bpo-9216: Add usedforsecurity to hashlib constructors (GH-16044)

The usedforsecurity keyword only argument added to the hash constructors is useful for FIPS builds and similar restrictive environment with non-technical requirements that legacy algorithms be forbidden by their implementations without being explicitly annotated as not being used for any security related purposes. Linux distros with FIPS support benefit from this being standard rather than making up their own way(s) to do it. Contributed and Signed-off-by: Christian Heimes christian@python.org
2025-11-01 18:51:43 +00:00 · 2019-09-13 02:30:00 +02:00 · 2019-09-13 02:30:00 +02:00 · 7cad53e6b0
commit 7cad53e6b0
parent 3a4f66707e
20 changed files with 495 additions and 165 deletions
--- a/Modules/_blake2/blake2s_impl.c
+++ b/Modules/_blake2/blake2s_impl.c
@ -81,6 +81,7 @@ _blake2.blake2s.__new__ as py_blake2s_new
    node_depth: int = 0
    inner_size: int = 0
    last_node: bool = False
+    usedforsecurity: bool = True

 Return a new BLAKE2s hash object.
 [clinic start generated code]*/
@ -90,8 +91,8 @@ py_blake2s_new_impl(PyTypeObject *type, PyObject *data, int digest_size,
                    Py_buffer *key, Py_buffer *salt, Py_buffer *person,
                    int fanout, int depth, unsigned long leaf_size,
                    unsigned long long node_offset, int node_depth,
-                    int inner_size, int last_node)
-/*[clinic end generated code: output=b95806be0514dcf7 input=641c0509debf714d]*/
+                    int inner_size, int last_node, int usedforsecurity)
+/*[clinic end generated code: output=556181f73905c686 input=4dda87723f23abb0]*/
 {
    BLAKE2sObject *self = NULL;
    Py_buffer buf;