1:mod:`hmac` --- Keyed-Hashing for Message Authentication
2========================================================
3
4.. module:: hmac
5   :synopsis: Keyed-Hashing for Message Authentication (HMAC) implementation
6.. moduleauthor:: Gerhard Häring <ghaering@users.sourceforge.net>
7.. sectionauthor:: Gerhard Häring <ghaering@users.sourceforge.net>
8
9
10.. versionadded:: 2.2
11
12**Source code:** :source:`Lib/hmac.py`
13
14--------------
15
16This module implements the HMAC algorithm as described by :rfc:`2104`.
17
18
19.. function:: new(key[, msg[, digestmod]])
20
21   Return a new hmac object.  If *msg* is present, the method call ``update(msg)``
22   is made. *digestmod* is the digest constructor or module for the HMAC object to
23   use. It defaults to  the :data:`hashlib.md5` constructor.
24
25
26An HMAC object has the following methods:
27
28.. method:: HMAC.update(msg)
29
30   Update the hmac object with the string *msg*.  Repeated calls are equivalent to
31   a single call with the concatenation of all the arguments: ``m.update(a);
32   m.update(b)`` is equivalent to ``m.update(a + b)``.
33
34
35.. method:: HMAC.digest()
36
37   Return the digest of the strings passed to the :meth:`update` method so far.
38   This string will be the same length as the *digest_size* of the digest given to
39   the constructor.  It may contain non-ASCII characters, including NUL bytes.
40
41   .. warning::
42
43      When comparing the output of :meth:`digest` to an externally-supplied
44      digest during a verification routine, it is recommended to use the
45      :func:`compare_digest` function instead of the ``==`` operator
46      to reduce the vulnerability to timing attacks.
47
48
49.. method:: HMAC.hexdigest()
50
51   Like :meth:`digest` except the digest is returned as a string twice the length
52   containing only hexadecimal digits.  This may be used to exchange the value
53   safely in email or other non-binary environments.
54
55   .. warning::
56
57      When comparing the output of :meth:`hexdigest` to an externally-supplied
58      digest during a verification routine, it is recommended to use the
59      :func:`compare_digest` function instead of the ``==`` operator
60      to reduce the vulnerability to timing attacks.
61
62
63.. method:: HMAC.copy()
64
65   Return a copy ("clone") of the hmac object.  This can be used to efficiently
66   compute the digests of strings that share a common initial substring.
67
68
69This module also provides the following helper function:
70
71.. function:: compare_digest(a, b)
72
73   Return ``a == b``.  This function uses an approach designed to prevent
74   timing analysis by avoiding content-based short circuiting behaviour,
75   making it appropriate for cryptography.  *a* and *b* must both be of the
76   same type: either :class:`unicode` or a :term:`bytes-like object`.
77
78   .. note::
79
80      If *a* and *b* are of different lengths, or if an error occurs,
81      a timing attack could theoretically reveal information about the
82      types and lengths of *a* and *b*—but not their values.
83
84
85   .. versionadded:: 2.7.7
86
87
88.. seealso::
89
90   Module :mod:`hashlib`
91      The Python module providing secure hash functions.
92
93