1

Has anyone had difficulty getting the hash results from Swift to match the same input hash result in PHP? Here's my Swift code:

let longPassword = myTextField.text!+email
let pword: Array<UInt8> = Array(longPassword.utf8)
let keyString = self.runHashOnPassword(text: pword, salt: Array(salt.utf8))

func runHashOnPassword(text: Array<UInt8>, salt: Array<UInt8>) -> String {
    do {
        let key = try PKCS5.PBKDF2(password: text,salt: salt, iterations: 4096, variant: .sha256).calculate()
        let jEncoder = JSONEncoder.init()
        let byteString = try jEncoder.encode(key)
        return byteString.base64EncodedString()
    } catch {
        return ""
    }
}

And here is my PHP code:

$longPassword = $pword . $email . $salt;
$newHash = hash('sha256',$longPassword,false);

I have tried altering the boolean flag to true in the PHP hash function but it didn't help. Any ideas? Thank you.

Paul K.
  • are you certain the strings are _exactly equal_? same value and same encoding? – Franz Gleichmann Mar 06 '19 at 19:13
  • I am sure that the password and email and salt are the same. I just tried putting the salt in front in the PHP in case that's what the Swift function is doing but it still didn't match. I'm wondering if it has to do with the utf8 array format that the Swift function PBKDF2 seems to need? Do I need to use that format in PHP as well? – Paul K. Mar 06 '19 at 19:35
  • This might help: [SHA256 in swift](https://stackoverflow.com/q/25388747/1187415). – Martin R Mar 06 '19 at 20:07
  • Thank you for the link. I will try that method. As you can see in my code, the call to PBKDF2 uses the .sha256 value in the variant parameter so I would have thought it would be the same hash calculation. – Paul K. Mar 06 '19 at 21:01
  • No PBKDF2 is not the same as SHA256. – Thomas Mueller Mar 07 '19 at 15:21
  • I was using CryptoSwift https://cryptoswift.io/ and it looked like PBKDF2 is what you use for a sha256 hash of a password. But there is another HMAC example using sha256. Maybe I should use the HMAC version? – Paul K. Mar 07 '19 at 17:34
  • I tried the HMAC version and you get something that doesn't equal the PBKDF2 method but it looks similar. The PHP hash looks very different. (Different length, etc.) Both the PBKDF2 and HMAC methods return byte arrays that have to be converted to base64EncodedStrings while the PHP method seems to return a string. Is that the difference? – Paul K. Mar 07 '19 at 17:48

1 Answer

3

PBKDF2 is not a Digest. You can't compare those two values.

Anyway, this is how you calculate a hash: https://github.com/krzyzanowskim/CryptoSwift#calculate-digest, basically:

let hash = bytes.sha256()

In PHP, hash('sha256',$longPassword,false); outputs lowercase hexits, so you need something like this:

let hash = bytes.sha256().toHexString()
Marcin
  • Great answer! Thank you so much. The only thing I would add to this is how to get your variable bytes from a string. I used this (where my string is longPasswordWithSalt): let bytes:Array = Array(longPasswordWithSalt.utf8) – Paul K. Mar 08 '19 at 21:00
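
The mismatch discussed above, reproduced on the PHP side as an added example (not code from the question or the answer). All input values are constructed. It assumes that CryptoSwift's PBKDF2 derives 32 bytes when no key length is given, and that `JSONEncoder` writes a `[UInt8]` as a JSON array of numbers.

```php
<?php
declare(strict_types=1);

// Constructed sample inputs; none of these values come from the original post.
$password = 'correct horse';
$email    = 'user@example.com';
$salt     = 'constructed-salt';

// 1) What the question's PHP computes: a single SHA-256 pass over
//    password . email . salt, returned as 64 lowercase hex characters.
function digest_hex(string $password, string $email, string $salt): string
{
    return hash('sha256', $password . $email . $salt);
}

// 2) What the question's Swift computes: PBKDF2-HMAC-SHA256 over password . email,
//    with the salt as a separate input and 4096 iterations.
//    Assumption: 32 output bytes (the SHA-256 size) when no key length is passed.
function pbkdf2_raw(string $password, string $email, string $salt): string
{
    return hash_pbkdf2('sha256', $password . $email, $salt, 4096, 32, true);
}

// 3) The Swift code then JSON-encodes the byte array and Base64-encodes that JSON text.
//    Assumption: the JSON text is an array of numbers such as "[12,255,...]".
function swift_style_encoding(string $raw): string
{
    $bytes = array_values(unpack('C*', $raw)); // unpack() is 1-indexed; make it a list
    return base64_encode(json_encode($bytes));
}

$digest  = digest_hex($password, $email, $salt);
$derived = pbkdf2_raw($password, $email, $salt);

// Three different values: different algorithm, different salt handling, different encoding.
printf("sha256 hex      : %s\n", $digest);
printf("pbkdf2 hex      : %s\n", bin2hex($derived));
printf("pbkdf2 as Swift : %s\n", swift_style_encoding($derived));

// If the server keeps the PBKDF2 form, compare with hash_equals() so the
// comparison time does not depend on where the two strings differ.
$clientValue = swift_style_encoding($derived); // stands in for the value sent by the app
var_dump(hash_equals(swift_style_encoding($derived), $clientValue));
var_dump(hash_equals($digest, bin2hex($derived)));
```

The two sides can be aligned in either direction: the answer's `sha256().toHexString()` brings the Swift output to PHP's plain digest, while `hash_pbkdf2` brings PHP to the iterated, salted derivation the Swift code was already doing.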