From: Milan Broz
Date: Fri, 17 Jan 2014 19:25:39 +0100
Message-ID: <52D975A3.6080609@gmail.com>
Subject: [dm-crypt] Whirlpool in gcrypt <= 1.5.3 broken (if writes in chunks)?
To: gcrypt-devel@gnupg.org
Cc: dm-crypt

Hi,

since this commit (present in 1.6.0)

  "md: Fix Whirlpool flaw."
  http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=0a28b2d2c9181a536fc894e24626714832619923

it seems that the Whirlpool hash produces different output if data are written in parts.
(If entered as one buffer, it seems to be compatible though.)

Unfortunately, cryptsetup in its anti-forensic filter uses something like this:

  gcry_md_write(iv, iv_size)
  gcry_md_write(buf, buf_size)
  gcry_md_read
  ...

The change above seems to break all LUKS devices which used Whirlpool as hash before and were upgraded to gcrypt 1.6.0 (cryptsetup cannot open them anymore).

See for example https://bbs.archlinux.org/viewtopic.php?id=175737

Is my assumption correct that all Whirlpool implementations before libgcrypt 1.6.0 are broken if used this way?
(Using a different crypto backend seems to support this assumption...)

Thanks,
Milan
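The failure mode described above, a digest that depends on where the caller split its writes, can be caught with a chunk-independence check. The following is an added example, not cryptsetup's or libgcrypt's code: Python's hashlib stands in for gcry_md_write/gcry_md_read, BuggyHash is a constructed stand-in that reproduces the symptom, and the "whirlpool" name is only exercised if the local OpenSSL still provides it.

```python
import hashlib

WHIRLPOOL_BLOCK = 64  # Whirlpool absorbs 512-bit (64-byte) blocks


class BuggyHash:
    """Constructed stand-in for a flawed incremental hash: each update() is
    padded to a whole block before being absorbed, so the digest depends on
    where the caller split the input (the symptom described in the mail)."""

    def __init__(self):
        self._h = hashlib.sha256()

    def update(self, data):
        self._h.update(data + b"\x00" * ((-len(data)) % WHIRLPOOL_BLOCK))

    def digest(self):
        return self._h.digest()


def digest_of(new_hash, chunks):
    """Feed chunks in order (the gcry_md_write calls), then read the digest."""
    h = new_hash()
    for chunk in chunks:
        h.update(chunk)
    return h.digest()


def bad_splits(new_hash, data):
    """Offsets at which two writes give a different digest than one write.
    An empty list means the implementation is chunk-independent on data."""
    ref = digest_of(new_hash, [data])
    return [i for i in range(1, len(data))
            if digest_of(new_hash, [data[:i], data[i:]]) != ref]


def af_pattern_ok(new_hash, iv, buf):
    """The anti-forensic filter pattern: write(iv), write(buf), read."""
    return digest_of(new_hash, [iv, buf]) == digest_of(new_hash, [iv + buf])


def check_backend(name, sample=bytes(range(150))):
    """True/False for the named hashlib algorithm; None if it is not built in
    (e.g. 'whirlpool' depends on the local OpenSSL build)."""
    try:
        hashlib.new(name)
    except ValueError:
        return None
    return not bad_splits(lambda: hashlib.new(name), sample)


if __name__ == "__main__":
    sample = bytes(range(150))  # constructed input, not a real LUKS AF stripe
    print("sha256 bad splits:", bad_splits(hashlib.sha256, sample))
    print("buggy bad splits:", len(bad_splits(BuggyHash, sample)))
    print("whirlpool chunk-independent:", check_backend("whirlpool"))
```

A correct backend reports no bad splits; the constructed BuggyHash fails at every offset that is not a multiple of its block size, which is exactly the iv-then-buffer write pattern the filter relies on.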