author | Michael Catanzaro <mcatanzaro@redhat.com> | 2021-12-01 16:10:44 -0600 |
---|---|---|
committer | Michael Catanzaro <mcatanzaro@redhat.com> | 2021-12-02 07:32:00 -0600 |
commit | 4013b1cfbea16a2a7265756d1e003fac9404db10 (patch) | |
tree | 5e790aec82f9892122147093264cbd35260a97b4 | |
parent | b5b3327636c1982ec1bffb5715ffb629016e458c (diff) | |
Allow building with DBUS_COOKIE_SHA1 authentication disabledmcatanzaro/dbus-cookie-sha1
For RHEL and Fedora, we don't want SHA-1 to get used for authentication
purposes anymore unless the user explicitly opts in to an insecure
authentication configuration. The easiest way to do this is to disable
it at build time.
Normally this is fine because EXTERNAL authentication takes precedence
over DBUS_COOKIE_SHA1 authentication. EXTERNAL only works for D-Bus over
Unix sockets, but that's 99% of D-Bus usage. This is going to break use
of D-Bus over TCP or over pipes, though. It will also break D-Bus on
Windows, but that's why it's a build option: just don't enable it there.
Fixes #2546
-rw-r--r-- | gio/gdbusauth.c | 2 | ||||
-rw-r--r-- | gio/gdbusauthmechanismsha1.c | 4 | ||||
-rw-r--r-- | gio/gdbusauthmechanismsha1.h | 4 | ||||
-rw-r--r-- | gio/tests/gdbus-auth.c | 8 | ||||
-rw-r--r-- | gio/tests/gdbus-connection-flush.c | 19 | ||||
-rw-r--r-- | gio/tests/gdbus-non-socket.c | 9 | ||||
-rw-r--r-- | gio/tests/gdbus-peer.c | 6 | ||||
-rw-r--r-- | gio/tests/gdbus-server-auth.c | 12 | ||||
-rw-r--r-- | meson.build | 4 | ||||
-rw-r--r-- | meson_options.txt | 7 |
10 files changed, 69 insertions, 6 deletions
diff --git a/gio/gdbusauth.c b/gio/gdbusauth.c index 74c178dbf..f6a88f1c3 100644 --- a/gio/gdbusauth.c +++ b/gio/gdbusauth.c @@ -232,7 +232,9 @@ _g_dbus_auth_add_mechs (GDBusAuth *auth, { /* TODO: trawl extension points */ add_mechanism (auth, observer, G_TYPE_DBUS_AUTH_MECHANISM_ANON); +#ifdef ENABLE_DBUS_COOKIE_SHA1 add_mechanism (auth, observer, G_TYPE_DBUS_AUTH_MECHANISM_SHA1); +#endif add_mechanism (auth, observer, G_TYPE_DBUS_AUTH_MECHANISM_EXTERNAL); auth->priv->available_mechanisms = g_list_sort (auth->priv->available_mechanisms, diff --git a/gio/gdbusauthmechanismsha1.c b/gio/gdbusauthmechanismsha1.c index 94fe0bce8..066a198fd 100644 --- a/gio/gdbusauthmechanismsha1.c +++ b/gio/gdbusauthmechanismsha1.c @@ -20,6 +20,8 @@ #include "config.h" +#ifdef ENABLE_DBUS_COOKIE_SHA1 + #include <string.h> #include <fcntl.h> #include <errno.h> @@ -1257,3 +1259,5 @@ mechanism_client_shutdown (GDBusAuthMechanism *mechanism) } /* ---------------------------------------------------------------------------------------------------- */ + +#endif /* ENABLE_DBUS_COOKIE_SHA1 */ diff --git a/gio/gdbusauthmechanismsha1.h b/gio/gdbusauthmechanismsha1.h index 0e563fd2c..67686d7e4 100644 --- a/gio/gdbusauthmechanismsha1.h +++ b/gio/gdbusauthmechanismsha1.h @@ -25,6 +25,8 @@ #error "gdbusauthmechanismsha1.h is a private header file." #endif +#ifdef ENABLE_DBUS_COOKIE_SHA1 + #include <gio/giotypes.h> #include <gio/gdbusauthmechanism.h> @@ -55,7 +57,7 @@ struct _GDBusAuthMechanismSha1 GType _g_dbus_auth_mechanism_sha1_get_type (void) G_GNUC_CONST; - G_END_DECLS +#endif /* ENABLE_DBUS_COOKIE_SHA1 */ #endif /* __G_DBUS_AUTH_MECHANISM_SHA1_H__ */ diff --git a/gio/tests/gdbus-auth.c b/gio/tests/gdbus-auth.c index 18288f36d..686516bd7 100644 --- a/gio/tests/gdbus-auth.c +++ b/gio/tests/gdbus-auth.c 
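Review bot: The new `#ifdef ENABLE_DBUS_COOKIE_SHA1` around `add_mechanism (auth, observer, G_TYPE_DBUS_AUTH_MECHANISM_SHA1)` in `_g_dbus_auth_add_mechs` has no comment saying which mechanisms remain when it is compiled out. In that build only ANONYMOUS and EXTERNAL are registered, and the commit message says EXTERNAL works only over Unix sockets, so peers on TCP or pipes are presumably left with ANONYMOUS as the only mechanism that can succeed, and it authenticates nobody. I would add a comment such as `/* Without DBUS_COOKIE_SHA1, transports other than Unix sockets can only authenticate via ANONYMOUS, which the server must explicitly allow. */` so that nobody responds to the resulting failures by enabling anonymous authentication without seeing the trade-off. The function body starts and ends outside the hunk.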
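Review bot: Guarding the whole of gio/gdbusauthmechanismsha1.c leaves a translation unit containing only `#include "config.h"` when ENABLE_DBUS_COOKIE_SHA1 is unset, which ISO C does not permit and compilers report under pedantic warnings, assuming config.h holds only macros. Leaving the file out of the gio source list when the option is disabled would avoid that; the source list is not part of this diff, so this is a suggestion rather than a confirmed problem. If the guard stays, a one-line comment at the opening `#ifdef`, for example `/* Compiled out when the dbus_cookie_sha1 build option is disabled. */`, would help anyone who opens the file in a disabled build.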
@@ -213,7 +213,11 @@ auth_client_external (void) static void auth_client_dbus_cookie_sha1 (void) { +#ifdef ENABLE_DBUS_COOKIE_SHA1 test_auth_mechanism ("DBUS_COOKIE_SHA1", NULL); +#else + g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled"); +#endif } static void @@ -231,7 +235,11 @@ auth_server_external (void) static void auth_server_dbus_cookie_sha1 (void) { +#ifdef ENABLE_DBUS_COOKIE_SHA1 test_auth_mechanism (NULL, "DBUS_COOKIE_SHA1"); +#else + g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled"); +#endif } /* ---------------------------------------------------------------------------------------------------- */ diff --git a/gio/tests/gdbus-connection-flush.c b/gio/tests/gdbus-connection-flush.c index 8c925825a..81bdb36cd 100644 --- a/gio/tests/gdbus-connection-flush.c +++ b/gio/tests/gdbus-connection-flush.c @@ -29,6 +29,8 @@ #include "test-io-stream.h" #include "test-pipe-unix.h" +#ifdef ENABLE_DBUS_COOKIE_SHA1 + #define MY_TYPE_OUTPUT_STREAM \ (my_output_stream_get_type ()) #define MY_OUTPUT_STREAM(o) \ @@ -150,6 +152,7 @@ my_output_stream_class_init (MyOutputStreamClass *cls) ostream_class->write_fn = my_output_stream_write; ostream_class->flush = my_output_stream_flush; } +#endif /* ENABLE_DBUS_COOKIE_SHA1 */ /* ---------------------------------------------------------------------------------------------------- */ @@ -170,6 +173,7 @@ typedef struct { GDBusConnection *server_conn; } Fixture; +#ifdef ENABLE_DBUS_COOKIE_SHA1 static void setup_client_cb (GObject *source, GAsyncResult *res, @@ -195,11 +199,13 @@ setup_server_cb (GObject *source, g_assert (G_IS_DBUS_CONNECTION (f->server_conn)); g_assert (f->server_conn == G_DBUS_CONNECTION (source)); } +#endif /* ENABLE_DBUS_COOKIE_SHA1 */ static void setup (Fixture *f, gconstpointer test_data G_GNUC_UNUSED) { +#ifdef ENABLE_DBUS_COOKIE_SHA1 gboolean ok; f->guid = g_dbus_generate_guid (); 
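Review bot: The disabled configuration has no coverage, because the `#else` branches in `auth_client_dbus_cookie_sha1` and `auth_server_dbus_cookie_sha1` only call `g_test_skip ()`, so nothing checks that a build without ENABLE_DBUS_COOKIE_SHA1 actually refuses a peer that asks for the mechanism. The option exists to keep SHA-1 out of authentication, so a negative test in the `#else` branch, expecting the handshake to fail when only DBUS_COOKIE_SHA1 is permitted, would pin that behaviour down. The same skip-only pattern appears in `test_nonce_tcp` in gio/tests/gdbus-peer.c and in the three `test_server_auth_*` functions changed in gio/tests/gdbus-server-auth.c. Whether `test_auth_mechanism` can express an expected failure is not visible in this hunk.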
@@ -234,8 +240,10 @@ setup (Fixture *f, while (f->client_conn == NULL || f->server_conn == NULL) g_main_context_iteration (NULL, TRUE); +#endif } +#ifdef ENABLE_DBUS_COOKIE_SHA1 static void flush_cb (GObject *source, GAsyncResult *res, @@ -254,11 +262,13 @@ flush_cb (GObject *source, f->flushed = TRUE; } +#endif static void test_flush_busy (Fixture *f, gconstpointer test_data G_GNUC_UNUSED) { +#ifdef ENABLE_DBUS_COOKIE_SHA1 gint initial, started; gboolean ok; @@ -303,12 +313,16 @@ test_flush_busy (Fixture *f, */ g_assert_cmpint (my_output_stream_get_bytes_flushed (f->client_ostream), >=, started); +#else /* ENABLE_DBUS_COOKIE_SHA1 */ + g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled"); +#endif } static void test_flush_idle (Fixture *f, gconstpointer test_data G_GNUC_UNUSED) { +#ifdef ENABLE_DBUS_COOKIE_SHA1 gint initial, finished; gboolean ok; @@ -338,12 +352,16 @@ test_flush_idle (Fixture *f, */ g_assert_cmpint (my_output_stream_get_bytes_flushed (f->client_ostream), >=, finished); +#else /* ENABLE_DBUS_COOKIE_SHA1 */ + g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled"); +#endif } static void teardown (Fixture *f, gconstpointer test_data G_GNUC_UNUSED) { +#ifdef ENABLE_DBUS_COOKIE_SHA1 g_clear_error (&f->error); g_clear_object (&f->client_stream); @@ -358,6 +376,7 @@ teardown (Fixture *f, g_clear_object (&f->server_conn); g_free (f->guid); +#endif } /* ---------------------------------------------------------------------------------------------------- */ diff --git a/gio/tests/gdbus-non-socket.c b/gio/tests/gdbus-non-socket.c index 911aff262..b6ee34d3e 100644 --- a/gio/tests/gdbus-non-socket.c +++ b/gio/tests/gdbus-non-socket.c 
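Review bot: The skip message in `test_flush_busy` and `test_flush_idle` does not say why a flush test depends on an authentication mechanism. The file includes test-pipe-unix.h, so presumably the connection runs over a pipe where EXTERNAL cannot be used; a comment at the first guard such as `/* This test connects over a pipe, so it can only authenticate with DBUS_COOKIE_SHA1. */` would make that explicit. With the option disabled, `setup` and `teardown` have empty bodies and their `f` parameter is unused, which may warn under `-Wunused-parameter` unless `f` is marked `G_GNUC_UNUSED` or the tests are not registered at all. The `#else /* ENABLE_DBUS_COOKIE_SHA1 */` comments would also read more accurately as `/* !ENABLE_DBUS_COOKIE_SHA1 */`.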
@@ -32,10 +32,10 @@ #include "gdbus-tests.h" -static GMainLoop *loop = NULL; - /* ---------------------------------------------------------------------------------------------------- */ -#ifdef G_OS_UNIX +#if defined(G_OS_UNIX) && defined(ENABLE_DBUS_COOKIE_SHA1) + +static GMainLoop *loop = NULL; #include "test-pipe-unix.h" #include "test-io-stream.h" @@ -276,12 +276,13 @@ test_non_socket (void) exit (0); } -#else /* G_OS_UNIX */ +#else /* G_OS_UNIX && ENABLE_DBUS_COOKIE_SHA1 */ static void test_non_socket (void) { /* TODO: test this with e.g. GWin32InputStream/GWin32OutputStream */ + g_test_skip ("This test only works on Unix with DBUS_COOKIE_SHA1 authentication enabled"); } #endif diff --git a/gio/tests/gdbus-peer.c b/gio/tests/gdbus-peer.c index 2f2caf77a..39c665248 100644 --- a/gio/tests/gdbus-peer.c +++ b/gio/tests/gdbus-peer.c @@ -1589,6 +1589,7 @@ delayed_message_processing (void) /* ---------------------------------------------------------------------------------------------------- */ +#ifdef ENABLE_DBUS_COOKIE_SHA1 static gboolean nonce_tcp_on_authorize_authenticated_peer (GDBusAuthObserver *observer, GIOStream *stream, @@ -1670,10 +1671,12 @@ nonce_tcp_service_thread_func (gpointer user_data) return NULL; } +#endif static void test_nonce_tcp (void) { +#ifdef ENABLE_DBUS_COOKIE_SHA1 PeerData data; GError *error; GThread *service_thread; @@ -1796,6 +1799,9 @@ test_nonce_tcp (void) g_main_loop_unref (loop); g_free (test_guid); +#else + g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled"); +#endif } static void diff --git a/gio/tests/gdbus-server-auth.c b/gio/tests/gdbus-server-auth.c index bd1443eb1..c764256c5 100644 --- a/gio/tests/gdbus-server-auth.c +++ b/gio/tests/gdbus-server-auth.c @@ -495,7 +495,11 @@ test_server_auth_abstract (void) static void test_server_auth_tcp (void) { +#ifdef ENABLE_DBUS_COOKIE_SHA1 do_test_server_auth (INTEROP_FLAGS_TCP); +#else + g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled"); +#endif } static void 
@@ -525,13 +529,21 @@ test_server_auth_external_require_same_user (void) static void test_server_auth_sha1 (void) { +#ifdef ENABLE_DBUS_COOKIE_SHA1 do_test_server_auth (INTEROP_FLAGS_SHA1); +#else + g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled"); +#endif } static void test_server_auth_sha1_tcp (void) { +#ifdef ENABLE_DBUS_COOKIE_SHA1 do_test_server_auth (INTEROP_FLAGS_SHA1 | INTEROP_FLAGS_TCP); +#else + g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled"); +#endif } int diff --git a/meson.build b/meson.build index 075287ac0..0c2c311bb 100644 --- a/meson.build +++ b/meson.build @@ -2390,6 +2390,10 @@ if host_system != 'windows' install_dir : join_paths(get_option('datadir'), 'glib-2.0', 'valgrind')) endif +if get_option('dbus_cookie_sha1').enabled() + glib_conf.set('ENABLE_DBUS_COOKIE_SHA1', 1) +endif + configure_file(output : 'config.h', configuration : glib_conf) if host_system == 'windows' diff --git a/meson_options.txt b/meson_options.txt index 6cd7bc90a..fd103aaa4 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -121,4 +121,9 @@ option('glib_checks', option('libelf', type : 'feature', value : 'auto', - description : 'Enable support for listing and extracting from ELF resource files with gresource tool')
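Review bot: In the meson.build hunk, `get_option('dbus_cookie_sha1').enabled()` is false for `auto` as well as for `disabled`, so a build configured with `-Ddbus_cookie_sha1=auto` silently drops the mechanism. Either declare the option as `boolean`, or test `not get_option('dbus_cookie_sha1').disabled()` so that only an explicit opt-out removes it. The commit message also says a disabled build breaks D-Bus on Windows, and nothing here stops that combination. A `warning()` or `error()` when `host_system == 'windows'` and the option is disabled would catch it at configure time.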
\ No newline at end of file + description : 'Enable support for listing and extracting from ELF resource files with gresource tool') + +option('dbus_cookie_sha1', + type : 'feature', + value : 'enabled', + description : 'Allow GDBus to use the DBUS_COOKIE_SHA1 authentication mechanism') |
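Review bot: The description of the new `dbus_cookie_sha1` option does not say what disabling it costs. According to the commit message, a disabled build breaks D-Bus over TCP, over pipes and on Windows, and the description is the only text a packager sees at configure time. I would extend it, e.g. `description : 'Allow GDBus to use the DBUS_COOKIE_SHA1 authentication mechanism (needed for D-Bus over TCP, over pipes and on Windows)'`.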