commit 7cad53e6b084435a220e6604010f1fa5778bd0b1
author Christian Heimes <christian@python.org> Fri Sep 13 02:30:00 2019 +0200
committer Gregory P. Smith <greg@krypto.org> Thu Sep 12 19:30:00 2019 -0500
tree a54b4906b9e9fc18bd5319fe87ad8a7fc071b3a7
parent 3a4f66707e824ef3a8384827590ebaa6ca463dc0

bpo-9216: Add usedforsecurity to hashlib constructors (GH-16044)

The usedforsecurity keyword only argument added to the hash constructors is useful for FIPS builds and similar restrictive environment with non-technical requirements that legacy algorithms be forbidden by their implementations without being explicitly annotated as not being used for any security related purposes.  Linux distros with FIPS support benefit from this being standard rather than making up their own way(s) to do it.

Contributed and Signed-off-by: Christian Heimes christian@python.org

Lib/test/test_hashlib.py

diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
index b7b04a3..46088e5 100644
--- a/Lib/test/test_hashlib.py
+++ b/Lib/test/test_hashlib.py
@@ -190,6 +190,15 @@
         self.assertTrue(set(hashlib.algorithms_guaranteed).
                             issubset(hashlib.algorithms_available))
 
+    def test_usedforsecurity(self):
+        for cons in self.hash_constructors:
+            cons(usedforsecurity=True)
+            cons(usedforsecurity=False)
+            cons(b'', usedforsecurity=True)
+            cons(b'', usedforsecurity=False)
+        hashlib.new("sha256", usedforsecurity=True)
+        hashlib.new("sha256", usedforsecurity=False)
+
     def test_unknown_hash(self):
         self.assertRaises(ValueError, hashlib.new, 'spam spam spam spam spam')
         self.assertRaises(TypeError, hashlib.new, 1)