From a37fe9750523d1555c83bfdb5f4cd6ef97c6526b Mon Sep 17 00:00:00 2001 From: llouislu Date: Thu, 5 Jan 2023 15:46:01 +1300 Subject: [PATCH 01/22] removed deprecated ciphers This includes * Blowfish * CAST5 * IDEA * SEED --- docs/conch/man/conch.1 | 2 +- src/twisted/conch/ssh/transport.py | 8 -------- src/twisted/conch/test/test_transport.py | 16 ++++++++-------- 3 files changed, 9 insertions(+), 17 deletions(-) diff --git a/docs/conch/man/conch.1 b/docs/conch/man/conch.1 index 6a327c224d1..531465a1659 100644 --- a/docs/conch/man/conch.1 +++ b/docs/conch/man/conch.1 @@ -108,7 +108,7 @@ Enable compression. .It Fl c Ar cipher_spec Selects encryption algorithms to be used for this connection, as a comma-separated list of ciphers in order of preference. The list that .Nm -supports is (in order of default preference): aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, cast128-ctr, cast128-cbc, blowfish-ctr, blowfish, idea-ctr, idea-cbc, 3des-ctr, 3des-cbc. +supports is (in order of default preference): aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, 3des-ctr, 3des-cbc. .It Fl e Ar ch | ^ch | none Sets the escape character for sessions with a PTY (default: .Ql ~ ) . diff --git a/src/twisted/conch/ssh/transport.py b/src/twisted/conch/ssh/transport.py index 278c0dce317..771587e61ab 100644 --- a/src/twisted/conch/ssh/transport.py +++ b/src/twisted/conch/ssh/transport.py 
@@ -94,17 +94,13 @@ class SSHCiphers: cipherMap = { b"3des-cbc": (algorithms.TripleDES, 24, modes.CBC), - b"blowfish-cbc": (algorithms.Blowfish, 16, modes.CBC), b"aes256-cbc": (algorithms.AES, 32, modes.CBC), b"aes192-cbc": (algorithms.AES, 24, modes.CBC), b"aes128-cbc": (algorithms.AES, 16, modes.CBC), - b"cast128-cbc": (algorithms.CAST5, 16, modes.CBC), b"aes128-ctr": (algorithms.AES, 16, modes.CTR), b"aes192-ctr": (algorithms.AES, 24, modes.CTR), b"aes256-ctr": (algorithms.AES, 32, modes.CTR), b"3des-ctr": (algorithms.TripleDES, 24, modes.CTR), - b"blowfish-ctr": (algorithms.Blowfish, 16, modes.CTR), - b"cast128-ctr": (algorithms.CAST5, 16, modes.CTR), b"none": (None, 0, modes.CBC), } macMap = { @@ -284,10 +280,6 @@ def _getSupportedCiphers(): b"aes192-cbc", b"aes128-ctr", b"aes128-cbc", - b"cast128-ctr", - b"cast128-cbc", - b"blowfish-ctr", - b"blowfish-cbc", b"3des-ctr", b"3des-cbc", ] diff --git a/src/twisted/conch/test/test_transport.py b/src/twisted/conch/test/test_transport.py index 0c69501164c..cdbd9d2b12f 100644 --- a/src/twisted/conch/test/test_transport.py +++ b/src/twisted/conch/test/test_transport.py 
@@ -1539,11 +1539,11 @@ def test_KEXINITMultipleAlgorithms(self):
 b"\x99\x00\x00\x00bdiffie-hellman-group1-sha1,diffie-hellman-g"
 b"roup-exchange-sha1,diffie-hellman-group-exchange-sha256\x00"
 b"\x00\x00\x0fssh-dss,ssh-rsa\x00\x00\x00\x85aes128-ctr,aes128-"
- b"cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,cast128-ctr,c"
- b"ast128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc\x00"
+ b"cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,"
+ b"3des-ctr,3des-cbc\x00"
 b"\x00\x00\x85aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes25"
- b"6-ctr,aes256-cbc,cast128-ctr,cast128-cbc,blowfish-ctr,blowfis"
- b"h-cbc,3des-ctr,3des-cbc\x00\x00\x00\x12hmac-md5,hmac-sha1\x00"
+ b"6-ctr,aes256-cbc"
+ b"3des-ctr,3des-cbc\x00\x00\x00\x12hmac-md5,hmac-sha1\x00"
 b"\x00\x00\x12hmac-md5,hmac-sha1\x00\x00\x00\tnone,zlib\x00\x00"
 b"\x00\tnone,zlib\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
 b"\x00\x00\x99\x99\x99\x99"
@@ -2213,11 +2213,11 @@ def test_KEXINITMultipleAlgorithms(self):
 b"\x99\x00\x00\x00bdiffie-hellman-group1-sha1,diffie-hellman-g"
 b"roup-exchange-sha1,diffie-hellman-group-exchange-sha256\x00"
 b"\x00\x00\x0fssh-dss,ssh-rsa\x00\x00\x00\x85aes128-ctr,aes128-"
- b"cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,cast128-ctr,c"
- b"ast128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc\x00"
+ b"cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,"
+ b"3des-ctr,3des-cbc\x00"
 b"\x00\x00\x85aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes25"
- b"6-ctr,aes256-cbc,cast128-ctr,cast128-cbc,blowfish-ctr,blowfis"
- b"h-cbc,3des-ctr,3des-cbc\x00\x00\x00\x12hmac-md5,hmac-sha1\x00"
+ b"6-ctr,aes256-cbc,"
+ b"3des-ctr,3des-cbc\x00\x00\x00\x12hmac-md5,hmac-sha1\x00"
 b"\x00\x00\x12hmac-md5,hmac-sha1\x00\x00\x00\tzlib,none\x00\x00"
 b"\x00\tzlib,none\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
 b"\x00\x00\x99\x99\x99\x99"
From c60c9522ee0c91a14613062f256e5ed72cc506bb Mon Sep 17 00:00:00 2001
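Review bot: The `\x00\x00\x85` length prefix in front of each cipher name-list is unchanged in both hunks (`-1539` and `-2213`), but the lists it frames shrank from 133 bytes to 83 when the four cast128/blowfish names were dropped, so the expected KEXINIT payload no longer frames the way the test intends; the prefix should become `\x00\x00\x53`. In the first hunk the second list additionally lost its separator — `b"6-ctr,aes256-cbc"` runs straight into `b"3des-ctr,3des-cbc..."`, producing `aes256-cbc3des-ctr` — while the `-2213` hunk keeps the comma. Hand-edited byte strings drift like this easily; deriving the expected name-list from the list `_getSupportedCiphers()` returns and computing the prefix with `struct.pack(">L", len(nameList))` would keep the fixture in step with the code. `test_KEXINITMultipleAlgorithms` starts before the hunk.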
From: llouislu Date: Thu, 5 Jan 2023 16:18:00 +1300 Subject: [PATCH 02/22] added a newsfragment --- src/twisted/newsfragments/11793.removal | 1 + 1 file changed, 1 insertion(+) create mode 100644 src/twisted/newsfragments/11793.removal diff --git a/src/twisted/newsfragments/11793.removal b/src/twisted/newsfragments/11793.removal new file mode 100644 index 00000000000..2ea520d716f --- /dev/null +++ b/src/twisted/newsfragments/11793.removal @@ -0,0 +1 @@ +Twisted Conch has removed and no longer supports legacy ciphers (CAST5, SEED, IDEA, Blowfish) as the upstream library "cryptography" has deprecated them since version 37. \ No newline at end of file From b222435ca390dd74e0059d14b40801b40fb6a010 Mon Sep 17 00:00:00 2001 From: llouislu Date: Thu, 5 Jan 2023 16:45:55 +1300 Subject: [PATCH 03/22] reverted cipher tests --- src/twisted/conch/test/test_transport.py | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/twisted/conch/test/test_transport.py b/src/twisted/conch/test/test_transport.py index cdbd9d2b12f..0c69501164c 100644 --- a/src/twisted/conch/test/test_transport.py +++ b/src/twisted/conch/test/test_transport.py 
@@ -1539,11 +1539,11 @@ def test_KEXINITMultipleAlgorithms(self):
 b"\x99\x00\x00\x00bdiffie-hellman-group1-sha1,diffie-hellman-g"
 b"roup-exchange-sha1,diffie-hellman-group-exchange-sha256\x00"
 b"\x00\x00\x0fssh-dss,ssh-rsa\x00\x00\x00\x85aes128-ctr,aes128-"
- b"cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,"
- b"3des-ctr,3des-cbc\x00"
+ b"cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,cast128-ctr,c"
+ b"ast128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc\x00"
 b"\x00\x00\x85aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes25"
- b"6-ctr,aes256-cbc"
- b"3des-ctr,3des-cbc\x00\x00\x00\x12hmac-md5,hmac-sha1\x00"
+ b"6-ctr,aes256-cbc,cast128-ctr,cast128-cbc,blowfish-ctr,blowfis"
+ b"h-cbc,3des-ctr,3des-cbc\x00\x00\x00\x12hmac-md5,hmac-sha1\x00"
 b"\x00\x00\x12hmac-md5,hmac-sha1\x00\x00\x00\tnone,zlib\x00\x00"
 b"\x00\tnone,zlib\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
 b"\x00\x00\x99\x99\x99\x99"
@@ -2213,11 +2213,11 @@ def test_KEXINITMultipleAlgorithms(self):
 b"\x99\x00\x00\x00bdiffie-hellman-group1-sha1,diffie-hellman-g"
 b"roup-exchange-sha1,diffie-hellman-group-exchange-sha256\x00"
 b"\x00\x00\x0fssh-dss,ssh-rsa\x00\x00\x00\x85aes128-ctr,aes128-"
- b"cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,"
- b"3des-ctr,3des-cbc\x00"
+ b"cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,cast128-ctr,c"
+ b"ast128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc\x00"
 b"\x00\x00\x85aes128-ctr,aes128-cbc,aes192-ctr,aes192-cbc,aes25"
- b"6-ctr,aes256-cbc,"
- b"3des-ctr,3des-cbc\x00\x00\x00\x12hmac-md5,hmac-sha1\x00"
+ b"6-ctr,aes256-cbc,cast128-ctr,cast128-cbc,blowfish-ctr,blowfis"
+ b"h-cbc,3des-ctr,3des-cbc\x00\x00\x00\x12hmac-md5,hmac-sha1\x00"
 b"\x00\x00\x12hmac-md5,hmac-sha1\x00\x00\x00\tzlib,none\x00\x00"
 b"\x00\tzlib,none\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
 b"\x00\x00\x99\x99\x99\x99"
From 5e9af03518f44fd047adee25013aabfa954605fc Mon Sep 17 00:00:00 2001 From: llouislu Date: Thu, 5 Jan 2023 17:15:06 +1300 Subject: [PATCH 04/22] rerun ci
From 4fb20608a33cf5b7097396dc64d47c87008fcd26 Mon Sep 17 00:00:00 2001 From: llouislu Date: Fri, 6 Jan 2023 11:08:19 +1300 Subject: [PATCH 05/22] grouped out and deprecated legacy ciphers --- src/twisted/conch/ssh/transport.py | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/src/twisted/conch/ssh/transport.py b/src/twisted/conch/ssh/transport.py index 771587e61ab..0955f11cfcf 100644 --- a/src/twisted/conch/ssh/transport.py +++ b/src/twisted/conch/ssh/transport.py @@ -17,6 +17,7 @@ import zlib from hashlib import md5, sha1, sha256, sha384, sha512 from typing import Dict +import warnings from cryptography.exceptions import UnsupportedAlgorithm from cryptography.hazmat.backends import default_backend @@ -91,8 +92,19 @@ class SSHCiphers: ) representing the outgoing MAC. @ivar inMAc: see outMAC, but for the incoming MAC. """ - + warnings.warn("Legacy SSH ciphers 'CAST5', 'Blowfish' " + "were deprecated in Twisted 21.11. " + "Please check and update if any is in use.", + category=DeprecationWarning, stacklevel=2) + deprecatedCipherMap = { + b"cast128-cbc": (algorithms.CAST5, 16, modes.CBC), + b"blowfish-ctr": (algorithms.Blowfish, 16, modes.CTR), + b"cast128-ctr": (algorithms.CAST5, 16, modes.CTR), + } cipherMap = { + # 3DES, ARC4 are also legacy (and ARC4 has serious security issues), + # `cryptography` decides not to deprecate them due to common use. + # https://github.com/pyca/cryptography/issues/6809 b"3des-cbc": (algorithms.TripleDES, 24, modes.CBC), b"aes256-cbc": (algorithms.AES, 32, modes.CBC), b"aes192-cbc": (algorithms.AES, 24, modes.CBC), @@ -103,6 +115,8 @@ class SSHCiphers: b"3des-ctr": (algorithms.TripleDES, 24, modes.CTR), b"none": (None, 0, modes.CBC), } + cipherMap.update(deprecatedCipherMap) + macMap = { b"hmac-sha2-512": sha512, b"hmac-sha2-384": sha384, 
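Review bot: The `warnings.warn(...)` placed in the `SSHCiphers` class body executes once, when the module is first imported, so every importer of twisted.conch receives a DeprecationWarning whether or not CAST5 or Blowfish is ever negotiated, while a connection that actually selects `cast128-*` or `blowfish-*` gets no signal at the moment it matters. Because the call sits in a class body, `stacklevel=2` attributes the warning to the module-level `class` statement in transport.py itself rather than to any caller, which also makes it awkward to assert on from a test. Raising the warning where a name from `deprecatedCipherMap` is actually resolved for a negotiated cipher (presumably the `cipherMap[cipher]` lookup elsewhere in this module) would make it both actionable and testable. The new comment above the 3DES entry also mentions ARC4, which has no entry in `cipherMap`; `# 3DES is also legacy but is not deprecated by cryptography (pyca/cryptography#6809)` states only what is true here.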
@@ -280,9 +294,17 @@ def _getSupportedCiphers(): b"aes192-cbc", b"aes128-ctr", b"aes128-cbc", + # 3DES, ARC4 are also legacy (and ARC4 has serious security issues), + # `cryptography` decides not to deprecate them due to common use. + # https://github.com/pyca/cryptography/issues/6809 b"3des-ctr", b"3des-cbc", ] + deprecatedCiphers = [ + b"cast128-ctr", + ] + cs.extend(deprecatedCiphers) + for cipher in cs: algorithmClass, keySize, modeClass = SSHCiphers.cipherMap[cipher] try: From cd36e573ece9d645bd9874a022ab882e98420062 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Thu, 5 Jan 2023 22:12:06 +0000 Subject: [PATCH 06/22] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- src/twisted/conch/ssh/transport.py | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/src/twisted/conch/ssh/transport.py b/src/twisted/conch/ssh/transport.py index 0955f11cfcf..59174aeb81f 100644 --- a/src/twisted/conch/ssh/transport.py +++ b/src/twisted/conch/ssh/transport.py @@ -14,10 +14,10 @@ import binascii import hmac import struct +import warnings import zlib from hashlib import md5, sha1, sha256, sha384, sha512 from typing import Dict -import warnings from cryptography.exceptions import UnsupportedAlgorithm from cryptography.hazmat.backends import default_backend 
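Review bot: `cs.extend(deprecatedCiphers)` feeds the deprecated names into the loop that follows, so they remain offered to peers and `algorithms.CAST5`/`Blowfish` appear to be instantiated for each of them at import time; with cryptography >= 37 that instantiation is presumably the source of the extra library deprecation warnings, emitted regardless of whether any connection ever uses these ciphers. `deprecatedCiphers` lists only `cast128-ctr`, whereas `deprecatedCipherMap` in the same patch has three entries, so `cast128-cbc` and `blowfish-ctr` end up in `cipherMap` but are never offered or probed; keeping a single source, `cs.extend(SSHCiphers.deprecatedCipherMap)` with the map's entries ordered by preference, removes that drift. The duplicated 3DES/ARC4 comment mentions ARC4, which neither list contains. `_getSupportedCiphers` continues past the hunk (its `try:` is cut off).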
@@ -92,10 +92,14 @@ class SSHCiphers: ) representing the outgoing MAC. @ivar inMAc: see outMAC, but for the incoming MAC. """ - warnings.warn("Legacy SSH ciphers 'CAST5', 'Blowfish' " - "were deprecated in Twisted 21.11. " - "Please check and update if any is in use.", - category=DeprecationWarning, stacklevel=2) + + warnings.warn( + "Legacy SSH ciphers 'CAST5', 'Blowfish' " + "were deprecated in Twisted 21.11. " + "Please check and update if any is in use.", + category=DeprecationWarning, + stacklevel=2, + ) deprecatedCipherMap = { b"cast128-cbc": (algorithms.CAST5, 16, modes.CBC), b"blowfish-ctr": (algorithms.Blowfish, 16, modes.CTR), From aeed574d7a62cbce6ae73d33d8c1f2659c7dabe8 Mon Sep 17 00:00:00 2001 From: llouislu Date: Fri, 6 Jan 2023 11:58:06 +1300 Subject: [PATCH 07/22] added test case --- src/twisted/conch/test/test_transport.py | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/src/twisted/conch/test/test_transport.py b/src/twisted/conch/test/test_transport.py index 0c69501164c..b1a42ec088b 100644 --- a/src/twisted/conch/test/test_transport.py +++ b/src/twisted/conch/test/test_transport.py @@ -20,6 +20,7 @@ from twisted.internet import defer from twisted.protocols import loopback from twisted.python import randbytes +from twisted.python import reflect from twisted.python.compat import iterbytes from twisted.python.randbytes import insecureRandom from twisted.python.reflect import requireModule 
@@ -3012,7 +3013,25 @@ def test_makeMAC(self): binascii.hexlify(outMAC.makeMAC(seqid, shortened)), f"Failed HMAC test vector; key={key!r} data={data!r}", ) + def test_deprecation(self): + """ + Test deprecation warning for legacy ciphers `CAST5`, `Blowfish`. + + A deprecation warning is emitted when directly importing the + SSHCiphers class. + """ + from twisted.conch.ssh.transport import SSHCiphers + warningsShown = self.flushWarnings(offendingFunctions=[self.test_deprecation]) + self.assertEqual(warningsShown[0]["category"], DeprecationWarning) + self.assertEqual( + warningsShown[0]["message"], + "Legacy SSH ciphers 'CAST5', 'Blowfish' " + "were deprecated in Twisted 21.11. " + "Please check and update if any is in use.", + ) + self.assertEqual(len(warningsShown), 1) + SSHCiphers # Fake usage to please pyflakes. class TransportLoopbackTests(TestCase): """ From b82d4422d32a9211f6a1fd59038756fa9ce98b6d Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Thu, 5 Jan 2023 22:59:53 +0000 Subject: [PATCH 08/22] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- src/twisted/conch/test/test_transport.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/twisted/conch/test/test_transport.py b/src/twisted/conch/test/test_transport.py index b1a42ec088b..241d29173f5 100644 --- a/src/twisted/conch/test/test_transport.py +++ b/src/twisted/conch/test/test_transport.py @@ -19,8 +19,7 @@ from twisted.conch.ssh import _kex, address, service from twisted.internet import defer from twisted.protocols import loopback -from twisted.python import randbytes -from twisted.python import reflect +from twisted.python import randbytes, reflect from twisted.python.compat import iterbytes from twisted.python.randbytes import insecureRandom from twisted.python.reflect import requireModule 
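Review bot: `from twisted.conch.ssh.transport import SSHCiphers` inside `test_deprecation` cannot trigger the class-body warning: the module is already imported when this test module loads (it imports from `twisted.conch.ssh` at top level), and a second import returns the cached module without re-executing the class body. The `offendingFunctions=[self.test_deprecation]` filter will not match either, because a warning raised from a class body with `stacklevel=2` is attributed to transport.py's module frame, not to this function, so `warningsShown[0]` most likely raises IndexError instead of producing a readable failure. An import-time warning is observable only once per process, which is a further reason to emit it when a deprecated cipher is actually selected and to test that code path with a fixed cipher name instead.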
@@ -3013,6 +3012,7 @@ def test_makeMAC(self): binascii.hexlify(outMAC.makeMAC(seqid, shortened)), f"Failed HMAC test vector; key={key!r} data={data!r}", ) + def test_deprecation(self): """ Test deprecation warning for legacy ciphers `CAST5`, `Blowfish`. @@ -3031,7 +3031,8 @@ def test_deprecation(self): "Please check and update if any is in use.", ) self.assertEqual(len(warningsShown), 1) - SSHCiphers # Fake usage to please pyflakes. + SSHCiphers # Fake usage to please pyflakes. + class TransportLoopbackTests(TestCase): """ From 8f882ec6e6a45ef1bdd1fe509657653aacacf263 Mon Sep 17 00:00:00 2001 From: llouislu Date: Fri, 6 Jan 2023 14:05:26 +1300 Subject: [PATCH 09/22] fixed warning and test --- src/twisted/conch/ssh/transport.py | 16 +++++++--------- src/twisted/conch/test/test_transport.py | 15 ++++++++++----- 2 files changed, 17 insertions(+), 14 deletions(-) diff --git a/src/twisted/conch/ssh/transport.py b/src/twisted/conch/ssh/transport.py index 59174aeb81f..8b14d5b4b00 100644 --- a/src/twisted/conch/ssh/transport.py +++ b/src/twisted/conch/ssh/transport.py @@ -69,8 +69,13 @@ class _MACParams(tuple): @ivar key: The HMAC key which will be used. """ - - +warnings.warn( + "Legacy SSH ciphers 'CAST5', 'Blowfish' " + "were deprecated in Twisted 22.11. " + "Please check and update if any is in use.", + category=DeprecationWarning, + stacklevel=2, + ) class SSHCiphers: """ SSHCiphers represents all the encryption operations that need to occur @@ -93,13 +98,6 @@ class SSHCiphers: @ivar inMAc: see outMAC, but for the incoming MAC. """ - warnings.warn( - "Legacy SSH ciphers 'CAST5', 'Blowfish' " - "were deprecated in Twisted 21.11. " - "Please check and update if any is in use.", - category=DeprecationWarning, - stacklevel=2, - ) deprecatedCipherMap = { b"cast128-cbc": (algorithms.CAST5, 16, modes.CBC), b"blowfish-ctr": (algorithms.Blowfish, 16, modes.CTR), 
diff --git a/src/twisted/conch/test/test_transport.py b/src/twisted/conch/test/test_transport.py index 241d29173f5..3ac592d7f6d 100644 --- a/src/twisted/conch/test/test_transport.py +++ b/src/twisted/conch/test/test_transport.py @@ -10,7 +10,9 @@ import re import string import struct +import sys import types +import warnings from hashlib import md5, sha1, sha256, sha384, sha512 from typing import Optional, Type @@ -3020,18 +3022,21 @@ def test_deprecation(self): A deprecation warning is emitted when directly importing the SSHCiphers class. """ - from twisted.conch.ssh.transport import SSHCiphers + warnings.resetwarnings() + transportModuleName = "twisted.conch.ssh.transport" + del sys.modules[transportModuleName] + import importlib + importlib.import_module(transportModuleName) - warningsShown = self.flushWarnings(offendingFunctions=[self.test_deprecation]) + warningsShown = self.flushWarnings() self.assertEqual(warningsShown[0]["category"], DeprecationWarning) self.assertEqual( warningsShown[0]["message"], "Legacy SSH ciphers 'CAST5', 'Blowfish' " - "were deprecated in Twisted 21.11. " + "were deprecated in Twisted 22.11. " "Please check and update if any is in use.", ) - self.assertEqual(len(warningsShown), 1) - SSHCiphers # Fake usage to please pyflakes. + self.assertEqual(len(warningsShown), 4) class TransportLoopbackTests(TestCase): From cb62b8247798afa7800d61f71fdb92537e2c89a0 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Fri, 6 Jan 2023 01:07:23 +0000 Subject: [PATCH 10/22] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- src/twisted/conch/ssh/transport.py | 16 ++++++++++------ src/twisted/conch/test/test_transport.py | 1 + 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/src/twisted/conch/ssh/transport.py b/src/twisted/conch/ssh/transport.py index 8b14d5b4b00..e2216a630b2 100644 --- a/src/twisted/conch/ssh/transport.py 
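Review bot: `del sys.modules[transportModuleName]` followed by `importlib.import_module(...)` leaves a second, fresh copy of `twisted.conch.ssh.transport` installed for the rest of the test process and nothing restores the original: every module that already bound names from it (this test file included) keeps the old class objects, so later `isinstance` checks, `self.patch` calls and subclass hooks can silently act on the wrong copy. `warnings.resetwarnings()` likewise discards the process-wide warning filters, including any the test runner installed, and is never undone. Capture the original module first and register `self.addCleanup(sys.modules.__setitem__, transportModuleName, originalModule)`, and run the re-import inside `with warnings.catch_warnings(): warnings.simplefilter("always")`, which restores the filters on exit. `self.assertEqual(len(warningsShown), 4)` also pins how many deprecation warnings the installed cryptography emits, which this code does not control; filtering `warningsShown` to the Twisted message and asserting exactly one would be stable across library versions. `test_deprecation` starts before the hunk.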
+++ b/src/twisted/conch/ssh/transport.py @@ -69,13 +69,17 @@ class _MACParams(tuple): @ivar key: The HMAC key which will be used. """ + + warnings.warn( - "Legacy SSH ciphers 'CAST5', 'Blowfish' " - "were deprecated in Twisted 22.11. " - "Please check and update if any is in use.", - category=DeprecationWarning, - stacklevel=2, - ) + "Legacy SSH ciphers 'CAST5', 'Blowfish' " + "were deprecated in Twisted 22.11. " + "Please check and update if any is in use.", + category=DeprecationWarning, + stacklevel=2, +) + + class SSHCiphers: """ SSHCiphers represents all the encryption operations that need to occur diff --git a/src/twisted/conch/test/test_transport.py b/src/twisted/conch/test/test_transport.py index 3ac592d7f6d..c221692949f 100644 --- a/src/twisted/conch/test/test_transport.py +++ b/src/twisted/conch/test/test_transport.py @@ -3026,6 +3026,7 @@ def test_deprecation(self): transportModuleName = "twisted.conch.ssh.transport" del sys.modules[transportModuleName] import importlib + importlib.import_module(transportModuleName) warningsShown = self.flushWarnings() From ebf63436a573f22eebdb17648dbc59b9b4993e7a Mon Sep 17 00:00:00 2001 From: llouislu Date: Fri, 6 Jan 2023 14:26:43 +1300 Subject: [PATCH 11/22] rerun ci From 16d10f59685473d9d746265ab8848314c59ea723 Mon Sep 17 00:00:00 2001 From: llouislu Date: Fri, 6 Jan 2023 14:35:05 +1300 Subject: [PATCH 12/22] fixed import for flake8 --- src/twisted/conch/test/test_transport.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/twisted/conch/test/test_transport.py b/src/twisted/conch/test/test_transport.py index c221692949f..ad37270a1d5 100644 --- a/src/twisted/conch/test/test_transport.py +++ b/src/twisted/conch/test/test_transport.py 
@@ -21,7 +21,7 @@ from twisted.conch.ssh import _kex, address, service from twisted.internet import defer from twisted.protocols import loopback -from twisted.python import randbytes, reflect +from twisted.python import randbytes from twisted.python.compat import iterbytes from twisted.python.randbytes import insecureRandom from twisted.python.reflect import requireModule From 3b51bf33d831c9eb88892801b607eafbf809ed47 Mon Sep 17 00:00:00 2001 From: llouislu Date: Fri, 6 Jan 2023 14:47:52 +1300 Subject: [PATCH 13/22] updated documentation --- docs/conch/man/conch.1 | 2 +- src/twisted/newsfragments/11793.removal | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/conch/man/conch.1 b/docs/conch/man/conch.1 index 531465a1659..6dac55851e5 100644 --- a/docs/conch/man/conch.1 +++ b/docs/conch/man/conch.1 @@ -108,7 +108,7 @@ Enable compression. .It Fl c Ar cipher_spec Selects encryption algorithms to be used for this connection, as a comma-separated list of ciphers in order of preference. The list that .Nm -supports is (in order of default preference): aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, 3des-ctr, 3des-cbc. +supports is (in order of default preference): aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, cast128-ctr, cast128-cbc, blowfish-ctr, blowfish, idea-ctr, idea-cbc, 3des-ctr, 3des-cbc. However, cast128-ctr, cast128-cbc, blowfish-ctr, blowfish are deprecated and will be removed in a future version. .It Fl e Ar ch | ^ch | none Sets the escape character for sessions with a PTY (default: .Ql ~ ) . diff --git a/src/twisted/newsfragments/11793.removal b/src/twisted/newsfragments/11793.removal index 2ea520d716f..3fa27bc09fa 100644 --- a/src/twisted/newsfragments/11793.removal +++ b/src/twisted/newsfragments/11793.removal 
@@ -1 +1 @@ -Twisted Conch has removed and no longer supports legacy ciphers (CAST5, SEED, IDEA, Blowfish) as the upstream library "cryptography" has deprecated them since version 37. \ No newline at end of file +Twisted Conch has deprecated but still supports legacy ciphers (CAST5, SEED, IDEA, Blowfish) as the upstream library "cryptography" has deprecated them since version 37. From d993552b6364a88d3f7839129f1852ff2e192bf0 Mon Sep 17 00:00:00 2001 From: llouislu Date: Fri, 6 Jan 2023 15:01:03 +1300 Subject: [PATCH 14/22] fixed deprecated cipher list --- src/twisted/conch/ssh/transport.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/twisted/conch/ssh/transport.py b/src/twisted/conch/ssh/transport.py index e2216a630b2..b921f53e999 100644 --- a/src/twisted/conch/ssh/transport.py +++ b/src/twisted/conch/ssh/transport.py @@ -104,8 +104,9 @@ class SSHCiphers: deprecatedCipherMap = { b"cast128-cbc": (algorithms.CAST5, 16, modes.CBC), - b"blowfish-ctr": (algorithms.Blowfish, 16, modes.CTR), b"cast128-ctr": (algorithms.CAST5, 16, modes.CTR), + b"blowfish-ctr": (algorithms.Blowfish, 16, modes.CTR), + b"blowfish-cbc": (algorithms.Blowfish, 16, modes.CBC), } cipherMap = { # 3DES, ARC4 are also legacy (and ARC4 has serious security issues), @@ -308,6 +309,9 @@ def _getSupportedCiphers(): ] deprecatedCiphers = [ b"cast128-ctr", + b"cast128-cbc", + b"blowfish-ctr", + b"blowfish-cbc", ] cs.extend(deprecatedCiphers) From 32abf9eeafd62e835c3a8818c51e1fe7e7cb682a Mon Sep 17 00:00:00 2001 From: llouislu Date: Fri, 6 Jan 2023 15:18:53 +1300 Subject: [PATCH 15/22] fixed unit test --- src/twisted/conch/test/test_transport.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/twisted/conch/test/test_transport.py b/src/twisted/conch/test/test_transport.py index ad37270a1d5..29fef193dca 100644 --- a/src/twisted/conch/test/test_transport.py +++ b/src/twisted/conch/test/test_transport.py 
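Review bot: The four names appended via `cs.extend(deprecatedCiphers)` now come after `3des-ctr`/`3des-cbc`, whereas before this series the same names sat ahead of 3DES in the preference list (see the removal hunk of the first patch), so when this side's preference decides, a peer offering both will now negotiate 3DES where it previously got CAST5. Ranking ciphers being phased out last is a reasonable choice, but it is a visible change in negotiated algorithms that neither the newsfragment nor the code records; a comment such as `# Offered last on purpose: deprecated, kept only for interoperability.` above `deprecatedCiphers` would capture the intent. `_getSupportedCiphers` continues past the hunk.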
@@ -3037,7 +3037,7 @@ def test_deprecation(self): "were deprecated in Twisted 22.11. " "Please check and update if any is in use.", ) - self.assertEqual(len(warningsShown), 4) + self.assertEqual(len(warningsShown), 5) class TransportLoopbackTests(TestCase): From ff08b39032851df1415b67d92525bfdea4f96e25 Mon Sep 17 00:00:00 2001 From: llouislu Date: Fri, 6 Jan 2023 16:04:28 +1300 Subject: [PATCH 16/22] fixed unit test for mindeps-withcov-posix --- src/twisted/conch/test/test_transport.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/twisted/conch/test/test_transport.py b/src/twisted/conch/test/test_transport.py index 29fef193dca..b36fb5f72bd 100644 --- a/src/twisted/conch/test/test_transport.py +++ b/src/twisted/conch/test/test_transport.py @@ -3037,7 +3037,11 @@ def test_deprecation(self): "were deprecated in Twisted 22.11. " "Please check and update if any is in use.", ) - self.assertEqual(len(warningsShown), 5) + majorVersion = int(cryptography.__version__.split(".")[0]) + expectedNumberOfWarnings = 1 + if majorVersion >= 37: + expectedNumberOfWarnings = 5 + self.assertEqual(len(warningsShown), expectedNumberOfWarnings) class TransportLoopbackTests(TestCase): From 3e4b9a5021ad88ef72eda28559d195225e3fea2c Mon Sep 17 00:00:00 2001 From: llouislu Date: Tue, 10 Jan 2023 18:37:47 +1300 Subject: [PATCH 17/22] updated version placeholder Co-authored-by: Adi Roiban --- src/twisted/conch/ssh/transport.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/twisted/conch/ssh/transport.py b/src/twisted/conch/ssh/transport.py index b921f53e999..ea46a860b3f 100644 --- a/src/twisted/conch/ssh/transport.py +++ b/src/twisted/conch/ssh/transport.py @@ -73,7 +73,7 @@ class _MACParams(tuple): warnings.warn( "Legacy SSH ciphers 'CAST5', 'Blowfish' " - "were deprecated in Twisted 22.11. " + "were deprecated in Twisted NEXT. " "Please check and update if any is in use.", category=DeprecationWarning, stacklevel=2, 
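Review bot: `expectedNumberOfWarnings = 5` for cryptography >= 37 hard-codes how many deprecation warnings a third-party library emits during the import, so the assertion breaks whenever cryptography changes its deprecation set or `_getSupportedCiphers` probes a different number of deprecated algorithms, even though Twisted's own behaviour is unchanged. Asserting on the Twisted warning alone is robust to that: `twistedWarnings = [w for w in warningsShown if w["message"].startswith("Legacy SSH ciphers")]` followed by `self.assertEqual(len(twistedWarnings), 1)`, with `warningsShown[0]` replaced by `twistedWarnings[0]` so the check no longer depends on the order in which library warnings arrive. `cryptography.__version__` requires `cryptography` to be imported by the test module, which the hunk does not show. `test_deprecation` starts before the hunk.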
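Review bot: `"were deprecated in Twisted NEXT. "` is a plain string literal inside `warnings.warn(...)`, so it only becomes a real version if the release tooling rewrites this exact text; nothing in the hunk ties it to the `NEXT` placeholder that Twisted's `Version`-based deprecations rely on (presumably what the co-author had in mind), so it may well reach users verbatim. A versioned helper from `twisted.python.deprecate`, or at minimum a single module-level constant the release process is known to update, would avoid that and would also spare the test from re-editing the same string at each release.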
From 230107527d73357220d7dbddda7226ce2651bd74 Mon Sep 17 00:00:00 2001 From: llouislu Date: Tue, 10 Jan 2023 18:54:02 +1300 Subject: [PATCH 18/22] Updated test case name Co-authored-by: Adi Roiban --- src/twisted/conch/test/test_transport.py | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/src/twisted/conch/test/test_transport.py b/src/twisted/conch/test/test_transport.py index b36fb5f72bd..a740c3c947f 100644 --- a/src/twisted/conch/test/test_transport.py +++ b/src/twisted/conch/test/test_transport.py @@ -3015,12 +3015,9 @@ def test_makeMAC(self): f"Failed HMAC test vector; key={key!r} data={data!r}", ) - def test_deprecation(self): + def test_deprecationCAST5Blowfish(self): """ - Test deprecation warning for legacy ciphers `CAST5`, `Blowfish`. - - A deprecation warning is emitted when directly importing the - SSHCiphers class. + A deprecation warning is raised when importing the L{twisted.conch.transport} module. """ warnings.resetwarnings() transportModuleName = "twisted.conch.ssh.transport" From ca8eacc7f53992119b6b616865b51ee3e673b22a Mon Sep 17 00:00:00 2001 From: llouislu Date: Tue, 10 Jan 2023 18:58:36 +1300 Subject: [PATCH 19/22] added comment to deprecation test --- src/twisted/conch/test/test_transport.py | 1 + 1 file changed, 1 insertion(+) diff --git a/src/twisted/conch/test/test_transport.py b/src/twisted/conch/test/test_transport.py index a740c3c947f..2318e0a7e01 100644 --- a/src/twisted/conch/test/test_transport.py +++ b/src/twisted/conch/test/test_transport.py @@ -3037,6 +3037,7 @@ def test_deprecationCAST5Blowfish(self): majorVersion = int(cryptography.__version__.split(".")[0]) expectedNumberOfWarnings = 1 if majorVersion >= 37: + # `cryptography` has raised deprecation 4 warnings + 1 warning from twisted since 37 expectedNumberOfWarnings = 5 self.assertEqual(len(warningsShown), expectedNumberOfWarnings) From efc0e42389448564cfa88a8019afeebd379897cf Mon Sep 17 00:00:00 2001 
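Review bot: The rewritten docstring refers to `L{twisted.conch.transport}`, but the module exercised is `twisted.conch.ssh.transport` (the value of `transportModuleName` a few lines down), so the `L{}` cross-reference will not resolve in the generated API docs; the reflowed version in the last patch of this series keeps the same wrong path. Suggested text: `A deprecation warning is raised when importing the L{twisted.conch.ssh.transport} module, which still carries the CAST5 and Blowfish ciphers.` The body of `test_deprecationCAST5Blowfish` continues outside the hunk.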
From: llouislu Date: Tue, 10 Jan 2023 18:59:49 +1300 Subject: [PATCH 20/22] updated newsfragment --- src/twisted/newsfragments/11793.removal | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/twisted/newsfragments/11793.removal b/src/twisted/newsfragments/11793.removal index 3fa27bc09fa..95c35f2b6da 100644 --- a/src/twisted/newsfragments/11793.removal +++ b/src/twisted/newsfragments/11793.removal @@ -1 +1 @@ -Twisted Conch has deprecated but still supports legacy ciphers (CAST5, SEED, IDEA, Blowfish) as the upstream library "cryptography" has deprecated them since version 37. +twisted.conch.ssh.transport has the CAST5 and Blowfish based cipher deprecated. This was done since the same ciphers were deprecated in the cryptography library since version 37. \ No newline at end of file From 2b627a4ab211036ff8166e3e495830da05888e22 Mon Sep 17 00:00:00 2001 From: llouislu Date: Tue, 10 Jan 2023 19:00:02 +1300 Subject: [PATCH 21/22] updated to private APIs --- src/twisted/conch/ssh/transport.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/twisted/conch/ssh/transport.py b/src/twisted/conch/ssh/transport.py index ea46a860b3f..061991191a3 100644 --- a/src/twisted/conch/ssh/transport.py +++ b/src/twisted/conch/ssh/transport.py @@ -102,7 +102,7 @@ class SSHCiphers: @ivar inMAc: see outMAC, but for the incoming MAC. """ - deprecatedCipherMap = { + _deprecatedCipherMap = { b"cast128-cbc": (algorithms.CAST5, 16, modes.CBC), b"cast128-ctr": (algorithms.CAST5, 16, modes.CTR), b"blowfish-ctr": (algorithms.Blowfish, 16, modes.CTR), @@ -122,7 +122,7 @@ class SSHCiphers: b"3des-ctr": (algorithms.TripleDES, 24, modes.CTR), b"none": (None, 0, modes.CBC), } - cipherMap.update(deprecatedCipherMap) + cipherMap.update(_deprecatedCipherMap) macMap = { b"hmac-sha2-512": sha512, 
@@ -307,13 +307,13 @@ def _getSupportedCiphers(): b"3des-ctr", b"3des-cbc", ] - deprecatedCiphers = [ + _deprecatedCiphers = [ b"cast128-ctr", b"cast128-cbc", b"blowfish-ctr", b"blowfish-cbc", ] - cs.extend(deprecatedCiphers) + cs.extend(_deprecatedCiphers) for cipher in cs: algorithmClass, keySize, modeClass = SSHCiphers.cipherMap[cipher] From 945b76fc4484554b460d2d25f4375bb55b4d30d3 Mon Sep 17 00:00:00 2001 From: llouislu Date: Tue, 10 Jan 2023 19:09:03 +1300 Subject: [PATCH 22/22] updated test case --- src/twisted/conch/test/test_transport.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/twisted/conch/test/test_transport.py b/src/twisted/conch/test/test_transport.py index 2318e0a7e01..918191ca76c 100644 --- a/src/twisted/conch/test/test_transport.py +++ b/src/twisted/conch/test/test_transport.py @@ -3017,7 +3017,8 @@ def test_makeMAC(self): def test_deprecationCAST5Blowfish(self): """ - A deprecation warning is raised when importing the L{twisted.conch.transport} module. + A deprecation warning is raised when importing the + L{twisted.conch.transport} module. """ warnings.resetwarnings() transportModuleName = "twisted.conch.ssh.transport" @@ -3031,13 +3032,16 @@ def test_deprecationCAST5Blowfish(self): self.assertEqual( warningsShown[0]["message"], "Legacy SSH ciphers 'CAST5', 'Blowfish' " - "were deprecated in Twisted 22.11. " + "were deprecated in Twisted NEXT. " "Please check and update if any is in use.", ) majorVersion = int(cryptography.__version__.split(".")[0]) + # twisted raises 1 warning regardless of the installed + # cryptography version expectedNumberOfWarnings = 1 if majorVersion >= 37: - # `cryptography` has raised deprecation 4 warnings + 1 warning from twisted since 37 + # `cryptography`, since version 37, + # raises 4 extra deprecation warnings during the import expectedNumberOfWarnings = 5 self.assertEqual(len(warningsShown), expectedNumberOfWarnings)
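Review bot: `_deprecatedCiphers` is a local variable inside `_getSupportedCiphers`, so the leading underscore marks nothing as private (the function already is) and only makes it look like the class attribute `SSHCiphers._deprecatedCipherMap` whose keys it duplicates by hand. The two lists have already drifted once earlier in this series; keeping one source, `cs.extend(SSHCiphers._deprecatedCipherMap)` with the map's entries in preference order, or a plain `deprecatedCiphers` local with a comment pointing at the map, would prevent a repeat. The function body continues past the hunk.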