Inno Setup SHA256 function results do not match any other implementation - cryptography

The built in functions provided by Inno Setup GetSHA256OfUnicodeString and GetSHA256OfString do not seem to generate the same results as any other implementation I could find.
I need to generate the SHA256 of a String that is provided during installation and check against it later from a piece of Java code.
However, the SHA256 values generated by the Inno Setup functions do not match anything I can create with other implementations or online calculators.
E.g., the Inno Setup manual provides this example:
    var SHA256: String;
    begin
      SHA256 := GetSHA256OfUnicodeString('Test');
      // SHA256 = 'fe520676b1a1d93dabab2319eea03674f3632eaeeb163d1e88244f5eb1de10eb'
    end;
However, using for example this online calculator, the result for 'Test' is:
532eaabd9574880dbf76b9b8cc00832c20a6ec113d682299550d7a6e0f345e25
I found the implementation of the Inno Setup SHA256 functions here, however, the buck stops there for me as I cannot find the source for the THashSHA2 class used there.
Is there some length byte(s) included in the SHA256 or why is the result different? Any hint is highly appreciated.

Putting together what others posted in the comments:
The example is wrong, as it shows a hash of test, not Test.
I have submitted a correction.
The Pascal Script UnicodeString uses UTF-16LE, not the UTF-8 (ASCII) that your online calculator uses by default.
So this gives you the hash shown in the example:
https://dencode.com/hash/sha256?v=test&oe=UTF-16LE&nl=crlf
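The check described in this answer, as an added Python example (not code from the original posts or from Inno Setup): it hashes each candidate string under several encodings and reports which combination produced a given digest. The names `sha256_hex`, `explain_digest` and the encoding list are assumptions of this example; the two digests are the ones quoted above.

```python
import hashlib

# Encodings a caller might plausibly have hashed the string under.
ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be")

# Digests quoted on this page.
MANUAL_EXAMPLE = "fe520676b1a1d93dabab2319eea03674f3632eaeeb163d1e88244f5eb1de10eb"
ONLINE_CALCULATOR = "532eaabd9574880dbf76b9b8cc00832c20a6ec113d682299550d7a6e0f345e25"


def sha256_hex(text: str, encoding: str) -> str:
    """SHA-256 over the bytes of `text` in `encoding`, as lowercase hex."""
    return hashlib.sha256(text.encode(encoding)).hexdigest()


def explain_digest(target_hex: str, candidates, encodings=ENCODINGS):
    """Return every (text, encoding) pair whose SHA-256 equals target_hex."""
    target = target_hex.strip().lower()
    return [
        (text, enc)
        for text in candidates
        for enc in encodings
        if sha256_hex(text, enc) == target
    ]


if __name__ == "__main__":
    # A hash function sees bytes, not characters: same text, different input.
    print("utf-8    :", "test".encode("utf-8").hex())
    print("utf-16-le:", "test".encode("utf-16-le").hex())
    for label, digest in (("manual example", MANUAL_EXAMPLE),
                          ("online calculator", ONLINE_CALCULATOR)):
        print(label, "->", explain_digest(digest, ["Test", "test"]))
```

To reproduce the GetSHA256OfUnicodeString value from Java, hash the bytes returned by `getBytes(StandardCharsets.UTF_16LE)` rather than the default or UTF-8 bytes.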

Related

google authenticator vs vbscript

I have implemented this http://jacob.jkrall.net/totp/ in vbscript.
My code given the same hex gives the right 6-digit otp, so that part is working.
I've also verified the HMAC-SHA-1 encoding against an online generator, http://www.freeformatter.com/hmac-generator.html#ad-output, same input gives same output.
My time is the same as http://www.currenttimestamp.com/
I've generated a qrcode at http://www.qr-koder.dk/ with the string otpauth://totp/$LABEL?secret=$SECRET and the google authenticator app reads the code and starts outputting the 6 digit code changing every 30 seconds.
BUT THE CODES FROM THE APP DO NOT MATCH THE 6-DIGIT CODE THE VBSCRIPT GENERATES!
I've even tried trunc(time/30) +/-7500 steps to see if it was a timezone/daylight saving problem, to no avail.
As the other parts of the routine to generate the 6 digits seem to work I've come to the conclusion I don't understand this:
the url on the qr-code is
otpauth://totp/$LABEL?secret=$SECRET
with the explanation
LABEL can be used to describe the key in your app, while SECRET is the
16-character base32-encoded shared secret, which is now known to both
the client and the server.
So when I calculate HMAC-SHA-1(SECRET, time()/30)
should the SECRET be the same string given to both the app and the calculation?
If I select a secret of 1234567890, the base32 is GEZDGNBVGY3TQOJQ according to http://emn178.github.io/online-tools/base32_encode.html.
Should I then take
HMAC-SHA-1("1234567890", time()/30)
or
HMAC-SHA-1("GEZDGNBVGY3TQOJQ", time()/30)
?
I believe I've tried both, and neither works.
The system unix time is correct.
I guess the problem might be with the secret in your HMAC-SHA-1 function. It very much depends on what the HMAC-SHA-1 expects.
Your string "123456790" might be a binary string. Is it an ascii representation or utf8? I.e. is this string 10 bytes or 20 bytes long?
I recommend getting the input string in your VBScript right.
On the other hand, instead of writing your own VBScript, you can also use a ready made solution like the privacyIDEA authentication server, which is open source and also comes with TOTP.
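What the HMAC-SHA-1 step expects as input, shown as an added Python example (not code from the original posts): per RFC 4226 and RFC 6238 the key is the raw bytes obtained by base32-decoding the `secret` parameter, and the message is the time step as an 8-byte big-endian integer. The function names are assumptions of this example; the 32-character secret is the RFC 6238 SHA-1 test key, used so the output can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import struct


def decode_secret(secret_b32: str) -> bytes:
    """Turn the base32 text from the otpauth:// URL into the raw HMAC key."""
    text = secret_b32.replace(" ", "").upper()
    text += "=" * (-len(text) % 8)          # restore any stripped padding
    return base64.b32decode(text)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the counter packed as 8 big-endian bytes."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(decode_secret(secret_b32), unix_time // step)


if __name__ == "__main__":
    # The secret from the question decodes back to the 10 bytes "1234567890".
    print(decode_secret("GEZDGNBVGY3TQOJQ"))
    # RFC 6238 test key "12345678901234567890", base32-encoded.
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(rfc_secret, 59))              # last 6 digits of vector 94287082
    # Using the base32 text itself as the key yields an unrelated code.
    print(hotp(rfc_secret.encode("ascii"), 59 // 30))
```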

How should I use yy_scan_buffer in (.y) file (lex and yacc)

How should I use yy_scan_buffer in (.y) file (lex and yacc)? The return type of yy_scan_buffer is YY_BUFFER_STATE, which is in lex.yy.c.
For background: it is a special function called from yy_scan_bytes, which in turn is called from yy_scan_string (likewise can be overridden).
According to String input to flex lexer, the return-type corresponds to a handle which should be deleted using yy_delete_buffer, but that yy_scan_buffer does the deletion. However (looking at the generated code), that does not appear to be correct — perhaps this depends upon the version of flex which is used.
According to these questions, you might want to use yy_scan_string, etc., in writing reentrant code (although the functions predate any work on flex to provide reentrancy):
how to use yy_scan_string(const char *str) (generated by lex yacc) in a separated file
how to use yy_scan_string in lex
Flex's current documentation mentions its use for multiple input buffers:
Some scanners (such as those which support “include” files) require reading from several input streams. As flex scanners do a large amount of buffering, one cannot control where the next input will be read from by simply writing a YY_INPUT() which is sensitive to the scanning context. YY_INPUT() is only called when the scanner reaches the end of its buffer, which may be a long time after scanning a statement such as an include statement which requires switching the input source.
The documentation goes on to provide examples of usage. Depending on what you want to do, those may be useful.

gulp-newer vs gulp-changed

What're the differences between them?
gulp-newer:
    gulp.src(imgSrc)
        .pipe(newer(imgDest))
        .pipe(imagemin())
        .pipe(gulp.dest(imgDest));
gulp-changed:
    gulp.src(SRC)
        .pipe(changed(DEST))
        // ngmin will only get the files that
        // changed since the last time it was run
        .pipe(ngmin())
        .pipe(gulp.dest(DEST));
It seems gulp-changed is more powerful, because it provides an option
hasChanged: changed.compareLastModifiedTime
I hope it's not too late to answer this question. I have had to evaluate both of them at a source-code level for a recent project, and here is my take.
gulp-newer
At the core, this plugin compares the source and dest file's modified time (see node API) to decide whether the source file is newer than the dest file or if there is no dest file at all. Here is the related code in the plugin:
var newer = !destFileStats || srcFile.stat.mtime > destFileStats.mtime;
gulp-changed
This plugin by default also uses a file's modified time to decide which to pass through the stream
function compareLastModifiedTime(stream, cb, sourceFile, targetPath) {}
but it goes one step further by offering an option to compare the file's content SHA1 hash:
function compareSha1Digest(stream, cb, sourceFile, targetPath) {}
This information is nicely documented.
Conclusion
So theoretically speaking, if you use gulp-changed's default hasChanged: changed.compareLastModifiedTime, each plugin is relatively as fast as the other. If you use gulp-changed's hasChanged: changed.compareSha1Digest, it's reasonable to expect gulp-changed to be a bit slower because it does create a SHA1 hash of the file content. I didn't benchmark but I'm also interested in seeing some numbers.
Which to choose
gulp-changed, purely because of the developer behind it (sindresorhus). If one day this awesome man decides that he will stop supporting his gulp plugins, I think I will stop using gulp altogether.
Joking aside, though, gulp-changed's source code is gulp-y, while gulp-newer's source reads pretty much like just another node module's source with lots of promises. So another +1 for gulp-changed :)
HUGE EDIT
Gulp-changed only works with 1:1 source:dest mapping. If you need many:1, e.g. when using with gulp concat, choose gulp-newer instead.
May I suggest gulp-newy in which you can manipulate the path and filename in your own function. Then, just use the function as the callback to the newy(). This gives you complete control of the files you would like to compare.
This will allow 1:1 or many to 1 compares.
    newy(function(projectDir, srcFile, absSrcFile) {
        // do whatever you want to here.
        // construct your absolute path, change filename suffix, etc.
        // then return /foo/bar/filename.suffix as the file to compare against
    })
In order to answer this question you will have to compare both plugins source code.
It seems that gulp-changed has more options, as you have said, is more used (it has been downloaded more times) and has more contributors; thus, it could be more updated and refactored, as it has been used more.
Something that can make a difference, according to their documentation.
In the example for gulp-newer, it's used like this:
    gulp.task('default', function() {
        gulp.watch(imgSrc, ['images']);
    });
Thus, it seems that once this task is running, it will only notice files that are changing while you are using this plugin.
On gulp-changed, they say: "will only get the files that changed since the last time it was run". So, and I didn't try this on a working example, it seems that gulp-changed processes all files and then only the ones that have been changed since the last execution, so it seems it will always "look" at all files and internally (md5 hash? no clue, didn't check the source) decide whether a file has changed since the last execution. It does not need a watcher for that.
All this was only from reading their official documentation.
An "in the wild" test would be very welcome!

How to add intarray extension to PostgreSQL on Heroku

The app I have is using intarray extension of the PostgreSQL.
Unfortunately it doesn't seem to be available according to the docs and the command line:
> echo 'show extwlist.extensions' | heroku pg:psql
extwlist.extensions
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
btree_gist,chkpass,cube,dblink,dict_int,dict_xsyn,earthdistance,fuzzystrmatch,hstore,isn,ltree,pg_trgm,pgcrypto,pgrowlocks,pgstattuple,plpgsql,unaccent,uuid-ossp,citext,tablefunc
(1 row)
Also:
> heroku pg:psql
psql (9.1.5, server 9.1.6)
SSL connection
Type "help" for help.
=> CREATE EXTENSION intarray;
WARNING: extension "intarray" is not whitelisted
CREATE EXTENSION
So does it mean I can't use Heroku or there IS a way to add intarray extension (using idx function for example).
Thanks.
The general consensus from the Postgres community I got was that intarray is obsoleted by just using int[] and that it's only kept around for backwards compatibility for very old applications. That's why we haven't added support for it.
So far everyone who asked for it was actually happier with int[] and just hadn't found it. Is there some usecase where you actually want an intarray column instead? We can just turn it on.
intarray has been whitelisted on Heroku since March 2014, so you should be able to enable the extension directly. If you provisioned your database before that you will first need to upgrade your database.
Have to answer my own question just to provide a little bit more details.
The intarray was used for extracting path information from columns containing strings like 123/312/56/9863. That was stored (poorly) as string instead of an array in the first place.
The reason we needed intarray is because it had the idx function.
What was happening is this:
convert string to an array
find the given number using the idx
return the next number in sequence.
All that was done as a temporary measure. But since heroku couldn't support idx the only way to use it was by adding a custom function.
But instead we converted the queries and data structure to use ltree and its index function.
Apart from not needing a dependency on idx (but introducing another dependency on ltree), we also improved the performance of the queries by a factor of x200.

MD5CryptoServiceProvider ComputeHash Issues between VS 2003 and VS 2008

I have a database application that generates a MD5 hash and compares the hash value to a value in our DB (SQL 2K). The original application was written in Visual Studio 2003 and a deployed version has been working for years.
Recently, some new machines on the .NET framework 3.5 have been having unrelated issues with our runtime. This has forced us to port our code path from Visual Studio 2003 to Visual Studio 2008.
Since that time the hash produced by the code is different than the values in the database.
The original call to the function posted in code is:
RemoveInvalidPasswordCharactersFromHashedPassword(Text_Scrub(GenerateMD5Hash(strPSW)))
I am looking for expert guidance as to whether or not the MD5 methods have changed since VS 2K3 (causing this point of failure), or where other possible problems may be originating from.
I realize this may not be the best method to hash, but ultimately any changes to the MD5 code would force us to change some 300 values in our DB table and would cost us a lot of time. In addition, I am trying to avoid having to redeploy all of the functioning versions of this application.
I am more than happy to post other code including the RemoveInvalidPasswordCharactersFromHashedPassword function, or our Text_Scrub if it is necessary to receive appropriate feedback.
Thank you in advance for your input.
    Public Function GenerateMD5Hash(ByVal strInput As String) As String
        Dim md5Provider As MD5
        ' generate bytes for the input string
        Dim inputData() As Byte = ASCIIEncoding.ASCII.GetBytes(strInput)
        ' compute MD5 hash
        md5Provider = New MD5CryptoServiceProvider
        Dim hashResult() As Byte = md5Provider.ComputeHash(inputData)
        Return ASCIIEncoding.ASCII.GetString(hashResult)
    End Function
You are basically asking if the MD5 implementation in .Net 1.1 was broken.
I do not think so. I think the problem lies elsewhere.
I don't think the .Net MD5 hash code has changed in Visual Studio 2008.
But I think that:
Return ASCIIEncoding.ASCII.GetString(hashResult)
You are converting binary data to ASCII, and losing characters; maybe the problem is in a new database driver. And probably you will need to change your stored values and start using a blob field or converting to base64 and using a text field.
Trying to be more productive than my comment ...
You could try using an independent md5 hashing algorithm to verify the encoding, there are some web based ones or use openssl.
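Why decoding raw digest bytes as ASCII is lossy while base64 is not, as an added Python example (not code from the original posts, and not VB.NET): `lossy_ascii` models a 7-bit decoder that substitutes `?` for every byte above 0x7F, which is an assumption of this example since the substitution used depends on the runtime. All function names are hypothetical.

```python
import base64
import hashlib


def md5_raw(password: str) -> bytes:
    """Raw 16-byte MD5 digest of the ASCII-encoded input."""
    return hashlib.md5(password.encode("ascii")).digest()


def lossy_ascii(raw: bytes) -> str:
    """Model of a 7-bit ASCII decode. Assumption: bytes above 0x7F become
    '?'; another runtime may substitute something else, changing the text."""
    return "".join(chr(b) if b < 0x80 else "?" for b in raw)


def bytes_lost(raw: bytes) -> int:
    """How many digest bytes cannot survive the ASCII round trip."""
    return sum(1 for b in raw if b >= 0x80)


def as_base64(raw: bytes) -> str:
    """Lossless text form of the digest, safe for a text column."""
    return base64.b64encode(raw).decode("ascii")


def round_trips(raw: bytes) -> dict:
    """Compare what each text form gives back when read as bytes again."""
    return {
        "ascii": lossy_ascii(raw).encode("ascii") == raw,
        "base64": base64.b64decode(as_base64(raw)) == raw,
    }


if __name__ == "__main__":
    digest = md5_raw("")                     # constructed sample input
    print("hex    :", digest.hex())
    print("ascii  :", repr(lossy_ascii(digest)))   # note control characters too
    print("lost   :", bytes_lost(digest), "of", len(digest), "bytes")
    print("base64 :", as_base64(digest))
    print("intact :", round_trips(digest))
```

The ASCII form also contains control characters such as NUL, so any later scrubbing of "invalid" characters removes still more of the digest.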