# HG changeset patch
# User Dan
# Date 1235628267 18000
# Node ID 83bb60402f51925e9bfbc8edc588b46fcfcea48e
# Parent  6b99e02ad57778288ba4cd8430f44f6755171ff6
HMAC functions are now standards-compliant (not a security issue). This BREAKS 1.1.6-hg passwords!

diff -r 6b99e02ad577 -r 83bb60402f51 includes/hmac.php
--- a/includes/hmac.php	Thu Feb 26 01:03:22 2009 -0500
+++ b/includes/hmac.php	Thu Feb 26 01:04:27 2009 -0500
@@ -13,35 +13,28 @@
  * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
  */
 
-function hmac_gen_padding($val, $len = 32)
-{
-  $ret = array();
-  for ( $i = 0; $i < $len; $i++ )
-  {
-    $ret[] = $val;
-  }
-  return $ret;
-}
-
 function hmac_core($message, $key, $hashfunc)
 {
-  static $block_sizes = array();
-  if ( !isset($block_sizes[$hashfunc]) )
+  if ( strlen($key) % 2 == 1 )
+    $key .= '0';
+  
+  if ( strlen($key) > 128 )
+    $key = $hashfunc($key);
+  
+  while ( strlen($key) < 128 )
   {
-    $block_sizes[$hashfunc] = strlen($hashfunc(''))/2;
+    $key .= '00';
   }
-  $blocksize = $block_sizes[$hashfunc];
-  $ipad = hmac_gen_padding(0x5c, $blocksize);
-  $opad = hmac_gen_padding(0x36, $blocksize);
-  if ( strlen($key) != ( $blocksize * 2 ) )
-    $key = $hashfunc($key);
-  $key = hmac_hexbytearray($key);
-  for ( $i = 0; $i < count($key); $i++ )
+  $opad = hmac_hexbytearray($key);
+  $ipad = $opad;
+  for ( $i = 0; $i < count($ipad); $i++ )
   {
-    $ipad[$i] = $ipad[$i] ^ $key[$i];
-    $opad[$i] = $opad[$i] ^ $key[$i];
+    $opad[$i] = $opad[$i] ^ 0x5c;
+    $ipad[$i] = $ipad[$i] ^ 0x36;
   }
-  return $hashfunc(hmac_bytearraytostring($opad) . $hashfunc(hmac_bytearraytostring($ipad) . $message));
+  $opad = hmac_bytearraytostring($opad);
+  $ipad = hmac_bytearraytostring($ipad);
+  return $hashfunc($opad . hexdecode($hashfunc($ipad . $message)));
 }
 
 function hmac_hexbytearray($val)