| author | 2019-02-06 22:28:50 +0000 | |
|---|---|---|
| committer | 2019-02-06 22:28:50 +0000 | |
| commit | 50a8de2792648301fff77c26ecd4cbda48c58421 (patch) | |
| tree | 22783b401f399232105f27451f56d47efb0e04be /modules | |
| parent | Remove pointless local auth_message variable (sasl.scram) (diff) | |
| signature | ||
Restrict scram algorithms to IANA Hash Function Textual Names (sasl.scram)
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/sasl/__init__.py | 2 | ||||
| -rw-r--r-- | modules/sasl/scram.py | 11 |
2 files changed, 11 insertions, 2 deletions
diff --git a/modules/sasl/__init__.py b/modules/sasl/__init__.py
index 40604c38..67126155 100644
--- a/modules/sasl/__init__.py
+++ b/modules/sasl/__init__.py
@@ -70,7 +70,7 @@ class Module(ModuleManager.BaseModule):
# create SCRAM helper
sasl_username, sasl_password = sasl["args"].split(":", 1)
- algo = mechanism.split("SCRAM-", 1)[1].replace("-", "")
+ algo = mechanism.split("SCRAM-", 1)[1]
event["server"]._scram = scram.SCRAM(
algo, sasl_username, sasl_password)
diff --git a/modules/sasl/scram.py b/modules/sasl/scram.py
index 9756d7cf..2f66e44d 100644
--- a/modules/sasl/scram.py
+++ b/modules/sasl/scram.py
@@ -1,5 +1,11 @@
import base64, enum, hashlib, hmac, os, typing
+# IANA Hash Function Textual Names
+# https://tools.ietf.org/html/rfc5802#section-4
+# https://www.iana.org/assignments/hash-function-text-names/
+ALGORITHMS = [
+ "MD2", "MD5", "SHA-1", "SHA-224", "SHA-256", "SHA-384", "SHA-512"]
+
def _scram_nonce() -> bytes:
return base64.b64encode(os.urandom(32))
def _scram_escape(s: bytes) -> bytes:
@@ -22,7 +28,10 @@ class SCRAMError(Exception):
class SCRAM(object):
def __init__(self, algo, username, password):
- self._algo = algo
+ if not algo in ALGORITHMS:
+ raise ValueError("Unknown SCRAM algorithm '%s'" % algo)
+
+ self._algo = algo.replace("-", "") # SHA-1 -> SHA1
self._username = username.encode("utf8")
self._password = password.encode("utf8")
|
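Review bot: With the dash-stripping moved into scram.SCRAM, the constructor call on the `event["server"]._scram = scram.SCRAM(` line can now raise ValueError for any mechanism suffix that is not in scram.ALGORITHMS (a channel-binding variant, for instance, leaves `algo` as something like "SHA-256-PLUS"), and nothing in this hunk catches it, so an unsupported mechanism would surface as an unhandled exception rather than a clear setup failure. Consider wrapping the call in `try: ... except ValueError as e:` and reporting it the way the module reports other SASL configuration problems, if such a path exists. Where `mechanism` comes from and whether it is validated earlier is outside the hunk, and the enclosing method continues past the hunk's last line.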
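Review bot: ALGORITHMS admits names the standard library cannot back — hashlib ships no MD2 implementation — so the membership check this commit adds in SCRAM.__init__ accepts "MD2" and the failure merely moves to wherever the digest is first requested, which is outside this hunk. Since hashlib is already imported on the line above, the list could be derived from what is actually available: `_IANA_NAMES = ("MD2", "MD5", "SHA-1", "SHA-224", "SHA-256", "SHA-384", "SHA-512")` followed by `ALGORITHMS = [n for n in _IANA_NAMES if n.replace("-", "").lower() in hashlib.algorithms_available]`. The SCRAM mechanisms in common deployment are SCRAM-SHA-1 (RFC 5802, linked in the comment) and SCRAM-SHA-256 (RFC 7677), so a narrower list than the full IANA registry would also be defensible; a comment stating which names the servers this module talks to are expected to offer would help the next reader. A tuple or frozenset would also express better than a list that this is a fixed membership set.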
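Review bot: The new guard `if not algo in ALGORITHMS:` should be written `if algo not in ALGORITHMS:` — the idiomatic form (PEP 8, flake8 E713) reads as the membership test it is rather than as a negation applied to `algo`. It is good that the check runs before `self._algo` is assigned, so a rejected value never reaches the normalised form. `__init__` may continue past the hunk's last line.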
