cpython/Doc/library/hmac.rst

93 lines
3.1 KiB
ReStructuredText
Raw Normal View History

2007-08-15 11:28:22 -03:00
:mod:`hmac` --- Keyed-Hashing for Message Authentication
========================================================
.. module:: hmac
:synopsis: Keyed-Hashing for Message Authentication (HMAC) implementation
for Python.
2007-08-15 11:28:22 -03:00
.. moduleauthor:: Gerhard Häring <ghaering@users.sourceforge.net>
.. sectionauthor:: Gerhard Häring <ghaering@users.sourceforge.net>
2011-01-27 16:38:46 -04:00
**Source code:** :source:`Lib/hmac.py`
--------------
2007-08-15 11:28:22 -03:00
This module implements the HMAC algorithm as described by :rfc:`2104`.
.. function:: new(key, msg=None, digestmod=None)
2007-08-15 11:28:22 -03:00
Return a new hmac object. *key* is a bytes object giving the secret key. If
*msg* is present, the method call ``update(msg)`` is made. *digestmod* is
the digest constructor or module for the HMAC object to use. It defaults to
the :data:`hashlib.md5` constructor.
2007-08-15 11:28:22 -03:00
An HMAC object has the following methods:
2007-08-15 11:28:22 -03:00
.. method:: HMAC.update(msg)
2007-08-15 11:28:22 -03:00
Update the hmac object with the bytes object *msg*. Repeated calls are
equivalent to a single call with the concatenation of all the arguments:
``m.update(a); m.update(b)`` is equivalent to ``m.update(a + b)``.
2007-08-15 11:28:22 -03:00
.. method:: HMAC.digest()
2007-08-15 11:28:22 -03:00
Return the digest of the bytes passed to the :meth:`update` method so far.
This bytes object will be the same length as the *digest_size* of the digest
given to the constructor. It may contain non-ASCII bytes, including NUL
bytes.
2007-08-15 11:28:22 -03:00
.. warning::
When comparing the output of :meth:`digest` to an externally-supplied
digest during a verification routine, it is recommended to use the
:func:`compare_digest` function instead of the ``==`` operator
to reduce the vulnerability to timing attacks.
2007-08-15 11:28:22 -03:00
.. method:: HMAC.hexdigest()
2007-08-15 11:28:22 -03:00
Like :meth:`digest` except the digest is returned as a string twice the
length containing only hexadecimal digits. This may be used to exchange the
value safely in email or other non-binary environments.
2007-08-15 11:28:22 -03:00
.. warning::
When comparing the output of :meth:`hexdigest` to an externally-supplied
digest during a verification routine, it is recommended to use the
:func:`compare_digest` function instead of the ``==`` operator
to reduce the vulnerability to timing attacks.
2007-08-15 11:28:22 -03:00
.. method:: HMAC.copy()
2007-08-15 11:28:22 -03:00
Return a copy ("clone") of the hmac object. This can be used to efficiently
compute the digests of strings that share a common initial substring.
This module also provides the following helper function:
.. function:: compare_digest(a, b)
Return ``a == b``. This function uses an approach designed to prevent
timing analysis by avoiding content-based short circuiting behaviour,
making it appropriate for cryptography. *a* and *b* must both be of the
same type: either :class:`str` (ASCII only, as e.g. returned by
:meth:`HMAC.hexdigest`), or a :term:`bytes-like object`.
.. note::
2012-06-24 11:21:10 -03:00
If *a* and *b* are of different lengths, or if an error occurs,
a timing attack could theoretically reveal information about the
types and lengths of *a* and *b*--but not their values.
2012-06-24 11:21:10 -03:00
.. versionadded:: 3.3
2007-08-15 11:28:22 -03:00
.. seealso::
Module :mod:`hashlib`
The Python module providing secure hash functions.