g?>SrSSKJrJr SSKJr SSKr\R"\5r SSK J r SSK J r JrJrJr SSKJr SSKJrJrJrJrJrJr SSKJs Jr /S QrS r"S S \R@\RB5r""S S\"5r#"SS\RH5r%g)z1 passlib.handlers.cisco -- Cisco password hashes )hexlify unhexlify)md5N)warn)right_pad_string to_unicode repeat_stringto_bytes)h64)unicodeujoin_byte_valuesjoin_byte_elemsiter_byte_values uascii_to_str) cisco_pix cisco_asa cisco_type7s cN\rSrSrSrSrSrSrSrSr \ Rr Sr SrSrg) r$a6 This class implements the password hash used by older Cisco PIX firewalls, and follows the :ref:`password-hash-api`. It does a single round of hashing, and relies on the username as the salt. This class only allows passwords <= 16 bytes, anything larger will result in a :exc:`~passlib.exc.PasswordSizeError` if passed to :meth:`~cisco_pix.hash`, and be silently rejected if passed to :meth:`~cisco_pix.verify`. The :meth:`~passlib.ifc.PasswordHash.hash`, :meth:`~passlib.ifc.PasswordHash.genhash`, and :meth:`~passlib.ifc.PasswordHash.verify` methods all support the following extra keyword: :param str user: String containing name of user account this password is associated with. This is *required* in order to correctly hash passwords associated with a user account on the Cisco device, as it is used to salt the hash. Conversely, this *must* be omitted or set to ``""`` in order to correctly hash passwords which don't have an associated user account (such as the "enable" password). .. versionadded:: 1.6 .. versionchanged:: 1.7.1 Passwords > 16 bytes are now rejected / throw error instead of being silently truncated, to match Cisco behavior. A number of :ref:`bugs ` were fixed which caused prior releases to generate unverifiable hashes in certain cases. TFc&URn[U[5(aURS5nSn[ U5UR :a]UR (aCSURUR 4-n[RRUR US9eU[-nURnU(aK[U[5(aURS5nU(a[ U5S:aU[US5- nU(a[ U5S:aSnOSn[X5nU(aX- n[U5R!5n[#S [%U555n[&R("U5R+S 5$) a This function implements the "encrypted" hash format used by Cisco PIX & ASA. It's behavior has been confirmed for ASA 9.6, but is presumed correct for PIX & other ASA releases, as it fits with known test vectors, and existing literature. While nearly the same, the PIX & ASA hashes have slight differences, so this function performs differently based on the _is_asa class flag. Noteable changes from PIX to ASA include password size limit increased from 16 -> 32, and other internal changes. utf-8Nz.Password too long (%s allows at most %d bytes))msgr c3H# UHupUS-S-(dMUv M g7f)N).0ics O/home/matz/Project1/venv/lib/python3.13/site-packages/passlib/handlers/cisco.py +cisco_pix._calc_checksum..s P/@tqQUaK/@s" "ascii)_is_asa isinstancer encodelen truncate_size use_defaultsnameuhexcPasswordSizeError _DUMMY_BYTESuserr rrdigestr enumerater encode_bytesdecode)selfsecretasa spoil_digestrr4pad_sizer5s r%_calc_checksumcisco_pix._calc_checksumgsTll fg & &]]7+F, v;++ +  Fyy$"4"456ff..t/A/As.KK & 4 .yy $(({{7+#f+*-a00 3v;#HH!&3   "FV##%! Py/@ PP '..w77r!N)__name__ __module__ __qualname____firstlineno____doc__r/r-truncate_errortruncate_verify_reject checksum_sizer0 HASH64_CHARSchecksum_charsr)r>__static_attributes__r!r@r%rr$s>!R DMN! M__NG |8r@rc$\rSrSrSrSrSrSrSrg)ra This class implements the password hash used by Cisco ASA/PIX 7.0 and newer (2005). Aside from a different internal algorithm, it's use and format is identical to the older :class:`cisco_pix` class. For passwords less than 13 characters, this should be identical to :class:`!cisco_pix`, but will generate a different hash for most larger inputs (See the `Format & Algorithm`_ section for the details). This class only allows passwords <= 32 bytes, anything larger will result in a :exc:`~passlib.exc.PasswordSizeError` if passed to :meth:`~cisco_asa.hash`, and be silently rejected if passed to :meth:`~cisco_asa.verify`. .. versionadded:: 1.7 .. versionchanged:: 1.7.1 Passwords > 32 bytes are now rejected / throw error instead of being silently truncated, to match Cisco behavior. A number of :ref:`bugs ` were fixed which caused prior releases to generate unverifiable hashes in certain cases. rTr!N) rArBrCrDrEr/r-r)rKr!r@r%rrs8 D M Gr@rc^\rSrSrSrSrSr\Rr Sr Sr \ SU4Sjj5r \ S5rSU4Sjjr\ SS j5r\S 5rS rS r\ SS j5r\"S5r\ S5rSrU=r$)ri)a This class implements the "Type 7" password encoding used by Cisco IOS, and follows the :ref:`password-hash-api`. It has a simple 4-5 bit salt, but is nonetheless a reversible encoding instead of a real hash. The :meth:`~passlib.ifc.PasswordHash.using` method accepts the following optional keywords: :type salt: int :param salt: This may be an optional salt integer drawn from ``range(0,16)``. If omitted, one will be chosen at random. :type relaxed: bool :param relaxed: By default, providing an invalid value for one of the other keywords will result in a :exc:`ValueError`. If ``relaxed=True``, and the error can be corrected, a :exc:`~passlib.exc.PasslibHashWarning` will be issued instead. Correctable errors include ``salt`` values that are out of range. Note that while this class outputs digests in upper-case hexadecimal, it will accept lower-case as well. This class also provides the following additional method: .. automethod:: decode saltr4c >^[[U] "S0UD6nTb3URTUR S5S9m[ U4Sj5UlU$)Nrelaxed)rSc>T$Nr!rOsr%#cisco_type7.using..fsr@r!)superrusing _norm_saltget staticmethod_generate_salt)clsrPkwdssubcls __class__s ` r%rYcisco_type7.usingasM{C.66  $$T488I3F$GD$0$>F ! r@c[USS5n[U5S:a[RR U5e[ USS5nU"X!SSR 5S9$)Nr(hash)rPchecksum)rr,r0r1InvalidHashErrorintupper)r^rdrPs r% from_stringcisco_type7.from_stringisW$0 t9q=&&))#. .48}ABx~~'788r@c >[[U] "S0UD6 UbURU5nOMUR(a1UR 5nURU5U:Xd SU<35eO [ S5eXlg)Nzgenerated invalid salt: zno salt specifiedr!)rXr__init__rZr.r] TypeErrorrP)r9rPr_ras r%rmcisco_type7.__init__qsq k4)1D1  ??4(D   &&(D??4(D0 XRV2X X0/0 0 r@c([U[5(d![RR USS5eSUs=::aUR ::aU$ SnU(a.[ U[R5 US:aS$UR $[U5e)zm validate & normalize salt value. .. note:: the salt for this algorithm is an integer 0-52, not a string integerrPrz"salt/offset must be in 0..52 range) r*rhr0r1ExpectedTypeErrormax_salt_valuerPasslibHashWarning ValueError)r^rPrSrs r%rZcisco_type7._norm_salt|s$$$&&**4FC C  *** *K +2  b++ ,q1 8c&8&8 8S/ !r@cB[RRSS5$)Nr)r0rngrandintr!r@r%r]cisco_type7._generate_saltsvv~~a$$r@cJSUR[UR54-$)Nz%02d%s)rPrrf)r9s r% to_stringcisco_type7.to_strings499mDMM&BCCCr@c[U[5(aURS5n[UR XR 55R S5R5$)Nrr()r*r r+r_cipherrPr8ri)r9r:s r%r>cisco_type7._calc_checksumsK fg & &]]7+Ft||FII67>>wGMMOOr@cURU5n[URRS55nUR XCR 5nU(aUR U5$U$)zdecode hash, returning original password. :arg hash: encoded password :param encoding: optional encoding to use (defaults to ``UTF-8``). :returns: password as unicode r()rjrrfr+rrPr8)r^rdencodingr9tmpraws r%r8cisco_type7.decodesSt$ ,,W56ll3 *'/szz(#8S8r@z5dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87c^^^URm[T5m[UUU4Sj[[ U5555$)z1xor static key against data - encrypts & decryptsc3V># UHupU[TTU-T-5- v M g7frU)ord)r"idxvaluekeykey_sizerPs r%r&&cisco_type7._cipher..s2 ?  CTCZ8345 5?s&))_keyr,rr6r)r^datarPrrs `@@r%rcisco_type7._ciphers<hhs8 '(8(>?   r@rU)F)r)rArBrCrDrEr/ setting_kwdsr0UPPER_HEX_CHARSrJmin_salt_valuers classmethodrYrjrmrZr\r]r}r>r8r rrrK __classcell__)ras@r%rr)sF DL ''NNN 99 """%%DP 9 9 D ED  r@r)&rEbinasciirrhashlibrlogging getLoggerrAlogwarningsr passlib.utilsrrr r passlib.utils.binaryr passlib.utils.compatr r rrrrpasslib.utils.handlersutilshandlersr0__all__r3HasUserContext StaticHandlerrrGenericHandlerrr!r@r%rs(g''1PO$>>##  8!!2#3#38j' '`K "##K r@