Diffstat (limited to 'tests')
-rw-r--r-- | tests/loop.py | 2 | ||||
-rw-r--r-- | tests/stub_sftp.py | 2 | ||||
-rw-r--r-- | tests/test_auth.py | 2 | ||||
-rw-r--r-- | tests/test_buffered_pipe.py | 2 | ||||
-rw-r--r-- | tests/test_client.py | 24 | ||||
-rw-r--r-- | tests/test_config.py | 19 | ||||
-rw-r--r-- | tests/test_file.py | 2 | ||||
-rw-r--r-- | tests/test_gssapi.py | 2 | ||||
-rw-r--r-- | tests/test_hostkeys.py | 2 | ||||
-rw-r--r-- | tests/test_kex.py | 2 | ||||
-rw-r--r-- | tests/test_kex_gss.py | 2 | ||||
-rw-r--r-- | tests/test_message.py | 2 | ||||
-rw-r--r-- | tests/test_packetizer.py | 2 | ||||
-rw-r--r-- | tests/test_pkey.py | 6 | ||||
-rw-r--r-- | tests/test_sftp.py | 2 | ||||
-rw-r--r-- | tests/test_sftp_big.py | 2 | ||||
-rw-r--r-- | tests/test_ssh_gss.py | 2 | ||||
-rw-r--r-- | tests/test_transport.py | 12 | ||||
-rw-r--r-- | tests/test_util.py | 2 | ||||
-rw-r--r-- | tests/util.py | 32 |
20 files changed, 99 insertions, 24 deletions
diff --git a/tests/loop.py b/tests/loop.py index 40179a64..6de4b164 100644 --- a/tests/loop.py +++ b/tests/loop.py @@ -14,7 +14,7 @@ # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., -# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. import socket import threading diff --git a/tests/stub_sftp.py b/tests/stub_sftp.py index 1528a0b8..0c0372e9 100644 --- a/tests/stub_sftp.py +++ b/tests/stub_sftp.py @@ -14,7 +14,7 @@ # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., -# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ A stub SFTP server for loopback SFTP testing. diff --git a/tests/test_auth.py b/tests/test_auth.py index 01fbac5b..0f0a6169 100644 --- a/tests/test_auth.py +++ b/tests/test_auth.py @@ -14,7 +14,7 @@ # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., -# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Some unit tests for authenticating over a Transport. diff --git a/tests/test_buffered_pipe.py b/tests/test_buffered_pipe.py index 61c99cc0..35e2cded 100644 --- a/tests/test_buffered_pipe.py +++ b/tests/test_buffered_pipe.py @@ -14,7 +14,7 @@ # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., -# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Some unit tests for BufferedPipe. diff --git a/tests/test_client.py b/tests/test_client.py index 21694e28..3db4cd22 100644 
--- a/tests/test_client.py +++ b/tests/test_client.py @@ -14,7 +14,7 @@ # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., -# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Some unit tests for SSHClient. @@ -41,7 +41,7 @@ from paramiko import SSHClient from paramiko.pkey import PublicBlob from paramiko.ssh_exception import SSHException, AuthenticationException -from .util import _support, slow +from .util import _support, requires_sha1_signing, slow requires_gss_auth = unittest.skipUnless( @@ -244,33 +244,39 @@ class ClientTest(unittest.TestCase): class SSHClientTest(ClientTest): + @requires_sha1_signing def test_client(self): """ verify that the SSHClient stuff works too. """ self._test_connection(password="pygmalion") + @requires_sha1_signing def test_client_dsa(self): """ verify that SSHClient works with a DSA key. """ self._test_connection(key_filename=_support("test_dss.key")) + @requires_sha1_signing def test_client_rsa(self): """ verify that SSHClient works with an RSA key. """ self._test_connection(key_filename=_support("test_rsa.key")) + @requires_sha1_signing def test_client_ecdsa(self): """ verify that SSHClient works with an ECDSA key. """ self._test_connection(key_filename=_support("test_ecdsa_256.key")) + @requires_sha1_signing def test_client_ed25519(self): self._test_connection(key_filename=_support("test_ed25519.key")) + @requires_sha1_signing def test_multiple_key_files(self): """ verify that SSHClient accepts and tries multiple key files. @@ -302,6 +308,7 @@ class SSHClientTest(ClientTest): self.tearDown() self.setUp() + @requires_sha1_signing def test_multiple_key_files_failure(self): """ Expect failure when multiple keys in play and none are accepted 
@@ -315,6 +322,7 @@ class SSHClientTest(ClientTest): allowed_keys=["ecdsa-sha2-nistp256"], ) + @requires_sha1_signing def test_certs_allowed_as_key_filename_values(self): # NOTE: giving cert path here, not key path. (Key path test is below. # They're similar except for which path is given; the expected auth and @@ -328,6 +336,7 @@ class SSHClientTest(ClientTest): public_blob=PublicBlob.from_file(cert_path), ) + @requires_sha1_signing def test_certs_implicitly_loaded_alongside_key_filename_keys(self): # NOTE: a regular test_connection() w/ test_rsa.key would incidentally # test this (because test_xxx.key-cert.pub exists) but incidental tests @@ -361,9 +370,11 @@ class SSHClientTest(ClientTest): == "{}-cert-v01@openssh.com".format(alg) ) + @requires_sha1_signing def test_old_openssh_needs_ssh_rsa_for_certs_not_rsa_sha2(self): self._cert_algo_test(ver="7.7", alg="ssh-rsa") + @requires_sha1_signing def test_newer_openssh_uses_rsa_sha2_for_certs_not_ssh_rsa(self): # NOTE: 512 happens to be first in our list and is thus chosen self._cert_algo_test(ver="7.8", alg="rsa-sha2-512") @@ -501,6 +512,7 @@ class SSHClientTest(ClientTest): kwargs = dict(self.connect_kwargs, banner_timeout=0.5) self.assertRaises(paramiko.SSHException, self.tc.connect, **kwargs) + @requires_sha1_signing def test_auth_trickledown(self): """ Failed key auth doesn't prevent subsequent pw auth from succeeding @@ -521,6 +533,7 @@ class SSHClientTest(ClientTest): ) self._test_connection(**kwargs) + @requires_sha1_signing @slow def test_auth_timeout(self): """ @@ -623,6 +636,7 @@ class SSHClientTest(ClientTest): host_key = paramiko.ECDSAKey.generate() self._client_host_key_bad(host_key) + @requires_sha1_signing def test_host_key_negotiation_2(self): host_key = paramiko.RSAKey.generate(2048) self._client_host_key_bad(host_key) 
@@ -630,6 +644,7 @@ class SSHClientTest(ClientTest): def test_host_key_negotiation_3(self): self._client_host_key_good(paramiko.ECDSAKey, "test_ecdsa_256.key") + @requires_sha1_signing def test_host_key_negotiation_4(self): self._client_host_key_good(paramiko.RSAKey, "test_rsa.key") @@ -713,6 +728,7 @@ class PasswordPassphraseTests(ClientTest): # instead of suffering a real connection cycle. # TODO: in that case, move the below to be part of an integration suite? + @requires_sha1_signing def test_password_kwarg_works_for_password_auth(self): # Straightforward / duplicate of earlier basic password test. self._test_connection(password="pygmalion") @@ -720,10 +736,12 @@ class PasswordPassphraseTests(ClientTest): # TODO: more granular exception pending #387; should be signaling "no auth # methods available" because no key and no password @raises(SSHException) + @requires_sha1_signing def test_passphrase_kwarg_not_used_for_password_auth(self): # Using the "right" password in the "wrong" field shouldn't work. self._test_connection(passphrase="pygmalion") + @requires_sha1_signing def test_passphrase_kwarg_used_for_key_passphrase(self): # Straightforward again, with new passphrase kwarg. self._test_connection( @@ -731,6 +749,7 @@ class PasswordPassphraseTests(ClientTest): passphrase="television", ) + @requires_sha1_signing def test_password_kwarg_used_for_passphrase_when_no_passphrase_kwarg_given( self ): # noqa @@ -741,6 +760,7 @@ class PasswordPassphraseTests(ClientTest): ) @raises(AuthenticationException) # TODO: more granular + @requires_sha1_signing def test_password_kwarg_not_used_for_passphrase_when_passphrase_kwarg_given( # noqa self ): diff --git a/tests/test_config.py b/tests/test_config.py index fcc47734..017d4bbf 100644 --- a/tests/test_config.py +++ b/tests/test_config.py 
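Review bot: In `test_passphrase_kwarg_not_used_for_password_auth` and `test_password_kwarg_not_used_for_passphrase_when_passphrase_kwarg_given`, `@requires_sha1_signing` sits beneath `@raises(...)`, so the skip only works if `raises` lets the skip signal pass through untouched, and the implementation of `raises` is not visible here. Putting the new decorator outermost, as the commit already does in `test_auth_timeout` (`@requires_sha1_signing` above `@slow`), removes that dependency: `@requires_sha1_signing` first, then `@raises(SSHException)`. Separately, password-only tests such as `test_client` and `test_password_kwarg_works_for_password_auth` are now gated as well; a short comment stating why password auth depends on SHA-1 signing (presumably the server fixture's RSA host key) would help, because on a SHA-1-disabled platform nearly all positive authentication coverage in this file is skipped. The bodies of both `raises` tests continue past the hunks shown.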
@@ -211,6 +211,25 @@ Host test assert got == expected @patch("paramiko.config.getpass") + def test_proxyjump_token_expansion(self, getpass): + getpass.getuser.return_value = "gandalf" + config = SSHConfig.from_text( + """ +Host justhost + ProxyJump jumpuser@%h +Host userhost + ProxyJump %r@%h:222 +Host allcustom + ProxyJump %r@%h:%p +""" + ) + assert config.lookup("justhost")["proxyjump"] == "jumpuser@justhost" + assert config.lookup("userhost")["proxyjump"] == "gandalf@userhost:222" + assert ( + config.lookup("allcustom")["proxyjump"] == "gandalf@allcustom:22" + ) + + @patch("paramiko.config.getpass") def test_controlpath_token_expansion(self, getpass, socket): getpass.getuser.return_value = "gandalf" config = SSHConfig.from_text( diff --git a/tests/test_file.py b/tests/test_file.py index 2a3da74b..d4062c02 100644 --- a/tests/test_file.py +++ b/tests/test_file.py @@ -14,7 +14,7 @@ # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., -# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Some unit tests for the BufferedFile abstraction. diff --git a/tests/test_gssapi.py b/tests/test_gssapi.py index acdc7c82..23c3ef42 100644 --- a/tests/test_gssapi.py +++ b/tests/test_gssapi.py @@ -16,7 +16,7 @@ # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., -# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Test the used APIs for GSS-API / SSPI authentication diff --git a/tests/test_hostkeys.py b/tests/test_hostkeys.py index 41a9244f..723ea1a5 100644 --- a/tests/test_hostkeys.py +++ b/tests/test_hostkeys.py 
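Review bot: `test_proxyjump_token_expansion` exercises the tokens only with default values: `%p` is asserted as `22` and `%r` as the patched `getpass` user, so nothing here shows that an explicit `Port` or `User` in the same `Host` block is what gets substituted. One more host in the config text, for example a block with `User`, `Port` and `ProxyJump %r@%h:%p` (values of your choosing), plus an assertion on the expanded string, would pin that down. Since the expanded value names the host, user and port of the jump connection, a one-line docstring listing which tokens `ProxyJump` is expected to honour would also be useful.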
@@ -14,7 +14,7 @@ # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., -# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Some unit tests for HostKeys. diff --git a/tests/test_kex.py b/tests/test_kex.py index b73989c2..b6463558 100644 --- a/tests/test_kex.py +++ b/tests/test_kex.py @@ -14,7 +14,7 @@ # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., -# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Some unit tests for the key exchange protocols. diff --git a/tests/test_kex_gss.py b/tests/test_kex_gss.py index 6f5625dc..26659ae3 100644 --- a/tests/test_kex_gss.py +++ b/tests/test_kex_gss.py @@ -17,7 +17,7 @@ # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., -# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Unit Tests for the GSS-API / SSPI SSHv2 Diffie-Hellman Key Exchange and user diff --git a/tests/test_message.py b/tests/test_message.py index 57766d90..23b06858 100644 --- a/tests/test_message.py +++ b/tests/test_message.py @@ -14,7 +14,7 @@ # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., -# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Some unit tests for ssh protocol message blocks. diff --git a/tests/test_packetizer.py b/tests/test_packetizer.py index de80770e..27dee358 100644 --- a/tests/test_packetizer.py +++ b/tests/test_packetizer.py 
@@ -14,7 +14,7 @@ # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., -# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Some unit tests for the ssh2 protocol in Transport. diff --git a/tests/test_pkey.py b/tests/test_pkey.py index f8b7eb42..a2376fa9 100644 --- a/tests/test_pkey.py +++ b/tests/test_pkey.py @@ -15,7 +15,7 @@ # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., -# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Some unit tests for public/private key objects. @@ -44,7 +44,7 @@ from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateNumbers from mock import patch, Mock import pytest -from .util import _support, is_low_entropy +from .util import _support, is_low_entropy, requires_sha1_signing # from openssh's ssh-keygen @@ -261,6 +261,7 @@ class KeyTest(unittest.TestCase): pub = RSAKey(data=key.asbytes()) self.assertTrue(pub.verify_ssh_sig(b"ice weasels", msg)) + @requires_sha1_signing def test_sign_and_verify_ssh_rsa(self): self._sign_and_verify_rsa("ssh-rsa", SIGNED_RSA) @@ -285,6 +286,7 @@ class KeyTest(unittest.TestCase): pub = DSSKey(data=key.asbytes()) self.assertTrue(pub.verify_ssh_sig(b"ice weasels", msg)) + @requires_sha1_signing def test_generate_rsa(self): key = RSAKey.generate(1024) msg = key.sign_ssh_data(b"jerri blank") diff --git a/tests/test_sftp.py b/tests/test_sftp.py index 2152d885..b53ece7d 100644 --- a/tests/test_sftp.py +++ b/tests/test_sftp.py 
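Review bot: Decorating `test_generate_rsa` in tests/test_pkey.py with `@requires_sha1_signing` skips the whole test, including `RSAKey.generate(1024)`, although only the `sign_ssh_data` call after it appears to depend on SHA-1. If `sign_ssh_data` accepts an algorithm argument, as the `_sign_and_verify_rsa("ssh-rsa", SIGNED_RSA)` call in the neighbouring hunk suggests, signing with a SHA-2 variant would keep key-generation coverage on SHA-1-disabled platforms. Otherwise a comment next to the decorator, such as `# default signature algorithm here is ssh-rsa (SHA-1)`, would explain the skip. The test body continues past the end of the hunk.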
@@ -14,7 +14,7 @@ # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., -# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ some unit tests to make sure sftp works. diff --git a/tests/test_sftp_big.py b/tests/test_sftp_big.py index fc556faf..4643bcaa 100644 --- a/tests/test_sftp_big.py +++ b/tests/test_sftp_big.py @@ -14,7 +14,7 @@ # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., -# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ some unit tests to make sure sftp works well with large files. diff --git a/tests/test_ssh_gss.py b/tests/test_ssh_gss.py index 92801c20..4d171854 100644 --- a/tests/test_ssh_gss.py +++ b/tests/test_ssh_gss.py @@ -17,7 +17,7 @@ # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., -# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Unit Tests for the GSS-API / SSPI SSHv2 Authentication (gssapi-with-mic) diff --git a/tests/test_transport.py b/tests/test_transport.py index fa7a3c1a..98a7d30d 100644 --- a/tests/test_transport.py +++ b/tests/test_transport.py @@ -14,7 +14,7 @@ # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., -# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Some unit tests for the ssh2 protocol in Transport. 
@@ -61,7 +61,7 @@ from paramiko.common import ( from paramiko.py3compat import bytes, byte_chr from paramiko.message import Message -from .util import needs_builtin, _support, slow +from .util import needs_builtin, _support, requires_sha1_signing, slow from .loop import LoopSocket @@ -196,9 +196,9 @@ class TransportTest(unittest.TestCase): def test_security_options(self): o = self.tc.get_security_options() self.assertEqual(type(o), SecurityOptions) - self.assertTrue(("aes256-cbc", "blowfish-cbc") != o.ciphers) - o.ciphers = ("aes256-cbc", "blowfish-cbc") - self.assertEqual(("aes256-cbc", "blowfish-cbc"), o.ciphers) + self.assertTrue(("aes256-cbc", "aes192-cbc") != o.ciphers) + o.ciphers = ("aes256-cbc", "aes192-cbc") + self.assertEqual(("aes256-cbc", "aes192-cbc"), o.ciphers) try: o.ciphers = ("aes256-cbc", "made-up-cipher") self.assertTrue(False) @@ -1289,6 +1289,7 @@ class TestSHA2SignatureKeyExchange(unittest.TestCase): # are new tests in test_pkey.py which use known signature blobs to prove # the SHA2 family was in fact used! + @requires_sha1_signing def test_base_case_ssh_rsa_still_used_as_fallback(self): # Prove that ssh-rsa is used if either, or both, participants have SHA2 # algorithms disabled @@ -1411,6 +1412,7 @@ class TestSHA2SignaturePubkeys(unittest.TestCase): ) as (tc, ts, err): assert isinstance(err, AuthenticationException) + @requires_sha1_signing def test_ssh_rsa_still_used_when_sha2_disabled(self): privkey = RSAKey.from_private_key_file(_support("test_rsa.key")) # NOTE: this works because key obj comparison uses public bytes diff --git a/tests/test_util.py b/tests/test_util.py index 8ce260d1..0e485759 100644 --- a/tests/test_util.py +++ b/tests/test_util.py 
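Review bot: In `test_security_options` the swap from `blowfish-cbc` to `aes192-cbc` carries no comment, and the first check still uses `assertTrue(a != b)`, which reports only that `False` is not true when it fails. `self.assertNotEqual(("aes256-cbc", "aes192-cbc"), o.ciphers)` gives a readable failure. A comment such as `# blowfish-cbc avoided: not offered by every crypto backend`, if that is the reason, would keep someone from reverting it. The function body continues outside the hunk.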
@@ -14,7 +14,7 @@ # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., -# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Some unit tests for utility functions. diff --git a/tests/util.py b/tests/util.py index 1355ce8a..3ec5d092 100644 --- a/tests/util.py +++ b/tests/util.py @@ -9,6 +9,10 @@ import pytest from paramiko.py3compat import builtins, PY2 from paramiko.ssh_gss import GSS_AUTH_AVAILABLE +from cryptography.exceptions import UnsupportedAlgorithm, _Reasons +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.asymmetric import padding, rsa tests_dir = dirname(realpath(__file__)) @@ -144,3 +148,31 @@ def is_low_entropy(): # I don't see a way to tell internally if the hash seed was set this # way, but env should be plenty sufficient, this is only for testing. return is_32bit and os.environ.get("PYTHONHASHSEED", None) == "0" + + +def sha1_signing_unsupported(): + """ + This is used to skip tests in environments where SHA-1 signing is + not supported by the backend. + """ + private_key = rsa.generate_private_key( + public_exponent=65537, key_size=2048, backend=default_backend() + ) + message = b"Some dummy text" + try: + private_key.sign( + message, + padding.PSS( + mgf=padding.MGF1(hashes.SHA1()), + salt_length=padding.PSS.MAX_LENGTH, + ), + hashes.SHA1(), + ) + return False + except UnsupportedAlgorithm as e: + return e._reason is _Reasons.UNSUPPORTED_HASH + + +requires_sha1_signing = unittest.skipIf( + sha1_signing_unsupported(), "SHA-1 signing not supported" +) |
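Review bot: The probe in `sha1_signing_unsupported` (tests/util.py) signs with `padding.PSS(mgf=padding.MGF1(hashes.SHA1()), ...)`, while the gated tests concern `ssh-rsa`, which the SSH protocol defines as PKCS#1 v1.5 with SHA-1, so the probe may not answer the question the decorator is asking. `private_key.sign(message, padding.PKCS1v15(), hashes.SHA1())` would exercise the same primitive the tests rely on. The `except` branch reads the private `e._reason` and `_Reasons` names from `cryptography` and returns `False` for any other reason, in which case the tests run and fail instead of being skipped; a comment recording that dependency would help. The function is also called at import time to build `requires_sha1_signing`, so every test session pays for a 2048-bit key generation, and any exception other than `UnsupportedAlgorithm` would abort collection of every module importing `tests.util`; that deserves a comment or a defensive wrapper around the probe.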