* Fix `hashlib.file_digest()` versionchanged description of `BlockingIOError`
The sentence was missing a negation and contradicted the other two
descriptions in the same commit. I believe code behaviour is correct.
* fixup! Fix `hashlib.file_digest()` versionchanged description of `BlockingIOError`
* Remove unncessary NEWS.d entry
* gh-129327: revise hashlib documentation to account for FIPS removing sha1
More generally, the current documentation is a bit scattered, talking
about what terms are "equal" despite those terms not being very
interesting and given the term "secure hash", probably wrong (because
md5 and sha1 are not secure anymore).
Let's talk about cryptographically secure instead, and note that two of
them aren't. And then we can also link to the source for NIST going
through the removal process for SHA1.
* Add Gregors Suggestion
* Clean up
---------
Co-authored-by: Eli Schwartz <eschwartz@gentoo.org>
Remove the pure Python implementation of hashlib.pbkdf2_hmac(),
deprecated in Python 3.10. Python 3.10 and newer requires OpenSSL
1.1.1 or newer (PEP 644), this OpenSSL version provides a C
implementation of pbkdf2_hmac() which is faster.
Less specific number wording (as there is no one right number - the old 100k is too big for some applications and woefully small for others). We now link to NIST SP 800-132 to tell people what to read in there on how to decide for their application.
Co-authored-by: Gregory P. Smith <greg@krypto.org> [Google]
ripemd160 is not available in OpenSSL 3.0.0's default crypto provider.
It's only present in legacy provider.
Signed-off-by: Christian Heimes <christian@python.org>
* "Return true/false" is replaced with "Return ``True``/``False``"
if the function actually returns a bool.
* Fixed formatting of some True and False literals (now in monospace).
* Replaced "True/False" with "true/false" if it can be not only bool.
* Replaced some 1/0 with True/False if it corresponds the code.
* "Returns <bool>" is replaced with "Return <bool>".
The usedforsecurity keyword only argument added to the hash constructors is useful for FIPS builds and similar restrictive environment with non-technical requirements that legacy algorithms be forbidden by their implementations without being explicitly annotated as not being used for any security related purposes. Linux distros with FIPS support benefit from this being standard rather than making up their own way(s) to do it.
Contributed and Signed-off-by: Christian Heimes christian@python.org
* help(hashlib) didn't work because of incorrect module name in blake2b and
blake2s classes.
* Constructors blake2*(), sha3_*(), shake_*() and keccak_*() incorrectly
accepted keyword argument "string" for binary data, but documented as
accepting the "data" keyword argument. Now this parameter is positional-only.
* Keyword-only parameters in blake2b() and blake2s() were not documented as
keyword-only.
* Default value for some parameters of blake2b() and blake2s() was None,
which is not acceptable value.
* The length argument for shake_*.digest() was wrapped out to 32 bits.
* The argument for shake_128.digest() and shake_128.hexdigest() was not
positional-only as intended.
* TypeError messages for incorrect arguments in all constructors sha3_*(),
shake_*() and keccak_*() incorrectly referred to sha3_224.
Also made the following enhancements:
* More accurately specified input and result types for strings, bytes and
bytes-like objects.
* Unified positional parameter names for update() and constructors.
* Improved formatting.
kB (*kilo* byte) unit means 1000 bytes, whereas KiB ("kibibyte")
means 1024 bytes. KB was misused: replace kB or KB with KiB when
appropriate.
Same change for MB and GB which become MiB and GiB.
Change the output of Tools/iobench/iobench.py.
Round also the size of the documentation from 5.5 MB to 5 MiB.
The `blake2b` function does not take the `data` keyword argument.
The hex digest returned by sign was a string, whereas compare_digest expects bytes-like objects.
Typo fix: compare_digesty -> compare_digest
