sha1 hash using libgcrypt different from what returns sha1sum

David Shaw dshaw at
Tue Nov 12 20:06:09 CET 2013

On Nov 11, 2013, at 6:44 PM, Yuriy Kaminskiy <yumkam at> wrote:

> This u32 counter overflows after processing (2**32)*64 bytes (== 2**38 B == 256
> GiB).
> Actually, as number of bytes in final blocks will be added to [effectively]
> 64-bit variable, those "nblocks wraparound effects" will be visible only with
> files over (2**38)+63 bytes, very peculiar limit.
> I strongly believe this is a bug, I have not found any such behavior in standard
> - only limitation for SHA-1 is 2**64 bits (2**61 bytes).

Nice find!  This is a problem.

> There are exactly same bug with sha256 and md5 implementations (but, curiously,
> there are *no* similar problem in sha512).

Yes.  SHA-512 (and thus SHA-384) are inherently 64-bit.  They don't even build unless the compiler supports 64-bit types.


More information about the Gnupg-devel mailing list