| Current File : //usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyc |
��
���Xc������������@���s4���d��Z��d��d��l��m��Z��m��Z���d��d��l��m��Z���d��d��l��Z��e��j��e�����Z �d��d��l
�m��Z���d��d��l��m
�Z
�m��Z��m��Z��m��Z���d��d��l��m��Z���d��d��l��m��Z��m��Z��m��Z��m��Z��m��Z��m��Z���d��d��l��j��j��Z��d �d
�d��g��Z��d��d
��Z��d �e��j �e��j!�f��d��������YZ"�d
�e"�f��d��������YZ#�d��e��j$�f��d��������YZ%�d��S(����s1���
passlib.handlers.cisco -- Cisco password hashes
i����(����t����hexlifyt ���unhexlify(����t����md5N(����t����warn(����t����right_pad_stringt
���to_unicodet
���repeat_stringt����to_bytes(����t����h64(����t����unicodet����ut����join_byte_valuest����join_byte_elemst����iter_byte_valuest
���uascii_to_strt ���cisco_pixt ���cisco_asat����cisco_type7s�����i ���c������������B���sD���e��Z��d��Z��d��Z��d��Z��e��Z��e��Z��d��Z��e �j
�Z��e��Z
�d�����Z��RS(����s����
This class implements the password hash used by older Cisco PIX firewalls,
and follows the :ref:`password-hash-api`.
It does a single round of hashing, and relies on the username
as the salt.
This class only allows passwords <= 16 bytes, anything larger
will result in a :exc:`~passlib.exc.PasswordSizeError` if passed to :meth:`~cisco_pix.hash`,
and be silently rejected if passed to :meth:`~cisco_pix.verify`.
The :meth:`~passlib.ifc.PasswordHash.hash`,
:meth:`~passlib.ifc.PasswordHash.genhash`, and
:meth:`~passlib.ifc.PasswordHash.verify` methods
all support the following extra keyword:
:param str user:
String containing name of user account this password is associated with.
This is *required* in order to correctly hash passwords associated
with a user account on the Cisco device, as it is used to salt
the hash.
Conversely, this *must* be omitted or set to ``""`` in order to correctly
hash passwords which don't have an associated user account
(such as the "enable" password).
.. versionadded:: 1.6
.. versionchanged:: 1.7.1
Passwords > 16 bytes are now rejected / throw error instead of being silently truncated,
to match Cisco behavior. A number of :ref:`bugs <passlib-asa96-bug>` were fixed
which caused prior releases to generate unverifiable hashes in certain cases.
R����i����c������������C���s~���|��j��}��t��|��t�����r*�|��j��d�����}��n��d
�}��t��|�����|��j��k��r��|��j��r��d��|��j��|��j��f���}��t �j
�j��|��j��d��|��������q��|��t���}��n��|��j
�}��|��r��t��|��t�����r��|��j��d�����}��n��|���s��t��|�����d��k��r��|��t��|��d�����7}��q��n��|��r��t��|�����d��k��r��d��}��n��d��}��t��|��|�����}��|��r:�|��|��7}��n��t��|�����j�����}��t��d�����t��|�����D������}��t��j��|�����j��d ����S(����s7���
This function implements the "encrypted" hash format used by Cisco
PIX & ASA. It's behavior has been confirmed for ASA 9.6,
but is presumed correct for PIX & other ASA releases,
as it fits with known test vectors, and existing literature.
While nearly the same, the PIX & ASA hashes have slight differences,
so this function performs differently based on the _is_asa class flag.
Noteable changes from PIX to ASA include password size limit
increased from 16 -> 32, and other internal changes.
s����utf-8s.���Password too long (%s allows at most %d bytes)t����msgi����i����i����i ���c������������s���s)���|��]��\��}��}��|��d���d��@r��|��V�q��d��S(����i����i����N(����(����t����.0t����it����c(����(����s:���/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pys ���<genexpr>����s������t����asciiN(����t����_is_asat
���isinstanceR ���t����encodet����Nonet����lent
���truncate_sizet����use_defaultst����namet����uht����exct����PasswordSizeErrort����_DUMMY_BYTESt����userR����R����R����t����digestR����t ���enumerateR����t����encode_bytest����decode(����t����selft����secrett����asat����spoil_digestR����R#���t����pad_sizeR$���(����(����s:���/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyt����_calc_checksumg���s2����
��������� �������
� ����������
�� �������
�����(����t����__name__t
���__module__t����__doc__R����R����t����Truet����truncate_errort����truncate_verify_rejectt
���checksum_sizeR����t����HASH64_CHARSt����checksum_charst����FalseR����R-���(����(����(����s:���/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyR����$���s�����"������������ ���c������������B���s ���e��Z��d��Z��d��Z��d��Z��e��Z��RS(����s����
This class implements the password hash used by Cisco ASA/PIX 7.0 and newer (2005).
Aside from a different internal algorithm, it's use and format is identical
to the older :class:`cisco_pix` class.
For passwords less than 13 characters, this should be identical to :class:`!cisco_pix`,
but will generate a different hash for most larger inputs
(See the `Format & Algorithm`_ section for the details).
This class only allows passwords <= 32 bytes, anything larger
will result in a :exc:`~passlib.exc.PasswordSizeError` if passed to :meth:`~cisco_asa.hash`,
and be silently rejected if passed to :meth:`~cisco_asa.verify`.
.. versionadded:: 1.7
.. versionchanged:: 1.7.1
Passwords > 32 bytes are now rejected / throw error instead of being silently truncated,
to match Cisco behavior. A number of :ref:`bugs <passlib-asa96-bug>` were fixed
which caused prior releases to generate unverifiable hashes in certain cases.
R����i ���(����R.���R/���R0���R����R����R1���R����(����(����(����s:���/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyR��������s������������c������������B���s����e��Z��d��Z��d��Z��d��Z��e��j��Z��d��Z��d��Z �e
�d��d��������Z��e
�d��������Z
�d��d�����Z��e
�e��d��������Z��e��d �������Z��d
����Z��d�����Z��e
�d��d
�������Z��e��d�����Z��e
�d��������Z��RS(����s+���
This class implements the "Type 7" password encoding used by Cisco IOS,
and follows the :ref:`password-hash-api`.
It has a simple 4-5 bit salt, but is nonetheless a reversible encoding
instead of a real hash.
The :meth:`~passlib.ifc.PasswordHash.using` method accepts the following optional keywords:
:type salt: int
:param salt:
This may be an optional salt integer drawn from ``range(0,16)``.
If omitted, one will be chosen at random.
:type relaxed: bool
:param relaxed:
By default, providing an invalid value for one of the other
keywords will result in a :exc:`ValueError`. If ``relaxed=True``,
and the error can be corrected, a :exc:`~passlib.exc.PasslibHashWarning`
will be issued instead. Correctable errors include
``salt`` values that are out of range.
Note that while this class outputs digests in upper-case hexadecimal,
it will accept lower-case as well.
This class also provides the following additional method:
.. automethod:: decode
R����t����salti����i4���c����������������sa���t��t��|�����j��|�����}�����d��k �r]�|��j�����d��|��j��d�����������t�����f��d��������|��_��n��|��S(����Nt����relaxedc����������������s�������S(����N(����(����(����R8���(����s:���/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyt����<lambda>f���s����(����t����superR����t����usingR����t
���_norm_saltt����gett����staticmethodt����_generate_salt(����t����clsR8���t����kwdst����subcls(����(����R8���s:���/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyR<���a���s
�������������c������������C���sf���t��|��d��d�����}��t��|�����d��k��r9�t��j��j��|��������n��t��|��d�� ���}��|��d��|��d��|��d���j��������S(����NR����t����hashi����R8���t����checksum(����R����R����R����R ���t����InvalidHashErrort����intt����upper(����RA���RD���R8���(����(����s:���/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyt����from_stringi���s
�������������c������������K���s����t��t��|�����j��|������|��d��k �r4�|��j��|�����}��nL�|��j��rt�|��j�����}��|��j��|�����|��k��s��t��d��|��f���������n��t��d��������|��|��_ �d��S(����Ns����generated invalid salt: %rs����no salt specified(
���R;���R����t����__init__R����R=���R����R@���t����AssertionErrort ���TypeErrorR8���(����R(���R8���RB���(����(����s:���/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyRJ���q���s������������ ���+���c������������C���s����t��|��t�����s*�t��j��j��|��d��d��������n��d��|����k��oD�|��j��k��n����rM�|��Sd��}��|��r��t��|��t��j������|��d��k��ry�d��S|��j��St��|��������d��S(����s����
validate & normalize salt value.
.. note::
the salt for this algorithm is an integer 0-52, not a string
t����integerR8���i����s"���salt/offset must be in 0..52 rangeN( ���R����RG���R����R ���t����ExpectedTypeErrort����max_salt_valueR����t����PasslibHashWarningt
���ValueError(����RA���R8���R9���R����(����(����s:���/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyR=���|���s����������������������c������������C���s����t��j��j��d��d�����S(����Ni����i����(����R����t����rngt����randint(����(����(����s:���/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyR@�������s������c������������C���s����d��|��j��t��|��j�����f���S(����Ns����%02d%s(����R8���R����RE���(����R(���(����(����s:���/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyt ���to_string����s������c������������C���sI���t��|��t�����r!�|��j��d�����}��n��t��|��j��|��|��j��������j��d�����j�����S(����Ns����utf-8R����(����R����R ���R����R����t����_cipherR8���R'���RH���(����R(���R)���(����(����s:���/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyR-�������s����������s����utf-8c������������C���sS���|��j��|�����}��t��|��j��j��d��������}��|��j��|��|��j�����}��|��rO�|��j��|�����S|��S(����s����decode hash, returning original password.
:arg hash: encoded password
:param encoding: optional encoding to use (defaults to ``UTF-8``).
:returns: password as unicode
R����(����RI���R����RE���R����RU���R8���R'���(����RA���RD���t����encodingR(���t����tmpt����raw(����(����s:���/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyR'�������s������������s5���dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87c����������������sA���|��j�����t�����������t�����������f��d�����t��t��|��������D������S(����s1���xor static key against data - encrypts & decryptsc������������3���s1���|��]'�\��}��}��|��t��������|�����������AV�q��d��S(����N(����t����ord(����R����t����idxt����value(����t����keyt����key_sizeR8���(����s:���/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pys ���<genexpr>����s������(����t����_keyR����R����R%���R
���(����RA���t����dataR8���(����(����R\���R]���R8���s:���/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyRU�������s
����� �������(����s����saltN(����R.���R/���R0���R����t����setting_kwdsR����t����UPPER_HEX_CHARSR6���t����min_salt_valueRO���t����classmethodR����R<���RI���RJ���R7���R=���R?���R@���RT���R-���R'���R
���R^���RU���(����(����(����s:���/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyR����)���s&����������� ������������������� � ����
��(&���R0���t����binasciiR����R����t����hashlibR����t����loggingt ���getLoggerR.���t����logt����warningsR����t
���passlib.utilsR����R����R����R����t����passlib.utils.binaryR����t����passlib.utils.compatR ���R
���R����R����R
���R����t����passlib.utils.handlerst����utilst����handlersR����t����__all__R"���t����HasUserContextt
���StaticHandlerR����R����t����GenericHandlerR����(����(����(����s:���/usr/lib/python2.7/site-packages/passlib/handlers/cisco.pyt����<module>����s ���������������"���.������� �
����0