Whirlpool in gcrypt <= 1.5.3 broken (if writes in chunks)?

Werner Koch wk at gnupg.org
Fri Jan 17 21:26:10 CET 2014

On Fri, 17 Jan 2014 19:25, gmazyland at gmail.com said:

> Is my assumption that all whirlpool implementations before
> libgcrypt 1.6.0 are broken if used this way?

Right.  Now why are you using a non-standard algorithm and then also hit
the 62 byte problem :-(

Anyway, I see that we need to do something about it.  Changing the
correct implementation is not a good idea but I would be possible to add
a bug emulation flag.  We do something similar in GnuPG to workaround a
pgp-2 incompatibility.

I can see two ways to implement it: If you only hash small amounts of
data, retrying with the hash operation with the bug emulation flag set
would be the easiest way.  The other option would be to implement a
variant of Whirlpool with this bug not fixed.  Then you could add this
as a second hash algorithm to the same context and hash only one.  That
is practical for streamed data but it does not save time because it
always hashes twice (could be optimized but we would end up with quite
some complexity). 

I would really prefer to add a bug emulation flag so that you could go
and re-encrypt the data on the fly (using the fixed Whirlpool or SHA-x
for better performance).



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gcrypt-devel mailing list