command(t, testenv.GoToolPath(t), "list", "-f", `{{.Dir}}`, "crypto/internal/fips140")
-	out, err := cmd.CombinedOutput()
+	out, err := testenv.CleanCmdEnv(cmd).CombinedOutput()
 	if err != nil {
 		t.Fatalf("go list: %v\n%s", err, out)
 	}
@@ -161,13 +161,12 @@ func TestConditionals(t *testing.T) {
 
 func TestCASTPasses(t *testing.T) {
 	moduleStatus(t)
-	testenv.MustHaveExec(t)
 	cryptotest.MustSupportFIPS140(t)
 
 	cmd := testenv.Command(t, testenv.Executable(t), "-test.run=^TestConditionals$", "-test.v")
-	cmd.Env = append(cmd.Env, "GODEBUG=fips140=debug")
+	cmd.Env = append(cmd.Environ(), "GODEBUG=fips140=debug")
 	out, err := cmd.CombinedOutput()
-	t.Logf("%s", out)
+	t.Logf("running with GODEBUG=fips140=debug:\n%s", out)
 	if err != nil || !strings.Contains(string(out), "completed successfully") {
 		t.Errorf("TestConditionals did not complete successfully")
 	}
@@ -185,7 +184,6 @@ func TestCASTPasses(t *testing.T) {
 
 func TestCASTFailures(t *testing.T) {
 	moduleStatus(t)
-	testenv.MustHaveExec(t)
 	cryptotest.MustSupportFIPS140(t)
 
 	for _, name := range allCASTs {
@@ -197,11 +195,12 @@ func TestCASTFailures(t *testing.T) {
 			}
 			t.Logf("Testing CAST/PCT failure...")
 			cmd := testenv.Command(t, testenv.Executable(t), "-test.run=^TestConditionals$", "-test.v")
-			cmd.Env = append(cmd.Env, fmt.Sprintf("GODEBUG=failfipscast=%s,fips140=on", name))
+			GODEBUG := fmt.Sprintf("GODEBUG=failfipscast=%s,fips140=on", name)
+			cmd.Env = append(cmd.Environ(), GODEBUG)
 			out, err := cmd.CombinedOutput()
-			t.Logf("%s", out)
+			t.Logf("running with %s:\n%s", GODEBUG, out)
 			if err == nil {
-				t.Fatal("Test did not fail as expected")
+				t.Fatal("test did not fail as expected")
 			}
 			if strings.Contains(string(out), "completed successfully") {
 				t.Errorf("CAST/PCT %s failure did not stop the program", name)

src/crypto/internal/fips140test/cast_test.go

@@ -44,7 +44,6 @@ func TestIntegrityCheck(t *testing.T) {
 
 func TestIntegrityCheckFailure(t *testing.T) {
 	moduleStatus(t)
-	testenv.MustHaveExec(t)
 	cryptotest.MustSupportFIPS140(t)
 
 	bin, err := os.ReadFile(os.Args[0])
@@ -73,7 +72,7 @@ func TestIntegrityCheckFailure(t *testing.T) {
 	cmd := testenv.Command(t, binPath, "-test.v", "-test.run=^TestIntegrityCheck$")
 	cmd.Env = append(cmd.Environ(), "GODEBUG=fips140=on")
 	out, err := cmd.CombinedOutput()
-	t.Logf("%s", out)
+	t.Logf("running with GODEBUG=fips140=on:\n%s", out)
 	if err == nil {
 		t.Errorf("modified binary did not fail as expected")
 	}