| author | 2019-09-05 19:50:24 +0200 | |
|---|---|---|
| committer | 2019-09-05 19:50:24 +0200 | |
| commit | a9e69b1252e5918b6d8ada1209ccefde301cfa26 (patch) | |
| tree | 2428ae909f123e48dac2afead248089ae1c531fd | |
| parent | 6d5a3d6a35a8610f83d6a69156cfe1b64da4f2bd (diff) | |
| download | libimobiledevice-a9e69b1252e5918b6d8ada1209ccefde301cfa26.tar.gz libimobiledevice-a9e69b1252e5918b6d8ada1209ccefde301cfa26.tar.bz2 | |
idevice: Fix handling SSL/TLS version selection for OpenSSL 1.1.0+ and for older devices
| -rw-r--r-- | src/idevice.c | 30 | ||||
| -rw-r--r-- | src/idevice.h | 4 | ||||
| -rw-r--r-- | src/lockdown.c | 4 |
3 files changed, 24 insertions, 14 deletions
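diff --git a/src/idevice.c b/src/idevice.c
index 382e9d2..fd1f4b5 100644
--- a/src/idevice.c
+++ b/src/idevice.c
@@ -320,7 +320,7 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connect(idevice_t device, uint16_t
 new_connection->type = CONNECTION_USBMUXD;
 new_connection->data = (void*)(long)sfd;
 new_connection->ssl_data = NULL;
-idevice_get_udid(device, &new_connection->udid);
+new_connection->device = device;
 *connection = new_connection;
 return IDEVICE_E_SUCCESS;
 } else {
@@ -348,9 +348,6 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_disconnect(idevice_connection_t con
 debug_info("Unknown connection type %d", connection->type);
 }
 
-if (connection->udid)
-free(connection->udid);
-
 free(connection);
 connection = NULL;
 
@@ -759,9 +756,9 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_enable_ssl(idevice_conne
 #endif
 plist_t pair_record = NULL;
 
-userpref_read_pair_record(connection->udid, &pair_record);
+userpref_read_pair_record(connection->device->udid, &pair_record);
 if (!pair_record) {
-debug_info("ERROR: Failed enabling SSL. Unable to read pair record for udid %s.", connection->udid);
+debug_info("ERROR: Failed enabling SSL. Unable to read pair record for udid %s.", connection->device->udid);
 return ret;
 }
 
@@ -789,16 +786,27 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_enable_ssl(idevice_conne
 return ret;
 }
 
-/* force use of TLSv1 */
+#if OPENSSL_VERSION_NUMBER < 0x10100002L || \
+(defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x2060000fL))
+/* force use of TLSv1 for older devices */
+if (connection->device->version < DEVICE_VERSION(10,0,0)) {
 #ifdef SSL_OP_NO_TLSv1_1
-int opts = SSL_OP_NO_TLSv1_1;
+long opts = SSL_CTX_get_options(ssl_ctx);
+opts |= SSL_OP_NO_TLSv1_1;
 #ifdef SSL_OP_NO_TLSv1_2
 opts |= SSL_OP_NO_TLSv1_2;
 #endif
 #ifdef SSL_OP_NO_TLSv1_3
 opts |= SSL_OP_NO_TLSv1_3;
+#endif
+SSL_CTX_set_options(ssl_ctx, opts);
 #endif
-SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | opts);
+}
+#else
+SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION);
+if (connection->device->version < DEVICE_VERSION(10,0,0)) {
+SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_VERSION);
+}
 #endif
 
 BIO* membp;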
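Review bot: In the legacy `#if` branch of the last hunk (new lines 789–804) the protocol restriction is now applied only for devices below 10.0.0, so for newer devices on pre-1.1.0 OpenSSL no floor is set at all, while the modern branch pins `SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION)` unconditionally; whether SSLv3 remains negotiable in that case depends on how `ssl_ctx` was created, which is outside the hunk. Masking the legacy protocols before the version check, `SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`, would make both branches enforce the same floor (`SSL_CTX_set_options` ORs into the existing options, so the `SSL_CTX_get_options` read on line 794 is not needed for that). The `SSL_OP_ALL` that removed line 801 used to set is dropped silently; if dropping the bug-compatibility workarounds is intended, a one-line comment saying so would stop a later maintainer from restoring it. The first hunk (line 323) replaces the owned udid copy with a borrowed `idevice_t` that is dereferenced here at line 759, so a comment on `idevice_connect` that the device must outlive the connection would record the new lifetime assumption. Both `idevice_connect` and `idevice_connection_enable_ssl` start and end outside their hunks.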
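diff --git a/src/idevice.h b/src/idevice.h
index 94e828b..f403c55 100644
--- a/src/idevice.h
+++ b/src/idevice.h
@@ -46,6 +46,8 @@
 #include "common/userpref.h"
 #include "libimobiledevice/libimobiledevice.h"
 
+#define DEVICE_VERSION(maj, min, patch) (((maj & 0xFF) << 16) | ((min & 0xFF) << 8) | (patch & 0xFF))
+
 enum connection_type {
 CONNECTION_USBMUXD = 1
 };
@@ -66,7 +68,7 @@ struct ssl_data_private {
 typedef struct ssl_data_private *ssl_data_t;
 
 struct idevice_connection_private {
-char *udid;
+idevice_t device;
 enum connection_type type;
 void *data;
 ssl_data_t ssl_data;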
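Review bot: `DEVICE_VERSION` at new line 49 does not parenthesize its arguments, so an expression argument such as `vers[0] + 1` binds to `& 0xFF` incorrectly; write it as `#define DEVICE_VERSION(maj, min, patch) ((((maj) & 0xFF) << 16) | (((min) & 0xFF) << 8) | ((patch) & 0xFF))`. The `& 0xFF` masking also folds any component above 255 (or a negative one from `sscanf`) onto a different value without warning, so a short comment stating the 8-bit-per-component packing and the silent truncation would help callers that compare against it, such as lockdown.c line 741. The field change at line 71 turns an owned `char *udid` into a borrowed pointer that `idevice_disconnect` no longer frees; a comment on the field, `/* borrowed: the idevice_t must outlive this connection */`, would record that.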
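diff --git a/src/lockdown.c b/src/lockdown.c
index 23f2782..694fb47 100644
--- a/src/lockdown.c
+++ b/src/lockdown.c
@@ -715,7 +715,7 @@ LIBIMOBILEDEVICE_API lockdownd_error_t lockdownd_client_new_with_handshake(idevi
 char *s_version = NULL;
 plist_get_string_val(p_version, &s_version);
 if (s_version && sscanf(s_version, "%d.%d.%d", &vers[0], &vers[1], &vers[2]) >= 2) {
-device->version = ((vers[0] & 0xFF) << 16) | ((vers[1] & 0xFF) << 8) | (vers[2] & 0xFF);
+device->version = DEVICE_VERSION(vers[0], vers[1], vers[2]);
 }
 free(s_version);
 }
@@ -738,7 +738,7 @@ LIBIMOBILEDEVICE_API lockdownd_error_t lockdownd_client_new_with_handshake(idevi
 plist_free(pair_record);
 pair_record = NULL;
 
-if (device->version < 0x070000) {
+if (device->version < DEVICE_VERSION(7,0,0)) {
 /* for older devices, we need to validate pairing to receive trusted host status */
 ret = lockdownd_validate_pair(client_loc, NULL);
 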
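Review bot: The `sscanf` guard on line 717 accepts a two-component version string (`>= 2`), in which case `vers[2]` is never written before `DEVICE_VERSION(vers[0], vers[1], vers[2])` reads it on line 718; whether that is indeterminate depends on how `vers` is declared, which is outside the hunk. If it is not zero-initialized, `int vers[3] = {0};` at its declaration, or passing `0` for the patch component when only two fields matched, would make the device-supplied version string parse deterministically. `lockdownd_client_new_with_handshake` starts and ends outside both hunks.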
