[glib/mcatanzaro/dbus-cookie-sha1] Allow building with DBUS_COOKIE_SHA1 authentication disabled




commit 5e40f5c35ed57b9ab8c54fc8c394e96364b50108
Author: Michael Catanzaro <mcatanzaro redhat com>
Date:   Wed Dec 1 16:10:44 2021 -0600

    Allow building with DBUS_COOKIE_SHA1 authentication disabled
    
    For RHEL and Fedora, we don't want SHA-1 to be used for authentication
    purposes anymore unless the user explicitly opts in to an insecure
    authentication configuration. The easiest way to do this is to disable
    it at build time.
    
    Normally this is fine because EXTERNAL authentication takes precedence
    over DBUS_COOKIE_SHA1 authentication. EXTERNAL only works for D-Bus over
    Unix sockets, but that's 99% of D-Bus usage. This is going to break use
    of D-Bus over TCP or over pipes, though.
    
    Fixes #2546

 gio/gdbusauth.c                    |  2 ++
 gio/gdbusauthmechanismsha1.c       |  4 ++++
 gio/gdbusauthmechanismsha1.h       |  4 +++-
 gio/tests/gdbus-auth.c             |  8 ++++++++
 gio/tests/gdbus-connection-flush.c | 19 +++++++++++++++++++
 gio/tests/gdbus-non-socket.c       |  9 +++++----
 gio/tests/gdbus-peer.c             |  6 ++++++
 gio/tests/gdbus-server-auth.c      | 12 ++++++++++++
 meson.build                        |  4 ++++
 meson_options.txt                  |  7 ++++++-
 10 files changed, 69 insertions(+), 6 deletions(-)
---
diff --git a/gio/gdbusauth.c b/gio/gdbusauth.c
index 74c178dbf..f6a88f1c3 100644
--- a/gio/gdbusauth.c
+++ b/gio/gdbusauth.c
@@ -232,7 +232,9 @@ _g_dbus_auth_add_mechs (GDBusAuth         *auth,
 {
   /* TODO: trawl extension points */
   add_mechanism (auth, observer, G_TYPE_DBUS_AUTH_MECHANISM_ANON);
+#ifdef ENABLE_DBUS_COOKIE_SHA1
   add_mechanism (auth, observer, G_TYPE_DBUS_AUTH_MECHANISM_SHA1);
+#endif
   add_mechanism (auth, observer, G_TYPE_DBUS_AUTH_MECHANISM_EXTERNAL);
 
   auth->priv->available_mechanisms = g_list_sort (auth->priv->available_mechanisms,
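Review bot: With the SHA1 line compiled out, the list built here holds only ANONYMOUS and EXTERNAL, and the commit message says EXTERNAL works only over Unix sockets, so TCP and pipe peers appear to be left with ANONYMOUS as the sole mechanism. That deserves a comment at the `#ifdef`, for example `/* Without DBUS_COOKIE_SHA1, transports that cannot use EXTERNAL can only authenticate if ANONYMOUS is allowed. */`. The comment would stop a later maintainer from repairing a failing TCP setup by permitting anonymous peers without seeing the trade-off. The body of _g_dbus_auth_add_mechs continues past the end of this hunk.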
diff --git a/gio/gdbusauthmechanismsha1.c b/gio/gdbusauthmechanismsha1.c
index 94fe0bce8..066a198fd 100644
--- a/gio/gdbusauthmechanismsha1.c
+++ b/gio/gdbusauthmechanismsha1.c
@@ -20,6 +20,8 @@
 
 #include "config.h"
 
+#ifdef ENABLE_DBUS_COOKIE_SHA1
+
 #include <string.h>
 #include <fcntl.h>
 #include <errno.h>
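Review bot: Guarding the whole file after `#include "config.h"` leaves a translation unit with no declarations when the option is off, assuming config.h contributes only macros, and GCC reports that under `-Wpedantic` as an empty translation unit. It would be cleaner to leave gdbusauthmechanismsha1.c out of the source list in the build files when the option is disabled. The matching `#endif` is in the next hunk, and the build file that lists this source is not part of the diff.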
@@ -1257,3 +1259,5 @@ mechanism_client_shutdown (GDBusAuthMechanism   *mechanism)
 }
 
 /* ---------------------------------------------------------------------------------------------------- */
+
+#endif /* ENABLE_DBUS_COOKIE_SHA1 */
diff --git a/gio/gdbusauthmechanismsha1.h b/gio/gdbusauthmechanismsha1.h
index 0e563fd2c..67686d7e4 100644
--- a/gio/gdbusauthmechanismsha1.h
+++ b/gio/gdbusauthmechanismsha1.h
@@ -25,6 +25,8 @@
 #error "gdbusauthmechanismsha1.h is a private header file."
 #endif
 
+#ifdef ENABLE_DBUS_COOKIE_SHA1
+
 #include <gio/giotypes.h>
 #include <gio/gdbusauthmechanism.h>
 
@@ -55,7 +57,7 @@ struct _GDBusAuthMechanismSha1
 
 GType _g_dbus_auth_mechanism_sha1_get_type (void) G_GNUC_CONST;
 
-
 G_END_DECLS
 
+#endif /* ENABLE_DBUS_COOKIE_SHA1 */
 #endif /* __G_DBUS_AUTH_MECHANISM_SHA1_H__ */
diff --git a/gio/tests/gdbus-auth.c b/gio/tests/gdbus-auth.c
index 18288f36d..686516bd7 100644
--- a/gio/tests/gdbus-auth.c
+++ b/gio/tests/gdbus-auth.c
@@ -213,7 +213,11 @@ auth_client_external (void)
 static void
 auth_client_dbus_cookie_sha1 (void)
 {
+#ifdef ENABLE_DBUS_COOKIE_SHA1
   test_auth_mechanism ("DBUS_COOKIE_SHA1", NULL);
+#else
+  g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled");
+#endif
 }
 
 static void
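Review bot: `ENABLE_DBUS_COOKIE_SHA1` comes from the generated config.h, and nothing in this hunk shows this test file including it. If it does not, the `#else` branch is always taken and both DBUS_COOKIE_SHA1 tests report as skipped even in a build that has the mechanism enabled. Please confirm `#include "config.h"` is present at the top of the file and add it if not. The same check applies to auth_server_dbus_cookie_sha1 in the next hunk and to the other test files this commit guards with the macro. A silent skip removes coverage of this authentication path without failing the suite.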
@@ -231,7 +235,11 @@ auth_server_external (void)
 static void
 auth_server_dbus_cookie_sha1 (void)
 {
+#ifdef ENABLE_DBUS_COOKIE_SHA1
   test_auth_mechanism (NULL, "DBUS_COOKIE_SHA1");
+#else
+  g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled");
+#endif
 }
 
 /* ---------------------------------------------------------------------------------------------------- */
diff --git a/gio/tests/gdbus-connection-flush.c b/gio/tests/gdbus-connection-flush.c
index 8c925825a..81bdb36cd 100644
--- a/gio/tests/gdbus-connection-flush.c
+++ b/gio/tests/gdbus-connection-flush.c
@@ -29,6 +29,8 @@
 #include "test-io-stream.h"
 #include "test-pipe-unix.h"
 
+#ifdef ENABLE_DBUS_COOKIE_SHA1
+
 #define MY_TYPE_OUTPUT_STREAM \
         (my_output_stream_get_type ())
 #define MY_OUTPUT_STREAM(o) \
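Review bot: Nothing in this file says why flush tests depend on an authentication mechanism, and the guard added here is the first of about ten scattered through it. Presumably the tests connect over a pipe, where EXTERNAL is unavailable; a comment at this first `#ifdef` such as `/* These tests speak D-Bus over a pipe, which needs DBUS_COOKIE_SHA1 to authenticate. */` would record that. Since every test in the file is affected, a single guard around the test registrations in main(), which is outside the diff, would avoid leaving setup() and teardown() as empty functions with an unused `f`. The `#endif` lines in setup(), flush_cb() and teardown() also lack the trailing `/* ENABLE_DBUS_COOKIE_SHA1 */` comment used elsewhere in the file.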
@@ -150,6 +152,7 @@ my_output_stream_class_init (MyOutputStreamClass *cls)
   ostream_class->write_fn = my_output_stream_write;
   ostream_class->flush = my_output_stream_flush;
 }
+#endif /* ENABLE_DBUS_COOKIE_SHA1 */
 
 /* ---------------------------------------------------------------------------------------------------- */
 
@@ -170,6 +173,7 @@ typedef struct {
     GDBusConnection *server_conn;
 } Fixture;
 
+#ifdef ENABLE_DBUS_COOKIE_SHA1
 static void
 setup_client_cb (GObject      *source,
                  GAsyncResult *res,
@@ -195,11 +199,13 @@ setup_server_cb (GObject      *source,
   g_assert (G_IS_DBUS_CONNECTION (f->server_conn));
   g_assert (f->server_conn == G_DBUS_CONNECTION (source));
 }
+#endif /* ENABLE_DBUS_COOKIE_SHA1 */
 
 static void
 setup (Fixture       *f,
        gconstpointer  test_data G_GNUC_UNUSED)
 {
+#ifdef ENABLE_DBUS_COOKIE_SHA1
   gboolean ok;
 
   f->guid = g_dbus_generate_guid ();
@@ -234,8 +240,10 @@ setup (Fixture       *f,
 
   while (f->client_conn == NULL || f->server_conn == NULL)
     g_main_context_iteration (NULL, TRUE);
+#endif
 }
 
+#ifdef ENABLE_DBUS_COOKIE_SHA1
 static void
 flush_cb (GObject      *source,
           GAsyncResult *res,
@@ -254,11 +262,13 @@ flush_cb (GObject      *source,
 
   f->flushed = TRUE;
 }
+#endif
 
 static void
 test_flush_busy (Fixture       *f,
                  gconstpointer  test_data G_GNUC_UNUSED)
 {
+#ifdef ENABLE_DBUS_COOKIE_SHA1
   gint initial, started;
   gboolean ok;
 
@@ -303,12 +313,16 @@ test_flush_busy (Fixture       *f,
    */
   g_assert_cmpint (my_output_stream_get_bytes_flushed (f->client_ostream),
                    >=, started);
+#else /* ENABLE_DBUS_COOKIE_SHA1 */
+  g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled");
+#endif
 }
 
 static void
 test_flush_idle (Fixture       *f,
                  gconstpointer  test_data G_GNUC_UNUSED)
 {
+#ifdef ENABLE_DBUS_COOKIE_SHA1
   gint initial, finished;
   gboolean ok;
 
@@ -338,12 +352,16 @@ test_flush_idle (Fixture       *f,
    */
   g_assert_cmpint (my_output_stream_get_bytes_flushed (f->client_ostream),
                    >=, finished);
+#else /* ENABLE_DBUS_COOKIE_SHA1 */
+  g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled");
+#endif
 }
 
 static void
 teardown (Fixture       *f,
           gconstpointer  test_data G_GNUC_UNUSED)
 {
+#ifdef ENABLE_DBUS_COOKIE_SHA1
   g_clear_error (&f->error);
 
   g_clear_object (&f->client_stream);
@@ -358,6 +376,7 @@ teardown (Fixture       *f,
   g_clear_object (&f->server_conn);
 
   g_free (f->guid);
+#endif
 }
 
 /* ---------------------------------------------------------------------------------------------------- */
diff --git a/gio/tests/gdbus-non-socket.c b/gio/tests/gdbus-non-socket.c
index 911aff262..b6ee34d3e 100644
--- a/gio/tests/gdbus-non-socket.c
+++ b/gio/tests/gdbus-non-socket.c
@@ -32,10 +32,10 @@
 
 #include "gdbus-tests.h"
 
-static GMainLoop *loop = NULL;
-
 /* ---------------------------------------------------------------------------------------------------- */
-#ifdef G_OS_UNIX
+#if defined(G_OS_UNIX) && defined(ENABLE_DBUS_COOKIE_SHA1)
+
+static GMainLoop *loop = NULL;
 
 #include "test-pipe-unix.h"
 #include "test-io-stream.h"
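Review bot: The `static GMainLoop *loop = NULL;` definition now sits above the `#include "test-pipe-unix.h"` and `#include "test-io-stream.h"` lines inside the guarded region. Moving it below those includes keeps declarations after headers and matches the usual layout of the other test files. The guarded region continues past the end of this hunk.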
@@ -276,12 +276,13 @@ test_non_socket (void)
   exit (0);
 }
 
-#else /* G_OS_UNIX */
+#else /* G_OS_UNIX && ENABLE_DBUS_COOKIE_SHA1 */
 
 static void
 test_non_socket (void)
 {
   /* TODO: test this with e.g. GWin32InputStream/GWin32OutputStream */
+  g_test_skip ("This test only works on Unix with DBUS_COOKIE_SHA1 authentication enabled");
 }
 #endif
 
diff --git a/gio/tests/gdbus-peer.c b/gio/tests/gdbus-peer.c
index 2f2caf77a..39c665248 100644
--- a/gio/tests/gdbus-peer.c
+++ b/gio/tests/gdbus-peer.c
@@ -1589,6 +1589,7 @@ delayed_message_processing (void)
 
 /* ---------------------------------------------------------------------------------------------------- */
 
+#ifdef ENABLE_DBUS_COOKIE_SHA1
 static gboolean
 nonce_tcp_on_authorize_authenticated_peer (GDBusAuthObserver *observer,
                                            GIOStream         *stream,
@@ -1670,10 +1671,12 @@ nonce_tcp_service_thread_func (gpointer user_data)
 
   return NULL;
 }
+#endif
 
 static void
 test_nonce_tcp (void)
 {
+#ifdef ENABLE_DBUS_COOKIE_SHA1
   PeerData data;
   GError *error;
   GThread *service_thread;
@@ -1796,6 +1799,9 @@ test_nonce_tcp (void)
 
   g_main_loop_unref (loop);
   g_free (test_guid);
+#else
+  g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled");
+#endif
 }
 
 static void
diff --git a/gio/tests/gdbus-server-auth.c b/gio/tests/gdbus-server-auth.c
index bd1443eb1..c764256c5 100644
--- a/gio/tests/gdbus-server-auth.c
+++ b/gio/tests/gdbus-server-auth.c
@@ -495,7 +495,11 @@ test_server_auth_abstract (void)
 static void
 test_server_auth_tcp (void)
 {
+#ifdef ENABLE_DBUS_COOKIE_SHA1
   do_test_server_auth (INTEROP_FLAGS_TCP);
+#else
+  g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled");
+#endif
 }
 
 static void
@@ -525,13 +529,21 @@ test_server_auth_external_require_same_user (void)
 static void
 test_server_auth_sha1 (void)
 {
+#ifdef ENABLE_DBUS_COOKIE_SHA1
   do_test_server_auth (INTEROP_FLAGS_SHA1);
+#else
+  g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled");
+#endif
 }
 
 static void
 test_server_auth_sha1_tcp (void)
 {
+#ifdef ENABLE_DBUS_COOKIE_SHA1
   do_test_server_auth (INTEROP_FLAGS_SHA1 | INTEROP_FLAGS_TCP);
+#else
+  g_test_skip ("DBUS_COOKIE_SHA1 authentication is disabled");
+#endif
 }
 
 int
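Review bot: The `#else` branches of test_server_auth_sha1 and test_server_auth_sha1_tcp only skip, so no test checks that a build with the option off actually refuses DBUS_COOKIE_SHA1. Because the option exists to keep SHA-1 out of authentication, the disabled build should carry a negative test in place of the skip: a connection attempt restricted to DBUS_COOKIE_SHA1 must fail to authenticate. Without it, a later change that re-registers the mechanism unconditionally would pass the suite unnoticed. do_test_server_auth is defined outside this hunk, so whether it can already express an expected failure is not visible here.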
diff --git a/meson.build b/meson.build
index 075287ac0..006a6202b 100644
--- a/meson.build
+++ b/meson.build
@@ -2390,6 +2390,10 @@ if host_system != 'windows'
     install_dir : join_paths(get_option('datadir'), 'glib-2.0', 'valgrind'))
 endif
 
+if (get_option('dbus_cookie_sha1') == 'enabled')
+    glib_conf.set('ENABLE_DBUS_COOKIE_SHA1', 1)
+endif
+
 configure_file(output : 'config.h', configuration : glib_conf)
 
 if host_system == 'windows'
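Review bot: `get_option('dbus_cookie_sha1')` returns a feature object for an option of type `feature`, so comparing it with the string `'enabled'` is not the supported test, and newer Meson releases reject comparisons between different types. Use `if get_option('dbus_cookie_sha1').enabled()` instead. Decide as well what `auto` should mean: as written it would leave ENABLE_DBUS_COOKIE_SHA1 undefined, so `if not get_option('dbus_cookie_sha1').disabled()` may be closer to the intent. Alternatively the option in meson_options.txt could be a plain `boolean`, since nothing is auto-detected.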
diff --git a/meson_options.txt b/meson_options.txt
index 6cd7bc90a..fd103aaa4 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -121,4 +121,9 @@ option('glib_checks',
 option('libelf',
        type : 'feature',
        value : 'auto',
-       description : 'Enable support for listing and extracting from ELF resource files with gresource tool')
\ No newline at end of file
+       description : 'Enable support for listing and extracting from ELF resource files with gresource tool')
+
+option('dbus_cookie_sha1',
+       type : 'feature',
+       value : 'enabled',
+       description : 'Allow GDBus to use the DBUS_COOKIE_SHA1 authentication mechanism')

