g XSrSSKr\R"\5rSSKJrJrJrJ r SSK J r J r SSK JrJrJrJr SSKJrJr SSKJs Jr S/r"SS\R4\R6\R8\R:5rg) z:passlib.handlers.scram - hash for SCRAM credential storageN)consteqsaslprep to_native_str splitcomma) ab64_decode ab64_encode) bascii_to_str iteritemsunative_string_types) pbkdf2_hmacnorm_hash_namescramc^\rSrSrSrSrSr\"S5rSr Sr Sr Sr S r S r/S Qr/S QrS r\S5r\SSj5r\S5r\S5rSr\SU4Sjj5rSU4SjjrSSjr\S5rU4SjrSSjr\SSj5rSrU=r $)raThis class provides a format for storing SCRAM passwords, and follows the :ref:`password-hash-api`. It supports a variable-length salt, and a variable number of rounds. The :meth:`~passlib.ifc.PasswordHash.using` method accepts the following optional keywords: :type salt: bytes :param salt: Optional salt bytes. If specified, the length must be between 0-1024 bytes. If not specified, a 12 byte salt will be autogenerated (this is recommended). :type salt_size: int :param salt_size: Optional number of bytes to use when autogenerating new salts. Defaults to 12 bytes, but can be any value between 0 and 1024. :type rounds: int :param rounds: Optional number of rounds to use. Defaults to 100000, but must be within ``range(1,1<<32)``. :type algs: list of strings :param algs: Specify list of digest algorithms to use. By default each scram hash will contain digests for SHA-1, SHA-256, and SHA-512. This can be overridden by specify either be a list such as ``["sha-1", "sha-256"]``, or a comma-separated string such as ``"sha-1, sha-256"``. Names are case insensitive, and may use :mod:`!hashlib` or `IANA `_ hash names. :type relaxed: bool :param relaxed: By default, providing an invalid value for one of the other keywords will result in a :exc:`ValueError`. If ``relaxed=True``, and the error can be corrected, a :exc:`~passlib.exc.PasslibHashWarning` will be issued instead. Correctable errors include ``rounds`` that are too small or too large, and ``salt`` strings that are too long. .. versionadded:: 1.6 In addition to the standard :ref:`password-hash-api` methods, this class also provides the following methods for manipulating Passlib scram hashes in ways useful for pluging into a SCRAM protocol stack: .. automethod:: extract_digest_info .. automethod:: extract_digest_algs .. automethod:: derive_digest )salt salt_sizeroundsalgs$scram$ iillinear)sha-1sha-256sha-512)rrzsha-224zsha-384rNc[US5nURU5nURnU(d [S5eURUR XB4$)aHreturn (salt, rounds, digest) for specific hash algorithm. :type hash: str :arg hash: :class:`!scram` hash stored for desired user :type alg: str :arg alg: Name of digest algorithm (e.g. ``"sha-1"``) requested by client. This value is run through :func:`~passlib.crypto.digest.norm_hash_name`, so it is case-insensitive, and can be the raw SCRAM mechanism name (e.g. ``"SCRAM-SHA-1"``), the IANA name, or the hashlib name. :raises KeyError: If the hash does not contain an entry for the requested digest algorithm. :returns: A tuple containing ``(salt, rounds, digest)``, where *digest* matches the raw bytes returned by SCRAM's :func:`Hi` function for the stored password, the provided *salt*, and the iteration count (*rounds*). *salt* and *digest* are both raw (unencoded) bytes. ianazscram hash contains no digests)r from_stringchecksum ValueErrorrr)clshashalgselfchkmaps O/home/matz/Project1/venv/lib/python3.13/site-packages/passlib/handlers/scram.pyextract_digest_infoscram.extract_digest_info|sM>S&)t$=> >yy$++v{22cURU5RnUS:XaU$UVs/sHn[XB5PM sn$s snf)aReturn names of all algorithms stored in a given hash. :type hash: str :arg hash: The :class:`!scram` hash to parse :type format: str :param format: This changes the naming convention used by the returned algorithm names. By default the names are IANA-compatible; possible values are ``"iana"`` or ``"hashlib"``. :returns: Returns a list of digest algorithms; e.g. ``["sha-1"]`` r)rrr)r"r#formatrr$s r'extract_digest_algsscram.extract_digest_algssB(t$)) V K;?@4CN3/4@ @@sAcz[U[5(aURS5n[U[ U5X#5$)ahelper to create SaltedPassword digest for SCRAM. This performs the step in the SCRAM protocol described as:: SaltedPassword := Hi(Normalize(password), salt, i) :type password: unicode or utf-8 bytes :arg password: password to run through digest :type salt: bytes :arg salt: raw salt data :type rounds: int :arg rounds: number of iterations. :type alg: str :arg alg: name of digest to use (e.g. ``"sha-1"``). :returns: raw bytes of ``SaltedPassword`` zutf-8) isinstancebytesdecoder r)r"passwordrrr$s r' derive_digestscram.derive_digests5. h & &w/H3 2DAAr*c|[USS5nURS5(d[RR U5eUSSR S5n[ U5S:wa[RRU5eUup4n[U5nU[U5:wa[RRU5e[URS55nU(d[RRU5eSU;aMSn0n UR S5H3n U R S5up[U RS55X'M5 OUnSn U"UUU US 9$![a [RRU5ef=f![a [RRU5ef=f) Nasciir#r$=,)rrr r) r startswithuhexcInvalidHashErrorsplitlenMalformedHashErrorintstrrencode TypeError) r"r#parts rounds_strsalt_strchk_strrrrr&pairr$digests r'rscram.from_stringsT7F3y))&&))#. .QRs# u:?&&++C0 0(-% gZ V $&&++C0 0 1xw78D &&++C0 0 G^DF c*"jjo 9"-fmmG.D"EFK+DF   / 1&&++C0 0 1!9&&33C889sE$6F$*F*F;c^[[UR55nURmSR U4SjUR 55nSUR X4-$)Nr<c 3`># UH#nU<S[[TU55<3v M% g7f)r;N)r r).0r$r&s r' "scram.to_string..s+  M+fSk*BC D s+.z$scram$%d$%s$%s)r rrr joinrr)r%rrKr&s @r' to_stringscram.to_string sT[34(( yy  !DKK#???r*c v>UbUbeUn[[U] "S0UD6nUbURU5UlU$)N)superrusing _norm_algs default_algs)r"r\rkwdssubcls __class__s r'rZ scram.usingsP  ' ''Luc(040  #"%..">F  r*c >[[U] "S0UD6 URnUb Ub [ S5eUR U5nOuUb UR UR 55nORUR(a6[UR5nUR U5U:Xd SU<35eO [S5eXl g)Nz+checksum & algs kwds are mutually exclusivezinvalid default algs: zno algs list specifiedrX) rYr__init__r RuntimeErrorr[keys use_defaultslistr\rGr)r%rr] digest_mapr_s r'rbscram.__init__+s eT#+d+]]  %"#PQQ??4(D  #??:??#45D   ))*D??4(D0 VPT2V V045 5 r*c[U[5(d![RR USS5e[ U5Hxup4U[ US5:wa[SU<35e[U5S:a[SU<35e[U[5(aMY[RR USS5e S U;a [S 5eU$) Ndictr rz(malformed algorithm name in scram hash: z.SCRAM limits algorithm names to 9 characters: z raw bytesdigestsr-sha-1 must be in algorithm list of scram hash) r0rjr>r?ExpectedTypeErrorr rr!rBr1)r%r relaxedr$rMs r'_norm_checksumscram._norm_checksum>s(D))&&**8VZH H$X.KCnS&11 "%"())3x!| 7:"=>>fe,,ff..v{INN/ ( "LM Mr*c[U[5(a [U5n[SU55n[ SU55(a [ S5eSU;a [ S5eU$)znormalize algs parameterc3:# UHn[US5v M g7f)rN)rrQr$s r'rR#scram._norm_algs..UsBTcnS&11Tsc3># UHn[U5S:v M g7f)rkN)rBrts r'rRruVs*Tcs3xzTsz-SCRAM limits alg names to max of 9 charactersrrm)r0r rsortedanyr!)r"rs r'r[scram._norm_algsPsb d/ 0 0d#DBTBB *T* * *LM M $ LM M r*c >[UR5RUR5(dg[[ U]"S0UD6$)NTrX)setr issupersetr\rYr_calc_needs_update)r%r]r_s r'r}scram._calc_needs_update`s>499~(():):;;UD4># UHnUT"TTTU54v M g7fNrX)rQr$r#rrsecrets r'rR'scram._calc_checksum..vs($Cd6456$s)rrr4rjr)r%rr$r#rrs ` @@@r'_calc_checksumscram._calc_checksummsTyy!! fc2 299 r*c [R"U5 URU5nURnU(d([ SUR <SUR <S35eU(aS=pg[ U5HmupURX5n [U 5[U 5:wa)[ SU<S[U 5<S[U 5<35e[X5(aSnMkSnMo U(aU(a [ S 5eU$URH)nX;dM URX5n [XU5s $ [S 5e) Nz expected z hash, got z config string insteadFz mis-sized z digest in scram hash: z != Tz4scram hash verified inconsistently, may be corruptedzsha-1 digest not found!) r>validate_secretrr r!namer rrBr _verify_algsAssertionError) r"rr#fullr%r&correctfailedr$rMothers r'verify scram.verify{s& 6"t$!hh23 3 $ $G(0 ++F8 v;#e*,$(+S[#e*&FGG5))"G!F 16 "455((= //__all__ HasRounds HasRawSaltHasRawChecksumGenericHandlerrrXr*r'rsk@ g''1GF9QQ=##  N