관리-도구

편집 파일: cisco.cpython-39.pyc

����f�Wc�?����������������������@���s����d�Z�ddlmZmZ�ddlmZ�ddlZe�e�Z	ddl
mZ�ddlm
Z
mZmZmZ�ddlmZ�ddlmZmZmZmZmZmZ�ddlm��mZ�g�d	�Zd
ZG�dd��dej ej!�Z"G�d
d��de"�Z#G�dd��dej$�Z%dS�)z1
passlib.handlers.cisco -- Cisco password hashes
�����)�hexlify�	unhexlify)�md5N)�warn)�right_pad_string�
to_unicode�
repeat_string�to_bytes)�h64)�unicode�u�join_byte_values�join_byte_elems�iter_byte_values�
uascii_to_str)�	cisco_pix�	cisco_asa�cisco_type7s �����������������������������������c�������������������@���s6���e�Zd�ZdZd�ZdZdZdZdZe	j
ZdZdd��Z
dS�)r���a���
    This class implements the password hash used by older Cisco PIX firewalls,
    and follows the :ref:`password-hash-api`.
    It does a single round of hashing, and relies on the username
    as the salt.

This class only allows passwords <= 16 bytes, anything larger
    will result in a :exc:`~passlib.exc.PasswordSizeError` if passed to :meth:`~cisco_pix.hash`,
    and be silently rejected if passed to :meth:`~cisco_pix.verify`.

The :meth:`~passlib.ifc.PasswordHash.hash`,
    :meth:`~passlib.ifc.PasswordHash.genhash`, and
    :meth:`~passlib.ifc.PasswordHash.verify` methods
    all support the following extra keyword:

:param str user:
        String containing name of user account this password is associated with.

This is *required* in order to correctly hash passwords associated
        with a user account on the Cisco device, as it is used to salt
        the hash.

Conversely, this *must* be omitted or set to ``""`` in order to correctly
        hash passwords which don't have an associated user account
        (such as the "enable" password).

.. versionadded:: 1.6

.. versionchanged:: 1.7.1

Passwords > 16 bytes are now rejected / throw error instead of being silently truncated,
        to match Cisco behavior.  A number of :ref:`bugs <passlib-asa96-bug>` were fixed
        which caused prior releases to generate unverifiable hashes in certain cases.
    ����TFc�����������������C���s����|�j�}t|t�r|�d�}d}t|�|�jkr^|�jrVd|�j|�jf�}tj	j
|�j|d��n|t�}|�j}|r�t|t�r||�d�}|r�t|�dk�r�|t
|d�7�}|r�t|�dkr�d}nd}t||�}|r�||7�}t|����}td	d
��t|�D���}t�|��d�S�)a7��
        This function implements the "encrypted" hash format used by Cisco
        PIX & ASA. It's behavior has been confirmed for ASA 9.6,
        but is presumed correct for PIX & other ASA releases,
        as it fits with known test vectors, and existing literature.

While nearly the same, the PIX & ASA hashes have slight differences,
        so this function performs differently based on the _is_asa class flag.
        Noteable changes from PIX to ASA include password size limit
        increased from 16 -> 32, and other internal changes.
        �utf-8Nz.Password too long (%s allows at most %d bytes))�msg��������r���� ���c�����������������s���s"���|�]\}}|d��d@�r|V��qdS�)��������N��)�.0�i�cr���r����:/usr/lib/python3.9/site-packages/passlib/handlers/cisco.py�	<genexpr>���������z+cisco_pix._calc_checksum.<locals>.<genexpr>�ascii)�_is_asa�
isinstancer����encode�len�
truncate_size�use_defaults�name�uh�excZPasswordSizeError�_DUMMY_BYTES�userr���r���r����digestr����	enumerater
���Zencode_bytes�decode)�self�secretZasaZspoil_digestr���r.���Zpad_sizer/���r���r���r ����_calc_checksumg���s4����

�

zcisco_pix._calc_checksumN)�__name__�
__module__�__qualname__�__doc__r*���r(���Ztruncate_errorZtruncate_verify_rejectZ
checksum_sizer+���ZHASH64_CHARS�checksum_charsr$���r4���r���r���r���r ���r���$���s���)r���c�������������������@���s���e�Zd�ZdZd�ZdZdZdS�)r���a���
    This class implements the password hash used by Cisco ASA/PIX 7.0 and newer (2005).
    Aside from a different internal algorithm, it's use and format is identical
    to the older :class:`cisco_pix` class.

For passwords less than 13 characters, this should be identical to :class:`!cisco_pix`,
    but will generate a different hash for most larger inputs
    (See the `Format & Algorithm`_ section for the details).

This class only allows passwords <= 32 bytes, anything larger
    will result in a :exc:`~passlib.exc.PasswordSizeError` if passed to :meth:`~cisco_asa.hash`,
    and be silently rejected if passed to :meth:`~cisco_asa.verify`.

.. versionadded:: 1.7

.. versionchanged:: 1.7.1

Passwords > 32 bytes are now rejected / throw error instead of being silently truncated,
        to match Cisco behavior.  A number of :ref:`bugs <passlib-asa96-bug>` were fixed
        which caused prior releases to generate unverifiable hashes in certain cases.
    r���TN)r5���r6���r7���r8���r*���r(���r$���r���r���r���r ���r�������s���r���c�����������������������s����e�Zd�ZdZd�ZdZejZdZ	dZ
ed��fdd�	�Zedd	���Z
d��fd
d�	Zedd
d��Zedd���Zdd��Zdd��Zeddd��Zed�Zedd���Z���ZS�)r���a+��
    This class implements the "Type 7" password encoding used by Cisco IOS,
    and follows the :ref:`password-hash-api`.
    It has a simple 4-5 bit salt, but is nonetheless a reversible encoding
    instead of a real hash.

The :meth:`~passlib.ifc.PasswordHash.using` method accepts the following optional keywords:

:type salt: int
    :param salt:
        This may be an optional salt integer drawn from ``range(0,16)``.
        If omitted, one will be chosen at random.

:type relaxed: bool
    :param relaxed:
        By default, providing an invalid value for one of the other
        keywords will result in a :exc:`ValueError`. If ``relaxed=True``,
        and the error can be corrected, a :exc:`~passlib.exc.PasslibHashWarning`
        will be issued instead. Correctable errors include
        ``salt`` values that are out of range.

Note that while this class outputs digests in upper-case hexadecimal,
    it will accept lower-case as well.

This class also provides the following additional method:

.. automethod:: decode
    ��saltr����4���Nc��������������������sH���t�t|��jf�i�|��}��d�urD|j��|�d�d���t��fdd��|_|S�)N�relaxed)r=���c����������������������s�����S��Nr���r���r:���r���r ����<lambda>f��r"���z#cisco_type7.using.<locals>.<lambda>)�superr����using�
_norm_salt�get�staticmethod�_generate_salt)�clsr;����kwds�subcls��	__class__r:���r ���rA���a��s
����zcisco_type7.usingc�����������������C���sL���t�|dd�}t|�dk�r$tj�|���t|d�d���}|�||dd������d�S�)Nr#����hash����)r;����checksum)r���r'���r+���r,���ZInvalidHashError�int�upper)rF���rK���r;���r���r���r ����from_stringi��s
����zcisco_type7.from_stringc��������������������sh���t�t|��jf�i�|���|d�ur*|��|�}n4|�jrV|����}|��|�|ks^J�d|f���ntd��||�_d�S�)Nzgenerated invalid salt: %rzno salt specified)r@���r����__init__rB���r)���rE����	TypeErrorr;���)r2���r;���rG���rI���r���r ���rQ���q��s����zcisco_type7.__init__Fc�����������������C���sj���t�|t�stj�|dd��d|��kr0|�jkr8n�n|S�d}|r^t|tj��|dk�rXdS�|�jS�t|��dS�)z�
        validate & normalize salt value.
        .. note::
            the salt for this algorithm is an integer 0-52, not a string
        Zintegerr;���r���z"salt/offset must be in 0..52 rangeN)	r%���rN���r+���r,���ZExpectedTypeError�max_salt_valuer���ZPasslibHashWarning�
ValueError)rF���r;���r=���r���r���r���r ���rB���|��s����
zcisco_type7._norm_saltc�������������������C���s���t�j�dd�S�)Nr�������)r+����rngZrandintr���r���r���r ���rE������s����zcisco_type7._generate_saltc�����������������C���s���d|�j�t|�j�f�S�)Nz%02d%s)r;���r���rM���)r2���r���r���r ����	to_string���s����zcisco_type7.to_stringc�����������������C���s0���t�|t�r|�d�}t|��||�j���d����S�)Nr���r#���)r%���r���r&���r����_cipherr;���r1���rO���)r2���r3���r���r���r ���r4������s����

zcisco_type7._calc_checksumr���c�����������������C���s:���|���|�}t|j�d��}|�||j�}|r6|�|�S�|S�)z�decode hash, returning original password.

:arg hash: encoded password
        :param encoding: optional encoding to use (defaults to ``UTF-8``).
        :returns: password as unicode
        r#���)rP���r���rM���r&���rX���r;���r1���)rF���rK����encodingr2����tmp�rawr���r���r ���r1������s����
zcisco_type7.decodez5dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87c��������������������s0���|�j���t����t����fdd�tt|��D���S�)z1xor static key against data - encrypts & decryptsc�����������������3���s*���|�]"\}}|t����|�����A�V��qd�S�r>���)�ord)r����idx�value��keyZkey_sizer;���r���r ���r!������s����z&cisco_type7._cipher.<locals>.<genexpr>)�_keyr'���r
���r0���r���)rF����datar;���r���r_���r ���rX������s
����
�zcisco_type7._cipher)N)N)F)r���)r5���r6���r7���r8���r*���Zsetting_kwdsr+���ZUPPER_HEX_CHARSr9���Zmin_salt_valuerS����classmethodrA���rP���rQ���rB���rD���rE���rW���r4���r1���r���ra���rX����
__classcell__r���r���rI���r ���r���)��s,���#

r���)&r8���Zbinasciir���r���Zhashlibr���ZloggingZ	getLoggerr5����log�warningsr���Z
passlib.utilsr���r���r���r	���Zpasslib.utils.binaryr
���Zpasslib.utils.compatr���r���r
���r���r���r���Zpasslib.utils.handlersZutils�handlersr+����__all__r-���ZHasUserContextZ
StaticHandlerr���r���ZGenericHandlerr���r���r���r���r ����<module>���s��� �V0