From mboxrd@z Thu Jan 1 00:00:00 1970
From: Fabrice Bongartz
Date: Fri, 17 Jan 2014 10:48:34 +0100 (CET)
Message-ID: <1358734863.2409630.1389952114847.JavaMail.root@grenzecho.be>
Subject: [dm-crypt] luks passphrase stopped working after cryptsetup+libgcrypt update on arch linux
Reply-To: fabrice.bongartz@grenzecho.be
To: dm-crypt@saout.de

Hi,

After upgrading cryptsetup from 1.6.3-1 to 1.6.3-2 and libgcrypt from 1.5.3-1 to 1.6.0-1 (those are the version numbers from the arch linux package manager), I am unable to open my luks encrypted partitions using the correct passphrase.

As can be seen here https://bbs.archlinux.org/viewtopic.php?id=175737 I'm not the only Arch linux user who has encountered this problem.

Forum user "eisensheng" pointed out that it seems to be related to the whirlpool hash which I am also using:

"
Appears to be a problem with the whirlpool hash option.

I've created the following LUKS containers on an older system with
libgcrypt 1.5.3-1
cryptsetup 1.6.3-1
and tried to open those LUKS containers on an updated system with
libgcrypt 1.6.0-1
cryptsetup 1.6.3-2

# cryptsetup luksFormat /dev/sdj1 --hash whirlpool -c aes-cbc-plain -s 128
-> can't open

# cryptsetup luksFormat /dev/sdj1 --hash whirlpool -c serpent-xts-essiv:sha256 -s 128
-> can't open

# cryptsetup luksFormat /dev/sdj1 --hash sha1 -c serpent-xts-essiv:sha256 -s 128
-> can open
"

Cheers,
Fabrice Bongartz

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Milan Broz
Date: Fri, 17 Jan 2014 12:14:35 +0100
Message-ID: <52D9109B.2040906@gmail.com>
In-Reply-To: <1358734863.2409630.1389952114847.JavaMail.root@grenzecho.be>
Subject: Re: [dm-crypt] luks passphrase stopped working after cryptsetup+libgcrypt update on arch linux
To: dm-crypt
Cc: fabrice.bongartz@grenzecho.be

On 01/17/2014 10:48 AM, Fabrice Bongartz wrote:
> Hi,
>
> After upgrading cryptsetup from 1.6.3-1 to 1.6.3-2 and libgcrypt from
> 1.5.3-1 to 1.6.0-1 (those are the version numbers from the arch linux
> package manager), I am unable to open my luks encrypted partitions
> using the correct passphrase.
>
> As can be seen here https://bbs.archlinux.org/viewtopic.php?id=175737
> I'm not the only Arch linux user who has encountered this problem.

Hi,

please use your distro bugzilla and once the distro maintainer has enough info, create an upstream issue.

Distro specific bug is https://bugs.archlinux.org/task/38550

I bet it is another problem in libgcrypt 1.6 (the first one is http://code.google.com/p/cryptsetup/issues/detail?id=199 where I already sent a fix directly to gcrypt upstream).

Please try to downgrade libgcrypt, rebuild cryptsetup 1.6.3 and try again.

(There is no whirlpool specific code in cryptsetup. I will check how gcrypt uses whirlpool later though...)

I plan to release 1.6.4 soon with disabling slow pbkdf2 from gcrypt, so if there is another issue it should be fixed as well.

Thanks,
Milan

p.s.
As upstream maintainer, I have really no time to fix distro specific issues. I personally use Debian/Gentoo/Fedora/CentOS where I can do some distro specific things but I cannot simply test everything. The distro maintainer understands distro details, so he can send me all relevant debug logs etc.

Just one warning: if anyone said he tested "cryptsetup-nuke-keys (AUR) 1.6.3-2" or so, these reports will go directly to /dev/null.

Please always use upstream code when reporting to upstream.

Thanks.

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Fabrice Bongartz
Date: Fri, 17 Jan 2014 12:57:11 +0100 (CET)
Message-ID: <909167002.2417000.1389959831549.JavaMail.root@grenzecho.be>
In-Reply-To: <52D9109B.2040906@gmail.com>
Subject: Re: [dm-crypt] luks passphrase stopped working after cryptsetup+libgcrypt update on arch linux
Reply-To: fabrice.bongartz@grenzecho.be
To: dm-crypt
Cc: Milan Broz

Alright, thank you and sorry for posting this here. FYI A distro specific bug has been opened at https://bugs.archlinux.org/task/38550

Fabrice

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Milan Broz
Date: Fri, 17 Jan 2014 13:47:11 +0100
Message-ID: <52D9264F.8070905@gmail.com>
In-Reply-To: <909167002.2417000.1389959831549.JavaMail.root@grenzecho.be>
Subject: Re: [dm-crypt] luks passphrase stopped working after cryptsetup+libgcrypt update on arch linux
To: fabrice.bongartz@grenzecho.be, dm-crypt

On 01/17/2014 12:57 PM, Fabrice Bongartz wrote:
> Alright, thank you and sorry for posting this here. FYI A distro specific bug has been opened at https://bugs.archlinux.org/task/38550

Seems to be this commit in gcrypt

"md: Fix Whirlpool flaw."
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=0a28b2d2c9181a536fc894e24626714832619923

(It cannot be easily reversed but gcrypt build before this works.)

Unfortunately it seems that gcrypt had broken whirlpool. TBH no idea what to do with it now...

(I wonder if other backends work, I will add some test to testsuite for this later.)

Milan
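
An added example, not part of the thread and not cryptsetup's own code: the reports above tie the failure to containers formatted with --hash whirlpool, and that choice is stored in the hash-spec field of the LUKS1 header, so reading the field identifies the volumes to check before a libgcrypt upgrade. The function names are hypothetical and the header bytes are constructed in memory (zeroed salts and digest), so it runs without a device.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS1 on-disk header before the key slots (big-endian): magic, version,
# cipher-name, cipher-mode, hash-spec, payload-offset, key-bytes,
# mk-digest, mk-digest-salt, mk-digest-iter, uuid  (208 bytes)
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
KEYSLOT = struct.Struct(">II32sII")  # active, iterations, salt, offset, stripes
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

def _cstr(raw):
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks1(header):
    """Return cipher, mode, hash and active key-slot numbers of a LUKS1 header."""
    if len(header) < PHDR.size + 8 * KEYSLOT.size:
        raise ValueError("need at least 592 bytes of header")
    magic, version, name, mode, hspec, *_ = PHDR.unpack_from(header, 0)
    if magic != LUKS_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    states = [KEYSLOT.unpack_from(header, PHDR.size + i * KEYSLOT.size)[0]
              for i in range(8)]
    return {"cipher": _cstr(name), "mode": _cstr(mode),
            "hash": _cstr(hspec).lower(),
            "active_slots": [i for i, s in enumerate(states) if s == SLOT_ACTIVE]}

def affected_by_whirlpool_change(header):
    """True if hash-spec is whirlpool, the case reported in this thread."""
    return parse_luks1(header)["hash"] == "whirlpool"

def build_sample_header(cipher, mode, hash_spec):
    """Constructed sample header: key slot 0 active, slots 1-7 disabled."""
    phdr = PHDR.pack(LUKS_MAGIC, 1, cipher.encode(), mode.encode(),
                     hash_spec.encode(), 4096, 16, bytes(20), bytes(32), 1000,
                     b"00000000-0000-0000-0000-000000000000")
    slots = KEYSLOT.pack(SLOT_ACTIVE, 1000, bytes(32), 8, 4000)
    slots += KEYSLOT.pack(SLOT_DISABLED, 0, bytes(32), 0, 4000) * 7
    return phdr + slots

if __name__ == "__main__":
    for h in ("whirlpool", "sha1"):  # the two hash options compared in the thread
        hdr = build_sample_header("serpent", "xts-essiv:sha256", h)
        print(parse_luks1(hdr), "affected:", affected_by_whirlpool_change(hdr))
```

On a real volume the same field is printed as "Hash spec:" by cryptsetup luksDump; the parser above takes the first 592 bytes of the device.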