Restrict scram algorithms to IANA Hash Function Textual Names (sasl.scram)

2019-02-06 22:28:50 +00:00 · 2019-02-06 22:28:50 +00:00 · 50a8de2792
commit 50a8de2792
parent 4e3e782519
2 changed files with 11 additions and 2 deletions
--- a/modules/sasl/init.py
+++ b/modules/sasl/init.py
@ -70,7 +70,7 @@ class Module(ModuleManager.BaseModule):

                # create SCRAM helper
                sasl_username, sasl_password = sasl["args"].split(":", 1)
-                algo = mechanism.split("SCRAM-", 1)[1].replace("-", "")
+                algo = mechanism.split("SCRAM-", 1)[1]
                event["server"]._scram = scram.SCRAM(
                    algo, sasl_username, sasl_password)

--- a/modules/sasl/scram.py
+++ b/modules/sasl/scram.py
@ -1,5 +1,11 @@
 import base64, enum, hashlib, hmac, os, typing

+# IANA Hash Function Textual Names
+# https://tools.ietf.org/html/rfc5802#section-4
+# https://www.iana.org/assignments/hash-function-text-names/
+ALGORITHMS = [
+    "MD2", "MD5", "SHA-1", "SHA-224", "SHA-256", "SHA-384", "SHA-512"]
+
 def _scram_nonce() -> bytes:
    return base64.b64encode(os.urandom(32))
 def _scram_escape(s: bytes) -> bytes:
@ -22,7 +28,10 @@ class SCRAMError(Exception):

 class SCRAM(object):
    def __init__(self, algo, username, password):
-        self._algo = algo
+        if not algo in ALGORITHMS:
+            raise ValueError("Unknown SCRAM algorithm '%s'" % algo)
+
+        self._algo = algo.replace("-", "") # SHA-1 -> SHA1
        self._username = username.encode("utf8")
        self._password = password.encode("utf8")