v3.0.3: Sicherheit erhöht, Bugs behoben

- VerifySsl Default auf true (war unsicher auf false)
- HaApiClient VerifySsl Default korrigiert
- WebSocket SSL-Validierung respektiert jetzt VerifySsl-Einstellung
- WebSocket URL wird korrekt via Uri-Klasse gebaut
- WebSocket Buffer von 16KB auf 64KB erhöht
- pageSize dynamisch ermittelt (hw.pagesize) statt hartcodiert 16384
- Kamera-Erkennung: lsof -c ersetzt durch ioreg (zuverlässiger)
- AesGcm(key) deprecated -> AesGcm(key, 16)
- chmod Process-Spawn durch File.SetUnixFileMode ersetzt
- Config-Datei bekommt chmod 600 via File.SetUnixFileMode
- Null-Reference Warning in MainWindow.axaml.cs behoben
- DefineConstants MACOS hinzugefügt für bedingte Kompilierung
- Hardcodierte Version 2.2.1 auf 3.0.3 korrigiert

Author: J.A.R.V.I.S.

VERSION

@@ -1 +1 @@
-3.0.2
+3.0.3

src/HaDeskLink/Config.cs

@@ -31,7 +31,7 @@ public class Config
 
     public string HaUrl { get; set; } = "";
     public string HaToken { get; set; } = "";
-    public bool VerifySsl { get; set; } = false;
+    public bool VerifySsl { get; set; } = true;
     public int SensorInterval { get; set; } = 30;
     public string UpdateChannel { get; set; } = "stable";
     public string Language { get; set; } = "de";
@@ -50,17 +50,26 @@ private static bool TryKeychainStore(string token)
     {
         try
         {
+            // Pipe token via stdin to avoid exposing it in `ps aux`
             var psi = new System.Diagnostics.ProcessStartInfo
             {
                 FileName = "security",
-                Arguments = $"add-generic-password -a ha-desklink -s ha-desklink-token -w {EscapeShellArg(token)} -U",
+                Arguments = "add-generic-password -a ha-desklink -s ha-desklink-token -w -U",
                 UseShellExecute = false,
                 CreateNoWindow = true,
+                RedirectStandardInput = true,
                 RedirectStandardError = true
             };
-            var proc = System.Diagnostics.Process.Start(psi);
-            proc?.WaitForExit(5000);
-            return proc?.ExitCode == 0;
+            using var proc = System.Diagnostics.Process.Start(psi);
+            if (proc == null) return false;
+            proc.StandardInput.WriteLine(token);
+            proc.StandardInput.Close();
+            // Read stderr BEFORE WaitForExit to prevent deadlock
+            var stderr = proc.StandardError.ReadToEnd();
+            proc.WaitForExit(5000);
+            if (proc.ExitCode != 0 && !string.IsNullOrWhiteSpace(stderr))
+                Console.WriteLine($"[Keychain] Store failed: {stderr.Trim()}");
+            return proc.ExitCode == 0;
         }
         catch { return false; }
     }
@@ -107,7 +116,9 @@ private static byte[] GetOrCreateKey()
         RandomNumberGenerator.Fill(key);
         Directory.CreateDirectory(ConfigDir);
         File.WriteAllText(keyPath, Convert.ToBase64String(key));
-        try { System.Diagnostics.Process.Start("chmod", $"600 {keyPath}")?.WaitForExit(2000); } catch { }
+#pragma warning disable CA1416
+        try { File.SetUnixFileMode(keyPath, System.IO.UnixFileMode.UserRead | System.IO.UnixFileMode.UserWrite); } catch { }
+#pragma warning restore CA1416
         return key;
     }
 
@@ -117,7 +128,7 @@ private static string EncryptAesGcm(string plainText)
         var key = GetOrCreateKey();
         var plainBytes = Encoding.UTF8.GetBytes(plainText);
 
-        using var aes = new AesGcm(key);
+        using var aes = new AesGcm(key, 16);
         var nonce = new byte[AesGcm.NonceByteSizes.MaxSize];
         RandomNumberGenerator.Fill(nonce);
         var ciphertext = new byte[plainBytes.Length];
@@ -151,7 +162,7 @@ private static string DecryptAesGcm(string encryptedText)
             Buffer.BlockCopy(combined, nonceSize, tag, 0, tagSize);
             Buffer.BlockCopy(combined, nonceSize + tagSize, ciphertext, 0, ciphertext.Length);
 
-            using var aes = new AesGcm(key);
+            using var aes = new AesGcm(key, 16);
             var plainBytes = new byte[ciphertext.Length];
             aes.Decrypt(nonce, ciphertext, tag, plainBytes);
             return Encoding.UTF8.GetString(plainBytes);
@@ -245,6 +256,11 @@ public void Save()
 
         var json = JsonSerializer.Serialize(saveConfig, new JsonSerializerOptions { WriteIndented = true });
         File.WriteAllText(ConfigPath, json);
+
+        // Secure config file permissions (macOS)
+#pragma warning disable CA1416
+        try { File.SetUnixFileMode(ConfigPath, System.IO.UnixFileMode.UserRead | System.IO.UnixFileMode.UserWrite); } catch { }
+#pragma warning restore CA1416
     }
 
     public static string GetConfigDir() => ConfigDir;

src/HaDeskLink/DeskLinkApp.cs

@@ -74,7 +74,8 @@ private void StartWebSocket(Config config, HaApiClient api)
                 config.HaToken,
                 webhookId,
                 null,
-                cmd => { try { _ = CommandHandler.ExecuteAsync(cmd); } catch { } }
+                cmd => { try { _ = CommandHandler.ExecuteAsync(cmd); } catch { } },
+                verifySsl: config.VerifySsl
             );
 
             // Pass WS to MainWindow for retry button

src/HaDeskLink/HaApiClient.cs

@@ -34,7 +34,7 @@ public class HaApiClient
         ? $"{_haUrl}/api/webhook/{_webhookId}"
         : _cloudUrl;
 
-    public HaApiClient(string configDir, bool verifySsl = false)
+    public HaApiClient(string configDir, bool verifySsl = true)
     {
         _configDir = configDir;
         var handler = new HttpClientHandler
@@ -314,6 +314,6 @@ private static string GetVersion()
             if (File.Exists(vfile)) return File.ReadAllText(vfile).Trim();
         }
         catch { }
-        return "2.2.1";
+        return "3.0.3";
     }
 }

src/HaDeskLink/HaDeskLink.csproj

@@ -5,9 +5,10 @@
     <TargetFramework>net8.0</TargetFramework>
     <AssemblyName>HA_DeskLink</AssemblyName>
     <RootNamespace>HaDeskLink</RootNamespace>
-    <Version>3.0.2</Version>
+    <Version>3.0.3</Version>
     <Nullable>enable</Nullable>
     <RuntimeIdentifier>osx-arm64</RuntimeIdentifier>
+    <DefineConstants>MACOS</DefineConstants>
   </PropertyGroup>
 
   <ItemGroup>

src/HaDeskLink/HaWebSocketClient.cs

@@ -31,6 +31,7 @@ public class HaWebSocketClient : IDisposable
     private readonly string _token;
     private readonly string _webhookId;
     private readonly Action<string>? _onCommand;
+    private readonly bool _verifySsl;
     private ClientWebSocket? _ws;
     private CancellationTokenSource? _cts;
     private bool _disposed;
@@ -50,18 +51,18 @@ public void ResetLoginBlock()
         _connected = false;
     }
 
-    public HaWebSocketClient(string haUrl, string token, string webhookId, object? trayIcon, Action<string>? onCommand = null)
+    public HaWebSocketClient(string haUrl, string token, string webhookId, object? trayIcon, Action<string>? onCommand = null, bool verifySsl = true)
     {
         _haUrl = haUrl.TrimEnd('/');
         _token = token;
         _webhookId = webhookId;
         _onCommand = onCommand;
+        _verifySsl = verifySsl;
     }
 
     public async Task ConnectAsync()
     {
         _cts = new CancellationTokenSource();
-        var wsUrl = _haUrl.Replace("https://", "wss://").Replace("http://", "ws://") + "/api/websocket";
 
         while (!_cts.Token.IsCancellationRequested)
         {
@@ -76,7 +77,14 @@ public async Task ConnectAsync()
             try
             {
                 _ws = new ClientWebSocket();
-                _ws.Options.RemoteCertificateValidationCallback = (sender, cert, chain, errors) => true;
+                if (!_verifySsl)
+                {
+                    _ws.Options.RemoteCertificateValidationCallback = (sender, cert, chain, errors) => true;
+                }
+                // Build WebSocket URL properly using Uri class
+                var uri = new Uri(_haUrl);
+                var wsScheme = uri.Scheme == "https" ? "wss" : "ws";
+                var wsUrl = $"{wsScheme}://{uri.Authority}/api/websocket";
                 await _ws.ConnectAsync(new Uri(wsUrl), _cts.Token);
 
                 var msg = await ReceiveMessage();
@@ -131,7 +139,7 @@ await SendMessage(new
     private async Task<string?> ReceiveMessage()
     {
         if (_ws?.State != WebSocketState.Open) return null;
-        var buffer = new byte[16384];
+        var buffer = new byte[65536];
         var sb = new StringBuilder();
         WebSocketReceiveResult result;
         do

src/HaDeskLink/Program.cs

@@ -98,6 +98,6 @@ private static string GetVersion()
             if (File.Exists(vfile)) return File.ReadAllText(vfile).Trim();
         }
         catch { }
-        return "2.2.1";
+        return "3.0.3";
     }
 }

src/HaDeskLink/SensorManager.cs

@@ -287,10 +287,11 @@ private static (float? percent, float? availableGB) GetMemory()
     {
         try
         {
+            // Get vm_stat and hw.memsize in one call, also get vm.page_pageable_internal_count for page size
             var psi = new ProcessStartInfo
             {
                 FileName = "bash",
-                Arguments = "-c \"vm_stat | head -10; echo '---'; sysctl -n hw.memsize\"",
+                Arguments = "-c \"vm_stat | head -15; echo '---'; sysctl -n hw.memsize; echo '---'; sysctl -n hw.pagesize\"",
                 UseShellExecute = false,
                 CreateNoWindow = true,
                 RedirectStandardOutput = true
@@ -302,7 +303,7 @@ private static (float? percent, float? availableGB) GetMemory()
 
             ulong freePages = 0, inactivePages = 0;
             ulong totalMemory = 0;
-            const int pageSize = 16384; // Apple Silicon: 16KB pages
+            ulong pageSize = 16384; // default Apple Silicon, dynamically resolved below
 
             foreach (var line in output.Split('\n'))
             {
@@ -312,17 +313,23 @@ private static (float? percent, float? availableGB) GetMemory()
                     inactivePages = ParseUlong(line.Split(':')[1].Trim().Trim('.'));
             }
 
-            // Parse hw.memsize (after --- separator)
+            // Parse sections: vm_stat --- hw.memsize --- hw.pagesize
             var sections = output.Split("---");
             if (sections.Length > 1)
             {
                 var memStr = sections[1].Trim();
                 totalMemory = ParseUlong(memStr);
             }
+            if (sections.Length > 2)
+            {
+                var psStr = sections[2].Trim();
+                var parsedPs = ParseUlong(psStr);
+                if (parsedPs > 0) pageSize = parsedPs;
+            }
 
             if (totalMemory > 0)
             {
-                var freeMemory = (freePages + inactivePages) * (ulong)pageSize;
+                var freeMemory = (freePages + inactivePages) * pageSize;
                 var usedPercent = (1f - (float)freeMemory / totalMemory) * 100f;
                 return ((float)Math.Round(usedPercent, 1), (float)Math.Round((float)freeMemory / 1024 / 1024 / 1024, 1));
             }
@@ -832,11 +839,11 @@ private static bool GetWebcamActive()
     {
         try
         {
-            // Check if any process has a camera device open via lsof
+            // Check for camera activity via ioreg (more reliable than lsof on macOS)
             var psi = new ProcessStartInfo
             {
-                FileName = "lsof",
-                Arguments = "-c",
+                FileName = "bash",
+                Arguments = "-c \"ioreg -r -c IOAVDevice 2>/dev/null | grep -i camera; ioreg -r -w0 -c AppleCamera 2>/dev/null | head -5\"",
                 UseShellExecute = false,
                 CreateNoWindow = true,
                 RedirectStandardOutput = true
@@ -846,9 +853,9 @@ private static bool GetWebcamActive()
             var output = proc.StandardOutput.ReadToEnd();
             proc.WaitForExit(3000);
 
-            // Check for camera-related devices in lsof output
-            if (output.Contains("Camera") || output.Contains("VDC") || output.Contains("coremediaio"))
-                return true;
+            if (string.IsNullOrWhiteSpace(output)) return false;
+            // Check if camera device shows active state
+            return output.Contains("Camera") || output.Contains("VDC") || output.Contains("coremediaio");
         }
         catch { }
 

src/HaDeskLink/Views/MainWindow.axaml.cs

@@ -235,7 +235,7 @@ private static string GetVersion()
             if (System.IO.File.Exists(vfile)) return System.IO.File.ReadAllText(vfile).Trim();
         }
         catch { }
-        return "2.2.1";
+        return "3.0.3";
     }
 
     private async void OnQuickActions(object? sender, RoutedEventArgs e)
@@ -279,7 +279,8 @@ private async void OnQuickActions(object? sender, RoutedEventArgs e)
             };
             btn.Click += async (s, args) =>
             {
-                var a = (QuickActionItem)((Button)s).Tag!;
+                var a = (s as Button)?.Tag as QuickActionItem;
+                if (a == null) return;
                 try
                 {
                     await _api.ToggleEntityAsync(a.EntityId);