Upgrade password hashing from SHA1 to PBKDF2-SHA256

- Add new password hashing functions using PBKDF2-SHA256 with format prefix
- Maintain backward compatibility with old SHA1 passwords
- Auto-upgrade passwords to PBKDF2 format on successful authentication
- Update all password setting locations to use new hashing
- Use only Python 3 standard library (hashlib.pbkdf2_hmac, secrets)

This addresses GitHub security warnings about SHA1 usage while maintaining
full backward compatibility for existing installations. Passwords are
automatically upgraded as users authenticate, allowing incremental migration.

Format: New passwords use $pbkdf2$<iterations>$<salt>$<hash> prefix
Old format: 40 hex character SHA1 hashes (no prefix) still supported

Author: jared mauch

Mailman/Cgi/admin.py

@@ -41,7 +41,7 @@ def cmp(a, b):
 from Mailman.htmlformat import *
 from Mailman.Cgi import Auth
 from Mailman.Logging.Syslog import syslog
-from Mailman.Utils import sha_new
+from Mailman.Utils import sha_new, hash_password
 from Mailman.CSRFcheck import csrf_check
 
 # Set up i18n
@@ -1424,7 +1424,8 @@ def safeint(formvar, defaultval=None):
     confirm = cgidata.getfirst('confirmmodpw', '').strip()
     if new or confirm:
         if new == confirm:
-            mlist.mod_password = sha_new(new.encode()).hexdigest()
+            # Use new PBKDF2 hashing for all new passwords
+            mlist.mod_password = hash_password(new)
             # No re-authentication necessary because the moderator's
             # password doesn't get you into these pages.
         else:
@@ -1435,7 +1436,8 @@ def safeint(formvar, defaultval=None):
     confirm = cgidata.getfirst('confirmpostpw', '').strip()
     if new or confirm:
         if new == confirm:
-            mlist.post_password = sha_new(new.encode()).hexdigest()
+            # Use new PBKDF2 hashing for all new passwords
+            mlist.post_password = hash_password(new)
             # No re-authentication necessary because the poster's
             # password doesn't get you into these pages.
         else:
@@ -1445,7 +1447,8 @@ def safeint(formvar, defaultval=None):
     confirm = cgidata.getfirst('confirmpw', '').strip()
     if new or confirm:
         if new == confirm:
-            mlist.password = sha_new(new.encode()).hexdigest()
+            # Use new PBKDF2 hashing for all new passwords
+            mlist.password = hash_password(new)
             # Set new cookie
             print(mlist.MakeCookie(mm_cfg.AuthListAdmin))
         else:

Mailman/SecurityManager.py

@@ -67,7 +67,7 @@
 from Mailman import Utils
 from Mailman import Errors
 from Mailman.Logging.Syslog import syslog
-from Mailman.Utils import md5_new, sha_new
+from Mailman.Utils import md5_new, sha_new, hash_password, verify_password
 
 
 class SecurityManager(object):
@@ -163,34 +163,47 @@ def cryptmatchp(response, secret):
                         # know how that can happen (perhaps if a MM2.0 list
                         # with USE_CRYPT = 0 has been updated?  Doubtful.
                         return False
-                # The password for the list admin and list moderator are not
-                # kept as plain text, but instead as an sha hexdigest.  The
-                # response being passed in is plain text, so we need to
-                # digestify it first.  Note however, that for backwards
-                # compatibility reasons, we'll also check the admin response
-                # against the crypted and md5'd passwords, and if they match,
-                # we'll auto-migrate the passwords to sha.
+                # The password for the list admin is stored as a hash.
+                # We support multiple formats for backwards compatibility:
+                # - New format: PBKDF2-SHA256 with $pbkdf2$ prefix
+                # - Old format: SHA1 hexdigest (40 hex chars)
+                # - Legacy: MD5 or crypt() (auto-upgrade to PBKDF2)
                 key, secret = self.AuthContextInfo(ac)
                 if secret is None:
                     continue
                 if isinstance(response, str):
                     response = response.encode('utf-8')
 
-                sharesponse = sha_new(response).hexdigest()
-                upgrade = ok = False
-                if sharesponse == secret:
-                    ok = True
-                elif md5_new(response).digest() == secret:
-                    ok = upgrade = True
-                elif cryptmatchp(response, secret):
-                    ok = upgrade = True
-                if upgrade:
+                # Try new PBKDF2 or old SHA1 format first
+                ok, needs_upgrade = verify_password(response, secret)
+                upgrade = needs_upgrade
+                
+                # If that didn't work, try legacy MD5 and crypt() formats
+                if not ok:
+                    sharesponse = sha_new(response).hexdigest()
+                    if sharesponse == secret:
+                        ok = True
+                        upgrade = True
+                    elif md5_new(response).digest() == secret:
+                        ok = True
+                        upgrade = True
+                    elif cryptmatchp(response, secret):
+                        ok = True
+                        upgrade = True
+                
+                # Upgrade to new PBKDF2 format if needed
+                if upgrade and ok:
                     save_and_unlock = False
                     if not self.Locked():
                         self.Lock()
                         save_and_unlock = True
                     try:
-                        self.password = sharesponse
+                        # Convert response back to string for hash_password
+                        if isinstance(response, bytes):
+                            response_str = response.decode('utf-8')
+                        else:
+                            response_str = response
+                        self.password = hash_password(response_str)
                         if save_and_unlock:
                             self.Save()
                     finally:
@@ -199,24 +212,62 @@ def cryptmatchp(response, secret):
                 if ok:
                     return ac
             elif ac == mm_cfg.AuthListModerator:
-                # The list moderator password must be sha'd
+                # The list moderator password is stored as a hash.
+                # Supports both new PBKDF2 and old SHA1 formats with auto-upgrade.
                 key, secret = self.AuthContextInfo(ac)
                 if secret:
                     if isinstance(response, str):
                         response_bytes = response.encode('utf-8')
                     else:
                         response_bytes = response
-                    if sha_new(response_bytes).hexdigest() == secret:
+                    ok, needs_upgrade = verify_password(response_bytes, secret)
+                    if ok:
+                        # Upgrade to new format if needed
+                        if needs_upgrade:
+                            save_and_unlock = False
+                            if not self.Locked():
+                                self.Lock()
+                                save_and_unlock = True
+                            try:
+                                if isinstance(response, str):
+                                    response_str = response
+                                else:
+                                    response_str = response_bytes.decode('utf-8')
+                                self.mod_password = hash_password(response_str)
+                                if save_and_unlock:
+                                    self.Save()
+                            finally:
+                                if save_and_unlock:
+                                    self.Unlock()
                         return ac
             elif ac == mm_cfg.AuthListPoster:
-                # The list poster password must be sha'd
+                # The list poster password is stored as a hash.
+                # Supports both new PBKDF2 and old SHA1 formats with auto-upgrade.
                 key, secret = self.AuthContextInfo(ac)
                 if secret:
                     if isinstance(response, str):
                         response_bytes = response.encode('utf-8')
                     else:
                         response_bytes = response
-                    if sha_new(response_bytes).hexdigest() == secret:
+                    ok, needs_upgrade = verify_password(response_bytes, secret)
+                    if ok:
+                        # Upgrade to new format if needed
+                        if needs_upgrade:
+                            save_and_unlock = False
+                            if not self.Locked():
+                                self.Lock()
+                                save_and_unlock = True
+                            try:
+                                if isinstance(response, str):
+                                    response_str = response
+                                else:
+                                    response_str = response_bytes.decode('utf-8')
+                                self.post_password = hash_password(response_str)
+                                if save_and_unlock:
+                                    self.Save()
+                            finally:
+                                if save_and_unlock:
+                                    self.Unlock()
                         return ac
             elif ac == mm_cfg.AuthUser:
                 if user is not None:

Mailman/Utils.py

@@ -31,6 +31,7 @@
 import errno
 import base64
 import random
+import secrets
 import urllib
 import urllib.request, urllib.error
 import html.entities
@@ -663,6 +664,134 @@ def mkletter(c):
     return "%c%c" % tuple(map(mkletter, (chr1, chr2)))
 
 
+
+# Password hashing functions for secure password storage
+# Format: $pbkdf2$<iterations>$<salt>$<hash>
+# Old format (SHA1): 40 hex characters, no prefix
+
+# PBKDF2 iterations - should be high enough to be secure but not too slow
+PBKDF2_ITERATIONS = 100000
+PBKDF2_SALT_LENGTH = 16  # 128 bits
+
+def hash_password(password):
+    """Hash a password using PBKDF2-SHA256.
+    
+    Returns a string in the format: $pbkdf2$<iterations>$<salt>$<hash>
+    where salt and hash are base64-encoded.
+    
+    Args:
+        password: The password to hash (str or bytes)
+    
+    Returns:
+        str: The hashed password with format prefix
+    """
+    if isinstance(password, str):
+        password = password.encode('utf-8')
+    
+    # Generate a random salt
+    salt = secrets.token_bytes(PBKDF2_SALT_LENGTH)
+    
+    # Hash using PBKDF2-SHA256
+    # hashlib.pbkdf2_hmac is available in Python 3.4+
+    dk = hashlib.pbkdf2_hmac('sha256', password, salt, PBKDF2_ITERATIONS)
+    
+    # Encode salt and hash as base64
+    salt_b64 = base64.b64encode(salt).decode('ascii')
+    hash_b64 = base64.b64encode(dk).decode('ascii')
+    
+    return f'$pbkdf2${PBKDF2_ITERATIONS}${salt_b64}${hash_b64}'
+
+
+def verify_password(password, stored_hash):
+    """Verify a password against a stored hash.
+    
+    Supports both old SHA1 format (40 hex chars) and new PBKDF2 format.
+    
+    Args:
+        password: The password to verify (str or bytes)
+        stored_hash: The stored hash to verify against (str)
+    
+    Returns:
+        tuple: (bool, bool) - (is_valid, needs_upgrade)
+            is_valid: True if password matches
+            needs_upgrade: True if password is valid but in old format
+    """
+    if isinstance(password, str):
+        password = password.encode('utf-8')
+    
+    # Check if it's the new format (starts with $pbkdf2$)
+    if stored_hash.startswith('$pbkdf2$'):
+        return _verify_pbkdf2(password, stored_hash), False
+    
+    # Old format: SHA1 hexdigest (40 hex characters)
+    # Check if it looks like a SHA1 hash (40 hex chars)
+    if len(stored_hash) == 40 and all(c in '0123456789abcdef' for c in stored_hash.lower()):
+        sha1_hash = sha_new(password).hexdigest()
+        if sha1_hash == stored_hash:
+            return True, True  # Valid but needs upgrade
+        return False, False
+    
+    # Fallback: try SHA1 comparison for backwards compatibility
+    sha1_hash = sha_new(password).hexdigest()
+    if sha1_hash == stored_hash:
+        return True, True  # Valid but needs upgrade
+    return False, False
+
+
+def _verify_pbkdf2(password, stored_hash):
+    """Verify a password against a PBKDF2 hash.
+    
+    Args:
+        password: The password to verify (bytes)
+        stored_hash: The stored hash in format $pbkdf2$<iterations>$<salt>$<hash>
+    
+    Returns:
+        bool: True if password matches
+    """
+    try:
+        # Parse the hash format: $pbkdf2$<iterations>$<salt>$<hash>
+        parts = stored_hash.split('$')
+        if len(parts) != 5 or parts[1] != 'pbkdf2':
+            return False
+        
+        iterations = int(parts[2])
+        salt_b64 = parts[3]
+        hash_b64 = parts[4]
+        
+        # Decode salt and hash
+        salt = base64.b64decode(salt_b64)
+        stored_dk = base64.b64decode(hash_b64)
+        
+        # Compute hash with same parameters
+        dk = hashlib.pbkdf2_hmac('sha256', password, salt, iterations)
+        
+        # Constant-time comparison to prevent timing attacks
+        return secrets.compare_digest(dk, stored_dk)
+    except (ValueError, TypeError, IndexError):
+        return False
+
+
+def is_old_password_format(stored_hash):
+    """Check if a stored hash is in the old SHA1 format.
+    
+    Args:
+        stored_hash: The stored hash to check (str)
+    
+    Returns:
+        bool: True if the hash is in old format (needs upgrade)
+    """
+    # New format starts with $pbkdf2$
+    if stored_hash.startswith('$pbkdf2$'):
+        return False
+    
+    # Old format: 40 hex characters
+    if len(stored_hash) == 40 and all(c in '0123456789abcdef' for c in stored_hash.lower()):
+        return True
+    
+    # If it doesn't match either format, assume old for backwards compatibility
+    return True
+
+
 
 def set_global_password(pw, siteadmin=True):
     if siteadmin:
@@ -673,10 +802,8 @@ def set_global_password(pw, siteadmin=True):
     omask = os.umask(0o026)
     try:
         fp = open(filename, 'w')
-        if isinstance(pw, bytes):
-            fp.write(sha_new(pw).hexdigest() + '\n')
-        else:
-            fp.write(sha_new(pw.encode()).hexdigest() + '\n')
+        # Use new PBKDF2 hashing for all new passwords
+        fp.write(hash_password(pw) + '\n')
         fp.close()
     finally:
         os.umask(omask)
@@ -702,10 +829,11 @@ def check_global_password(response, siteadmin=True):
     challenge = get_global_password(siteadmin)
     if challenge is None:
         return None
-    if isinstance(response, bytes):
-        return challenge == sha_new(response).hexdigest()
-    else:
-        return challenge == sha_new(response.encode()).hexdigest()
+    # Use verify_password which handles both old SHA1 and new PBKDF2 formats
+    is_valid, needs_upgrade = verify_password(response, challenge)
+    # Note: We don't auto-upgrade global passwords here since they're in files
+    # and we'd need to write back to the file. This could be added if needed.
+    return is_valid
 
 
 

bin/change_pw

@@ -147,7 +147,7 @@ def main():
     if password is not None:
         if not password:
             usage(1, C_('Empty list passwords are not allowed'))
-        shapassword = Utils.sha_new(password.encode()).hexdigest()
+        shapassword = Utils.hash_password(password)
 
     if domains:
         for name in Utils.list_names():
@@ -167,7 +167,7 @@ def main():
             if password is None:
                 randompw = Utils.MakeRandomPassword(
                     mm_cfg.ADMIN_PASSWORD_LENGTH)
-                shapassword = Utils.sha_new(randompw.encode('utf-8')).hexdigest()
+                shapassword = Utils.hash_password(randompw)
                 notifypassword = randompw
             else:
                 notifypassword = password

bin/newlist

@@ -198,7 +198,8 @@ def main():
 
     mlist = MailList.MailList()
     try:
-        pw = Utils.sha_new(listpasswd.encode()).hexdigest()
+        # Use new PBKDF2 hashing for all new passwords
+        pw = Utils.hash_password(listpasswd)
         # Guarantee that all newly created files have the proper permission.
         # proper group ownership should be assured by the autoconf script
         # enforcing that all directories have the group sticky bit set