diff options
-rw-r--r-- | paramiko/transport.py | 30 | ||||
-rw-r--r-- | sites/www/changelog.rst | 4 |
2 files changed, 4 insertions, 30 deletions
diff --git a/paramiko/transport.py b/paramiko/transport.py index 7693c354..67c52e6a 100644 --- a/paramiko/transport.py +++ b/paramiko/transport.py @@ -74,7 +74,6 @@ from paramiko.ssh_exception import ( from paramiko.util import retry_on_signal, ClosingContextManager, clamp_value - # for thread cleanup _active_threads = [] @@ -114,8 +113,6 @@ class Transport(threading.Thread, ClosingContextManager): 'aes192-cbc', 'aes256-cbc', '3des-cbc', - 'arcfour128', - 'arcfour256', ) _preferred_macs = ( 'hmac-sha2-256', @@ -193,18 +190,6 @@ class Transport(threading.Thread, ClosingContextManager): 'block-size': 8, 'key-size': 24 }, - 'arcfour128': { - 'class': algorithms.ARC4, - 'mode': None, - 'block-size': 8, - 'key-size': 16 - }, - 'arcfour256': { - 'class': algorithms.ARC4, - 'mode': None, - 'block-size': 8, - 'key-size': 32 - }, } @@ -1756,21 +1741,6 @@ class Transport(threading.Thread, ClosingContextManager): def _get_cipher(self, name, key, iv, operation): if name not in self._cipher_info: raise SSHException('Unknown client cipher ' + name) - if name in ('arcfour128', 'arcfour256'): - # arcfour cipher - cipher = Cipher( - self._cipher_info[name]['class'](key), - None, - backend=default_backend() - ) - if operation is self._ENCRYPT: - engine = cipher.encryptor() - else: - engine = cipher.decryptor() - # as per RFC 4345, the first 1536 bytes of keystream - # generated by the cipher MUST be discarded - engine.encrypt(" " * 1536) - return engine else: cipher = Cipher( self._cipher_info[name]['class'](key), diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst index 0db12afe..78e1920a 100644 --- a/sites/www/changelog.rst +++ b/sites/www/changelog.rst @@ -2,6 +2,10 @@ Changelog ========= +* :bug:`667` The RC4/arcfour family of ciphers has been broken since version + 2.0; but since the algorithm is now known to be completely insecure, we are + opting to remove support outright instead of fixing it. Thanks to Alex Gaynor + for catch & patch. * :feature:`857` Allow `SSHClient.set_missing_host_key_policy <paramiko.client.SSHClient.set_missing_host_key_policy>` to accept policy classes _or_ instances, instead of only instances, thus fixing a |