View Full Version : Security Library Version 1.1.0 released

André de Vries
22-Jun-2022, 08:00 AM
Free DataFlex Security Library available for DataFlex 2021 and 2022

These days it’s important to secure your applications and your data. Adding good security measures to your projects can be difficult,
and technological progress will force you to stay up to date. The DataFlex Security Library makes it a lot easier to secure your DataFlex applications.

We are pleased to announce the availability of the free DataFlex Security Library version 1.1 for DataFlex 19.0, 19.1, 20.0 and 20.1.
With this new release we added support for Unicode and 64-bit to the security library. Also, the libsodium DLL is updated to the latest version 1.0.18.

With the DataFlex Security Library attached to your application workspace, you can create and verify hashes, store passcodes securely, add 2-factor
authentication to your web application, and use encryption. This library provides access to some of today’s most popular and secure algorithms.

The installer executable that you can download installs up to three library workspaces. The main library provides only a framework, which ensures
that every security engine will be accessible using a single, easy to use API. This workspace also contains a manual (PDF) to help you get started.

The additional libraries provide access to CNG (CryptoAPI Next Generation) and libsodium. CNG is a part of Windows itself. Libsodium requires
distribution of the dll, as well as (potentially) installation of the MS Visual C++ Runtime 2017.

More information?

Read more about the Security Library here (https://www.dataaccess.eu/Products/Security-Library-1711)
Watch the DataFlex Learning Center course ’Security the Basics’ (https://learning.dataaccess.com/courses/security-the-basics/)
Support for this library is given via the support forums (https://support.dataaccess.com/Forums/forumdisplay.php?68-DataFlex-Security-Library)


Joseph Mullins
22-Jun-2022, 07:43 PM
Awesome job, so far working as drop in replacement for us.

* Encrypted Passwords

Raphael Theiler
27-Jun-2022, 02:29 AM
After a few tests, it seems to work well with 32-bit, but the WebApp refuses to start with 64 bits (Not sure why. We don't get any error messages, etc). It ran with 20.0 in 64bit mode (but the login did not work, everthing you entered was accepted as a valid password)

----Compiling WebApp.src (64-bit) ----
- No changes detected, skipping compile
----Compile Finished in 0.3 seconds ----
----Executable written: C:\....\Programs\WebApp.exe
----Loading Program In Debugger----
- "C:\....\Programs\WebApp.exe"
----Exiting Program In Debugger----

The crash might be caused by something else, but since there is no output, I don't know where to start ;)
There are no related entries in the windows event log.

Joseph Mullins
27-Jun-2022, 08:55 AM
I do recall an issue with any password being accepted, but I can't reproduce / find my notes for it again. From memory, I think it's why I swapped to scrypt. But just testing now, I can't reproduce. Using the latest DF20.1

Object oLoginPasscodeStorageMethod is a cSecurePasscodeStorageMethod
// Set piPasscodeHashImplementation to C_SEC_PWHASH_LIBSODIUM_SCRYPT
Set piPasscodeHashImplementation to C_SEC_PWHASH_LIBSODIUM_ARGON2ID
Set piMemLimit to (256*1024*1024)
Set piOpsLimit to 3
Send Initialize

I find these 2 handy for testing, they are the passwords 'admin' in each encryption.


$libsodium$argon2id$v=19$m=65536,t=2,p=1$EafQjLDAE M4leUZQ17d5dg$MMe4Na7YTQX9joDysok2e9JRXdf19SofG0O0 ZXiji6Y


$libsodium$7$/6.....6...cWeo0OHo0fuO4oCiGz/EhpBQwV7m0VB9nUHMZdMPnL1$LLIN2U7ASdaJquDvvVKqTCyIn Mb9O2yNWKDJhRcMKp7

I do note I had to copy the libsodium64.dll from the library directory into my programs folder. But that gives a clear error when it happens.

Raphael Theiler
28-Jun-2022, 04:26 AM
We use CNG instead of libsodium and the problem was that one of the hash functions was not called properly (misaligned structs or parameters?) and thus returned an empty string. The library then trimmed the string from the database to the same length and both strings now matches, as both had length 0.

In the 32bit bit version everything works fine (as before) and all the compiler warnings have disappeared (finally :D).

With the 64bit version either the studio freezes/crashed or the WebApp immediately stops after running it. But I'm still not sure if the security library is at fault or one of our other libraries, or wether this is a problem with 20.1 (the last time we tried to run it in 64bit was with 20.0)