Kas Ob.

Hi, I am having hard time understand the problem or the proposed solution, so to recap what i get you have non-overlapped integer ranges in a list, and want to implement the best solution to check for an integer to get its range if exist, right ? In that case then make sure to sort them by the left side ( the start point of the each range), and check for the middle item in that list for the required value, by checking i mean use >Ri or <Li "here Li and Ri are start of and the end of range i, i in the range [0..Last] which is the list of ranges, starting i with (Last div 2)" then based on these comparison you either get i the range, or the value is in bigger i or smaller i ( i will become i div 2 or i+(Last-i) div 2 ) , repeat. This will should be fast to handle even thousands of ranges.

For plain text editor it is indeed strange, but NotePad++ is not plain text editor it is more like everything editor with huge plugins database. I think i saw that behavior in editing Word documents and in editing HTML, it was useful to change font style and color in one go. TRichView doesn't support such multi selection, but might be easier to emulate selection by simply highlighting.

Hi, While having the full HTTP request and including the HTTP header for the response is best for switching between the connections type, you can do this by striping all of that and changing the request to pure and simple JSON ,(like a JSON object with a field called apicmd and its value is codelookup with a second field numhistory ), here i want to point an important thing is to put a separator for this simple API request like one CRLF or double CRLF to indicate the end of the request, same can be with the response, also want to point that is very important and will pay in future to put the request parameters in the response for each request, this will prevent the confusion and remove all the tracking for request-response pairs, web socket allows you to send many request from the client and the server can response when it is ready and doesn't require serialization, some queries might/could be executed on the server different threads but the response always known for the client. Not really important, but i prefer to send one request establishing the timeout and the frequency of the ping to be expected, this way, server have some knowledge on how to handle stale connections, remember that web sockets connection will stale without ping, so the best approach here is make sure the client to ping periodically, and the server will close the connection if this period violated, the ping form the client could be 3 minutes and the server will close the connection on 5-6 minutes if nothing being received in that period(ping or not).

He was asking about the memory leak and i pointed where the leak came form, an AV is his wrong design/approach.

It is from the above that this is one time leak, which is caused by not freeing the stringlist class operator TTaskDialogParams.Finalize(var Dest: TTaskDialogParams); begin // Dest.CustomButtons.Free; end; So where is the problem ? What happen if you did uncomment that line ?

Nice thing with async networking is that you can start many connections simultaneously and react for connection/timeout in event handlers. In fact, it is amazing it is 8ms not 50-200ms for TCP first packet, TCP have Nagle algorithm enabled by default, even with TCP_NODELAY enabled on the socket for the TCP, there is 3 ACK packet for establishing and connecting, which is unneeded for merely a ping simulation, or just checking for presence. I always send my ping (or keep alive on TCP or UDP) with current tick on the and measure against the response, this simplify the tracking for timeout, with this you have two mechanism to check one on pong and the other on background thread periodically checking (1/5 of the allowed timeout time ) for timeout, such thread is needed if IOCP is used, but otherwise i use the events on socket poll or the overlapped operation to trigger timeout from the last ping and mark the connection as down/lost. Again the best way to do it is with UDP and broadcasting on the broadcast IP for the network.

Hi, Well, while waiting for Angus or François to answer, i can give a few thoughts: 1) Ping is ICMP not UDP and not TCP. 2) There is no down side to use it at all, on the contrary most firewalls by default allowing it on local net (NAT) 3) You need the LAN subnet mask (aka range) and you can scan them, also no downside, but i am talking here about ICMP, and migt work for UDP too, in case UDP then it must be your own protocol/message. 4) If the devices you are looking for are running your application, then don't use ICMP, switch to UDP and broadcast, this will be faster and more accurate as your LAN router (or switch) will forward these on your behave, and your application on other devices can answer or just broadcast too. 5) there is ways to detect invisible devices (device with black hole firewall) and even know what system they are running, but this somewhat harder to implement in Delphi, you can test such functionality with nmap https://nmap.org/ https://github.com/nmap/nmap it is really fun to play with !

Good question ! The thing is AES is an algorithm, not a solution, and not all protection library, look at it as a brick in a wall, so encryption is defined and there is padding algorithm also a brick and should go in such wall when needed, libraries that use algorithm should and must provide padding algorithm or at least have one included and activated all the time. So when even you want to encrypt then pick a library that provide both, like mORMot2 it has all these bricks, and i think it have also a higher level implementation to provide both encryption and padding in one class, but that for Arnaud to answer. Now for salting as term in encryption, it is about obfuscating or mixing, so it is about changing the value by adding entropy, it doesn't matter at the beginning or at the end, may be it is just hash step after the fact with extended value, like hash the password then calculate the hash of that hash with the user name. As for IV mentioned by Arnaud, IV is crucial to be used right with cipher blocks, it is critical as the key itself, and the rule is you must not use the symmetric key twice for encryption unless IV is different or unique, so random is not necessary, and just a serial number will do, but again IV in AES (as example) is block and should be 16 bytes long, so i would use the index (or a unique identifier ) in the users/password database to then hash it into 16 byte long IV, then encrypt the user personal data there (or his cards...). One very important note, IV is not secret and it doesn't need to be, meaning it is absolutely safe to be public as the encrypted data, the key on other hand should not be leaked, but for IV you can ship the encrypted data with its IV without a problem. Because the rule is don't use the key twice, so we can instead of changing the key we change the IV and keep the key, this is usage is to prevent the very powerful deferential analysis attack, also comparison leak attack. Hope that clear things.

Hi, Not sure what is your question is, but from what Arnaud wrote and where did he mentioned the salting, i can expand on this, The only place he mentioned salting is storing password, and the right way to store password is not to store them to begin with but to store something unique like a hash form them, this will eliminate the possibility get the password in its readable form, also will protect against dictionary attacks, also to store the password it is better to salt it first meaning if you users had the same password like this great one "12345" then the hash will be different because they were salted by adding something to them like the their login name ! before hashing, this will render dictionary attacks useless, even for the administrator or who people who can access the DB, it is useless and leaking such DB will be useless too, in case users used their password in different online accounts or services. AES is symmetric block cipher, will operate only on block of bytes, 16 bytes to be exact, so if you are going to encrypt "Tommi" then you need to pass it within 16 byte block, here comes the question what to be filled with the rest of this 16 byte and how the decryption process will recognize it was "Tommi" and remove the extra bytes, because AES decryption is also works only on 16 bytes blocks, padding is the solution, pkcs7 is the best to solve this, just remember when using encryption to check the padding algorithms.

Sure and agree, just more portability and in case Dave will be faster.

@Daniel Looking at this lookup result C:\Users\Kas>nslookup -type=TXT -debug delphipraxis.net 1.1.1.1 Server: 1.1.1.1 Address: 1.1.1.1#53 ------------ QUESTIONS: delphipraxis.net, type = TXT, class = IN ANSWERS: -> delphipraxis.net text = "v=spf1 a mx ~all" ttl = 86330 -> delphipraxis.net text = "google-site-verification=axHu87aSc4n6ry1pc4VMwdNcEsrBD8WbBeYO-jA1sl0" ttl = 86330 AUTHORITY RECORDS: ADDITIONAL RECORDS: ------------ Non-authoritative answer: delphipraxis.net text = "v=spf1 a mx ~all" delphipraxis.net text = "google-site-verification=axHu87aSc4n6ry1pc4VMwdNcEsrBD8WbBeYO-jA1sl0" Authoritative answers can be found from: I see few problems: 1) The TTL is way long, i prefer 6 minutes at most instead of 24 hours. 2) there is Sender Policy Framework (SPF) and it is correct, but it is useless in this format, literally it is saying i am here, nothing else, accepting/allowing form any IP ("~all" parameter will relax the usage too much too), doesn't help at all, mx in this format with the actual domain also saying SMTP mx domain can send an email using this domain, but reverse resolving the IP will result in your other ".eu" domain !!.... in short this SPF can/should be better and more secure, hence will help a lot with spam flagging. 3) No DomainKeys Identified Mail (DKIM) ?! 4) No Domain-based Message Authentication, Reporting and Conformance (DMARC) ?! Here is headers i got from an email form this forum Authentication-Results: spf=none (sender IP is 138.201.18.17) smtp.mailfrom=mail.danielwolf.eu; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=delphipraxis.net; Received-SPF: None (protection.outlook.com: mail.danielwolf.eu does not designate permitted sender hosts) // these are values from Outlook (the general score) X-MS-Exchange-Organization-PCL: 2 X-MS-Exchange-Organization-SCL: 1 X-Microsoft-Antispam: BCL:0; So to break these 1) SPF should be more restrictive at least, it should list the IPs that SMTP will use, mx field is good but as mentioned above, it should be pointing to the actual mx for this domain not leaving it to the receiver to guess. 2) DKIM is helpful and will not cost you anything, just one extra layer of authentication like SPF. 3) DMARC will consolidate the SPF and DKIM together and provide one brilliant way to saty on top of things by reporting. Suggestions: 1) If you can then transfer your domain to more robust and concrete domain registrar, my self since moving all my domain to CloudFlare DNS, i never looked back, even if i am not using their services like protection of any, i just want them to serve domains and have control with API over my DNS records and subdomains. 2) change the TTL to shorter period, and here you must be very careful, if you want to start enhancing and tweaking your domains and DNS record, make sure it is 1 minute and wait until that 24h to pass then tweak it, don't touch it today if you decide you tweak something. 3) Enhance the SPF, most likely you have static IP for the mx which also serving another one or more, it is acceptable to be more than mx record on one IP, but declare these IP for each domain/subdomain, another tricky thing here, if you are allowing sending and using IPv6, then you should be 100% it will not change, it is static and controlled by you, or just disable it, also you can use and IP or a range, both will be OK and better form leaving it empty for any IP. 4) DKIM, well it is as simple at it sound generate key with hash... there is so many resources on internet so i am not getting there, on side note we can ask Angus to expand his built binary tools to include generating DKIM key, if i would do it it will be on his style with many checkboxes and radio buttons, i love doing that, "Just don't use any online service to generate the key !" use command for OpenSSL or ICS or what ever local for you. 5) there is so many to explain what mx in the SPF and its interaction with DKIM should be, but if you are delegating the sender for your domain lets say delphipraxis.net to Gmail or Outlook, it can be secure and validate , but one of these (SPF or DKIM) will fail as per designed, hence DMARC will come to rescue, also there is many resources on how to do it right, i love https://dmarcian.com/ it is free and can be paid if you prefer, DMARC will inform the receivers of email sent from your servers/SMTP.. to report the failures and may be even the success, the reported data are not private, so you should not care about an IP trying to spam other impersonating your domain, dmarcian have tools to analyze your domain parameters, so it will help you a lot, and if you used it right then services like GMail will email you back on daily/weekly/whenneeded basis a report of success delivery and failure or most important the spam recognized as pretending to be you, you can also receive these report and parse them on you own, it is just more beautiful to see their charts in work ! Extra info : About reducing TTL: TTL is there to prevent DNS attacks, yet it is two side blade (it can be debated both ways), so in my opinion the longer TTL was helping in the past, but not so relevant in modern days with DNSSEC and DNS-over-HTTPS (DoH), and here is the thing building an attack on mail/mx DNS with very shorter is rendered useless with the existence of SPF, DKIM and DMARC ! I see you are using Gmail site-verification and it is good wo work with Gmail, but that is not enough, they still have their own score, and the above will help, OutLook on other hand does use these record in their score system and consolidate with their own register method attached to your account and verified for more https://sendersupport.olc.protection.outlook.com/snds/JMRP.aspx Some additional reources https://en.wikipedia.org/wiki/Sender_Policy_Framework https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail https://en.wikipedia.org/wiki/DMARC https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-spam-confidence-level-scl-about?view=o365-worldwide https://support.google.com/a/answer/174124?hl=en https://support.google.com/a/answer/2466580?sjid=17120824358789328945-EU Hope that helps, not only for Daniel !

I would suggest to ditch the stack and return to heap, but without allocation, see, i have very similar to David implementation, (David's can be refactored easily to do so), with differences that i refactored the converting code into a function take a pointer to 24 char ( two in fact one ansichar and one widechar) this function take three parameters : 1) pointer to this buffer ( hence it could be on stack or on the heap) guaranteed by the caller to have the space of 24 char or 24 byte based on the version. 2) the value to parse 3) var to receive the length in char, this will be as same as the result but in chars, to trim in char in case needed. the result will be in byte the actual length being used, to trim in bytes in case needed. with such you can convert your csv numbers at really great number with 0 allocation per operation, and you don't need the limited stack space. example SetLength( T, 24 ); LenByte := IntToStrMem( T[1], Value, CharsLen); SetLength(T,CharsLen); // or // Loop over this, for buffer (as in array of bytes) LenByte := IntToStrMem(@Buffer[P], Value[i], CharsLen); Inc(P,LenBye); Buffer[P]:=','; Inc(P); .... //use PBufferWC : PWideChar; .. LenByte := IntToStrMem(PBufferWC, Value[i], CharsLen); Inc(OverallLength,LenByte); Inc(PBufferWC,CharsLen); PBufferWC^:=','; Inc(PBufferWC);

Also thank you for this link, it is nice reading.

That is perfect, i did the same with SBB, as it was implemented to compare many things and went all the way to validate the chain, so its caching was paranoid, the thing that confused (a little doubt confusion) me in that binary compare is the declaration of x (TX509) and f(ICryptCert) so that compare (in theory) could be just for the the key or something else, hence i preferred to present this to you instead. One thing that is easy to miss: specified curves and implicit curves are allowed in PKIX and X.509 certificates, but such certificate are not allowed to be used with TLS 1.2 ( 1.3 + ), https://datatracker.ietf.org/doc/html/rfc5480#section-2.1.1 That Section 2.1.1 is important and packing few restrictions, you can check (faster than anyone else) for these, since mORMot have full x.509 parser now. Congratulations again !

@Arnaud Bouchez That is awesome indeed !, really nice work. I have one concern about this ( from https://blog.synopse.info/?post/2023/12/09/Native-X.509-and-RSA-Support ) maintaining a cache of ICryptCert instances, which makes a huge performance benefit in the context of a PKI (e.g. you don't need to parse the X.509 binary, or verify the chain of trust each time). This made me try to follow the implementation and this is not easy, so i want to explain form my past counters with such a possible weak point, and i believe you are the one to check if the implementation is prone to such attack, you have the better understanding and the internal work flow. The code in question is this , (well this is mainly from what caught my eyes, but not limited to that , again it is you who should check and decide) The attack i will (try to) explain in details here is was real vulnerability in Chrome and Windows and even in OpenSSL, and concern caching the validation, this sound silly, yet the attack was at the CA of the certificate not the certificate itself, this will allow MITM to replace the certificate at real time. So, the scenario goes like this: 1) Client initiate the handshake with its ClientHello. 2) MITM will pass it without changing to server. 3) Server respond as usual, and in its response the certificate, here by TLS and SSL reference the suggested behavior is to send at least one CA with the certificate, it is recommended to send full chain excluding the root as best practice, this might not be relevant as all what we need is that the MITM to have the CA, so even if the server didn't send the CA, it might be publicly known (like letsencrypt ...) , anyway MITM will pass this records/packets without touching to the client. 4) Client received the secure untouched traffic and validated and the certificate and its CA (this is the important part), the CA is verified and trusted and most likely cached ! 5) Client proceed to establish the handshake procedure, here MITM cut the traffic and drop the connection, forcing the client to reestablish the connection with new handshake, as the TLS resumption ticket or session were not confirmed, this will not help the client/server connection. 6) MITM pass the traffic for this new ClientHello to the server untouched, or can start its own process impersonating the server, for just recording/watching, in that case it must start a connection on its own to the server and that can easily be passed. 7) MITM as a response to the client, will forge new fake CA, and here the attack part, with this new CA that have identical parts (some only, and it could be very easy indeed) to the real CA, then issue a new certificate signed by this FakeCA, here if the client will validate the certificate for everything and will pass, except for the CA, logically !, but if the cache and its access way and due the short time between the validating the real CA and checking against FakeCA, it might pass, hence the FakeCert will be valid for the client. The attack is really about attacking the CA and abusing the caching mechanism, so, about caching and find the CA in the cache, and how to fake it, if the cache does have a bValid boolean (and may be with a time for the last validation check), this attack is possible, how it is possible? , some implementation find them by FingerPrint , or by public key ( SubjectKey), ( on side note faking public key for EC certificates is was easier than you can imagine, unless a named curved is exclusively used, in other word you can choose the the same curve with specific generator point (Gx and Gy) to make any public you need, hence making the FakeCA public key matching the real CA public key, ... So, the point is : Is caching CA prone for similar attacks ? because it will defeat and override all the checking of the server certificate itself. Hope that was clear, and if there is question, please don't hesitate to ask, i would love to explain, ( side note, that code is not easy to track hence i want to explain and i trust you can find weak point if there is any ) Additional source for similar scenario ECC faking like the mentioned above https://research.kudelskisecurity.com/2020/01/15/cve-2020-0601-the-chainoffools-attack-explained-with-poc/ Can't find more resources searching now !, but i remember similar cases were in WolfSSL and OpenSSL (multiple times), in fact it has long history of such. Anyway, you more than qualified and armed to check such cases, this post is merely food for thought or reminder. Ps: there is many RSA implementation miss rare cases and allow such manipulation, like allowing/processing non primes, or one "1" as exponent, allowing public key to be faked....

I've been looking at that - since the DelphiGRPC makes use of it. Down the rabbit hole I go.. Well, i see sgcWebSockets folder there, this means the porting to sgcWebSockets is possible if not easy (or already there), DTLS with 1(or 0) handshake round-trip (with TLS1.3) and HTTP/2 are available, this will should get your attention, for performance and bandwidth utilization.

I can answer that, the stability and responsiveness of the GUI edit (Form Editor) and switching between it unit editor will be visible, this will slow and delay the need to restart IDE to get it responsive. If a project doesn't use DevArt Unidac, then disabling will help, this goes for all the big libraries, and most notably LiveBindings, that thing has its heavy impact on the GUI editor.

Well, i can share their contact, and if that is a problem for Rafael, then let it be, Also you can simply ask them and/or contact their Selling Service (like Digital River in my invoice )and confirm any public info or clear your doubts, it is not like you are violating anyone privacy, just doing your diligence. There was a forum years back and they closed it as it was wasting their time and confusing the clients more than resolving problem, look at EurekaLog they did closed their forum, is their support is trust worthy now ? the answer is nope ! You are judging a book by its cover, and if that have any impact in real world, then Amazon site is the worst designed interface with ugliest/stupidest UI search algorithm you will ever see, this doesn't mean they are not the leaders in their business sector. Now to one of many things that is not mentioned in the site but i am familiar with it, code virtualization and their VMs, One day, in fact one of the old days when i decided to test Winlicense VM engine on my own, i used OllyDbg with custom script, i adjusted and tested that script to work as fast as it can and even dropped valuable information from its logging to speed it, i am doing controlled test and i am looking for already know code, all these i am familiar with, and built a simple application with one VM, inside it a specific code that i will recognize, and wanted to know how hard/easy to analyze WL VM, the chosen VM was one of the smallest and the fastest, the debugger script was to perform step into and log the instructions and the modified register, so i can find my own code, of course disabled most the other protection in WL like allowd debugging ..etc and ran the script right before entering the VM, and the process reached and break point out side the protected code which was three Delphi lines, the process took around 45 minutes, and generated a log with around 300mb in size, also took me hours to pin point the exact place where my 3 lines executes, great and was happy with my finding, now i changed to a heavier VM one of the upper middle in complexity and size but not the most complex or the biggest, and ran the script, the is that i remembered that i have a life to live, and stopped at after 3-4 hours with 3.5 Gb of log file, and there was no evidence that my 3 lines were executed yet. The result was very happy with WL, i know its limit or at least i have an idea, specially my protected projects have something around 3-6 different VMs and code flow must pass at least 10 VM macros before giving the user (or hacker/cracker) any useful place to pin anything useful. in general i use 50 VM macros for these few VM, and if some hacker/cracker want to spend weeks/months to crack it, then let it be, most likely my application will be updated and rendered his work as obsolete, also the way i do it, he might be successful but this will work for one PC, his own PC and that is worst scenario for me. These VM run at full speed and they have an impact on the application performance even the heaviest my take up to a second, but with care you can minimize that impact and at least hide that effect from the application user. Hope that helps. Edit the invoice now doesn't have full address.

Of course they are dead slow. I would suggest to build your own class that handle drawing a a single text string on its own small BMP (sized according to the text and the font), so there texts strings will have their own BMP that will invalidate only when you change the text, and simple draw procedure needing canvas and coordinates ( and may be a rect for clipping if needed), this what i do and this will make things faster enough for drawing on your own BMP or directly on the needed canvas.

Windows has a specific infrastructure and interface to recognize standardized cryptographic service providers (CSP), it will initialize its own driver to communicate with it, notice that, USB specification has its own interface standard, meaning, an USB device can introduce itself to the host device as it designed to, (trying to simplify and yet it is sound bla bla bla, so sorry) Let try again, a USB may be a keyboard and a soundcard and mp3 player at the same time in compliant with Windows default driver and also have thermostat ability but for this one you need the manufacturer driver, so what ever you USB hardware is or manufacturer was it might use the default Windows compliant driver with CSP interface ! USB (Universal Serial Bus) in fact is standard hardware communication protocol, and that it is, USB device can declare itself anything, and it can multiple devices with literally no limit to how many protocols or devices it can handle, impersonate, provide functionality to. Fun fact: my android mobile is rooted, and i installed a Magisk module that allowed me to to boot my PC from the mobile using my Acronis ISO file, it booted beautifully ! Also you may have came across these 3G/4G USB modems where acted like read only (or readwrite) disk drive with the drivers for their custom modem, so plug them and an autorun will kick in the offer to install the modem driver if it is not present, if the driver is there it will run its modem UI. So returning to the Microsoft CSP, a Windows compliant hardware token will be recognized and the driver will interact with it in standardized way, get the certificate(s) and manage the private key operation knowing it is there and unexportable and it is the device job to perform specific operation and get the result. to read more https://learn.microsoft.com/en-us/windows/win32/seccrypto/csps-and-the-cryptography-process also this is more details on the design https://learn.microsoft.com/en-us/windows/win32/seccrypto/cryptoapi-system-architecture Hope that help and explain few things, and sorry for the English too.

That is correct behavior. See, even Windows OS while loads and unload all the needed libraries (DLL) for application and their dependencies too, require explicit call to FreeLibrary if you called LoadLibrary on your own https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-freelibrary So the shortcoming from the RTL management from not reference counting the libraries from the manual load, i think it is a bless and prevent many hidden bugs and memory leaks, in other words you load it, you unload it.

A question may me a little off topic Did anyone tried https://www.nsoftware.com/pkiproxy ?

Me too like Angus, don't see this as thing from the past, on contrary i think it is the future and the only way forward with all new security measures the world need now. PKCS#12/pfx is highly customizable format, securely design and very extendable, it can encapsulate PKCS#7 and PKCS#8 and most (usable part) of PKCS#5, as example PKCS#12 can hold a certificate/token to decrypt another PKCS#12, in my opinion this what should have been done with Code Signing Certificates, the issuer should have issued i hardware token for the client that passed their verification, then after that issued the certificate in PKCS#12 (as simple file) to be decrypted by that hardware key, that is way easier to use the encrypted certificate that can be handled in all your infrastructure safely, also there can be multiple token to decrypt the same certificate, also another important thing i see gaining necessity, the need to cross singing but more than one certificate, PKCS#12 allow that, also something like two people have to use their hardware security card to allow the singing, and all in standardized and vetted procedure.

That is SEH, a normal SEH, has nothing to do with SafeSEH from Windows OS. The resources about it are scarce but here a pointer https://stackoverflow.com/questions/25081033/what-safesehno-option-actually-do For SafeSEH you need the compiler and the linker to jointly produce Windows SafeSEH compliant structure. This will not help too, it will only make the OS more aggressive against your application with near zero tolerance for page faults. Code Flow Guard (CFG) is very similar to SafeSEH from https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exploit-protection-reference?view=o365-worldwide#control-flow-guard-cfg Hope that clear things.

To my knowledge, Delphi compiler doesn't support both, both are specific structures and code snippets generated by the compiler to help Windows OS, where the compiler must add specific structures/procedures in the code (and data/heap/stack) in very specific way to help the OS monitor intrusions or malicious interventions But i can be mistaken and Delphi compiler is already doing that, (highly unlikely!)