[dm-crypt] luks passphrase stopped working after cryptsetup+libgcrypt update on arch linux

[dm-crypt] luks passphrase stopped working after cryptsetup+libgcrypt update on arch linux

[accounts]

Hi,

After upgrading cryptsetup from 1.6.3-1 to 1.6.3-2 and libgcrypt from 
1.5.3-1 to 1.6.0-1 (those are the version number from the arch linux 
package manager), I am unable to open my luks encrypted partitions using 
the corrent passphrase.

As can be seen here https://bbs.archlinux.org/viewtopic.php?id=175737 
I'm not the only Arch linux user who encountered this problem.

Forum user "eisensheng" pointed out that it seems to be related to the 
whirlpool hash which I am also using:

"
Appears to be a problem with the whirlpool hash option.

I've created the following LUKS containers on an older system with

     libgcrypt 1.5.3-1

     cryptsetup 1.6.3-1

and tried to open those LUKS containers on an updated system with

     libgcrypt 1.6.0-1

     cryptsetup 1.6.3-2

# cryptsetup luksFormat /dev/sdj1 --hash whirlpool -c aes-cbc-plain -s 
128

-> can't open

# cryptsetup luksFormat /dev/sdj1 --hash whirlpool -c 
serpent-xts-essiv:sha256 -s 128

-> can't open

# cryptsetup luksFormat /dev/sdj1 --hash sha1 -c 
serpent-xts-essiv:sha256 -s 128

-> can open
"

Cheers,

Fabrice Bongartz

[dm-crypt] luks passphrase stopped working after cryptsetup+libgcrypt update on arch linux

[Fabrice Bongartz]

[-- Attachment #1: Type: text/plain, Size: 1096 bytes --]

Hi,

After upgrading cryptsetup from 1.6.3-1 to 1.6.3-2 and libgcrypt from 1.5.3-1 to 1.6.0-1 (those are the version number from the arch linux 
package manager), I am unable to open my luks encrypted partitions using the corrent passphrase.

As can be seen here https://bbs.archlinux.org/viewtopic.php?id=175737 I'm not the only Arch linux user who has encountered this problem.

Forum user "eisensheng" pointed out that it seems to be related to the whirlpool hash which I am also using:

"
Appears to be a problem with the whirlpool hash option.

I've created the following LUKS containers on an older system with

    libgcrypt 1.5.3-1

    cryptsetup 1.6.3-1

and tried to open those LUKS containers on an updated system with

    libgcrypt 1.6.0-1

    cryptsetup 1.6.3-2

# cryptsetup luksFormat /dev/sdj1 --hash whirlpool -c aes-cbc-plain -s 128

-> can't open

# cryptsetup luksFormat /dev/sdj1 --hash whirlpool -c serpent-xts-essiv:sha256 -s 128

-> can't open

# cryptsetup luksFormat /dev/sdj1 --hash sha1 -c serpent-xts-essiv:sha256 -s 128

-> can open
"

Cheers,

Fabrice Bongartz 

[-- Attachment #2: Type: text/html, Size: 1371 bytes --]

Re: [dm-crypt] luks passphrase stopped working after cryptsetup+libgcrypt update on arch linux

[Milan Broz]

On 01/17/2014 10:48 AM, Fabrice Bongartz wrote:
> Hi,
> 
> After upgrading cryptsetup from 1.6.3-1 to 1.6.3-2 and libgcrypt from
> 1.5.3-1 to 1.6.0-1 (those are the version number from the arch linux 
> package manager), I am unable to open my luks encrypted partitions
> using the corrent passphrase.
> 
> As can be seen here https://bbs.archlinux.org/viewtopic.php?id=175737
> I'm not the only Arch linux user who has encountered this problem.

Hi,
please use you distro bugzilla and once distro maintainer has enough info,
create upstream issue
Distro specific bug is https://bugs.archlinux.org/task/38550

I bet it is another problem in libgcrypt 1.6
(the first one is http://code.google.com/p/cryptsetup/issues/detail?id=199 where
I already sent fix directly to gcrypt upstream)

Please try to downgrade libgcrypt, rebuild cryptsetup 1.6.3 and try again.
(There is no whirlpool specific code in cryptsetup. I will check gcrypt
how gcrypt use whirlpool later though...)

I plan to release 1.6.4 soon with disabling slow pbkdf2 from gcrypt, so if there
is another issue it should be fixed as well.

Thanks,
Milan

p.s.
As upstream maintainer, I have really no time to fix distro specific issues
I personally use Debian/Gentoo/Fedora/CentoOS where I can do some distro specific things
but I cannot simply test everything. Distro maintainer understand distro details,
so he can send me all relevant debug logs etc.

Just one warning: if anyone said he tested "cryptsetup-nuke-keys (AUR) 1.6.3-2" or so
these report will go directly to /dev/null.
Please always use upstream code when reporting to upstream. Thanks.

Re: [dm-crypt] luks passphrase stopped working after cryptsetup+libgcrypt update on arch linux

[Fabrice Bongartz]

Alright, thank you and sorry for posting this here. FYI A distro specific bug has been opened at https://bugs.archlinux.org/task/38550 

Fabrice 

----- Ursprüngliche Mail ----- 
Von: "Milan Broz" <gmazyland@gmail.com> 
An: "dm-crypt" <dm-crypt@saout.de> 
CC: "fabrice bongartz" <fabrice.bongartz@grenzecho.be> 
Gesendet: Freitag, 17. Januar 2014 12:14:35 
Betreff: Re: [dm-crypt] luks passphrase stopped working after cryptsetup+libgcrypt update on arch linux 

On 01/17/2014 10:48 AM, Fabrice Bongartz wrote: 
> Hi, 
> 
> After upgrading cryptsetup from 1.6.3-1 to 1.6.3-2 and libgcrypt from 
> 1.5.3-1 to 1.6.0-1 (those are the version number from the arch linux 
> package manager), I am unable to open my luks encrypted partitions 
> using the corrent passphrase. 
> 
> As can be seen here https://bbs.archlinux.org/viewtopic.php?id=175737 
> I'm not the only Arch linux user who has encountered this problem. 

Hi, 
please use you distro bugzilla and once distro maintainer has enough info, 
create upstream issue 
Distro specific bug is https://bugs.archlinux.org/task/38550 

I bet it is another problem in libgcrypt 1.6 
(the first one is http://code.google.com/p/cryptsetup/issues/detail?id=199 where 
I already sent fix directly to gcrypt upstream) 

Please try to downgrade libgcrypt, rebuild cryptsetup 1.6.3 and try again. 
(There is no whirlpool specific code in cryptsetup. I will check gcrypt 
how gcrypt use whirlpool later though...) 

I plan to release 1.6.4 soon with disabling slow pbkdf2 from gcrypt, so if there 
is another issue it should be fixed as well. 

Thanks, 
Milan 

p.s. 
As upstream maintainer, I have really no time to fix distro specific issues 
I personally use Debian/Gentoo/Fedora/CentoOS where I can do some distro specific things 
but I cannot simply test everything. Distro maintainer understand distro details, 
so he can send me all relevant debug logs etc. 

Just one warning: if anyone said he tested "cryptsetup-nuke-keys (AUR) 1.6.3-2" or so 
these report will go directly to /dev/null. 
Please always use upstream code when reporting to upstream. Thanks. 
_______________________________________________ 
dm-crypt mailing list 
dm-crypt@saout.de 
http://www.saout.de/mailman/listinfo/dm-crypt 

Re: [dm-crypt] luks passphrase stopped working after cryptsetup+libgcrypt update on arch linux

[Milan Broz]

On 01/17/2014 12:57 PM, Fabrice Bongartz wrote:
> Alright, thank you and sorry for posting this here. FYI A distro specific bug has been opened at https://bugs.archlinux.org/task/38550 

Seems to be this commit in gcrypt
"md: Fix Whirlpool flaw."
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=0a28b2d2c9181a536fc894e24626714832619923

(It cannot be easily reversed but gcrypt build before this works.)

Unfortunately it seems that gcrypt had broken whirlpool.

TBH no idea what to do with it now...

(I wonder if other backends works, I will add some test to testsuite for this later.)

Milan