File: passlib.hash.oracle11.rst

package info (click to toggle)
python-passlib 1.7.4-6
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 3,920 kB
  • sloc: python: 23,094; makefile: 3
file content (78 lines) | stat: -rw-r--r-- 2,865 bytes parent folder | download | duplicates (4) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
 
==================================================================
:class:`passlib.hash.oracle11` - Oracle 11g password hash
==================================================================

.. currentmodule:: passlib.hash

This class implements the hash algorithm introduced in version 11g of the Oracle Database.
It supersedes the :class:`Oracle 10 <passlib.hash.oracle10>` password hash.
This class can be can be used directly as follows::

    >>> from passlib.hash import oracle11 as oracle11

    >>> # generate new salt, hash password
    >>> hash = oracle11.hash("password")
    >>> hash
    'S:4143053633E59B4992A8EA17D2FF542C9EDEB335C886EED9C80450C1B4E6'

    >>> # verify password
    >>> oracle11.verify("password", hash)
    True
    >>> oracle11.verify("secret", hash)
    False

.. seealso:: the generic :ref:`PasswordHash usage examples <password-hash-examples>`

.. warning::

    This implementation has not been compared
    very carefully against the official implementation or reference documentation,
    and its behavior may not match under various border cases.
    *caveat emptor*.

Interface
=========
.. autoclass:: oracle11()

Format & Algorithm
==================
An example oracle11 hash (of the string ``password``) is:

    ``S:4143053633E59B4992A8EA17D2FF542C9EDEB335C886EED9C80450C1B4E6``

An oracle11 hash string has the format :samp:`S:{checksum}{salt}`, where:

* ``S:`` is the prefix used to identify oracle11 hashes
  (as distinct from oracle10 hashes, which have no constant prefix).
* :samp:`{checksum}` is 40 hexadecimal characters;
  encoding a 160-bit checksum.

  (``4143053633E59B4992A8EA17D2FF542C9EDEB335`` in the example)

* :samp:`{salt}` is 20 hexadecimal characters;
  providing a 80-bit salt (``C886EED9C80450C1B4E6`` in the example).

The Oracle 11 hash has a very simple algorithm: The salt is decoded
from its hexadecimal representation into binary, and the SHA-1 digest
of :samp:`{password}{raw_salt}` is then encoded into hexadecimal, and returned as the checksum.

Deviations
==========
Passlib's implementation of the Oracle11g hash may deviate from the official
implementation in unknown ways, as there is no official documentation.
There is only one known issue:

* Unicode Policy

  Lack of testing (and test vectors) leaves it unclear
  as to how Oracle 11g handles passwords containing non-7bit ascii.
  In order to provide support for unicode strings,
  Passlib will encode unicode passwords using ``utf-8``
  before running them through Oracle11.
  This behavior may be altered in the future, if further testing
  reveals another behavior is more in line with the official representation.

.. rubric:: Footnotes

.. [#] Description of Oracle10g and Oracle11g algorithms -
       `<http://www.notesbit.com/index.php/scripts-oracle/oracle-11g-new-password-algorithm-is-revealed-by-seclistsorg/>`_.