'make check' with --enable-hmac-binary-check and GNU gold
Clemens Lang
cllang at redhat.com
Thu Feb 10 17:46:56 CET 2022
Hi,
in my testing, I've tried to make
./configure --enable-hmac-binary-check
make
LIBGCRYPT_FORCE_FIPS_MODE=1 make check
work out of the box, but for some reason, this failed with an HMAC
mismatch. I've taken inspiration from what Jakub did downstream [1] to
compute the HMAC from a copy of the library with the .rodata1 section
set to 32 0-bytes and ported that into src/Makefile.am, which fixed the
test execution.
Further investigation shows that any use of objcopy on the libgcrypt
library before HMAC calculation fixes the mismatch, even invocations
that are not supposed to modify the binary, such as
objcopy --dump-section .rodata1=/dev/stdout src/.libs/libgcrypt.so
This happens because objcopy drops entries from the .strtab section of
the binary, presumably because it removes unused values. Since this
modifies the binary, the computed checksum is no longer valid. Adding
the additional objcopy invocation ensures that this cleanup has happened
before the checksum is computed, such that the only modification to the
library afterwards is in the .rodata1 section, which we expect and
handle during the selftest.
This only happens when GNU gold is used as linker, specifically GNU gold
(version 2.37-10.fc35) 1.16. GNU ld does not show the same problem.
[1]: https://gitlab.com/redhat/centos-stream/rpms/libgcrypt/-/blob/c9s/libgcrypt.spec#L92-95
More information about the Gcrypt-devel
mailing list