Thursday, August 1, 2013

Strangeness with cryptography

I've been working on user logins for OttoJotts over the past few days. I made quite a few changes to the back-end and now need to make sure the app on the device can access the database. Unfortunately, I've been running into a bit of strangeness around the cryptography that, quite honestly, really makes me "wanna go Hmmmm". And here's what's going on.
I originally compiled this application for iOS 4.2 because I was looking for the broadest acceptable application I could make. And things seemed to be okay. But when I started compiling for other versions (different makes of iPhone and different iOS versions), I started running into problems matching the hashed password I created with the one in the database. At first, I thought I might have just entered the password incorrectly. Then I thought that perhaps I'd forgotten the password I used. But as I've been experimenting, I've been seeing some extremely odd behavior. I've been using the awesome HashValue.m/.h from Matt Gallagher over at I thought it was going fantastically until this weirdness. So, here's the weirdness:
  • iOS 5.0 hashed password:
    • 688c25748beb3803ad93d8988517c460bb15b6373d0d67ad7167726a0ecafaa6
  • iOS 5.1 hashed password:
    • 1199821a832d0101cec47672ad52dfeba2fc72e9e4afbe1d9d2f53918d9fb581
  • iOS 6.0 hashed password:
    • 0640e82d98943f4856dc687618e458178caaf696151235271f689d634f861c69
  • iOS 7.0 hashed password:
    • c19c441adbd2f45366d28a9dcb45cb9858bc721f09d11cd958a7b065a4976f19
I have to assume that I'm doing something wrong here. I mean - SHA256 and MD5 should be the same result regardless of what kind of OS is calculating it, otherwise it would be worthless as a check. But I'm definitely seeing different behavior from the different iOS versions. Changing devices doesn't seem to change anything - just the iOS version.
I dug into the HashValue.m code and all it does is call CC_MD5 and CC_SHA256, which is standard iOS. So I'm a bit perplexed, at this point, as to what I'm doing wrong. If anyone has any idea what's going on, I would really appreciate what you think is the problem.

Update: 01 Aug 13 @ 21:51
Looks like the wrapper I was using had some oddness about it. When I changed over to calling it directly, everything worked perfectly - I get the same hash every time, regardless of the OS version. Which is exactly what I expected. So now that I've resolved that, I need to stick all of this stuff in the keychain and I can call it a day. F*k me.