Author Topic: Heads Up about Bug in DCPCrypt Library  (Read 2833 times)

Xor-el

Heads Up about Bug in DCPCrypt Library
« on: December 16, 2019, 11:21:15 am »
Hi all,
While poking around DCPCrypt Library, I encountered a bug and decided to make you all aware of it.
This bug affects MD5, SHA1 and SHA256 when performing Hashes of Byte Arrays of up to 1GB in size and above.

Below is a simple console program that reproduces this bug.

Code: Pascal

program HashingBug;

uses
  SysUtils,
  DCPmd5,
  DCPsha1,
  DCPsha256;

var
  bytes: TBytes;
  OutputMD5: array[0..15] of byte;
  OutputSHA1: array[0..19] of byte;
  OutputSHA256: array[0..31] of byte;
  HashMD5: TDCP_MD5;
  HashSHA1: TDCP_SHA1;
  HashSHA256: TDCP_SHA256;
  Result: string;
  Idx: Int32;
begin
  System.SetLength(bytes, 1024 * 1024 * 1024); // 1 GB Byte Array filled with Zeros
  FillChar(OutputMD5, SizeOf(OutputMD5), 0);
  FillChar(OutputSHA1, SizeOf(OutputSHA1), 0);
  FillChar(OutputSHA256, SizeOf(OutputSHA256), 0);
  WriteLn('Performing Hash Operation');

  HashMD5 := TDCP_MD5.Create(nil);
  HashMD5.Init;
  HashMD5.Update(bytes[0], System.Length(bytes));
  HashMD5.Final(OutputMD5);

  Result := '';
  for Idx := Low(OutputMD5) to High(OutputMD5) do
    Result := Result + IntToHex(OutputMD5[Idx], 2);

  WriteLn(Format('Expected "%s" As MD5 Hash of Zero Filled 1GB Dummy Byte Array But Got "%s"',
    ['CD573CFAACE07E7949BC0C46028904FF', Result]));

  HashSHA1 := TDCP_SHA1.Create(nil);
  HashSHA1.Init;
  HashSHA1.Update(bytes[0], System.Length(bytes));
  HashSHA1.Final(OutputSHA1);

  Result := '';
  for Idx := Low(OutputSHA1) to High(OutputSHA1) do
    Result := Result + IntToHex(OutputSHA1[Idx], 2);

  WriteLn(Format('Expected "%s" As SHA1 Hash of Zero Filled 1GB Dummy Byte Array But Got "%s"',
    ['2A492F15396A6768BCBCA016993F4B4C8B0B5307', Result]));

  HashSHA256 := TDCP_SHA256.Create(nil);
  HashSHA256.Init;
  HashSHA256.Update(bytes[0], System.Length(bytes));
  HashSHA256.Final(OutputSHA256);

  Result := '';
  for Idx := Low(OutputSHA256) to High(OutputSHA256) do
    Result := Result + IntToHex(OutputSHA256[Idx], 2);

  WriteLn(Format(
    'Expected "%s" As SHA256 Hash of Zero Filled 1GB Dummy Byte Array But Got "%s"',
    ['49BC20DF15E412A64472421E13FE86FF1C5165E18B2AFCCF160D4DC19FE68A14', Result]));

  WriteLn('Finish');

  ReadLn();
end.

While looking around, I discovered that this bug has been reported here https://bugs.freepascal.org/view.php?id=31934 and here https://bugs.freepascal.org/view.php?id=33853 but unfortunately no fix or feedback was provided.

Maybe the current maintainer of this package can take a look at it? :)
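
An independent cross-check for the expected digests quoted in the post above, as an added example that is not part of the thread or of DCPCrypt: it streams zero bytes through Python's `hashlib` in fixed-size chunks, so no single update call receives the whole buffer, and reports which algorithms a library's output disagrees on. The function names are assumptions made for this example; the 1 GiB values are the ones quoted in the post.

```python
import hashlib

ALGOS = ("md5", "sha1", "sha256")

# Expected digests for a zero-filled 1 GiB buffer, copied from the post above.
PAGE_SIZE = 1024 * 1024 * 1024
PAGE_EXPECTED = {
    "md5": "CD573CFAACE07E7949BC0C46028904FF",
    "sha1": "2A492F15396A6768BCBCA016993F4B4C8B0B5307",
    "sha256": "49BC20DF15E412A64472421E13FE86FF1C5165E18B2AFCCF160D4DC19FE68A14",
}


def reference_digests(size, chunk=1 << 20):
    """Hash `size` zero bytes, feeding at most `chunk` bytes per update()."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    block = bytes(chunk)  # zero-filled block reused for every update
    remaining = size
    while remaining > 0:
        piece = block if remaining >= chunk else block[:remaining]
        for h in hashers.values():
            h.update(piece)
        remaining -= len(piece)
    return {name: h.hexdigest().upper() for name, h in hashers.items()}


def mismatches(reported, size, chunk=1 << 20):
    """Return the algorithms whose reported hex digest differs from the reference.

    `reported` maps algorithm name to the hex digest printed by the library
    under test; a missing entry counts as a mismatch.
    """
    ref = reference_digests(size, chunk)
    return sorted(
        name for name in ALGOS
        if reported.get(name, "").strip().upper() != ref[name]
    )


if __name__ == "__main__":
    # Hashing 1 GiB with three algorithms takes a few seconds.
    bad = mismatches(PAGE_EXPECTED, PAGE_SIZE)
    print("page values confirmed" if not bad else f"disagree on: {bad}")
```

Running the same comparison at several sizes below and above the failing one, with the library's printed digests passed as `reported`, shows where its output first diverges from the reference.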

Thaddy

Re: Heads Up about Bug in DCPCrypt Library
« Reply #1 on: December 16, 2019, 11:29:20 am »
There is no maintainer (afaik): it was a one-off straight Delphi translation.
(Actually, it should be removed)
Specialize a type, not a var.

MarkMLl

Re: Heads Up about Bug in DCPCrypt Library
« Reply #2 on: December 16, 2019, 11:39:45 am »
[Shudder] I've used that set of units for hashes but wouldn't know where to start maintaining it.

Is there any easy way of implementing a (Lazarus etc.) lookup, such that a unit or procedure could be reported as problematic if there were reported bugs against it which hadn't been identified as spurious by an administrator?

MarkML
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories

Xor-el

Re: Heads Up about Bug in DCPCrypt Library
« Reply #3 on: December 16, 2019, 03:19:54 pm »
> There is no maintainer (afaik): it was a one-off straight Delphi translation.
> (Actually, it should be removed)

I agree that it should be removed (or at least clearly indicated to be buggy) if it can't be fixed because this will give people wrong results which will cause incompatibilities.

Xor-el

Re: Heads Up about Bug in DCPCrypt Library
« Reply #4 on: December 16, 2019, 03:24:37 pm »
> [Shudder] I've used that set of units for hashes but wouldn't know where to start maintaining it.
>
> MarkML

I guess you can start by familiarising yourself with the codebase.


Bart

Re: Heads Up about Bug in DCPCrypt Library
« Reply #5 on: December 16, 2019, 03:30:58 pm »
The wiki page says that Graeme Geldenhuys is the current maintainer.

Bart

Xor-el

Re: Heads Up about Bug in DCPCrypt Library
« Reply #6 on: December 16, 2019, 03:32:14 pm »
> Is there any easy way of implementing a (Lazarus etc.) lookup, such that a unit or procedure could be reported as problematic if there were reported bugs against it which hadn't been identified as spurious by an administrator?
>
> MarkML

I don't really know unfortunately.

 
