From bd27aec9d23d45f04db7d887e4721be9223612f2 Mon Sep 17 00:00:00 2001
From: Albert Vaca Cintora
Date: Thu, 24 Sep 2020 18:46:57 +0200
Subject: [PATCH] Do not replace connections for a given deviceId if the certs have changed

Thanks Matthias Gerstner for reporting this.
---
 core/backends/lan/landevicelink.cpp | 5 +++++
 core/backends/lan/landevicelink.h | 1 +
 core/backends/lan/lanlinkprovider.cpp | 6 ++++++
 3 files changed, 12 insertions(+)

diff --git a/core/backends/lan/landevicelink.cpp b/core/backends/lan/landevicelink.cpp
index 829df9e1d..b3900f7d4 100644
--- a/core/backends/lan/landevicelink.cpp
+++ b/core/backends/lan/landevicelink.cpp
@@ -178,3 +178,8 @@ bool LanDeviceLink::linkShouldBeKeptAlive() {
 //return (mConnectionSource == ConnectionStarted::Remotely || pairStatus() == Paired);
 }
+
+QSslCertificate LanDeviceLink::certificate() const
+{
+ return m_socketLineReader->peerCertificate();
+}
diff --git a/core/backends/lan/landevicelink.h b/core/backends/lan/landevicelink.h
index 1f05ee837..2d8f3e5a8 100644
--- a/core/backends/lan/landevicelink.h
+++ b/core/backends/lan/landevicelink.h
@@ -42,6 +42,7 @@ public:
 bool linkShouldBeKeptAlive() override;
 QHostAddress hostAddress() const;
+ QSslCertificate certificate() const;
 private Q_SLOTS:
 void dataReceived();
diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp
index d07e0b61f..7691419e3 100644
--- a/core/backends/lan/lanlinkprovider.cpp
+++ b/core/backends/lan/lanlinkprovider.cpp
@@ -363,6 +363,12 @@ void LanLinkProvider::encrypted()
 NetworkPacket* receivedPacket = m_receivedIdentityPackets[socket].np;
 const QString& deviceId = receivedPacket->get(QStringLiteral("deviceId"));
+ if (m_links.contains(deviceId) && m_links[deviceId]->certificate() != socket->peerCertificate()) {
+ socket->disconnectFromHost();
+ qCWarning(KDECONNECT_CORE) << "Got connection for the same deviceId but certificates don't match. Ignoring " << deviceId;
+ return;
+ }
+
 addLink(deviceId, socket, receivedPacket, connectionOrigin);
 // Copied from tcpSocketConnected slot, now delete received packet
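Review bot: The early `return` in the new certificate-mismatch branch of `LanLinkProvider::encrypted()` leaves before the cleanup announced by the trailing comment (`now delete received packet`), so `receivedPacket` and its `m_receivedIdentityPackets[socket]` entry appear to stay allocated for every rejected connection. Any peer on the network that announces an already-linked deviceId with a different certificate reaches this branch, so the leftover state can be accumulated remotely; releasing it before returning, e.g. `delete m_receivedIdentityPackets.take(socket).np;`, would close that, assuming nothing on the socket's disconnect path already does so. The condition also looks the link up twice (`contains` followed by `operator[]`), and it compares against the certificate of whichever link is currently live, so it is worth confirming that paired devices are still checked against their stored certificate elsewhere. The function body starts and ends outside the hunk, so the cleanup code itself is not visible here.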