author | Jeff Forcier <jeff@bitprophet.org> | 2014-09-18 16:42:29 -0700 |
---|---|---|
committer | Jeff Forcier <jeff@bitprophet.org> | 2014-09-18 16:42:29 -0700 |
commit | 0999fda545a859b423ebe188ab4e020333dd6894 (patch) | |
tree | 5bf270daebc25e12cd9baceebdbe99a986acdab8 | |
parent | fb3c81bf423b673526768fe4b506e3d74d295ac5 (diff) | |
parent | 381e86171e28ebfaa64c3dabe0e394448eb03aa3 (diff) |
Merge branch 'master' into 216-int
-rw-r--r-- | .travis.yml | 2 | ||||
-rw-r--r-- | paramiko/kex_gss.py | 10 | ||||
-rw-r--r-- | sites/www/changelog.rst | 8 | ||||
-rw-r--r-- | sites/www/installing.rst | 11 | ||||
-rw-r--r-- | tasks.py | 14 | ||||
-rw-r--r-- | tests/test_gssapi.py | 40 |
6 files changed, 39 insertions, 46 deletions
diff --git a/.travis.yml b/.travis.yml index 3f6f7331..a9a04c89 100644 --- a/.travis.yml +++ b/.travis.yml @@ -13,7 +13,7 @@ install: - pip install -r dev-requirements.txt script: # Main tests, with coverage! - - invoke coverage + - inv test --coverage # Ensure documentation & invoke pipeline run OK. # Run 'docs' first since its objects.inv is referred to by 'www'. # Also force warnings to be errors since most of them tend to be actual diff --git a/paramiko/kex_gss.py b/paramiko/kex_gss.py index a319b33b..4e8380ef 100644 --- a/paramiko/kex_gss.py +++ b/paramiko/kex_gss.py @@ -36,8 +36,8 @@ This module provides GSS-API / SSPI Key Exchange as defined in RFC 4462. .. versionadded:: 1.15 """ +from hashlib import sha1 -from Crypto.Hash import SHA from paramiko.common import * from paramiko import util from paramiko.message import Message @@ -196,7 +196,7 @@ class KexGSSGroup1(object): hm.add_mpint(self.e) hm.add_mpint(self.f) hm.add_mpint(K) - self.transport._set_K_H(K, SHA.new(str(hm)).digest()) + self.transport._set_K_H(K, sha1(str(hm)).digest()) if srv_token is not None: self.kexgss.ssh_init_sec_context(target=self.gss_host, recv_token=srv_token) @@ -229,7 +229,7 @@ class KexGSSGroup1(object): hm.add_mpint(self.e) hm.add_mpint(self.f) hm.add_mpint(K) - H = SHA.new(hm.asbytes()).digest() + H = sha1(hm.asbytes()).digest() self.transport._set_K_H(K, H) srv_token = self.kexgss.ssh_accept_sec_context(self.gss_host, client_token) @@ -463,7 +463,7 @@ class KexGSSGex(object): hm.add_mpint(self.e) hm.add_mpint(self.f) hm.add_mpint(K) - H = SHA.new(hm.asbytes()).digest() + H = sha1(hm.asbytes()).digest() self.transport._set_K_H(K, H) srv_token = self.kexgss.ssh_accept_sec_context(self.gss_host, client_token) 
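Review bot: In the `@@ -196` hunk of paramiko/kex_gss.py the exchange hash is still computed over `str(hm)`, while the `@@ -229`, `@@ -463` and `@@ -555` hunks all hash `hm.asbytes()`. `hashlib.sha1` accepts only bytes on Python 3, so this one path presumably raises `TypeError` there. H is the value the rest of the RFC 4462 exchange is bound to, so both peers must derive it from the same byte string. I would change the line to `self.transport._set_K_H(K, sha1(hm.asbytes()).digest())` so that all four call sites agree. The enclosing method starts and ends outside the hunk.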
@@ -555,7 +555,7 @@ class KexGSSGex(object): hm.add_mpint(self.e) hm.add_mpint(self.f) hm.add_mpint(K) - H = SHA.new(hm.asbytes()).digest() + H = sha1(hm.asbytes()).digest() self.transport._set_K_H(K, H) if srv_token is not None: self.kexgss.ssh_init_sec_context(target=self.gss_host, diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst index 1dab5219..38a56101 100644 --- a/sites/www/changelog.rst +++ b/sites/www/changelog.rst @@ -2,10 +2,18 @@ Changelog ========= +* :support:`393` Replace internal use of PyCrypto's ``SHA.new`` with the + stdlib's ``hashlib.sha1``. Thanks to Alex Gaynor. * :feature:`267` (also :issue:`250`, :issue:`241`, :issue:`228`) Add GSS-API / SSPI (e.g. Kerberos) key exchange and authentication support (:ref:`installation docs here <gssapi>`). Mega thanks to Sebastian Deiß, with assist by Torsten Landschoff. + + .. note:: + Unix users should be aware that the ``python-gssapi`` library (a + requirement for using this functionality) only appears to support + Python 2.7 and up at this time. + * :bug:`346 major` Fix an issue in private key files' encryption salts that could cause tracebacks and file corruption if keys were re-encrypted. Credit to Xavier Nunn. diff --git a/sites/www/installing.rst b/sites/www/installing.rst index 5528b28a..a657c3fc 100644 --- a/sites/www/installing.rst +++ b/sites/www/installing.rst 
@@ -109,14 +109,19 @@ installation of Paramiko via ``pypm``:: Optional dependencies for GSS-API / SSPI / Kerberos =================================================== -In order to use Kerberos & related functionality, a couple of additional -dependencies are required (these are not listed in our ``setup.py`` due to -their infrequent utility & non-platform-agnostic requirements): +In order to use GSS-API/Kerberos & related functionality, a couple of +additional dependencies are required (these are not listed in our ``setup.py`` +due to their infrequent utility & non-platform-agnostic requirements): +* It hopefully goes without saying but **all platforms** need **a working + installation of GSS-API itself**, e.g. Heimdal. * **All platforms** need `pyasn1 <https://pypi.python.org/pypi/pyasn1>`_ ``0.1.7`` or better. * **Unix** needs `python-gssapi <https://pypi.python.org/pypi/python-gssapi/>`_ ``0.6.1`` or better. + + .. note:: This library appears to only function on Python 2.7 and up. + * **Windows** needs `pywin32 <https://pypi.python.org/pypi/pywin32>`_ ``2.1.8`` or better. @@ -27,12 +27,12 @@ www = Collection.from_module(_docs, name='www', config={ # Until we move to spec-based testing @task -def test(ctx): - ctx.run("python test.py --verbose", pty=True) - -@task -def coverage(ctx): - ctx.run("coverage run --source=paramiko test.py --verbose") +def test(ctx, coverage=False): + runner = "python" + if coverage: + runner = "coverage run --source=paramiko" + flags = "--verbose" + ctx.run("{0} test.py {1}".format(runner, flags), pty=True) # Until we stop bundling docs w/ releases. Need to discover use cases first. @@ -48,4 +48,4 @@ def release(ctx): publish(ctx, wheel=True) -ns = Collection(test, coverage, release, docs=docs, www=www) +ns = Collection(test, release, docs=docs, www=www) diff --git a/tests/test_gssapi.py b/tests/test_gssapi.py index 0d3df72c..a328dd65 100644 --- a/tests/test_gssapi.py +++ b/tests/test_gssapi.py 
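Review bot: The reworked `test` task in the `@@ -27` hunk of tasks.py has no docstring, so the new `coverage` flag is not described in the task's help output. I would add `"""Run the test suite; pass --coverage to run it under coverage.py."""` as the first line of the body. Merging the two tasks also means the coverage run now executes with `pty=True`, which the removed `coverage` task did not pass. If that is intended, a one-line comment such as `# pty=True applies to the coverage run as well` would record the decision.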
@@ -72,9 +72,7 @@ class GSSAPITest(unittest.TestCase): gss_flags = (gssapi.C_PROT_READY_FLAG, gssapi.C_INTEG_FLAG, gssapi.C_DELEG_FLAG) - """ - Initialize a GSS-API context. - """ + # Initialize a GSS-API context. ctx = gssapi.Context() ctx.flags = gss_flags krb5_oid = gssapi.OID.mech_from_string(krb5_mech) @@ -87,41 +85,31 @@ class GSSAPITest(unittest.TestCase): c_token = gss_ctxt.step(c_token) gss_ctxt_status = gss_ctxt.established self.assertEquals(False, gss_ctxt_status) - """ - Accept a GSS-API context. - """ + # Accept a GSS-API context. gss_srv_ctxt = gssapi.AcceptContext() s_token = gss_srv_ctxt.step(c_token) gss_ctxt_status = gss_srv_ctxt.established self.assertNotEquals(None, s_token) self.assertEquals(True, gss_ctxt_status) - """ - Establish the client context - """ + # Establish the client context c_token = gss_ctxt.step(s_token) self.assertEquals(None, c_token) else: while not gss_ctxt.established: c_token = gss_ctxt.step(c_token) self.assertNotEquals(None, c_token) - """ - Build MIC - """ + # Build MIC mic_token = gss_ctxt.get_mic(mic_msg) if server_mode: - """ - Check MIC - """ + # Check MIC status = gss_srv_ctxt.verify_mic(mic_msg, mic_token) self.assertEquals(0, status) else: gss_flags = sspicon.ISC_REQ_INTEGRITY |\ sspicon.ISC_REQ_MUTUAL_AUTH |\ sspicon.ISC_REQ_DELEGATE - """ - Initialize a GSS-API context. - """ + # Initialize a GSS-API context. target_name = "host/" + socket.getfqdn(targ_name) gss_ctxt = sspi.ClientAuth("Kerberos", scflags=gss_flags, 
@@ -130,26 +118,18 @@ class GSSAPITest(unittest.TestCase): error, token = gss_ctxt.authorize(c_token) c_token = token[0].Buffer self.assertEquals(0, error) - """ - Accept a GSS-API context. - """ + # Accept a GSS-API context. gss_srv_ctxt = sspi.ServerAuth("Kerberos", spn=target_name) error, token = gss_srv_ctxt.authorize(c_token) s_token = token[0].Buffer - """ - Establish the context. - """ + # Establish the context. error, token = gss_ctxt.authorize(s_token) c_token = token[0].Buffer self.assertEquals(None, c_token) self.assertEquals(0, error) - """ - Build MIC - """ + # Build MIC mic_token = gss_ctxt.sign(mic_msg) - """ - Check MIC - """ + # Check MIC gss_srv_ctxt.verify(mic_msg, mic_token) else: error, token = gss_ctxt.authorize(c_token) |