===============================
11.9 ç®€å•çš„å®¢æˆ·ç«¯è®¤è¯
===============================

----------
é—®é¢˜
----------
ä½ æƒ³åœ¨åˆ†å¸ƒå¼ç³»ç»Ÿä¸å®žçŽ°ä¸€ä¸ªç®€å•çš„å®¢æˆ·ç«¯è¿žæŽ¥è®¤è¯åŠŸèƒ½ï¼Œåˆä¸æƒ³åƒSSLé‚£æ ·çš„å¤æ‚ã€‚

----------
è§£å†³æ–¹æ¡ˆ
----------
å¯ä»¥åˆ©ç”¨ ``hmac`` æ¨¡å—å®žçŽ°ä¸€ä¸ªè¿žæŽ¥æ¡æ‰‹ï¼Œä»Žè€Œå®žçŽ°ä¸€ä¸ªç®€å•è€Œé«˜æ•ˆçš„è®¤è¯è¿‡ç¨‹ã€‚ä¸‹é¢æ˜¯ä»£ç ç¤ºä¾‹ï¼š

.. code-block:: python

    import hmac
    import os

    def client_authenticate(connection, secret_key):
        '''
        Authenticate client to a remote service.
        connection represents a network connection.
        secret_key is a key known only to both client/server.
        '''
        message = connection.recv(32)
        hash = hmac.new(secret_key, message)
        digest = hash.digest()
        connection.send(digest)

    def server_authenticate(connection, secret_key):
        '''
        Request client authentication.
        '''
        message = os.urandom(32)
        connection.send(message)
        hash = hmac.new(secret_key, message)
        digest = hash.digest()
        response = connection.recv(len(digest))
        return hmac.compare_digest(digest,response)

åŸºæœ¬åŽŸç†æ˜¯å½“è¿žæŽ¥å»ºç«‹åŽï¼ŒæœåŠ¡å™¨ç»™å®¢æˆ·ç«¯å‘é€ä¸€ä¸ªéšæœºçš„å—èŠ‚æ¶ˆæ¯ï¼ˆè¿™é‡Œä¾‹åä¸ä½¿ç”¨äº† ``os.urandom()`` è¿”å›žå€¼ï¼‰ã€‚
å®¢æˆ·ç«¯å’ŒæœåŠ¡å™¨åŒæ—¶åˆ©ç”¨hmacå’Œä¸€ä¸ªåªæœ‰åŒæ–¹çŸ¥é“çš„å¯†é’¥æ¥è®¡ç®—å‡ºä¸€ä¸ªåŠ å¯†å“ˆå¸Œå€¼ã€‚ç„¶åŽå®¢æˆ·ç«¯å°†å®ƒè®¡ç®—å‡ºçš„æ‘˜è¦å‘é€ç»™æœåŠ¡å™¨ï¼Œ
æœåŠ¡å™¨é€šè¿‡æ¯”è¾ƒè¿™ä¸ªå€¼å’Œè‡ªå·±è®¡ç®—çš„æ˜¯å¦ä¸€è‡´æ¥å†³å®šæŽ¥å—æˆ–æ‹’ç»è¿žæŽ¥ã€‚æ‘˜è¦çš„æ¯”è¾ƒéœ€è¦ä½¿ç”¨ ``hmac.compare_digest()`` å‡½æ•°ã€‚
ä½¿ç”¨è¿™ä¸ªå‡½æ•°å¯ä»¥é¿å…éåˆ°æ—¶é—´åˆ†æžæ”»å‡»ï¼Œä¸è¦ç”¨ç®€å•çš„æ¯”è¾ƒæ“ä½œç¬¦ï¼ˆ==ï¼‰ã€‚
ä¸ºäº†ä½¿ç”¨è¿™äº›å‡½æ•°ï¼Œä½ éœ€è¦å°†å®ƒé›†æˆåˆ°å·²æœ‰çš„ç½‘ç»œæˆ–æ¶ˆæ¯ä»£ç ä¸ã€‚ä¾‹å¦‚ï¼Œå¯¹äºŽsocketsï¼ŒæœåŠ¡å™¨ä»£ç åº”è¯¥ç±»ä¼¼ä¸‹é¢ï¼š

.. code-block:: python

    from socket import socket, AF_INET, SOCK_STREAM

    secret_key = b'peekaboo'
    def echo_handler(client_sock):
        if not server_authenticate(client_sock, secret_key):
            client_sock.close()
            return
        while True:

            msg = client_sock.recv(8192)
            if not msg:
                break
            client_sock.sendall(msg)

    def echo_server(address):
        s = socket(AF_INET, SOCK_STREAM)
        s.bind(address)
        s.listen(5)
        while True:
            c,a = s.accept()
            echo_handler(c)

    echo_server(('', 18000))

    Within a client, you would do this:

    from socket import socket, AF_INET, SOCK_STREAM

    secret_key = b'peekaboo'

    s = socket(AF_INET, SOCK_STREAM)
    s.connect(('localhost', 18000))
    client_authenticate(s, secret_key)
    s.send(b'Hello World')
    resp = s.recv(1024)

----------
è®¨è®º
----------
``hmac`` è®¤è¯çš„ä¸€ä¸ªå¸¸è§ä½¿ç”¨åœºæ™¯æ˜¯å†…éƒ¨æ¶ˆæ¯é€šä¿¡ç³»ç»Ÿå’Œè¿›ç¨‹é—´é€šä¿¡ã€‚
ä¾‹å¦‚ï¼Œå¦‚æžœä½ ç¼–å†™çš„ç³»ç»Ÿæ¶‰åŠåˆ°ä¸€ä¸ªé›†ç¾¤ä¸å¤šä¸ªå¤„ç†å™¨ä¹‹é—´çš„é€šä¿¡ï¼Œ
ä½ å¯ä»¥ä½¿ç”¨æœ¬èŠ‚æ–¹æ¡ˆæ¥ç¡®ä¿åªæœ‰è¢«å…è®¸çš„è¿›ç¨‹ä¹‹é—´æ‰èƒ½å½¼æ¤é€šä¿¡ã€‚
äº‹å®žä¸Šï¼ŒåŸºäºŽ ``hmac`` çš„è®¤è¯è¢« ``multiprocessing`` æ¨¡å—ä½¿ç”¨æ¥å®žçŽ°åè¿›ç¨‹ç›´æŽ¥çš„é€šä¿¡ã€‚

è¿˜æœ‰ä¸€ç‚¹éœ€è¦å¼ºè°ƒçš„æ˜¯è¿žæŽ¥è®¤è¯å’ŒåŠ å¯†æ˜¯ä¸¤ç äº‹ã€‚
è®¤è¯æˆåŠŸä¹‹åŽçš„é€šä¿¡æ¶ˆæ¯æ˜¯ä»¥æ˜Žæ–‡å½¢å¼å‘é€çš„ï¼Œä»»ä½•äººåªè¦æƒ³ç›‘å¬è¿™ä¸ªè¿žæŽ¥çº¿è·¯éƒ½èƒ½çœ‹åˆ°æ¶ˆæ¯ï¼ˆå°½ç®¡åŒæ–¹çš„å¯†é’¥ä¸ä¼šè¢«ä¼ è¾“ï¼‰ã€‚

hmacè®¤è¯ç®—æ³•åŸºäºŽå“ˆå¸Œå‡½æ•°å¦‚MD5å’ŒSHA-1ï¼Œå…³äºŽè¿™ä¸ªåœ¨IETF RFC 2104ä¸æœ‰è¯¦ç»†ä»‹ç»ã€‚