airbag/venv/lib/python3.10/site-packages/passlib/tests/test_handlers_pbkdf2.py

"""passlib.tests.test_handlers - tests for passlib hash algorithms"""
#=============================================================================
# imports
#=============================================================================
# core
import logging
log = logging.getLogger(__name__)
import warnings
# site
# pkg
from passlib import hash
from passlib.utils.compat import u
from passlib.tests.utils import TestCase, HandlerCase
from passlib.tests.test_handlers import UPASS_WAV
# module

#=============================================================================
# ldap_pbkdf2_{digest}
#=============================================================================
# NOTE: since these are all wrappers for the pbkdf2_{digest} hasehs,
#       they don't extensive separate testing.

class ldap_pbkdf2_test(TestCase):

    def test_wrappers(self):
        """test ldap pbkdf2 wrappers"""

        self.assertTrue(
            hash.ldap_pbkdf2_sha1.verify(
                "password",
                '{PBKDF2}1212$OB.dtnSEXZK8U5cgxU/GYQ$y5LKPOplRmok7CZp/aqVDVg8zGI',
            )
        )

        self.assertTrue(
            hash.ldap_pbkdf2_sha256.verify(
                "password",
                '{PBKDF2-SHA256}1212$4vjV83LKPjQzk31VI4E0Vw$hsYF68OiOUPdDZ1Fg'
                '.fJPeq1h/gXXY7acBp9/6c.tmQ'
            )
        )

        self.assertTrue(
            hash.ldap_pbkdf2_sha512.verify(
                "password",
                '{PBKDF2-SHA512}1212$RHY0Fr3IDMSVO/RSZyb5ow$eNLfBK.eVozomMr.1gYa1'
                '7k9B7KIK25NOEshvhrSX.esqY3s.FvWZViXz4KoLlQI.BzY/YTNJOiKc5gBYFYGww'
            )
        )

#=============================================================================
# pbkdf2 hashes
#=============================================================================
class atlassian_pbkdf2_sha1_test(HandlerCase):
    handler = hash.atlassian_pbkdf2_sha1

    known_correct_hashes = [
        #
        # generated using Jira
        #
        ("admin", '{PKCS5S2}c4xaeTQM0lUieMS3V5voiexyX9XhqC2dBd5ecVy60IPksHChwoTAVYFrhsgoq8/p'),
        (UPASS_WAV,
                  "{PKCS5S2}cE9Yq6Am5tQGdHSHhky2XLeOnURwzaLBG2sur7FHKpvy2u0qDn6GcVGRjlmJoIUy"),
    ]

    known_malformed_hashes = [
        # bad char                                    ---\/
        '{PKCS5S2}c4xaeTQM0lUieMS3V5voiexyX9XhqC2dBd5ecVy!0IPksHChwoTAVYFrhsgoq8/p'

        # bad size, missing padding
        '{PKCS5S2}c4xaeTQM0lUieMS3V5voiexyX9XhqC2dBd5ecVy60IPksHChwoTAVYFrhsgoq8/'

        # bad size, with correct padding
        '{PKCS5S2}c4xaeTQM0lUieMS3V5voiexyX9XhqC2dBd5ecVy60IPksHChwoTAVYFrhsgoq8/='
    ]

class pbkdf2_sha1_test(HandlerCase):
    handler = hash.pbkdf2_sha1
    known_correct_hashes = [
        ("password", '$pbkdf2$1212$OB.dtnSEXZK8U5cgxU/GYQ$y5LKPOplRmok7CZp/aqVDVg8zGI'),
        (UPASS_WAV,
            '$pbkdf2$1212$THDqatpidANpadlLeTeOEg$HV3oi1k5C5LQCgG1BMOL.BX4YZc'),
    ]

    known_malformed_hashes = [
        # zero padded rounds field
        '$pbkdf2$01212$THDqatpidANpadlLeTeOEg$HV3oi1k5C5LQCgG1BMOL.BX4YZc',

        # empty rounds field
        '$pbkdf2$$THDqatpidANpadlLeTeOEg$HV3oi1k5C5LQCgG1BMOL.BX4YZc',

        # too many field
        '$pbkdf2$1212$THDqatpidANpadlLeTeOEg$HV3oi1k5C5LQCgG1BMOL.BX4YZc$',
    ]

class pbkdf2_sha256_test(HandlerCase):
    handler = hash.pbkdf2_sha256
    known_correct_hashes = [
        ("password",
            '$pbkdf2-sha256$1212$4vjV83LKPjQzk31VI4E0Vw$hsYF68OiOUPdDZ1Fg.fJPeq1h/gXXY7acBp9/6c.tmQ'
            ),
        (UPASS_WAV,
            '$pbkdf2-sha256$1212$3SABFJGDtyhrQMVt1uABPw$WyaUoqCLgvz97s523nF4iuOqZNbp5Nt8do/cuaa7AiI'
            ),
    ]

class pbkdf2_sha512_test(HandlerCase):
    handler = hash.pbkdf2_sha512
    known_correct_hashes = [
        ("password",
            '$pbkdf2-sha512$1212$RHY0Fr3IDMSVO/RSZyb5ow$eNLfBK.eVozomMr.1gYa1'
            '7k9B7KIK25NOEshvhrSX.esqY3s.FvWZViXz4KoLlQI.BzY/YTNJOiKc5gBYFYGww'
            ),
        (UPASS_WAV,
            '$pbkdf2-sha512$1212$KkbvoKGsAIcF8IslDR6skQ$8be/PRmd88Ps8fmPowCJt'
            'tH9G3vgxpG.Krjt3KT.NP6cKJ0V4Prarqf.HBwz0dCkJ6xgWnSj2ynXSV7MlvMa8Q'
            ),
    ]

class cta_pbkdf2_sha1_test(HandlerCase):
    handler = hash.cta_pbkdf2_sha1
    known_correct_hashes = [
        #
        # test vectors from original implementation
        #
        (u("hashy the \N{SNOWMAN}"), '$p5k2$1000$ZxK4ZBJCfQg=$jJZVscWtO--p1-xIZl6jhO2LKR0='),

        #
        # custom
        #
        ("password", "$p5k2$1$$h1TDLGSw9ST8UMAPeIE13i0t12c="),
        (UPASS_WAV,
            "$p5k2$4321$OTg3NjU0MzIx$jINJrSvZ3LXeIbUdrJkRpN62_WQ="),
        ]

class dlitz_pbkdf2_sha1_test(HandlerCase):
    handler = hash.dlitz_pbkdf2_sha1
    known_correct_hashes = [
        #
        # test vectors from original implementation
        #
        ('cloadm',  '$p5k2$$exec$r1EWMCMk7Rlv3L/RNcFXviDefYa0hlql'),
        ('gnu',     '$p5k2$c$u9HvcT4d$Sd1gwSVCLZYAuqZ25piRnbBEoAesaa/g'),
        ('dcl',     '$p5k2$d$tUsch7fU$nqDkaxMDOFBeJsTSfABsyn.PYUXilHwL'),
        ('spam',    '$p5k2$3e8$H0NX9mT/$wk/sE8vv6OMKuMaqazCJYDSUhWY9YB2J'),
        (UPASS_WAV,
                    '$p5k2$$KosHgqNo$9mjN8gqjt02hDoP0c2J0ABtLIwtot8cQ'),
        ]

class grub_pbkdf2_sha512_test(HandlerCase):
    handler = hash.grub_pbkdf2_sha512
    known_correct_hashes = [
        #
        # test vectors generated from cmd line tool
        #

        # salt=32 bytes
        (UPASS_WAV,
            'grub.pbkdf2.sha512.10000.BCAC1CEC5E4341C8C511C529'
            '7FA877BE91C2817B32A35A3ECF5CA6B8B257F751.6968526A'
            '2A5B1AEEE0A29A9E057336B48D388FFB3F600233237223C21'
            '04DE1752CEC35B0DD1ED49563398A282C0F471099C2803FBA'
            '47C7919CABC43192C68F60'),

        # salt=64 bytes
        ('toomanysecrets',
            'grub.pbkdf2.sha512.10000.9B436BB6978682363D5C449B'
            'BEAB322676946C632208BC1294D51F47174A9A3B04A7E4785'
            '986CD4EA7470FAB8FE9F6BD522D1FC6C51109A8596FB7AD48'
            '7C4493.0FE5EF169AFFCB67D86E2581B1E251D88C777B98BA'
            '2D3256ECC9F765D84956FC5CA5C4B6FD711AA285F0A04DCF4'
            '634083F9A20F4B6F339A52FBD6BED618E527B'),

        ]

#=============================================================================
# scram hash
#=============================================================================
class scram_test(HandlerCase):
    handler = hash.scram

    # TODO: need a bunch more reference vectors from some real
    # SCRAM transactions.
    known_correct_hashes = [
        #
        # taken from example in SCRAM specification (rfc 5802)
        #
        ('pencil', '$scram$4096$QSXCR.Q6sek8bf92$'
                   'sha-1=HZbuOlKbWl.eR8AfIposuKbhX30'),

        #
        # custom
        #

        # same as 5802 example hash, but with sha-256 & sha-512 added.
        ('pencil', '$scram$4096$QSXCR.Q6sek8bf92$'
                   'sha-1=HZbuOlKbWl.eR8AfIposuKbhX30,'
                   'sha-256=qXUXrlcvnaxxWG00DdRgVioR2gnUpuX5r.3EZ1rdhVY,'
                   'sha-512=lzgniLFcvglRLS0gt.C4gy.NurS3OIOVRAU1zZOV4P.qFiVFO2/'
                       'edGQSu/kD1LwdX0SNV/KsPdHSwEl5qRTuZQ'),

        # test unicode passwords & saslprep (all the passwords below
        # should normalize to the same value: 'IX \xE0')
        (u('IX \xE0'),             '$scram$6400$0BojBCBE6P2/N4bQ$'
                                   'sha-1=YniLes.b8WFMvBhtSACZyyvxeCc'),
        (u('\u2168\u3000a\u0300'), '$scram$6400$0BojBCBE6P2/N4bQ$'
                                   'sha-1=YniLes.b8WFMvBhtSACZyyvxeCc'),
        (u('\u00ADIX \xE0'),       '$scram$6400$0BojBCBE6P2/N4bQ$'
                                   'sha-1=YniLes.b8WFMvBhtSACZyyvxeCc'),
    ]

    known_malformed_hashes = [
        # zero-padding in rounds
        '$scram$04096$QSXCR.Q6sek8bf92$sha-1=HZbuOlKbWl.eR8AfIposuKbhX30',

        # non-digit in rounds
        '$scram$409A$QSXCR.Q6sek8bf92$sha-1=HZbuOlKbWl.eR8AfIposuKbhX30',

        # bad char in salt       ---\/
        '$scram$4096$QSXCR.Q6sek8bf9-$sha-1=HZbuOlKbWl.eR8AfIposuKbhX30',

        # bad char in digest                                       ---\/
        '$scram$4096$QSXCR.Q6sek8bf92$sha-1=HZbuOlKbWl.eR8AfIposuKbhX3-',

        # missing sections
        '$scram$4096$QSXCR.Q6sek8bf92',
        '$scram$4096$QSXCR.Q6sek8bf92$',

        # too many sections
        '$scram$4096$QSXCR.Q6sek8bf92$sha-1=HZbuOlKbWl.eR8AfIposuKbhX30$',

        # missing separator
        '$scram$4096$QSXCR.Q6sek8bf92$sha-1=HZbuOlKbWl.eR8AfIposuKbhX30'
                   'sha-256=qXUXrlcvnaxxWG00DdRgVioR2gnUpuX5r.3EZ1rdhVY',

        # too many chars in alg name
        '$scram$4096$QSXCR.Q6sek8bf92$sha-1=HZbuOlKbWl.eR8AfIposuKbhX30,'
                                 'shaxxx-190=HZbuOlKbWl.eR8AfIposuKbhX30',

        # missing sha-1 alg
        '$scram$4096$QSXCR.Q6sek8bf92$sha-256=HZbuOlKbWl.eR8AfIposuKbhX30',

        # non-iana name
        '$scram$4096$QSXCR.Q6sek8bf92$sha1=HZbuOlKbWl.eR8AfIposuKbhX30',
    ]

    def setUp(self):
        super(scram_test, self).setUp()

        # some platforms lack stringprep (e.g. Jython, IronPython)
        self.require_stringprep()

        # silence norm_hash_name() warning
        warnings.filterwarnings("ignore", r"norm_hash_name\(\): unknown hash")

    def test_90_algs(self):
        """test parsing of 'algs' setting"""
        defaults = dict(salt=b'A'*10, rounds=1000)
        def parse(algs, **kwds):
            for k in defaults:
                kwds.setdefault(k, defaults[k])
            return self.handler(algs=algs, **kwds).algs

        # None -> default list
        self.assertEqual(parse(None, use_defaults=True), hash.scram.default_algs)
        self.assertRaises(TypeError, parse, None)

        # strings should be parsed
        self.assertEqual(parse("sha1"), ["sha-1"])
        self.assertEqual(parse("sha1, sha256, md5"), ["md5","sha-1","sha-256"])

        # lists should be normalized
        self.assertEqual(parse(["sha-1","sha256"]), ["sha-1","sha-256"])

        # sha-1 required
        self.assertRaises(ValueError, parse, ["sha-256"])
        self.assertRaises(ValueError, parse, algs=[], use_defaults=True)

        # alg names must be < 10 chars
        self.assertRaises(ValueError, parse, ["sha-1","shaxxx-190"])

        # alg & checksum mutually exclusive.
        self.assertRaises(RuntimeError, parse, ['sha-1'],
                          checksum={"sha-1": b"\x00"*20})

    def test_90_checksums(self):
        """test internal parsing of 'checksum' keyword"""
        # check non-bytes checksum values are rejected
        self.assertRaises(TypeError, self.handler, use_defaults=True,
                          checksum={'sha-1':  u('X')*20})

        # check sha-1 is required
        self.assertRaises(ValueError, self.handler, use_defaults=True,
                          checksum={'sha-256':  b'X'*32})

        # XXX: anything else that's not tested by the other code already?

    def test_91_extract_digest_info(self):
        """test scram.extract_digest_info()"""
        edi = self.handler.extract_digest_info

        # return appropriate value or throw KeyError
        h = "$scram$10$AAAAAA$sha-1=AQ,bbb=Ag,ccc=Aw"
        s = b'\x00'*4
        self.assertEqual(edi(h,"SHA1"), (s,10, b'\x01'))
        self.assertEqual(edi(h,"bbb"), (s,10, b'\x02'))
        self.assertEqual(edi(h,"ccc"), (s,10, b'\x03'))
        self.assertRaises(KeyError, edi, h, "ddd")

        # config strings should cause value error.
        c = "$scram$10$....$sha-1,bbb,ccc"
        self.assertRaises(ValueError, edi, c, "sha-1")
        self.assertRaises(ValueError, edi, c, "bbb")
        self.assertRaises(ValueError, edi, c, "ddd")

    def test_92_extract_digest_algs(self):
        """test scram.extract_digest_algs()"""
        eda = self.handler.extract_digest_algs

        self.assertEqual(eda('$scram$4096$QSXCR.Q6sek8bf92$'
                   'sha-1=HZbuOlKbWl.eR8AfIposuKbhX30'), ["sha-1"])

        self.assertEqual(eda('$scram$4096$QSXCR.Q6sek8bf92$'
                   'sha-1=HZbuOlKbWl.eR8AfIposuKbhX30', format="hashlib"),
                         ["sha1"])

        self.assertEqual(eda('$scram$4096$QSXCR.Q6sek8bf92$'
                   'sha-1=HZbuOlKbWl.eR8AfIposuKbhX30,'
                   'sha-256=qXUXrlcvnaxxWG00DdRgVioR2gnUpuX5r.3EZ1rdhVY,'
                   'sha-512=lzgniLFcvglRLS0gt.C4gy.NurS3OIOVRAU1zZOV4P.qFiVFO2/'
                       'edGQSu/kD1LwdX0SNV/KsPdHSwEl5qRTuZQ'),
                          ["sha-1","sha-256","sha-512"])

    def test_93_derive_digest(self):
        """test scram.derive_digest()"""
        # NOTE: this just does a light test, since derive_digest
        # is used by hash / verify, and is tested pretty well via those.
        hash = self.handler.derive_digest

        # check various encodings of password work.
        s1 = b'\x01\x02\x03'
        d1 = b'\xb2\xfb\xab\x82[tNuPnI\x8aZZ\x19\x87\xcen\xe9\xd3'
        self.assertEqual(hash(u("\u2168"), s1, 1000, 'sha-1'), d1)
        self.assertEqual(hash(b"\xe2\x85\xa8", s1, 1000, 'SHA-1'), d1)
        self.assertEqual(hash(u("IX"), s1, 1000, 'sha1'), d1)
        self.assertEqual(hash(b"IX", s1, 1000, 'SHA1'), d1)

        # check algs
        self.assertEqual(hash("IX", s1, 1000, 'md5'),
                         b'3\x19\x18\xc0\x1c/\xa8\xbf\xe4\xa3\xc2\x8eM\xe8od')
        self.assertRaises(ValueError, hash, "IX", s1, 1000, 'sha-666')

        # check rounds
        self.assertRaises(ValueError, hash, "IX", s1, 0, 'sha-1')

        # unicode salts accepted as of passlib 1.7 (previous caused TypeError)
        self.assertEqual(hash(u("IX"), s1.decode("latin-1"), 1000, 'sha1'), d1)

    def test_94_saslprep(self):
        """test hash/verify use saslprep"""
        # NOTE: this just does a light test that saslprep() is being
        # called in various places, relying in saslpreps()'s tests
        # to verify full normalization behavior.

        # hash unnormalized
        h = self.do_encrypt(u("I\u00ADX"))
        self.assertTrue(self.do_verify(u("IX"), h))
        self.assertTrue(self.do_verify(u("\u2168"), h))

        # hash normalized
        h = self.do_encrypt(u("\xF3"))
        self.assertTrue(self.do_verify(u("o\u0301"), h))
        self.assertTrue(self.do_verify(u("\u200Do\u0301"), h))

        # throws error if forbidden char provided
        self.assertRaises(ValueError, self.do_encrypt, u("\uFDD0"))
        self.assertRaises(ValueError, self.do_verify, u("\uFDD0"), h)

    def test_94_using_w_default_algs(self, param="default_algs"):
        """using() -- 'default_algs' parameter"""
        # create subclass
        handler = self.handler
        orig = list(handler.default_algs) # in case it's modified in place
        subcls = handler.using(**{param: "sha1,md5"})

        # shouldn't have changed handler
        self.assertEqual(handler.default_algs, orig)

        # should have own set
        self.assertEqual(subcls.default_algs, ["md5", "sha-1"])

        # test hash output
        h1 = subcls.hash("dummy")
        self.assertEqual(handler.extract_digest_algs(h1), ["md5", "sha-1"])

    def test_94_using_w_algs(self):
        """using() -- 'algs' parameter"""
        self.test_94_using_w_default_algs(param="algs")

    def test_94_needs_update_algs(self):
        """needs_update() -- algs setting"""
        handler1 = self.handler.using(algs="sha1,md5")

        # shouldn't need update, has same algs
        h1 = handler1.hash("dummy")
        self.assertFalse(handler1.needs_update(h1))

        # *currently* shouldn't need update, has superset of algs required by handler2
        # (may change this policy)
        handler2 = handler1.using(algs="sha1")
        self.assertFalse(handler2.needs_update(h1))

        # should need update, doesn't have all algs required by handler3
        handler3 = handler1.using(algs="sha1,sha256")
        self.assertTrue(handler3.needs_update(h1))

    def test_95_context_algs(self):
        """test handling of 'algs' in context object"""
        handler = self.handler
        from passlib.context import CryptContext
        c1 = CryptContext(["scram"], scram__algs="sha1,md5")

        h = c1.hash("dummy")
        self.assertEqual(handler.extract_digest_algs(h), ["md5", "sha-1"])
        self.assertFalse(c1.needs_update(h))

        c2 = c1.copy(scram__algs="sha1")
        self.assertFalse(c2.needs_update(h))

        c2 = c1.copy(scram__algs="sha1,sha256")
        self.assertTrue(c2.needs_update(h))

    def test_96_full_verify(self):
        """test verify(full=True) flag"""
        def vpart(s, h):
            return self.handler.verify(s, h)
        def vfull(s, h):
            return self.handler.verify(s, h, full=True)

        # reference
        h = ('$scram$4096$QSXCR.Q6sek8bf92$'
             'sha-1=HZbuOlKbWl.eR8AfIposuKbhX30,'
             'sha-256=qXUXrlcvnaxxWG00DdRgVioR2gnUpuX5r.3EZ1rdhVY,'
             'sha-512=lzgniLFcvglRLS0gt.C4gy.NurS3OIOVRAU1zZOV4P.qFiVFO2/'
                'edGQSu/kD1LwdX0SNV/KsPdHSwEl5qRTuZQ')
        self.assertTrue(vfull('pencil', h))
        self.assertFalse(vfull('tape', h))

        # catch truncated digests.
        h = ('$scram$4096$QSXCR.Q6sek8bf92$'
             'sha-1=HZbuOlKbWl.eR8AfIposuKbhX30,'
             'sha-256=qXUXrlcvnaxxWG00DdRgVioR2gnUpuX5r.3EZ1rdhV,' # -1 char
             'sha-512=lzgniLFcvglRLS0gt.C4gy.NurS3OIOVRAU1zZOV4P.qFiVFO2/'
                'edGQSu/kD1LwdX0SNV/KsPdHSwEl5qRTuZQ')
        self.assertRaises(ValueError, vfull, 'pencil', h)

        # catch padded digests.
        h = ('$scram$4096$QSXCR.Q6sek8bf92$'
             'sha-1=HZbuOlKbWl.eR8AfIposuKbhX30,'
             'sha-256=qXUXrlcvnaxxWG00DdRgVioR2gnUpuX5r.3EZ1rdhVYa,' # +1 char
             'sha-512=lzgniLFcvglRLS0gt.C4gy.NurS3OIOVRAU1zZOV4P.qFiVFO2/'
                'edGQSu/kD1LwdX0SNV/KsPdHSwEl5qRTuZQ')
        self.assertRaises(ValueError, vfull, 'pencil', h)

        # catch hash containing digests belonging to diff passwords.
        # proper behavior for quick-verify (the default) is undefined,
        # but full-verify should throw error.
        h = ('$scram$4096$QSXCR.Q6sek8bf92$'
             'sha-1=HZbuOlKbWl.eR8AfIposuKbhX30,' # 'pencil'
             'sha-256=R7RJDWIbeKRTFwhE9oxh04kab0CllrQ3kCcpZUcligc,' # 'tape'
             'sha-512=lzgniLFcvglRLS0gt.C4gy.NurS3OIOVRAU1zZOV4P.qFiVFO2/' # 'pencil'
                'edGQSu/kD1LwdX0SNV/KsPdHSwEl5qRTuZQ')
        self.assertTrue(vpart('tape', h))
        self.assertFalse(vpart('pencil', h))
        self.assertRaises(ValueError, vfull, 'pencil', h)
        self.assertRaises(ValueError, vfull, 'tape', h)

#=============================================================================
# eof
#=============================================================================
初始化 3 years ago			`"""passlib.tests.test_handlers - tests for passlib hash algorithms"""`
			`#=============================================================================`
			`# imports`
			`#=============================================================================`
			`# core`
			`import logging`
			`log = logging.getLogger(__name__)`
			`import warnings`
			`# site`
			`# pkg`
			`from passlib import hash`
			`from passlib.utils.compat import u`
			`from passlib.tests.utils import TestCase, HandlerCase`
			`from passlib.tests.test_handlers import UPASS_WAV`
			`# module`

			`#=============================================================================`
			`# ldap_pbkdf2_{digest}`
			`#=============================================================================`
			`# NOTE: since these are all wrappers for the pbkdf2_{digest} hasehs,`
			`# they don't extensive separate testing.`

			`class ldap_pbkdf2_test(TestCase):`

			`def test_wrappers(self):`
			`"""test ldap pbkdf2 wrappers"""`

			`self.assertTrue(`
			`hash.ldap_pbkdf2_sha1.verify(`
			`"password",`
			`'{PBKDF2}1212$OB.dtnSEXZK8U5cgxU/GYQ$y5LKPOplRmok7CZp/aqVDVg8zGI',`
			`)`
			`)`

			`self.assertTrue(`
			`hash.ldap_pbkdf2_sha256.verify(`
			`"password",`
			`'{PBKDF2-SHA256}1212$4vjV83LKPjQzk31VI4E0Vw$hsYF68OiOUPdDZ1Fg'`
			`'.fJPeq1h/gXXY7acBp9/6c.tmQ'`
			`)`
			`)`

			`self.assertTrue(`
			`hash.ldap_pbkdf2_sha512.verify(`
			`"password",`
			`'{PBKDF2-SHA512}1212$RHY0Fr3IDMSVO/RSZyb5ow$eNLfBK.eVozomMr.1gYa1'`
			`'7k9B7KIK25NOEshvhrSX.esqY3s.FvWZViXz4KoLlQI.BzY/YTNJOiKc5gBYFYGww'`
			`)`
			`)`

			`#=============================================================================`
			`# pbkdf2 hashes`
			`#=============================================================================`
			`class atlassian_pbkdf2_sha1_test(HandlerCase):`
			`handler = hash.atlassian_pbkdf2_sha1`

			`known_correct_hashes = [`
			`#`
			`# generated using Jira`
			`#`
			`("admin", '{PKCS5S2}c4xaeTQM0lUieMS3V5voiexyX9XhqC2dBd5ecVy60IPksHChwoTAVYFrhsgoq8/p'),`
			`(UPASS_WAV,`
			`"{PKCS5S2}cE9Yq6Am5tQGdHSHhky2XLeOnURwzaLBG2sur7FHKpvy2u0qDn6GcVGRjlmJoIUy"),`
			`]`

			`known_malformed_hashes = [`
			`# bad char ---\/`
			`'{PKCS5S2}c4xaeTQM0lUieMS3V5voiexyX9XhqC2dBd5ecVy!0IPksHChwoTAVYFrhsgoq8/p'`

			`# bad size, missing padding`
			`'{PKCS5S2}c4xaeTQM0lUieMS3V5voiexyX9XhqC2dBd5ecVy60IPksHChwoTAVYFrhsgoq8/'`

			`# bad size, with correct padding`
			`'{PKCS5S2}c4xaeTQM0lUieMS3V5voiexyX9XhqC2dBd5ecVy60IPksHChwoTAVYFrhsgoq8/='`
			`]`

			`class pbkdf2_sha1_test(HandlerCase):`
			`handler = hash.pbkdf2_sha1`
			`known_correct_hashes = [`
			`("password", '$pbkdf2$1212$OB.dtnSEXZK8U5cgxU/GYQ$y5LKPOplRmok7CZp/aqVDVg8zGI'),`
			`(UPASS_WAV,`
			`'$pbkdf2$1212$THDqatpidANpadlLeTeOEg$HV3oi1k5C5LQCgG1BMOL.BX4YZc'),`
			`]`

			`known_malformed_hashes = [`
			`# zero padded rounds field`
			`'$pbkdf2$01212$THDqatpidANpadlLeTeOEg$HV3oi1k5C5LQCgG1BMOL.BX4YZc',`

			`# empty rounds field`
			`'$pbkdf2$$THDqatpidANpadlLeTeOEg$HV3oi1k5C5LQCgG1BMOL.BX4YZc',`

			`# too many field`
			`'$pbkdf2$1212$THDqatpidANpadlLeTeOEg$HV3oi1k5C5LQCgG1BMOL.BX4YZc$',`
			`]`

			`class pbkdf2_sha256_test(HandlerCase):`
			`handler = hash.pbkdf2_sha256`
			`known_correct_hashes = [`
			`("password",`
			`'$pbkdf2-sha256$1212$4vjV83LKPjQzk31VI4E0Vw$hsYF68OiOUPdDZ1Fg.fJPeq1h/gXXY7acBp9/6c.tmQ'`
			`),`
			`(UPASS_WAV,`
			`'$pbkdf2-sha256$1212$3SABFJGDtyhrQMVt1uABPw$WyaUoqCLgvz97s523nF4iuOqZNbp5Nt8do/cuaa7AiI'`
			`),`
			`]`

			`class pbkdf2_sha512_test(HandlerCase):`
			`handler = hash.pbkdf2_sha512`
			`known_correct_hashes = [`
			`("password",`
			`'$pbkdf2-sha512$1212$RHY0Fr3IDMSVO/RSZyb5ow$eNLfBK.eVozomMr.1gYa1'`
			`'7k9B7KIK25NOEshvhrSX.esqY3s.FvWZViXz4KoLlQI.BzY/YTNJOiKc5gBYFYGww'`
			`),`
			`(UPASS_WAV,`
			`'$pbkdf2-sha512$1212$KkbvoKGsAIcF8IslDR6skQ$8be/PRmd88Ps8fmPowCJt'`
			`'tH9G3vgxpG.Krjt3KT.NP6cKJ0V4Prarqf.HBwz0dCkJ6xgWnSj2ynXSV7MlvMa8Q'`
			`),`
			`]`

			`class cta_pbkdf2_sha1_test(HandlerCase):`
			`handler = hash.cta_pbkdf2_sha1`
			`known_correct_hashes = [`
			`#`
			`# test vectors from original implementation`
			`#`
			`(u("hashy the \N{SNOWMAN}"), '$p5k2$1000$ZxK4ZBJCfQg=$jJZVscWtO--p1-xIZl6jhO2LKR0='),`

			`#`
			`# custom`
			`#`
			`("password", "$p5k2$1$$h1TDLGSw9ST8UMAPeIE13i0t12c="),`
			`(UPASS_WAV,`
			`"$p5k2$4321$OTg3NjU0MzIx$jINJrSvZ3LXeIbUdrJkRpN62_WQ="),`
			`]`

			`class dlitz_pbkdf2_sha1_test(HandlerCase):`
			`handler = hash.dlitz_pbkdf2_sha1`
			`known_correct_hashes = [`
			`#`
			`# test vectors from original implementation`
			`#`
			`('cloadm', '$p5k2$$exec$r1EWMCMk7Rlv3L/RNcFXviDefYa0hlql'),`
			`('gnu', '$p5k2$c$u9HvcT4d$Sd1gwSVCLZYAuqZ25piRnbBEoAesaa/g'),`
			`('dcl', '$p5k2$d$tUsch7fU$nqDkaxMDOFBeJsTSfABsyn.PYUXilHwL'),`
			`('spam', '$p5k2$3e8$H0NX9mT/$wk/sE8vv6OMKuMaqazCJYDSUhWY9YB2J'),`
			`(UPASS_WAV,`
			`'$p5k2$$KosHgqNo$9mjN8gqjt02hDoP0c2J0ABtLIwtot8cQ'),`
			`]`

			`class grub_pbkdf2_sha512_test(HandlerCase):`
			`handler = hash.grub_pbkdf2_sha512`
			`known_correct_hashes = [`
			`#`
			`# test vectors generated from cmd line tool`
			`#`

			`# salt=32 bytes`
			`(UPASS_WAV,`
			`'grub.pbkdf2.sha512.10000.BCAC1CEC5E4341C8C511C529'`
			`'7FA877BE91C2817B32A35A3ECF5CA6B8B257F751.6968526A'`
			`'2A5B1AEEE0A29A9E057336B48D388FFB3F600233237223C21'`
			`'04DE1752CEC35B0DD1ED49563398A282C0F471099C2803FBA'`
			`'47C7919CABC43192C68F60'),`

			`# salt=64 bytes`
			`('toomanysecrets',`
			`'grub.pbkdf2.sha512.10000.9B436BB6978682363D5C449B'`
			`'BEAB322676946C632208BC1294D51F47174A9A3B04A7E4785'`
			`'986CD4EA7470FAB8FE9F6BD522D1FC6C51109A8596FB7AD48'`
			`'7C4493.0FE5EF169AFFCB67D86E2581B1E251D88C777B98BA'`
			`'2D3256ECC9F765D84956FC5CA5C4B6FD711AA285F0A04DCF4'`
			`'634083F9A20F4B6F339A52FBD6BED618E527B'),`

			`]`

			`#=============================================================================`
			`# scram hash`
			`#=============================================================================`
			`class scram_test(HandlerCase):`
			`handler = hash.scram`

			`# TODO: need a bunch more reference vectors from some real`
			`# SCRAM transactions.`
			`known_correct_hashes = [`
			`#`
			`# taken from example in SCRAM specification (rfc 5802)`
			`#`
			`('pencil', '$scram$4096$QSXCR.Q6sek8bf92$'`
			`'sha-1=HZbuOlKbWl.eR8AfIposuKbhX30'),`

			`#`
			`# custom`
			`#`

			`# same as 5802 example hash, but with sha-256 & sha-512 added.`
			`('pencil', '$scram$4096$QSXCR.Q6sek8bf92$'`
			`'sha-1=HZbuOlKbWl.eR8AfIposuKbhX30,'`
			`'sha-256=qXUXrlcvnaxxWG00DdRgVioR2gnUpuX5r.3EZ1rdhVY,'`
			`'sha-512=lzgniLFcvglRLS0gt.C4gy.NurS3OIOVRAU1zZOV4P.qFiVFO2/'`
			`'edGQSu/kD1LwdX0SNV/KsPdHSwEl5qRTuZQ'),`

			`# test unicode passwords & saslprep (all the passwords below`
			`# should normalize to the same value: 'IX \xE0')`
			`(u('IX \xE0'), '$scram$6400$0BojBCBE6P2/N4bQ$'`
			`'sha-1=YniLes.b8WFMvBhtSACZyyvxeCc'),`
			`(u('\u2168\u3000a\u0300'), '$scram$6400$0BojBCBE6P2/N4bQ$'`
			`'sha-1=YniLes.b8WFMvBhtSACZyyvxeCc'),`
			`(u('\u00ADIX \xE0'), '$scram$6400$0BojBCBE6P2/N4bQ$'`
			`'sha-1=YniLes.b8WFMvBhtSACZyyvxeCc'),`
			`]`

			`known_malformed_hashes = [`
			`# zero-padding in rounds`
			`'$scram$04096$QSXCR.Q6sek8bf92$sha-1=HZbuOlKbWl.eR8AfIposuKbhX30',`

			`# non-digit in rounds`
			`'$scram$409A$QSXCR.Q6sek8bf92$sha-1=HZbuOlKbWl.eR8AfIposuKbhX30',`

			`# bad char in salt ---\/`
			`'$scram$4096$QSXCR.Q6sek8bf9-$sha-1=HZbuOlKbWl.eR8AfIposuKbhX30',`

			`# bad char in digest ---\/`
			`'$scram$4096$QSXCR.Q6sek8bf92$sha-1=HZbuOlKbWl.eR8AfIposuKbhX3-',`

			`# missing sections`
			`'$scram$4096$QSXCR.Q6sek8bf92',`
			`'$scram$4096$QSXCR.Q6sek8bf92$',`

			`# too many sections`
			`'$scram$4096$QSXCR.Q6sek8bf92$sha-1=HZbuOlKbWl.eR8AfIposuKbhX30$',`

			`# missing separator`
			`'$scram$4096$QSXCR.Q6sek8bf92$sha-1=HZbuOlKbWl.eR8AfIposuKbhX30'`
			`'sha-256=qXUXrlcvnaxxWG00DdRgVioR2gnUpuX5r.3EZ1rdhVY',`

			`# too many chars in alg name`
			`'$scram$4096$QSXCR.Q6sek8bf92$sha-1=HZbuOlKbWl.eR8AfIposuKbhX30,'`
			`'shaxxx-190=HZbuOlKbWl.eR8AfIposuKbhX30',`

			`# missing sha-1 alg`
			`'$scram$4096$QSXCR.Q6sek8bf92$sha-256=HZbuOlKbWl.eR8AfIposuKbhX30',`

			`# non-iana name`
			`'$scram$4096$QSXCR.Q6sek8bf92$sha1=HZbuOlKbWl.eR8AfIposuKbhX30',`
			`]`

			`def setUp(self):`
			`super(scram_test, self).setUp()`

			`# some platforms lack stringprep (e.g. Jython, IronPython)`
			`self.require_stringprep()`

			`# silence norm_hash_name() warning`
			`warnings.filterwarnings("ignore", r"norm_hash_name\(\): unknown hash")`

			`def test_90_algs(self):`
			`"""test parsing of 'algs' setting"""`
			`defaults = dict(salt=b'A'*10, rounds=1000)`
			`def parse(algs, **kwds):`
			`for k in defaults:`
			`kwds.setdefault(k, defaults[k])`
			`return self.handler(algs=algs, **kwds).algs`

			`# None -> default list`
			`self.assertEqual(parse(None, use_defaults=True), hash.scram.default_algs)`
			`self.assertRaises(TypeError, parse, None)`

			`# strings should be parsed`
			`self.assertEqual(parse("sha1"), ["sha-1"])`
			`self.assertEqual(parse("sha1, sha256, md5"), ["md5","sha-1","sha-256"])`

			`# lists should be normalized`
			`self.assertEqual(parse(["sha-1","sha256"]), ["sha-1","sha-256"])`

			`# sha-1 required`
			`self.assertRaises(ValueError, parse, ["sha-256"])`
			`self.assertRaises(ValueError, parse, algs=[], use_defaults=True)`

			`# alg names must be < 10 chars`
			`self.assertRaises(ValueError, parse, ["sha-1","shaxxx-190"])`

			`# alg & checksum mutually exclusive.`
			`self.assertRaises(RuntimeError, parse, ['sha-1'],`
			`checksum={"sha-1": b"\x00"*20})`

			`def test_90_checksums(self):`
			`"""test internal parsing of 'checksum' keyword"""`
			`# check non-bytes checksum values are rejected`
			`self.assertRaises(TypeError, self.handler, use_defaults=True,`
			`checksum={'sha-1': u('X')*20})`

			`# check sha-1 is required`
			`self.assertRaises(ValueError, self.handler, use_defaults=True,`
			`checksum={'sha-256': b'X'*32})`

			`# XXX: anything else that's not tested by the other code already?`

			`def test_91_extract_digest_info(self):`
			`"""test scram.extract_digest_info()"""`
			`edi = self.handler.extract_digest_info`

			`# return appropriate value or throw KeyError`
			`h = "$scram$10$AAAAAA$sha-1=AQ,bbb=Ag,ccc=Aw"`
			`s = b'\x00'*4`
			`self.assertEqual(edi(h,"SHA1"), (s,10, b'\x01'))`
			`self.assertEqual(edi(h,"bbb"), (s,10, b'\x02'))`
			`self.assertEqual(edi(h,"ccc"), (s,10, b'\x03'))`
			`self.assertRaises(KeyError, edi, h, "ddd")`

			`# config strings should cause value error.`
			`c = "$scram$10$....$sha-1,bbb,ccc"`
			`self.assertRaises(ValueError, edi, c, "sha-1")`
			`self.assertRaises(ValueError, edi, c, "bbb")`
			`self.assertRaises(ValueError, edi, c, "ddd")`

			`def test_92_extract_digest_algs(self):`
			`"""test scram.extract_digest_algs()"""`
			`eda = self.handler.extract_digest_algs`

			`self.assertEqual(eda('$scram$4096$QSXCR.Q6sek8bf92$'`
			`'sha-1=HZbuOlKbWl.eR8AfIposuKbhX30'), ["sha-1"])`

			`self.assertEqual(eda('$scram$4096$QSXCR.Q6sek8bf92$'`
			`'sha-1=HZbuOlKbWl.eR8AfIposuKbhX30', format="hashlib"),`
			`["sha1"])`

			`self.assertEqual(eda('$scram$4096$QSXCR.Q6sek8bf92$'`
			`'sha-1=HZbuOlKbWl.eR8AfIposuKbhX30,'`
			`'sha-256=qXUXrlcvnaxxWG00DdRgVioR2gnUpuX5r.3EZ1rdhVY,'`
			`'sha-512=lzgniLFcvglRLS0gt.C4gy.NurS3OIOVRAU1zZOV4P.qFiVFO2/'`
			`'edGQSu/kD1LwdX0SNV/KsPdHSwEl5qRTuZQ'),`
			`["sha-1","sha-256","sha-512"])`

			`def test_93_derive_digest(self):`
			`"""test scram.derive_digest()"""`
			`# NOTE: this just does a light test, since derive_digest`
			`# is used by hash / verify, and is tested pretty well via those.`
			`hash = self.handler.derive_digest`

			`# check various encodings of password work.`
			`s1 = b'\x01\x02\x03'`
			`d1 = b'\xb2\xfb\xab\x82[tNuPnI\x8aZZ\x19\x87\xcen\xe9\xd3'`
			`self.assertEqual(hash(u("\u2168"), s1, 1000, 'sha-1'), d1)`
			`self.assertEqual(hash(b"\xe2\x85\xa8", s1, 1000, 'SHA-1'), d1)`
			`self.assertEqual(hash(u("IX"), s1, 1000, 'sha1'), d1)`
			`self.assertEqual(hash(b"IX", s1, 1000, 'SHA1'), d1)`

			`# check algs`
			`self.assertEqual(hash("IX", s1, 1000, 'md5'),`
			`b'3\x19\x18\xc0\x1c/\xa8\xbf\xe4\xa3\xc2\x8eM\xe8od')`
			`self.assertRaises(ValueError, hash, "IX", s1, 1000, 'sha-666')`

			`# check rounds`
			`self.assertRaises(ValueError, hash, "IX", s1, 0, 'sha-1')`

			`# unicode salts accepted as of passlib 1.7 (previous caused TypeError)`
			`self.assertEqual(hash(u("IX"), s1.decode("latin-1"), 1000, 'sha1'), d1)`

			`def test_94_saslprep(self):`
			`"""test hash/verify use saslprep"""`
			`# NOTE: this just does a light test that saslprep() is being`
			`# called in various places, relying in saslpreps()'s tests`
			`# to verify full normalization behavior.`

			`# hash unnormalized`
			`h = self.do_encrypt(u("I\u00ADX"))`
			`self.assertTrue(self.do_verify(u("IX"), h))`
			`self.assertTrue(self.do_verify(u("\u2168"), h))`

			`# hash normalized`
			`h = self.do_encrypt(u("\xF3"))`
			`self.assertTrue(self.do_verify(u("o\u0301"), h))`
			`self.assertTrue(self.do_verify(u("\u200Do\u0301"), h))`

			`# throws error if forbidden char provided`
			`self.assertRaises(ValueError, self.do_encrypt, u("\uFDD0"))`
			`self.assertRaises(ValueError, self.do_verify, u("\uFDD0"), h)`

			`def test_94_using_w_default_algs(self, param="default_algs"):`
			`"""using() -- 'default_algs' parameter"""`
			`# create subclass`
			`handler = self.handler`
			`orig = list(handler.default_algs) # in case it's modified in place`
			`subcls = handler.using(**{param: "sha1,md5"})`

			`# shouldn't have changed handler`
			`self.assertEqual(handler.default_algs, orig)`

			`# should have own set`
			`self.assertEqual(subcls.default_algs, ["md5", "sha-1"])`

			`# test hash output`
			`h1 = subcls.hash("dummy")`
			`self.assertEqual(handler.extract_digest_algs(h1), ["md5", "sha-1"])`

			`def test_94_using_w_algs(self):`
			`"""using() -- 'algs' parameter"""`
			`self.test_94_using_w_default_algs(param="algs")`

			`def test_94_needs_update_algs(self):`
			`"""needs_update() -- algs setting"""`
			`handler1 = self.handler.using(algs="sha1,md5")`

			`# shouldn't need update, has same algs`
			`h1 = handler1.hash("dummy")`
			`self.assertFalse(handler1.needs_update(h1))`

			`# currently shouldn't need update, has superset of algs required by handler2`
			`# (may change this policy)`
			`handler2 = handler1.using(algs="sha1")`
			`self.assertFalse(handler2.needs_update(h1))`

			`# should need update, doesn't have all algs required by handler3`
			`handler3 = handler1.using(algs="sha1,sha256")`
			`self.assertTrue(handler3.needs_update(h1))`

			`def test_95_context_algs(self):`
			`"""test handling of 'algs' in context object"""`
			`handler = self.handler`
			`from passlib.context import CryptContext`
			`c1 = CryptContext(["scram"], scram__algs="sha1,md5")`

			`h = c1.hash("dummy")`
			`self.assertEqual(handler.extract_digest_algs(h), ["md5", "sha-1"])`
			`self.assertFalse(c1.needs_update(h))`

			`c2 = c1.copy(scram__algs="sha1")`
			`self.assertFalse(c2.needs_update(h))`

			`c2 = c1.copy(scram__algs="sha1,sha256")`
			`self.assertTrue(c2.needs_update(h))`

			`def test_96_full_verify(self):`
			`"""test verify(full=True) flag"""`
			`def vpart(s, h):`
			`return self.handler.verify(s, h)`
			`def vfull(s, h):`
			`return self.handler.verify(s, h, full=True)`

			`# reference`
			`h = ('$scram$4096$QSXCR.Q6sek8bf92$'`
			`'sha-1=HZbuOlKbWl.eR8AfIposuKbhX30,'`
			`'sha-256=qXUXrlcvnaxxWG00DdRgVioR2gnUpuX5r.3EZ1rdhVY,'`
			`'sha-512=lzgniLFcvglRLS0gt.C4gy.NurS3OIOVRAU1zZOV4P.qFiVFO2/'`
			`'edGQSu/kD1LwdX0SNV/KsPdHSwEl5qRTuZQ')`
			`self.assertTrue(vfull('pencil', h))`
			`self.assertFalse(vfull('tape', h))`

			`# catch truncated digests.`
			`h = ('$scram$4096$QSXCR.Q6sek8bf92$'`
			`'sha-1=HZbuOlKbWl.eR8AfIposuKbhX30,'`
			`'sha-256=qXUXrlcvnaxxWG00DdRgVioR2gnUpuX5r.3EZ1rdhV,' # -1 char`
			`'sha-512=lzgniLFcvglRLS0gt.C4gy.NurS3OIOVRAU1zZOV4P.qFiVFO2/'`
			`'edGQSu/kD1LwdX0SNV/KsPdHSwEl5qRTuZQ')`
			`self.assertRaises(ValueError, vfull, 'pencil', h)`

			`# catch padded digests.`
			`h = ('$scram$4096$QSXCR.Q6sek8bf92$'`
			`'sha-1=HZbuOlKbWl.eR8AfIposuKbhX30,'`
			`'sha-256=qXUXrlcvnaxxWG00DdRgVioR2gnUpuX5r.3EZ1rdhVYa,' # +1 char`
			`'sha-512=lzgniLFcvglRLS0gt.C4gy.NurS3OIOVRAU1zZOV4P.qFiVFO2/'`
			`'edGQSu/kD1LwdX0SNV/KsPdHSwEl5qRTuZQ')`
			`self.assertRaises(ValueError, vfull, 'pencil', h)`

			`# catch hash containing digests belonging to diff passwords.`
			`# proper behavior for quick-verify (the default) is undefined,`
			`# but full-verify should throw error.`
			`h = ('$scram$4096$QSXCR.Q6sek8bf92$'`
			`'sha-1=HZbuOlKbWl.eR8AfIposuKbhX30,' # 'pencil'`
			`'sha-256=R7RJDWIbeKRTFwhE9oxh04kab0CllrQ3kCcpZUcligc,' # 'tape'`
			`'sha-512=lzgniLFcvglRLS0gt.C4gy.NurS3OIOVRAU1zZOV4P.qFiVFO2/' # 'pencil'`
			`'edGQSu/kD1LwdX0SNV/KsPdHSwEl5qRTuZQ')`
			`self.assertTrue(vpart('tape', h))`
			`self.assertFalse(vpart('pencil', h))`
			`self.assertRaises(ValueError, vfull, 'pencil', h)`
			`self.assertRaises(ValueError, vfull, 'tape', h)`

			`#=============================================================================`
			`# eof`
			`#=============================================================================`