Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython2 / 7feb9f42258ff72ce1d3628c5ccc261c2ca238b9 / . / Doc / library / hmac.rst
blob: e8f6488b557ff703629829e402430ce83205e7cd [file] [log] [blame]
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]1:mod:`hmac` --- Keyed-Hashing for Message Authentication
2========================================================
3
4.. module:: hmac
Georg Brandl80b75fd2010-10-17 09:43:35 +0000[diff] [blame]5 :synopsis: Keyed-Hashing for Message Authentication (HMAC) implementation
6 for Python.
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]7.. moduleauthor:: Gerhard Häring <ghaering@users.sourceforge.net>
8.. sectionauthor:: Gerhard Häring <ghaering@users.sourceforge.net>
9
Raymond Hettinger469271d2011-01-27 20:38:46 +0000[diff] [blame]10**Source code:** :source:`Lib/hmac.py`
11
12--------------
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]13
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]14This module implements the HMAC algorithm as described by :rfc:`2104`.
15
16
Georg Brandl036490d2009-05-17 13:00:36 +0000[diff] [blame]17.. function:: new(key, msg=None, digestmod=None)
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]18
Georg Brandl80b75fd2010-10-17 09:43:35 +0000[diff] [blame]19 Return a new hmac object. *key* is a bytes object giving the secret key. If
20 *msg* is present, the method call ``update(msg)`` is made. *digestmod* is
21 the digest constructor or module for the HMAC object to use. It defaults to
22 the :func:`hashlib.md5` constructor.
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]23
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]24
25An HMAC object has the following methods:
26
Georg Brandl9701eb62012-02-05 09:25:22 +0100[diff] [blame]27.. method:: HMAC.update(msg)
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]28
Georg Brandl80b75fd2010-10-17 09:43:35 +0000[diff] [blame]29 Update the hmac object with the bytes object *msg*. Repeated calls are
30 equivalent to a single call with the concatenation of all the arguments:
31 ``m.update(a); m.update(b)`` is equivalent to ``m.update(a + b)``.
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]32
33
Georg Brandl9701eb62012-02-05 09:25:22 +0100[diff] [blame]34.. method:: HMAC.digest()
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]35
Georg Brandl80b75fd2010-10-17 09:43:35 +0000[diff] [blame]36 Return the digest of the bytes passed to the :meth:`update` method so far.
37 This bytes object will be the same length as the *digest_size* of the digest
38 given to the constructor. It may contain non-ASCII bytes, including NUL
39 bytes.
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]40
Charles-François Natali7feb9f42012-05-13 19:53:07 +0200[diff] [blame^]41 .. warning::
42
43 When comparing the output of :meth:`digest` to an externally-supplied
44 digest during a verification routine, it is recommended to use the
45 :func:`hmac.secure_compare` function instead of the ``==`` operator
46 to avoid potential timing attacks.
47
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]48
Georg Brandl9701eb62012-02-05 09:25:22 +0100[diff] [blame]49.. method:: HMAC.hexdigest()
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]50
Georg Brandl80b75fd2010-10-17 09:43:35 +0000[diff] [blame]51 Like :meth:`digest` except the digest is returned as a string twice the
52 length containing only hexadecimal digits. This may be used to exchange the
53 value safely in email or other non-binary environments.
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]54
Charles-François Natali7feb9f42012-05-13 19:53:07 +0200[diff] [blame^]55 .. warning::
56
57 When comparing the output of :meth:`hexdigest` to an externally-supplied
58 digest during a verification routine, it is recommended to use the
59 :func:`hmac.secure_compare` function instead of the ``==`` operator
60 to avoid potential timing attacks.
61
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]62
Georg Brandl9701eb62012-02-05 09:25:22 +0100[diff] [blame]63.. method:: HMAC.copy()
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]64
65 Return a copy ("clone") of the hmac object. This can be used to efficiently
66 compute the digests of strings that share a common initial substring.
67
68
Charles-François Natali7feb9f42012-05-13 19:53:07 +0200[diff] [blame^]69This module also provides the following helper function:
70
71.. function:: secure_compare(a, b)
72
73 Returns the equivalent of ``a == b``, but using a time-independent
74 comparison method. Comparing the full lengths of the inputs *a* and *b*,
75 instead of short-circuiting the comparison upon the first unequal byte,
76 prevents leaking information about the inputs being compared and mitigates
77 potential timing attacks. The inputs must be either :class:`str` or
78 :class:`bytes` instances.
79
80 .. note::
81
82 While the :func:`hmac.secure_compare` function prevents leaking the
83 contents of the inputs via a timing attack, it does leak the length
84 of the inputs. However, this generally is not a security risk.
85
86
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]87.. seealso::
88
89 Module :mod:`hashlib`
Ezio Melotti0639d5a2009-12-19 23:26:38 +0000[diff] [blame]90 The Python module providing secure hash functions.