Whirlpool in gcrypt <= 1.5.3 broken (if writes in chunks)?
Milan Broz
gmazyland at gmail.com
Fri Jan 17 21:58:07 CET 2014
On 01/17/2014 09:26 PM, Werner Koch wrote:
> On Fri, 17 Jan 2014 19:25, gmazyland at gmail.com said:
>
>> Is my assumption that all whirlpool implementations before
>> libgcrypt 1.6.0 are broken if used this way?
>
> Right. Now why are you using a non-standard algorithm and then also hit
> the 62 byte problem :-(
Whirlpool was never default but people like to fiddle with things :)
No idea how many devices use this but with more systems using libgcrypt 1.6.0,
more problems will appear...
> Anyway, I see that we need to do something about it. Changing the
> correct implementation is not a good idea but I would be possible to add
> a bug emulation flag. We do something similar in GnuPG to workaround a
> pgp-2 incompatibility.
>
> I can see two ways to implement it: If you only hash small amounts of
> data, retrying with the hash operation with the bug emulation flag set
> would be the easiest way. The other option would be to implement a
> variant of Whirlpool with this bug not fixed. Then you could add this
> as a second hash algorithm to the same context and hash only one. That
> is practical for streamed data but it does not save time because it
> always hashes twice (could be optimized but we would end up with quite
> some complexity).
The problem is in AF filter
http://code.google.com/p/cryptsetup/source/browse/lib/luks1/af.c
which uses hash to diffuse key to several encrypted sectors, hash is called
a lot of times there.
But I really do not care about speed here - the goal is create to some
easy way how to fix existing LUKS headers to work with new gcrypt.
> I would really prefer to add a bug emulation flag so that you could go
> and re-encrypt the data on the fly (using the fixed Whirlpool or SHA-x
> for better performance).
Yes, I prefer this as well. I had already code to reencrypt device, here we
need only to reencrypt header and keyslots.
I just need to have access to both whirlpool variants.
So if there is a "bug emulation flag" it could help to implement it.
Thanks,
Milan
More information about the Gcrypt-devel
mailing list