+ i?@Rt^RIHtHt^RIHt^RIt]P!]4t ^RI H t ^RI H t HtHtHt^RIHt^RIHtHtHtHtHtHt^RIHuHt.ROtRt!R R]P@]PB4t"!R R ]"4t#!R R ]PH4t%R#)z1 passlib.handlers.cisco -- Cisco password hashes )hexlify unhexlify)md5N)warn)right_pad_string to_unicode repeat_stringto_bytes)h64)unicodeujoin_byte_valuesjoin_byte_elemsiter_byte_values uascii_to_str cisco_pix cisco_asa cisco_type7cZa]tRt^$toRtRt^tRtRt^t ] Pt Rt RtRtVtR#)ra6 This class implements the password hash used by older Cisco PIX firewalls, and follows the :ref:`password-hash-api`. It does a single round of hashing, and relies on the username as the salt. This class only allows passwords <= 16 bytes, anything larger will result in a :exc:`~passlib.exc.PasswordSizeError` if passed to :meth:`~cisco_pix.hash`, and be silently rejected if passed to :meth:`~cisco_pix.verify`. The :meth:`~passlib.ifc.PasswordHash.hash`, :meth:`~passlib.ifc.PasswordHash.genhash`, and :meth:`~passlib.ifc.PasswordHash.verify` methods all support the following extra keyword: :param str user: String containing name of user account this password is associated with. This is *required* in order to correctly hash passwords associated with a user account on the Cisco device, as it is used to salt the hash. Conversely, this *must* be omitted or set to ``""`` in order to correctly hash passwords which don't have an associated user account (such as the "enable" password). .. versionadded:: 1.6 .. versionchanged:: 1.7.1 Passwords > 16 bytes are now rejected / throw error instead of being silently truncated, to match Cisco behavior. A number of :ref:`bugs ` were fixed which caused prior releases to generate unverifiable hashes in certain cases. TFc `VPp\V\4'dVPR4pRp\ V4VP 8djVP 'dKRVPVP 3,p\PPVP VR7hV\,pVPpV'dS\V\4'dVPR4pV'd\ V4^8dV\V^4, pV'd\ V4^8d^ pM^p\W4pV'd W, p\V4P!4p\#R\%V444p\&P(!V4P+R4#)a This function implements the "encrypted" hash format used by Cisco PIX & ASA. It's behavior has been confirmed for ASA 9.6, but is presumed correct for PIX & other ASA releases, as it fits with known test vectors, and existing literature. While nearly the same, the PIX & ASA hashes have slight differences, so this function performs differently based on the _is_asa class flag. Noteable changes from PIX to ASA include password size limit increased from 16 -> 32, and other internal changes. utf-8Nz.Password too long (%s allows at most %d bytes))msgc3Z"TF!wrV^,^,'gKVxK# R#5i)N).0ics& T/var/www/html/photoedit/myenv/lib/python3.14/site-packages/passlib/handlers/cisco.py +cisco_pix._calc_checksum..s" P/@tqQUaKK/@s+ +ascii)_is_asa isinstancer encodelen truncate_size use_defaultsnameuhexcPasswordSizeError _DUMMY_BYTESuserrrrdigestr enumerater encode_bytesdecode)selfsecretasa spoil_digestrr-pad_sizer.s&& r_calc_checksumcisco_pix._calc_checksumgsWll fg & &]]7+F, v;++ +   Fyy$"4"456ff..t/A/As.KK & 4 .yy $(({{7+#f+*-a00 3v;#HH!&3   "FV##%! Py/@ PP '..w77rN)__name__ __module__ __qualname____firstlineno____doc__r(r&truncate_errortruncate_verify_reject checksum_sizer) HASH64_CHARSchecksum_charsr"r7__static_attributes____classdictcell__) __classdict__s@rrr$sG!R DMN! M__NG |8|8r9c&]tRt^tRtRt^ tRtRtR#)ra This class implements the password hash used by Cisco ASA/PIX 7.0 and newer (2005). Aside from a different internal algorithm, it's use and format is identical to the older :class:`cisco_pix` class. For passwords less than 13 characters, this should be identical to :class:`!cisco_pix`, but will generate a different hash for most larger inputs (See the `Format & Algorithm`_ section for the details). This class only allows passwords <= 32 bytes, anything larger will result in a :exc:`~passlib.exc.PasswordSizeError` if passed to :meth:`~cisco_asa.hash`, and be silently rejected if passed to :meth:`~cisco_asa.verify`. .. versionadded:: 1.7 .. versionchanged:: 1.7.1 Passwords > 32 bytes are now rejected / throw error instead of being silently truncated, to match Cisco behavior. A number of :ref:`bugs ` were fixed which caused prior releases to generate unverifiable hashes in certain cases. TrN) r:r;r<r=r>r(r&r"rDrr9rrrs8 D M Gr9caa]tRtRtoRtRtR t]Pt ^t ^4t ] RV3Rll4t ] R4tRV3Rllt] RRl4t]R4tRtR t] RR l4t]!R 4t] R 4tR tVtV;t#)ri)a This class implements the "Type 7" password encoding used by Cisco IOS, and follows the :ref:`password-hash-api`. It has a simple 4-5 bit salt, but is nonetheless a reversible encoding instead of a real hash. The :meth:`~passlib.ifc.PasswordHash.using` method accepts the following optional keywords: :type salt: int :param salt: This may be an optional salt integer drawn from ``range(0,16)``. If omitted, one will be chosen at random. :type relaxed: bool :param relaxed: By default, providing an invalid value for one of the other keywords will result in a :exc:`ValueError`. If ``relaxed=True``, and the error can be corrected, a :exc:`~passlib.exc.PasslibHashWarning` will be issued instead. Correctable errors include ``salt`` values that are out of range. Note that while this class outputs digests in upper-case hexadecimal, it will accept lower-case as well. This class also provides the following additional method: .. automethod:: decode c <a\\V` !R/VBpSe7VPSVP R4R7o\ V3Rl4VnV#)Nrelaxed)rJc<S#Nrsaltsr#cisco_type7.using..fsr9r)superrusing _norm_saltget staticmethod_generate_salt)clsrNkwdssubcls __class__s&f, rrRcisco_type7.usingasM{C.66  $$T488I3F$GD$0$>F ! r9c\VRR4p\V4^8d \PP V4h\ VR,4pV!W!R,P 4R7#)r!hash:NN:r^NN)rNchecksum)rr%r)r*InvalidHashErrorintupper)rWr]rNs&& r from_stringcisco_type7.from_stringisS$0 t9q=&&))#. .48}Bx~~'788r9c <\\V` !R/VBVeVPV4pMOVP'd3VP 4pVPV4V8Xg QRV: 24hM \ R4hWnR#)Nzgenerated invalid salt: zno salt specifiedr)rQr__init__rSr'rV TypeErrorrN)r2rNrXrZs&&,rrfcisco_type7.__init__qst k4)1D1  ??4(D    &&(D??4(D0 XRV2X X0/0 0 r9c 2\V\4'g"\PP VRR4h^Tu;8:dVP 8:dV#RpV'd0\ V\P4V^8d^#VP #\V4h)zm validate & normalize salt value. .. note:: the salt for this algorithm is an integer 0-52, not a string integerrNz"salt/offset must be in 0..52 range) r#rar)r*ExpectedTypeErrormax_salt_valuerPasslibHashWarning ValueError)rWrNrJrs&&& rrScisco_type7._norm_salt|s$$$&&**4FC C  *** *K +2  b++ ,q1 8c&8&8 8S/ !r9cB\PP^^4#))r)rngrandintrr9rrVcisco_type7._generate_saltsvv~~a$$r9cRRVP\VP43,#)z%02d%s)rNrr_)r2s&r to_stringcisco_type7.to_strings499mDMM&BCCCr9c\V\4'dVPR4p\VP WP 44P R4P4#)rr!)r#r r$r_cipherrNr1rb)r2r3s&&rr7cisco_type7._calc_checksumsK fg & &]]7+Ft||FII67>>wGMMOOr9c VPV4p\VPPR44pVP WCP 4pV'dVP V4#T#)zdecode hash, returning original password. :arg hash: encoded password :param encoding: optional encoding to use (defaults to ``UTF-8``). :returns: password as unicode r!)rcrr_r$ryrNr1)rWr]encodingr2tmpraws&&& rr1cisco_type7.decodesSt$ ,,W56ll3 *'/szz(#8S8r9z5dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87c aaaVPo\S4o\VVV3Rl\\ V4444#)z1xor static key against data - encrypts & decryptsc3v<"TF.wrV\SSV,S,,4, xK0 R#5irL)ord)ridxvaluekeykey_sizerNs& rr&cisco_type7._cipher..s5 ?  CTCZ8345 5 5?s69)_keyr%r r/r)rWdatarNrrs&&f@@rrycisco_type7._ciphers<hhs8 '(8(>?   r9rMrL)F)r)r:r;r<r=r>r( setting_kwdsr)UPPER_HEX_CHARSrCmin_salt_valuerl classmethodrRrcrfrSrUrVrvr7r1r rryrDrE __classcell__)rZrFs@@rrr)sF DL ''NNN 99 """%%DP 9 9 D ED   r9)rrrs )&r>binasciirrhashlibrlogging getLoggerr:logwarningsr passlib.utilsrrrr passlib.utils.binaryr passlib.utils.compatr r r rrrpasslib.utils.handlersutilshandlersr)__all__r,HasUserContext StaticHandlerrrGenericHandlerrrr9rrs(g''1PO$>>##  8!!2#3#38j' '`K "##K r9