Create a MAC based on authkey and message The MAC algorithm defaults to HMAC-MD5, unless MD5 is not available or the message has a '{digest_name}' prefix. For legacy HMAC-MD5, the response is the raw MAC, otherwise the response is prefixed with '{digest_name}', e.g. b'{sha256}abcdef
(authkey, message)
| 911 | |
| 912 | |
| 913 | def _create_response(authkey, message): |
| 914 | """Create a MAC based on authkey and message |
| 915 | |
| 916 | The MAC algorithm defaults to HMAC-MD5, unless MD5 is not available or |
| 917 | the message has a '{digest_name}' prefix. For legacy HMAC-MD5, the response |
| 918 | is the raw MAC, otherwise the response is prefixed with '{digest_name}', |
| 919 | e.g. b'{sha256}abcdefg...' |
| 920 | |
| 921 | Note: The MAC protects the entire message including the digest_name prefix. |
| 922 | """ |
| 923 | import hmac |
| 924 | digest_name = _get_digest_name_and_payload(message)[0] |
| 925 | # The MAC protects the entire message: digest header and payload. |
| 926 | if not digest_name: |
| 927 | # Legacy server without a {digest} prefix on message. |
| 928 | # Generate a legacy non-prefixed HMAC-MD5 reply. |
| 929 | try: |
| 930 | return hmac.new(authkey, message, 'md5').digest() |
| 931 | except ValueError: |
| 932 | # HMAC-MD5 is not available (FIPS mode?), fall back to |
| 933 | # HMAC-SHA2-256 modern protocol. The legacy server probably |
| 934 | # doesn't support it and will reject us anyways. :shrug: |
| 935 | digest_name = 'sha256' |
| 936 | # Modern protocol, indicate the digest used in the reply. |
| 937 | response = hmac.new(authkey, message, digest_name).digest() |
| 938 | return b'{%s}%s' % (digest_name.encode('ascii'), response) |
| 939 | |
| 940 | |
| 941 | def _verify_challenge(authkey, message, response): |
no test coverage detected
searching dependent graphs…