Jump to content

TurboMagic

Members
 View Profile  See their activity

  • Content Count

    255

  • Joined

  • Last visited

  • Days Won

    9

Posts posted by TurboMagic

  3. Posted

    Another small info: I implemented your PBKDF2 implementation along with the unit tests meanwhile.

     

    I also toy with the idea to create a new descendend class from TDECHashBase where I move all KDF, MGF, HMAC and
    PBKDF2 implementations into and all other classes inherit from that one. That might introduce a new unit to keep the
    individual parts a bit shorter.

  4. Posted

    16 minutes ago, Kas Ob. said:

    @TurboMagic I want to point few things i don't like in the library and i am sorry asking you to look into them and not doing myself.

    1) the over use of ProtectBuffer , it been called form both TDECHash.Destroy and TDECHash.Done , this is waste of time, i am not a fan of creating false sense of security by using such not useful defense, see if an attacker is watching and reading the memory then he easily could slow the CPU for that process 200 times (if needed) and grab any changes along the way, yet even better if he is the controlling the PC and can read the memory of any process then he already owned it, right ?
    So my suggestion either remove that protect buffer from both and introduce a new procedure for secure erase that will call ProtectBuffer (overwrite the buffer, digest, counter..)

     

    2) TDECHash.Done is calling ReallocMemory(FBuffer,0) , this also unneeded leave it there, no point of removing the buffer on Done call, if the user is using TDECHash wrong then this is will not help or secure anything.

    3) We have this for Init

    FBuffer should be allocated within the Algorithm itself (the child) or you can make it as : allocate if not allocated and make sure to initialize it to nil in the constructor.

    While coding I didn't see you already answered. As I'm finishing coding for now I made a note about your suggestion of a modified HMAC implementation which doesn't trigger overflows. And yes, turning of the checks should always be a last ressort!
    That's why I was asking.

     

    About your protect buffer points:
    I did sort of inherit this DEC library and thought it's too good to let it die, but I'm no really expert in these things.
    I learned quite a few things along already though.

     

    I will look at removing those, you might be right. I just didn't want to remove something not causing me real trouble from an inherited library
    when I don't completely understand the implications/effects this creates.

    That's also the thing with ReallocMemory. I never really understood its purpose and when I asked a few months ago in German DP because of some
    C++ Builder compatibility issues I didn't get really useful pointers why this might be used here. I only got some vague C++ Builder compatibility
    information as answers. So I left as is. But we can remove this as well.

     

    Just clearing the memory somehow at some point might reduce attack surface a bit. Yes, if the attacker can slow down that process well enough to
    be able to have enough time to read out memory while it runs that protection will not help. It  just helps not having possibly sensible information
    lying around for longer than necessary.

    • Thanks 1

  5. Posted

    I get a crash when implementing HMAC unit tests for your other test vectors!

    When performing the first test (using MD5) for long key/data test vectors from https://tools.ietf.org/html/rfc2202

    I get a crash ERangeError on the first assignment in this part of the HMAC method:

      

        while I <= KeyLength - SizeOf(NativeUInt) do
    begin
      PNativeUInt(@InnerKeyPad[I])^ := PNativeUInt(@Result[I])^ xor CONST_UINT_OF_0x36;
      PNativeUInt(@OuterKeyPad[I])^ := PNativeUInt(@Result[I])^ xor CONST_UINT_OF_0x5C;
      Inc(I, SizeOf(NativeUInt));
    end;

    The right hand side of the first assignment results, according to the debugger in this: 3906369333279686841

    Size of native UInt in Win32 is 4 byte thus maximum number is this: 4294967296.

     

    Turning off range/index/ E/A compiler checking would fix this, but is this a good idea?
    If so I'd do this locally in the method.

     

    What's your opinion?

     

  8. Posted

    On 1/20/2021 at 5:36 PM, Kas Ob. said:

    The tests are just samples, and for the name mentioning, it doesn't worth it, as i think you might want to implement class for it or something.

    I just implemented your HMAC code. It is in the development branch now. Unit tests still need to follow.

    If you look at my solution you can see how I was able to spare the hash class parameter...

  9. Posted

    Hello,
     

    thanks for this implementation and your effort doing it!
    I have saved the stuff locally so I will include, this as soon as time permits, into the development branch in some form.
    I need to look at this HMAC stuff myself first (today I've got lack of time) and then decide where to put it.

    Your test will have to be changed into a DUnit test.

    And I would put your name Kas Ob. into the list of contributors contained in the project if you don't object.

     

    Thanks

    TurboMagic

    • Thanks 1

  10. Posted

    On 10/21/2020 at 7:13 PM, Kas Ob. said:

    DEC library will not work, as that script uses Rfc2898DeriveBytes https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.rfc2898derivebytes?view=netcore-3.1

    So you need PBKDF2 with HMACSHA1, both i believe supported and available in mOrMot library as Kryvich suggested.

    Not sure, but the hash classes support KDF2. After fixing bugs even KDF1 and 3.

  14. Posted

    Hello,

     

    here's a small Christmas present for you:

    There is a new release 6.0 of DEC - Delphi Encryption Compendium available,

    or put otherwise: DEC is back on track! 😉

     

    The release can be found here:


    inlink.gifhttps://github.com/MHumm/DelphiEncry...eases/tag/V6.0

     

    What is DEC?

    DEC is the Delphi Encryption Compendium open source library,

    a library containing cryptographic algorithms of the following categories:

     

    • hash algorithms
    • encryption algorithms
    • key deviation functions
    • CRC
    • cryptographic pseudo random number generator
    • format conversion classes

    What's new in V6.0 compared with the 5 year old V5.2 release?

    A complete list can be found in the last chapter of the included documentation.

     

    • Supports D2009 - 10.4.1 Sydney
    • Cross platform compatible if you turn off use of ASM in DECOptions.inc
    • the hard to understand test program got reworked into unit tests
    • test coverage got increased
    • some bugfixes, like fixing the XTEA encryption algorithm or the included KDF2 turned
      out to be KDF1 instead
    • implementation of the newest Whirlpool hash algorithm version
    • implementation of KDF1, KDF2 and KDF3 key deviation algorithms
    • changed unit structure to be more modular and better maintainable
    • added some demo applications. The two FMX based ones are even available
      from Google Play (stemming from an earlier commit)
    • added a 40+ A4 sized pages documentation
    • most methods contain XMLDOC comments now

     

    So is it all over now, or are there plans for the future?

    Of course I know that this release didn't bring much new algorithms.
    But as far as my time allowes development shall continue (further project members are welcome!)
    I do have some plans for V6.1:

    • Add the SHA224 hash, this is still missing
    • Add SHA3
    • Add GCM block chaining mode for ciphers
    • Add a first pasword hash algorithm, most likely bcrypt

     

    So much for today 😉

    Cheers
    TurboMagic

    • Like 3
    • Thanks 5

  16. Posted

    I added unit tests for usage with objects now, testing the OwnsObjects semantics. After fixing a bug in destructor, where I tried to free one object too much (which even got the IDE into trouble)
    it seems to work as it should.

     

    But: I have a memory leak problem with two of the unit tests which I don't know how to fix.

    These are unit tests testing exceptions and the program flow doesn't seem to get to the point in the test method after the exception has been raised.

    So the code I put there for cleaning up seems not to be run.

     

    The circular buffer doesn't free the objects in such an exception case either.

    I thought that the user wouldn't expect me to do this. Or would a user expect me freeing

    objects the user tried to add but couldn't because the buffer is full and my implementation has no "overwrite the oldest items in such a case" semantics?

    (if I would be thinking about adding this I'd make it configurable)

  19. Posted

    11 minutes ago, Fr0sT.Brutal said:

    Why do you need Socket.MessagePump at all?

    I know that it would be better to not use it. It often works, but just not always.

    In my case the routine running this shall already return the list of the search so after the code fragment shown in my post above,
    which is in a loop going through all interfaces determined as plausible ones, I have a waiting loop so received answers which are
    noted in some list have time to arrive. It's just to find out if a device answers to this request so it is present and to get it's IP.

  20. Posted · Edited by TurboMagic

    In order to obtain the list of interfaces I loop through I use IcsGetInterfaceList.

    This returns 3 interfaces to me: 127.0.0.1 (loopback), which I skip, 10.149.x.y (x and y have valid numbers)
    which is the IP of that VM I'm running in and the last one is 0.0.0.0.

     

    This is my code: 

    Socket := TWSocket.Create(nil);

Socket.Proto           := 'UDP';
Socket.Addr            := '255.255.255.255';
Socket.Port            := '1234';
Socket.LineMode        := false;
Socket.OnDataAvailable := OnUDPDataAvailable;

Addr.S_addr := IfList[i]^.iiAddress.AddressIn.sin_addr.S_addr;
Socket.LocalAddr       := string(WSocket_inet_ntoa(Addr));
Socket.LocalPort       := '0';

Socket.Connect;

Socket.MessagePump;
Socket.SendLine('Hallo?');

    OnUDPDataAvailable is declared as method like this:

     

    procedure TMyClass.OnUDPDataAvailable(Sender: TObject; ErrCode: Word);

  22. Posted

    Hello,

     

    in my project I ue ICS V8.62 in Delphi 10.3.3 to detect some devices on the network per UDP.

    Sometimes my routine works as expected and sometimes it crashes.

     

    When it crashes it happens on a call to Socket.MessagePump and inside that one
    on the call to Application.ProcessMessages.

     

    My code is inside an Button click handler and it immediately crashes when pressing F7 in
    the debugger on Application.ProcessMessages. Since it's a VCL app unit forms is used.

     

    Application is assigned.
    My socket is a plain TWSocket, Proto is 'UDP' and local IP is set to one of the interfaces the computer
    has to search on that one and LocalPort is 0.

     

    I call Socket.Connect and then immediately Socket.MessagePump where it crashes in.

     

    Anybody any clue?

  23. Posted

    One issue with this is, that there didn't ask enough people about this yet. That's at least what SmartBear the company behind TestComplete told me.

    Why don't all users liking to have such a thing ask all these vendors about it to show there's demand?

    I'd start with TestComplete and with Ranorex, which even belongs to Idera but can only do VCL so far, as far as I know.

×