linuxdcpp-team team mailing list archive

[Bug 1436105] [NEW] KEYP checks not in effect with default settings

 

*** This bug is a security vulnerability ***

Private security bug reported:

I posted about this on the hub a few days ago and figured it might be
beneficial to do so here as well.

The issue is that the "allow untrusted" options as they are now are
honest to a fault, i.e. they also disable all KEYP checks when turned on.
The attached patch fixes this. The ConnectionManager and UserConnection
changes are just a micro-optimization not to look up the user twice if we
already have it.

In theory we could also avoid verifying KEYP twice in such a scenario (i.e.
just include the checkKeyprint() call under the added if statement as
well, because if it fails in the first place the execution never reaches
this point, for outgoing connections).

Also, while this is more of a request, it would be nice if someone would
come up with a way to reflect the verify_callback error "KeyPrint
mismatch" in HubFrame.

** Affects: dcplusplus
     Importance: Undecided
     Assignee: Crise (markuwil)
         Status: New

** Attachment added: "3599.patch"
   https://bugs.launchpad.net/bugs/1436105/+attachment/4355018/+files/3599.patch

-- 
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to DC++.
https://bugs.launchpad.net/bugs/1436105
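
The interaction described in the report, as an added example that is not part of the report, the attached patch or the DC++ source: a simplified model of the accept/reject decision, first with "allow untrusted" short-circuiting the KEYP comparison, then with KEYP always compared. All type and function names are hypothetical, the keyprint strings are constructed, and treating the option as relaxing only the chain check is an assumption of this model.

```cpp
#include <cstdio>
#include <string>

// Simplified model of the accept/reject decision; all names are hypothetical.
struct PeerCheck {
    bool chainTrusted;            // certificate chain validated against a trusted root
    std::string peerKeyprint;     // keyprint computed from the certificate the peer presented
    std::string expectedKeyprint; // KEYP known for this peer; empty when none is known
};

static bool keyprintMismatch(const PeerCheck& p) {
    return !p.expectedKeyprint.empty() && p.peerKeyprint != p.expectedKeyprint;
}

// Behaviour the report describes: "allow untrusted" returns before KEYP is compared.
bool acceptAsReported(const PeerCheck& p, bool allowUntrusted) {
    if (allowUntrusted) return true;
    if (keyprintMismatch(p)) return false;
    return p.chainTrusted;
}

// Intended behaviour: a known KEYP is always compared; the option only relaxes the chain check.
bool acceptWithKeypEnforced(const PeerCheck& p, bool allowUntrusted) {
    if (keyprintMismatch(p)) return false;
    return p.chainTrusted || allowUntrusted;
}

int main() {
    // Constructed sample values, not real keyprints.
    const std::string pinned = "SHA256/CONSTRUCTED-PINNED";
    const PeerCheck cases[] = {
        {false, pinned, pinned},                     // self-signed, KEYP matches
        {false, "SHA256/CONSTRUCTED-OTHER", pinned}, // self-signed, KEYP mismatch
        {false, "SHA256/CONSTRUCTED-OTHER", ""},     // self-signed, no KEYP known
    };
    for (const PeerCheck& c : cases)
        std::printf("reported=%d enforced=%d\n",
                    acceptAsReported(c, true), acceptWithKeypEnforced(c, true));
    return 0;
}
```

Only the second case differs between the two functions: a peer whose certificate does not match the known KEYP is accepted by the first and rejected by the second.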
