Review Request 124140: Ported over to Netty and added SSL support

Albert Vaca Cintora albertvaka at gmail.com
Tue Aug 25 16:40:34 UTC 2015



> On Aug. 25, 2015, 9:09 a.m., Albert Vaca Cintora wrote:
> > src/org/kde/kdeconnect/Device.java, line 567
> > <https://git.reviewboard.kde.org/r/124140/diff/6/?file=398262#file398262line567>
> >
> >     Here if you receive an unencrypted package, it won't enter this "if" statement and you won't try to decrypt it, but the package will get passed to the Device anyway by this function. This means that your code accepts unencrypted packages, and that's a security problem.
> 
> Vineet Garg wrote:
>     It is the job of lanlink to decrypt the package if it is received encrypted. Device never receives an encrypted package; it always receives unencrypted packages. After this it is checked by Device in these conditions. If it is a pair package then it is handled by this condition, else it is passed to plugins only if the device is paired. Else an unpair package is sent. I am not able to see any security problem here. Can you elaborate further?

When Device.packageReceived gets called, we no longer have knowledge about if the package was originally encrypted or not, so Device can't know if it should trust the package or not. We want to make Device able to trust some unencrypted packages, but not all, and that's not possible right now. Can you add a function that is receivedUnpairedPackage or something like that to Device?


- Albert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/124140/#review84344
-----------------------------------------------------------
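
The design point raised in the reply above, as an added sketch that is not code from the review or from kdeconnect-android: the link layer is the only place that knows whether a package arrived encrypted, so it picks the entry point and Device applies a stricter policy on the plaintext one. The classes, the `TYPE_PAIR` value and the rule that only pair requests are accepted in plaintext are assumptions; `receivedUnpairedPackage` is the name suggested in the reply.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified stand-ins (hypothetical), not the kdeconnect-android classes.
public class TrustBoundarySketch {
    static final String TYPE_PAIR = "pair"; // constructed type name for this sketch

    static final class Packet {
        final String type;
        Packet(String type) { this.type = type; }
    }

    static final class Device {
        private final boolean paired;
        private int pairRequests = 0;
        final List<String> deliveredToPlugins = new ArrayList<>();
        final List<String> rejected = new ArrayList<>();

        Device(boolean paired) { this.paired = paired; }

        // Entry point for packages the link received encrypted and decrypted itself.
        void packageReceived(Packet p) {
            if (TYPE_PAIR.equals(p.type)) { pairRequests++; return; }
            if (paired) deliveredToPlugins.add(p.type);
            else rejected.add(p.type);
        }

        // Entry point for packages that arrived in plaintext. Assumed policy:
        // only pair requests are accepted, even when the device is paired.
        void receivedUnpairedPackage(Packet p) {
            if (TYPE_PAIR.equals(p.type)) pairRequests++;
            else rejected.add(p.type);
        }
    }

    // Link layer: routes by how the package arrived, so the information
    // is not lost before Device makes its trust decision.
    static void deliver(Device d, Packet p, boolean arrivedEncrypted) {
        if (arrivedEncrypted) d.packageReceived(p);
        else d.receivedUnpairedPackage(p);
    }

    public static void main(String[] args) {
        Device d = new Device(true);                // already paired
        deliver(d, new Packet("ping"), true);       // encrypted: reaches plugins
        deliver(d, new Packet("ping"), false);      // plaintext: rejected
        deliver(d, new Packet(TYPE_PAIR), false);   // plaintext pair request: handled
        System.out.println("plugins=" + d.deliveredToPlugins
                + " rejected=" + d.rejected + " pairRequests=" + d.pairRequests);
    }
}
```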


On Aug. 25, 2015, 8:17 a.m., Vineet Garg wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/124140/
> -----------------------------------------------------------
> 
> (Updated Aug. 25, 2015, 8:17 a.m.)
> 
> 
> Review request for kdeconnect and Albert Vaca Cintora.
> 
> 
> Repository: kdeconnect-android
> 
> 
> Description
> -------
> 
> * Since MINA was tying hands in adding SSL, ported over to Netty, which has a good, clean and easy interface and a larger user and developer base.
> * Added support to set up links on SSL
> * Links automatically removed if wrong certificate is sent
> * Shows keys based on hash of certificate to check right certificates are received
> * Added a preference to use SSL, as it is experienced to cause high CPU usage on devices.
> * Corrected unit tests, LanLinkProvider is removed as it is nearly impossible to write it with current design. Will find a way
> 
> 
> Diffs
> -----
> 
>   build.gradle b36cf14 
>   libs/netty-handler.jar PRE-CREATION 
>   proguard-rules.pro ac9cda5 
>   res/values/strings.xml c128342 
>   src/org/kde/kdeconnect/Backends/BaseLink.java 53407f0 
>   src/org/kde/kdeconnect/Backends/BasePairingHandler.java PRE-CREATION 
>   src/org/kde/kdeconnect/Backends/LanBackend/LanLink.java c070126 
>   src/org/kde/kdeconnect/Backends/LanBackend/LanLinkProvider.java 0cb1ee3 
>   src/org/kde/kdeconnect/Backends/LanBackend/LanPairingHandler.java PRE-CREATION 
>   src/org/kde/kdeconnect/Backends/LoopbackBackend/LoopbackLink.java add92f8 
>   src/org/kde/kdeconnect/Backends/LoopbackBackend/LoopbackLinkProvider.java bd9c41b 
>   src/org/kde/kdeconnect/Backends/LoopbackBackend/LoopbackPairingHandler.java PRE-CREATION 
>   src/org/kde/kdeconnect/BackgroundService.java 37baddb 
>   src/org/kde/kdeconnect/Device.java a0b9392 
>   src/org/kde/kdeconnect/Helpers/SecurityHelpers/RsaHelper.java PRE-CREATION 
>   src/org/kde/kdeconnect/Helpers/SecurityHelpers/SslHelper.java PRE-CREATION 
>   src/org/kde/kdeconnect/NetworkPackage.java a4ef7d0 
>   src/org/kde/kdeconnect/UserInterface/DeviceActivity.java fe3c470 
>   src/org/kde/kdeconnect/UserInterface/PairActivity.java 7a45751 
>   tests/org/kde/kdeconnect/DeviceTest.java 5d3383d 
>   tests/org/kde/kdeconnect/LanLinkProviderTest.java 0c1eb58 
>   tests/org/kde/kdeconnect/LanLinkTest.java d3d94c9 
>   tests/org/kde/kdeconnect/NetworkPackageTest.java a21114e 
> 
> Diff: https://git.reviewboard.kde.org/r/124140/diff/
> 
> 
> Testing
> -------
> 
> Tested on some devices where both support SSL, and also with a PC where SSL is not supported; working fine. Needs a little more testing with more devices.
> 
> 
> Thanks,
> 
> Vineet Garg
> 
>
