Removed FastMM4 from uses, fixed IsValid password and implemented tests for it, also declared that TDECPasswordHash uses the IDECHashPassword interface and added the GetDigestInCryptFormat and IsValidPassword methods to it.

Author: MHumm

Source/DECHash.pas

@@ -1197,7 +1197,18 @@       TBCryptBSDData = record
     /// <summary>
     ///   Splits a given Crypt/BSD style password record into its parts
     /// </summary>
-    class function SplitTestVector(const Vector: string):TBCryptBSDData;
+    /// <param name="Vector">
+    ///   Data to split
+    /// </param>
+    /// <param name="SplittedData">
+    ///   Data splitted in ID, Cost and Salt
+    /// </param>
+    /// <returns>
+    ///   true if splitting resulted in the right number of parts,
+    ///   otherwise false
+    /// </returns>
+    function SplitTestVector(const Vector     : string;
+                             var SplittedData : TBCryptBSDData):Boolean;
   strict protected
     procedure DoInit; override;
     procedure DoTransform(Buffer: PUInt32Array); override;
@@ -5281,17 +5292,23 @@ function THash_BCrypt.IsValidPassword(const Password  : string;
 begin
   Result := false;
 
-  SplittedCryptData := SplitTestVector(CryptData);
-  // Is the CryptData for this algorithm?
-  if SplittedCryptData.ID <> GetCryptID then
-    exit;
+  if (Length(CryptData) = 60) then
+  begin
+    if SplitTestVector(CryptData, SplittedCryptData) then
+    begin
+      // Is the CryptData for this algorithm?
+      if '$' + SplittedCryptData.ID <> GetCryptID then
+        exit;
 
-  GetCryptHash(Password,
-               SplittedCryptData.Cost,
-               Format.Decode(TEncoding.UTF8.GetBytes(SplittedCryptData.Salt)),
-               Format);
+      Hash := GetDigestInCryptFormat(Password,
+                                     SplittedCryptData.Cost,
+                                     SplittedCryptData.Salt,
+                                     False,
+                                     Format);
 
-  Result := hash = CryptData;
+      Result := Hash = CryptData;
+    end;
+  end;
 end;
 
 procedure THash_BCrypt.BF_Encrypt(const BI: TBFBlock; var BO: TBFBlock);
@@ -5412,14 +5429,22 @@ procedure THash_BCrypt.SetCost(const Value: UInt8);
     raise EDECHashException.CreateFmt(sCostFactorInvalid, [MinCost, MaxCost]);
 end;
 
-class function THash_BCrypt.SplitTestVector(const Vector: string): TBCryptBSDData;
+function THash_BCrypt.SplitTestVector(const Vector     : string;
+                                      var SplittedData : TBCryptBSDData): Boolean;
 var
   Parts : TArray<string>;
 begin
-  Parts := Vector.Split(['$'], TStringSplitOptions.ExcludeEmpty);
-  Result.ID   := Parts[0];
-  Result.Cost := Copy(Parts[1], Low(Parts[1]), Length(Parts[1]));
-  Result.Salt := Copy(Parts[2], Low(Parts[2]), 22);
+  Result := false;
+
+  Parts             := Vector.Split(['$'], TStringSplitOptions.ExcludeEmpty);
+
+  if (Length(Parts) = 3) then
+  begin
+    SplittedData.ID   := Parts[0];
+    SplittedData.Cost := Copy(Parts[1], Low(Parts[1]), Length(Parts[1]));
+    SplittedData.Salt := Copy(Parts[2], Low(Parts[2]), 22);
+    Result := true;
+  end;
 end;
 
 {$IFDEF RESTORE_RANGECHECKS}{$R+}{$ENDIF}

Source/DECHashAuthentication.pas

@@ -618,7 +618,7 @@   TDECHashExtended = class(TDECHashAuthentication, IDECHashExtended)
   ///   those from normal hash algorithms not really meant to be used for password
   ///   hashing.
   /// </summary>
-  TDECPasswordHash = class(TDECHashAuthentication)
+  TDECPasswordHash = class(TDECHashAuthentication, IDECHashPassword)
   strict private
     /// <summary>
     ///   Sets the salt value given. Throws an EDECHashException if a salt is
@@ -807,6 +807,7 @@   TDECPasswordHash = class(TDECHashAuthentication)
     /// <param name="CryptData">
     ///   The data needed to "compare" the password against in Crypt/BSD like
     ///   format: $<id>[$<param>=<value>(,<param>=<value>)*][$<salt>[$<hash>]]
+    ///   The exact format depends on the algorithm used.
     /// </param>
     /// <param name="Format">
     ///   Must be the right type for the Crypt/BSD encoding used by the

Source/DECHashInterface.pas

@@ -387,6 +387,73 @@ interface
 
   IDECHashPassword = Interface(IDECHash)
   ['{B4D8A80C-1F42-46F8-9288-D71ECCFE6F02}']
+      /// <summary>
+    ///   Calculates a passwort hash for the given password and returns it in
+    ///   a BSDCrypt compatible format. This method only works for those hash
+    ///   algorithms implementing the necessary GetBSDCryptID method.
+    /// </summary>
+    /// <param name="Password">
+    ///   Entered password for which to calculate the hash. The caller is
+    ///   responsible to ensure the maximum password length is adhered to.
+    ///   Any exceptions raised due to too long passwords are not caught here!
+    /// </param>
+    /// <param name="Params">
+    ///   Algorithm specific parameters used for initialization. For details see
+    ///   documentation of the concrete implementation in the algorithm.
+    /// </param>
+    /// <param name="Salt">
+    ///   Salt value used by the password hash calculation. Depending on the
+    ///   value of SaltIsRaw, the salt needs to specified in raw encoding or
+    ///   in the encoding used in the Crypt/BSD password storage string.
+    /// </param>
+    /// <param name="SaltIsRaw">
+    ///   If true the passed salt value is a raw value. If false it is encoded
+    ///   like in the Crypt/BSD password storage string.
+    /// </param>
+    /// <param name="Format">
+    ///   Formatting class used to format the calculated password. Different
+    ///   algorithms in BSDCrypt use different algorithms so one needs to know
+    ///   which one to pass. See description of the hash class used.
+    /// </param>
+    /// <returns>
+    ///   Calculated hash value in BSD crypt style format. Returns an empty
+    ///   string if the algorithm is not a Crypt/BSD style password hash algorithm.
+    /// </returns>
+    /// <exception cref="EDECHashException">
+    ///   Exception raised if length of <c>Password</c> is higher than
+    ///   <c>MaxPasswordLength</c> or if a salt with a different length than
+    ///   128 bit has been specified.
+    /// </exception>
+    function GetDigestInCryptFormat(const Password : string;
+                                    const Params   : string;
+                                    const Salt     : string;
+                                    SaltIsRaw      : Boolean;
+                                    Format         : TDECFormatClass):string;
+
+    /// <summary>
+    ///   Checks whether a given password is the correct one for a password
+    ///   storage "record"/entry in Crypt/BSD format.
+    /// </summary>
+    /// <param name="Password">
+    ///   Password to check for validity
+    /// </param>
+    /// <param name="CryptData">
+    ///   The data needed to "compare" the password against in Crypt/BSD like
+    ///   format: $<id>[$<param>=<value>(,<param>=<value>)*][$<salt>[$<hash>]].
+    ///   The exact format depends on the algorithm used.
+    /// </param>
+    /// <param name="Format">
+    ///   Must be the right type for the Crypt/BSD encoding used by the
+    ///   algorithm used. This was implemented this way to avoid making the
+    ///   DECHashAuthentication unit dependant on the DECFormat unit not needed
+    ///   otherwise.
+    /// </param>
+    /// <returns>
+    ///    True if the password given is correct.
+    /// </returns>
+    function IsValidPassword(const Password  : string;
+                             const CryptData : string;
+                             Format          : TDECFormatClass): Boolean;
     /// <summary>
     ///   Sets the salt value given. Throws an EDECHashException if a salt is
     ///   passed which is longer than MaxSaltLength.

Unit Tests/DECDUnitTestSuite.dpr

@@ -16,6 +16,7 @@ program DECDUnitTestSuite;
 {$ENDIF}
 
 uses
+//  FastMM4,
   Vcl.Forms,
   {$IFDEF TESTINSIGHT}
   TestInsight.Client,