17db96d56Sopenharmony_ci:mod:`hmac` --- Keyed-Hashing for Message Authentication 27db96d56Sopenharmony_ci======================================================== 37db96d56Sopenharmony_ci 47db96d56Sopenharmony_ci.. module:: hmac 57db96d56Sopenharmony_ci :synopsis: Keyed-Hashing for Message Authentication (HMAC) implementation 67db96d56Sopenharmony_ci 77db96d56Sopenharmony_ci.. moduleauthor:: Gerhard Häring <ghaering@users.sourceforge.net> 87db96d56Sopenharmony_ci.. sectionauthor:: Gerhard Häring <ghaering@users.sourceforge.net> 97db96d56Sopenharmony_ci 107db96d56Sopenharmony_ci**Source code:** :source:`Lib/hmac.py` 117db96d56Sopenharmony_ci 127db96d56Sopenharmony_ci-------------- 137db96d56Sopenharmony_ci 147db96d56Sopenharmony_ciThis module implements the HMAC algorithm as described by :rfc:`2104`. 157db96d56Sopenharmony_ci 167db96d56Sopenharmony_ci 177db96d56Sopenharmony_ci.. function:: new(key, msg=None, digestmod='') 187db96d56Sopenharmony_ci 197db96d56Sopenharmony_ci Return a new hmac object. *key* is a bytes or bytearray object giving the 207db96d56Sopenharmony_ci secret key. If *msg* is present, the method call ``update(msg)`` is made. 217db96d56Sopenharmony_ci *digestmod* is the digest name, digest constructor or module for the HMAC 227db96d56Sopenharmony_ci object to use. It may be any name suitable to :func:`hashlib.new`. 237db96d56Sopenharmony_ci Despite its argument position, it is required. 247db96d56Sopenharmony_ci 257db96d56Sopenharmony_ci .. versionchanged:: 3.4 267db96d56Sopenharmony_ci Parameter *key* can be a bytes or bytearray object. 277db96d56Sopenharmony_ci Parameter *msg* can be of any type supported by :mod:`hashlib`. 287db96d56Sopenharmony_ci Parameter *digestmod* can be the name of a hash algorithm. 297db96d56Sopenharmony_ci 307db96d56Sopenharmony_ci .. deprecated-removed:: 3.4 3.8 317db96d56Sopenharmony_ci MD5 as implicit default digest for *digestmod* is deprecated. 327db96d56Sopenharmony_ci The digestmod parameter is now required. Pass it as a keyword 337db96d56Sopenharmony_ci argument to avoid awkwardness when you do not have an initial msg. 347db96d56Sopenharmony_ci 357db96d56Sopenharmony_ci 367db96d56Sopenharmony_ci.. function:: digest(key, msg, digest) 377db96d56Sopenharmony_ci 387db96d56Sopenharmony_ci Return digest of *msg* for given secret *key* and *digest*. The 397db96d56Sopenharmony_ci function is equivalent to ``HMAC(key, msg, digest).digest()``, but 407db96d56Sopenharmony_ci uses an optimized C or inline implementation, which is faster for messages 417db96d56Sopenharmony_ci that fit into memory. The parameters *key*, *msg*, and *digest* have 427db96d56Sopenharmony_ci the same meaning as in :func:`~hmac.new`. 437db96d56Sopenharmony_ci 447db96d56Sopenharmony_ci CPython implementation detail, the optimized C implementation is only used 457db96d56Sopenharmony_ci when *digest* is a string and name of a digest algorithm, which is 467db96d56Sopenharmony_ci supported by OpenSSL. 477db96d56Sopenharmony_ci 487db96d56Sopenharmony_ci .. versionadded:: 3.7 497db96d56Sopenharmony_ci 507db96d56Sopenharmony_ci 517db96d56Sopenharmony_ciAn HMAC object has the following methods: 527db96d56Sopenharmony_ci 537db96d56Sopenharmony_ci.. method:: HMAC.update(msg) 547db96d56Sopenharmony_ci 557db96d56Sopenharmony_ci Update the hmac object with *msg*. Repeated calls are equivalent to a 567db96d56Sopenharmony_ci single call with the concatenation of all the arguments: 577db96d56Sopenharmony_ci ``m.update(a); m.update(b)`` is equivalent to ``m.update(a + b)``. 587db96d56Sopenharmony_ci 597db96d56Sopenharmony_ci .. versionchanged:: 3.4 607db96d56Sopenharmony_ci Parameter *msg* can be of any type supported by :mod:`hashlib`. 617db96d56Sopenharmony_ci 627db96d56Sopenharmony_ci 637db96d56Sopenharmony_ci.. method:: HMAC.digest() 647db96d56Sopenharmony_ci 657db96d56Sopenharmony_ci Return the digest of the bytes passed to the :meth:`update` method so far. 667db96d56Sopenharmony_ci This bytes object will be the same length as the *digest_size* of the digest 677db96d56Sopenharmony_ci given to the constructor. It may contain non-ASCII bytes, including NUL 687db96d56Sopenharmony_ci bytes. 697db96d56Sopenharmony_ci 707db96d56Sopenharmony_ci .. warning:: 717db96d56Sopenharmony_ci 727db96d56Sopenharmony_ci When comparing the output of :meth:`digest` to an externally supplied 737db96d56Sopenharmony_ci digest during a verification routine, it is recommended to use the 747db96d56Sopenharmony_ci :func:`compare_digest` function instead of the ``==`` operator 757db96d56Sopenharmony_ci to reduce the vulnerability to timing attacks. 767db96d56Sopenharmony_ci 777db96d56Sopenharmony_ci 787db96d56Sopenharmony_ci.. method:: HMAC.hexdigest() 797db96d56Sopenharmony_ci 807db96d56Sopenharmony_ci Like :meth:`digest` except the digest is returned as a string twice the 817db96d56Sopenharmony_ci length containing only hexadecimal digits. This may be used to exchange the 827db96d56Sopenharmony_ci value safely in email or other non-binary environments. 837db96d56Sopenharmony_ci 847db96d56Sopenharmony_ci .. warning:: 857db96d56Sopenharmony_ci 867db96d56Sopenharmony_ci When comparing the output of :meth:`hexdigest` to an externally supplied 877db96d56Sopenharmony_ci digest during a verification routine, it is recommended to use the 887db96d56Sopenharmony_ci :func:`compare_digest` function instead of the ``==`` operator 897db96d56Sopenharmony_ci to reduce the vulnerability to timing attacks. 907db96d56Sopenharmony_ci 917db96d56Sopenharmony_ci 927db96d56Sopenharmony_ci.. method:: HMAC.copy() 937db96d56Sopenharmony_ci 947db96d56Sopenharmony_ci Return a copy ("clone") of the hmac object. This can be used to efficiently 957db96d56Sopenharmony_ci compute the digests of strings that share a common initial substring. 967db96d56Sopenharmony_ci 977db96d56Sopenharmony_ci 987db96d56Sopenharmony_ciA hash object has the following attributes: 997db96d56Sopenharmony_ci 1007db96d56Sopenharmony_ci.. attribute:: HMAC.digest_size 1017db96d56Sopenharmony_ci 1027db96d56Sopenharmony_ci The size of the resulting HMAC digest in bytes. 1037db96d56Sopenharmony_ci 1047db96d56Sopenharmony_ci.. attribute:: HMAC.block_size 1057db96d56Sopenharmony_ci 1067db96d56Sopenharmony_ci The internal block size of the hash algorithm in bytes. 1077db96d56Sopenharmony_ci 1087db96d56Sopenharmony_ci .. versionadded:: 3.4 1097db96d56Sopenharmony_ci 1107db96d56Sopenharmony_ci.. attribute:: HMAC.name 1117db96d56Sopenharmony_ci 1127db96d56Sopenharmony_ci The canonical name of this HMAC, always lowercase, e.g. ``hmac-md5``. 1137db96d56Sopenharmony_ci 1147db96d56Sopenharmony_ci .. versionadded:: 3.4 1157db96d56Sopenharmony_ci 1167db96d56Sopenharmony_ci 1177db96d56Sopenharmony_ci.. deprecated:: 3.9 1187db96d56Sopenharmony_ci 1197db96d56Sopenharmony_ci The undocumented attributes ``HMAC.digest_cons``, ``HMAC.inner``, and 1207db96d56Sopenharmony_ci ``HMAC.outer`` are internal implementation details and will be removed in 1217db96d56Sopenharmony_ci Python 3.10. 1227db96d56Sopenharmony_ci 1237db96d56Sopenharmony_ciThis module also provides the following helper function: 1247db96d56Sopenharmony_ci 1257db96d56Sopenharmony_ci.. function:: compare_digest(a, b) 1267db96d56Sopenharmony_ci 1277db96d56Sopenharmony_ci Return ``a == b``. This function uses an approach designed to prevent 1287db96d56Sopenharmony_ci timing analysis by avoiding content-based short circuiting behaviour, 1297db96d56Sopenharmony_ci making it appropriate for cryptography. *a* and *b* must both be of the 1307db96d56Sopenharmony_ci same type: either :class:`str` (ASCII only, as e.g. returned by 1317db96d56Sopenharmony_ci :meth:`HMAC.hexdigest`), or a :term:`bytes-like object`. 1327db96d56Sopenharmony_ci 1337db96d56Sopenharmony_ci .. note:: 1347db96d56Sopenharmony_ci 1357db96d56Sopenharmony_ci If *a* and *b* are of different lengths, or if an error occurs, 1367db96d56Sopenharmony_ci a timing attack could theoretically reveal information about the 1377db96d56Sopenharmony_ci types and lengths of *a* and *b*—but not their values. 1387db96d56Sopenharmony_ci 1397db96d56Sopenharmony_ci .. versionadded:: 3.3 1407db96d56Sopenharmony_ci 1417db96d56Sopenharmony_ci .. versionchanged:: 3.10 1427db96d56Sopenharmony_ci 1437db96d56Sopenharmony_ci The function uses OpenSSL's ``CRYPTO_memcmp()`` internally when 1447db96d56Sopenharmony_ci available. 1457db96d56Sopenharmony_ci 1467db96d56Sopenharmony_ci 1477db96d56Sopenharmony_ci.. seealso:: 1487db96d56Sopenharmony_ci 1497db96d56Sopenharmony_ci Module :mod:`hashlib` 1507db96d56Sopenharmony_ci The Python module providing secure hash functions. 151