Bug 458341 - KWallet/SecretService: Support "plain" algorithm for DBus communications
Status: RESOLVED FIXED
Alias: None
Product: frameworks-kwallet
Classification: Frameworks and Libraries
Component: general
Version: 5.97.0
Platform: unspecified Linux
Importance: NOR wishlist
Target Milestone: ---
Assignee: Valentin Rusu
Reported: 2022-08-26 12:30 UTC by michaelk83
Modified: 2022-11-11 01:40 UTC

Description michaelk83 2022-08-26 12:30:45 UTC
Based on https://invent.kde.org/frameworks/kwallet/-/issues/3

SUMMARY
KWallet introduced Secret Service API support in 5.97.0, but only using encrypted communication over DBus ("dh-ietf1024-sha256-aes128-cbc-pkcs7" algorithm). https://invent.kde.org/frameworks/kwallet/-/blob/master/src/runtime/kwalletd/kwalletfreedesktopservice.cpp#L265

Some applications use a hardcoded "plain" algorithm for secret transfer and the specification says: "It is strongly recommended that a service implementing this API support the plain algorithm."  
https://specifications.freedesktop.org/secret-service/latest/ch07s02.html

It would be awesome if "plain" would also be supported to support more applications.

SOFTWARE/OS VERSIONS
KDE Frameworks Version: 5.97.0
Comment 1 michaelk83 2022-08-26 12:37:00 UTC
That said, apps should generally use QtKeyChain or at least `libsecret` to communicate with the Secret Service API, so this is more a matter of completeness and broader compatibility with existing apps.
Comment 2 Bug Janitor Service 2022-09-03 21:07:38 UTC
A possibly relevant merge request was started @ https://invent.kde.org/frameworks/kwallet/-/merge_requests/35
Comment 3 tgpski 2022-10-07 23:06:34 UTC
This change was either intentional or a regression. After upgrading KWallet today, I was locked out of my company VPN due to the plain algorithm being used in wallet communications between the VPN frontend and the keyring.

The upgrade today was from KWallet 5.96.0 to 5.98.0.

The plain algorithm support worked for versions 5.96 and lower. Therefore, a change to restrict this algorithm must have been introduced in 5.97.

Can we not revert this change?
Comment 5 michaelk83 2022-10-08 11:40:24 UTC
(In reply to tgpski from comment #3)
> After upgrading KWallet today, I was locked out of my company VPN due to the plain algorithm
> being used in wallet communications between the VPN frontend and the keyring.
> 
> The upgrade today was from KWallet 5.96.0 to 5.98.0.

5.97 introduced Secret Service API support in KWallet; there was no Secret Service support at all prior to that. The "plain" algorithm discussed here is specifically the "plain" algorithm for the Secret Service API, which was never implemented.

What I suspect in your case is that possibly the VPN client was using the Secret Service API to store its credentials in Gnome keyring. You can try disabling Secret Service support in the KWallet settings to see if that resolves your issue (you may need to kill the `kwalletd5` process or restart the PC for the change to take effect). If that doesn't help, you'll need to provide more details on the software you are using. But this is not likely to be related to this issue.
Comment 6 Nicolas Fella 2022-10-11 21:32:37 UTC
Git commit b9ada3a3c9a75e5244e55afa01eb3bf3c6f5c7f3 by Nicolas Fella, on behalf of Georg Kotheimer.
Committed on 11/10/2022 at 21:25.
Pushed by nicolasfella into branch 'master'.

Add support for plain transfer algorithm to Secret Service API

Move the secret transfer encryption and decryption logic from
KWalletFreedesktopSession to the newly introduced
KWalletFreedesktopSessionAlgorithm class, abstracting from the concrete
secret transfer algorithm in use.

M  +35   -29   src/runtime/kwalletd/kwalletfreedesktopservice.cpp
M  +5    -6    src/runtime/kwalletd/kwalletfreedesktopservice.h
M  +73   -26   src/runtime/kwalletd/kwalletfreedesktopsession.cpp
M  +34   -13   src/runtime/kwalletd/kwalletfreedesktopsession.h

https://invent.kde.org/frameworks/kwallet/commit/b9ada3a3c9a75e5244e55afa01eb3bf3c6f5c7f3
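
The interoperability problem described in this report, modelled as an added example (not KWallet's code and not part of the original thread): a service that accepts only "dh-ietf1024-sha256-aes128-cbc-pkcs7" rejects a client that hardcodes "plain", while a client that prefers the encrypted algorithm and falls back to "plain" works against either kind of service. `MockService`, `NotSupported` and `negotiate` are hypothetical names, no real D-Bus traffic is involved, and the key bytes are placeholders.

```python
"""Constructed model of Secret Service OpenSession negotiation (no real D-Bus)."""

PLAIN = "plain"
DH_AES = "dh-ietf1024-sha256-aes128-cbc-pkcs7"


class NotSupported(Exception):
    """Stands in for the D-Bus error org.freedesktop.DBus.Error.NotSupported."""


class MockService:
    """Hypothetical service that accepts only the algorithms it is given."""

    def __init__(self, supported):
        self.supported = set(supported)
        self.sessions = 0

    def open_session(self, algorithm, client_input):
        if algorithm not in self.supported:
            raise NotSupported(algorithm)
        self.sessions += 1
        path = f"/org/freedesktop/secrets/session/s{self.sessions}"
        # "plain" exchanges empty input/output; with the DH algorithm the
        # service answers with its public key (placeholder bytes here).
        output = b"" if algorithm == PLAIN else b"<service-dh-public-key>"
        return output, path


def negotiate(service, preferences):
    """Try algorithms in order; return (algorithm, session_path, rejected)."""
    rejected = []
    for algorithm in preferences:
        client_input = b"" if algorithm == PLAIN else b"<client-dh-public-key>"
        try:
            _, path = service.open_session(algorithm, client_input)
            return algorithm, path, rejected
        except NotSupported:
            rejected.append(algorithm)  # remember what the service refused
    raise NotSupported(f"no common algorithm, tried: {rejected}")


if __name__ == "__main__":
    dh_only = MockService([DH_AES])        # behaviour described for 5.97.0
    both = MockService([DH_AES, PLAIN])    # behaviour after plain support
    print(negotiate(dh_only, [DH_AES, PLAIN]))
    print(negotiate(both, [PLAIN]))
    try:
        negotiate(dh_only, [PLAIN])        # client with hardcoded "plain"
    except NotSupported as err:
        print("rejected:", err)
```

Listing the encrypted algorithm first means a client only ends up on "plain", where the secret crosses the bus unencrypted, when the service offers nothing else.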