h?>dZddlmZmZddlmZddlZejeZ ddl m Z ddl m Z mZmZmZddlmZddlmZmZmZmZmZmZddlmcmZgd Zd ZGd d ej@ejBZ"Gd de"Z#GddejHZ%y)z1 passlib.handlers.cisco -- Cisco password hashes )hexlify unhexlify)md5N)warn)right_pad_string to_unicode repeat_stringto_bytes)h64)unicodeujoin_byte_valuesjoin_byte_elemsiter_byte_values uascii_to_str) cisco_pix cisco_asa cisco_type7s cFeZdZdZdZdZdZdZdZe jZ dZ dZ y)ra This class implements the password hash used by older Cisco PIX firewalls, and follows the :ref:`password-hash-api`. It does a single round of hashing, and relies on the username as the salt. This class only allows passwords <= 16 bytes, anything larger will result in a :exc:`~passlib.exc.PasswordSizeError` if passed to :meth:`~cisco_pix.hash`, and be silently rejected if passed to :meth:`~cisco_pix.verify`. The :meth:`~passlib.ifc.PasswordHash.hash`, :meth:`~passlib.ifc.PasswordHash.genhash`, and :meth:`~passlib.ifc.PasswordHash.verify` methods all support the following extra keyword: :param str user: String containing name of user account this password is associated with. This is *required* in order to correctly hash passwords associated with a user account on the Cisco device, as it is used to salt the hash. Conversely, this *must* be omitted or set to ``""`` in order to correctly hash passwords which don't have an associated user account (such as the "enable" password). .. versionadded:: 1.6 .. versionchanged:: 1.7.1 Passwords > 16 bytes are now rejected / throw error instead of being silently truncated, to match Cisco behavior. A number of :ref:`bugs ` were fixed which caused prior releases to generate unverifiable hashes in certain cases. TFc|j}t|tr|jd}d}t ||j kDr[|j rFd|j|j fz}tjj|j ||tz}|j}|r@t|tr|jd}|rt |dkr|t|dz }|rt |dkDrd}nd}t||}|r||z }t|j!}t#d t%|D}t'j(|j+d S) a7 This function implements the "encrypted" hash format used by Cisco PIX & ASA. It's behavior has been confirmed for ASA 9.6, but is presumed correct for PIX & other ASA releases, as it fits with known test vectors, and existing literature. While nearly the same, the PIX & ASA hashes have slight differences, so this function performs differently based on the _is_asa class flag. Noteable changes from PIX to ASA include password size limit increased from 16 -> 32, and other internal changes. utf-8Nz.Password too long (%s allows at most %d bytes))msgr c38K|]\}}|dzdzs|yw)N).0ics X/var/www/html/Resume-Scraper/venv/lib/python3.12/site-packages/passlib/handlers/cisco.py z+cisco_pix._calc_checksum..s Ptq!QUaK Psascii)_is_asa isinstancer encodelen truncate_size use_defaultsnameuhexcPasswordSizeError _DUMMY_BYTESuserr rrdigestr enumerater encode_bytesdecode)selfsecretasa spoil_digestrr2pad_sizer3s r$_calc_checksumzcisco_pix._calc_checksumgsRll fg &]]7+F, v;++ +  Fyy$"4"456ff..t/A/As.KK & 4 .yy $({{7+#f+*-a00 3v;#HH!&(3  l "FV##%! Py/@ PP '..w77N)__name__ __module__ __qualname____doc__r-r+truncate_errortruncate_verify_reject checksum_sizer. HASH64_CHARSchecksum_charsr'r<r r=r$rr$s>!R DMN! M__NG |8r=rceZdZdZdZdZdZy)ra This class implements the password hash used by Cisco ASA/PIX 7.0 and newer (2005). Aside from a different internal algorithm, it's use and format is identical to the older :class:`cisco_pix` class. For passwords less than 13 characters, this should be identical to :class:`!cisco_pix`, but will generate a different hash for most larger inputs (See the `Format & Algorithm`_ section for the details). This class only allows passwords <= 32 bytes, anything larger will result in a :exc:`~passlib.exc.PasswordSizeError` if passed to :meth:`~cisco_asa.hash`, and be silently rejected if passed to :meth:`~cisco_asa.verify`. .. versionadded:: 1.7 .. versionchanged:: 1.7.1 Passwords > 32 bytes are now rejected / throw error instead of being silently truncated, to match Cisco behavior. A number of :ref:`bugs ` were fixed which caused prior releases to generate unverifiable hashes in certain cases. rTN)r>r?r@rAr-r+r'r r=r$rrs8 D M Gr=rceZdZdZdZdZejZdZ dZ e dfd Z e dZ dfd Ze ddZed Zd Zd Ze dd Zed Ze dZxZS)ra+ This class implements the "Type 7" password encoding used by Cisco IOS, and follows the :ref:`password-hash-api`. It has a simple 4-5 bit salt, but is nonetheless a reversible encoding instead of a real hash. The :meth:`~passlib.ifc.PasswordHash.using` method accepts the following optional keywords: :type salt: int :param salt: This may be an optional salt integer drawn from ``range(0,16)``. If omitted, one will be chosen at random. :type relaxed: bool :param relaxed: By default, providing an invalid value for one of the other keywords will result in a :exc:`ValueError`. If ``relaxed=True``, and the error can be corrected, a :exc:`~passlib.exc.PasslibHashWarning` will be issued instead. Correctable errors include ``salt`` values that are out of range. Note that while this class outputs digests in upper-case hexadecimal, it will accept lower-case as well. This class also provides the following additional method: .. automethod:: decode saltr4c tt| di|}5|j|j dt fd|_|S)Nrelaxed)rMcSNr rIsr$z#cisco_type7.using..fsr=r )superrusing _norm_saltget staticmethod_generate_salt)clsrJkwdssubcls __class__s ` r$rRzcisco_type7.usingasM{C.66  $$T488I3F$GD$0$>F ! r=ct|dd}t|dkrtjj |t |dd}|||ddj S)Nr&hash)rJchecksum)rr*r.r/InvalidHashErrorintupper)rWr\rJs r$ from_stringzcisco_type7.from_stringisY$0 t9q=&&))#. .48}tABx~~'788r=c tt| di|||j|}||_y|jr.|j }|j||k(sJd|t d||_y)Nzgenerated invalid salt: zno salt specifiedr )rQr__init__rSr,rV TypeErrorrJ)r7rJrXrZs r$rdzcisco_type7.__init__qs{ k4)1D1  ??4(D    &&(D??4(D0 XRV2X X/0 0 r=c t|ts!tjj |ddd|cxkr|j kr|Sd}|r-t |tj|dkrdS|j St|)z validate & normalize salt value. .. note:: the salt for this algorithm is an integer 0-52, not a string integerrJrz"salt/offset must be in 0..52 range) r(r`r.r/ExpectedTypeErrormax_salt_valuerPasslibHashWarning ValueError)rWrJrMrs r$rSzcisco_type7._norm_salt|s}$$&&**4FC C  *** *K +2  b++ ,q1 8c&8&8 8S/ !r=cBtjjddS)Nr)r.rngrandintr r=r$rVzcisco_type7._generate_saltsvv~~a$$r=cJd|jt|jfzS)Nz%02d%s)rJrr^)r7s r$ to_stringzcisco_type7.to_strings499mDMM&BCCCr=ct|tr|jd}t|j ||j j djS)Nrr&)r(r r)r_cipherrJr6ra)r7r8s r$r<zcisco_type7._calc_checksumsJ fg &]]7+Ft||FDII67>>wGMMOOr=c|j|}t|jjd}|j ||j }|r|j |S|S)zdecode hash, returning original password. :arg hash: encoded password :param encoding: optional encoding to use (defaults to ``UTF-8``). :returns: password as unicode r&)rbrr^r)rsrJr6)rWr\encodingr7tmpraws r$r6zcisco_type7.decodesUt$ ,,W56ll3 *'/szz(#8S8r=z5dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87c|jttfdtt |DS)z1xor static key against data - encrypts & decryptsc3RK|]\}}|t|zzz  ywrO)ord)r!idxvaluekeykey_sizerJs r$r%z&cisco_type7._cipher..s5 U CTCZ8345 5 s$')_keyr*rr4r)rWdatarJr}r~s `@@r$rszcisco_type7._ciphers<hhs8 '(8(>?   r=rO)F)r)r>r?r@rAr- setting_kwdsr.UPPER_HEX_CHARSrFmin_salt_valueri classmethodrRrbrdrSrUrVrqr<r6r rrs __classcell__)rZs@r$rr)sF DL ''NNN 99 """%%DP 9 9 D ED  r=r)&rAbinasciirrhashlibrlogging getLoggerr>logwarningsr passlib.utilsrrr r passlib.utils.binaryr passlib.utils.compatr r rrrrpasslib.utils.handlersutilshandlersr.__all__r1HasUserContext StaticHandlerrrGenericHandlerrr r=r$rs('g''1PO$>>##  8!!2#3#38j' '`K "##K r=