From owner-freebsd-security@FreeBSD.ORG Tue Jul 10 10:49:49 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 644FA16A468 for ; Tue, 10 Jul 2007 10:49:49 +0000 (UTC) (envelope-from wxs@atarininja.org) Received: from syn.atarininja.org (syn.csh.rit.edu [129.21.60.158]) by mx1.freebsd.org (Postfix) with ESMTP id 4022F13C448 for ; Tue, 10 Jul 2007 10:49:49 +0000 (UTC) (envelope-from wxs@atarininja.org) Received: by syn.atarininja.org (Postfix, from userid 1001) id 412E55C5A; Tue, 10 Jul 2007 06:36:55 -0400 (EDT) Date: Tue, 10 Jul 2007 06:36:55 -0400 From: Wesley Shields To: Christian Baer Message-ID: <20070710103655.GA87426@atarininja.org> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.16 (2007-06-09) Cc: freebsd-security@freebsd.org Subject: Re: slight irritation using digest (from the ports) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Jul 2007 10:49:49 -0000 On Tue, Jul 10, 2007 at 11:28:10AM +0200, Christian Baer wrote: > Hello Folks! > > For a special application I needed to create digests (or hashes) using > the whirlpool algorithem. It was kind of hard to find something that > actually did that. But I found digest in the ports tree - ok, with some > help from someone who seemed to know what to look for. :-) > > What irritates me is the Wikipedia-page on Whirlpool: > http://en.wikipedia.org/wiki/Whirlpool_%28algorithm%29 > > There is a chance that the author of the article messed up somehow but > when you are handling sensitive stuff, chances aren't really the things > you want to take. > > My irritations in detail: > > My zero-hash is the same as the example shown for whirlpool > (whirlpool-2). That's a good sign so far. > > My hash for "The quick brown fox jumps over the lazy dog" is: > 72687676756b91ad986f2e56df761b354b748bc20098354b017b924e82cc67ae > 059da85f009d1a17c0f12ec0e644c0c3a193f3fc0fee22f053edbfcd95cbf873 > And that is nowhere near the examples shown in the article. The same > basic thing applies for the change of "dog" to "eog". My hashes are > completely different - as in "no chance the hashes were transfered by > typing and a typo snuck in". I've tried changing the first letter to a > small 't' in case the author didn't hash the sentence with a capital, > but that didn't resolve the problem, nor did adding a full stop. I even > added the quotes to the string that whirlpool digested - didn't change > anything. I know I could try changing the input until kingdom come > without finding the error, so I left it at that. I think this illustrates what you're seeing... wxs@rst wxs > echo "The quick brown fox jumps over the lazy dog" > foo wxs@rst wxs > digest whirlpool foo WHIRLPOOL (foo) = 72687676756b91ad986f2e56df761b354b748bc20098354b017b924e82cc67ae059da85f009d1a17c0f12ec0e644c0c3a193f3fc0fee22f053edbfcd95cbf873 wxs@rst wxs > echo -n "The quick brown fox jumps over the lazy dog" > wxs@rst wxs > digest whirlpool foo WHIRLPOOL (foo) = b97de512e91e3828b40d2b0fdce9ceb3c4a71f9bea8d88e75c4fa854df36725fd2b52eb6544edcacd6f8beddfea403cb55ae31f03ad62a5ef54e42ee82c3fb35 wxs@rst wxs > It was including the trailing newline character in your example. -- WXS