HMAC_SHA1 and FPC

Re: HMAC_SHA1 and FPC

silvioprog
2013/3/26 Anthony Walter <[hidden email]>
On Tue, Mar 26, 2013 at 1:20 AM, silvioprog <[hidden email]> wrote:
I don't know if you noticed, but I sent ALL the test cases required by RFC 2202 (http://tools.ietf.org/html/rfc2202), i.e., it's enough to check whether the algorithm is well implemented or not.

I'll await the answer of the staff of Core, because for me the final answer is theirs.

--
Silvio Clécio
My public projects - github.com/silvioprog

I wasn't asking you to stop your work, rather I was attempting to share insights and my opinions with the group. My point in the previous message was that many times it makes sense to reuse something which works, and possibly part of the operating system, rather than recreating that which already exists.

OK, sorry.

I'm rooting for them to implement it directly in FCL. The routines in hmac.pp will fit like a glove.

--
Silvio Clécio
My public projects - github.com/silvioprog

_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/mailman/listinfo/fpc-pascal

Re: HMAC_SHA1 and FPC

Sven Barth-2
In reply to this post by Anthony Walter-3
On 26.03.2013 06:53, Anthony Walter wrote:
On Tue, Mar 26, 2013 at 1:20 AM, silvioprog <[hidden email]> wrote:
I don't know if you noticed, but I sent ALL the test cases required by RFC 2202 (http://tools.ietf.org/html/rfc2202), i.e., it's enough to check whether the algorithm is well implemented or not.

I'll await the answer of the staff of Core, because for me the final answer is theirs.

--
Silvio Clécio
My public projects - github.com/silvioprog

I wasn't asking you to stop your work, rather I was attempting to share insights and my opinions with the group. My point in the previous message was that many times it makes sense to reuse something which works, and possibly part of the operating system, rather than recreating that which already exists.
We already have a "hash" package and I'm all for improving/extending it. This can prove especially useful for platforms where OpenSSL is not supported (think the embedded targets or similar here). Also I'm a big fan of "as less non-Pascal dependencies as possible" :)

Regards,
Sven

Re: HMAC_SHA1 and FPC

Marcos Douglas B. Santos
In reply to this post by Anthony Walter-3
On Tue, Mar 26, 2013 at 12:43 AM, Anthony Walter <[hidden email]> wrote:

>
> On Mon, Mar 25, 2013 at 11:24 PM, silvioprog <[hidden email]> wrote:
>>
>> Nice.
>>
>> But there are situations where the user does not have the OpenSSL lib.
>>
>> The routines I sent do not depend on external libs.
>>
>> --
>> Silvio Clécio
>> My public projects - github.com/silvioprog
>
>
> It's possible to build static lib files for Win 32 and 64 on Linux.
>
> ...  download the sources from here http://www.openssl.org/source/ then ...
>
> sudo apt-get install mingw-w64
>
> ... go to the OpenSSL source directory and ...
>
> CROSS_COMPILE="i686-w64-mingw32-" ./Configure mingw64 no-asm shared
> make
> CROSS_COMPILE="x86_64-w64-mingw32-" ./Configure mingw64 no-asm shared
> make
>
> ... and copy libcrypto.a and libssl.a to a FPC lib path ...
>
> Now you can compile for Win 32/64 using OpenSSL static lib files.

Hi,
Is it possible to make that only using Windows for any lib?

Best regards,
Marcos Douglas

Re: HMAC_SHA1 and FPC

Anthony Walter-3
On Tue, Mar 26, 2013 at 5:57 AM, Marcos Douglas <[hidden email]> wrote:
Hi,
Is it possible to make that only using Windows for any lib?

Best regards,
Marcos Douglas

Marcos,

Are you asking, "Is it possible to build any static lib for Windows and link it to a free pascal project"?

No, not all the time. Libraries may depend on system functions on one platform which are not available on another.

But, many times you can if the library can compile with mingw64. When this is the case you build a C project using mingw64, copy the lib files to a directory free pascal is using (see environment settings in lazarus), list the functions in a unit, then put {$linklib youlibname.a} in the implementation section. You may need a few {$ifdef}s for your different platforms.

The benefit of this is that you can easily incorporate (much more easily than rewriting) *complex* functionality into your free pascal projects knowing what you are reusing is probably faster, has more features, is more robust, and better tested than an implementation of X that someone reinvented again for free pascal.

Sometimes though you might be better off using dynamic linking (so, dll on windows) if you know the OS is going to provide features. Examples are msxml.dll vs libxml2.so, gdiplus.dll vs libcairo.so, etc. Of course in these cases what you probably need to do is write some lite wrappers, since the apis vary in form (but not function). In those cases I typically use interfaces...

IXmlDocument, IXmlNode // for parsing or building Xml
ICanvas, IBrush // for drawing

and then

function CreateXmlDocument: IXmlDocument; {$ifdef}s
function CreateCanvas: ICanvas; {$ifdef}s

Re: HMAC_SHA1 and FPC

Ludo Brands
In reply to this post by Sven Barth-2
On 03/26/2013 10:40 AM, Sven Barth wrote:
> On 26.03.2013 06:53, Anthony Walter wrote:

>> I wasn't asking you to stop your work, rather I was attempting to
>> share insights and my opinions with the group. My point in the
>> previous message was that many times it makes sense to reuse something
>> which works, and possibly part of the operating system, rather than
>> recreating that which already exists.
> We already have a "hash" package and I'm all for improving/extending it.
> This can prove especially useful for platforms where OpenSSL is not
> supported (think the embedded targets or similar here). Also I'm a big
> fan of "as less non-Pascal dependencies as possible" :)
>

Another advantage of OpenSSL is performance. Especially on x64 where
OpenSSL is an order of magnitude faster than e.g. the synapse sha1
implementation. It uses assembly to optimize code. I doubt that will
ever be done in a FPC library.

Ludo

Re: HMAC_SHA1 and FPC

Marcos Douglas B. Santos
In reply to this post by Anthony Walter-3
On Tue, Mar 26, 2013 at 10:05 AM, Anthony Walter <[hidden email]> wrote:

> On Tue, Mar 26, 2013 at 5:57 AM, Marcos Douglas <[hidden email]> wrote:
>>
>> Hi,
>> Is it possible to make that only using Windows for any lib?
>>
>> Best regards,
>> Marcos Douglas
>
>
> Marcos,
>
> Are you asking, "Is it possible to build any static lib for Windows and link
> it to a free pascal project"?

Yes, that's it. Thank you.

> No, not all the time. Libraries may depend on system functions on one
> platform which are not available on another.
>
> But, many times you can if the library can compile with mingw64. When this
> is the case you build a C project using mingw64, copy the lib files to a
> directory free pascal is using (see environment settings in lazarus), list
> the functions in a unit, then put {$linklib youlibname.a} in the
> implementation section. You may need a few {$ifdef}s for your different
> platforms.

I had seen this $linklib but I did not know what it was for.

> The benefit of this is that you can easily incorporate (much more easily
> than rewriting) *complex* functionality into your free pascal projects knowing
> what you are reusing is probably faster, has more features, is more robust,
> and better tested than an implementation of X that someone reinvented again
> for free pascal.
>
> Sometimes though you might be better off using dynamic linking (so, dll
> on windows) if you know the OS is going to provide features. Examples are
> msxml.dll vs libxml2.so, gdiplus.dll vs libcairo.so, etc. Of course in these
> cases what you probably need to do is write some lite wrappers, since the
> apis vary in form (but not function). In those cases I typically use
> interfaces...
>
> IXmlDocument, IXmlNode // for parsing or building Xml
> ICanvas, IBrush // for drawing
>
> and then
>
> function CreateXmlDocument: IXmlDocument; {$ifdef}s
> function CreateCanvas: ICanvas; {$ifdef}s

Good ideas. Thank you for sharing.

Marcos Douglas

Re: HMAC_SHA1 and FPC

silvioprog
In reply to this post by Sven Barth-2
2013/3/26 Sven Barth <[hidden email]>
On 26.03.2013 06:53, Anthony Walter wrote:
On Tue, Mar 26, 2013 at 1:20 AM, silvioprog <[hidden email]> wrote:
I don't know if you noticed, but I sent ALL the test cases required by RFC 2202 (http://tools.ietf.org/html/rfc2202), i.e., it's enough to check whether the algorithm is well implemented or not.

I'll await the answer of the staff of Core, because for me the final answer is theirs.

--
Silvio Clécio
My public projects - github.com/silvioprog

I wasn't asking you to stop your work, rather I was attempting to share insights and my opinions with the group. My point in the previous message was that many times it makes sense to reuse something which works, and possibly part of the operating system, rather than recreating that which already exists.
We already have a "hash" package and I'm all for improving/extending it. This can prove especially useful for platforms where OpenSSL is not supported (think the embedded targets or similar here). Also I'm a big fan of "as less non-Pascal dependencies as possible" :)

Regards,
Sven

+1.

And I'm sure the hmac is as fast as anything else out there that anyone writes, even using libs made in C/C++. :)

--
Silvio Clécio
My public projects - github.com/silvioprog

Re: HMAC_SHA1 and FPC

Sven Barth-2
In reply to this post by Ludo Brands

On 26.03.2013 14:26, "Ludo Brands" <[hidden email]> wrote:
>
> On 03/26/2013 10:40 AM, Sven Barth wrote:
> > On 26.03.2013 06:53, Anthony Walter wrote:
>
> >> I wasn't asking you to stop your work, rather I was attempting to
> >> share insights and my opinions with the group. My point in the
> >> previous message was that many times it makes sense to reuse something
> >> which works, and possibly part of the operating system, rather than
> >> recreating that which already exists.
> > We already have a "hash" package and I'm all for improving/extending it.
> > This can prove especially useful for platforms where OpenSSL is not
> > supported (think the embedded targets or similar here). Also I'm a big
> > fan of "as less non-Pascal dependencies as possible" :)
> >
>
> Another advantage of OpenSSL is performance. Especially on x64 where
> OpenSSL is an order of magnitude faster than e.g. the synapse sha1
> implementation. It uses assembly to optimize code. I doubt that will
> ever be done in a FPC library.

If someone provides a patch to additionally add assembly versions to cryptographic algorithms I doubt that we'll turn them down...

Regards,
Sven


Re: HMAC_SHA1 and FPC

shiruba2012
In reply to this post by Anthony Walter-3
Hi,

Actually I think on OS X and Linux it makes sense to depend on OpenSSL, but not for the reasons you mentioned so much as one more: Security.  If you are doing encryption, then it's better to use a library that is updated more often for bug fixes, and to have the updates be applied to your program automatically.  If you static-link it in, it will never be updated until you update it and ship a new version of your program and everyone installs it.  If you dynamically link to it, then the operating system updates it, you get the updates "for free".

After bad past experiences with VB and OCX files that broke all the time, and Java (enough said), I vastly prefer to use Pascal code in most cases and have everything linked static (less moving parts = less to break) - but there can be exceptions. (I use SQLite a lot, which isn't included by default in Windows).  For HMAC only though I just use Synapse.  

Thank you,
    Noah Silva

2013/3/26 Anthony Walter <[hidden email]>
On Tue, Mar 26, 2013 at 12:23 AM, silvioprog <[hidden email]> wrote:
Don't know why so much work if you can use it directly from the FCL.

Because...

OpenSSL is quite robust, well documented, tested, and proven
OpenSSL provides a full complement of cryptography and hashing functions
On Linux/OSX you can link to external shared object files, which further reduces project build size and system resources

Side benefit: OpenSSL also provides a simple secure socket implementation, which many times pairs nicely along with SHA/HMAC

Re: HMAC_SHA1 and FPC

silvioprog
2013/4/2 Noah Silva <[hidden email]>
Hi,

Actually I think on OS X and Linux it makes sense to depend on OpenSSL, but not for the reasons you mentioned so much as one more: Security.  If you are doing encryption, then it's better to use a library that is updated more often for bug fixes, and to have the updates be applied to your program automatically.  If you static-link it in, it will never be updated until you update it and ship a new version of your program and everyone installs it.  If you dynamically link to it, then the operating system updates it, you get the updates "for free".

After bad past experiences with VB and OCX files that broke all the time, and Java (enough said), I vastly prefer to use Pascal code in most cases and have everything linked static (less moving parts = less to break) - but there can be exceptions. (I use SQLite a lot, which isn't included by default in Windows).  For HMAC only though I just use Synapse.  

Thank you,
    Noah Silva

Well, who wants to link and configure an entire DLL to use only a single function, so be it. Who wants to use and configure an entire lib (Synapse, DCPcrypt etc) to use only a single function, so be it. But nothing prevents it from being implemented directly in the FCL, quick to declare/use.

Sorry, but I'll stop commenting in this topic. Now I feel like a dog trying to chase its own tail (http://stream1.gifsoup.com/webroot/animatedgifs6/2077970_o.gif). :p

--
Silvio Clécio
My public projects - github.com/silvioprog

Re: HMAC_SHA1 and FPC

Reinier Olislagers
In reply to this post by shiruba2012
On 2-4-2013 5:13, Noah Silva wrote:
> Actually I think on OS X and Linux it makes sense to depend on OpenSSL,
> but not for the reasons you mentioned so much as one more: Security.

That's probably why the previous poster wrote robust etc. Sounds like
security attributes to me.

> If
> you are doing encryption, then it's better to use a library that
> is updated more often for bug fixes, and to have the updates be applied
> to your program automatically.  If you static-link it in, it will never
> be updated until you update it and ship a new version of your program
> and everyone installs it.  If you dynamically link to it, then the
> operating system updates it, you get the updates "for free".


If you feel so strongly about it, why not submit a patch that uses
OpenSSL on platforms that are sure to have it and use Silvio's native
code for others?

Re: HMAC_SHA1 and FPC

shiruba2012
Hi Reinier,

2013/4/2 Reinier Olislagers <[hidden email]>
... 
> be updated until you update it and ship a new version of your program
> and everyone installs it.  If you dynamically link to it, then the
> operating system updates it, you get the updates "for free".

If you feel so strongly about it, why not submit a patch that uses
OpenSSL on platforms that are sure to have it and use Silvio's native
code for others?

Haha I was just mentioning one positive benefit.  Also, I am pretty sure Synapse can use the OpenSSL DLLs.
 
I am much more likely to submit some patches to the OS X GUI for Lazarus that I have been fixing in the last week or so.  We'll see.

Thank you,
    Noah Silva

p.s.: I don't see a big deal in pulling in something like Synapse so long as it compiles easily for your platform.  You don't have to use all the units, and the linker shouldn't even include all of the code from the units you do use.  If you only use one function that is mostly contained (like HMAC), then it shouldn't add much to your program's size in the scheme of things.  I don't like when people use things that aren't really needed mainly because you have to then download them and pray they compile on your setup.  (And in some cases, recompile Lazarus!).  For more common things that "just work", I have no issue.

Re: HMAC_SHA1 and FPC

Mark Morgan Lloyd-5
In reply to this post by Reinier Olislagers
Reinier Olislagers wrote:

> On 2-4-2013 5:13, Noah Silva wrote:
>> Actually I think on OS X and Linux it makes sense to depend on OpenSSL,
>> but not for the reasons you mentioned so much as one more: Security.
>
> That's probably why the previous poster wrote robust etc. Sounds like
> security attributes to me.
>
>> If
>> you are doing encryption, then it's better to use a library that
>> is updated more often for bug fixes, and to have the updates be applied
>> to your program automatically.  If you static-link it in, it will never
>> be updated until you update it and ship a new version of your program
>> and everyone installs it.  If you dynamically link to it, then the
>> operating system updates it, you get the updates "for free".

Depends. If you're using (say) a hash function to store a token in lieu
of a password then the important thing is that this behaves consistently
across platforms and program versions. If an external library eliminated
a potential security flaw (the most common case being when null text was
processed) that might be significant in the case of key scheduling for
data transfer over an insecure channel, but not for purely local storage.

As usual, there's little substitute for the original programmer knowing
what he's doing, and for him documenting what he's done so that
maintainers know what sort of external event can cause an issue.

--
Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk

[Opinions above are the author's, not those of his employers or colleagues]

Re: HMAC_SHA1 and FPC

Reinier Olislagers
In reply to this post by shiruba2012
On 2-4-2013 10:04, Noah Silva wrote:
> 2013/4/2 Reinier Olislagers <[hidden email]>
>     If you feel so strongly about it, why not submit a patch that uses
>     OpenSSL on platforms that are sure to have it and use Silvio's native
>     code for others?
>
>
> Haha I was just mentioning one positive benefit.  Also, I am pretty sure
> Synapse can use the OpenSSL DLLs.

Yep.

> I am much more likely to submit some patches to the OS X GUI for Lazarus
> that I have been fixing in the last week or so.  We'll see.

That does seem like a more worthwhile area, yes....
>
> Thank you,
>     Noah Silva

No worries,
Reinier

> p.s.: I don't see a big deal in pulling in something like Synapse so
> long as it compiles easily for your platform.  You don't have to use all
> the units, and the linker shouldn't even include all of the code from
> the units you do use.  If you only use one function that is mostly
> contained (like HMAC), then it shouldn't add much to your program's size
> in the scheme of things.  I don't like when people use things that
> aren't really needed mainly because you have to then download them and
> pray they compile on your setup.  (And in some cases, recompile
> Lazarus!).  For more common things that "just work", I have no issue.

Agreed - Synapse is nicely self-contained and modular.

Re: HMAC_SHA1 and FPC

Reinier Olislagers
In reply to this post by Mark Morgan Lloyd-5
On 2-4-2013 10:08, Mark Morgan Lloyd wrote:
> Reinier Olislagers wrote:
>> On 2-4-2013 5:13, Noah Silva wrote:
> Depends. If you're using (say) a hash function to store a token in lieu
> of a password then the important thing is that this behaves consistently
> across platforms and program versions. If an external library eliminated
> a potential security flaw (the most common case being when null text was
> processed) that might be significant in the case of key scheduling for
> data transfer over an insecure channel, but not for purely local storage.

Well, yes. But you can hardly limit use of the function to local storage
only.

> As usual, there's little substitute for the original programmer knowing
> what he's doing, and for him documenting what he's done so that
> maintainers know what sort of external event can cause an issue.

... and prove it works/interoperates by including a test set, as I think
Silvio has done.

Re: HMAC_SHA1 and FPC

wkitty42
In reply to this post by shiruba2012
On 4/2/2013 03:04, Noah Silva wrote:
> Haha I was just mentioning one positive benefit.  Also, I am pretty sure Synapse
> can use the OpenSSL DLLs.

it does... and on at least three platforms, too... winwhatever, *nix and OS2...

Re: HMAC_SHA1 and FPC

Victor Campillo
In reply to this post by silvioprog
On 25/03/13 23:56, silvioprog wrote:
Done.


The patch includes source, examples and test cases (7 for MD5 and 7 for SHA1).

--
Silvio Clécio
My public projects - github.com/silvioprog

Hi

Thank you very much Silvio for sharing this. Today I was looking for code for HMACMD5 and I don't want to use a big library like DCPcrypt or Synapse or OpenSSL; when I develop for embedded platforms I try to avoid dependencies as much as possible.

Best regards.

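
The RFC 2202 check discussed in this thread, written out as an added example; it is not Silvio's hmac.pp patch and not FCL code. It builds HMAC-SHA1 (RFC 2104) on nothing but the FCL `sha1` unit and runs the seven HMAC-SHA1 vectors from RFC 2202; the program name and the `HMACSHA1Hex`, `Rep` and `Check` routines are names chosen for this example.

```pascal
program hmacsha1_rfc2202;
{$mode objfpc}{$H+}
uses
  SysUtils, sha1; // sha1 is part of the FCL "hash" package; no external libs

const
  BlockSize = 64; // SHA-1 block size in bytes

// HMAC-SHA1 as defined in RFC 2104, returned as a lowercase hex string.
function HMACSHA1Hex(const Key, Msg: AnsiString): AnsiString;
var
  K, IPad, OPad: array[0..BlockSize - 1] of Byte;
  KeyDigest, Inner, Outer: TSHA1Digest;
  Ctx: TSHA1Context;
  I: Integer;
begin
  FillChar(K, SizeOf(K), 0); // shorter keys are zero-padded to one block
  if Length(Key) > BlockSize then
  begin
    KeyDigest := SHA1Buffer(Key[1], Length(Key)); // long keys are hashed first
    Move(KeyDigest, K, SizeOf(KeyDigest));
  end
  else if Length(Key) > 0 then
    Move(Key[1], K, Length(Key));
  for I := 0 to BlockSize - 1 do
  begin
    IPad[I] := K[I] xor $36;
    OPad[I] := K[I] xor $5C;
  end;
  SHA1Init(Ctx); // inner hash: SHA1((K xor ipad) || message)
  SHA1Update(Ctx, IPad, BlockSize);
  if Length(Msg) > 0 then
    SHA1Update(Ctx, Msg[1], Length(Msg));
  SHA1Final(Ctx, Inner);
  SHA1Init(Ctx); // outer hash: SHA1((K xor opad) || inner digest)
  SHA1Update(Ctx, OPad, BlockSize);
  SHA1Update(Ctx, Inner, SizeOf(Inner));
  SHA1Final(Ctx, Outer);
  Result := LowerCase(SHA1Print(Outer));
end;

// N copies of byte B, for the repeated-byte keys and data in RFC 2202 (N > 0).
function Rep(B: Byte; N: Integer): AnsiString;
begin
  SetLength(Result, N);
  FillChar(Result[1], N, B);
end;

procedure Check(CaseNo: Integer; const Key, Data, Expected: AnsiString);
begin
  if HMACSHA1Hex(Key, Data) = Expected then
    WriteLn('test_case ', CaseNo, ': ok')
  else
  begin
    WriteLn('test_case ', CaseNo, ': FAIL');
    ExitCode := 1; // non-zero exit status so a build script notices
  end;
end;

var
  Key4: AnsiString;
  I: Integer;
begin
  SetLength(Key4, 25);
  for I := 1 to 25 do
    Key4[I] := Chr(I); // key bytes 0x01..0x19 for test case 4
  Check(1, Rep($0b, 20), 'Hi There', 'b617318655057264e28bc0b6fb378c8ef146be00');
  Check(2, 'Jefe', 'what do ya want for nothing?', 'effcdf6ae5eb2fa2d27416d5f184df9c259a7c79');
  Check(3, Rep($aa, 20), Rep($dd, 50), '125d7342b9ac11cd91a39af48aa17b4f63f175d3');
  Check(4, Key4, Rep($cd, 50), '4c9007f4026250c6bc8414f9bf50c86c2d7235da');
  Check(5, Rep($0c, 20), 'Test With Truncation', '4c1a03424b55e07fe7f27be1d58bb9324a9a5a04');
  Check(6, Rep($aa, 80), 'Test Using Larger Than Block-Size Key - Hash Key First', 'aa4ae5e15272d00e95705637ce8a3b55ed402112');
  Check(7, Rep($aa, 80), 'Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data', 'e8e99d0f45237d786d6bbaa7965c7808bbff1a91');
end.
```

Cases 6 and 7 exercise the hash-the-key-first branch for keys longer than one block, which is where independent implementations most often stop interoperating.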