From: Milan Broz <gmazyland@gmail.com>
To: gcrypt-devel@gnupg.org
Cc: dm-crypt <dm-crypt@saout.de>
Subject: Re: [dm-crypt] Whirlpool in gcrypt <= 1.5.3 broken (if writes in chunks)?
Date: Fri, 17 Jan 2014 21:58:07 +0100 [thread overview]
Message-ID: <52D9995F.1070808@gmail.com> (raw)
In-Reply-To: <87sismz76l.fsf@vigenere.g10code.de>
On 01/17/2014 09:26 PM, Werner Koch wrote:
> On Fri, 17 Jan 2014 19:25, gmazyland@gmail.com said:
>
>> Is my assumption that all whirlpool implementations before
>> libgcrypt 1.6.0 are broken if used this way?
>
> Right. Now why are you using a non-standard algorithm and then also hit
> the 62 byte problem :-(
Whirlpool was never default but people like to fiddle with things :)
No idea how many devices use this but with more systems using libgcrypt 1.6.0,
more problems will appear...
> Anyway, I see that we need to do something about it. Changing the
> correct implementation is not a good idea but I would be possible to add
> a bug emulation flag. We do something similar in GnuPG to workaround a
> pgp-2 incompatibility.
>
> I can see two ways to implement it: If you only hash small amounts of
> data, retrying with the hash operation with the bug emulation flag set
> would be the easiest way. The other option would be to implement a
> variant of Whirlpool with this bug not fixed. Then you could add this
> as a second hash algorithm to the same context and hash only one. That
> is practical for streamed data but it does not save time because it
> always hashes twice (could be optimized but we would end up with quite
> some complexity).
The problem is in AF filter
http://code.google.com/p/cryptsetup/source/browse/lib/luks1/af.c
which uses hash to diffuse key to several encrypted sectors, hash is called
a lot of times there.
But I really do not care about speed here - the goal is create to some
easy way how to fix existing LUKS headers to work with new gcrypt.
> I would really prefer to add a bug emulation flag so that you could go
> and re-encrypt the data on the fly (using the fixed Whirlpool or SHA-x
> for better performance).
Yes, I prefer this as well. I had already code to reencrypt device, here we
need only to reencrypt header and keyslots.
I just need to have access to both whirlpool variants.
So if there is a "bug emulation flag" it could help to implement it.
Thanks,
Milan
next prev parent reply other threads:[~2014-01-17 20:58 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-17 18:25 [dm-crypt] Whirlpool in gcrypt <= 1.5.3 broken (if writes in chunks)? Milan Broz
2014-01-17 20:26 ` Werner Koch
2014-01-17 20:58 ` Milan Broz [this message]
2014-01-19 14:13 ` Werner Koch
2014-01-19 19:49 ` Milan Broz
2014-01-20 7:56 ` Werner Koch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52D9995F.1070808@gmail.com \
--to=gmazyland@gmail.com \
--cc=dm-crypt@saout.de \
--cc=gcrypt-devel@gnupg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.