slight irritation using digest (from the ports)

Hello Folks!

For a special application I needed to create digests (or hashes) using
the whirlpool algorithem. It was kind of hard to find something that
actually did that. But I found digest in the ports tree - ok, with some
help from someone who seemed to know what to look for. :-)

What irritates me is the Wikipedia-page on Whirlpool:
http://en.wikipedia.org/wiki/Whirlpool_%28algorithm%29

There is a chance that the author of the article messed up somehow but
when you are handling sensitive stuff, chances aren't really the things
you want to take.

My irritations in detail:

My zero-hash is the same as the example shown for whirlpool
(whirlpool-2). That's a good sign so far.

My hash for "The quick brown fox jumps over the lazy dog" is: 
72687676756b91ad986f2e56df761b354b748bc20098354b017b924e82cc67ae
059da85f009d1a17c0f12ec0e644c0c3a193f3fc0fee22f053edbfcd95cbf873
And that is nowhere near the examples shown in the article. The same
basic thing applies for the change of "dog" to "eog". My hashes are
completely different - as in "no chance the hashes were transfered by
typing and a typo snuck in". I've tried changing the first letter to a
small 't' in case the author didn't hash the sentence with a capital,
but that didn't resolve the problem, nor did adding a full stop. I even
added the quotes to the string that whirlpool digested - didn't change
anything. I know I could try changing the input until kingdom come
without finding the error, so I left it at that.

I could however verify (using a few tests, if you want to call that
"veryfying") that the results were the same on both i386 and sparc64
plattforms - but since the port was taken from NetBSD, there aren't any
surprises in that.

Just to make things a little more complex, I encoded "Telegraph Road"
off one of my Dire Straits CDs to mp3, hashed that with digest and
compared the hash to the result a friend of mine got with Jacksum[1] on a
Windows box. These were the same and Jacksum says the algorithm is
WHIRLPOOL-2 (which is usually named without the number).

This may be only a small irritation but since we are talking about a
security issue, I don't want to dismiss it too easily either. Are there
any opinions to this out there?

Regards
Chris

[1] http://www.jonelo.de/java/jacksum/
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"