authorMichael Catanzaro <mcatanzaro@redhat.com>2021-12-01 16:10:44 -0600
committerMichael Catanzaro <mcatanzaro@redhat.com>2021-12-02 07:32:00 -0600
commit4013b1cfbea16a2a7265756d1e003fac9404db10 (patch)
tree5e790aec82f9892122147093264cbd35260a97b4
parentb5b3327636c1982ec1bffb5715ffb629016e458c (diff)
Allow building with DBUS_COOKIE_SHA1 authentication disabledmcatanzaro/dbus-cookie-sha1
For RHEL and Fedora, we don't want SHA-1 to get used for authentication purposes anymore unless the user explicitly opts in to an insecure authentication configuration. The easiest way to do this is to disable it at build time. Normally this is fine because EXTERNAL authentication takes precedence over DBUS_COOKIE_SHA1 authentication. EXTERNAL only works for D-Bus over Unix sockets, but that's 99% of D-Bus usage. This is going to break use of D-Bus over TCP or over pipes, though. It will also break D-Bus on Windows, but that's why it's a build option: just don't enable it there. Fixes #2546
-rw-r--r--gio/gdbusauth.c2
-rw-r--r--gio/gdbusauthmechanismsha1.c4
-rw-r--r--gio/gdbusauthmechanismsha1.h4
-rw-r--r--gio/tests/gdbus-auth.c8
-rw-r--r--gio/tests/gdbus-connection-flush.c19
-rw-r--r--gio/tests/gdbus-non-socket.c9
-rw-r--r--gio/tests/gdbus-peer.c6
-rw-r--r--gio/tests/gdbus-server-auth.c12
-rw-r--r--meson.build4
-rw-r--r--meson_options.txt7
10 files changed, 69 insertions, 6 deletions
diff --git a/gio/gdbusauth.c b/gio/gdbusauth.c
index 74c178dbf..f6a88f1c3 100644
--- a/gio/gdbusauth.c
+++ b/gio/gdbusauth.c
@@ -232,7 +232,9 @@ _g_dbus_auth_add_mechs (GDBusAuth *auth,
{
/* TODO: trawl extension points */
add_mechanism (auth, observer, G_TYPE_DBUS_AUTH_MECHANISM_ANON);
+#ifdef ENABLE_DBUS_COOKIE_SHA1
add_mechanism (auth, observer, G_TYPE_DBUS_AUTH_MECHANISM_SHA1);
+#endif
add_mechanism (auth, observer, G_TYPE_DBUS_AUTH_MECHANISM_EXTERNAL);
auth->priv->available_mechanisms = g_list_sort (auth->priv->available_mechanisms,
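Review bot: The new `#ifdef` around the SHA1 `add_mechanism` call has no comment saying what remains when it is compiled out, which is the first thing a reader of this mechanism list needs to know. With the option off only ANONYMOUS and EXTERNAL are registered, and per the commit message EXTERNAL only works over Unix sockets, so a TCP or pipe peer is left with no mechanism that authenticates a user. I would add above the guard `/* Optional at build time; without it, non-Unix-socket transports can only use ANONYMOUS, and only if the caller allows it */`. A caller that explicitly requests DBUS_COOKIE_SHA1 also gets no hint here that it was compiled out; the code that filters allowed mechanisms is outside this hunk, so check there that the failure is reported clearly. _g_dbus_auth_add_mechs starts and ends outside the hunk.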
diff --git a/gio/gdbusauthmechanismsha1.c b/gio/gdbusauthmechanismsha1.c
index 94fe0bce8..066a198fd 100644
--- a/gio/gdbusauthmechanismsha1.c
+++ b/gio/gdbusauthmechanismsha1.c
@@ -20,6 +20,8 @@
#include "config.h"
+#ifdef ENABLE_DBUS_COOKIE_SHA1
+
#include <string.h>
#include <fcntl.h>
#include <errno.h>
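Review bot: Guarding the whole file from just after `#include "config.h"` down to the final `#endif` presumably leaves a translation unit with no declarations when the option is off, which ISO C does not allow and `-Wpedantic` reports. Leaving the file out of the gio source list when `dbus_cookie_sha1` is disabled would avoid the empty object and keep the guard out of the file. That build file is not part of this diff, so this assumes the source list can be made conditional there. The closing `#endif /* ENABLE_DBUS_COOKIE_SHA1 */` in the next hunk belongs to the same guard.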
@@ -1257,3 +1259,5 @@ mechanism_client_shutdown (GDBusAuthMechanism *mechanism)
}
/* ---------------------------------------------------------------------------------------------------- */
+
+#endif /* ENABLE_DBUS_COOKIE_SHA1 */
diff --git a/gio/gdbusauthmechanismsha1.h b/gio/gdbusauthmechanismsha1.h
index 0e563fd2c..67686d7e4 100644
--- a/gio/gdbusauthmechanismsha1.h
+++ b/gio/gdbusauthmechanismsha1.h
@@ -25,6 +25,8 @@
#error "gdbusauthmechanismsha1.h is a private header file."
#endif
+#ifdef ENABLE_DBUS_COOKIE_SHA1
+
#include <gio/giotypes.h>
#include <gio/gdbusauthmechanism.h>
@@ -55,7 +57,7 @@ struct _GDBusAuthMechanismSha1
GType _g_dbus_auth_mechanism_sha1_get_type (void) G_GNUC_CONST;
-
G_END_DECLS
+#endif /* ENABLE_DBUS_COOKIE_SHA1 */
#endif /* __G_DBUS_AUTH_MECHANISM_SHA1_H__ */
diff --git a/gio/tests/gdbus-auth.c b/gio/tests/gdbus-auth.c
index 18288f36d..686516bd7 100644
--- a/gio/tests/gdbus-auth.c
+++ b/gio/tests/gdbus-auth.c
@@ -213,7 +213,11 @@ auth_client_external (void)
static void
auth_client_dbus_cookie_sha1 (void)
{
+#ifdef ENABLE_DBUS_COOKIE_SHA1
test_auth_mechanism ("DBUS_COOKIE_SHA1", NULL);
+#else
+ g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled");
+#endif
}
static void
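Review bot: The `#ifdef ENABLE_DBUS_COOKIE_SHA1` in `auth_client_dbus_cookie_sha1` only sees the macro if this test file includes `config.h`, and no hunk in this file adds that include. If it is missing, this test and `auth_server_dbus_cookie_sha1` in the next hunk compile to `g_test_skip` in every build, so coverage of the mechanism is lost silently even when it is enabled. The same applies to the guards added in gdbus-connection-flush.c, gdbus-non-socket.c, gdbus-peer.c and gdbus-server-auth.c. Each file should be checked for `#include "config.h"` ahead of its first guard.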
@@ -231,7 +235,11 @@ auth_server_external (void)
static void
auth_server_dbus_cookie_sha1 (void)
{
+#ifdef ENABLE_DBUS_COOKIE_SHA1
test_auth_mechanism (NULL, "DBUS_COOKIE_SHA1");
+#else
+ g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled");
+#endif
}
/* ---------------------------------------------------------------------------------------------------- */
diff --git a/gio/tests/gdbus-connection-flush.c b/gio/tests/gdbus-connection-flush.c
index 8c925825a..81bdb36cd 100644
--- a/gio/tests/gdbus-connection-flush.c
+++ b/gio/tests/gdbus-connection-flush.c
@@ -29,6 +29,8 @@
#include "test-io-stream.h"
#include "test-pipe-unix.h"
+#ifdef ENABLE_DBUS_COOKIE_SHA1
+
#define MY_TYPE_OUTPUT_STREAM \
(my_output_stream_get_type ())
#define MY_OUTPUT_STREAM(o) \
@@ -150,6 +152,7 @@ my_output_stream_class_init (MyOutputStreamClass *cls)
ostream_class->write_fn = my_output_stream_write;
ostream_class->flush = my_output_stream_flush;
}
+#endif /* ENABLE_DBUS_COOKIE_SHA1 */
/* ---------------------------------------------------------------------------------------------------- */
@@ -170,6 +173,7 @@ typedef struct {
GDBusConnection *server_conn;
} Fixture;
+#ifdef ENABLE_DBUS_COOKIE_SHA1
static void
setup_client_cb (GObject *source,
GAsyncResult *res,
@@ -195,11 +199,13 @@ setup_server_cb (GObject *source,
g_assert (G_IS_DBUS_CONNECTION (f->server_conn));
g_assert (f->server_conn == G_DBUS_CONNECTION (source));
}
+#endif /* ENABLE_DBUS_COOKIE_SHA1 */
static void
setup (Fixture *f,
gconstpointer test_data G_GNUC_UNUSED)
{
+#ifdef ENABLE_DBUS_COOKIE_SHA1
gboolean ok;
f->guid = g_dbus_generate_guid ();
@@ -234,8 +240,10 @@ setup (Fixture *f,
while (f->client_conn == NULL || f->server_conn == NULL)
g_main_context_iteration (NULL, TRUE);
+#endif
}
+#ifdef ENABLE_DBUS_COOKIE_SHA1
static void
flush_cb (GObject *source,
GAsyncResult *res,
@@ -254,11 +262,13 @@ flush_cb (GObject *source,
f->flushed = TRUE;
}
+#endif
static void
test_flush_busy (Fixture *f,
gconstpointer test_data G_GNUC_UNUSED)
{
+#ifdef ENABLE_DBUS_COOKIE_SHA1
gint initial, started;
gboolean ok;
@@ -303,12 +313,16 @@ test_flush_busy (Fixture *f,
*/
g_assert_cmpint (my_output_stream_get_bytes_flushed (f->client_ostream),
>=, started);
+#else /* ENABLE_DBUS_COOKIE_SHA1 */
+ g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled");
+#endif
}
static void
test_flush_idle (Fixture *f,
gconstpointer test_data G_GNUC_UNUSED)
{
+#ifdef ENABLE_DBUS_COOKIE_SHA1
gint initial, finished;
gboolean ok;
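Review bot: `test_flush_busy` and `test_flush_idle` check output-stream flushing, not the authentication mechanism, yet with the `#else` branches they disappear whenever DBUS_COOKIE_SHA1 is disabled. The body of `setup()` is outside the hunks, so which mechanism the fixture negotiates is not visible here. If the dependency exists only because the fixture runs over a pipe where EXTERNAL is unavailable, consider letting the fixture authenticate with ANONYMOUS in that configuration so the flush path stays covered. The bare `#endif` lines in this file would also read better with the same `/* ENABLE_DBUS_COOKIE_SHA1 */` trailer used on the others.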
@@ -338,12 +352,16 @@ test_flush_idle (Fixture *f,
*/
g_assert_cmpint (my_output_stream_get_bytes_flushed (f->client_ostream),
>=, finished);
+#else /* ENABLE_DBUS_COOKIE_SHA1 */
+ g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled");
+#endif
}
static void
teardown (Fixture *f,
gconstpointer test_data G_GNUC_UNUSED)
{
+#ifdef ENABLE_DBUS_COOKIE_SHA1
g_clear_error (&f->error);
g_clear_object (&f->client_stream);
@@ -358,6 +376,7 @@ teardown (Fixture *f,
g_clear_object (&f->server_conn);
g_free (f->guid);
+#endif
}
/* ---------------------------------------------------------------------------------------------------- */
diff --git a/gio/tests/gdbus-non-socket.c b/gio/tests/gdbus-non-socket.c
index 911aff262..b6ee34d3e 100644
--- a/gio/tests/gdbus-non-socket.c
+++ b/gio/tests/gdbus-non-socket.c
@@ -32,10 +32,10 @@
#include "gdbus-tests.h"
-static GMainLoop *loop = NULL;
-
/* ---------------------------------------------------------------------------------------------------- */
-#ifdef G_OS_UNIX
+#if defined(G_OS_UNIX) && defined(ENABLE_DBUS_COOKIE_SHA1)
+
+static GMainLoop *loop = NULL;
#include "test-pipe-unix.h"
#include "test-io-stream.h"
@@ -276,12 +276,13 @@ test_non_socket (void)
exit (0);
}
-#else /* G_OS_UNIX */
+#else /* G_OS_UNIX && ENABLE_DBUS_COOKIE_SHA1 */
static void
test_non_socket (void)
{
/* TODO: test this with e.g. GWin32InputStream/GWin32OutputStream */
+ g_test_skip ("This test only works on Unix with DBUS_COOKIE_SHA1 authentication enabled");
}
#endif
diff --git a/gio/tests/gdbus-peer.c b/gio/tests/gdbus-peer.c
index 2f2caf77a..39c665248 100644
--- a/gio/tests/gdbus-peer.c
+++ b/gio/tests/gdbus-peer.c
@@ -1589,6 +1589,7 @@ delayed_message_processing (void)
/* ---------------------------------------------------------------------------------------------------- */
+#ifdef ENABLE_DBUS_COOKIE_SHA1
static gboolean
nonce_tcp_on_authorize_authenticated_peer (GDBusAuthObserver *observer,
GIOStream *stream,
@@ -1670,10 +1671,12 @@ nonce_tcp_service_thread_func (gpointer user_data)
return NULL;
}
+#endif
static void
test_nonce_tcp (void)
{
+#ifdef ENABLE_DBUS_COOKIE_SHA1
PeerData data;
GError *error;
GThread *service_thread;
@@ -1796,6 +1799,9 @@ test_nonce_tcp (void)
g_main_loop_unref (loop);
g_free (test_guid);
+#else
+ g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled");
+#endif
}
static void
diff --git a/gio/tests/gdbus-server-auth.c b/gio/tests/gdbus-server-auth.c
index bd1443eb1..c764256c5 100644
--- a/gio/tests/gdbus-server-auth.c
+++ b/gio/tests/gdbus-server-auth.c
@@ -495,7 +495,11 @@ test_server_auth_abstract (void)
static void
test_server_auth_tcp (void)
{
+#ifdef ENABLE_DBUS_COOKIE_SHA1
do_test_server_auth (INTEROP_FLAGS_TCP);
+#else
+ g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled");
+#endif
}
static void
@@ -525,13 +529,21 @@ test_server_auth_external_require_same_user (void)
static void
test_server_auth_sha1 (void)
{
+#ifdef ENABLE_DBUS_COOKIE_SHA1
do_test_server_auth (INTEROP_FLAGS_SHA1);
+#else
+ g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled");
+#endif
}
static void
test_server_auth_sha1_tcp (void)
{
+#ifdef ENABLE_DBUS_COOKIE_SHA1
do_test_server_auth (INTEROP_FLAGS_SHA1 | INTEROP_FLAGS_TCP);
+#else
+ g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled");
+#endif
}
int
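Review bot: Skipping `test_server_auth_sha1` and `test_server_auth_sha1_tcp` here, and `test_server_auth_tcp` in the previous hunk, leaves the disabled configuration with no test at all. For an option whose purpose is to remove an authentication mechanism, the `#else` branch is the place to assert that the mechanism is really gone: the server does not offer DBUS_COOKIE_SHA1, and a TCP client is rejected rather than authenticated some other way. `do_test_server_auth` is outside the hunk, so whether it can express an expected failure is not visible; if it cannot, a small dedicated negative test would do.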
diff --git a/meson.build b/meson.build
index 075287ac0..0c2c311bb 100644
--- a/meson.build
+++ b/meson.build
@@ -2390,6 +2390,10 @@ if host_system != 'windows'
install_dir : join_paths(get_option('datadir'), 'glib-2.0', 'valgrind'))
endif
+if get_option('dbus_cookie_sha1').enabled()
+ glib_conf.set('ENABLE_DBUS_COOKIE_SHA1', 1)
+endif
+
configure_file(output : 'config.h', configuration : glib_conf)
if host_system == 'windows'
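Review bot: `get_option('dbus_cookie_sha1').enabled()` is false when the feature is set to `auto`, so `-Ddbus_cookie_sha1=auto` builds without the mechanism and says nothing about it. There is nothing to auto-detect here, so either test `not get_option('dbus_cookie_sha1').disabled()` or declare the option as a `boolean`. Since the commit message says disabling breaks D-Bus on Windows, this block could also reject that combination when `host_system == 'windows'` instead of relying on the packager to know.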
diff --git a/meson_options.txt b/meson_options.txt
index 6cd7bc90a..fd103aaa4 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -121,4 +121,9 @@ option('glib_checks',
option('libelf',
type : 'feature',
value : 'auto',
- description : 'Enable support for listing and extracting from ELF resource files with gresource tool')
\ No newline at end of file
+ description : 'Enable support for listing and extracting from ELF resource files with gresource tool')
+
+option('dbus_cookie_sha1',
+ type : 'feature',
+ value : 'enabled',
+ description : 'Allow GDBus to use the DBUS_COOKIE_SHA1 authentication mechanism')
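Review bot: The description of `dbus_cookie_sha1` does not tell a packager what stops working when the option is turned off. The commit message lists it (D-Bus over TCP, over pipes, and on Windows), and that belongs in the option text, for example `description : 'Allow GDBus to use the DBUS_COOKIE_SHA1 authentication mechanism (needed for D-Bus over TCP, pipes and on Windows)'`.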