TurboMagic

Another small info: I implemented your PBKDF2 implementation along with the unit tests meanwhile. I also toy with the idea to create a new descendend class from TDECHashBase where I move all KDF, MGF, HMAC and PBKDF2 implementations into and all other classes inherit from that one. That might introduce a new unit to keep the individual parts a bit shorter.

While coding I didn't see you already answered. As I'm finishing coding for now I made a note about your suggestion of a modified HMAC implementation which doesn't trigger overflows. And yes, turning of the checks should always be a last ressort! That's why I was asking. About your protect buffer points: I did sort of inherit this DEC library and thought it's too good to let it die, but I'm no really expert in these things. I learned quite a few things along already though. I will look at removing those, you might be right. I just didn't want to remove something not causing me real trouble from an inherited library when I don't completely understand the implications/effects this creates. That's also the thing with ReallocMemory. I never really understood its purpose and when I asked a few months ago in German DP because of some C++ Builder compatibility issues I didn't get really useful pointers why this might be used here. I only got some vague C++ Builder compatibility information as answers. So I left as is. But we can remove this as well. Just clearing the memory somehow at some point might reduce attack surface a bit. Yes, if the attacker can slow down that process well enough to be able to have enough time to read out memory while it runs that protection will not help. It just helps not having possibly sensible information lying around for longer than necessary.

I get a crash when implementing HMAC unit tests for your other test vectors! When performing the first test (using MD5) for long key/data test vectors from https://tools.ietf.org/html/rfc2202 I get a crash ERangeError on the first assignment in this part of the HMAC method: while I <= KeyLength - SizeOf(NativeUInt) do begin PNativeUInt(@InnerKeyPad[I])^ := PNativeUInt(@Result[I])^ xor CONST_UINT_OF_0x36; PNativeUInt(@OuterKeyPad[I])^ := PNativeUInt(@Result[I])^ xor CONST_UINT_OF_0x5C; Inc(I, SizeOf(NativeUInt)); end; The right hand side of the first assignment results, according to the debugger in this: 3906369333279686841 Size of native UInt in Win32 is 4 byte thus maximum number is this: 4294967296. Turning off range/index/ E/A compiler checking would fix this, but is this a good idea? If so I'd do this locally in the method. What's your opinion?

I implemented first unit tests for the HMAC implementation you contributed the basis for now and set the array length of the two internal arrays dynamically now. It's in the development branch. Further unit tests and implementation of your other code donation later.

Thanks for sharing this, but I don't see what this provides compared to what the other mentioned solutions here already provide.

I just implemented your HMAC code. It is in the development branch now. Unit tests still need to follow. If you look at my solution you can see how I was able to spare the hash class parameter...

Hello, thanks for this implementation and your effort doing it! I have saved the stuff locally so I will include, this as soon as time permits, into the development branch in some form. I need to look at this HMAC stuff myself first (today I've got lack of time) and then decide where to put it. Your test will have to be changed into a DUnit test. And I would put your name Kas Ob. into the list of contributors contained in the project if you don't object. Thanks TurboMagic

Not sure, but the hash classes support KDF2. After fixing bugs even KDF1 and 3.

Another solution would be DEC: Delphi Encryption Compendium. Freely available in GitHub. https://github.com/MHumm/DelphiEncryptionCompendium Two FMX based demos are even in Google Play: DEC Cipher Demo and DEC Hash Demo. A Lite version containing the hashes only is in GetIt now as well. EMBT doesn't want Crypto there due to export rules...

Hello, here's a small Christmas present for you: There is a new release 6.0 of DEC - Delphi Encryption Compendium available, or put otherwise: DEC is back on track! 😉 The release can be found here: https://github.com/MHumm/DelphiEncry...eases/tag/V6.0 What is DEC? DEC is the Delphi Encryption Compendium open source library, a library containing cryptographic algorithms of the following categories: hash algorithms encryption algorithms key deviation functions CRC cryptographic pseudo random number generator format conversion classes What's new in V6.0 compared with the 5 year old V5.2 release? A complete list can be found in the last chapter of the included documentation. Supports D2009 - 10.4.1 Sydney Cross platform compatible if you turn off use of ASM in DECOptions.inc the hard to understand test program got reworked into unit tests test coverage got increased some bugfixes, like fixing the XTEA encryption algorithm or the included KDF2 turned out to be KDF1 instead implementation of the newest Whirlpool hash algorithm version implementation of KDF1, KDF2 and KDF3 key deviation algorithms changed unit structure to be more modular and better maintainable added some demo applications. The two FMX based ones are even available from Google Play (stemming from an earlier commit) added a 40+ A4 sized pages documentation most methods contain XMLDOC comments now So is it all over now, or are there plans for the future? Of course I know that this release didn't bring much new algorithms. But as far as my time allowes development shall continue (further project members are welcome!) I do have some plans for V6.1: Add the SHA224 hash, this is still missing Add SHA3 Add GCM block chaining mode for ciphers Add a first pasword hash algorithm, most likely bcrypt So much for today 😉 Cheers TurboMagic

By the way: a lite version of it is available via GetIt meanwhile. What's lite? The ciphers had to be removed due to export control regulations EMBT didn't want to mess around with... It contains all the rest: the hashes, CRCs, formattings and the random number generator

Sorry, no CPU acceleration yet. On x86 and at least in parts on x64 you can enable use of ASM for some of those which is notably faster than a Delphi only implementation.

So have you looked at my newest commit? Did you find any failure in it? I'm asking because I'm tempted to "do a release"...

I added unit tests for usage with objects now, testing the OwnsObjects semantics. After fixing a bug in destructor, where I tried to free one object too much (which even got the IDE into trouble) it seems to work as it should. But: I have a memory leak problem with two of the unit tests which I don't know how to fix. These are unit tests testing exceptions and the program flow doesn't seem to get to the point in the test method after the exception has been raised. So the code I put there for cleaning up seems not to be run. The circular buffer doesn't free the objects in such an exception case either. I thought that the user wouldn't expect me to do this. Or would a user expect me freeing objects the user tried to add but couldn't because the buffer is full and my implementation has no "overwrite the oldest items in such a case" semantics? (if I would be thinking about adding this I'd make it configurable)

Hello, in my project I ue ICS V8.62 in Delphi 10.3.3 to detect some devices on the network per UDP. Sometimes my routine works as expected and sometimes it crashes. When it crashes it happens on a call to Socket.MessagePump and inside that one on the call to Application.ProcessMessages. My code is inside an Button click handler and it immediately crashes when pressing F7 in the debugger on Application.ProcessMessages. Since it's a VCL app unit forms is used. Application is assigned. My socket is a plain TWSocket, Proto is 'UDP' and local IP is set to one of the interfaces the computer has to search on that one and LocalPort is 0. I call Socket.Connect and then immediately Socket.MessagePump where it crashes in. Anybody any clue?

Ok, now I better understand. Have to find the time to properly refactor this code. Thanks so far.

Is there really such an OnSessionConnected event on a connection less UDP socket? Remember: I'm using UDP here.

I know that it would be better to not use it. It often works, but just not always. In my case the routine running this shall already return the list of the search so after the code fragment shown in my post above, which is in a loop going through all interfaces determined as plausible ones, I have a waiting loop so received answers which are noted in some list have time to arrive. It's just to find out if a device answers to this request so it is present and to get it's IP.

In order to obtain the list of interfaces I loop through I use IcsGetInterfaceList. This returns 3 interfaces to me: 127.0.0.1 (loopback), which I skip, 10.149.x.y (x and y have valid numbers) which is the IP of that VM I'm running in and the last one is 0.0.0.0. This is my code: Socket := TWSocket.Create(nil); Socket.Proto := 'UDP'; Socket.Addr := '255.255.255.255'; Socket.Port := '1234'; Socket.LineMode := false; Socket.OnDataAvailable := OnUDPDataAvailable; Addr.S_addr := IfList[i]^.iiAddress.AddressIn.sin_addr.S_addr; Socket.LocalAddr := string(WSocket_inet_ntoa(Addr)); Socket.LocalPort := '0'; Socket.Connect; Socket.MessagePump; Socket.SendLine('Hallo?'); OnUDPDataAvailable is declared as method like this: procedure TMyClass.OnUDPDataAvailable(Sender: TObject; ErrCode: Word);

I do set the interface because it is a broadcast to 255.255.255.255 and I want it to go out to all interfaces. But: would that be really connected to the MessagePump crash in Application.ProcessMessages?

One issue with this is, that there didn't ask enough people about this yet. That's at least what SmartBear the company behind TestComplete told me. Why don't all users liking to have such a thing ask all these vendors about it to show there's demand? I'd start with TestComplete and with Ranorex, which even belongs to Idera but can only do VCL so far, as far as I know.

Oh and to help your decision what to do: participate in this nice project! Look at missing algorithms and how to implement them so they fit to the architecture or create some more unit tests and turn them in... There's a lot you can do to help! 😉

Confident now? Remember: this is an open source project so could have implemented the proposed addition of readme.md yourself and either turned it in as issue or created a pull request. Another possible answer would have been: look at the source Luke! 😉

Hello, ICS is now moving to those SSL named classes, which is fine. The question now is: in order to have a FTP client not using SSL is it enough to set the SSLType of the client component to "none"? Best regards TurboMagic

You know that arrays can be concatenated with + since XE7? And delete etc. is available for them as well!