Merge pull request #1551 from fail2ban/sebres-patch-fips-gh-1540

filter.py: FIPS compliant fix (use sha1 instead of md5 if not allowed)
2016-09-21 09:35:25 +02:00 · 2016-09-21 09:35:25 +02:00 · 28e286cd2d
parent fad953ade6 0f1d1a0d4d
commit 28e286cd2d
2 changed files with 7 additions and 1 deletions
--- a/1
+++ b/1
@ -23,6 +23,7 @@ releases.
 * Fixed test case "testSetupInstallRoot" for not default python version (also
  using direct call, out of virtualenv);
 * Fixed ambiguous wrong recognized date pattern resp. its optional parts (see gh-1512);
+* FIPS compliant, use sha1 instead of md5 if it not allowed (see gh-1540)
 * `filter.d/asterisk.conf`
    - Fixed to match different asterisk log prefix (source file: method:)
 * `filter.d/ignorecommands/apache-fakegooglebot`
--- a/fail2ban/server/filter.py
+++ b/fail2ban/server/filter.py
@ -742,7 +742,12 @@ class FileFilter(Filter):

 try:
 	import hashlib
-	md5sum = hashlib.md5
+	try:
+		md5sum = hashlib.md5
+		# try to use it (several standards like FIPS forbid it):
+		md5sum(' ').hexdigest()
+	except: # pragma: no cover
+		md5sum = hashlib.sha1
 except ImportError: # pragma: no cover
 	# hashlib was introduced in Python 2.5.  For compatibility with those
 	# elderly Pythons, import from md5