bpo-9216: Add usedforsecurity to hashlib constructors (GH-16044)
The usedforsecurity keyword only argument added to the hash constructors is useful for FIPS builds and similar restrictive environment with non-technical requirements that legacy algorithms be forbidden by their implementations without being explicitly annotated as not being used for any security related purposes. Linux distros with FIPS support benefit from this being standard rather than making up their own way(s) to do it.
Contributed and Signed-off-by: Christian Heimes christian@python.org
diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
index b7b04a3..46088e5 100644
--- a/Lib/test/test_hashlib.py
+++ b/Lib/test/test_hashlib.py
@@ -190,6 +190,15 @@
self.assertTrue(set(hashlib.algorithms_guaranteed).
issubset(hashlib.algorithms_available))
+ def test_usedforsecurity(self):
+ for cons in self.hash_constructors:
+ cons(usedforsecurity=True)
+ cons(usedforsecurity=False)
+ cons(b'', usedforsecurity=True)
+ cons(b'', usedforsecurity=False)
+ hashlib.new("sha256", usedforsecurity=True)
+ hashlib.new("sha256", usedforsecurity=False)
+
def test_unknown_hash(self):
self.assertRaises(ValueError, hashlib.new, 'spam spam spam spam spam')
self.assertRaises(TypeError, hashlib.new, 1)
diff --git a/Lib/uuid.py b/Lib/uuid.py
index 188e16b..5f3bc9e 100644
--- a/Lib/uuid.py
+++ b/Lib/uuid.py
@@ -772,8 +772,11 @@
def uuid3(namespace, name):
"""Generate a UUID from the MD5 hash of a namespace UUID and a name."""
from hashlib import md5
- hash = md5(namespace.bytes + bytes(name, "utf-8")).digest()
- return UUID(bytes=hash[:16], version=3)
+ digest = md5(
+ namespace.bytes + bytes(name, "utf-8"),
+ usedforsecurity=False
+ ).digest()
+ return UUID(bytes=digest[:16], version=3)
def uuid4():
"""Generate a random UUID."""