Use SHA256 instead of SHA1 for the password hashing.

Projects/Compil32.dpr

@@ -60,12 +60,13 @@ uses
   Shared.TaskDialogFunc in 'Src\Shared.TaskDialogFunc.pas',
   IDE.RegistryDesignerForm in 'Src\IDE.RegistryDesignerForm.pas' {RegistryDesignerForm},
   IDE.Wizard.WizardFormRegistryHelper in 'Src\IDE.Wizard.WizardFormRegistryHelper.pas',
-  MD5 in '..\Components\MD5.pas',
   ScintInt.InnoSetup in '..\Components\ScintInt.InnoSetup.pas',
   Shared.ScriptFunc in 'Src\Shared.ScriptFunc.pas',
   Shared.SetupTypes in 'Src\Shared.SetupTypes.pas',
   Shared.Struct in 'Src\Shared.Struct.pas',
+  MD5 in '..\Components\MD5.pas',
   SHA1 in '..\Components\SHA1.pas',
+  SHA256 in '..\Components\SHA256.pas',
   Shared.DotNetVersion in 'Src\Shared.DotNetVersion.pas',
   isxclasses_wordlists_generated in '..\ISHelp\isxclasses_wordlists_generated.pas',
   IDE.ImagesModule in 'Src\IDE.ImagesModule.pas' {ImagesModule: TDataModule};

Projects/Compil32.dproj

@@ -140,12 +140,13 @@
             <Form>RegistryDesignerForm</Form>
         </DCCReference>
         <DCCReference Include="Src\IDE.Wizard.WizardFormRegistryHelper.pas"/>
-        <DCCReference Include="..\Components\MD5.pas"/>
         <DCCReference Include="..\Components\ScintInt.InnoSetup.pas"/>
         <DCCReference Include="Src\Shared.ScriptFunc.pas"/>
         <DCCReference Include="Src\Shared.SetupTypes.pas"/>
         <DCCReference Include="Src\Shared.Struct.pas"/>
+        <DCCReference Include="..\Components\MD5.pas"/>
         <DCCReference Include="..\Components\SHA1.pas"/>
+        <DCCReference Include="..\Components\SHA256.pas"/>
         <DCCReference Include="Src\Shared.DotNetVersion.pas"/>
         <DCCReference Include="..\ISHelp\isxclasses_wordlists_generated.pas"/>
         <DCCReference Include="Src\IDE.ImagesModule.pas">

Projects/ISCmplr.dpr

@@ -39,6 +39,7 @@ uses
   Shared.CommonFunc in 'Src\Shared.CommonFunc.pas',
   Shared.Int64Em in 'Src\Shared.Int64Em.pas',
   SHA1 in '..\Components\SHA1.pas',
+  SHA256 in '..\Components\SHA256.pas',
   Shared.DebugStruct in 'Src\Shared.DebugStruct.pas',
   Shared.LangOptionsSectionDirectives in 'Src\Shared.LangOptionsSectionDirectives.pas',
   Shared.SetupMessageIDs in 'Src\Shared.SetupMessageIDs.pas',

Projects/ISCmplr.dproj

@@ -105,6 +105,7 @@
         <DCCReference Include="Src\Shared.CommonFunc.pas"/>
         <DCCReference Include="Src\Shared.Int64Em.pas"/>
         <DCCReference Include="..\Components\SHA1.pas"/>
+        <DCCReference Include="..\Components\SHA256.pas"/>
         <DCCReference Include="Src\Shared.DebugStruct.pas"/>
         <DCCReference Include="Src\Shared.LangOptionsSectionDirectives.pas"/>
         <DCCReference Include="Src\Shared.SetupMessageIDs.pas"/>

Projects/ISPP.dpr

@@ -33,6 +33,7 @@ uses
   Shared.Int64Em in 'Src\Shared.Int64Em.pas',
   MD5 in '..\Components\MD5.pas',
   SHA1 in '..\Components\SHA1.pas',
+  SHA256 in '..\Components\SHA256.pas',
   Shared.Struct in 'Src\Shared.Struct.pas';
   
 {$IMAGEBASE $01800000}

Projects/ISPP.dproj

@@ -94,6 +94,7 @@
         <DCCReference Include="Src\Shared.Int64Em.pas"/>
         <DCCReference Include="..\Components\MD5.pas"/>
         <DCCReference Include="..\Components\SHA1.pas"/>
+        <DCCReference Include="..\Components\SHA256.pas"/>
         <DCCReference Include="Src\Shared.Struct.pas"/>
         <BuildConfiguration Include="Base">
             <Key>Base</Key>

Projects/Setup.dpr

@@ -48,6 +48,7 @@ uses
   Shared.FileClass in 'Src\Shared.FileClass.pas',
   MD5 in '..\Components\MD5.pas',
   SHA1 in '..\Components\SHA1.pas',
+  SHA256 in '..\Components\SHA256.pas',
   Setup.LoggingFunc in 'Src\Setup.LoggingFunc.pas',
   Setup.DebugClient in 'Src\Setup.DebugClient.pas',
   Shared.DebugStruct in 'Src\Shared.DebugStruct.pas',

Projects/Setup.dproj

@@ -117,6 +117,7 @@
         <DCCReference Include="Src\Shared.FileClass.pas"/>
         <DCCReference Include="..\Components\MD5.pas"/>
         <DCCReference Include="..\Components\SHA1.pas"/>
+        <DCCReference Include="..\Components\SHA256.pas"/>
         <DCCReference Include="Src\Setup.LoggingFunc.pas"/>
         <DCCReference Include="Src\Setup.DebugClient.pas"/>
         <DCCReference Include="Src\Shared.DebugStruct.pas"/>

Projects/SetupLdr.dpr

@@ -26,8 +26,9 @@ uses
   SetupLdrAndSetup.InstFunc in 'Src\SetupLdrAndSetup.InstFunc.pas',
   Shared.FileClass in 'Src\Shared.FileClass.pas',
   Shared.Int64Em in 'Src\Shared.Int64Em.pas',
-  SHA1 in '..\Components\SHA1.pas',
   MD5 in '..\Components\MD5.pas',
+  SHA1 in '..\Components\SHA1.pas',
+  SHA256 in '..\Components\SHA256.pas',
   SetupLdrAndSetup.RedirFunc in 'Src\SetupLdrAndSetup.RedirFunc.pas',
   Shared.SetupTypes in 'Src\Shared.SetupTypes.pas',
   Shared.VerInfoFunc in 'Src\Shared.VerInfoFunc.pas';

Projects/SetupLdr.dproj

@@ -83,8 +83,9 @@
         <DCCReference Include="Src\SetupLdrAndSetup.InstFunc.pas"/>
         <DCCReference Include="Src\Shared.FileClass.pas"/>
         <DCCReference Include="Src\Shared.Int64Em.pas"/>
-        <DCCReference Include="..\Components\SHA1.pas"/>
         <DCCReference Include="..\Components\MD5.pas"/>
+        <DCCReference Include="..\Components\SHA1.pas"/>
+        <DCCReference Include="..\Components\SHA256.pas"/>
         <DCCReference Include="Src\SetupLdrAndSetup.RedirFunc.pas"/>
         <DCCReference Include="Src\Shared.SetupTypes.pas"/>
         <DCCReference Include="Src\Shared.VerInfoFunc.pas"/>

Projects/Src/Compiler.SetupCompiler.pas

@@ -19,7 +19,7 @@ interface
 
 uses
   Windows, SysUtils, Classes, Generics.Collections,
-  SimpleExpression,
+  SimpleExpression, SHA256,
   Shared.Struct, Shared.CompilerInt, Shared.PreprocInt, Shared.SetupMessageIDs,
   Shared.SetupSectionDirectives, Shared.VerInfoFunc, Shared.Int64Em, Shared.DebugStruct,
   Compiler.ScriptCompiler, Compiler.StringLists, Compression.LZMACompressor;
@@ -2351,9 +2351,9 @@ var
   end;
 
   procedure GeneratePasswordHashAndSalt(const Password: String;
-    var Hash: TSHA1Digest; var Salt: TSetupSalt);
+    var Hash: TSHA256Digest; var Salt: TSetupSalt);
   var
-    Context: TSHA1Context;
+    Context: TSHA256Context;
   begin
     { Random salt is mixed into the password hash to make it more difficult
       for someone to tell that two installations use the same password. A
@@ -2361,11 +2361,11 @@ var
       broken -- this hash must never be the same as the hash used for
       encryption. }
     GenerateRandomBytes(Salt, SizeOf(Salt));
-    SHA1Init(Context);
-    SHA1Update(Context, PAnsiChar('PasswordCheckHash')^, Length('PasswordCheckHash'));
-    SHA1Update(Context, Salt, SizeOf(Salt));
-    SHA1Update(Context, Pointer(Password)^, Length(Password)*SizeOf(Password[1]));
-    Hash := SHA1Final(Context);
+    SHA256Init(Context);
+    SHA256Update(Context, PAnsiChar('PasswordCheckHash')^, Length('PasswordCheckHash'));
+    SHA256Update(Context, Salt, SizeOf(Salt));
+    SHA256Update(Context, Pointer(Password)^, Length(Password)*SizeOf(Password[1]));
+    Hash := SHA256Final(Context);
   end;
 
   procedure GenerateEncryptionBaseNonce(var Nonce: TSetupNonce);

Projects/Src/Setup.MainFunc.pas

@@ -237,15 +237,15 @@ function IsWindows11: Boolean;
 implementation
 
 uses
-  ShellAPI, ShlObj, StrUtils,
+  ShellAPI, ShlObj, StrUtils, SHA256, ActiveX, RegStr,
   SetupLdrAndSetup.Messages, Shared.SetupMessageIDs, Setup.Install, SetupLdrAndSetup.InstFunc,
   Setup.InstFunc, SetupLdrAndSetup.RedirFunc, PathFunc,
   Compression.Base, Compression.Zlib, Compression.bzlib, Compression.LZMADecompressor,
   Shared.SetupEntFunc, Setup.SelectLanguageForm,
   Setup.WizardForm, Setup.DebugClient, Shared.VerInfoFunc, Setup.FileExtractor,
-  Shared.FileClass, Setup.LoggingFunc, SHA1, ActiveX,
+  Shared.FileClass, Setup.LoggingFunc,
   SimpleExpression, Setup.Helper, Setup.SpawnClient, Setup.SpawnServer,
-  Setup.DotNetFunc, Shared.TaskDialogFunc, RegStr, Setup.MainForm;
+  Setup.DotNetFunc, Shared.TaskDialogFunc, Setup.MainForm;
 
 var
   ShellFolders: array[Boolean, TShellFolderID] of String;
@@ -373,15 +373,15 @@ end;
 
 function TestPassword(const Password: String): Boolean;
 var
-  Context: TSHA1Context;
-  Hash: TSHA1Digest;
-begin
-  SHA1Init(Context);
-  SHA1Update(Context, PAnsiChar('PasswordCheckHash')^, Length('PasswordCheckHash'));
-  SHA1Update(Context, SetupHeader.PasswordSalt, SizeOf(SetupHeader.PasswordSalt));
-  SHA1Update(Context, Pointer(Password)^, Length(Password)*SizeOf(Password[1]));
-  Hash := SHA1Final(Context);
-  Result := SHA1DigestsEqual(Hash, SetupHeader.PasswordHash);
+  Context: TSHA256Context;
+  Hash: TSHA256Digest;
+begin
+  SHA256Init(Context);
+  SHA256Update(Context, PAnsiChar('PasswordCheckHash')^, Length('PasswordCheckHash'));
+  SHA256Update(Context, SetupHeader.PasswordSalt, SizeOf(SetupHeader.PasswordSalt));
+  SHA256Update(Context, Pointer(Password)^, Length(Password)*SizeOf(Password[1]));
+  Hash := SHA256Final(Context);
+  Result := SHA256DigestsEqual(Hash, SetupHeader.PasswordHash);
 end;
 
 class function TDummyClass.ExpandCheckOrInstallConstant(Sender: TSimpleExpression;

Projects/Src/Shared.Struct.pas

@@ -13,7 +13,7 @@ unit Shared.Struct;
 interface
 
 uses
-  Windows, Shared.Int64Em, SHA1;
+  Windows, Shared.Int64Em, SHA1, SHA256;
 
 const
   SetupTitle = 'Inno Setup';
@@ -109,7 +109,7 @@ type
     WizardStyle: TSetupWizardStyle;
     WizardSizePercentX, WizardSizePercentY: Integer;
     WizardImageAlphaFormat: (afIgnored, afDefined, afPremultiplied); // Must be same as Graphics.TAlphaFormat
-    PasswordHash: TSHA1Digest;
+    PasswordHash: TSHA256Digest;
     PasswordSalt: TSetupSalt;
     EncryptionBaseNonce: TSetupNonce;
     ExtraDiskSpaceRequired: Integer64;