U h?@sdZddlmZmZddlmZddlZeeZ ddl m Z ddl m Z mZmZmZddlmZddlmZmZmZmZmZmZddlmmZd d d gZd ZGd d d ej ej!Z"Gdd d e"Z#Gdd d ej$Z%dS)z1 passlib.handlers.cisco -- Cisco password hashes )hexlify unhexlify)md5N)warn)right_pad_string to_unicode repeat_stringto_bytes)h64)unicodeujoin_byte_valuesjoin_byte_elemsiter_byte_values uascii_to_str cisco_pix cisco_asa cisco_type7s c@s6eZdZdZdZdZdZdZdZe j Z dZ ddZ dS)ra This class implements the password hash used by older Cisco PIX firewalls, and follows the :ref:`password-hash-api`. It does a single round of hashing, and relies on the username as the salt. This class only allows passwords <= 16 bytes, anything larger will result in a :exc:`~passlib.exc.PasswordSizeError` if passed to :meth:`~cisco_pix.hash`, and be silently rejected if passed to :meth:`~cisco_pix.verify`. The :meth:`~passlib.ifc.PasswordHash.hash`, :meth:`~passlib.ifc.PasswordHash.genhash`, and :meth:`~passlib.ifc.PasswordHash.verify` methods all support the following extra keyword: :param str user: String containing name of user account this password is associated with. This is *required* in order to correctly hash passwords associated with a user account on the Cisco device, as it is used to salt the hash. Conversely, this *must* be omitted or set to ``""`` in order to correctly hash passwords which don't have an associated user account (such as the "enable" password). .. versionadded:: 1.6 .. versionchanged:: 1.7.1 Passwords > 16 bytes are now rejected / throw error instead of being silently truncated, to match Cisco behavior. A number of :ref:`bugs ` were fixed which caused prior releases to generate unverifiable hashes in certain cases. TFcCs|j}t|tr|d}d}t||jkr^|jrVd|j|jf}tj j |j|dn|t }|j }|rt|tr||d}|rt|dkr|t |d7}|rt|dkrd}nd}t||}|r||7}t|}td d t|D}t|d S) a7 This function implements the "encrypted" hash format used by Cisco PIX & ASA. It's behavior has been confirmed for ASA 9.6, but is presumed correct for PIX & other ASA releases, as it fits with known test vectors, and existing literature. While nearly the same, the PIX & ASA hashes have slight differences, so this function performs differently based on the _is_asa class flag. Noteable changes from PIX to ASA include password size limit increased from 16 -> 32, and other internal changes. utf-8Nz.Password too long (%s allows at most %d bytes))msgr css"|]\}}|dd@r|VqdS)N).0icrr<./venv/lib/python3.8/site-packages/passlib/handlers/cisco.py s z+cisco_pix._calc_checksum..ascii)_is_asa isinstancer encodelen truncate_size use_defaultsnameuhexcZPasswordSizeError _DUMMY_BYTESuserrrrdigestr enumerater Z encode_bytesdecode)selfsecretZasaZ spoil_digestrr-Zpad_sizer.rrr _calc_checksumgs4         zcisco_pix._calc_checksumN)__name__ __module__ __qualname____doc__r)r'Ztruncate_errorZtruncate_verify_rejectZ checksum_sizer*Z HASH64_CHARSchecksum_charsr#r3rrrr r$s)c@seZdZdZdZdZdZdS)ra This class implements the password hash used by Cisco ASA/PIX 7.0 and newer (2005). Aside from a different internal algorithm, it's use and format is identical to the older :class:`cisco_pix` class. For passwords less than 13 characters, this should be identical to :class:`!cisco_pix`, but will generate a different hash for most larger inputs (See the `Format & Algorithm`_ section for the details). This class only allows passwords <= 32 bytes, anything larger will result in a :exc:`~passlib.exc.PasswordSizeError` if passed to :meth:`~cisco_asa.hash`, and be silently rejected if passed to :meth:`~cisco_asa.verify`. .. versionadded:: 1.7 .. versionchanged:: 1.7.1 Passwords > 32 bytes are now rejected / throw error instead of being silently truncated, to match Cisco behavior. A number of :ref:`bugs ` were fixed which caused prior releases to generate unverifiable hashes in certain cases. rTN)r4r5r6r7r)r'r#rrrr rscseZdZdZdZdZejZdZ dZ e dfdd Z e dd Z dfd d Ze dd dZeddZddZddZe dddZedZe ddZZS)ra+ This class implements the "Type 7" password encoding used by Cisco IOS, and follows the :ref:`password-hash-api`. It has a simple 4-5 bit salt, but is nonetheless a reversible encoding instead of a real hash. The :meth:`~passlib.ifc.PasswordHash.using` method accepts the following optional keywords: :type salt: int :param salt: This may be an optional salt integer drawn from ``range(0,16)``. If omitted, one will be chosen at random. :type relaxed: bool :param relaxed: By default, providing an invalid value for one of the other keywords will result in a :exc:`ValueError`. If ``relaxed=True``, and the error can be corrected, a :exc:`~passlib.exc.PasslibHashWarning` will be issued instead. Correctable errors include ``salt`` values that are out of range. Note that while this class outputs digests in upper-case hexadecimal, it will accept lower-case as well. This class also provides the following additional method: .. automethod:: decode saltr4Nc sDtt|jf|}dk r@|j|ddtfdd|_|S)Nrelaxed)r<csSNrrr9rr fz#cisco_type7.using..)superrusing _norm_saltget staticmethod_generate_salt)clsr:kwdssubcls __class__r9r rAas zcisco_type7.usingcCsLt|dd}t|dkr$tj|t|dd}|||dddS)Nr"hash)r:checksum)rr&r*r+ZInvalidHashErrorintupper)rFrKr:rrr from_stringis    zcisco_type7.from_stringc sdtt|jf||dk r&||}n4|jrR|}|||ksZtd|fntd||_dS)Nzgenerated invalid salt: %rzno salt specified) r@r__init__rBr(rEAssertionError TypeErrorr:)r1r:rGrIrr rQqs zcisco_type7.__init__FcCsjt|tstj|ddd|kr0|jkr8nn|Sd}|r^t|tj|dkrXdS|jSt|dS)z validate & normalize salt value. .. note:: the salt for this algorithm is an integer 0-52, not a string Zintegerr:rz"salt/offset must be in 0..52 rangeN) r$rNr*r+ZExpectedTypeErrormax_salt_valuerZPasslibHashWarning ValueError)rFr:r<rrrr rB|s  zcisco_type7._norm_saltcCstjddS)Nr)r*rngZrandintrrrr rEszcisco_type7._generate_saltcCsd|jt|jfS)Nz%02d%s)r:rrM)r1rrr to_stringszcisco_type7.to_stringcCs0t|tr|d}t|||jdS)Nrr")r$r r%r_cipherr:r0rO)r1r2rrr r3s  zcisco_type7._calc_checksumrcCs:||}t|jd}|||j}|r6||S|S)zdecode hash, returning original password. :arg hash: encoded password :param encoding: optional encoding to use (defaults to ``UTF-8``). :returns: password as unicode r")rPrrMr%rYr:r0)rFrKencodingr1Ztmprawrrr r0s zcisco_type7.decodez5dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87cs0|jttfddtt|DS)z1xor static key against data - encrypts & decryptsc3s*|]"\}}|t|AVqdSr=)ord)ridxvaluekeyZkey_sizer:rr r!sz&cisco_type7._cipher..)_keyr&r r/r)rFdatar:rr_r rYs  zcisco_type7._cipher)N)N)F)r)r4r5r6r7r)Z setting_kwdsr*ZUPPER_HEX_CHARSr8Zmin_salt_valuerT classmethodrArPrQrBrDrErXr3r0r rarY __classcell__rrrIr r)s,#     )&r7ZbinasciirrZhashlibrZloggingZ getLoggerr4logwarningsrZ passlib.utilsrrrr Zpasslib.utils.binaryr Zpasslib.utils.compatr r r rrrZpasslib.utils.handlersZutilsZhandlersr*__all__r,ZHasUserContextZ StaticHandlerrrZGenericHandlerrrrrr s$      V0