summaryrefslogtreecommitdiffstats
path: root/Doc/library/hashlib.rst
diff options
context:
space:
mode:
Diffstat (limited to 'Doc/library/hashlib.rst')
-rw-r--r--Doc/library/hashlib.rst79
1 files changed, 70 insertions, 9 deletions
diff --git a/Doc/library/hashlib.rst b/Doc/library/hashlib.rst
index a2e96ca..2cb3c78 100644
--- a/Doc/library/hashlib.rst
+++ b/Doc/library/hashlib.rst
@@ -44,8 +44,8 @@ Hash algorithms
---------------
There is one constructor method named for each type of :dfn:`hash`. All return
-a hash object with the same simple interface. For example: use :func:`sha1` to
-create a SHA1 hash object. You can now feed this object with :term:`bytes-like
+a hash object with the same simple interface. For example: use :func:`sha256` to
+create a SHA-256 hash object. You can now feed this object with :term:`bytes-like
objects <bytes-like object>` (normally :class:`bytes`) using the :meth:`update` method.
At any point you can ask it for the :dfn:`digest` of the
concatenation of the data fed to it so far using the :meth:`digest` or
@@ -64,21 +64,33 @@ concatenation of the data fed to it so far using the :meth:`digest` or
.. index:: single: OpenSSL; (use in module hashlib)
Constructors for hash algorithms that are always present in this module are
-:func:`md5`, :func:`sha1`, :func:`sha224`, :func:`sha256`, :func:`sha384`,
-and :func:`sha512`. Additional algorithms may also be available depending upon
-the OpenSSL library that Python uses on your platform.
+:func:`sha1`, :func:`sha224`, :func:`sha256`, :func:`sha384`,
+:func:`sha512`, :func:`blake2b`, and :func:`blake2s`.
+:func:`md5` is normally available as well, though it
+may be missing if you are using a rare "FIPS compliant" build of Python.
+Additional algorithms may also be available depending upon the OpenSSL
+library that Python uses on your platform. On most platforms the
+:func:`sha3_224`, :func:`sha3_256`, :func:`sha3_384`, :func:`sha3_512`,
+:func:`shake_128`, :func:`shake_256` are also available.
+
+.. versionadded:: 3.6
+ SHA3 (Keccak) and SHAKE constructors :func:`sha3_224`, :func:`sha3_256`,
+ :func:`sha3_384`, :func:`sha3_512`, :func:`shake_128`, :func:`shake_256`.
+
+.. versionadded:: 3.6
+ :func:`blake2b` and :func:`blake2s` were added.
For example, to obtain the digest of the byte string ``b'Nobody inspects the
spammish repetition'``::
>>> import hashlib
- >>> m = hashlib.md5()
+ >>> m = hashlib.sha256()
>>> m.update(b"Nobody inspects")
>>> m.update(b" the spammish repetition")
>>> m.digest()
- b'\xbbd\x9c\x83\xdd\x1e\xa5\xc9\xd9\xde\xc9\xa1\x8d\xf0\xff\xe9'
+ b'\x03\x1e\xdd}Ae\x15\x93\xc5\xfe\\\x00o\xa5u+7\xfd\xdf\xf7\xbcN\x84:\xa6\xaf\x0c\x95\x0fK\x94\x06'
>>> m.digest_size
- 16
+ 32
>>> m.block_size
64
@@ -107,7 +119,9 @@ Hashlib provides the following constant attributes:
.. data:: algorithms_guaranteed
A set containing the names of the hash algorithms guaranteed to be supported
- by this module on all platforms.
+ by this module on all platforms. Note that 'md5' is in this list despite
+ some upstream vendors offering an odd "FIPS compliant" Python build that
+ excludes it.
.. versionadded:: 3.2
@@ -181,6 +195,28 @@ A hash object has the following methods:
compute the digests of data sharing a common initial substring.
+SHAKE variable length digests
+-----------------------------
+
+The :func:`shake_128` and :func:`shake_256` algorithms provide variable
+length digests with length_in_bits//2 up to 128 or 256 bits of security.
+As such, their digest methods require a length. Maximum length is not limited
+by the SHAKE algorithm.
+
+.. method:: shake.digest(length)
+
+ Return the digest of the data passed to the :meth:`update` method so far.
+ This is a bytes object of size ``length`` which may contain bytes in
+ the whole range from 0 to 255.
+
+
+.. method:: shake.hexdigest(length)
+
+ Like :meth:`digest` except the digest is returned as a string object of
+ double length, containing only hexadecimal digits. This may be used to
+ exchange the value safely in email or other non-binary environments.
+
+
Key derivation
--------------
@@ -221,6 +257,29 @@ include a `salt <https://en.wikipedia.org/wiki/Salt_%28cryptography%29>`_.
Python implementation uses an inline version of :mod:`hmac`. It is about
three times slower and doesn't release the GIL.
+.. function:: scrypt(password, *, salt, n, r, p, maxmem=0, dklen=64)
+
+ The function provides scrypt password-based key derivation function as
+ defined in :rfc:`7914`.
+
+ *password* and *salt* must be bytes-like objects. Applications and
+ libraries should limit *password* to a sensible length (e.g. 1024). *salt*
+ should be about 16 or more bytes from a proper source, e.g. :func:`os.urandom`.
+
+ *n* is the CPU/Memory cost factor, *r* the block size, *p* parallelization
+ factor and *maxmem* limits memory (OpenSSL 1.1.0 defaults to 32 MB).
+ *dklen* is the length of the derived key.
+
+ Availability: OpenSSL 1.1+
+
+ .. versionadded:: 3.6
+
+
+BLAKE2
+------
+
+BLAKE2 takes additional arguments, see :ref:`hashlib-blake2`.
+
.. seealso::
@@ -230,6 +289,8 @@ include a `salt <https://en.wikipedia.org/wiki/Salt_%28cryptography%29>`_.
Module :mod:`base64`
Another way to encode binary hashes for non-binary environments.
+ See :ref:`hashlib-blake2`.
+
http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
The FIPS 180-2 publication on Secure Hash Algorithms.