ó ƒXc@s4dZddlmZmZddlmZddlZejeƒZ ddl m Z ddl m Z mZmZmZddlmZddlmZmZmZmZmZmZddljjZd d d gZd d Zd ej ej!fd„ƒYZ"d e"fd„ƒYZ#d ej$fd„ƒYZ%dS(s1 passlib.handlers.cisco -- Cisco password hashes iÿÿÿÿ(thexlifyt unhexlify(tmd5N(twarn(tright_pad_stringt to_unicodet repeat_stringtto_bytes(th64(tunicodetutjoin_byte_valuestjoin_byte_elemstiter_byte_valuest uascii_to_strt cisco_pixt cisco_asat cisco_type7sÿi cBsDeZdZdZdZeZeZdZe j Z e Z d„ZRS(sš This class implements the password hash used by older Cisco PIX firewalls, and follows the :ref:`password-hash-api`. It does a single round of hashing, and relies on the username as the salt. This class only allows passwords <= 16 bytes, anything larger will result in a :exc:`~passlib.exc.PasswordSizeError` if passed to :meth:`~cisco_pix.hash`, and be silently rejected if passed to :meth:`~cisco_pix.verify`. The :meth:`~passlib.ifc.PasswordHash.hash`, :meth:`~passlib.ifc.PasswordHash.genhash`, and :meth:`~passlib.ifc.PasswordHash.verify` methods all support the following extra keyword: :param str user: String containing name of user account this password is associated with. This is *required* in order to correctly hash passwords associated with a user account on the Cisco device, as it is used to salt the hash. Conversely, this *must* be omitted or set to ``""`` in order to correctly hash passwords which don't have an associated user account (such as the "enable" password). .. versionadded:: 1.6 .. versionchanged:: 1.7.1 Passwords > 16 bytes are now rejected / throw error instead of being silently truncated, to match Cisco behavior. A number of :ref:`bugs ` were fixed which caused prior releases to generate unverifiable hashes in certain cases. RicCs~|j}t|tƒr*|jdƒ}nd }t|ƒ|jkr|jr‚d|j|jf}t j j |jd|ƒ‚q|t }n|j }|rñt|tƒr¿|jdƒ}n| sØt|ƒdkrñ|t|dƒ7}qñn|rt|ƒdkrd}nd}t||ƒ}|r:||7}nt|ƒjƒ}td„t|ƒDƒƒ}tj|ƒjd ƒS( s7 This function implements the "encrypted" hash format used by Cisco PIX & ASA. It's behavior has been confirmed for ASA 9.6, but is presumed correct for PIX & other ASA releases, as it fits with known test vectors, and existing literature. While nearly the same, the PIX & ASA hashes have slight differences, so this function performs differently based on the _is_asa class flag. Noteable changes from PIX to ASA include password size limit increased from 16 -> 32, and other internal changes. sutf-8s.Password too long (%s allows at most %d bytes)tmsgiiii css)|]\}}|dd@r|VqdS(iiN((t.0titc((s:/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pys ÞstasciiN(t_is_asat isinstanceR tencodetNonetlent truncate_sizet use_defaultstnametuhtexctPasswordSizeErrort _DUMMY_BYTEStuserRRRtdigestR t enumerateRt encode_bytestdecode(tselftsecrettasat spoil_digestRR#tpad_sizeR$((s:/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyt_calc_checksumgs2       (t__name__t __module__t__doc__RRtTruettruncate_errorttruncate_verify_rejectt checksum_sizeRt HASH64_CHARStchecksum_charstFalseRR-(((s:/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyR$s" cBs eZdZdZdZeZRS(sä This class implements the password hash used by Cisco ASA/PIX 7.0 and newer (2005). Aside from a different internal algorithm, it's use and format is identical to the older :class:`cisco_pix` class. For passwords less than 13 characters, this should be identical to :class:`!cisco_pix`, but will generate a different hash for most larger inputs (See the `Format & Algorithm`_ section for the details). This class only allows passwords <= 32 bytes, anything larger will result in a :exc:`~passlib.exc.PasswordSizeError` if passed to :meth:`~cisco_asa.hash`, and be silently rejected if passed to :meth:`~cisco_asa.verify`. .. versionadded:: 1.7 .. versionchanged:: 1.7.1 Passwords > 32 bytes are now rejected / throw error instead of being silently truncated, to match Cisco behavior. A number of :ref:`bugs ` were fixed which caused prior releases to generate unverifiable hashes in certain cases. Ri (R.R/R0RRR1R(((s:/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyRùscBs¼eZdZdZdZejZdZdZ e dd„ƒZ e d„ƒZ dd„Ze ed„ƒZed „ƒZd „Zd „Ze d d „ƒZedƒZe d„ƒZRS(s+ This class implements the "Type 7" password encoding used by Cisco IOS, and follows the :ref:`password-hash-api`. It has a simple 4-5 bit salt, but is nonetheless a reversible encoding instead of a real hash. The :meth:`~passlib.ifc.PasswordHash.using` method accepts the following optional keywords: :type salt: int :param salt: This may be an optional salt integer drawn from ``range(0,16)``. If omitted, one will be chosen at random. :type relaxed: bool :param relaxed: By default, providing an invalid value for one of the other keywords will result in a :exc:`ValueError`. If ``relaxed=True``, and the error can be corrected, a :exc:`~passlib.exc.PasslibHashWarning` will be issued instead. Correctable errors include ``salt`` values that are out of range. Note that while this class outputs digests in upper-case hexadecimal, it will accept lower-case as well. This class also provides the following additional method: .. automethod:: decode Rtsaltii4c satt|ƒj|}ˆdk r]|jˆd|jdƒƒ‰t‡fd†ƒ|_n|S(NtrelaxedcsˆS(N(((R8(s:/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pytfs(tsuperRtusingRt _norm_salttgett staticmethodt_generate_salt(tclsR8tkwdstsubcls((R8s:/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyR<as  cCsft|ddƒ}t|ƒdkr9tjj|ƒ‚nt|d ƒ}|d|d|djƒƒS(NRthashiR8tchecksum(RRRR tInvalidHashErrortinttupper(RARDR8((s:/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyt from_stringis cKstt|ƒj||dk r4|j|ƒ}nL|jrt|jƒ}|j|ƒ|ks€td|fƒ‚n tdƒ‚||_ dS(Nsgenerated invalid salt: %rsno salt specified( R;Rt__init__RR=RR@tAssertionErrort TypeErrorR8(R(R8RB((s:/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyRJqs   + cCst|tƒs*tjj|ddƒ‚nd|koD|jknrM|Sd}|r€t|tjƒ|dkrydS|jSt|ƒ‚dS(s validate & normalize salt value. .. note:: the salt for this algorithm is an integer 0-52, not a string tintegerR8is"salt/offset must be in 0..52 rangeN( RRGRR tExpectedTypeErrortmax_salt_valueRtPasslibHashWarningt ValueError(RAR8R9R((s:/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyR=|scCstjjddƒS(Nii(Rtrngtrandint(((s:/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyR@ŽscCsd|jt|jƒfS(Ns%02d%s(R8RRE(R(((s:/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyt to_string’scCsIt|tƒr!|jdƒ}nt|j||jƒƒjdƒjƒS(Nsutf-8R(RR RRt_cipherR8R'RH(R(R)((s:/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyR-•ssutf-8cCsS|j|ƒ}t|jjdƒƒ}|j||jƒ}|rO|j|ƒS|S(sÈdecode hash, returning original password. :arg hash: encoded password :param encoding: optional encoding to use (defaults to ``UTF-8``). :returns: password as unicode R(RIRRERRUR8R'(RARDtencodingR(ttmptraw((s:/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyR'œss5dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87csA|j‰tˆƒ‰t‡‡‡fd†tt|ƒƒDƒƒS(s1xor static key against data - encrypts & decryptsc3s1|]'\}}|tˆˆ|ˆƒAVqdS(N(tord(Rtidxtvalue(tkeytkey_sizeR8(s:/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pys ²s(t_keyRR R%R (RAtdataR8((R\R]R8s:/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyRU¬s   (ssaltN(R.R/R0Rt setting_kwdsRtUPPER_HEX_CHARSR6tmin_salt_valueROt classmethodRR<RIRJR7R=R?R@RTR-R'R R^RU(((s:/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyR)s&     (&R0tbinasciiRRthashlibRtloggingt getLoggerR.tlogtwarningsRt passlib.utilsRRRRtpasslib.utils.binaryRtpasslib.utils.compatR R R R R Rtpasslib.utils.handlerstutilsthandlersRt__all__R"tHasUserContextt StaticHandlerRRtGenericHandlerR(((s:/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyts  ".  Õ0