Add HekaDrop — cross-platform Quick Share Rust implementation#15514
Closed
YatogamiRaito wants to merge 3 commits into
Closed
Add HekaDrop — cross-platform Quick Share Rust implementation#15514YatogamiRaito wants to merge 3 commits into
YatogamiRaito wants to merge 3 commits into
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
|
YatogamiRaito is integrating a new project: |
Author
|
I have signed the CLA. Please re-check. |
1 similar comment
Author
|
I have signed the CLA. Please re-check. |
HekaDrop is a cross-platform Rust implementation of Google Quick Share (Nearby Share). It receives files from Android devices (no app install needed) over LAN using UKEY2 + AES-256-CBC + HMAC-SHA256. 10 fuzz harnesses covering: - UKEY2 handshake (client_init, client_finish) - Frame dispatch (magic prefix + OfflineFrame + HekaDropFrame decode) - SecureCtx decrypt (AES-256-CBC + HMAC-SHA256) - PayloadHeader/Chunk/TransferFrame protobuf decode - PayloadAssembler ingest state machine - Chunk-HMAC compute+verify pipeline (RFC-0003) - Resume meta filename/session_id computation (RFC-0004) - All hekadrop_ext protobuf types (ChunkIntegrity, ResumeHint, FolderManifest) - mDNS endpoint_info bitmap+name parse
YatogamiRaito
force-pushed
the
add-hekadrop
branch
from
0b972d9 to
753f873
Compare
Use find instead of hardcoded x86_64-unknown-linux-gnu path. Fixes i386/aarch64 build failures.
DavidKorczynski
requested changes
May 16, 2026
Collaborator
DavidKorczynski
left a comment
DavidKorczynski
left a comment
There was a problem hiding this comment.
Thanks! The project looks too immature for OSS-Fuzz. I would advice using ClusterFuzzLite: https://google.github.io/clusterfuzzlite/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Project description
HekaDrop is a cross-platform Rust implementation of Google Quick Share (Nearby Share). It allows Android devices to send files to macOS/Linux/Windows over LAN without installing any app on the phone — the Android side uses the stock Quick Share that ships on all Android devices.
Language: Rust
Repo: https://github.com/YatogamiRaito/HekaDrop
License: MIT
Security relevance
The project implements a non-trivial cryptographic protocol:
All of these operate on attacker-controlled input from the network. A bug in any of these paths is a pre-auth DoS or worse.
Fuzz targets (10)
fuzz_ukey2_client_initprocess_client_init— raw bytes → UKEY2 parsefuzz_ukey2_client_finishprocess_client_finish— ECDH commitment verifyfuzz_frame_decodefuzz_secure_decryptSecureCtx::decrypt— AES-256-CBC + HMAC-SHA256fuzz_payload_headerfuzz_payload_assemblerPayloadAssembler::ingeststate machinefuzz_chunk_hmaccompute_tag+verify_tag+ mutated-body rejectionfuzz_resume_metafuzz_protobuf_framesfuzz_endpoint_infoCI status
All 10 targets compile and run crash-free (verified locally with libFuzzer, 764k+ runs/10s).
Contact
Primary contact: destek@sourvice.com