- {
- /* XXX: This is how HMAC is supposed to be done:
- *
- * sha256( (pass xor 0x5c) + sha256((pass xor 0x36) + m) )
- *
- * Note that we are encoding the hex hash, not the binary
- * output of the hash which is slightly different to standard.
- *
- * 5c and 36 were chosen as part of the HMAC standard, because they
- * flip the bits in a way likely to strengthen the function.
- */
- std::string hmac1, hmac2;
-
- for (size_t n = 0; n < password.length(); n++)
- {
- hmac1 += static_cast<char>(password[n] ^ 0x5C);
- hmac2 += static_cast<char>(password[n] ^ 0x36);
- }
-
- hmac2 += challenge;
- hmac2 = HashRequest(Utils->Creator, sha256, hmac2).result;
-
- std::string hmac = hmac1 + hmac2;
- hmac = HashRequest(Utils->Creator, sha256, hmac).result;