From owner-freebsd-ports@FreeBSD.ORG  Thu Jan  5 15:52:23 2006
Return-Path: <owner-freebsd-ports@FreeBSD.ORG>
X-Original-To: ports@freebsd.org
Delivered-To: freebsd-ports@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id EBA2916A41F;
	Thu,  5 Jan 2006 15:52:22 +0000 (GMT)
	(envelope-from ben@algroup.co.uk)
Received: from mail.links.org (mail.links.org [217.155.92.109])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7172443D58;
	Thu,  5 Jan 2006 15:52:21 +0000 (GMT)
	(envelope-from ben@algroup.co.uk)
Received: from [193.133.15.218] (localhost [127.0.0.1])
	by mail.links.org (Postfix) with ESMTP id 91E4733C3F;
	Thu,  5 Jan 2006 15:52:19 +0000 (GMT)
Message-ID: <43BD40B7.9070905@algroup.co.uk>
Date: Thu, 05 Jan 2006 15:52:23 +0000
From: Ben Laurie <ben@algroup.co.uk>
User-Agent: Thunderbird 1.5 (Windows/20051201)
MIME-Version: 1.0
To: apeiron+ports@coitusmentis.info, 
	FreeBSD Security Team <secteam@freebsd.org>, ports@freebsd.org
X-Enigmail-Version: 0.93.0.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: Ben Laurie <ben.laurie@thebunker.net>
Subject: Digest::SHA256 produces the wrong digest
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
	<mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
	<mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2006 15:52:23 -0000

$ apps/openssl dgst -sha256
test9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08

$ perl -e "use Digest::SHA256; print
Digest::SHA256::new(256)->hexhash('test');"
d0933eee ad930c56 5827f6aa 5887f852 2140f90d cf9fa07e 40fd7abf 27992307

This is using version 0.01b of p5-Digest-SHA256.

It is not clear what the security impact of this bug is, but it is
potentially serious, depending on the nature of the bug, so I've copied
in the security team.

Can I suggest that ports implementing cryptographic functions should not
be released without at least checking some test vectors?

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff