diff --git a/Doc/library/hashlib.rst b/Doc/library/hashlib.rst index 769f96f0176..73a7555e457 100644 --- a/Doc/library/hashlib.rst +++ b/Doc/library/hashlib.rst @@ -185,22 +185,23 @@ brute-force attacks. A good password hashing function must be tunable, slow, and include a `salt `_. -.. function:: pbkdf2_hmac(name, password, salt, rounds, dklen=None) +.. function:: pbkdf2_hmac(hash_name, password, salt, iterations, dklen=None) The function provides PKCS#5 password-based key derivation function 2. It uses HMAC as pseudorandom function. - The string *name* is the desired name of the hash digest algorithm for + The string *hash_name* is the desired name of the hash digest algorithm for HMAC, e.g. 'sha1' or 'sha256'. *password* and *salt* are interpreted as buffers of bytes. Applications and libraries should limit *password* to - a sensible value (e.g. 1024). *salt* should be about 16 or more bytes from + a sensible length (e.g. 1024). *salt* should be about 16 or more bytes from a proper source, e.g. :func:`os.urandom`. - The number of *rounds* should be chosen based on the hash algorithm and - computing power. As of 2013, at least 100,000 rounds of SHA-256 is suggested. + The number of *iterations* should be chosen based on the hash algorithm and + computing power. As of 2013, at least 100,000 iterations of SHA-256 are + suggested. *dklen* is the length of the derived key. If *dklen* is ``None`` then the - digest size of the hash algorithm *name* is used, e.g. 64 for SHA-512. + digest size of the hash algorithm *hash_name* is used, e.g. 64 for SHA-512. >>> import hashlib, binascii >>> dk = hashlib.pbkdf2_hmac('sha256', b'password', b'salt', 100000) diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py index 85ec2f96dba..8a297dd45ea 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -513,6 +513,9 @@ class KDFTests(unittest.TestCase): self.assertRaises(ValueError, pbkdf2, 'sha1', b'pass', b'salt', 1, -1) with self.assertRaisesRegex(ValueError, 'unsupported hash type'): pbkdf2('unknown', b'pass', b'salt', 1) + out = pbkdf2(hash_name='sha1', password=b'password', salt=b'salt', + iterations=1, dklen=None) + self.assertEqual(out, self.pbkdf2_results['sha1'][0][0]) def test_pbkdf2_hmac_py(self): self._test_pbkdf2_hmac(py_hashlib.pbkdf2_hmac)