path: root/docs/hazmat/primitives/twofactor.rst
author: Terry Chia <terrycwk1994@gmail.com> 2016-07-16 22:22:32 +0800
committer: Paul Kehrer <paul.l.kehrer@gmail.com> 2016-07-16 08:22:32 -0600
commit: 69617caca7ff98f1a991b476669f1afcdfb01fb0 (patch)
tree: eef6034da6f6ddc8faa691b7787c7b3d7389a79c /docs/hazmat/primitives/twofactor.rst
parent: c0f5a8272988c7b93b301d2b3a53cd6f1a350dff (diff)
Add flag to toggle key length check for HOTP and TOTP. (#3012)
* Add an enforce_key_length parameter to HOTP and TOTP.
* Document changes in docs.
* Add some words to the wordlist.
* Add versionadded to docs.
Diffstat (limited to 'docs/hazmat/primitives/twofactor.rst')
-rw-r--r-- docs/hazmat/primitives/twofactor.rst 24
1 files changed, 22 insertions, 2 deletions
diff --git a/docs/hazmat/primitives/twofactor.rst b/docs/hazmat/primitives/twofactor.rst
index 9268f2fa..a1391fae 100644
--- a/docs/hazmat/primitives/twofactor.rst
+++ b/docs/hazmat/primitives/twofactor.rst
@@ -18,7 +18,7 @@ codes (HMAC).
.. currentmodule:: cryptography.hazmat.primitives.twofactor.hotp
-.. class:: HOTP(key, length, algorithm, backend)
+.. class:: HOTP(key, length, algorithm, backend, enforce_key_length=True)
.. versionadded:: 0.3
@@ -50,6 +50,16 @@ codes (HMAC).
:param backend: A
:class:`~cryptography.hazmat.backends.interfaces.HMACBackend`
provider.
+ :param enforce_key_length: A boolean flag defaulting to True that toggles
+ whether a minimum key length of 128 bits is enforced. This exists to
+ work around the fact that as documented in `Issue #2915`, the
+ Google Authenticator PAM module by default generates 80 bit keys. If
+ this flag is set to False, the application develop should implement
+ additional checks of the key length before passing it into
+ :class:`~cryptography.hazmat.primitives.twofactor.hotp.HOTP`.
+
+ .. versionadded:: 1.5
+
:raises ValueError: This is raised if the provided ``key`` is shorter than
128 bits or if the ``length`` parameter is not 6, 7 or 8.
:raises TypeError: This is raised if the provided ``algorithm`` is not
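Review bot: The unchanged ``:raises ValueError:`` line at the end of this hunk still says the error is raised whenever ``key`` is shorter than 128 bits, which no longer holds when ``enforce_key_length=False`` is passed. It should be qualified, for example "shorter than 128 bits while ``enforce_key_length`` is True". In the added paragraph, "the application develop should implement" should read "the application developer should implement".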
@@ -129,7 +139,7 @@ similar to the following code.
.. currentmodule:: cryptography.hazmat.primitives.twofactor.totp
-.. class:: TOTP(key, length, algorithm, time_step, backend)
+.. class:: TOTP(key, length, algorithm, time_step, backend, enforce_key_length=True)
TOTP objects take a ``key``, ``length``, ``algorithm`` and ``time_step``
parameter. The ``key`` should be :doc:`randomly generated bytes
@@ -163,6 +173,15 @@ similar to the following code.
:param backend: A
:class:`~cryptography.hazmat.backends.interfaces.HMACBackend`
provider.
+ :param enforce_key_length: A boolean flag defaulting to True that toggles
+ whether a minimum key length of 128 bits is enforced. This exists to
+ work around the fact that as documented in `Issue #2915`, the
+ Google Authenticator PAM module by default generates 80 bit keys. If
+ this flag is set to False, the application develop should implement
+ additional checks of the key length before passing it into
+ :class:`~cryptography.hazmat.primitives.twofactor.totp.TOTP`.
+
+ .. versionadded:: 1.5
:raises ValueError: This is raised if the provided ``key`` is shorter than
128 bits or if the ``length`` parameter is not 6, 7 or 8.
:raises TypeError: This is raised if the provided ``algorithm`` is not
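Review bot: The added ``.. versionadded:: 1.5`` runs straight into the following ``:raises ValueError:`` field with no blank line, unlike the HOTP hunk, which adds a trailing blank ``+`` line after the directive. Add the same blank line here so the directive is closed before the field list. The paragraph also asks the developer to "implement additional checks of the key length" without saying what the check should compare against; the text only mentions the 80 bit keys from the Google Authenticator PAM module, so naming the expected minimum would make the guidance actionable. The "application develop" typo and the unqualified ``:raises ValueError:`` wording are repeated here as well.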
@@ -222,3 +241,4 @@ A common usage is encoding the provisioning URI into QR code and guiding users
to scan it with Two-Factor authentication applications in their mobile devices.
.. _`spec of Google Authenticator`: https://github.com/google/google-authenticator/wiki/Key-Uri-Format
+.. _`Issue #2915`: https://github.com/pyca/cryptography/issues/2915