
Author Topic: Heads Up about Bug in DCPCrypt Library  (Read 931 times)

Xor-el

Heads Up about Bug in DCPCrypt Library
« on: December 16, 2019, 11:21:15 am »
Hi all,
While poking around the DCPCrypt library, I encountered a bug and decided to make you all aware of it.
This bug affects MD5, SHA1 and SHA256 when performing Hashes of Byte Arrays of up to 1GB in size and above.

Below is a simple console program that reproduces this bug.

Code: Pascal

program HashingBug;

uses
  SysUtils,
  DCPmd5,
  DCPsha1,
  DCPsha256;

var
  bytes: TBytes;
  OutputMD5: array[0..15] of byte;
  OutputSHA1: array[0..19] of byte;
  OutputSHA256: array[0..31] of byte;
  HashMD5: TDCP_MD5;
  HashSHA1: TDCP_SHA1;
  HashSHA256: TDCP_SHA256;
  Result: string;
  Idx: Int32;
begin
  System.SetLength(bytes, 1024 * 1024 * 1024); // 1 GB Byte Array filled with Zeros
  FillChar(OutputMD5, SizeOf(OutputMD5), 0);
  FillChar(OutputSHA1, SizeOf(OutputSHA1), 0);
  FillChar(OutputSHA256, SizeOf(OutputSHA256), 0);
  WriteLn('Performing Hash Operation');

  HashMD5 := TDCP_MD5.Create(nil);
  HashMD5.Init;
  HashMD5.Update(bytes[0], System.Length(bytes));
  HashMD5.Final(OutputMD5);

  Result := '';
  for Idx := Low(OutputMD5) to High(OutputMD5) do
    Result := Result + IntToHex(OutputMD5[Idx], 2);

  WriteLn(Format('Expected "%s" As MD5 Hash of Zero Filled 1GB Dummy Byte Array But Got "%s"',
    ['CD573CFAACE07E7949BC0C46028904FF', Result]));

  HashSHA1 := TDCP_SHA1.Create(nil);
  HashSHA1.Init;
  HashSHA1.Update(bytes[0], System.Length(bytes));
  HashSHA1.Final(OutputSHA1);

  Result := '';
  for Idx := Low(OutputSHA1) to High(OutputSHA1) do
    Result := Result + IntToHex(OutputSHA1[Idx], 2);

  WriteLn(Format('Expected "%s" As SHA1 Hash of Zero Filled 1GB Dummy Byte Array But Got "%s"',
    ['2A492F15396A6768BCBCA016993F4B4C8B0B5307', Result]));

  HashSHA256 := TDCP_SHA256.Create(nil);
  HashSHA256.Init;
  HashSHA256.Update(bytes[0], System.Length(bytes));
  HashSHA256.Final(OutputSHA256);

  Result := '';
  for Idx := Low(OutputSHA256) to High(OutputSHA256) do
    Result := Result + IntToHex(OutputSHA256[Idx], 2);

  WriteLn(Format(
    'Expected "%s" As SHA256 Hash of Zero Filled 1GB Dummy Byte Array But Got "%s"',
    ['49BC20DF15E412A64472421E13FE86FF1C5165E18B2AFCCF160D4DC19FE68A14', Result]));

  WriteLn('Finish');

  ReadLn();
end.

While looking around, I discovered that this bug has been reported here https://bugs.freepascal.org/view.php?id=31934 and here https://bugs.freepascal.org/view.php?id=33853, but unfortunately no fix or feedback was provided.

Maybe the current maintainer of this package can take a look at it?  :)
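
A way to cross-check the expected values quoted above, and the output of any hash library on large inputs, against an independent implementation. This is an added example, not part of the original post or of DCPCrypt; it uses Python's hashlib and streams the zero-filled input in 1 MiB chunks so the 1 GB buffer is never allocated. The function names and the sample "reported" digest are assumptions of this example.

```python
import hashlib

ALGOS = ("md5", "sha1", "sha256")
CHUNK = 1 << 20  # feed 1 MiB at a time instead of allocating the whole buffer


def reference_digests(size, algos=ALGOS):
    """Uppercase hex digests of `size` zero bytes, computed by streaming."""
    hashers = {name: hashlib.new(name) for name in algos}
    block = bytes(CHUNK)
    remaining = size
    while remaining > 0:
        part = block if remaining >= CHUNK else block[:remaining]
        for h in hashers.values():
            h.update(part)
        remaining -= len(part)
    return {name: h.hexdigest().upper() for name, h in hashers.items()}


def mismatches(size, reported):
    """Algorithms whose reported digest differs from the reference digest."""
    ref = reference_digests(size, tuple(reported))
    return sorted(n for n, d in reported.items() if d.strip().upper() != ref[n])


# "Expected" values quoted in the post for a zero-filled 1 GB (2**30 byte) array.
POST_EXPECTED = {
    "md5": "CD573CFAACE07E7949BC0C46028904FF",
    "sha1": "2A492F15396A6768BCBCA016993F4B4C8B0B5307",
    "sha256": "49BC20DF15E412A64472421E13FE86FF1C5165E18B2AFCCF160D4DC19FE68A14",
}

if __name__ == "__main__":
    one_gb = 1 << 30
    bad = mismatches(one_gb, POST_EXPECTED)
    print("post's expected values vs hashlib:", bad or "all match")

    # Constructed sample standing in for the digests printed by the library
    # under test; replace it with the real "But Got" values from your run.
    reported = {"md5": "00" * 16}
    print("library under test disagrees on:", mismatches(one_gb, reported))

    # Reference values around the size named in the post, to help locate the
    # input length at which a library's results start to diverge.
    for size in (one_gb - 1, one_gb, one_gb + 1):
        print(size, reference_digests(size, ("md5",))["md5"])
```

Running the same comparison at several sizes in a regression test catches a length-dependent defect like this one before wrong digests reach stored checksums or signatures.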

Thaddy

Re: Heads Up about Bug in DCPCrypt Library
« Reply #1 on: December 16, 2019, 11:29:20 am »
There is no maintainer (afaik): it was a once-off straight Delphi translation.
(Actually, it should be removed)
Also related to equus asinus.

MarkMLl

Re: Heads Up about Bug in DCPCrypt Library
« Reply #2 on: December 16, 2019, 11:39:45 am »
[Shudder] I've used that set of units for hashes but wouldn't know where to start maintaining it.

Is there any easy way of implementing a (Lazarus etc.) lookup, such that a unit or procedure could be reported as problematic if there were reported bugs against it which hadn't been identified as spurious by an administrator?

MarkML
Turbo Pascal v1 on CCP/M-86, multitasking with LAN and graphics in 128Kb.
Pet hate: people who boast about the size and sophistication of their computer.

Xor-el

Re: Heads Up about Bug in DCPCrypt Library
« Reply #3 on: December 16, 2019, 03:19:54 pm »
> There is no maintainer (afaik): it was a once-off straight Delphi translation.
> (Actually, it should be removed)

I agree that it should be removed (or at least clearly indicated to be buggy) if it can't be fixed because this will give people wrong results which will cause incompatibilities.

Xor-el

Re: Heads Up about Bug in DCPCrypt Library
« Reply #4 on: December 16, 2019, 03:24:37 pm »
> [Shudder] I've used that set of units for hashes but wouldn't know where to start maintaining it.
>
> MarkML

I guess you can start by familiarising yourself with the codebase.


Bart

Re: Heads Up about Bug in DCPCrypt Library
« Reply #5 on: December 16, 2019, 03:30:58 pm »
The wiki page says that Graeme Geldenhuys is the current maintainer.

Bart

Xor-el

Re: Heads Up about Bug in DCPCrypt Library
« Reply #6 on: December 16, 2019, 03:32:14 pm »
> Is there any easy way of implementing a (Lazarus etc.) lookup, such that a unit or procedure could be reported as problematic if there were reported bugs against it which hadn't been identified as spurious by an administrator?
>
> MarkML

I don't really know unfortunately.