Whirlpool in gcrypt <= 1.5.3 broken (if writes in chunks)?

Milan Broz gmazyland at gmail.com
Fri Jan 17 19:25:39 CET 2014


Since this commit (present in 1.6.0):

"md: Fix Whirlpool flaw."

it seems that the Whirlpool hash produces different output
if the data are written in parts.
(If entered as one buffer, it seems to be compatible though.)

Unfortunately, cryptsetup in its anti-forensic filter uses something like this:
  gcry_md_write(hd, iv, iv_size);     /* first chunk: the IV */
  gcry_md_write(hd, buf, buf_size);   /* second chunk: the data */
  gcry_md_read(hd, GCRY_MD_WHIRLPOOL) ...

The change above seems to break all LUKS devices which used Whirlpool as hash
before and upgraded to gcrypt 1.6.0 (cryptsetup cannot open them anymore).

See for example https://bbs.archlinux.org/viewtopic.php?id=175737

Is my assumption correct that all Whirlpool implementations before
libgcrypt 1.6.0 are broken if used this way?

(Using a different crypto backend seems to support this assumption...)
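A consistency check for this failure mode, added here as an example and not part of the original post, of cryptsetup or of libgcrypt: it hashes iv||buf once in a single update() and again as the two-write pattern above plus splits just before, at and after every 64-byte block boundary, and reports every variant that disagrees with the one-shot digest. It uses Python's hashlib with a constructed sample IV and buffer; PartialBlockBugHash is a constructed toy with a partial-block buffering mistake, included only to show the check firing, and is not libgcrypt's Whirlpool code or its actual defect.

```python
import hashlib

BLOCK = 64  # Whirlpool's block size in bytes; the toy below uses the same
SAMPLE_IV, SAMPLE_BUF = b"\x11" * 16, b"A" * 100  # constructed AF-splitter-like inputs

def digest_in_chunks(new_hash, chunks):
    """Feed CHUNKS to a fresh hash object, one update() call per chunk."""
    h = new_hash()
    for chunk in chunks:
        h.update(chunk)
    return h.digest()

def split_points(length, block_size=BLOCK):
    """Offsets just before, at and after every block boundary."""
    edges = range(0, length + 1, block_size)
    return sorted({p for e in edges for p in (e - 1, e, e + 1) if 0 < p < length})

def check_chunk_invariance(new_hash, iv, buf):
    """Names of chunked variants whose digest of iv||buf differs from the
    one-shot digest; an empty list means the implementation is consistent."""
    data = iv + buf
    expected = digest_in_chunks(new_hash, [data])
    variants = {"two writes (iv, buf)": [iv, buf],
                "byte by byte": [data[i:i + 1] for i in range(len(data))]}
    for p in split_points(len(data)):
        variants["split at %d" % p] = [data[:p], data[p:]]
    return [name for name, chunks in variants.items()
            if digest_in_chunks(new_hash, chunks) != expected]

class PartialBlockBugHash:
    """Constructed toy, not libgcrypt's code: buffers partial blocks around
    SHA-256 but drops the rest of a chunk once it completes a buffered block.
    One-shot input never takes that path, so only chunked writes go wrong."""
    def __init__(self):
        self._inner, self._pending = hashlib.sha256(), b""
    def update(self, data):
        if not self._pending:
            whole = len(data) - len(data) % BLOCK
            self._inner.update(data[:whole])
            self._pending = data[whole:]
            return
        need = BLOCK - len(self._pending)
        self._inner.update(self._pending + data[:need])
        self._pending = b""  # BUG: data[need:] is silently lost
    def digest(self):
        inner = self._inner.copy()
        inner.update(self._pending)
        return inner.digest()
```

Pointing check_chunk_invariance() at a wrapper around gcry_md_write()/gcry_md_read() would run the same check against the real implementation; note that the byte-by-byte variant alone does not catch the toy's bug, which is why the block-boundary splits are included.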


More information about the Gcrypt-devel mailing list