Lazarus

Programming => Packages and Libraries => Topic started by: Xor-el on December 16, 2019, 11:21:15 am

Title: Heads Up about Bug in DCPCrypt Library
Post by: Xor-el on December 16, 2019, 11:21:15 am
Hi all,
While poking around the DCPCrypt Library, I encountered a bug and decided to make you all aware of it.
This bug affects MD5, SHA1 and SHA256 when performing Hashes of Byte Arrays of up to 1GB in size and above.

Below is a simple console program that reproduces this bug.

Code: Pascal
program HashingBug;

uses
  SysUtils,
  DCPmd5,
  DCPsha1,
  DCPsha256;

var
  bytes: TBytes;
  OutputMD5: array[0..15] of byte;
  OutputSHA1: array[0..19] of byte;
  OutputSHA256: array[0..31] of byte;
  HashMD5: TDCP_MD5;
  HashSHA1: TDCP_SHA1;
  HashSHA256: TDCP_SHA256;
  Result: string;
  Idx: Int32;
begin
  System.SetLength(bytes, 1024 * 1024 * 1024); // 1 GB Byte Array filled with Zeros
  FillChar(OutputMD5, SizeOf(OutputMD5), 0);
  FillChar(OutputSHA1, SizeOf(OutputSHA1), 0);
  FillChar(OutputSHA256, SizeOf(OutputSHA256), 0);
  WriteLn('Performing Hash Operation');

  // MD5: the whole 1 GB buffer is passed to a single Update call
  HashMD5 := TDCP_MD5.Create(nil);
  HashMD5.Init;
  HashMD5.Update(bytes[0], System.Length(bytes));
  HashMD5.Final(OutputMD5);
  HashMD5.Free;

  Result := '';
  for Idx := Low(OutputMD5) to High(OutputMD5) do
    Result := Result + IntToHex(OutputMD5[Idx], 2);

  WriteLn(Format('Expected "%s" As MD5 Hash of Zero Filled 1GB Dummy Byte Array But Got "%s"',
    ['CD573CFAACE07E7949BC0C46028904FF', Result]));

  // SHA1: same buffer, same single Update call
  HashSHA1 := TDCP_SHA1.Create(nil);
  HashSHA1.Init;
  HashSHA1.Update(bytes[0], System.Length(bytes));
  HashSHA1.Final(OutputSHA1);
  HashSHA1.Free;

  Result := '';
  for Idx := Low(OutputSHA1) to High(OutputSHA1) do
    Result := Result + IntToHex(OutputSHA1[Idx], 2);

  WriteLn(Format('Expected "%s" As SHA1 Hash of Zero Filled 1GB Dummy Byte Array But Got "%s"',
    ['2A492F15396A6768BCBCA016993F4B4C8B0B5307', Result]));

  // SHA256: same buffer, same single Update call
  HashSHA256 := TDCP_SHA256.Create(nil);
  HashSHA256.Init;
  HashSHA256.Update(bytes[0], System.Length(bytes));
  HashSHA256.Final(OutputSHA256);
  HashSHA256.Free;

  Result := '';
  for Idx := Low(OutputSHA256) to High(OutputSHA256) do
    Result := Result + IntToHex(OutputSHA256[Idx], 2);

  WriteLn(Format(
    'Expected "%s" As SHA256 Hash of Zero Filled 1GB Dummy Byte Array But Got "%s"',
    ['49BC20DF15E412A64472421E13FE86FF1C5165E18B2AFCCF160D4DC19FE68A14', Result]));

  WriteLn('Finish');

  ReadLn();
end.

While looking around, I discovered that this bug has been reported here https://bugs.freepascal.org/view.php?id=31934 and here https://bugs.freepascal.org/view.php?id=33853 but unfortunately no fix or feedback was provided.

Maybe the current maintainer of this package can take a look at it? :)
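
Added example, not part of the original post and not DCPCrypt's own code: a streaming hash must return the same digest however the input is split across Update calls, so hashing the same 1 GB buffer in one call and in slices shows whether the wrong result depends on the size passed to a single Update. HashInSteps and the 64 MB slice size are assumptions made for this sketch; the expected SHA256 value is the one quoted in the post.

```pascal
program HashChunkCheck;
{$mode objfpc}{$H+}
uses
  SysUtils, DCPsha256;
const
  TotalSize = 1024 * 1024 * 1024;  // same zero-filled 1 GB input as the report
  ChunkSize = 64 * 1024 * 1024;    // assumed slice size for the comparison run
  Expected  = '49BC20DF15E412A64472421E13FE86FF1C5165E18B2AFCCF160D4DC19FE68A14'; // from the post

// Hypothetical helper: hash Data with one Update call per Step-sized slice.
function HashInSteps(const Data: TBytes; Step: Int64): string;
var
  Hash: TDCP_SHA256;
  Digest: array[0..31] of byte;
  Offset, N: Int64;
  I: Integer;
begin
  Hash := TDCP_SHA256.Create(nil);
  try
    Hash.Init;
    Offset := 0;
    while Offset < Length(Data) do
    begin
      N := Length(Data) - Offset;
      if N > Step then N := Step;
      Hash.Update(Data[Offset], LongWord(N)); // assumes a 32-bit size parameter
      Inc(Offset, N);
    end;
    Hash.Final(Digest);
  finally
    Hash.Free;
  end;
  Result := '';
  for I := Low(Digest) to High(Digest) do
    Result := Result + IntToHex(Digest[I], 2);
end;

var
  Data: TBytes;
  OneShot, Chunked: string;
begin
  SetLength(Data, TotalSize);  // new dynamic-array elements are zero-initialised
  OneShot := HashInSteps(Data, TotalSize);
  Chunked := HashInSteps(Data, ChunkSize);
  WriteLn('one Update call : ', OneShot, '  matches expected: ', OneShot = Expected);
  WriteLn('64 MB slices    : ', Chunked, '  matches expected: ', Chunked = Expected);
  WriteLn('split-invariant : ', OneShot = Chunked);
end.
```

The same comparison applies to TDCP_MD5 and TDCP_SHA1 by swapping the unit, class, digest length and expected value.
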
Title: Re: Heads Up about Bug in DCPCrypt Library
Post by: Thaddy on December 16, 2019, 11:29:20 am
There is no maintainer (afaik): it was a one-off straight Delphi translation.
(Actually, it should be removed)
Title: Re: Heads Up about Bug in DCPCrypt Library
Post by: MarkMLl on December 16, 2019, 11:39:45 am
[Shudder] I've used that set of units for hashes but wouldn't know where to start maintaining it.

Is there any easy way of implementing a (Lazarus etc.) lookup, such that a unit or procedure could be reported as problematic if there were reported bugs against it which hadn't been identified as spurious by an administrator?

MarkML
Title: Re: Heads Up about Bug in DCPCrypt Library
Post by: Xor-el on December 16, 2019, 03:19:54 pm
There is no maintainer (afaik): it was a one-off straight Delphi translation.
(Actually, it should be removed)

I agree that it should be removed (or at least clearly indicated to be buggy) if it can't be fixed because this will give people wrong results which will cause incompatibilities.
Title: Re: Heads Up about Bug in DCPCrypt Library
Post by: Xor-el on December 16, 2019, 03:24:37 pm
[Shudder] I've used that set of units for hashes but wouldn't know where to start maintaining it.

MarkML

I guess you can start by familiarising yourself with the codebase.

Title: Re: Heads Up about Bug in DCPCrypt Library
Post by: Bart on December 16, 2019, 03:30:58 pm
The wiki page (https://wiki.lazarus.freepascal.org/DCPcrypt) says that Graeme Geldenhuys (http://geldenhuys.co.uk/) is the current maintainer.

Bart
Title: Re: Heads Up about Bug in DCPCrypt Library
Post by: Xor-el on December 16, 2019, 03:32:14 pm
Is there any easy way of implementing a (Lazarus etc.) lookup, such that a unit or procedure could be reported as problematic if there were reported bugs against it which hadn't been identified as spurious by an administrator?

MarkML

I don't really know unfortunately.