Index: head/lib/libmd/mdX.3 =================================================================== --- head/lib/libmd/mdX.3 (revision 348072) +++ head/lib/libmd/mdX.3 (revision 348073) @@ -1,213 +1,215 @@ .\" .\" ---------------------------------------------------------------------------- .\" "THE BEER-WARE LICENSE" (Revision 42): .\" wrote this file. As long as you retain this notice you .\" can do whatever you want with this stuff. If we meet some day, and you think .\" this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp .\" ---------------------------------------------------------------------------- .\" .\" $FreeBSD$ .\" .Dd May 21, 2019 .Dt MDX 3 .Os .Sh NAME .Nm MDXInit , .Nm MDXUpdate , .Nm MDXPad , .Nm MDXFinal , .Nm MDXEnd , .Nm MDXFile , .Nm MDXFileChunk , .Nm MDXData .Nd calculate the RSA Data Security, Inc., ``MDX'' message digest .Sh LIBRARY .Lb libmd .Sh SYNOPSIS .In sys/types.h .In mdX.h .Ft void .Fn MDXInit "MDX_CTX *context" .Ft void .Fn MDXUpdate "MDX_CTX *context" "const void *data" "unsigned int len" .Ft void .Fn MDXPad "MDX_CTX *context" .Ft void .Fn MDXFinal "unsigned char digest[16]" "MDX_CTX *context" .Ft "char *" .Fn MDXEnd "MDX_CTX *context" "char *buf" .Ft "char *" .Fn MDXFile "const char *filename" "char *buf" .Ft "char *" .Fn MDXFileChunk "const char *filename" "char *buf" "off_t offset" "off_t length" .Ft "char *" .Fn MDXData "const void *data" "unsigned int len" "char *buf" .Sh DESCRIPTION The MDX functions calculate a 128-bit cryptographic checksum (digest) for any number of input bytes. A cryptographic checksum is a one-way hash-function, that is, you cannot find (except by exhaustive search) the input corresponding to a particular output. This net result is a .Dq fingerprint of the input-data, which does not disclose the actual input. .Pp MD4 is the fastest and MD5 is somewhat slower. MD4 has now been broken; it should only be used where necessary for backward compatibility. MD5 has not yet (1999-02-11) been broken, but sufficient attacks have been made that its security is in some doubt. The attacks on both MD4 and MD5 are both in the nature of finding .Dq collisions \[en] that is, multiple inputs which hash to the same value; it is still unlikely for an attacker to be able to determine the exact original input given a hash value. .Pp The .Fn MDXInit , .Fn MDXUpdate , and .Fn MDXFinal functions are the core functions. Allocate an .Vt MDX_CTX , initialize it with .Fn MDXInit , run over the data with .Fn MDXUpdate , and finally extract the result using .Fn MDXFinal , which will also erase the .Vt MDX_CTX . .Pp The .Fn MDXPad function can be used to pad message data in same way as done by .Fn MDXFinal without terminating calculation. .Pp The .Fn MDXEnd function is a wrapper for .Fn MDXFinal which converts the return value to a 33-character (including the terminating '\e0') .Tn ASCII string which represents the 128 bits in hexadecimal. .Pp The .Fn MDXFile function calculates the digest of a file, and uses .Fn MDXEnd to return the result. If the file cannot be opened, a null pointer is returned. The .Fn MDXFileChunk function is similar to .Fn MDXFile , but it only calculates the digest over a byte-range of the file specified, starting at .Fa offset and spanning .Fa length bytes. If the .Fa length parameter is specified as 0, or more than the length of the remaining part of the file, .Fn MDXFileChunk calculates the digest from .Fa offset to the end of file. The .Fn MDXData function calculates the digest of a chunk of data in memory, and uses .Fn MDXEnd to return the result. .Pp When using .Fn MDXEnd , .Fn MDXFile , or .Fn MDXData , the .Fa buf argument can be a null pointer, in which case the returned string is allocated with .Xr malloc 3 and subsequently must be explicitly deallocated using .Xr free 3 after use. If the .Fa buf argument is non-null it must point to at least 33 characters of buffer space. .Sh ERRORS The .Fn MDXEnd function called with a null buf argument may fail and return NULL if: .Bl -tag -width Er .It Bq Er ENOMEM Insufficient storage space is available. .El .Pp The .Fn MDXFile and .Fn MDXFileChunk may return NULL when underlying .Xr open 2 , .Xr fstat 2 , .Xr lseek 2 , or .Xr MDXEnd 2 fail. .Sh SEE ALSO .Xr md4 3 , .Xr md5 3 , .Xr ripemd 3 , .Xr sha 3 , .Xr sha256 3 , .Xr sha512 3 , .Xr skein 3 .Rs .%A R. Rivest .%T The MD4 Message-Digest Algorithm .%O RFC 1186 .Re .Rs .%A R. Rivest .%T The MD5 Message-Digest Algorithm .%O RFC 1321 .Re .Rs .%A H. Dobbertin .%T Alf Swindles Ann .%J CryptoBytes .%N 1(3):5 .%D 1995 .Re .Rs .%A MJ. B. Robshaw .%T On Recent Results for MD2, MD4 and MD5 .%J RSA Laboratories Bulletin .%N 4 .%D November 12, 1996 .Re .Sh HISTORY These functions appeared in .Fx 2.0 . .Sh AUTHORS The original MDX routines were developed by .Tn RSA Data Security, Inc., and published in the above references. This code is derived directly from these implementations by .An Poul-Henning Kamp Aq Mt phk@FreeBSD.org . .Pp Phk ristede runen. .Sh BUGS -No method is known to exist which finds two files having the same hash value, -nor to find a file with a specific hash value. -There is on the other hand no guarantee that such a method does not exist. +The +.Tn MD5 +algorithm has been proven to be vulnerable to practical collision +attacks and should not be relied upon to produce unique outputs, +.Em nor should they be used as part of a cryptographic signature scheme. Index: head/lib/libmd/sha.3 =================================================================== --- head/lib/libmd/sha.3 (revision 348072) +++ head/lib/libmd/sha.3 (revision 348073) @@ -1,208 +1,210 @@ .\" .\" ---------------------------------------------------------------------------- .\" "THE BEER-WARE LICENSE" (Revision 42): .\" wrote this file. As long as you retain this notice you .\" can do whatever you want with this stuff. If we meet some day, and you think .\" this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp .\" ---------------------------------------------------------------------------- .\" .\" From: Id: mdX.3,v 1.14 1999/02/11 20:31:49 wollman Exp .\" $FreeBSD$ .\" .Dd May 21, 2019 .Dt SHA 3 .Os .Sh NAME .Nm SHA_Init , .Nm SHA_Update , .Nm SHA_Final , .Nm SHA_End , .Nm SHA_File , .Nm SHA_FileChunk , .Nm SHA_Data , .Nm SHA1_Init , .Nm SHA1_Update , .Nm SHA1_Final , .Nm SHA1_End , .Nm SHA1_File , .Nm SHA1_FileChunk , .Nm SHA1_Data .Nd calculate the FIPS 160 and 160-1 ``SHA'' message digests .Sh LIBRARY .Lb libmd .Sh SYNOPSIS .In sys/types.h .In sha.h .Ft void .Fn SHA_Init "SHA_CTX *context" .Ft void .Fn SHA_Update "SHA_CTX *context" "const unsigned char *data" "size_t len" .Ft void .Fn SHA_Final "unsigned char digest[20]" "SHA_CTX *context" .Ft "char *" .Fn SHA_End "SHA_CTX *context" "char *buf" .Ft "char *" .Fn SHA_File "const char *filename" "char *buf" .Ft "char *" .Fn SHA_FileChunk "const char *filename" "char *buf" "off_t offset" "off_t length" .Ft "char *" .Fn SHA_Data "const unsigned char *data" "unsigned int len" "char *buf" .Ft void .Fn SHA1_Init "SHA_CTX *context" .Ft void .Fn SHA1_Update "SHA_CTX *context" "const unsigned char *data" "size_t len" .Ft void .Fn SHA1_Final "unsigned char digest[20]" "SHA_CTX *context" .Ft "char *" .Fn SHA1_End "SHA_CTX *context" "char *buf" .Ft "char *" .Fn SHA1_File "const char *filename" "char *buf" .Ft "char *" .Fn SHA1_FileChunk "const char *filename" "char *buf" "off_t offset" "off_t length" .Ft "char *" .Fn SHA1_Data "const unsigned char *data" "unsigned int len" "char *buf" .Sh DESCRIPTION The .Li SHA_ and .Li SHA1_ functions calculate a 160-bit cryptographic checksum (digest) for any number of input bytes. A cryptographic checksum is a one-way hash function; that is, it is computationally impractical to find the input corresponding to a particular output. This net result is a .Dq fingerprint of the input-data, which does not disclose the actual input. .Pp .Tn SHA (or .Tn SHA-0 ) is the original Secure Hash Algorithm specified in .Tn FIPS 160. It was quickly proven insecure, and has been superseded by .Tn SHA-1 . .Tn SHA-0 is included for compatibility purposes only. .Pp The .Fn SHA1_Init , .Fn SHA1_Update , and .Fn SHA1_Final functions are the core functions. Allocate an .Vt SHA_CTX , initialize it with .Fn SHA1_Init , run over the data with .Fn SHA1_Update , and finally extract the result using .Fn SHA1_Final , which will also erase the .Vt SHA_CTX . .Pp .Fn SHA1_End is a wrapper for .Fn SHA1_Final which converts the return value to a 41-character (including the terminating '\e0') .Tn ASCII string which represents the 160 bits in hexadecimal. .Pp .Fn SHA1_File calculates the digest of a file, and uses .Fn SHA1_End to return the result. If the file cannot be opened, a null pointer is returned. .Fn SHA1_FileChunk is similar to .Fn SHA1_File , but it only calculates the digest over a byte-range of the file specified, starting at .Fa offset and spanning .Fa length bytes. If the .Fa length parameter is specified as 0, or more than the length of the remaining part of the file, .Fn SHA1_FileChunk calculates the digest from .Fa offset to the end of file. .Fn SHA1_Data calculates the digest of a chunk of data in memory, and uses .Fn SHA1_End to return the result. .Pp When using .Fn SHA1_End , .Fn SHA1_File , or .Fn SHA1_Data , the .Fa buf argument can be a null pointer, in which case the returned string is allocated with .Xr malloc 3 and subsequently must be explicitly deallocated using .Xr free 3 after use. If the .Fa buf argument is non-null it must point to at least 41 characters of buffer space. .Sh ERRORS The .Fn SHA1_End function called with a null buf argument may fail and return NULL if: .Bl -tag -width Er .It Bq Er ENOMEM Insufficient storage space is available. .El .Pp The .Fn SHA1_File and .Fn SHA1_FileChunk may return NULL when underlying .Xr open 2 , .Xr fstat 2 , .Xr lseek 2 , or .Xr SHA1_End 2 fail. .Sh SEE ALSO .Xr md4 3 , .Xr md5 3 , .Xr ripemd 3 , .Xr sha256 3 , .Xr sha512 3 , .Xr skein 3 .Sh HISTORY These functions appeared in .Fx 4.0 . .Sh AUTHORS The core hash routines were implemented by Eric Young based on the published .Tn FIPS standards. .Sh BUGS -No method is known to exist which finds two files having the same hash value, -nor to find a file with a specific hash value. -There is on the other hand no guarantee that such a method does not exist. +The +.Tn SHA1 +algorithm has been proven to be vulnerable to practical collision +attacks and should not be relied upon to produce unique outputs, +.Em nor should they be used as part of a cryptographic signature scheme. .Pp The .Tn IA32 (Intel) implementation of .Tn SHA-1 makes heavy use of the .Ql bswapl instruction, which is not present on the original 80386. Attempts to use .Tn SHA-1 on those processors will cause an illegal instruction trap. (Arguably, the kernel should simply emulate this instruction.)