[PR #126] [MERGED] Support for sha256 & sha512 HMAC Algorithms #631

New issue

Closed

opened 2026-03-14 12:17:06 +03:00 by kerem · 0 comments

kerem commented 2026-03-14 12:17:06 +03:00

Owner

Copy link

📋 Pull Request Information

Original PR: https://github.com/antonioribeiro/google2fa/pull/126
Author: @wells
Created: 9/20/2019
Status: ✅ Merged
Merged: 9/23/2019
Merged by: @antonioribeiro

Base: master ← Head: support-sha256-sha512

---

📝 Commits (4)

• e74d4cf Update Constants.php
• c1bb594 Update Google2FA.php
• 5900d71 Update QRCode.php
• 82e6afe Update Google2FATest.php

📊 Changes

4 files changed (+396 additions, -13 deletions)

View changed files

📝 src/Google2FA.php (+45 -5)
📝 src/Support/Constants.php (+15 -0)
📝 src/Support/QRCode.php (+6 -0)
📝 tests/Google2FATest.php (+330 -8)

📄 Description

According to RFC6238 (https://tools.ietf.org/html/rfc6238), TOTP should be able to support SHA256 and SHA512 HMAC algorithms, in addition to SHA1.

To start off, I added the &algorithm=SHA1 query parameter to the end of OTP URL in getQRCodeUrl(). This allows QR codes from the package to specify which algorithm to use with HMAC hashing.

In my initial tests, I was unable to get SHA256 and SHA512 to validate until I found a mistake in the oathTruncate() function. I updated the offset line to match what was in the RFC. Once I did that, all 3 algorithms worked as expected.

See page 13 of RFC6238 within the generateTOTP() function:

int offset = hash[hash.length - 1] & 0xf;

What I changed in the oathTruncate() function of this package:

// Instead of ord($hash[19])
$offset = ord($hash[strlen($hash) - 1]) & 0xf;

That one line was the only thing in the way of supporting SHA256 and SHA512. I have added the necessary tests to confirm that these alternate hashing algorithms do in fact work.

Note: This package still defaults to SHA1, to avoid any breaking changes for existing usage.

It also would appear that most authenticator apps ONLY support SHA1 HMAC hashing. Let's hope this eventually changes.

Authenticator apps tested:

• Google Authenticator (SHA1, SHA256, SHA512 supported)
• Authy (SHA1 support only)
• Microsoft Authenticator (SHA1 support only)

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/antonioribeiro/google2fa/pull/126 **Author:** [@wells](https://github.com/wells) **Created:** 9/20/2019 **Status:** ✅ Merged **Merged:** 9/23/2019 **Merged by:** [@antonioribeiro](https://github.com/antonioribeiro) **Base:** `master` ← **Head:** `support-sha256-sha512` --- ### 📝 Commits (4) - [`e74d4cf`](https://github.com/antonioribeiro/google2fa/commit/e74d4cfd16c08ea66c8a6ffc95405bf669c2e045) Update Constants.php - [`c1bb594`](https://github.com/antonioribeiro/google2fa/commit/c1bb594de16107210142148d2961c107ae06737f) Update Google2FA.php - [`5900d71`](https://github.com/antonioribeiro/google2fa/commit/5900d71dfd738c1a9f26ba09320c782f267a41e4) Update QRCode.php - [`82e6afe`](https://github.com/antonioribeiro/google2fa/commit/82e6afe9d2694212bb99bc263df368416bb3c84d) Update Google2FATest.php ### 📊 Changes **4 files changed** (+396 additions, -13 deletions) <details> <summary>View changed files</summary> 📝 `src/Google2FA.php` (+45 -5) 📝 `src/Support/Constants.php` (+15 -0) 📝 `src/Support/QRCode.php` (+6 -0) 📝 `tests/Google2FATest.php` (+330 -8) </details> ### 📄 Description According to RFC6238 (https://tools.ietf.org/html/rfc6238), TOTP should be able to support SHA256 and SHA512 HMAC algorithms, in addition to SHA1. To start off, I added the `&algorithm=SHA1` query parameter to the end of OTP URL in `getQRCodeUrl()`. This allows QR codes from the package to specify which algorithm to use with HMAC hashing. In my initial tests, I was unable to get SHA256 and SHA512 to validate until I found a mistake in the `oathTruncate()` function. I updated the offset line to match what was in the RFC. Once I did that, all 3 algorithms worked as expected. See page 13 of RFC6238 within the `generateTOTP()` function: ```java int offset = hash[hash.length - 1] & 0xf; ``` What I changed in the `oathTruncate()` function of this package: ```php // Instead of ord($hash[19]) $offset = ord($hash[strlen($hash) - 1]) & 0xf; ``` That one line was the only thing in the way of supporting SHA256 and SHA512. I have added the necessary tests to confirm that these alternate hashing algorithms do in fact work. **Note:** This package still defaults to SHA1, *to avoid any breaking changes* for existing usage. It also would appear that most authenticator apps ONLY support SHA1 HMAC hashing. Let's hope this eventually changes. Authenticator apps tested: - Google Authenticator (SHA1, SHA256, SHA512 supported) - Authy (**SHA1 support only**) - Microsoft Authenticator (**SHA1 support only**) --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

kerem 2026-03-14 12:17:06 +03:00

• closed this issue
• added the
  pull-request
  label

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

9.x

fix-coverage

bump-to-version-9

10.x

reformat-code

add-linting

reorder-imports

8.x

install-php-84

test-on-php84

github-actions

master

7.x

pspstan

revert-124-123-google2fa_fix

v9.0.0

v8.0.3

v8.0.2

v8.0.1

8.0.0

v7.0.0

v6.1.3

v6.1.0

v6.0.1

v6.0.0

v4.0.2

v4.0.1

v5.0.0

v4.0.0

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v1.0.1

v1.0.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.0

v0.1.0

Labels

Clear labels   

bug

  

pull-request

Mirrored from GitHub Pull Request

No labels

bug

pull-request

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/google2fa#631

No description provided.