Drop support for RC4.

It's cryptoanalytically completely 100% broken, and practical attacks have been demonstrated against it's usage in TLS. As far as I'm aware, there's no use case for RC4 based on compatibility.
paramiko · Jan 28, 2016 · 4b02a9b · 4b02a9b
1 parent e3b11da
commit 4b02a9b
Showing 1 changed file with 2 additions and 23 deletions.
diff --git a/paramiko/transport.py b/paramiko/transport.py
@@ -64,7 +64,7 @@
                                     ChannelException, ProxyCommandFailure)
 from paramiko.util import retry_on_signal, ClosingContextManager, clamp_value
 
-from Crypto.Cipher import Blowfish, AES, DES3, ARC4
+from Crypto.Cipher import Blowfish, AES, DES3
 try:
     from Crypto.Util import Counter
 except ImportError:
@@ -106,8 +106,6 @@ class Transport (threading.Thread, ClosingContextManager):
         'aes192-cbc',
         'aes256-cbc',
         '3des-cbc',
-        'arcfour128',
-        'arcfour256',
     )
     _preferred_macs = (
         'hmac-sha2-256',
@@ -179,18 +177,6 @@ class Transport (threading.Thread, ClosingContextManager):
             'block-size': 8,
             'key-size': 24
         },
-        'arcfour128': {
-            'class': ARC4,
-            'mode': None,
-            'block-size': 8,
-            'key-size': 16
-        },
-        'arcfour256': {
-            'class': ARC4,
-            'mode': None,
-            'block-size': 8,
-            'key-size': 32
-        },
     }
 
     _mac_info = {
@@ -1636,14 +1622,7 @@ def _compute_key(self, id, nbytes):
     def _get_cipher(self, name, key, iv):
         if name not in self._cipher_info:
             raise SSHException('Unknown client cipher ' + name)
-        if name in ('arcfour128', 'arcfour256'):
-            # arcfour cipher
-            cipher = self._cipher_info[name]['class'].new(key)
-            # as per RFC 4345, the first 1536 bytes of keystream
-            # generated by the cipher MUST be discarded
-            cipher.encrypt(" " * 1536)
-            return cipher
-        elif name.endswith("-ctr"):
+        if name.endswith("-ctr"):
             # CTR modes, we need a counter
             counter = Counter.new(nbits=self._cipher_info[name]['block-size'] * 8, initial_value=util.inflate_long(iv, True))
             return self._cipher_info[name]['class'].new(key, self._cipher_info[name]['mode'], iv, counter)