author | Alex Gaynor <alex.gaynor@gmail.com> | 2014-03-29 19:22:36 -0700 |
---|---|---|
committer | Alex Gaynor <alex.gaynor@gmail.com> | 2014-03-29 19:22:36 -0700 |
commit | 6f211115f49edcea7d23b764d7cf3a84ff12f5f0 (patch) | |
tree | 093859d4a75d3ccb361974439f61a01e7dc2b2b4 /paramiko/kex_gex.py | |
parent | 5a430def22aa5cbd755f347c8714e4140d6cdcab (diff) | |
download | paramiko-6f211115f49edcea7d23b764d7cf3a84ff12f5f0.tar.gz |
Switch from using PyCrypto's Random to using os.urandom.
There are several reasons for this change:
1) It's faster for reads up to 1024 bytes (nearly 10x faster for 16 byte reads)
2) It receives considerably more security review since it's in the kernel.
3) It's yet another step towards running on PyPy.
4) Using userspace CSPRNGs is considered something of an anti-pattern. See:
http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/
http://webcache.googleusercontent.com/search?q=cache:2nTvpCgKZXIJ:www.2uo.de/myths-about-urandom/+&cd=3&hl=en&ct=clnk&gl=us
Diffstat (limited to 'paramiko/kex_gex.py')
-rw-r--r-- | paramiko/kex_gex.py | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/paramiko/kex_gex.py b/paramiko/kex_gex.py
index 02e507b7..415f58e3 100644
--- a/paramiko/kex_gex.py
+++ b/paramiko/kex_gex.py
@@ -22,6 +22,8 @@ generator "g" are provided by the server. A bit more work is required on the
 client side, and a B{lot} more on the server side.
 """
 
+import os
+
 from Crypto.Hash import SHA
 
 from paramiko import util
@@ -101,7 +103,7 @@ class KexGex (object):
 qhbyte <<= 1
 qmask >>= 1
 while True:
- x_bytes = self.transport.rng.read(byte_count)
+ x_bytes = os.urandom(byte_count)
 x_bytes = byte_mask(x_bytes[0], qmask) + x_bytes[1:]
 x = util.inflate_long(x_bytes, 1)
 if (x > 1) and (x < q):
@@ -206,7 +208,7 @@ class KexGex (object):
 H = SHA.new(hm.asbytes()).digest()
 self.transport._set_K_H(K, H)
 # sign it
- sig = self.transport.get_server_key().sign_ssh_data(self.transport.rng, H)
+ sig = self.transport.get_server_key().sign_ssh_data(H)
 # send reply
 m = Message()
 m.add_byte(c_MSG_KEXDH_GEX_REPLY)
@@ -215,7 +217,7 @@ class KexGex (object):
 m.add_string(sig)
 self.transport._send_message(m)
 self.transport._activate_outbound()
-
+
 def _parse_kexdh_gex_reply(self, m):
 host_key = m.get_string()
 self.f = m.get_mpint()
|
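Review bot: The new `x_bytes = os.urandom(byte_count)` line at the top of the `while True:` loop (second hunk) carries no comment on why the source of these bytes matters or on why the loop retries instead of reducing the value. Judging by the module docstring about "p" and "g", x is the secret exponent of the exchange, so a later edit that swaps in a non-cryptographic generator or replaces the retry with a modulo would weaken or bias it. I would add above the call: `# x is the secret exponent: draw from the OS CSPRNG and retry until 1 < x < q (no modulo, so x stays uniform)`. The enclosing method starts and ends outside the hunk. Any test that stubbed `transport.rng` to pin x would presumably have to patch `os.urandom` instead, which is not visible in this view.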
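Review bot: The signing call in the third hunk now passes only `H` to `sign_ssh_data`, which changes the calling contract for every host-key class, and this page (limited to paramiko/kex_gex.py) does not show those classes being updated. A key class that still declares the old two-argument form would raise TypeError here; that fails closed, but it aborts the server side of the exchange, so out-of-tree key classes should be called out in the changelog. Any signature scheme that needs per-signature randomness must now obtain it inside the key class, which is worth stating at the call site: `# sign it (the key class now sources any signing randomness itself)`. The enclosing method starts and ends outside the hunk.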