PBKDF2 implementation in 7.0.0 preview 3 produces wrong keys


rhino feroce

Apr 21, 2026, 12:14:39 PM
to innosetup
Hi all,

I was testing my Innosetup unpacker (malcat) against the 7.0.0 preview 3 and noticed a bug in your PBKDF2 implementation. This is a bug introduced with the commit f251289f ("Security tweaks", 2026-03-30):

  for var Block := 1 to L do begin
    var SaltAndBlock := Salt + [...];
    var U := THashSHA2.GetHMACAsBytes(SaltAndBlock, WorkingPassword, HashVersion);
    var F := U;                                   // <-- F aliases U's backing memory

    for var I := 2 to Iterations do begin
      const NewU = THashSHA2.GetHMACAsBytes(U, WorkingPassword, HashVersion);
      FillChar(U[0], Length(U), 0);               // <-- also zeros F
      U := NewU;
      for var J := 0 to High(F) do
        F[J] := F[J] xor U[J];                    // F starts at 0, so U_1 is never XORed in
    end;
    ...
  end;

The bug is silent, since the same code is used for encryption and decryption. It makes the crypto a little bit weaker and, more importantly, it's not PBKDF2 anymore.

I'm not a Delphi programmer so I won't suggest a fix, but I guess you will want to address this issue.

Best regards,

Martijn Laan

Apr 21, 2026, 12:18:03 PM
to innosetup
Hi,

On 21-4-2026 at 16:50, rhino feroce wrote:
> This is a bug introduced with the commit f251289f ("Security tweaks", 2026-03-30):

Thanks for reporting, I will fix this.

I misremembered this. I thought the tests against PBKDF2 reference values (at the bottom of the unit) would always run automatically when debugging, but they don't. My own tests also suffered from this being a silent bug, as you described.

Greetings,
Martijn
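
The aliasing described in the first message and the known-answer tests mentioned in the reply, modelled in Python as an added example (not part of the thread and not Inno Setup's code). A `bytearray` stands in for the Delphi dynamic array, `hashlib.pbkdf2_hmac` serves as the reference, and the function names, the `copy_u1` switch and the test inputs are constructed for this illustration.

```python
import hashlib
import hmac


def hmac_sha256(key: bytes, data: bytes) -> bytearray:
    # bytearray is mutable and shared by reference, like a Delphi dynamic array
    return bytearray(hmac.new(key, data, hashlib.sha256).digest())


def pbkdf2_block(password, salt, iterations, block, copy_u1):
    """One PBKDF2 block, F = U_1 xor ... xor U_c, laid out like the quoted loop."""
    u = hmac_sha256(password, salt + block.to_bytes(4, "big"))
    f = bytearray(u) if copy_u1 else u      # copy_u1=False: f and u share one buffer
    for _ in range(2, iterations + 1):
        new_u = hmac_sha256(password, u)
        u[:] = bytes(len(u))                # wipe old U in place; wipes f too if aliased
        u = new_u
        for j in range(len(f)):
            f[j] ^= u[j]
    return bytes(f)


def pbkdf2(password, salt, iterations, dklen, copy_u1=True):
    blocks = -(-dklen // 32)                # ceil(dklen / SHA-256 output size)
    out = b"".join(pbkdf2_block(password, salt, iterations, b, copy_u1)
                   for b in range(1, blocks + 1))
    return out[:dklen]


def pbkdf2_aliased(password, salt, iterations, dklen):
    """Model of the reported behaviour: U_1 is lost before the first XOR."""
    return pbkdf2(password, salt, iterations, dklen, copy_u1=False)


# Constructed inputs: (password, salt, iterations, dklen)
CASES = ((b"password", b"salt", 1, 32),
         (b"password", b"salt", 2, 32),
         (b"pw", b"NaCl", 1000, 48))


def known_answer_check(kdf, cases=CASES):
    """Return the cases where kdf disagrees with an independent implementation."""
    return [c for c in cases if kdf(*c) != hashlib.pbkdf2_hmac("sha256", *c)]


if __name__ == "__main__":
    print("copying variant mismatches:", known_answer_check(pbkdf2))
    print("aliased variant mismatches:", known_answer_check(pbkdf2_aliased))
```

In this model the aliased variant still matches the reference when the iteration count is 1, because the inner loop never runs, so a known-answer check needs at least one vector with more than one iteration.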