Verify MAC challenge If our message did not include a digest_name prefix, the client is allowed to select a stronger digest_name from _ALLOWED_DIGESTS. In case our message is prefixed, a client cannot downgrade to a weaker algorithm, because the MAC is calculated over the entire me
(authkey, message, response)
| 939 | |
| 940 | |
| 941 | def _verify_challenge(authkey, message, response): |
| 942 | """Verify MAC challenge |
| 943 | |
| 944 | If our message did not include a digest_name prefix, the client is allowed |
| 945 | to select a stronger digest_name from _ALLOWED_DIGESTS. |
| 946 | |
| 947 | In case our message is prefixed, a client cannot downgrade to a weaker |
| 948 | algorithm, because the MAC is calculated over the entire message |
| 949 | including the '{digest_name}' prefix. |
| 950 | """ |
| 951 | import hmac |
| 952 | response_digest, response_mac = _get_digest_name_and_payload(response) |
| 953 | response_digest = response_digest or 'md5' |
| 954 | try: |
| 955 | expected = hmac.new(authkey, message, response_digest).digest() |
| 956 | except ValueError: |
| 957 | raise AuthenticationError(f'{response_digest=} unsupported') |
| 958 | if len(expected) != len(response_mac): |
| 959 | raise AuthenticationError( |
| 960 | f'expected {response_digest!r} of length {len(expected)} ' |
| 961 | f'got {len(response_mac)}') |
| 962 | if not hmac.compare_digest(expected, response_mac): |
| 963 | raise AuthenticationError('digest received was wrong') |
| 964 | |
| 965 | |
| 966 | def deliver_challenge(connection, authkey: bytes, digest_name='sha256'): |
no test coverage detected
searching dependent graphs…