Whirlpool in gcrypt <= 1.5.3 broken (if writes in chunks)?
Milan Broz
gmazyland at gmail.com
Fri Jan 17 19:25:39 CET 2014
Hi,
since this commit (present in 1.6.0)
"md: Fix Whirlpool flaw."
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=0a28b2d2c9181a536fc894e24626714832619923
it seems that the Whirlpool hash produces different output
if data is written in parts.
(If entered as one buffer, it seems to be compatible though.)
Unfortunately, cryptsetup in its anti-forensic filter uses something like this:
gcry_md_write(hd, iv, iv_size);
gcry_md_write(hd, buf, buf_size);
gcry_md_read(hd, ...)
The change above seems to break all LUKS devices which used Whirlpool as hash
before and upgraded to gcrypt 1.6.0 (cryptsetup cannot open them anymore).
See for example https://bbs.archlinux.org/viewtopic.php?id=175737
Is my assumption correct that all Whirlpool implementations before
libgcrypt 1.6.0 are broken if used this way?
(Using a different crypto backend seems to support this assumption...)
Thanks,
Milan
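A small compatibility harness for the two-write pattern described in the post (an added example, not cryptsetup's or libgcrypt's code): it hashes the same bytes in one write and in pieces and reports every split point where the digests differ. It uses Python's hashlib; Whirlpool is only present when the local OpenSSL provides it, which is an assumption, so the Whirlpool checks return None when they cannot run, and the sample iv/buf values are constructed.

```python
import hashlib


def one_shot(algo, data):
    """Digest of the whole input passed as a single buffer."""
    return hashlib.new(algo, data).hexdigest()


def chunked(algo, parts):
    """Digest of the same input fed piecewise, like successive gcry_md_write() calls."""
    h = hashlib.new(algo)
    for part in parts:
        h.update(part)
    return h.hexdigest()


def check_split_compat(algo, data, split_points=None):
    """Return the split points at which (data[:i], data[i:]) hashes differently
    from the one-shot digest. An empty list means the backend is consistent."""
    ref = one_shot(algo, data)
    if split_points is None:
        split_points = range(1, len(data))
    return [i for i in split_points
            if chunked(algo, (data[:i], data[i:])) != ref]


def whirlpool_available():
    """True if this hashlib/OpenSSL build can construct a Whirlpool context."""
    try:
        hashlib.new("whirlpool")
        return True
    except ValueError:
        return False


def whirlpool_two_write_check(iv=b"\x00\x00\x00\x01", buf=bytes(range(256)) * 2):
    """Mimic the post's pattern: write iv, then buf, then read. Constructed
    sample values. Returns True/False, or None if Whirlpool is unavailable."""
    if not whirlpool_available():
        return None
    return chunked("whirlpool", (iv, buf)) == one_shot("whirlpool", iv + buf)


def whirlpool_split_report(data=bytes(range(256)) * 3):
    """Exhaustive split-point check spanning several 64-byte Whirlpool blocks;
    None if Whirlpool is unavailable, else the list of failing split points."""
    if not whirlpool_available():
        return None
    return check_split_compat("whirlpool", data)
```

The same harness can be pointed at any other hashlib algorithm name to compare backends.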