Upgrade Mumble password hashing to bcrypt (#671)

Added transition to bcrypt-sha256 hashing for mumble passwords. All new passwords will be hashed by bcrypt-sha256. The existing SHA-1 hashes will continue to work as a fallback for legacy password hashes.
2026-02-08 08:06:20 +01:00 · 2017-01-26 06:10:07 +10:00
parent 11d52d476c
commit 2c68f485e2
5 changed files with 70 additions and 33 deletions
--- a/thirdparty/Mumble/authenticator.py
+++ b/thirdparty/Mumble/authenticator.py
@@ -70,6 +70,8 @@ try:
 except ImportError:  # python 2.4 compat
    from sha import sha as sha1

+from passlib.hash import bcrypt_sha256
+

 def eprint(*args, **kwargs):
    print(*args, file=sys.stderr, **kwargs)
@@ -521,7 +523,10 @@ def do_main_program():
                return (FALL_THROUGH, None, None)

            try:
-                sql = 'SELECT id, pwhash, groups FROM %smumble_mumbleuser WHERE username = %%s' % cfg.database.prefix
+                sql = 'SELECT id, pwhash, groups, hashfn ' \
+                      'FROM %smumble_mumbleuser ' \
+                      'WHERE username = %%s' % cfg.database.prefix
+
                cur = threadDB.execute(sql, [name])
            except threadDbException:
                return (FALL_THROUGH, None, None)
@@ -532,14 +537,16 @@ def do_main_program():
                info('Fall through for unknown user "%s"', name)
                return (FALL_THROUGH, None, None)

-            uid, upwhash, ugroups = res
+            uid, upwhash, ugroups, uhashfn = res

            if ugroups:
                groups = ugroups.split(',')
            else:
                groups = []

-            if allianceauth_check_hash(pw, upwhash):
+            debug('checking password with hash function: %s' % uhashfn)
+
+            if allianceauth_check_hash(pw, upwhash, uhashfn):
                info('User authenticated: "%s" (%d)', name, uid + cfg.user.id_offset)
                debug('Group memberships: %s', str(groups))
                return (uid + cfg.user.id_offset, entity_decode(name), groups)
@@ -745,14 +752,20 @@ def do_main_program():
    info('Shutdown complete')


-#
-# --- Python implementation of the AllianceAuth MumbleUser hash function
-#
-def allianceauth_check_hash(password, hash):
+def allianceauth_check_hash(password, hash, hash_type):
    """
-    Python implementation of the smf check hash function
+    Python implementation of the AllianceAuth MumbleUser hash function
+    :param password: Password to be verified
+    :param hash: Hash for the password to be checked against
+    :param hash_type: Hashing function originally used to generate the hash
    """
-    return sha1(password).hexdigest() == hash
+    if hash_type == 'sha1':
+        return sha1(password).hexdigest() == hash
+    elif hash_type == 'bcrypt-sha256':
+        return bcrypt_sha256.verify(password, hash)
+    else:
+        warning("No valid hash function found for %s" % hash_type)
+        return False


 #