XR_?0dZddlmZmZddlmZddlZejeZ ddl m Z ddl m Z mZmZmZddlmZddlmZmZmZmZmZmZddlmcmZgd Zd ZGd d ej ej!Z"Gd de"Z#Gddej$Z%dS)z1 passlib.handlers.cisco -- Cisco password hashes )hexlify unhexlify)md5N)warn)right_pad_string to_unicode repeat_stringto_bytes)h64)unicodeujoin_byte_valuesjoin_byte_elemsiter_byte_values uascii_to_str) cisco_pix cisco_asa cisco_type7s c>eZdZdZdZdZdZdZdZe j Z dZ dZ dS)ra This class implements the password hash used by older Cisco PIX firewalls, and follows the :ref:`password-hash-api`. It does a single round of hashing, and relies on the username as the salt. This class only allows passwords <= 16 bytes, anything larger will result in a :exc:`~passlib.exc.PasswordSizeError` if passed to :meth:`~cisco_pix.hash`, and be silently rejected if passed to :meth:`~cisco_pix.verify`. The :meth:`~passlib.ifc.PasswordHash.hash`, :meth:`~passlib.ifc.PasswordHash.genhash`, and :meth:`~passlib.ifc.PasswordHash.verify` methods all support the following extra keyword: :param str user: String containing name of user account this password is associated with. This is *required* in order to correctly hash passwords associated with a user account on the Cisco device, as it is used to salt the hash. Conversely, this *must* be omitted or set to ``""`` in order to correctly hash passwords which don't have an associated user account (such as the "enable" password). .. versionadded:: 1.6 .. versionchanged:: 1.7.1 Passwords > 16 bytes are now rejected / throw error instead of being silently truncated, to match Cisco behavior. A number of :ref:`bugs ` were fixed which caused prior releases to generate unverifiable hashes in certain cases. TFc|j}t|tr|d}d}t ||jkrH|jr7d|j|jfz}tj |j||tz}|j }|rRt|tr|d}|rt |dkr|t|dz }|rt |dkrd}nd}t||}|r||z }t|}t#d t%|D}t'j|d S) a7 This function implements the "encrypted" hash format used by Cisco PIX & ASA. It's behavior has been confirmed for ASA 9.6, but is presumed correct for PIX & other ASA releases, as it fits with known test vectors, and existing literature. While nearly the same, the PIX & ASA hashes have slight differences, so this function performs differently based on the _is_asa class flag. Noteable changes from PIX to ASA include password size limit increased from 16 -> 32, and other internal changes. utf-8Nz.Password too long (%s allows at most %d bytes))msgr c30K|]\}}|dzdz |VdS)N).0ics 8/usr/lib/python3/dist-packages/passlib/handlers/cisco.py z+cisco_pix._calc_checksum..s3 P Ptq!QUaK P P P P P P Pascii)_is_asa isinstancer encodelen truncate_size use_defaultsnameuhexcPasswordSizeError _DUMMY_BYTESuserr rrdigestr enumerater encode_bytesdecode)selfsecretasa spoil_digestrr3pad_sizer4s r$_calc_checksumzcisco_pix._calc_checksumgsl fg & & ,]]7++F, v;;+ + + 5Fy$"456f..t/As.KKK & 4 .y  1$(( ,{{7++ 1#f++**-a000  3v;;##HHH!&(33  # l "FV##%%! P Py/@/@ P P PPP ''..w777r&N)__name__ __module__ __qualname____doc__r.r,truncate_errortruncate_verify_reject checksum_sizer/ HASH64_CHARSchecksum_charsr(r=r r&r$rr$sa!!R DMN! M_NG |8|8|8|8|8r&rceZdZdZdZdZdZdS)ra This class implements the password hash used by Cisco ASA/PIX 7.0 and newer (2005). Aside from a different internal algorithm, it's use and format is identical to the older :class:`cisco_pix` class. For passwords less than 13 characters, this should be identical to :class:`!cisco_pix`, but will generate a different hash for most larger inputs (See the `Format & Algorithm`_ section for the details). This class only allows passwords <= 32 bytes, anything larger will result in a :exc:`~passlib.exc.PasswordSizeError` if passed to :meth:`~cisco_asa.hash`, and be silently rejected if passed to :meth:`~cisco_asa.verify`. .. versionadded:: 1.7 .. versionchanged:: 1.7.1 Passwords > 32 bytes are now rejected / throw error instead of being silently truncated, to match Cisco behavior. A number of :ref:`bugs ` were fixed which caused prior releases to generate unverifiable hashes in certain cases. rTN)r>r?r@rAr.r,r(r r&r$rrs-8 D M GGGr&rceZdZdZdZdZejZdZ dZ e dfd Z e dZ dfd Ze dd Zed Zd Zd Ze ddZedZe dZxZS)ra+ This class implements the "Type 7" password encoding used by Cisco IOS, and follows the :ref:`password-hash-api`. It has a simple 4-5 bit salt, but is nonetheless a reversible encoding instead of a real hash. The :meth:`~passlib.ifc.PasswordHash.using` method accepts the following optional keywords: :type salt: int :param salt: This may be an optional salt integer drawn from ``range(0,16)``. If omitted, one will be chosen at random. :type relaxed: bool :param relaxed: By default, providing an invalid value for one of the other keywords will result in a :exc:`ValueError`. If ``relaxed=True``, and the error can be corrected, a :exc:`~passlib.exc.PasslibHashWarning` will be issued instead. Correctable errors include ``salt`` values that are out of range. Note that while this class outputs digests in upper-case hexadecimal, it will accept lower-case as well. This class also provides the following additional method: .. automethod:: decode saltr4Nc tt|jdi|}A||dt fd|_|S)Nrelaxed)rMcSNr rIsr$z#cisco_type7.using..fsr&r )superrusing _norm_saltget staticmethod_generate_salt)clsrJkwdssubcls __class__s ` r$rRzcisco_type7.usingask.{C((.6666  $$T488I3F3F$GGD$0$>$>F ! r&ct|dd}t|dkrtj|t |dd}|||ddS)Nr'hash)rJchecksum)rr+r/r0InvalidHashErrorintupper)rWr\rJs r$ from_stringzcisco_type7.from_stringisr$00 t99q==&))#.. .48}}stABBx~~'7'78888r&c (tt|jdi||||}nQ|jr;|}|||ks Jd|nt d||_dS)Nzgenerated invalid salt: zno salt specifiedr )rQr__init__rSr-rV TypeErrorrJ)r8rJrXrZs r$rdzcisco_type7.__init__qs)k4  )11D111  ??4((DD   1&&((D??4((D0000RVRV2X0000/00 0 r&Fct|ts!tj|ddd|cxkr |jkrnn|Sd}|r)t |tj|dkrdn|jSt|)z validate & normalize salt value. .. note:: the salt for this algorithm is an integer 0-52, not a string integerrJrz"salt/offset must be in 0..52 range) r)r`r/r0ExpectedTypeErrormax_salt_valuerPasslibHashWarning ValueError)rWrJrMrs r$rSzcisco_type7._norm_salt|s$$$ D&**4FCC C  * * * ** * * * * *K2  " b+ , , ,q11c&8 8S// !r&cBtjddS)Nr)r/rngrandintr r&r$rVzcisco_type7._generate_saltsv~~a$$$r&c>d|jt|jfzS)Nz%02d%s)rJrr^)r8s r$ to_stringzcisco_type7.to_strings49mDM&B&BCCCr&ct|tr|d}t|||jdS)Nrr')r)r r*r_cipherrJr7ra)r8r9s r$r=zcisco_type7._calc_checksums_ fg & & ,]]7++Ft||FDI6677>>wGGMMOOOr&rc||}t|jd}|||j}|r||n|S)zdecode hash, returning original password. :arg hash: encoded password :param encoding: optional encoding to use (defaults to ``UTF-8``). :returns: password as unicode r')rbrr^r*rsrJr7)rWr\encodingr8tmpraws r$r7zcisco_type7.decodesct$$ ,,W5566ll3 **'/8szz(###S8r&z5dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87c|jttfdtt |DS)z1xor static key against data - encrypts & decryptsc3ZK|]%\}}|t|zzz V&dSrO)ord)r!idxvaluekeykey_sizerJs r$r%z&cisco_type7._cipher..sV  U CTCZ83455 5      r&)_keyr+rr5r)rWdatarJr}r~s `@@r$rszcisco_type7._cipherslhs88      '(8(>(>??      r&rO)F)r)r>r?r@rAr. setting_kwdsr/UPPER_HEX_CHARSrFmin_salt_valueri classmethodrRrbrdrSrUrVrqr=r7r rrs __classcell__)rZs@r$rr)sYF DL 'NNN [99[9      """[""%%\%DDDPPP 9 9 9[ 9 1 D E ED  [     r&r)&rAbinasciirrhashlibrlogging getLoggerr>logwarningsr passlib.utilsrrr r passlib.utils.binaryr passlib.utils.compatr r rrrrpasslib.utils.handlersutilshandlersr/__all__r2HasUserContext StaticHandlerrrGenericHandlerrr r&r$rs(''''''''g'11POOOOOOOOOOO$$$$$$>>>>>>>>>>>>>>>>#########    88888!2#3888j''''' '''`K K K K K "#K K K K K r&