Create a MAC based on authkey and message The MAC algorithm defaults to HMAC-MD5, unless MD5 is not available or the message has a '{digest_name}' prefix. For legacy HMAC-MD5, the response is the raw MAC, otherwise the response is prefixed with '{digest_name}', e.g. b'{sha256}abcdef
(authkey, message)
| 873 | |
| 874 | |
| 875 | def _create_response(authkey, message): |
| 876 | """Create a MAC based on authkey and message |
| 877 | |
| 878 | The MAC algorithm defaults to HMAC-MD5, unless MD5 is not available or |
| 879 | the message has a '{digest_name}' prefix. For legacy HMAC-MD5, the response |
| 880 | is the raw MAC, otherwise the response is prefixed with '{digest_name}', |
| 881 | e.g. b'{sha256}abcdefg...' |
| 882 | |
| 883 | Note: The MAC protects the entire message including the digest_name prefix. |
| 884 | """ |
| 885 | import hmac |
| 886 | digest_name = _get_digest_name_and_payload(message)[0] |
| 887 | # The MAC protects the entire message: digest header and payload. |
| 888 | if not digest_name: |
| 889 | # Legacy server without a {digest} prefix on message. |
| 890 | # Generate a legacy non-prefixed HMAC-MD5 reply. |
| 891 | try: |
| 892 | return hmac.new(authkey, message, 'md5').digest() |
| 893 | except ValueError: |
| 894 | # HMAC-MD5 is not available (FIPS mode?), fall back to |
| 895 | # HMAC-SHA2-256 modern protocol. The legacy server probably |
| 896 | # doesn't support it and will reject us anyways. :shrug: |
| 897 | digest_name = 'sha256' |
| 898 | # Modern protocol, indicate the digest used in the reply. |
| 899 | response = hmac.new(authkey, message, digest_name).digest() |
| 900 | return b'{%s}%s' % (digest_name.encode('ascii'), response) |
| 901 | |
| 902 | |
| 903 | def _verify_challenge(authkey, message, response): |
no test coverage detected