Closed gxx777 closed 6 months ago
Thanks for pointing out the existence of this flag in the standard lib - I didn't realize it was added back in 2020 ...
Still, I am not convinced and will not implement the proposal, because I don't agree it is a good idea in the first place.
1) It was not introduced in hashlib for security reasons (e.g., to combat misuse) but to make compliance with FIPS easier, and especially because of OpenSSL FIPS. This is described fully in the old GH issue that proposed the flag. Simply put, it is a way to demonstrate to an auditor that the Python program will not use non-FIPS hashes for security purposes (after having somehow convinced the auditor that the developer set the flag in the right way at each place, which is dubious... - and I wonder how your Detector establishes that? Does it simply trust the flag?).
2) It is simply ugly and a bad pattern. FIPS doesn't cover only hashes, so by the same token that flag needs to be added to every single security algorithm (ciphers, MACs, etc). API calls will become much more verbose, for little value.
Thanks for your prompt response. As you mentioned:
Hello,
Thank you for maintaining the Python cryptographic library.
I am a research student with an interest in cryptographic engineering. Recently, we developed a Cryptographic APIs Misuse Detector to identify potential misuses. We have also adapted our rules for the mainstream pycryptodome library. In comparing the use of insecure hash functions between the pycryptodome library and the hashlib standard library, we identified numerous misuses in real-world applications. Unfortunately, unlike the hashlib standard library, the pycryptodome library does not have a keyword-only argument like usedforsecurity to explicitly indicate whether it is used in a security context. I believe it would be beneficial to consider adding this feature. As a reference, in the official library, there is a set keyword-only argument usedforsecurity with the default value True. A false value allows the use of insecure and blocked hashing algorithms in restricted environments. Reference: hashlib
Usage
I am grateful for your dedication to the cryptographic library. If this enhancement is considered, I would be delighted to contribute to the Python cryptographic library.
Thank you for your time and consideration.
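The hashlib flag discussed in this thread, as an added example that is not part of the original posts or of either library: a small AST check that separates weak-hash calls carrying usedforsecurity=False from those that leave the default. The WEAK set, the verdict labels and the sample source are assumptions constructed for illustration; the check only reads the declaration at the call site and cannot confirm it matches how the digest is actually used.

```python
import ast

WEAK = {"md5", "sha1"}  # assumption: algorithms this example treats as weak

# Constructed sample source; it is parsed, never executed.
SAMPLE = '''\
import hashlib
token = hashlib.md5(password).hexdigest()
etag = hashlib.md5(body, usedforsecurity=False).hexdigest()
sig = hashlib.new("sha1", msg)
cache_key = hashlib.new("sha1", path, usedforsecurity=False)
ok = hashlib.sha256(msg)
maybe = hashlib.md5(data, usedforsecurity=FLAG)
'''

def weak_algorithm(call):
    """Return the weak algorithm named by a hashlib.<algo>() or hashlib.new() call."""
    f = call.func
    if not (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
            and f.value.id == "hashlib"):
        return None
    if f.attr in WEAK:
        return f.attr
    if f.attr == "new" and call.args and isinstance(call.args[0], ast.Constant):
        name = str(call.args[0].value).lower()
        return name if name in WEAK else None
    return None

def classify(source):
    """Return sorted (line, algorithm, verdict) tuples for weak-hash calls."""
    results = []
    for node in ast.walk(ast.parse(source)):
        algo = weak_algorithm(node) if isinstance(node, ast.Call) else None
        if algo is None:
            continue
        kw = next((k for k in node.keywords if k.arg == "usedforsecurity"), None)
        if kw is None:
            verdict = "flag"                   # default True: treated as security use
        elif not isinstance(kw.value, ast.Constant):
            verdict = "unknown"                # value decided at run time
        elif kw.value.value:
            verdict = "flag"                   # explicitly marked as security use
        else:
            verdict = "declared-non-security"  # developer's claim, not verified
        results.append((node.lineno, algo, verdict))
    return sorted(results)

if __name__ == "__main__":
    for line, algo, verdict in classify(SAMPLE):
        print(f"line {line}: {algo}: {verdict}")
```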