#2612 blacklist 'sha1' and 'md5'

git-svn-id: https://xpra.org/svn/Xpra/trunk@25344 3bb7dfac-3a0b-4e04-842a-767bc560f471
Xpra-org · Feb 26, 2020 · 7d7812c · 7d7812c
1 parent 7514652
commit 7d7812c
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/src/unittests/unit/net/digest_test.py b/src/unittests/unit/net/digest_test.py
@@ -34,7 +34,7 @@ def test_all_digests(self):
             verify_digest(digest, password, salt, d)
 
     def test_choose_digest(self):
-        for h in ("hmac+sha512", "hmac+sha384", "hmac+sha256", "hmac+sha224", "hmac+sha1", "hmac+md5",
+        for h in ("hmac+sha512", "hmac+sha384", "hmac+sha256", "hmac+sha224",
                   "xor", "des"):
             assert choose_digest((h,))==h
             assert choose_digest((h, "hmac+sha512"))=="hmac+sha512"

diff --git a/src/xpra/net/digest.py b/src/xpra/net/digest.py
@@ -13,11 +13,14 @@
 
 log = Logger("network", "crypto")
 
+BLACKLISTED_HASHES = ("sha1", "md5")
+
 
 def get_digests():
     digests = ["xor"]
     avail = hashlib.algorithms_available
-    digests += ["hmac+%s" % x for x in tuple(reversed(sorted([x for x in avail if not x.startswith("shake_")])))]
+    digests += ["hmac+%s" % x for x in tuple(reversed(sorted([
+        x for x in avail if not x.startswith("shake_") and x not in BLACKLISTED_HASHES])))]
     try:
         from xpra.net import d3des
         assert d3des
@@ -43,7 +46,7 @@ def choose_digest(options) -> str:
     assert len(options)>0, "no digest options"
     log("choose_digest(%s)", options)
     #prefer stronger hashes:
-    for h in ("sha512", "sha384", "sha256", "sha224", "sha1", "md5"):
+    for h in ("sha512", "sha384", "sha256", "sha224"):
         hname = "hmac+%s" % h
         if hname in options:
             return hname