secdevcollaborated
diff --git a/‎Doc/ACKS‎
Lines changed: 1 addition & 0 deletions b/‎Doc/ACKS‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Doc/Makefile.deps‎
Lines changed: 1 addition & 0 deletions b/‎Doc/Makefile.deps‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Doc/lib/lib.tex‎
Lines changed: 1 addition & 0 deletions b/‎Doc/lib/lib.tex‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Doc/lib/libhmac.tex‎
Lines changed: 13 additions & 7 deletions b/‎Doc/lib/libhmac.tex‎
Lines changed: 13 additions & 7 deletions
diff --git a/‎Doc/lib/libmd5.tex‎
Lines changed: 1 addition & 0 deletions b/‎Doc/lib/libmd5.tex‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Doc/lib/libsha.tex‎
Lines changed: 2 additions & 0 deletions b/‎Doc/lib/libsha.tex‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎Doc/whatsnew/whatsnew25.tex‎
Lines changed: 9 additions & 0 deletions b/‎Doc/whatsnew/whatsnew25.tex‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎Lib/hashlib.py‎
Lines changed: 110 additions & 0 deletions b/‎Lib/hashlib.py‎
Lines changed: 110 additions & 0 deletions
diff --git a/‎Lib/hmac.py‎
Lines changed: 15 additions & 9 deletions b/‎Lib/hmac.py‎
Lines changed: 15 additions & 9 deletions
diff --git a/‎Lib/md5.py‎
Lines changed: 10 additions & 0 deletions b/‎Lib/md5.py‎
Lines changed: 10 additions & 0 deletions
@@ -164,6 +164,7 @@ Joakim Sernbrant
 Justin Sheehy
 Michael Simcich
 Ionel Simionescu
+Gregory P. Smith
 Roy Smith
 Clay Spence
 Nicholas Spies
 
@@ -202,6 +202,7 @@ LIBFILES= $(MANSTYLES) $(INDEXSTYLES) $(COMMONTEX) \
 	lib/librgbimg.tex \
 	lib/libossaudiodev.tex \
 	lib/libcrypto.tex \
+	lib/libhashlib.tex \
 	lib/libmd5.tex \
 	lib/libsha.tex \
 	lib/libhmac.tex \
 
@@ -303,6 +303,7 @@ \chapter*{Front Matter\label{front}}
 
 \input{libcrypto}               % Cryptographic Services
 \input{libhmac}
+\input{libhashlib}
 \input{libmd5}
 \input{libsha}
 
 
@@ -14,8 +14,10 @@ \section{\module{hmac} ---
 \begin{funcdesc}{new}{key\optional{, msg\optional{, digestmod}}}
   Return a new hmac object.  If \var{msg} is present, the method call
   \code{update(\var{msg})} is made. \var{digestmod} is the digest
-  module for the HMAC object to use. It defaults to the
-  \refmodule{md5} module.
+  constructor or module for the HMAC object to use. It defaults to 
+  the \code{\refmodule{hashlib}.md5} constructor.  \note{The md5 hash
+  has known weaknesses but remains the default for backwards compatibility.
+  Choose a better one for your application.}
 \end{funcdesc}
 
 An HMAC object has the following methods:
@@ -29,14 +31,14 @@ \section{\module{hmac} ---
 
 \begin{methoddesc}[hmac]{digest}{}
   Return the digest of the strings passed to the \method{update()}
-  method so far.  This is a 16-byte string (for \refmodule{md5}) or a
-  20-byte string (for \refmodule{sha}) which may contain non-\ASCII{}
-  characters, including NUL bytes.
+  method so far.  This string will be the same length as the
+  \var{digest_size} of the digest given to the constructor.  It
+  may contain non-\ASCII{} characters, including NUL bytes.
 \end{methoddesc}
 
 \begin{methoddesc}[hmac]{hexdigest}{}
-  Like \method{digest()} except the digest is returned as a string of
-  length 32 for \refmodule{md5} (40 for \refmodule{sha}), containing
+  Like \method{digest()} except the digest is returned as a string
+  twice the length containing
   only hexadecimal digits.  This may be used to exchange the value
   safely in email or other non-binary environments.
 \end{methoddesc}
@@ -46,3 +48,7 @@ \section{\module{hmac} ---
   efficiently compute the digests of strings that share a common
   initial substring.
 \end{methoddesc}
+
+\begin{seealso}
+  \seemodule{hashlib}{The python module providing secure hash functions.}
+\end{seealso}
@@ -4,6 +4,7 @@ \section{\module{md5} ---
 \declaremodule{builtin}{md5}
 \modulesynopsis{RSA's MD5 message digest algorithm.}
 
+\deprecated{2.5}{Use the \refmodule{hashlib} module instead.}
 
 This module implements the interface to RSA's MD5 message digest
 \index{message digest, MD5}
 
@@ -5,6 +5,8 @@ \section{\module{sha} ---
 \modulesynopsis{NIST's secure hash algorithm, SHA.}
 \sectionauthor{Fred L. Drake, Jr.}{fdrake@acm.org}
 
+\deprecated{2.5}{Use the \refmodule{hashlib} module instead.}
+
 
 This module implements the interface to NIST's\index{NIST} secure hash 
 algorithm,\index{Secure Hash Algorithm} known as SHA-1.  SHA-1 is an
 
@@ -247,6 +247,15 @@ \section{New, Improved, and Deprecated Modules}
 a different directory as the extraction target, and to unpack only a
 subset of the archive's members.  (Contributed by Lars Gust\"abel.)
 
+\item A new \module{hashlib} module has been added to replace the
+\module{md5} and \module{sha} modules and adds support for additional
+secure hashes such as SHA-256 and SHA-512.  The \module{hashlib} module
+uses OpenSSL for fast platform optimized implementations of algorithms
+when available.  The old \module{md5} and \module{sha} modules still
+exist as wrappers around hashlib to preserve backwards compatibility.
+
+(Contributed by Gregory P. Smith.)
+
 \end{itemize}
 
 
 
@@ -0,0 +1,110 @@
+# $Id$
+#
+#  Copyright (C) 2005   Gregory P. Smith (greg@electricrain.com)
+#  Licensed to PSF under a Contributor Agreement.
+#
+
+__doc__ = """hashlib module - A common interface to many hash functions.
+
+new(name, string='') - returns a new hash object implementing the
+                       given hash function; initializing the hash
+                       using the given string data.
+
+Named constructor functions are also available, these are much faster
+than using new():
+
+md5(), sha1(), sha224(), sha256(), sha384(), and sha512()
+
+More algorithms may be available on your platform but the above are
+guaranteed to exist.
+
+Choose your hash function wisely.  Some have known weaknesses.
+sha384 and sha512 will be slow on 32 bit platforms.
+"""
+
+
+def __get_builtin_constructor(name):
+    if name in ('SHA1', 'sha1'):
+        import _sha
+        return _sha.new
+    elif name in ('MD5', 'md5'):
+        import _md5
+        return _md5.new
+    elif name in ('SHA256', 'sha256', 'SHA224', 'sha224'):
+        import _sha256
+        bs = name[3:]
+        if bs == '256':
+            return _sha256.sha256
+        elif bs == '224':
+            return _sha256.sha224
+    elif name in ('SHA512', 'sha512', 'SHA384', 'sha384'):
+        import _sha512
+        bs = name[3:]
+        if bs == '512':
+            return _sha512.sha512
+        elif bs == '384':
+            return _sha512.sha384
+
+    raise ValueError, "unsupported hash type"
+
+
+def __py_new(name, string=''):
+    """new(name, string='') - Return a new hashing object using the named algorithm;
+    optionally initialized with a string.
+    """
+    return __get_builtin_constructor(name)(string)
+
+
+def __hash_new(name, string=''):
+    """new(name, string='') - Return a new hashing object using the named algorithm;
+    optionally initialized with a string.
+    """
+    try:
+        return _hashlib.new(name, string)
+    except ValueError:
+        # If the _hashlib module (OpenSSL) doesn't support the named
+        # hash, try using our builtin implementations.
+        # This allows for SHA224/256 and SHA384/512 support even though
+        # the OpenSSL library prior to 0.9.8 doesn't provide them.
+        return __get_builtin_constructor(name)(string)
+
+
+try:
+    import _hashlib
+    # use the wrapper of the C implementation
+    new = __hash_new
+
+    for opensslFuncName in filter(lambda n: n.startswith('openssl_'), dir(_hashlib)):
+        funcName = opensslFuncName[len('openssl_'):]
+        try:
+            # try them all, some may not work due to the OpenSSL
+            # version not supporting that algorithm.
+            f = getattr(_hashlib, opensslFuncName)
+            f()
+            # Use the C function directly (very fast)
+            exec funcName + ' = f'
+        except ValueError:
+            try:
+                # Use the builtin implementation directly (fast)
+                exec funcName + ' = __get_builtin_constructor(funcName)'
+            except ValueError:
+                # this one has no builtin implementation, don't define it
+                pass
+    # clean up our locals
+    del f
+    del opensslFuncName
+    del funcName
+
+except ImportError:
+    # We don't have the _hashlib OpenSSL module?
+    # use the built in legacy interfaces via a wrapper function
+    new = __py_new
+
+    # lookup the C function to use directly for the named constructors
+    md5 = __get_builtin_constructor('md5')
+    sha1 = __get_builtin_constructor('sha1')
+    sha224 = __get_builtin_constructor('sha224')
+    sha256 = __get_builtin_constructor('sha256')
+    sha384 = __get_builtin_constructor('sha384')
+    sha512 = __get_builtin_constructor('sha512')
+
@@ -28,27 +28,33 @@ def __init__(self, key, msg = None, digestmod = None):
 
         key:       key for the keyed hash object.
         msg:       Initial input for the hash, if provided.
-        digestmod: A module supporting PEP 247. Defaults to the md5 module.
+        digestmod: A module supporting PEP 247.  *OR*
+                   A hashlib constructor returning a new hash object.
+                   Defaults to hashlib.md5.
         """
 
         if key is _secret_backdoor_key: # cheap
             return
 
         if digestmod is None:
-            import md5
-            digestmod = md5
+            import hashlib
+            digestmod = hashlib.md5
 
-        self.digestmod = digestmod
-        self.outer = digestmod.new()
-        self.inner = digestmod.new()
-        self.digest_size = digestmod.digest_size
+        if callable(digestmod):
+            self.digest_cons = digestmod
+        else:
+            self.digest_cons = lambda d='': digestmod.new(d)
+
+        self.outer = self.digest_cons()
+        self.inner = self.digest_cons()
+        self.digest_size = self.inner.digest_size
 
         blocksize = 64
         ipad = "\x36" * blocksize
         opad = "\x5C" * blocksize
 
         if len(key) > blocksize:
-            key = digestmod.new(key).digest()
+            key = self.digest_cons(key).digest()
 
         key = key + chr(0) * (blocksize - len(key))
         self.outer.update(_strxor(key, opad))
@@ -70,7 +76,7 @@ def copy(self):
         An update to this copy won't affect the original object.
         """
         other = HMAC(_secret_backdoor_key)
-        other.digestmod = self.digestmod
+        other.digest_cons = self.digest_cons
         other.digest_size = self.digest_size
         other.inner = self.inner.copy()
         other.outer = self.outer.copy()
 
@@ -0,0 +1,10 @@
+# $Id$
+#
+#  Copyright (C) 2005   Gregory P. Smith (greg@electricrain.com)
+#  Licensed to PSF under a Contributor Agreement.
+
+from hashlib import md5
+new = md5
+
+blocksize = 1        # legacy value (wrong in any useful sense)
+digest_size = 16