authorGravatar Nikias Bassen2019-09-05 19:50:24 +0200
committerGravatar Nikias Bassen2019-09-05 19:50:24 +0200
commita9e69b1252e5918b6d8ada1209ccefde301cfa26 (patch)
tree2428ae909f123e48dac2afead248089ae1c531fd
parent6d5a3d6a35a8610f83d6a69156cfe1b64da4f2bd (diff)
idevice: Fix handling SSL/TLS version selection for OpenSSL 1.1.0+ and for older devices
-rw-r--r--src/idevice.c30
-rw-r--r--src/idevice.h4
-rw-r--r--src/lockdown.c4
3 files changed, 24 insertions, 14 deletions
diff --git a/src/idevice.c b/src/idevice.c
index 382e9d2..fd1f4b5 100644
--- a/src/idevice.c
+++ b/src/idevice.c
@@ -320,7 +320,7 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connect(idevice_t device, uint16_t
new_connection->type = CONNECTION_USBMUXD;
new_connection->data = (void*)(long)sfd;
new_connection->ssl_data = NULL;
- idevice_get_udid(device, &new_connection->udid);
+ new_connection->device = device;
*connection = new_connection;
return IDEVICE_E_SUCCESS;
} else {
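Review bot: The connection now holds only a borrowed pointer to the device (`new_connection->device = device;`) in place of its own udid copy, and nothing in this hunk or the matching disconnect hunk (@@ -348) ties the two lifetimes together: if a caller releases the idevice_t while a connection on it is still open, the later `connection->device->udid` and `connection->device->version` reads in idevice_connection_enable_ssl become use-after-free, where the old code only read memory the connection owned. Whether the library already forbids that ordering is not visible here, so treat it as a question to confirm rather than a known bug. At minimum the new field in struct idevice_connection_private (src/idevice.h hunk) should state the contract, e.g. `idevice_t device; /* borrowed, not owned: the device must outlive the connection (until idevice_disconnect) */`. idevice_connect starts before this hunk.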
@@ -348,9 +348,6 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_disconnect(idevice_connection_t con
debug_info("Unknown connection type %d", connection->type);
}
- if (connection->udid)
- free(connection->udid);
-
free(connection);
connection = NULL;
@@ -759,9 +756,9 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_enable_ssl(idevice_conne
#endif
plist_t pair_record = NULL;
- userpref_read_pair_record(connection->udid, &pair_record);
+ userpref_read_pair_record(connection->device->udid, &pair_record);
if (!pair_record) {
- debug_info("ERROR: Failed enabling SSL. Unable to read pair record for udid %s.", connection->udid);
+ debug_info("ERROR: Failed enabling SSL. Unable to read pair record for udid %s.", connection->device->udid);
return ret;
}
@@ -789,16 +786,27 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_enable_ssl(idevice_conne
return ret;
}
- /* force use of TLSv1 */
+#if OPENSSL_VERSION_NUMBER < 0x10100002L || \
+ (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x2060000fL))
+ /* force use of TLSv1 for older devices */
+ if (connection->device->version < DEVICE_VERSION(10,0,0)) {
#ifdef SSL_OP_NO_TLSv1_1
- int opts = SSL_OP_NO_TLSv1_1;
+ long opts = SSL_CTX_get_options(ssl_ctx);
+ opts |= SSL_OP_NO_TLSv1_1;
#ifdef SSL_OP_NO_TLSv1_2
- opts |= SSL_OP_NO_TLSv1_2;
+ opts |= SSL_OP_NO_TLSv1_2;
#endif
#ifdef SSL_OP_NO_TLSv1_3
- opts |= SSL_OP_NO_TLSv1_3;
+ opts |= SSL_OP_NO_TLSv1_3;
+#endif
+ SSL_CTX_set_options(ssl_ctx, opts);
#endif
- SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | opts);
+ }
+#else
+ SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION);
+ if (connection->device->version < DEVICE_VERSION(10,0,0)) {
+ SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_VERSION);
+ }
#endif
BIO* membp;
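Review bot: The return values of `SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION)` and `SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_VERSION)` are discarded; both report failure by returning 0, and in that case the context silently keeps the library's default version range while the handshake goes ahead. I would check each and take the same failure path the code just above the hunk uses (the `return ret;` at the top, after whatever cleanup that path does, which is outside this hunk), e.g. `if (!SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION)) { debug_info("ERROR: Failed to set minimum TLS version"); return ret; }` and likewise for the maximum. A second asymmetry worth confirming: the pre-1.1.0 branch only caps the version for devices older than 10.0 and sets no floor, so if ssl_ctx was created with a version-flexible method (its creation is outside the hunk) that path would still accept SSLv3 where the 1.1.0+ path refuses anything below TLS 1.0; ORing `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` into opts in that branch would make the two agree. Note also that the old line ORed in `SSL_OP_ALL` and the replacement no longer does, which is a behavior change on old OpenSSL whether or not it is intended. idevice_connection_enable_ssl continues past the end of this hunk.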
diff --git a/src/idevice.h b/src/idevice.h
index 94e828b..f403c55 100644
--- a/src/idevice.h
+++ b/src/idevice.h
@@ -46,6 +46,8 @@
#include "common/userpref.h"
#include "libimobiledevice/libimobiledevice.h"
+#define DEVICE_VERSION(maj, min, patch) (((maj & 0xFF) << 16) | ((min & 0xFF) << 8) | (patch & 0xFF))
+
enum connection_type {
CONNECTION_USBMUXD = 1
};
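Review bot: The new `DEVICE_VERSION` macro does not parenthesize its arguments: with a conditional argument `maj & 0xFF` expands to `x ? 1 : 2 & 0xFF`, which groups as `x ? 1 : (2 & 0xFF)` rather than masking the selected value. Both call sites in this commit pass plain identifiers or integer literals, so nothing misbehaves today, but the macro lives in a shared header and the usual hygiene costs nothing: `#define DEVICE_VERSION(maj, min, patch) ((((maj) & 0xFF) << 16) | (((min) & 0xFF) << 8) | ((patch) & 0xFF))`. The parameter name `min` could also collide with a function-like `min` macro if any included header defines one; that is a possibility to check, not something visible here.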
@@ -66,7 +68,7 @@ struct ssl_data_private {
typedef struct ssl_data_private *ssl_data_t;
struct idevice_connection_private {
- char *udid;
+ idevice_t device;
enum connection_type type;
void *data;
ssl_data_t ssl_data;
diff --git a/src/lockdown.c b/src/lockdown.c
index 23f2782..694fb47 100644
--- a/src/lockdown.c
+++ b/src/lockdown.c
@@ -715,7 +715,7 @@ LIBIMOBILEDEVICE_API lockdownd_error_t lockdownd_client_new_with_handshake(idevi
char *s_version = NULL;
plist_get_string_val(p_version, &s_version);
if (s_version && sscanf(s_version, "%d.%d.%d", &vers[0], &vers[1], &vers[2]) >= 2) {
- device->version = ((vers[0] & 0xFF) << 16) | ((vers[1] & 0xFF) << 8) | (vers[2] & 0xFF);
+ device->version = DEVICE_VERSION(vers[0], vers[1], vers[2]);
}
free(s_version);
}
@@ -738,7 +738,7 @@ LIBIMOBILEDEVICE_API lockdownd_error_t lockdownd_client_new_with_handshake(idevi
plist_free(pair_record);
pair_record = NULL;
- if (device->version < 0x070000) {
+ if (device->version < DEVICE_VERSION(7,0,0)) {
/* for older devices, we need to validate pairing to receive trusted host status */
ret = lockdownd_validate_pair(client_loc, NULL);