This file is indexed.

/usr/share/pyshared/passlib/handlers/mssql.py is in python-passlib 1.6.1-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
"""passlib.handlers.mssql - MS-SQL Password Hash

Notes
=====
MS-SQL has used a number of hash algs over the years,
most of which were exposed through the undocumented
'pwdencrypt' and 'pwdcompare' sql functions.

Known formats
-------------
6.5
    snefru hash, ascii encoded password
    no examples found

7.0
    snefru hash, unicode (what encoding?)
    saw ref that these blobs were 16 bytes in size
    no examples found

2000
    byte string using displayed as 0x hex, using 0x0100 prefix.
    contains hashes of password and upper-case password.

2007
    same as 2000, but without the upper-case hash.

refs
----------
https://blogs.msdn.com/b/lcris/archive/2007/04/30/sql-server-2005-about-login-password-hashes.aspx?Redirected=true
http://us.generation-nt.com/securing-passwords-hash-help-35429432.html
http://forum.md5decrypter.co.uk/topic230-mysql-and-mssql-get-password-hashes.aspx
http://www.theregister.co.uk/2002/07/08/cracking_ms_sql_server_passwords/
"""
#=============================================================================
# imports
#=============================================================================
# core
from binascii import hexlify, unhexlify
from hashlib import sha1
import re
import logging; log = logging.getLogger(__name__)
from warnings import warn
# site
# pkg
from passlib.utils import consteq
from passlib.utils.compat import b, bytes, bascii_to_str, unicode, u
import passlib.utils.handlers as uh
# local
__all__ = [
    "mssql2000",
    "mssql2005",
]

#=============================================================================
# mssql 2000
#=============================================================================
def _raw_mssql(secret, salt):
    assert isinstance(secret, unicode)
    assert isinstance(salt, bytes)
    return sha1(secret.encode("utf-16-le") + salt).digest()

BIDENT = b("0x0100")
##BIDENT2 = b("\x01\x00")
UIDENT = u("0x0100")

def _ident_mssql(hash, csize, bsize):
    "common identify for mssql 2000/2005"
    if isinstance(hash, unicode):
        if len(hash) == csize and hash.startswith(UIDENT):
            return True
    elif isinstance(hash, bytes):
        if len(hash) == csize and hash.startswith(BIDENT):
            return True
        ##elif len(hash) == bsize and hash.startswith(BIDENT2): # raw bytes
        ##    return True
    else:
        raise uh.exc.ExpectedStringError(hash, "hash")
    return False

def _parse_mssql(hash, csize, bsize, handler):
    "common parser for mssql 2000/2005; returns 4 byte salt + checksum"
    if isinstance(hash, unicode):
        if len(hash) == csize and hash.startswith(UIDENT):
            try:
                return unhexlify(hash[6:].encode("utf-8"))
            except TypeError: # throw when bad char found
                pass
    elif isinstance(hash, bytes):
        # assumes ascii-compat encoding
        assert isinstance(hash, bytes)
        if len(hash) == csize and hash.startswith(BIDENT):
            try:
                return unhexlify(hash[6:])
            except TypeError: # throw when bad char found
                pass
        ##elif len(hash) == bsize and hash.startswith(BIDENT2): # raw bytes
        ##    return hash[2:]
    else:
        raise uh.exc.ExpectedStringError(hash, "hash")
    raise uh.exc.InvalidHashError(handler)

class mssql2000(uh.HasRawSalt, uh.HasRawChecksum, uh.GenericHandler):
    """This class implements the password hash used by MS-SQL 2000, and follows the :ref:`password-hash-api`.

    It supports a fixed-length salt.

    The :meth:`~passlib.ifc.PasswordHash.encrypt` and :meth:`~passlib.ifc.PasswordHash.genconfig` methods accept the following optional keywords:

    :type salt: bytes
    :param salt:
        Optional salt string.
        If not specified, one will be autogenerated (this is recommended).
        If specified, it must be 4 bytes in length.

    :type relaxed: bool
    :param relaxed:
        By default, providing an invalid value for one of the other
        keywords will result in a :exc:`ValueError`. If ``relaxed=True``,
        and the error can be corrected, a :exc:`~passlib.exc.PasslibHashWarning`
        will be issued instead. Correctable errors include
        ``salt`` strings that are too long.
    """
    #===================================================================
    # algorithm information
    #===================================================================
    name = "mssql2000"
    setting_kwds = ("salt",)
    checksum_size = 40
    min_salt_size = max_salt_size = 4
    _stub_checksum = b("\x00") * 40

    #===================================================================
    # formatting
    #===================================================================

    # 0100 - 2 byte identifier
    # 4 byte salt
    # 20 byte checksum
    # 20 byte checksum
    # = 46 bytes
    # encoded '0x' + 92 chars = 94

    @classmethod
    def identify(cls, hash):
        return _ident_mssql(hash, 94, 46)

    @classmethod
    def from_string(cls, hash):
        data = _parse_mssql(hash, 94, 46, cls)
        return cls(salt=data[:4], checksum=data[4:])

    def to_string(self):
        raw = self.salt + (self.checksum or self._stub_checksum)
        # raw bytes format - BIDENT2 + raw
        return "0x0100" + bascii_to_str(hexlify(raw).upper())

    def _calc_checksum(self, secret):
        if isinstance(secret, bytes):
            secret = secret.decode("utf-8")
        salt = self.salt
        return _raw_mssql(secret, salt) + _raw_mssql(secret.upper(), salt)

    @classmethod
    def verify(cls, secret, hash):
        # NOTE: we only compare against the upper-case hash
        # XXX: add 'full' just to verify both checksums?
        uh.validate_secret(secret)
        self = cls.from_string(hash)
        chk = self.checksum
        if chk is None:
            raise uh.exc.MissingDigestError(cls)
        if isinstance(secret, bytes):
            secret = secret.decode("utf-8")
        result = _raw_mssql(secret.upper(), self.salt)
        return consteq(result, chk[20:])

#=============================================================================
# handler
#=============================================================================
class mssql2005(uh.HasRawSalt, uh.HasRawChecksum, uh.GenericHandler):
    """This class implements the password hash used by MS-SQL 2005, and follows the :ref:`password-hash-api`.

    It supports a fixed-length salt.

    The :meth:`~passlib.ifc.PasswordHash.encrypt` and :meth:`~passlib.ifc.PasswordHash.genconfig` methods accept the following optional keywords:

    :type salt: bytes
    :param salt:
        Optional salt string.
        If not specified, one will be autogenerated (this is recommended).
        If specified, it must be 4 bytes in length.

    :type relaxed: bool
    :param relaxed:
        By default, providing an invalid value for one of the other
        keywords will result in a :exc:`ValueError`. If ``relaxed=True``,
        and the error can be corrected, a :exc:`~passlib.exc.PasslibHashWarning`
        will be issued instead. Correctable errors include
        ``salt`` strings that are too long.
    """
    #===================================================================
    # algorithm information
    #===================================================================
    name = "mssql2005"
    setting_kwds = ("salt",)

    checksum_size = 20
    min_salt_size = max_salt_size = 4
    _stub_checksum = b("\x00") * 20

    #===================================================================
    # formatting
    #===================================================================

    # 0x0100 - 2 byte identifier
    # 4 byte salt
    # 20 byte checksum
    # = 26 bytes
    # encoded '0x' + 52 chars = 54

    @classmethod
    def identify(cls, hash):
        return _ident_mssql(hash, 54, 26)

    @classmethod
    def from_string(cls, hash):
        data = _parse_mssql(hash, 54, 26, cls)
        return cls(salt=data[:4], checksum=data[4:])

    def to_string(self):
        raw = self.salt + (self.checksum or self._stub_checksum)
        # raw bytes format - BIDENT2 + raw
        return "0x0100" + bascii_to_str(hexlify(raw)).upper()

    def _calc_checksum(self, secret):
        if isinstance(secret, bytes):
            secret = secret.decode("utf-8")
        return _raw_mssql(secret, self.salt)

    #===================================================================
    # eoc
    #===================================================================

#=============================================================================
# eof
#=============================================================================