--- paramiko-1.7.4.orig/paramiko/transport.py 2008-07-07 02:12:55.000000000 +0100 +++ paramiko-1.7.4/paramiko/transport.py 2009-05-14 23:26:26.087789799 +0100 @@ -20,6 +20,7 @@ L{Transport} handles the core SSH2 protocol. """ +import array import os import socket import string @@ -50,8 +51,9 @@ # i believe this on the standards track. # PyCrypt compiled for Win32 can be downloaded from the HashTar homepage: # http://nitace.bsd.uchicago.edu:8080/hashtar -from Crypto.Cipher import Blowfish, AES, DES3 +from Crypto.Cipher import Blowfish, AES, DES3, ARC4 from Crypto.Hash import SHA, MD5 +from Crypto import Util # for thread cleanup @@ -196,17 +198,22 @@ _PROTO_ID = '2.0' _CLIENT_ID = 'paramiko_1.7.4' - _preferred_ciphers = ( 'aes128-cbc', 'blowfish-cbc', 'aes256-cbc', '3des-cbc' ) + _preferred_ciphers = ( 'aes128-ctr', 'aes256-ctr', 'aes128-cbc', 'blowfish-cbc', 'aes256-cbc', '3des-cbc', + 'arcfour128', 'arcfour256' ) _preferred_macs = ( 'hmac-sha1', 'hmac-md5', 'hmac-sha1-96', 'hmac-md5-96' ) _preferred_keys = ( 'ssh-rsa', 'ssh-dss' ) _preferred_kex = ( 'diffie-hellman-group1-sha1', 'diffie-hellman-group-exchange-sha1' ) _preferred_compression = ( 'none', ) _cipher_info = { + 'aes128-ctr': { 'class': AES, 'mode': AES.MODE_CTR, 'block-size': 16, 'key-size': 16 }, + 'aes256-ctr': { 'class': AES, 'mode': AES.MODE_CTR, 'block-size': 16, 'key-size': 32 }, 'blowfish-cbc': { 'class': Blowfish, 'mode': Blowfish.MODE_CBC, 'block-size': 8, 'key-size': 16 }, 'aes128-cbc': { 'class': AES, 'mode': AES.MODE_CBC, 'block-size': 16, 'key-size': 16 }, 'aes256-cbc': { 'class': AES, 'mode': AES.MODE_CBC, 'block-size': 16, 'key-size': 32 }, '3des-cbc': { 'class': DES3, 'mode': DES3.MODE_CBC, 'block-size': 8, 'key-size': 24 }, + 'arcfour128': { 'class': ARC4, 'mode': None, 'block-size': 8, 'key-size': 16 }, + 'arcfour256': { 'class': ARC4, 'mode': None, 'block-size': 8, 'key-size': 32 }, } _mac_info = { @@ -1359,6 +1366,30 @@ ### internals... + class _Counter(): + """Stateful counter for CTR mode crypto""" + def __init__(self, blocksize, iv): + self.blocksize = blocksize + self.value = Util.number.bytes_to_long(iv) + # start with value - 1 so we don't have to store intermediate values when counting + # could the iv be 0? + if self.value != 0: + self.value = Util.number.long_to_bytes(self.value - 1, blocksize) + else: + self.value = '\xFF' * blocksize + self.value = array.array('c', self.value) + + def __call__(self): + """Increament the counter and return the new value""" + i = self.blocksize - 1 + while i > -1: + c = self.value[i] = chr((ord(self.value[i]) + 1) % 256) + if c != '\x00': + return self.value.tostring() + i -= 1 + # counter reset + self.value = array.array('c', '\x00' * self.blocksize) + return self.value.tostring() def _log(self, level, msg, *args): if issubclass(type(msg), list): @@ -1446,7 +1477,19 @@ def _get_cipher(self, name, key, iv): if name not in self._cipher_info: raise SSHException('Unknown client cipher ' + name) - return self._cipher_info[name]['class'].new(key, self._cipher_info[name]['mode'], iv) + if name in ('arcfour128', 'arcfour256'): + # arcfour cipher + cipher = self._cipher_info[name]['class'].new(key) + # as per RFC 4345, the first 1536 bytes of keystream + # generated by the cipher MUST be discarded + cipher.encrypt(" " * 1536) + return cipher + elif name.endswith("-ctr"): + # CTR modes, we need a counter + return self._cipher_info[name]['class'].new(key, self._cipher_info[name]['mode'], iv, + Transport._Counter(self._cipher_info[name]['block-size'], iv)) + else: + return self._cipher_info[name]['class'].new(key, self._cipher_info[name]['mode'], iv) def _set_x11_handler(self, handler): # only called if a channel has turned on x11 forwarding