Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython2 / a1bc35f07fbd4a60135ddc48845d542597d0f5d1 / . / Doc / library / hmac.rst
blob: 3fa0bd66ae5b9d35cd22c5fd29f3d8695c42ff72 [file] [log] [blame]
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]1:mod:`hmac` --- Keyed-Hashing for Message Authentication
2========================================================
3
4.. module:: hmac
Georg Brandl80b75fd2010-10-17 09:43:35 +0000[diff] [blame]5 :synopsis: Keyed-Hashing for Message Authentication (HMAC) implementation
6 for Python.
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]7.. moduleauthor:: Gerhard Häring <ghaering@users.sourceforge.net>
8.. sectionauthor:: Gerhard Häring <ghaering@users.sourceforge.net>
9
Raymond Hettinger469271d2011-01-27 20:38:46 +0000[diff] [blame]10**Source code:** :source:`Lib/hmac.py`
11
12--------------
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]13
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]14This module implements the HMAC algorithm as described by :rfc:`2104`.
15
16
Georg Brandl036490d2009-05-17 13:00:36 +0000[diff] [blame]17.. function:: new(key, msg=None, digestmod=None)
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]18
Georg Brandl80b75fd2010-10-17 09:43:35 +0000[diff] [blame]19 Return a new hmac object. *key* is a bytes object giving the secret key. If
20 *msg* is present, the method call ``update(msg)`` is made. *digestmod* is
21 the digest constructor or module for the HMAC object to use. It defaults to
22 the :func:`hashlib.md5` constructor.
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]23
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]24
25An HMAC object has the following methods:
26
Georg Brandl9701eb62012-02-05 09:25:22 +0100[diff] [blame]27.. method:: HMAC.update(msg)
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]28
Georg Brandl80b75fd2010-10-17 09:43:35 +0000[diff] [blame]29 Update the hmac object with the bytes object *msg*. Repeated calls are
30 equivalent to a single call with the concatenation of all the arguments:
31 ``m.update(a); m.update(b)`` is equivalent to ``m.update(a + b)``.
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]32
33
Georg Brandl9701eb62012-02-05 09:25:22 +0100[diff] [blame]34.. method:: HMAC.digest()
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]35
Georg Brandl80b75fd2010-10-17 09:43:35 +0000[diff] [blame]36 Return the digest of the bytes passed to the :meth:`update` method so far.
37 This bytes object will be the same length as the *digest_size* of the digest
38 given to the constructor. It may contain non-ASCII bytes, including NUL
39 bytes.
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]40
Charles-François Natali7feb9f42012-05-13 19:53:07 +0200[diff] [blame]41 .. warning::
42
43 When comparing the output of :meth:`digest` to an externally-supplied
44 digest during a verification routine, it is recommended to use the
Nick Coghlan807770e2012-06-15 21:14:08 +1000[diff] [blame]45 :func:`compare_digest` function instead of the ``==`` operator
46 to reduce the vulnerability to timing attacks.
Charles-François Natali7feb9f42012-05-13 19:53:07 +0200[diff] [blame]47
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]48
Georg Brandl9701eb62012-02-05 09:25:22 +0100[diff] [blame]49.. method:: HMAC.hexdigest()
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]50
Georg Brandl80b75fd2010-10-17 09:43:35 +0000[diff] [blame]51 Like :meth:`digest` except the digest is returned as a string twice the
52 length containing only hexadecimal digits. This may be used to exchange the
53 value safely in email or other non-binary environments.
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]54
Charles-François Natali7feb9f42012-05-13 19:53:07 +0200[diff] [blame]55 .. warning::
56
Nick Coghlan807770e2012-06-15 21:14:08 +1000[diff] [blame]57 The output of :meth:`hexdigest` should not be compared directly to an
58 externally-supplied digest during a verification routine. Instead, the
59 externally supplied digest should be converted to a :class:`bytes`
60 value and compared to the output of :meth:`digest` with
61 :func:`compare_digest`.
Charles-François Natali7feb9f42012-05-13 19:53:07 +0200[diff] [blame]62
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]63
Georg Brandl9701eb62012-02-05 09:25:22 +0100[diff] [blame]64.. method:: HMAC.copy()
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]65
66 Return a copy ("clone") of the hmac object. This can be used to efficiently
67 compute the digests of strings that share a common initial substring.
68
69
Charles-François Natali7feb9f42012-05-13 19:53:07 +0200[diff] [blame]70This module also provides the following helper function:
71
Nick Coghlan807770e2012-06-15 21:14:08 +1000[diff] [blame]72.. function:: compare_digest(a, b)
Charles-François Natali7feb9f42012-05-13 19:53:07 +0200[diff] [blame]73
Georg Brandla1bc35f2012-06-24 16:07:33 +0200[diff] [blame^]74 Return ``a == b``. This function uses an approach designed to prevent timing
75 analysis by avoiding content based short circuiting behaviour. The inputs
76 must either both support the buffer protocol (e.g. :class:`bytes` and
77 :class:`bytearray` instances) or be ASCII-only :class:`str` instances as
78 returned by :meth:`hexdigest`. :class:`bytes` and :class:`str` instances
79 can't be mixed.
Nick Coghlan807770e2012-06-15 21:14:08 +1000[diff] [blame]80
Georg Brandla1bc35f2012-06-24 16:07:33 +0200[diff] [blame^]81 Using a short circuiting comparison (that is, one that terminates as soon as
82 it finds any difference between the values) to check digests for correctness
83 can be problematic, as it introduces a potential vulnerability when an
84 attacker can control both the message to be checked *and* the purported
85 signature value. By keeping the plaintext consistent and supplying different
86 signature values, an attacker may be able to use timing variations to search
87 the signature space for the expected value in O(n) time rather than the
88 desired O(2**n).
Charles-François Natali7feb9f42012-05-13 19:53:07 +0200[diff] [blame]89
90 .. note::
91
Georg Brandla1bc35f2012-06-24 16:07:33 +0200[diff] [blame^]92 While this function reduces the likelihood of leaking the contents of the
93 expected digest via a timing attack, it still may leak some timing
Christian Heimes6cea6552012-06-24 13:48:32 +0200[diff] [blame]94 information when the input values differ in lengths as well as in error
Georg Brandla1bc35f2012-06-24 16:07:33 +0200[diff] [blame^]95 cases like unsupported types or non ASCII strings. When the inputs have
96 different length the timing depends solely on the length of ``b``. It is
97 assumed that the expected length of the digest is not a secret, as it is
98 typically published as part of a file format, network protocol or API
99 definition.
Charles-François Natali7feb9f42012-05-13 19:53:07 +0200[diff] [blame]100
Charles-François Natali9b704ec2012-05-15 21:00:32 +0200[diff] [blame]101 .. versionadded:: 3.3
Charles-François Natali7feb9f42012-05-13 19:53:07 +0200[diff] [blame]102
Georg Brandla1bc35f2012-06-24 16:07:33 +0200[diff] [blame^]103
Georg Brandl116aa622007-08-15 14:28:22 +0000[diff] [blame]104.. seealso::
105
106 Module :mod:`hashlib`
Ezio Melotti0639d5a2009-12-19 23:26:38 +0000[diff] [blame]107 The Python module providing secure hash functions.