Reworked GetDigestInCryptFormat and all other methods relevant for that one to work on Unicode string (Delphi's UTF16 based Unicode string type). We still have some memory leaks though.

Author: MHumm

Source/DECHash.pas

@@ -1060,7 +1060,6 @@   THash_BCrypt = class(TDECPasswordHash)
       TBFBlock   = packed array[0..7]  of UInt8;
       PBFBlock   = ^TBFBlock;
 
-      TBCSalt    = packed array[0..15] of byte;
       TBCDigest  = packed array[0..23] of byte;
 
       TBF2Long   = packed record
@@ -1121,7 +1120,7 @@   THash_BCrypt = class(TDECPasswordHash)
         ///   Cost factor which might be used to adapt the algorithm to increased
         ///   processing power.
         /// </summary>
-        FCost   : UInt32;
+        FCost   : UInt8;
     /// <summary>
     ///   Sets the cost factor. Throws an EDECHashException when a value of 0
     ///   is to be set.
@@ -1130,7 +1129,7 @@   THash_BCrypt = class(TDECPasswordHash)
     ///   Exception raised if <c>Value</c> is lower than <c>MinCost</c> or
     ///   higher than <c>MaxCost</c>.
     /// </exception>
-    procedure SetCost(const Value: UInt32);
+    procedure SetCost(const Value: UInt8);
     /// <summary>
     ///   Special setup for the bcrypt variant of the blowfish implementation.
     ///   Designed to be unavoidably slow.
@@ -1188,7 +1187,7 @@   THash_BCrypt = class(TDECPasswordHash)
     /// <returns>
     ///   A Crypt/BSD ID
     /// </returns>
-    class function GetCryptID:RawByteString; override;
+    class function GetCryptID:string; override;
 
     /// <summary>
     ///   Returns the parameters required for the crypt-like password storing
@@ -1202,8 +1201,8 @@   THash_BCrypt = class(TDECPasswordHash)
     ///   Format class for formatting the output
     /// </param>
     class function GetCryptParams(
-                     const Params : RawByteString;
-                     Format : TDECFormatClass):RawByteString; override;
+                     const Params : string;
+                     Format : TDECFormatClass):string; override;
     /// <summary>
     ///   Returns the hash required for the crypt-like password storing
     ///   in that format. If a salt etc. is needed that needs to be specified
@@ -1216,13 +1215,8 @@   THash_BCrypt = class(TDECPasswordHash)
     ///   In case of BCrypt this has to be the numeric integer value of "Cost"
     /// </param>
     /// <param name="Salt">
-    ///   Salt value used by the password hash calculation. Depending on the
-    ///   value of SaltIsRaw, the salt needs to specified in raw encoding or
-    ///   in the encoding used in the Crypt/BSD password storage string.
-    /// </param>
-    /// <param name="SaltIsRaw">
-    ///   If true the passed salt value is a raw value. If false it is encoded
-    ///   like in the Crypt/BSD password storage string.
+    ///   Salt value used by the password hash calculation in binary raw format,
+    ///   means not Radix64 encoded or so.
     /// </param>
     /// <param name="Format">
     ///   Format class for formatting the output
@@ -1231,11 +1225,10 @@   THash_BCrypt = class(TDECPasswordHash)
     ///   Calculated hash value
     /// </returns>
     class function GetCryptHash(
-                     const Password : RawByteString;
-                     const Params   : RawByteString;
-                     const Salt     : RawByteString;
-                     SaltIsRaw      : Boolean;
-                     Format         : TDECFormatClass):RawByteString; override;
+                     const Password : string;
+                     const Params   : string;
+                     const Salt     : TBytes;
+                     Format         : TDECFormatClass):string; override;
     {$EndRegion}
   public
     /// <summary>
@@ -1298,7 +1291,7 @@   THash_BCrypt = class(TDECPasswordHash)
     /// <exception cref="EDECHashException">
     ///   Exception raised if a value outside of the range 4..31 is given.
     /// </exception>
-    property Cost: UInt32
+    property Cost: UInt8
       read   FCost
       write  SetCost;
   end;
@@ -5198,37 +5191,34 @@ procedure THash_BCrypt.Expandkey(Salt             : TBytes;
 end;
 
 class function THash_BCrypt.GetCryptHash(
-                              const Password : RawByteString;
-                              const Params   : RawByteString;
-                              const Salt     : RawByteString;
-                              SaltIsRaw      : Boolean;
-                              Format         : TDECFormatClass): RawByteString;
+                              const Password : string;
+                              const Params   : string;
+                              const Salt     : TBytes;
+                              Format         : TDECFormatClass): string;
 var
   Hash : THash_BCrypt;
 begin
   Hash := THash_BCrypt.Create;
   try
     Hash.Cost := StrToInt(string(Params));
-    if SaltIsRaw then
-      Hash.Salt := BytesOf(Salt)
-    else
-      Hash.Salt := Format.Decode(BytesOf(Salt));
+    Hash.Salt := Salt;
 
     // BCrypt leaves off the $ in front of the actual password hash value
-    Result := Hash.CalcString(Password, Format);
+    Result := TEncoding.ASCII.GetString(
+                Format.Encode(Hash.CalcBytes(TEncoding.UTF8.GetBytes(Password))));
   finally
     Hash.Free;
   end;
 end;
 
-class function THash_BCrypt.GetCryptID: RawByteString;
+class function THash_BCrypt.GetCryptID: string;
 begin
   Result := '$2a';
 end;
 
 class function THash_BCrypt.GetCryptParams(
-                              const Params : RawByteString;
-                              Format       : TDECFormatClass): RawByteString;
+                              const Params : string;
+                              Format       : TDECFormatClass): string;
 begin
   Result := Params;
   if (Length(Result) < 2) then
@@ -5347,7 +5337,7 @@ class function THash_BCrypt.MinSaltLength: UInt8;
   Result := 16;
 end;
 
-procedure THash_BCrypt.SetCost(const Value: UInt32);
+procedure THash_BCrypt.SetCost(const Value: UInt8);
 begin
   if (Value in [MinCost..MaxCost]) then
     FCost := Value

Source/DECHashAuthentication.pas

@@ -640,6 +640,11 @@   TDECPasswordHash = class(TDECHashAuthentication)
     /// </summary>
     FSalt : TBytes;
 
+    /// <summary>
+    ///   Overwrite the salt value
+    /// </summary>
+    procedure DoDone; override;
+
     {$Region CryptFormatHandling}
     /// <summary>
     ///   Returns the ID code for Crypt/BSD like storing of passwords. The ID
@@ -650,7 +655,7 @@   TDECPasswordHash = class(TDECHashAuthentication)
     ///   If the algorithm on which this is being used is a Crypt/BSD compatible
     ///   password hash algorithm the ID is returned otherwise an empty string.
     /// </returns>
-    class function GetCryptID:RawByteString; virtual;
+    class function GetCryptID:string; virtual;
 
     /// <summary>
     ///   Returns the parameters required for the crypt-like password storing
@@ -667,8 +672,8 @@   TDECPasswordHash = class(TDECHashAuthentication)
     ///   Returns an empty string if the the algorithm on which this is being
     ///   used is not a Crypt/BSD compatible password hash algorithm
     /// </returns>
-    class function GetCryptParams(const Params : RawByteString;
-                                  Format       : TDECFormatClass):RawByteString; virtual;
+    class function GetCryptParams(const Params : string;
+                                  Format       : TDECFormatClass):string; virtual;
     /// <summary>
     ///   Returns the salt required for the crypt-like password storing
     ///   in that format.
@@ -679,8 +684,8 @@   TDECPasswordHash = class(TDECHashAuthentication)
     /// <param name="Format">
     ///   Format class for formatting the output
     /// </param>
-    class function GetCryptSalt(const Salt : RawByteString;
-                                Format     : TDECFormatClass):RawByteString; virtual;
+    class function GetCryptSalt(const Salt : TBytes;
+                                Format     : TDECFormatClass):string; virtual;
     /// <summary>
     ///   Returns the hash required for the crypt-like password storing
     ///   in that format. If a salt etc. is needed that needs to be scepcified
@@ -698,9 +703,9 @@   TDECPasswordHash = class(TDECHashAuthentication)
     ///   value of SaltIsRaw, the salt needs to specified in raw encoding or
     ///   in the encoding used in the Crypt/BSD password storage string.
     /// </param>
-    /// <param name="SaltIsRaw">
-    ///   If true the passed salt value is a raw value. If false it is encoded
-    ///   like in the Crypt/BSD password storage string.
+    /// <param name="Salt">
+    ///   Salt value used by the password hash calculation in binary raw format,
+    ///   means not Radix64 encoded or so.
     /// </param>
     /// <param name="Format">
     ///   Format class for formatting the output
@@ -709,11 +714,10 @@   TDECPasswordHash = class(TDECHashAuthentication)
     ///   Returns an empty string if the the algorithm on which this is being
     ///   used is not a Crypt/BSD compatible password hash algorithm.
     /// </returns>
-    class function GetCryptHash(const Password : RawByteString;
-                                const Params   : RawByteString;
-                                const Salt     : RawByteString;
-                                SaltIsRaw      : Boolean;
-                                Format         : TDECFormatClass):RawByteString; virtual;
+    class function GetCryptHash(const Password : string;
+                                const Params   : string;
+                                const Salt     : TBytes;
+                                Format         : TDECFormatClass):string; virtual;
     {$EndRegion}
   public
     /// <summary>
@@ -789,10 +793,10 @@   TDECPasswordHash = class(TDECHashAuthentication)
     /// </exception>
     class function GetDigestInCryptFormat(
                      const Password : RawByteString;
-                     const Params   : RawByteString;
-                     const Salt     : RawByteString;
+                     const Params   : string;
+                     const Salt     : string;
                      SaltIsRaw      : Boolean;
-                     Format         : TDECFormatClass):RawByteString; virtual;
+                     Format         : TDECFormatClass):string; virtual;
 
 //    /// <summary>
 //    ///   Calculates a passwort hash for the given password and returns it in
@@ -1479,27 +1483,29 @@ procedure TDECPasswordHash.SetSalt(const Value: TBytes);
   FSalt := Value;
 end;
 
-class function TDECPasswordHash.GetCryptID: RawByteString;
+class function TDECPasswordHash.GetCryptID: string;
 begin
   Result := '';
 end;
 
 class function TDECPasswordHash.GetCryptParams(
-                 const Params : RawByteString;
-                 Format       : TDECFormatClass): RawByteString;
+                 const Params : string;
+                 Format       : TDECFormatClass): string;
 begin
   Result := '';
 end;
 
-class function TDECPasswordHash.GetCryptSalt(const Salt : RawByteString;
-                                             Format     : TDECFormatCLass): RawByteString;
+class function TDECPasswordHash.GetCryptSalt(const Salt : TBytes;
+                                             Format     : TDECFormatCLass): string;
 var
   FormattedSalt : TBytes;
 begin
-  FormattedSalt := Format.Encode(BytesOf(Salt));
-  SetLength(Result, Length(FormattedSalt) + 1);
-  Move(FormattedSalt[0], Result[Low(Result) + 1], Length(FormattedSalt));
-  Result[Low(Result)] := '$';
+  FormattedSalt := Format.Encode(Salt);
+//  SetLength(Result, Length(FormattedSalt) + 1);
+//  Move(FormattedSalt[0], Result[Low(Result) + 1], Length(FormattedSalt));
+//  Result[Low(Result)] := '$';
+
+  Result := '$' + TEncoding.ASCII.GetString(FormattedSalt);
 end;
 
 class function TDECPasswordHash.ClassByCryptIdentity(
@@ -1527,24 +1533,31 @@ class function TDECPasswordHash.ClassByCryptIdentity(
                                                      [Identity]);
 end;
 
+procedure TDECPasswordHash.DoDone;
+begin
+  inherited;
+
+  ProtectBuffer(FSalt, SizeOf(FSalt));
+  SetLength(FSalt, 0);
+end;
+
 class function TDECPasswordHash.GetCryptHash(
-                                  const Password : RawByteString;
-                                  const Params   : RawByteString;
-                                  const Salt     : RawByteString;
-                                  SaltIsRaw      : Boolean;
-                                  Format         : TDECFormatClass): RawByteString;
+                                  const Password : string;
+                                  const Params   : string;
+                                  const Salt     : TBytes;
+                                  Format         : TDECFormatClass): string;
 begin
   Result := '';
 end;
 
 class function TDECPasswordHash.GetDigestInCryptFormat(
                                   const Password : RawByteString;
-                                  const Params   : RawByteString;
-                                  const Salt     : RawByteString;
+                                  const Params   : string;
+                                  const Salt     : string;
                                   SaltIsRaw      : Boolean;
-                                  Format         : TDECFormatClass): RawByteString;
+                                  Format         : TDECFormatClass): string;
 var
-  SaltStr : RawByteString;
+  SaltBytes : TBytes;
 begin
   // generic format used by Crypt, but not every algorithm sticks 100% to it
   // $<id>[$<param>=<value>(,<param>=<value>)*][$<salt>[$<hash>]]
@@ -1554,13 +1567,13 @@ class function TDECPasswordHash.GetDigestInCryptFormat(
   if (Result <> '') then
   begin
     if SaltIsRaw then
-      SaltStr := Salt
+      SaltBytes := TEncoding.UTF8.GetBytes(Salt)
     else
-      SaltStr := Format.Decode(salt);
+      SaltBytes := Format.Decode(TEncoding.UTF8.GetBytes(Salt));
 
     Result := Result + GetCryptParams(Params, Format) +
-                       GetCryptSalt(SaltStr, Format) +
-                       GetCryptHash(Password, Params, Salt, SaltIsRaw, Format);
+                       GetCryptSalt(SaltBytes, Format) +
+                       GetCryptHash(Password, Params, SaltBytes, Format);
   end;
 end;