authorAlex Gaynor <alex.gaynor@gmail.com>2016-01-28 08:53:16 -0500
committerAlex Gaynor <alex.gaynor@gmail.com>2016-01-28 08:53:16 -0500
commit4b02a9b424be448aef5e00abe3bb22f56c84144b (patch)
tree709be444e0661d906d6b911a233016556d1481cf
parente3b11da1ff61655838e7dd75735685adfa30bc64 (diff)
Drop support for RC4.
It's cryptanalytically completely 100% broken, and practical attacks have been demonstrated against its usage in TLS. As far as I'm aware, there's no use case for RC4 based on compatibility.
-rw-r--r--paramiko/transport.py25
1 files changed, 2 insertions, 23 deletions
diff --git a/paramiko/transport.py b/paramiko/transport.py
index 18fb103b..5b440a4d 100644
--- a/paramiko/transport.py
+++ b/paramiko/transport.py
@@ -64,7 +64,7 @@ from paramiko.ssh_exception import (SSHException, BadAuthenticationType,
ChannelException, ProxyCommandFailure)
from paramiko.util import retry_on_signal, ClosingContextManager, clamp_value
-from Crypto.Cipher import Blowfish, AES, DES3, ARC4
+from Crypto.Cipher import Blowfish, AES, DES3
try:
from Crypto.Util import Counter
except ImportError:
@@ -106,8 +106,6 @@ class Transport (threading.Thread, ClosingContextManager):
'aes192-cbc',
'aes256-cbc',
'3des-cbc',
- 'arcfour128',
- 'arcfour256',
)
_preferred_macs = (
'hmac-sha2-256',
@@ -179,18 +177,6 @@ class Transport (threading.Thread, ClosingContextManager):
'block-size': 8,
'key-size': 24
},
- 'arcfour128': {
- 'class': ARC4,
- 'mode': None,
- 'block-size': 8,
- 'key-size': 16
- },
- 'arcfour256': {
- 'class': ARC4,
- 'mode': None,
- 'block-size': 8,
- 'key-size': 32
- },
}
_mac_info = {
@@ -1636,14 +1622,7 @@ class Transport (threading.Thread, ClosingContextManager):
def _get_cipher(self, name, key, iv):
if name not in self._cipher_info:
raise SSHException('Unknown client cipher ' + name)
- if name in ('arcfour128', 'arcfour256'):
- # arcfour cipher
- cipher = self._cipher_info[name]['class'].new(key)
- # as per RFC 4345, the first 1536 bytes of keystream
- # generated by the cipher MUST be discarded
- cipher.encrypt(" " * 1536)
- return cipher
- elif name.endswith("-ctr"):
+ if name.endswith("-ctr"):
# CTR modes, we need a counter
counter = Counter.new(nbits=self._cipher_info[name]['block-size'] * 8, initial_value=util.inflate_long(iv, True))
return self._cipher_info[name]['class'].new(key, self._cipher_info[name]['mode'], iv, counter)
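Review bot: Nothing in this commit pins the removal in place: the diffstat lists only paramiko/transport.py, so no test asserts that `arcfour128` and `arcfour256` are absent from `_preferred_ciphers` and `_cipher_info`, and a later re-add would go unnoticed. A small regression test that `_get_cipher('arcfour128', key, iv)` raises `SSHException` would cover it. The only remaining signal for a stale arcfour name is the generic `'Unknown client cipher '` error in `_get_cipher`, so a comment above that lookup such as `# RC4 (arcfour128/arcfour256) is deliberately unsupported; do not re-add` would record the intent. Peers that offer only arcfour will presumably now fail negotiation, which deserves a changelog entry. The rest of `_get_cipher` (the non-CTR branch) lies outside this hunk.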