X-Git-Url: https://git-public.kairo.at/?p=authserver.git;a=blobdiff_plain;f=app%2Fauthutils.php-class;fp=app%2Fauthutils.php-class;h=81ae2a7fdc9fb47df2b16d53e3d93bc75997d064;hp=447a744857846cb93ccaa73e338a2ed9e3d58a67;hb=a3184df6d7d969935a72d5809bcf2faf9ff5b234;hpb=651356998ad790ee2c059419f2b21568ae3e644d
diff --git a/app/authutils.php-class b/app/authutils.php-class
index 447a744..81ae2a7 100755
--- a/app/authutils.php-class
+++ b/app/authutils.php-class
@@ -372,9 +372,9 @@ class AuthUtils {
 $time = time();
 $rest = is_null($offset)?($time % $valid_seconds):intval($offset); // T0, will be sent as part of code to make it valid for the full duration.
 $counter = floor(($time - $rest) / $valid_seconds);
- $hmac = mhash(MHASH_SHA1, $counter, $session['id'].$session['sesskey']);
- $offset = hexdec(substr(bin2hex(substr($hmac, -1)), -1)); // Get the last 4 bits as a number.
- $totp = hexdec(bin2hex(substr($hmac, $offset, 4))) & 0x7FFFFFFF; // Take 4 bytes at the offset, discard highest bit.
+ $hmac_hex = hash_hmac('sha1', $counter, $session['id'].$session['sesskey']);
+ $offset = hexdec(substr($hmac_hex, -1)); // Get the last 4 bits as a number.
+ $totp = hexdec(substr($hmac_hex, $offset, 8)) & 0x7FFFFFFF; // Take 4 bytes (8 hex chars) at the offset, discard highest bit.
 $totp_value = sprintf('%0'.$code_digits.'d', substr($totp, -$code_digits));
 return $rest.'.'.$totp_value;
 }
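Review bot: The new `$totp` line uses `$offset` as an index into the hex string, but `$offset` is a byte offset (0–15) and each byte is two hex characters, so for every odd offset the 31 bits extracted are shifted by a nibble relative to the RFC 4226 dynamic truncation that the removed `substr($hmac, $offset, 4)` performed on raw bytes. The port therefore does not produce the same codes as the mhash version for most offsets, and the trailing comment "Take 4 bytes (8 hex chars) at the offset" no longer describes what the code does. The fix is one line: `$totp = hexdec(substr($hmac_hex, $offset * 2, 8)) & 0x7FFFFFFF; // Byte offset -> hex-char offset, take 4 bytes, discard highest bit.` If a verifier elsewhere in the file recomputes the code independently rather than calling this function, it must apply the identical truncation. A smaller point: `floor()` returns a float that `hash_hmac` stringifies, so `(string) (int) $counter` would make the HMAC input independent of float formatting; the enclosing function's signature lies above the hunk.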