author | Alex Gaynor <alex.gaynor@gmail.com> | 2014-03-29 19:22:36 -0700 |
---|---|---|
committer | Alex Gaynor <alex.gaynor@gmail.com> | 2014-03-29 19:22:36 -0700 |
commit | 6f211115f49edcea7d23b764d7cf3a84ff12f5f0 (patch) | |
tree | 093859d4a75d3ccb361974439f61a01e7dc2b2b4 /paramiko/kex_group1.py | |
parent | 5a430def22aa5cbd755f347c8714e4140d6cdcab (diff) | |
download | paramiko-6f211115f49edcea7d23b764d7cf3a84ff12f5f0.tar.gz |
Switch from using PyCrypto's Random to using os.urandom.
There are several reasons for this change:
1) It's faster for reads up to 1024 bytes (nearly 10x faster for 16 byte reads)
2) It receives considerably more security review since it's in the kernel.
3) It's yet another step towards running on PyPy.
4) Using userspace CSPRNGs is considered something of an anti-pattern. See:
http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/
http://webcache.googleusercontent.com/search?q=cache:2nTvpCgKZXIJ:www.2uo.de/myths-about-urandom/+&cd=3&hl=en&ct=clnk&gl=us
Diffstat (limited to 'paramiko/kex_group1.py')
-rw-r--r-- | paramiko/kex_group1.py | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/paramiko/kex_group1.py b/paramiko/kex_group1.py
index 3dfb7f18..bc88202c 100644
--- a/paramiko/kex_group1.py
+++ b/paramiko/kex_group1.py
@@ -21,6 +21,8 @@ Standard SSH key exchange ("kex" if you wanna sound cool). Diffie-Hellman of
 1024 bit key halves, using a known "p" prime and "g" generator.
 """
+import os
+
 from Crypto.Hash import SHA
 from paramiko import util
@@ -82,7 +84,7 @@ class KexGroup1(object):
 # potential x where the first 63 bits are 1, because some of those will be
 # larger than q (but this is a tiny tiny subset of potential x).
 while 1:
- x_bytes = self.transport.rng.read(128)
+ x_bytes = os.urandom(128)
 x_bytes = byte_mask(x_bytes[0], 0x7f) + x_bytes[1:]
 if (x_bytes[:8] != b7fffffffffffffff and
 x_bytes[:8] != b0000000000000000):
@@ -127,7 +129,7 @@ class KexGroup1(object):
 H = SHA.new(hm.asbytes()).digest()
 self.transport._set_K_H(K, H)
 # sign it
- sig = self.transport.get_server_key().sign_ssh_data(self.transport.rng, H)
+ sig = self.transport.get_server_key().sign_ssh_data(H)
 # send reply
 m = Message()
 m.add_byte(c_MSG_KEXDH_REPLY) |
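Review bot: The new line `sig = self.transport.get_server_key().sign_ssh_data(H)` in the third hunk drops the rng positional argument, which changes the arity the key classes' `sign_ssh_data` must accept; this diffstat is limited to paramiko/kex_group1.py, so whether every key implementation was updated in the same commit cannot be confirmed from here. If any implementation still takes the rng as its first positional parameter, the mismatch surfaces only at runtime on the server-side KEXDH reply path as a TypeError, not at import time, so it would be worth verifying every `sign_ssh_data(` call site and definition before merging. The same consideration applies to any other kex module that called this method with the rng. The enclosing method starts and ends outside the hunk.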