authorGravatar jesopo2019-02-06 22:28:50 +0000
committerGravatar jesopo2019-02-06 22:28:50 +0000
commit50a8de2792648301fff77c26ecd4cbda48c58421 (patch)
tree22783b401f399232105f27451f56d47efb0e04be
parentRemove pointless local auth_message variable (sasl.scram) (diff)
signature
Restrict scram algorithms to IANA Hash Function Textual Names (sasl.scram)
-rw-r--r--modules/sasl/__init__.py2
-rw-r--r--modules/sasl/scram.py11
2 files changed, 11 insertions, 2 deletions
diff --git a/modules/sasl/__init__.py b/modules/sasl/__init__.py
index 40604c38..67126155 100644
--- a/modules/sasl/__init__.py
+++ b/modules/sasl/__init__.py
@@ -70,7 +70,7 @@ class Module(ModuleManager.BaseModule):
# create SCRAM helper
sasl_username, sasl_password = sasl["args"].split(":", 1)
- algo = mechanism.split("SCRAM-", 1)[1].replace("-", "")
+ algo = mechanism.split("SCRAM-", 1)[1]
event["server"]._scram = scram.SCRAM(
algo, sasl_username, sasl_password)
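Review bot: The ValueError that scram.SCRAM() now raises for an algorithm outside its whitelist is not handled at this call site as far as the hunk shows, so a mechanism string with an unlisted suffix would propagate out of the handler instead of surfacing as a configuration problem. Consider wrapping the construction in `try: ... except ValueError as e:` and reporting the bad mechanism the way the module reports other SASL configuration errors, then returning before SASL is attempted. The enclosing method of Module starts and ends outside the hunk, so how (or whether) exceptions from this block are caught further up cannot be confirmed here.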
diff --git a/modules/sasl/scram.py b/modules/sasl/scram.py
index 9756d7cf..2f66e44d 100644
--- a/modules/sasl/scram.py
+++ b/modules/sasl/scram.py
@@ -1,5 +1,11 @@
import base64, enum, hashlib, hmac, os, typing
+# IANA Hash Function Textual Names
+# https://tools.ietf.org/html/rfc5802#section-4
+# https://www.iana.org/assignments/hash-function-text-names/
+ALGORITHMS = [
+ "MD2", "MD5", "SHA-1", "SHA-224", "SHA-256", "SHA-384", "SHA-512"]
+
def _scram_nonce() -> bytes:
return base64.b64encode(os.urandom(32))
def _scram_escape(s: bytes) -> bytes:
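Review bot: ALGORITHMS reproduces the IANA registry rather than the set of digests this code can actually run, so the new construction-time check in SCRAM.__init__ still accepts names hashlib cannot provide (`MD2` has no hashlib implementation on standard builds) and names for which no SCRAM mechanism is defined (`MD2`, `MD5`); such a value passes validation and fails only at the first hash call. If the list is meant as a real allow-list, restrict it at import time to what hashlib supports, e.g. `ALGORITHMS = tuple(a for a in ("SHA-1", "SHA-224", "SHA-256", "SHA-384", "SHA-512") if a.replace("-", "").lower() in hashlib.algorithms_available)`, and make it a tuple or frozenset so it is not mutated at runtime; otherwise extend the comment to say the list is the registry of textual names, not the supported set. That the name is later handed to hashlib as a string is inferred from the `replace("-", "")  # SHA-1 -> SHA1` in __init__ and is not visible in this hunk.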
@@ -22,7 +28,10 @@ class SCRAMError(Exception):
class SCRAM(object):
def __init__(self, algo, username, password):
- self._algo = algo
+ if not algo in ALGORITHMS:
+ raise ValueError("Unknown SCRAM algorithm '%s'" % algo)
+
+ self._algo = algo.replace("-", "") # SHA-1 -> SHA1
self._username = username.encode("utf8")
self._password = password.encode("utf8")