sha1 hash using libgcrypt different from what returns sha1sum

Werner Koch wk at
Tue Nov 12 18:34:24 CET 2013

On Tue, 12 Nov 2013 00:44, yumkam at said:

> I strongly believe this is a bug, I have not found any such behavior in standard

You are right.  This is a limitation of the code which was never hit in
practice until now - at least I hope so.  The more disturbing fact is
that this also affects GPG encrypted files: SHA-1 is used for an MDC to
protect the encrypted messages.  If both parties use GPG, this won't be
a problem but it is not standard compliant.

Now, what shall we do with GPG? 

 - Fix the code and hope that no encrypted files larger than 256GB need

 - Fix and print a warning for an MDC mismatch in case the file is too

 - Fix and add an option to use the unfixed SHA-1 code?  Takes a lot of
   time for processing.

Anyone tested this with PGP?

> There is exactly the same bug with the sha256 and md5 implementations (but, curiously,
> there is *no* similar problem in sha512).

SHA-512 uses a 64 bit type for the counter because its implementation
requires a 64 bit type anyway.



Funny that Libgcrypt passes the FIPS validation.

Thoughts are free.  Exceptions are regulated by a federal law.
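
The 256GB boundary discussed in this message, as an added example that is not part of the original post and is not Libgcrypt's code: it compares the 64-bit length field that SHA-1 padding requires with the field produced when completed 64-byte blocks are counted in a 32-bit variable. The 32-bit block counter is an assumed model of the limitation, and all function names and sample sizes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define BLOCK 64u /* SHA-1, SHA-256 and MD5 all process 64-byte blocks */

/* Bit length the standard padding carries: a full 64-bit value. */
static uint64_t bitlen_full(uint64_t total_bytes)
{
    return total_bytes << 3;
}

/* Assumed model of the limitation: completed blocks are counted in a
   32-bit variable, and the bit length is rebuilt from that counter plus
   the bytes still buffered. The counter wraps at 2^32 blocks. */
static uint64_t bitlen_narrow(uint64_t total_bytes)
{
    uint32_t nblocks = (uint32_t)(total_bytes / BLOCK); /* truncates */
    uint32_t buffered = (uint32_t)(total_bytes % BLOCK);
    return ((uint64_t)nblocks * BLOCK + buffered) << 3;
}

/* The 8-byte big-endian length field that ends the last SHA-1 block. */
static void encode_len(uint64_t bits, unsigned char out[8])
{
    for (int i = 0; i < 8; i++)
        out[i] = (unsigned char)(bits >> (56 - 8 * i));
}

/* Returns 1 when both counters produce the same length field. */
static int length_fields_match(uint64_t total_bytes)
{
    unsigned char want[8], got[8];
    encode_len(bitlen_full(total_bytes), want);
    encode_len(bitlen_narrow(total_bytes), got);
    for (int i = 0; i < 8; i++)
        if (want[i] != got[i])
            return 0;
    return 1;
}

int main(void)
{
    const uint64_t limit = (uint64_t)1 << 38; /* 2^32 * 64 bytes = 256 GiB */
    const uint64_t sizes[] = { 1000, limit - 1, limit, limit + 5 }; /* constructed */
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("%llu bytes: %s\n", (unsigned long long)sizes[i],
               length_fields_match(sizes[i]) ? "match" : "MISMATCH");
    return 0;
}
```

Because the length field is part of the final hashed block, any input at or past the boundary yields a digest that differs from a standard implementation even though every data block was processed identically.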
