def genhash(cls, secret, config):
if config is not None and not cls.identify(config):
raise ValueError("not a mysql-3.2.3 hash")
#FIXME: no idea if mysql has a policy about handling unicode passwords
if isinstance(secret, unicode):
secret = secret.encode("utf-8")
MASK_32 = 0xffffffff
MASK_31 = 0x7fffffff
nr1 = 0x50305735
nr2 = 0x12345671
add = 7
for c in secret:
if c in b(' \t'):
continue
tmp = bord(c)
nr1 ^= ((((nr1 & 63)+add)*tmp) + (nr1 << 8)) & MASK_32
nr2 = (nr2+((nr2 << 8) ^ nr1)) & MASK_32
add = (add+tmp) & MASK_32
hash = u"%08x%08x" % (nr1 & MASK_31, nr2 & MASK_31)
return to_hash_str(hash)
def genhash(cls, secret, hash):
if not cls.identify(hash):
raise ValueError("not a unsalted-example hash")
if isinstance(secret, unicode):
secret = secret.encode("utf-8")
data = b("boblious") + secret
return to_hash_str(hashlib.sha1(data).hexdigest())
def to_string(self, native=True):
if self.rounds == 5000 and self.implicit_rounds:
hash = u"$6$%s$%s" % (self.salt, self.checksum or u'')
else:
hash = u"$6$rounds=%d$%s$%s" % (self.rounds, self.salt,
self.checksum or u'')
return to_hash_str(hash) if native else hash
def to_string(self, withchk=True):
out = u'$p5k2$%x$%s' % (self.rounds,
b64encode(self.salt, CTA_ALTCHARS).decode("ascii"))
if withchk and self.checksum:
out = u"%s$%s" % (out,
b64encode(self.checksum, CTA_ALTCHARS).decode("ascii"))
return to_hash_str(out)
def render_mc3(ident, rounds, salt, checksum, sep=u"$"):
"format hash using 3-part modular crypt format; inverse of parse_mc3"
if checksum:
hash = u"%s%s%s%s%s%s" % (ident, rounds, sep, salt, sep, checksum)
else:
hash = u"%s%s%s%s" % (ident, rounds, sep, salt)
return to_hash_str(hash)
def genhash(cls, secret, config, user):
if config is not None and not cls.identify(config):
raise ValueError("not an oracle-10g hash")
if secret is None:
raise TypeError("secret must be specified")
if not user:
raise ValueError("user keyword must be specified for this algorithm")
#FIXME: not sure how oracle handles unicode.
# online docs about 10g hash indicate it puts ascii chars
# in a 2-byte encoding w/ the high bytenull.
# they don't say how it handles other chars,
# or what encoding.
#
# so for now, encoding secret & user to utf-16-be,
# since that fits,
# and if secret/user is bytes, we assume utf-8, and decode first.
#
# this whole mess really needs someone w/ an oracle system,
# and some answers :)
def encode(value):
"encode according to guess at how oracle encodes strings (see note above)"
#we can't trust what original encoding was.
#user should have passed us unicode in the first place.
#but try decoding as utf-8 just to work for most common case.
value = to_unicode(value, "utf-8")
return value.upper().encode("utf-16-be")
input = encode(user) + encode(secret)
hash = des_cbc_encrypt(ORACLE10_MAGIC, input)
hash = des_cbc_encrypt(hash, input)
return to_hash_str(hexlify(hash)).upper()
def genhash(cls, secret, hash):
if not cls.identify(hash):
raise ValueError("not a unsalted-example hash")
if isinstance(secret, unicode):
secret = secret.encode("utf-8")
data = b("boblious") + secret
return to_hash_str(hashlib.sha1(data).hexdigest())
def to_string(self, withchk=True):
out = u'$p5k2$%x$%s' % (self.rounds, b64encode(
self.salt, CTA_ALTCHARS).decode("ascii"))
if withchk and self.checksum:
out = u"%s$%s" % (out, b64encode(self.checksum,
CTA_ALTCHARS).decode("ascii"))
return to_hash_str(out)
def to_string(self):
chk = self.checksum
if not chk: #fill in stub checksum
chk = b('\x00') * self._info[1]
salt = self.salt
data = b64encode(salt+chk).decode("ascii")
hash = u"{FSHP%d|%d|%d}%s" % (self.variant, len(salt), self.rounds, data)
return to_hash_str(hash)
def to_string(self, withchk=True, native=True):
if self.rounds == 400:
out = u'$p5k2$$%s' % (self.salt,)
else:
out = u'$p5k2$%x$%s' % (self.rounds, self.salt)
if withchk and self.checksum:
out = u"%s$%s" % (out,self.checksum)
return to_hash_str(out) if native else out
def genhash(cls, secret, hash):
if hash is not None and not cls.identify(hash):
raise ValueError("not a %s hash" % (cls.name, ))
if secret is None:
raise TypeError("no secret provided")
if isinstance(secret, unicode):
secret = secret.encode("utf-8")
return to_hash_str(cls._hash_func(secret).hexdigest())
def to_string(self, withchk=True, native=True):
if self.rounds == 400:
out = u'$p5k2$$%s' % (self.salt, )
else:
out = u'$p5k2$%x$%s' % (self.rounds, self.salt)
if withchk and self.checksum:
out = u"%s$%s" % (out, self.checksum)
return to_hash_str(out) if native else out
def genhash(cls, secret, hash):
if hash is not None and not cls.identify(hash):
raise ValueError("not a %s hash" % (cls.name,))
if secret is None:
raise TypeError("no secret provided")
if isinstance(secret, unicode):
secret = secret.encode("utf-8")
return to_hash_str(cls._hash_func(secret).hexdigest())
def to_string(self, withchk=True):
salt = adapted_b64_encode(self.salt).decode("ascii")
if withchk and self.checksum:
chk = adapted_b64_encode(self.checksum).decode("ascii")
hash = u'%s%d$%s$%s' % (self.ident, self.rounds, salt, chk)
else:
hash = u'%s%d$%s' % (self.ident, self.rounds, salt)
return to_hash_str(hash)
def to_string(self, withchk=True):
salt = hexlify(self.salt).decode("ascii").upper()
if withchk and self.checksum:
chk = hexlify(self.checksum).decode("ascii").upper()
hash = u'%s%d.%s.%s' % (self.ident, self.rounds, salt, chk)
else:
hash = u'%s%d.%s' % (self.ident, self.rounds, salt)
return to_hash_str(hash)
def to_string(self, withchk=True):
salt = hexlify(self.salt).decode("ascii").upper()
if withchk and self.checksum:
chk = hexlify(self.checksum).decode("ascii").upper()
hash = u'%s%d.%s.%s' % (self.ident, self.rounds, salt, chk)
else:
hash = u'%s%d.%s' % (self.ident, self.rounds, salt)
return to_hash_str(hash)
def to_string(self, withchk=True):
salt = adapted_b64_encode(self.salt).decode("ascii")
if withchk and self.checksum:
chk = adapted_b64_encode(self.checksum).decode("ascii")
hash = u'%s%d$%s$%s' % (self.ident, self.rounds, salt, chk)
else:
hash = u'%s%d$%s' % (self.ident, self.rounds, salt)
return to_hash_str(hash)
def _yhsmto_string(base, self):
hash = self.ident
inner_str = super(base, self).to_string()
inner_str = inner_str[len(self.ident):].rsplit('$', 1)[0]
chk = b64encode(self.checksum).decode('ascii')
hash += u'%s%s$%s$%s' % (_UKH, self.key_handle, inner_str, chk)
return to_hash_str(hash)
def genhash(cls, secret, config, user):
if config is not None and not cls.identify(config):
raise ValueError("not a postgres-md5 hash")
if not user:
raise ValueError("user keyword must be specified for this algorithm")
if isinstance(secret, unicode):
secret = secret.encode("utf-8")
if isinstance(user, unicode):
user = user.encode("utf-8")
hash = u"md5" + to_unicode(md5(secret + user).hexdigest())
return to_hash_str(hash)
def _wrap_hash(self, hash):
"given orig hash; return one belonging to wrapper"
#NOTE: should usually be native string.
# (which does mean extra work under py2, but not py3)
if isinstance(hash, bytes):
hash = hash.decode('ascii')
orig_prefix = self.orig_prefix
if not hash.startswith(orig_prefix):
raise ValueError("not a valid %s hash" % (self.wrapped.name,))
wrapped = self.prefix + hash[len(orig_prefix):]
return to_hash_str(wrapped)
def test_00_static_handler(self):
"test StaticHandler helper class"
class d1(uh.StaticHandler):
name = "d1"
context_kwds = ("flag",)
@classmethod
def genhash(cls, secret, hash, flag=False):
if isinstance(hash, bytes):
hash = hash.decode("ascii")
if hash not in (u"a", u"b"):
raise ValueError
return to_hash_str(u"b" if flag else u"a")
# check default identify method
self.assertTrue(d1.identify(u"a"))
self.assertTrue(d1.identify(b("a")))
self.assertTrue(d1.identify(u"b"))
self.assertFalse(d1.identify(u"c"))
self.assertFalse(d1.identify(b("c")))
self.assertFalse(d1.identify(u""))
self.assertFalse(d1.identify(None))
# check default genconfig method
self.assertIs(d1.genconfig(), None)
d1._stub_config = u"b"
self.assertEqual(d1.genconfig(), to_hash_str("b"))
# check default verify method
self.assertTrue(d1.verify("s", "a"))
self.assertTrue(d1.verify("s", u"a"))
self.assertFalse(d1.verify("s", "b"))
self.assertFalse(d1.verify("s", u"b"))
self.assertTrue(d1.verify("s", "b", flag=True))
self.assertRaises(ValueError, d1.verify, "s", "c")
# check default encrypt method
self.assertEqual(d1.encrypt("s"), to_hash_str("a"))
self.assertEqual(d1.encrypt("s"), to_hash_str("a"))
self.assertEqual(d1.encrypt("s", flag=True), to_hash_str("b"))
def test_00_static_handler(self):
"test StaticHandler helper class"
class d1(uh.StaticHandler):
name = "d1"
context_kwds = ("flag",)
@classmethod
def genhash(cls, secret, hash, flag=False):
if isinstance(hash, bytes):
hash = hash.decode("ascii")
if hash not in (u'a',u'b'):
raise ValueError
return to_hash_str(u'b' if flag else u'a')
#check default identify method
self.assertTrue(d1.identify(u'a'))
self.assertTrue(d1.identify(b('a')))
self.assertTrue(d1.identify(u'b'))
self.assertFalse(d1.identify(u'c'))
self.assertFalse(d1.identify(b('c')))
self.assertFalse(d1.identify(u''))
self.assertFalse(d1.identify(None))
#check default genconfig method
self.assertIs(d1.genconfig(), None)
d1._stub_config = u'b'
self.assertEqual(d1.genconfig(), to_hash_str('b'))
#check default verify method
self.assertTrue(d1.verify('s','a'))
self.assertTrue(d1.verify('s',u'a'))
self.assertFalse(d1.verify('s','b'))
self.assertFalse(d1.verify('s',u'b'))
self.assertTrue(d1.verify('s', 'b', flag=True))
self.assertRaises(ValueError, d1.verify, 's', 'c')
#check default encrypt method
self.assertEqual(d1.encrypt('s'), to_hash_str('a'))
self.assertEqual(d1.encrypt('s'), to_hash_str('a'))
self.assertEqual(d1.encrypt('s', flag=True), to_hash_str('b'))
def to_string(self, withchk=True, native=True):
ss = u"" if self.bare_salt else u"$"
rounds = self.rounds
if rounds > 0:
out = u"$md5,rounds=%d$%s%s" % (rounds, self.salt, ss)
else:
out = u"$md5$%s%s" % (self.salt, ss)
if withchk:
chk = self.checksum
if chk:
out = u"%s$%s" % (out, chk)
return to_hash_str(out) if native else out
def genhash(cls, secret, config, user):
if config is not None and not cls.identify(config):
raise ValueError("not a postgres-md5 hash")
if not user:
raise ValueError(
"user keyword must be specified for this algorithm")
if isinstance(secret, unicode):
secret = secret.encode("utf-8")
if isinstance(user, unicode):
user = user.encode("utf-8")
hash = u"md5" + to_unicode(md5(secret + user).hexdigest())
return to_hash_str(hash)
def to_string(self, withchk=True, native=True):
ss = u'' if self.bare_salt else u'$'
rounds = self.rounds
if rounds > 0:
out = u"$md5,rounds=%d$%s%s" % (rounds, self.salt, ss)
else:
out = u"$md5$%s%s" % (self.salt, ss)
if withchk:
chk = self.checksum
if chk:
out = u"%s$%s" % (out, chk)
return to_hash_str(out) if native else out
def _yhsmto_string(base, self):
hash = self.ident
inner_str = super(base, self).to_string()
inner_str = inner_str[len(self.ident):].rsplit('$', 1)[0]
chk = b64encode(self.checksum).decode('ascii')
hash += u'%s%s$%s$%s' % (
_UKH,
self.key_handle,
inner_str,
chk
)
return to_hash_str(hash)
def genhash(cls, secret, config):
if config is not None and not cls.identify(config):
raise ValueError("not a mysql-3.2.3 hash")
#FIXME: no idea if mysql has a policy about handling unicode passwords
if isinstance(secret, unicode):
secret = secret.encode("utf-8")
MASK_32 = 0xffffffff
MASK_31 = 0x7fffffff
nr1 = 0x50305735
nr2 = 0x12345671
add = 7
for c in secret:
if c in b(' \t'):
continue
tmp = bord(c)
nr1 ^= ((((nr1 & 63) + add) * tmp) + (nr1 << 8)) & MASK_32
nr2 = (nr2 + ((nr2 << 8) ^ nr1)) & MASK_32
add = (add + tmp) & MASK_32
hash = u"%08x%08x" % (nr1 & MASK_31, nr2 & MASK_31)
return to_hash_str(hash)
def to_string(self):
hash = self.ident + (self.checksum or self._stub_checksum)
return to_hash_str(hash)
def to_string(self):
hash = u"%s%s%s%s" % (self.ident, h64.encode_int6(
self.rounds).decode("ascii"), self.salt, self.checksum or u'')
return to_hash_str(hash)
def to_string(self):
hash = u"@salt%s%s" % (self.salt, self.checksum or self._stub_checksum)
return to_hash_str(hash)
def genhash(cls, secret, hash, flag=False):
if isinstance(hash, bytes):
hash = hash.decode("ascii")
if hash not in (u"a", u"b"):
raise ValueError
return to_hash_str(u"b" if flag else u"a")
def to_string(self, native=True):
if self.rounds == 5000 and self.implicit_rounds:
hash = u"$6$%s$%s" % (self.salt, self.checksum or u'')
else:
hash = u"$6$rounds=%d$%s$%s" % (self.rounds, self.salt, self.checksum or u'')
return to_hash_str(hash) if native else hash
def genhash(cls, secret, config):
if secret is None:
raise TypeError("no secret provided")
return to_hash_str(u"!")
def genhash(cls, secret, hash, enable_wildcard=False):
if secret is None:
raise TypeError("secret must be string")
if hash is None:
raise ValueError("no hash provided")
return to_hash_str(hash)
def to_string(self):
return to_hash_str(u'%s$%s' % (self.salt, self.checksum or u''))
def genhash(cls, secret, hash):
if secret is None:
raise TypeError("secret must be string")
return to_hash_str(secret, "utf-8")
def genhash(cls, secret, hash):
if hash is not None and not cls.identify(hash):
raise ValueError("not a valid ldap_plaintext hash")
if secret is None:
raise TypeError("secret must be string")
return to_hash_str(secret, "utf-8")
def to_string(self):
data = (self.checksum or self._stub_checksum) + self.salt
hash = self.ident + b64encode(data).decode("ascii")
return to_hash_str(hash)
def genhash(cls, secret, config):
if secret is None:
raise TypeError("no secret provided")
return to_hash_str(u"!")
def to_string(self):
hash = u"%s%s%s%s" % (self.ident,
h64.encode_int6(self.rounds).decode("ascii"),
self.salt,
self.checksum or u'')
return to_hash_str(hash)
def to_string(self, native=True):
hash = u"%s%s" % (self.salt, self.checksum or u'')
return to_hash_str(hash) if native else hash
def to_string(self):
chk = self.checksum or self._stub_checksum
out = u"%s%s$%s" % (self.ident, self.salt, chk)
return to_hash_str(out)
def to_string(self):
chk = (self.checksum or self._stub_checksum)
hash = u"S:%s%s" % (chk.upper(), self.salt.upper())
return to_hash_str(hash)
def to_string(self):
chk = self.checksum or self._stub_checksum
out = u"%s%s$%s" % (self.ident, self.salt, chk)
return to_hash_str(out)
def genhash(cls, secret, hash, flag=False):
if isinstance(hash, bytes):
hash = hash.decode("ascii")
if hash not in (u'a',u'b'):
raise ValueError
return to_hash_str(u'b' if flag else u'a')
def to_string(self):
hash = u"@salt%s%s" % (self.salt, self.checksum or self._stub_checksum)
return to_hash_str(hash)
def to_string(self, native=True):
out = u"$sha1$%d$%s" % (self.rounds, self.salt)
if self.checksum:
out += u"$" + self.checksum
return to_hash_str(out) if native else out
def to_string(self, native=True):
hash = u"_%s%s%s" % (h64.encode_int24(self.rounds).decode("ascii"),
self.salt, self.checksum or u'')
return to_hash_str(hash) if native else hash
def genhash(cls, secret, hash, enable_wildcard=False):
if secret is None:
raise TypeError("secret must be string")
if hash is None:
raise ValueError("no hash provided")
return to_hash_str(hash)
def genhash(cls, secret, hash):
if secret is None:
raise TypeError("secret must be string")
return to_hash_str(secret, "utf-8")
def to_string(self):
hash = self.ident + (self.checksum or self._stub_checksum)
return to_hash_str(hash)
