From dd9b5531a3dc4ee55b7bff86ec924e56ec573be5 Mon Sep 17 00:00:00 2001
From: Ola Bini
Date: Thu, 26 Mar 2020 15:00:08 +0000
Subject: [PATCH 1/3] Extract more generic versions of setting and checking configuration passwords
---
 cmd/grumble/server.go | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/cmd/grumble/server.go b/cmd/grumble/server.go
index 64b4dd8..bca43aa 100644
--- a/cmd/grumble/server.go
+++ b/cmd/grumble/server.go
@@ -175,8 +175,7 @@ func (server *Server) RootChannel() *Channel {
 return root
 }
-// Set password as the new SuperUser password
-func (server *Server) SetSuperUserPassword(password string) {
+func (server *Server) setConfigPassword(key, password string) {
 saltBytes := make([]byte, 24)
 _, err := rand.Read(saltBytes)
 if err != nil {
@@ -190,7 +189,6 @@ func (server *Server) SetSuperUserPassword(password string) {
 digest := hex.EncodeToString(hasher.Sum(nil))
 // Could be racy, but shouldn't really matter...
- key := "SuperUserPassword"
 val := "sha1$" + salt + "$" + digest
 server.cfg.Set(key, val)
@@ -199,9 +197,13 @@ func (server *Server) SetSuperUserPassword(password string) {
 }
 }
-// CheckSuperUserPassword checks whether password matches the set SuperUser password.
-func (server *Server) CheckSuperUserPassword(password string) bool {
- parts := strings.Split(server.cfg.StringValue("SuperUserPassword"), "$")
+// Set password as the new SuperUser password
+func (server *Server) SetSuperUserPassword(password string) {
+ server.setConfigPassword("SuperUserPassword", password)
+}
+
+func (server *Server) checkConfigPassword(key, password string) bool {
+ parts := strings.Split(server.cfg.StringValue(key), "$")
 if len(parts) != 3 {
 return false
 }
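Review bot: `setConfigPassword` becomes the shared path for every configuration password, yet it keeps what appears to be a single salted SHA-1 pass (`val := "sha1$" + salt + "$" + digest` in the next hunk), which is cheap to brute-force offline if the stored value leaks. Because the scheme name is already stored as a prefix, a deliberately slow password hash (PBKDF2, scrypt or bcrypt) could be written under a new prefix while `checkConfigPassword` keeps accepting existing `sha1$` entries. The helper also lost its comment in the move; `// setConfigPassword stores a salted hash of password under the config key.` would restore it. The function body continues outside the hunk, so the hasher construction and the `rand.Read` error branch are not visible here.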
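Review bot: `checkConfigPassword` is added without a doc comment, and the lines that compare the digests sit between this hunk and the next, so it cannot be confirmed from here that the comparison is constant-time. If that part compares the hex strings with `==`, switching to `subtle.ConstantTimeCompare` from `crypto/subtle` is the usual hardening for a check that is reachable from the network. A comment such as `// checkConfigPassword reports whether password matches the salted hash stored under key.` would document the new helper.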
@@ -239,6 +241,11 @@ func (server *Server) CheckSuperUserPassword(password string) bool {
 return false
 }
+// CheckSuperUserPassword checks whether password matches the set SuperUser password.
+func (server *Server) CheckSuperUserPassword(password string) bool {
+ return server.checkConfigPassword("SuperUserPassword", password)
+}
+
 // Called by the server to initiate a new client connection.
 func (server *Server) handleIncomingClient(conn net.Conn) (err error) {
 client := new(Client)
From b076a994922b0357be25848672f42e49f792b318 Mon Sep 17 00:00:00 2001
From: Ola Bini
Date: Thu, 26 Mar 2020 15:03:05 +0000
Subject: [PATCH 2/3] Add new methods for setting and checking a potential server password
---
 cmd/grumble/server.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/cmd/grumble/server.go b/cmd/grumble/server.go
index bca43aa..edc6a6f 100644
--- a/cmd/grumble/server.go
+++ b/cmd/grumble/server.go
@@ -197,11 +197,16 @@ func (server *Server) setConfigPassword(key, password string) {
 }
 }
-// Set password as the new SuperUser password
+// SetSuperUserPassword sets password as the new SuperUser password
 func (server *Server) SetSuperUserPassword(password string) {
 server.setConfigPassword("SuperUserPassword", password)
 }
+// SetServerPassword sets password as the new Server password
+func (server *Server) SetServerPassword(password string) {
+ server.setConfigPassword("ServerPassword", password)
+}
+
 func (server *Server) checkConfigPassword(key, password string) bool {
 parts := strings.Split(server.cfg.StringValue(key), "$")
 if len(parts) != 3 {
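Review bot: `SetServerPassword` passes any string straight to `setConfigPassword`, and nothing in the visible part of that helper treats the empty string specially, so `SetServerPassword("")` would presumably store a salted hash of the empty password rather than clear the setting. An operator who tries to remove the server password that way ends up with a password that is set but trivially guessable. Consider rejecting an empty password or making it remove the `ServerPassword` key, and state which in the doc comment.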
@@ -246,6 +251,11 @@ func (server *Server) CheckSuperUserPassword(password string) bool {
 return server.checkConfigPassword("SuperUserPassword", password)
 }
+// CheckServerPassword checks whether password matches the set Server password.
+func (server *Server) CheckServerPassword(password string) bool {
+ return server.checkConfigPassword("ServerPassword", password)
+}
+
 // Called by the server to initiate a new client connection.
 func (server *Server) handleIncomingClient(conn net.Conn) (err error) {
 client := new(Client)
From 495d699ec82b30187eca72cadfdd1c755798b6e5 Mon Sep 17 00:00:00 2001
From: Ola Bini
Date: Thu, 26 Mar 2020 16:11:47 +0000
Subject: [PATCH 3/3] Try to authenticate using server password if user authentication hasn't happened
---
 cmd/grumble/server.go | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/cmd/grumble/server.go b/cmd/grumble/server.go
index edc6a6f..663b791 100644
--- a/cmd/grumble/server.go
+++ b/cmd/grumble/server.go
@@ -256,6 +256,10 @@ func (server *Server) CheckServerPassword(password string) bool {
 return server.checkConfigPassword("ServerPassword", password)
 }
+func (server *Server) hasServerPassword() bool {
+ return server.cfg.StringValue("ServerPassword") != ""
+}
+
 // Called by the server to initiate a new client connection.
 func (server *Server) handleIncomingClient(conn net.Conn) (err error) {
 client := new(Client)
@@ -535,6 +539,13 @@ func (server *Server) handleAuthenticate(client *Client, msg *Message) {
 }
 }
+ if client.user == nil && server.hasServerPassword() {
+ if auth.Password == nil || !server.CheckServerPassword(*auth.Password) {
+ client.RejectAuth(mumbleproto.Reject_WrongServerPW, "Invalid server password")
+ return
+ }
+ }
+
 // Setup the cryptstate for the client.
 err = client.crypt.GenerateKey(client.CryptoMode)
 if err != nil {
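Review bot: `hasServerPassword` treats any non-empty `ServerPassword` value as enabled, including one that does not split into the three `$`-separated parts `checkConfigPassword` expects, for example a plaintext password typed into the config by hand. Such a value can never match because of the `len(parts) != 3` guard, so the server fails closed and rejects every unregistered client with no hint about the cause. That is the safe direction, but it deserves a doc comment, e.g. `// hasServerPassword reports whether a ServerPassword value is configured; a malformed value still counts and rejects all attempts.`, and ideally a warning at startup when the value does not parse.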
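Review bot: Rejected server-password attempts leave no record at this point, because the new block calls `client.RejectAuth(...)` and returns without logging, so repeated guessing against a password shared by every unregistered client would be hard to spot. Log the failure with the client's remote address before rejecting, and confirm that connection-level throttling exists elsewhere. The `client.user == nil` condition also means a client already matched to a registered user skips the check; how `client.user` gets set is outside the hunk, so a comment such as `// Registered users are exempt; the server password only gates unregistered clients.` would make that intent explicit. handleAuthenticate's body continues outside the hunk.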