Reliable SHA-1 sum generator?

From: Adam McLaurin (blueeskimo_at_phreaker.net)
Date: 08/07/03


Date: Thu, 07 Aug 2003 15:22:41 -0400

I am trying to find a reliable SHA-1 sum generator, but I'm encountering
problems deciding which one to trust.

There is one available here:
http://www.netsw.org/crypto/hash/

But there is a report that it does not generate correct sums:
http://freshmeat.net/projects/shasum/?topic_id=861

Subsequently, the above-mentioned fellow released a new version, which
resembles the original version very little:
http://people.debian.org/~bug1/shasum-1.2.tar.gz

Anyhow, peering into its source code reveals this:
/* The sha1 method described at
 * http://www.itl.nist.gov/fipspubs/fip180-1.htm
 * incorectly says this is supposed to be
 * #define f1(X,Y,Z) (X & Y) | ((!X) & Z)
 */
#define f1(X,Y,Z) (Z ^ (X & (Y ^ Z)))

Holding NIST in high regard (perhaps I shouldn't), I'd like to believe
that a published standard would not contain such a bad error. However, I
am not in any position to say one way or the other.

I vaguely remember a SHA-1 sum generator that linked against OpenSSL,
but I cannot remember what it was called, or where/how I found it.
Surely linking against OpenSSL somehow 'guarantees' that the
implementation is correct.

Perhaps someone can shed some light on this for me. Thanks.
-Adam McLaurin
Toronto, Canada
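
Added example (not part of the original post, and not code from shasum, NIST or OpenSSL): one way to settle the question above is to run each candidate f1 through a SHA-1 core and compare the digest with the "abc" test vector published in FIPS 180-1. The sketch handles single-block messages only, and the names sha1_short, abc_vector_ok, f1_fips, f1_xor and f1_lnot are hypothetical; f1_lnot reproduces the quoted comment's form with C's logical '!', whereas NOT in the standard is the bitwise complement.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t (*f1_fn)(uint32_t, uint32_t, uint32_t);
static uint32_t rol(uint32_t v, int n) { return (v << n) | (v >> (32 - n)); }

/* FIPS 180-1, rounds 0..19: (B AND C) OR ((NOT B) AND D); NOT is the bitwise complement. */
static uint32_t f1_fips(uint32_t x, uint32_t y, uint32_t z) { return (x & y) | (~x & z); }
/* The form shasum-1.2 actually compiles. */
static uint32_t f1_xor(uint32_t x, uint32_t y, uint32_t z) { return z ^ (x & (y ^ z)); }
/* The form its comment attributes to the standard, written with C's logical '!'. */
static uint32_t f1_lnot(uint32_t x, uint32_t y, uint32_t z) { return (x & y) | ((!x) & z); }

/* SHA-1 of a string of at most 55 bytes (one padded block); f1 is used in rounds 0..19. */
void sha1_short(const char *msg, f1_fn f1, char hex[41]) {
    uint8_t blk[64] = {0};
    uint32_t w[80], h[5] = {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0};
    size_t len = strlen(msg);
    if (len > 55) { hex[0] = '\0'; return; }   /* multi-block input is out of scope here */
    memcpy(blk, msg, len);
    blk[len] = 0x80;                           /* padding: a single 1 bit, then zeros */
    blk[62] = (uint8_t)((len * 8) >> 8); blk[63] = (uint8_t)(len * 8); /* bit length */
    for (int t = 0; t < 16; t++)
        w[t] = (uint32_t)blk[4*t] << 24 | (uint32_t)blk[4*t+1] << 16 | (uint32_t)blk[4*t+2] << 8 | blk[4*t+3];
    for (int t = 16; t < 80; t++) w[t] = rol(w[t-3] ^ w[t-8] ^ w[t-14] ^ w[t-16], 1);
    uint32_t a = h[0], b = h[1], c = h[2], d = h[3], e = h[4], f, k;
    for (int t = 0; t < 80; t++) {
        if (t < 20)      { f = f1(b, c, d);                 k = 0x5A827999; }
        else if (t < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
        else if (t < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
        else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
        uint32_t tmp = rol(a, 5) + f + e + w[t] + k;
        e = d; d = c; c = rol(b, 30); b = a; a = tmp;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
    for (int i = 0; i < 5; i++) sprintf(hex + 8 * i, "%08x", (unsigned)h[i]);
}

/* Returns 1 when SHA-1("abc") computed with the given f1 equals the FIPS 180-1 vector. */
int abc_vector_ok(f1_fn f1) {
    char hex[41];
    sha1_short("abc", f1, hex);
    return strcmp(hex, "a9993e364706816aba3e25717850c26c9cd0d89d") == 0;
}

int main(void) {
    printf("fips=%d xor=%d lnot=%d\n", abc_vector_ok(f1_fips), abc_vector_ok(f1_xor), abc_vector_ok(f1_lnot));
    return 0;
}
```

The same comparison against published test vectors applies to any packaged sum generator, whichever library it links against.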

