XR_ XdZddlZejeZddlmZmZmZm Z ddl m Z m Z ddl mZmZmZmZddlmZmZddlmcmZdgZGddejejejejZdS) z:passlib.handlers.scram - hash for SCRAM credential storageN)consteqsaslprep to_native_str splitcomma) ab64_decode ab64_encode) bascii_to_str iteritemsunative_string_types) pbkdf2_hmacnorm_hash_namescramc2eZdZdZdZdZedZdZdZ dZ dZ dZ d Z gd Zgd Zd Zed ZeddZedZedZdZedfd Zdfd ZddZedZfdZddZeddZxZS)raZThis class provides a format for storing SCRAM passwords, and follows the :ref:`password-hash-api`. It supports a variable-length salt, and a variable number of rounds. The :meth:`~passlib.ifc.PasswordHash.using` method accepts the following optional keywords: :type salt: bytes :param salt: Optional salt bytes. If specified, the length must be between 0-1024 bytes. If not specified, a 12 byte salt will be autogenerated (this is recommended). :type salt_size: int :param salt_size: Optional number of bytes to use when autogenerating new salts. Defaults to 12 bytes, but can be any value between 0 and 1024. :type rounds: int :param rounds: Optional number of rounds to use. Defaults to 100000, but must be within ``range(1,1<<32)``. :type algs: list of strings :param algs: Specify list of digest algorithms to use. By default each scram hash will contain digests for SHA-1, SHA-256, and SHA-512. This can be overridden by specify either be a list such as ``["sha-1", "sha-256"]``, or a comma-separated string such as ``"sha-1, sha-256"``. Names are case insensitive, and may use :mod:`!hashlib` or `IANA `_ hash names. :type relaxed: bool :param relaxed: By default, providing an invalid value for one of the other keywords will result in a :exc:`ValueError`. If ``relaxed=True``, and the error can be corrected, a :exc:`~passlib.exc.PasslibHashWarning` will be issued instead. Correctable errors include ``rounds`` that are too small or too large, and ``salt`` strings that are too long. .. versionadded:: 1.6 In addition to the standard :ref:`password-hash-api` methods, this class also provides the following methods for manipulating Passlib scram hashes in ways useful for pluging into a SCRAM protocol stack: .. automethod:: extract_digest_info .. automethod:: extract_digest_algs .. automethod:: derive_digest )salt salt_sizeroundsalgs$scram$ iillinear)sha-1sha-256sha-512)rrzsha-224zsha-384rNct|d}||}|j}|std|j|j||fS)areturn (salt, rounds, digest) for specific hash algorithm. :type hash: str :arg hash: :class:`!scram` hash stored for desired user :type alg: str :arg alg: Name of digest algorithm (e.g. ``"sha-1"``) requested by client. This value is run through :func:`~passlib.crypto.digest.norm_hash_name`, so it is case-insensitive, and can be the raw SCRAM mechanism name (e.g. ``"SCRAM-SHA-1"``), the IANA name, or the hashlib name. :raises KeyError: If the hash does not contain an entry for the requested digest algorithm. :returns: A tuple containing ``(salt, rounds, digest)``, where *digest* matches the raw bytes returned by SCRAM's :func:`Hi` function for the stored password, the provided *salt*, and the iteration count (*rounds*). *salt* and *digest* are both raw (unencoded) bytes. ianazscram hash contains no digests)r from_stringchecksum ValueErrorrr)clshashalgselfchkmaps 8/usr/lib/python3/dist-packages/passlib/handlers/scram.pyextract_digest_infozscram.extract_digest_info|sW>S&))t$$ ?=>> >y$+vc{22rcd||j}dkr|Sfd|DS)aReturn names of all algorithms stored in a given hash. :type hash: str :arg hash: The :class:`!scram` hash to parse :type format: str :param format: This changes the naming convention used by the returned algorithm names. By default the names are IANA-compatible; possible values are ``"iana"`` or ``"hashlib"``. :returns: Returns a list of digest algorithms; e.g. ``["sha-1"]`` rc0g|]}t|Sr).0r#formats r& z-scram.extract_digest_algs..s#@@@CN3//@@@r()rr)r!r"r.rs ` r&extract_digest_algszscram.extract_digest_algssC(t$$) V  K@@@@4@@@ @r(ct|tr|d}t|t |||S)a;helper to create SaltedPassword digest for SCRAM. This performs the step in the SCRAM protocol described as:: SaltedPassword := Hi(Normalize(password), salt, i) :type password: unicode or utf-8 bytes :arg password: password to run through digest :type salt: bytes :arg salt: raw salt data :type rounds: int :arg rounds: number of iterations. :type alg: str :arg alg: name of digest to use (e.g. ``"sha-1"``). :returns: raw bytes of ``SaltedPassword`` zutf-8) isinstancebytesdecoder r)r!passwordrrr#s r& derive_digestzscram.derive_digestsE. h & & 0w//H3 2 2D&AAAr(ct|dd}|dstj||ddd}t |dkrtj||\}}}t|}|t|krtj| t| d}n-#t$r tj|wxYw|stj|d|vrd}i} |dD]m} | d\} } t| d| | <A#t$r tj|wxYwn|}d} |||| | S) Nasciir"r$=,)rrrr) r startswithuhexcInvalidHashErrorsplitlenMalformedHashErrorintstrrencode TypeError) r!r"parts rounds_strsalt_strchk_strrrrr%pairr#digests r&rzscram.from_stringsT7F33y)) /&))#.. .QRRs## u::??&++C00 0(-% HgZ V $ $&++C00 0 1xw7788DD 1 1 1&++C00 0 1 &++C00 0 G^^DF c** 9 9"jjoo V9"-fmmG.D.D"E"EF3KK 999&33C8889  9DFs     s"D*D*%F,,*Gctt|j}|jdfd|jD}d|j||fzS)Nr=c 3fK|]+}|dtt|V,dS)r<N)r r)r-r#r%s r& z"scram.to_string..sW  ssM+fSk*B*BCCC D      r(z$scram$%d$%s$%s)r rrrjoinrr)r$rrLr%s @r& to_stringzscram.to_string sr[3344((    y     !DKw#???r(c ||J|}tt|jdi|}||||_|S)Nr+)superrusing _norm_algs default_algs)r!rXrkwdssubcls __class__s r&rVz scram.usingsa  '''L)uc""(00400  #"%..">">F  r(c tt|jdi||j}|'|t d||}n{|(||}nQ|jr;t|j }|||ks Jd|ntd||_ dS)Nz+checksum & algs kwds are mutually exclusivezinvalid default algs: zno algs list specifiedr+) rUr__init__r RuntimeErrorrWkeys use_defaultslistrXrHr)r$rrY digest_mapr[s r&r]zscram.__init__+s#eT#++d+++]  %"#PQQQ??4((DD  #??:??#4#455DD   6)**D??4((D0000PTPT2V0000455 5 r(Fct|ts!tj|ddt |D]\}}|t |dkrtd|t|dkrtd|t|ts!tj|ddd |vrtd |S) Ndictrrz(malformed algorithm name in scram hash: z.SCRAM limits algorithm names to 9 characters: z raw bytesdigestsr-sha-1 must be in algorithm list of scram hash) r2rdr?r@ExpectedTypeErrorr rr rCr3)r$rrelaxedr#rNs r&_norm_checksumzscram._norm_checksum>s(D)) I&**8VZHH H$X.. O OKCnS&1111 j"%#"()))3xx!|| j7:s"=>>>fe,, Of..v{INNN O ( " "LMM Mr(ct|trt|}td|D}t d|Drt dd|vrt d|S)znormalize algs parameterc36K|]}t|dVdS)rNr,r-r#s r&rQz#scram._norm_algs..Us,BBcnS&11BBBBBBr(c3<K|]}t|dkVdS)reN)rCrms r&rQz#scram._norm_algs..Vs,**cs3xxz******r(z-SCRAM limits alg names to max of 9 charactersrrg)r2r rsortedanyr )r!rs r&rWzscram._norm_algsPs d/ 0 0 $d##DBBTBBBBB **T*** * * NLMM M $  LMM M r(c t|j|jsdSt t |jdi|S)NTr+)setr issupersetrXrUr_calc_needs_update)r$rYr[s r&rtzscram._calc_needs_update`sP49~~(():;; 45uUD!!4<.vsLdd64556r()rrr6rdr)r$rxr#r"rrs ` @@@r&_calc_checksumzscram._calc_checksummsy!  4fc22 29 r(c tj|||}|j}|s t d|jd|jd|rdx}}t |D]\}} |||} t| t| kr2t d|dt| dt| t| | rd}d}|r|rt d |S|j D]4}||vr.|||} t| ||cS5td ) Nz expected z hash, got z config string insteadFz mis-sized z digest in scram hash: z != Tz4scram hash verified inconsistently, may be corruptedzsha-1 digest not found!) r?validate_secretrrr namer ryrCr _verify_algsAssertionError) r!rxr"fullr$r%correctfailedr#rNothers r&verifyz scram.verify{s 6"""t$$ 3*!hhh233 3  <$ $Gf(00 " " V++FC88 v;;#e**,,$*(+S[[[[#e***&FGGG5&))""GG!FF 6  "4555( 7 7&== //<rs@@ 'g'11GFFFFFFFFFFF99999999QQQQQQQQQQQQ========#########  N<N<N<N<N