From: Milan Broz <gmazyland@gmail.com>
To: gcrypt-devel@gnupg.org
Cc: dm-crypt <dm-crypt@saout.de>
Subject: Re: [dm-crypt] Whirlpool in gcrypt <= 1.5.3 broken (if writes in chunks)?
Date: Fri, 17 Jan 2014 21:58:07 +0100 [thread overview]
Message-ID: <52D9995F.1070808@gmail.com> (raw)
In-Reply-To: <87sismz76l.fsf@vigenere.g10code.de>
On 01/17/2014 09:26 PM, Werner Koch wrote:
> On Fri, 17 Jan 2014 19:25, gmazyland@gmail.com said:
>
>> Is my assumption that all whirlpool implementations before
>> libgcrypt 1.6.0 are broken if used this way?
>
> Right. Now why are you using a non-standard algorithm and then also hit
> the 62 byte problem :-(
Whirlpool was never default but people like to fiddle with things :)
No idea how many devices use this but with more systems using libgcrypt 1.6.0,
more problems will appear...
> Anyway, I see that we need to do something about it. Changing the
> correct implementation is not a good idea but I would be possible to add
> a bug emulation flag. We do something similar in GnuPG to workaround a
> pgp-2 incompatibility.
>
> I can see two ways to implement it: If you only hash small amounts of
> data, retrying with the hash operation with the bug emulation flag set
> would be the easiest way. The other option would be to implement a
> variant of Whirlpool with this bug not fixed. Then you could add this
> as a second hash algorithm to the same context and hash only one. That
> is practical for streamed data but it does not save time because it
> always hashes twice (could be optimized but we would end up with quite
> some complexity).
The problem is in AF filter
http://code.google.com/p/cryptsetup/source/browse/lib/luks1/af.c
which uses hash to diffuse key to several encrypted sectors, hash is called
a lot of times there.
But I really do not care about speed here - the goal is create to some
easy way how to fix existing LUKS headers to work with new gcrypt.
> I would really prefer to add a bug emulation flag so that you could go
> and re-encrypt the data on the fly (using the fixed Whirlpool or SHA-x
> for better performance).
Yes, I prefer this as well. I had already code to reencrypt device, here we
need only to reencrypt header and keyslots.
I just need to have access to both whirlpool variants.
So if there is a "bug emulation flag" it could help to implement it.
Thanks,
Milan
next prev parent reply other threads:[~2014-01-17 20:58 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-17 18:25 [dm-crypt] Whirlpool in gcrypt <= 1.5.3 broken (if writes in chunks)? Milan Broz
2014-01-17 20:26 ` Werner Koch
2014-01-17 20:58 ` Milan Broz [this message]
2014-01-19 14:13 ` Werner Koch
2014-01-19 19:49 ` Milan Broz
2014-01-20 7:56 ` Werner Koch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52D9995F.1070808@gmail.com \
--to=gmazyland@gmail.com \
--cc=dm-crypt@saout.de \
--cc=gcrypt-devel@gnupg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox