From 7d7812c09432d26da46fad9fffccf987fa126f3f Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Wed, 26 Feb 2020 12:45:22 +0000
Subject: [PATCH] #2612 blacklist 'sha1' and 'md5'

git-svn-id: https://xpra.org/svn/Xpra/trunk@25344 3bb7dfac-3a0b-4e04-842a-767bc560f471
---
 src/unittests/unit/net/digest_test.py | 2 +-
 src/xpra/net/digest.py | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/unittests/unit/net/digest_test.py b/src/unittests/unit/net/digest_test.py
index a7e379b736..9406014c56 100755
--- a/src/unittests/unit/net/digest_test.py
+++ b/src/unittests/unit/net/digest_test.py
@@ -34,7 +34,7 @@ def test_all_digests(self):
 verify_digest(digest, password, salt, d)
 def test_choose_digest(self):
- for h in ("hmac+sha512", "hmac+sha384", "hmac+sha256", "hmac+sha224", "hmac+sha1", "hmac+md5",
+ for h in ("hmac+sha512", "hmac+sha384", "hmac+sha256", "hmac+sha224",
 "xor", "des"):
 assert choose_digest((h,))==h
 assert choose_digest((h, "hmac+sha512"))=="hmac+sha512"
diff --git a/src/xpra/net/digest.py b/src/xpra/net/digest.py
index 8c3d258772..9c92bef112 100644
--- a/src/xpra/net/digest.py
+++ b/src/xpra/net/digest.py
@@ -13,11 +13,14 @@
 log = Logger("network", "crypto")
+BLACKLISTED_HASHES = ("sha1", "md5")
+
 def get_digests():
 digests = ["xor"]
 avail = hashlib.algorithms_available
- digests += ["hmac+%s" % x for x in tuple(reversed(sorted([x for x in avail if not x.startswith("shake_")])))]
+ digests += ["hmac+%s" % x for x in tuple(reversed(sorted([
+ x for x in avail if not x.startswith("shake_") and x not in BLACKLISTED_HASHES])))]
 try:
 from xpra.net import d3des
 assert d3des
@@ -43,7 +46,7 @@ def choose_digest(options) -> str:
 assert len(options)>0, "no digest options"
 log("choose_digest(%s)", options)
 #prefer stronger hashes:
- for h in ("sha512", "sha384", "sha256", "sha224", "sha1", "md5"):
+ for h in ("sha512", "sha384", "sha256", "sha224"):
 hname = "hmac+%s" % h
 if hname in options:
 return hname
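Review bot: After this edit `test_choose_digest` only stops exercising `hmac+sha1` and `hmac+md5`; nothing asserts that they are now refused, so a regression that re-admits them would still pass. Add negative assertions next to the loop, for example `assert "hmac+sha1" not in get_digests()` and `assert "hmac+md5" not in get_digests()` (importing `get_digests` if the test module does not already). A further case should pin what `choose_digest(("hmac+md5",))` does when only a blacklisted name is offered. The hunk ends inside `test_choose_digest`, so the rest of the method is not visible here.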
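Review bot: The new filter `x not in BLACKLISTED_HASHES` in `get_digests` is an exact, case-sensitive match against `hashlib.algorithms_available`. That set is populated from the linked OpenSSL, and on some builds it also carries spellings such as `SHA1`, `MD5` or `md5-sha1`, and other legacy digests such as `md4`, all of which would still be advertised as `hmac+…`. An allowlist of the hash families the project wants to offer is more robust than a denylist; at minimum normalise before comparing, e.g. `x.lower() not in BLACKLISTED_HASHES`. `get_digests` continues past the end of the hunk.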
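Review bot: Dropping `sha1` and `md5` from the preference tuple in `choose_digest` makes them unpreferred, but the visible lines do not reject them: what is returned when `options` holds only `hmac+sha1` is decided after the loop, outside this hunk. `options` presumably comes from the peer, so it is worth failing closed and leaving a log trace of downgrade attempts, e.g. `weak = [o for o in options if o.split("+")[-1] in BLACKLISTED_HASHES]` followed by `if weak: log.warn("ignoring blacklisted digests: %s", weak)`. The function that computes or verifies a digest is not part of this diff; if it looks the hash up by name, it should apply the same `BLACKLISTED_HASHES` check so a peer cannot name a blacklisted hash directly.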