bpo-9216: Add usedforsecurity to hashlib constructors (GH-16044)

The usedforsecurity keyword only argument added to the hash constructors is useful for FIPS builds and similar restrictive environment with non-technical requirements that legacy algorithms be forbidden by their implementations without being explicitly annotated as not being used for any security related purposes. Linux distros with FIPS support benefit from this being standard rather than making up their own way(s) to do it. Contributed and Signed-off-by: Christian Heimes christian@python.org
2025-08-04 00:48:58 +00:00 · 2019-09-13 02:30:00 +02:00 · 2019-09-13 02:30:00 +02:00 · 7cad53e6b0
commit 7cad53e6b0
parent 3a4f66707e
20 changed files with 495 additions and 165 deletions
--- a/Modules/_blake2/blake2b_impl.c
+++ b/Modules/_blake2/blake2b_impl.c
@ -81,6 +81,7 @@ _blake2.blake2b.__new__ as py_blake2b_new
    node_depth: int = 0
    inner_size: int = 0
    last_node: bool = False
+    usedforsecurity: bool = True

 Return a new BLAKE2b hash object.
 [clinic start generated code]*/
@ -90,8 +91,8 @@ py_blake2b_new_impl(PyTypeObject *type, PyObject *data, int digest_size,
                    Py_buffer *key, Py_buffer *salt, Py_buffer *person,
                    int fanout, int depth, unsigned long leaf_size,
                    unsigned long long node_offset, int node_depth,
-                    int inner_size, int last_node)
-/*[clinic end generated code: output=65e732c66c2297a0 input=82be35a4e6a9daa2]*/
+                    int inner_size, int last_node, int usedforsecurity)
+/*[clinic end generated code: output=32bfd8f043c6896f input=b947312abff46977]*/
 {
    BLAKE2bObject *self = NULL;
    Py_buffer buf;