New Hash code in v2018?

I just upgraded from v2017r3 to v2018r3 and I notice that after running an app under v2018r3, stored hash strings were not recognized by the app’s Password Login routine, so the user has to run the Forgot Password routine to create a new hash string. This is no problem at all. I’m just curious if something changed in terms of hash creation in v2018.

I also just ran a copy of the app with v2017r3 (in a different folder, of course) and see the user must again create a new hash because the sqlite database has the new hash created by v2018r3, of course.

Does this mean the crypto library was changed from one version of Xojo to the other?

Take a look a this discussion: https://forum.xojo.com/49901-hashed-password-values-saved-with-2017r2-don-t-work-when-checke

Could be your current code is not explicit when defining INT vs UINT? Or you are now compiling on 64-bit, the previous version was 32-bit, but your integer definitions are not explicit?

Thanks, Langue.

Definitely was 32-bit using v2017r3 and 32-bit using v2018r3. So this must have to do with Int8 vs UInt8. I read that thread you cited. This is the code I’ve been using to return hashed text:

[code]// Returns Hashed t As Text.

Dim tData As Xojo.Core.MemoryBlock
tData = Xojo.Core.TextEncoding.UTF8.ConvertTextToData(t)

Dim salt As Text = “”
Dim saltData As Xojo.Core.MemoryBlock
saltData = Xojo.Core.TextEncoding.UTF8.ConvertTextToData(salt)

Dim combinedData As New Xojo.Core.MutableMemoryBlock(tData)
If Not salt.Empty Then
combinedData.Append(saltData)
End If

Dim hashData As Xojo.Core.MemoryBlock
hashData = Xojo.Crypto.PBKDF2(saltData, tData, 500, 32, Xojo.Crypto.HashAlgorithms.SHA256)

Return ConvertToHex(hashData)[/code]

And ConvertToHex looks like this, where mb is a passed MemoryBlock:

[code]Dim t As Text

For b As Int8 = 0 To mb.Size - 1
t = t + mb.Int8Value(b).ToHex(2)
Next

Return t[/code]

So all I have to do is change ConvertToHex to this?:

[code]Dim t As Text

For b As UInt8 = 0 To mb.Size - 1
t = t + mb.UInt8Value(b).ToHex(2)
Next

Return t[/code]

I assume each user will have to generate a new password so new hash is stored, but that’s okay. There aren’t that many users right now. Am I to understand this change is needed for security reasons?

Ralph, you don’t need to change the code. The UInt8 is a workaround to make Xojo2017 create the correct hash. Xojo2018 create the correct hash with Int8 and UInt8.

Your options:

  • don’t change the code and use Xojo2018, your users need to create a new password (different hash)
  • change the code and use Xojo2017 or Xojo2018, your users need to create a new password (different hash but the same a Xojo2018 without changing the code)
  • use Gino’s code (not tested by me), your users don’t need to change the password because the code will calculate 2 hash and let them in if there is a match.

At least this is how I understand the problem.

[quote=414212:@Alberto De Poo]Ralph, you don’t need to change the code. The UInt8 is a workaround to make Xojo2017 create the correct hash. Xojo2018 create the correct hash with Int8 and UInt8.

Your options:

  • don’t change the code and use Xojo2018, your users need to create a new password (different hash)
  • change the code and use Xojo2017 or Xojo2018, your users need to create a new password (different hash but the same a Xojo2018 without changing the code)
  • use Gino’s code (not tested by me), your users don’t need to change the password because the code will calculate 2 hash and let them in if there is a match.

At least this is how I understand the problem.[/quote]
This is being discussed here now: https://forum.xojo.com/49901-hashed-password-values-saved-with-2017r2-don-t-work-when-checke/last