#. Copyright (C) 2005-2010 Gregory P. Smith (greg@krypto.org)

[0] Fix | Delete

# Licensed to PSF under a Contributor Agreement.

[1] Fix | Delete

#

[2] Fix | Delete

[3] Fix | Delete

__doc__ = """hashlib module - A common interface to many hash functions.

[4] Fix | Delete

[5] Fix | Delete

new(name, data=b'', **kwargs) - returns a new hash object implementing the

[6] Fix | Delete

given hash function; initializing the hash

[7] Fix | Delete

using the given binary data.

[8] Fix | Delete

[9] Fix | Delete

Named constructor functions are also available, these are faster

[10] Fix | Delete

than using new(name):

[11] Fix | Delete

[12] Fix | Delete

md5(), sha1(), sha224(), sha256(), sha384(), sha512(), blake2b(), blake2s(),

[13] Fix | Delete

sha3_224, sha3_256, sha3_384, sha3_512, shake_128, and shake_256.

[14] Fix | Delete

[15] Fix | Delete

More algorithms may be available on your platform but the above are guaranteed

[16] Fix | Delete

to exist. See the algorithms_guaranteed and algorithms_available attributes

[17] Fix | Delete

to find out what algorithm names can be passed to new().

[18] Fix | Delete

[19] Fix | Delete

NOTE: If you want the adler32 or crc32 hash functions they are available in

[20] Fix | Delete

the zlib module.

[21] Fix | Delete

[22] Fix | Delete

Choose your hash function wisely. Some have known collision weaknesses.

[23] Fix | Delete

sha384 and sha512 will be slow on 32 bit platforms.

[24] Fix | Delete

[25] Fix | Delete

Hash objects have these methods:

[26] Fix | Delete

- update(data): Update the hash object with the bytes in data. Repeated calls

[27] Fix | Delete

are equivalent to a single call with the concatenation of all

[28] Fix | Delete

the arguments.

[29] Fix | Delete

- digest(): Return the digest of the bytes passed to the update() method

[30] Fix | Delete

so far as a bytes object.

[31] Fix | Delete

- hexdigest(): Like digest() except the digest is returned as a string

[32] Fix | Delete

of double length, containing only hexadecimal digits.

[33] Fix | Delete

- copy(): Return a copy (clone) of the hash object. This can be used to

[34] Fix | Delete

efficiently compute the digests of datas that share a common

[35] Fix | Delete

initial substring.

[36] Fix | Delete

[37] Fix | Delete

For example, to obtain the digest of the byte string 'Nobody inspects the

[38] Fix | Delete

spammish repetition':

[39] Fix | Delete

[40] Fix | Delete

>>> import hashlib

[41] Fix | Delete

>>> m = hashlib.md5()

[42] Fix | Delete

>>> m.update(b"Nobody inspects")

[43] Fix | Delete

>>> m.update(b" the spammish repetition")

[44] Fix | Delete

>>> m.digest()

[45] Fix | Delete

b'\\xbbd\\x9c\\x83\\xdd\\x1e\\xa5\\xc9\\xd9\\xde\\xc9\\xa1\\x8d\\xf0\\xff\\xe9'

[46] Fix | Delete

[47] Fix | Delete

More condensed:

[48] Fix | Delete

[49] Fix | Delete

>>> hashlib.sha224(b"Nobody inspects the spammish repetition").hexdigest()

[50] Fix | Delete

'a4337bc45a8fc544c03f52dc550cd6e1e87021bc896588bd79e901e2'

[51] Fix | Delete

[52] Fix | Delete

"""

[53] Fix | Delete

[54] Fix | Delete

# This tuple and __get_builtin_constructor() must be modified if a new

[55] Fix | Delete

# always available algorithm is added.

[56] Fix | Delete

__always_supported = ('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512',

[57] Fix | Delete

'blake2b', 'blake2s',

[58] Fix | Delete

'sha3_224', 'sha3_256', 'sha3_384', 'sha3_512',

[59] Fix | Delete

'shake_128', 'shake_256')

[60] Fix | Delete

[61] Fix | Delete

[62] Fix | Delete

algorithms_guaranteed = set(__always_supported)

[63] Fix | Delete

algorithms_available = set(__always_supported)

[64] Fix | Delete

[65] Fix | Delete

__all__ = __always_supported + ('new', 'algorithms_guaranteed',

[66] Fix | Delete

'algorithms_available', 'pbkdf2_hmac')

[67] Fix | Delete

[68] Fix | Delete

try:

[69] Fix | Delete

from _hashlib import get_fips_mode as _hashlib_get_fips_mode

[70] Fix | Delete

except ImportError:

[71] Fix | Delete

def _hashlib_get_fips_mode():

[72] Fix | Delete

return 0

[73] Fix | Delete

[74] Fix | Delete

[75] Fix | Delete

if not _hashlib_get_fips_mode():

[76] Fix | Delete

__builtin_constructor_cache = {}

[77] Fix | Delete

[78] Fix | Delete

def __get_builtin_constructor(name):

[79] Fix | Delete

cache = __builtin_constructor_cache

[80] Fix | Delete

constructor = cache.get(name)

[81] Fix | Delete

if constructor is not None:

[82] Fix | Delete

return constructor

[83] Fix | Delete

try:

[84] Fix | Delete

if name in ('SHA1', 'sha1'):

[85] Fix | Delete

import _sha1

[86] Fix | Delete

cache['SHA1'] = cache['sha1'] = _sha1.sha1

[87] Fix | Delete

elif name in ('MD5', 'md5'):

[88] Fix | Delete

import _md5

[89] Fix | Delete

cache['MD5'] = cache['md5'] = _md5.md5

[90] Fix | Delete

elif name in ('SHA256', 'sha256', 'SHA224', 'sha224'):

[91] Fix | Delete

import _sha256

[92] Fix | Delete

cache['SHA224'] = cache['sha224'] = _sha256.sha224

[93] Fix | Delete

cache['SHA256'] = cache['sha256'] = _sha256.sha256

[94] Fix | Delete

elif name in ('SHA512', 'sha512', 'SHA384', 'sha384'):

[95] Fix | Delete

import _sha512

[96] Fix | Delete

cache['SHA384'] = cache['sha384'] = _sha512.sha384

[97] Fix | Delete

cache['SHA512'] = cache['sha512'] = _sha512.sha512

[98] Fix | Delete

elif name in ('blake2b', 'blake2s'):

[99] Fix | Delete

import _blake2

[100] Fix | Delete

cache['blake2b'] = _blake2.blake2b

[101] Fix | Delete

cache['blake2s'] = _blake2.blake2s

[102] Fix | Delete

elif name in {'sha3_224', 'sha3_256', 'sha3_384', 'sha3_512',

[103] Fix | Delete

'shake_128', 'shake_256'}:

[104] Fix | Delete

import _sha3

[105] Fix | Delete

cache['sha3_224'] = _sha3.sha3_224

[106] Fix | Delete

cache['sha3_256'] = _sha3.sha3_256

[107] Fix | Delete

cache['sha3_384'] = _sha3.sha3_384

[108] Fix | Delete

cache['sha3_512'] = _sha3.sha3_512

[109] Fix | Delete

cache['shake_128'] = _sha3.shake_128

[110] Fix | Delete

cache['shake_256'] = _sha3.shake_256

[111] Fix | Delete

except ImportError:

[112] Fix | Delete

pass # no extension module, this hash is unsupported.

[113] Fix | Delete

[114] Fix | Delete

constructor = cache.get(name)

[115] Fix | Delete

if constructor is not None:

[116] Fix | Delete

return constructor

[117] Fix | Delete

[118] Fix | Delete

raise ValueError('unsupported hash type ' + name)

[119] Fix | Delete

[120] Fix | Delete

[121] Fix | Delete

def __get_openssl_constructor(name):

[122] Fix | Delete

if not _hashlib.get_fips_mode():

[123] Fix | Delete

if name in {

[124] Fix | Delete

'blake2b', 'blake2s', 'shake_256', 'shake_128',

[125] Fix | Delete

#'sha3_224', 'sha3_256', 'sha3_384', 'sha3_512',

[126] Fix | Delete

}:

[127] Fix | Delete

# Prefer our blake2 implementation.

[128] Fix | Delete

return __get_builtin_constructor(name)

[129] Fix | Delete

try:

[130] Fix | Delete

f = getattr(_hashlib, 'openssl_' + name)

[131] Fix | Delete

# Allow the C module to raise ValueError. The function will be

[132] Fix | Delete

# defined but the hash not actually available thanks to OpenSSL.

[133] Fix | Delete

if not _hashlib.get_fips_mode():

[134] Fix | Delete

# N.B. In "FIPS mode", there is no fallback.

[135] Fix | Delete

# If this test fails, we want to export the broken hash

[136] Fix | Delete

# constructor anyway.

[137] Fix | Delete

f()

[138] Fix | Delete

# Use the C function directly (very fast)

[139] Fix | Delete

return f

[140] Fix | Delete

except (AttributeError, ValueError):

[141] Fix | Delete

return __get_builtin_constructor(name)

[142] Fix | Delete

[143] Fix | Delete

if not _hashlib_get_fips_mode():

[144] Fix | Delete

def __py_new(name, data=b'', **kwargs):

[145] Fix | Delete

"""new(name, data=b'', **kwargs) - Return a new hashing object using the

[146] Fix | Delete

named algorithm; optionally initialized with data (which must be

[147] Fix | Delete

a bytes-like object).

[148] Fix | Delete

"""

[149] Fix | Delete

return __get_builtin_constructor(name)(data, **kwargs)

[150] Fix | Delete

[151] Fix | Delete

[152] Fix | Delete

def __hash_new(name, data=b'', **kwargs):

[153] Fix | Delete

"""new(name, data=b'') - Return a new hashing object using the named algorithm;

[154] Fix | Delete

optionally initialized with data (which must be a bytes-like object).

[155] Fix | Delete

"""

[156] Fix | Delete

if _hashlib.get_fips_mode():

[157] Fix | Delete

# Use OpenSSL names for Python built-in hashes

[158] Fix | Delete

orig_name = name

[159] Fix | Delete

name = {

[160] Fix | Delete

'sha3_224': "sha3-224",

[161] Fix | Delete

'sha3_256': "sha3-256",

[162] Fix | Delete

'sha3_384': "sha3-384",

[163] Fix | Delete

'sha3_512': "sha3-512",

[164] Fix | Delete

'shake_128': "shake128",

[165] Fix | Delete

'shake_256': "shake256",

[166] Fix | Delete

}.get(name, name)

[167] Fix | Delete

else:

[168] Fix | Delete

if name in {'blake2b', 'blake2s'}:

[169] Fix | Delete

# Prefer our blake2 implementation.

[170] Fix | Delete

# OpenSSL 1.1.0 comes with a limited implementation of blake2b/s.

[171] Fix | Delete

# It does neither support keyed blake2 nor advanced features like

[172] Fix | Delete

# salt, personal, tree hashing or SSE.

[173] Fix | Delete

return __get_builtin_constructor(name)(data, **kwargs)

[174] Fix | Delete

try:

[175] Fix | Delete

usedforsecurity = kwargs.pop('usedforsecurity', True)

[176] Fix | Delete

retval = _hashlib.new(

[177] Fix | Delete

name, data, usedforsecurity=usedforsecurity)

[178] Fix | Delete

if _hashlib.get_fips_mode() and name != orig_name:

[179] Fix | Delete

retval._set_name(orig_name)

[180] Fix | Delete

return retval

[181] Fix | Delete

except ValueError:

[182] Fix | Delete

# If the _hashlib module (OpenSSL) doesn't support the named

[183] Fix | Delete

# hash, try using our builtin implementations.

[184] Fix | Delete

# This allows for SHA224/256 and SHA384/512 support even though

[185] Fix | Delete

# the OpenSSL library prior to 0.9.8 doesn't provide them.

[186] Fix | Delete

if _hashlib.get_fips_mode():

[187] Fix | Delete

raise

[188] Fix | Delete

return __get_builtin_constructor(name)(data)

[189] Fix | Delete

[190] Fix | Delete

[191] Fix | Delete

try:

[192] Fix | Delete

import _hashlib

[193] Fix | Delete

new = __hash_new

[194] Fix | Delete

__get_hash = __get_openssl_constructor

[195] Fix | Delete

algorithms_available = algorithms_available.union(

[196] Fix | Delete

_hashlib.openssl_md_meth_names)

[197] Fix | Delete

except ImportError:

[198] Fix | Delete

if _hashlib_get_fips_mode():

[199] Fix | Delete

raise

[200] Fix | Delete

new = __py_new

[201] Fix | Delete

__get_hash = __get_builtin_constructor

[202] Fix | Delete

[203] Fix | Delete

[204] Fix | Delete

# OpenSSL's PKCS5_PBKDF2_HMAC requires OpenSSL 1.0+ with HMAC and SHA

[205] Fix | Delete

from _hashlib import pbkdf2_hmac

[206] Fix | Delete

[207] Fix | Delete

try:

[208] Fix | Delete

# OpenSSL's scrypt requires OpenSSL 1.1+

[209] Fix | Delete

from _hashlib import scrypt

[210] Fix | Delete

except ImportError:

[211] Fix | Delete

pass

[212] Fix | Delete

[213] Fix | Delete

for __func_name in __always_supported:

[214] Fix | Delete

# try them all, some may not work due to the OpenSSL

[215] Fix | Delete

# version not supporting that algorithm.

[216] Fix | Delete

try:

[217] Fix | Delete

globals()[__func_name] = __get_hash(__func_name)

[218] Fix | Delete

except ValueError:

[219] Fix | Delete

import logging

[220] Fix | Delete

logging.exception('code for hash %s was not found.', __func_name)

[221] Fix | Delete

[222] Fix | Delete

[223] Fix | Delete

# Cleanup locals()

[224] Fix | Delete

del __always_supported, __func_name, __get_hash

[225] Fix | Delete

del __hash_new, __get_openssl_constructor

[226] Fix | Delete

if not _hashlib.get_fips_mode():

[227] Fix | Delete

del __py_new

[228] Fix | Delete

del _hashlib_get_fips_mode

[229] Fix | Delete

[230] Fix | Delete