Ticket #2329: xpra-1.0.13.fips-md5-sha256.patch

xpra/client/gtk2/client.py

@@ -70 +70 @@
         color_str = color_str.replace(":off", "")
         if color_str=="auto" or color_str=="":
             try:
+                from hashlib import md5
                 try:
-                    from hashlib import md5
-                except ImportError:
-                    from md5 import md5
-                m = md5()
+                    m = md5()
+                except ValueError:
+                    from hashlib import sha1
+                    m = sha1()
                 for x in extra_args:
                     m.update(str(x))
                 color_str = "#%s" % m.hexdigest()[:6]

xpra/client/window_backing_base.py

@@ -468 +468 @@
                 l = options.get("z.len")
                 if l:
                     assert l==len(img_data), "compressed pixel data failed length integrity check: expected %i bytes but got %i" % (l, len(img_data))
-                md5 = options.get("z.md5")
-                if md5:
-                    h = hashlib.md5(img_data)
+                try:
+                    chksum = options.get("z.md5")
+                    if chksum:
+                        h = hashlib.md5(img_data)
+                except ValueError:
+                    chksum = options.get("z.sha1")
+                    if chksum:
+                        h = hashlib.sha1(img_data)
+                if h:
                     hd = h.hexdigest()
-                    assert md5==hd, "pixel data failed compressed md5 integrity check: expected %s but got %s" % (md5, hd)
-                deltalog("passed compressed data integrity checks: len=%s, md5=%s (type=%s)", l, md5, type(img_data))
+                    assert chksum==hd, "pixel data failed compressed chksum integrity check: expected %s but got %s" % (chksum, hd)
+                deltalog("passed compressed data integrity checks: len=%s, chksum=%s (type=%s)", l, chksum, type(img_data))
             if coding == "mmap":
                 self.idle_add(self.paint_mmap, img_data, x, y, width, height, rowstride, options, callbacks)
             elif coding == "rgb24" or coding == "rgb32":

xpra/server/auth/file_auth.py

@@ -29 +29 @@
             log.error("Error: authentication failed")
             log.error(" no password for '%s' in '%s'", self.username, self.password_filename)
             return False
-        verify = hmac.HMAC(strtobytes(password), strtobytes(salt), digestmod=hashlib.md5).hexdigest()
+        verify = hmac.HMAC(strtobytes(password), strtobytes(salt), digestmod=hashlib.sha256).hexdigest()
         log("authenticate(%s) password='%s', hex(salt)=%s, hash=%s", challenge_response, nonl(password), binascii.hexlify(strtobytes(salt)), verify)
         if hasattr(hmac, "compare_digest"):
             eq = hmac.compare_digest(verify, challenge_response)

xpra/server/auth/multifile_auth.py

@@ -132 +132 @@
             log.error(" no password for '%s' in '%s'", self.username, self.password_filename)
             return None
         fpassword, uid, gid, displays, env_options, session_options = entry
-        verify = hmac.HMAC(strtobytes(fpassword), strtobytes(salt), digestmod=hashlib.md5).hexdigest()
+        verify = hmac.HMAC(strtobytes(fpassword), strtobytes(salt), digestmod=hashlib.sha1).hexdigest()
         log("authenticate(%s) password='%s', hex(salt)=%s, hash=%s", challenge_response, fpassword, binascii.hexlify(strtobytes(salt)), verify)
         if hasattr(hmac, "compare_digest"):
             eq = hmac.compare_digest(verify, challenge_response)

xpra/server/auth/sys_auth_base.py

@@ -115 +115 @@
             log.error("Error: %s authentication failed", self)
             log.error(" no password defined for '%s'", self.username)
             return False
-        verify = hmac.HMAC(strtobytes(password), strtobytes(salt), digestmod=hashlib.md5).hexdigest()
+        verify = hmac.HMAC(strtobytes(password), strtobytes(salt), digestmod=hashlib.sha256).hexdigest()
         log("authenticate(%s) password=%s, hex(salt)=%s, hash=%s", challenge_response, password, hexstr(strtobytes(salt)), verify)
         if hasattr(hmac, "compare_digest"):
             eq = hmac.compare_digest(verify, challenge_response)

xpra/server/proxy/proxy_instance_process.py

@@ -652 +652 @@
             import hmac, hashlib
             password = strtobytes(password)
             salt = strtobytes(salt)
-            challenge_response = hmac.HMAC(password, salt, digestmod=hashlib.md5).hexdigest()
+            challenge_response = hmac.HMAC(password, salt, digestmod=hashlib.sha1).hexdigest()
             log.info("sending %s challenge response", digest)
             self.send_hello(challenge_response, client_salt)
             return

xpra/server/window/window_source.py

@@ -1872 +1872 @@
                 v = data.data
             except:
                 v = data
-            md5 = hashlib.md5(v).hexdigest()
-            client_options["z.md5"] = md5
+            try:
+                chksum = hashlib.md5(v).hexdigest()
+                client_options["z.md5"] = chksum
+            except ValueError:
+                chksum = hashlib.sha1().hexdigest()
+                client_options["z.sha1"] = chksum
             client_options["z.len"] = len(data)
-            log("added len and hash of compressed data integrity %19s: %8i / %s", type(v), len(v), md5)
+            log("added len and hash of compressed data integrity %19s: %8i / %s", type(v), len(v), chksum)
         #actual network packet:
         if self.supports_flush and flush not in (None, 0):
             client_options["flush"] = flush