1 files changed, 277 insertions, 39 deletions
diff --git a/common/userpref.c b/common/userpref.c
index a5aa7cb..0c6050f 100644
--- a/common/userpref.c
+++ b/common/userpref.c
@@ -2,6 +2,7 @@
 * userpref.c
 * contains methods to access user specific certificates IDs and more.
 *
+ * Copyright (c) 2013-2021 Nikias Bassen, All Rights Reserved.
 * Copyright (c) 2013-2014 Martin Szulecki All Rights Reserved.
 * Copyright (c) 2008 Jonathan Beck All Rights Reserved.
 *
@@ -36,7 +37,7 @@
 #endif
 #include <unistd.h>
 #include <usbmuxd.h>
-#ifdef HAVE_OPENSSL
+#if defined(HAVE_OPENSSL)
 #include <openssl/bn.h>
 #include <openssl/pem.h>
 #include <openssl/rsa.h>
@@ -47,12 +48,20 @@
 #define X509_set1_notBefore X509_set_notBefore
 #define X509_set1_notAfter X509_set_notAfter
 #endif
-#else
+#elif defined(HAVE_GNUTLS)
 #include <gnutls/gnutls.h>
 #include <gnutls/crypto.h>
 #include <gnutls/x509.h>
 #include <gcrypt.h>
 #include <libtasn1.h>
+#elif defined(HAVE_MBEDTLS)
+#include <mbedtls/ssl.h>
+#include <mbedtls/entropy.h>
+#include <mbedtls/ctr_drbg.h>
+#include <mbedtls/asn1write.h>
+#include <mbedtls/oid.h>
+#else
+#error No supported TLS/SSL library enabled
 #endif
 #include <dirent.h>
@@ -68,7 +77,7 @@
 #include "debug.h"
 #include "utils.h"
-#ifndef HAVE_OPENSSL
+#if defined(HAVE_GNUTLS)
 const ASN1_ARRAY_TYPE pkcs1_asn1_tab[] = {
        {"PKCS1", 536872976, 0},
        {0, 1073741836, 0},
@@ -343,7 +352,7 @@ userpref_error_t userpref_delete_pair_record(const char *udid)
        return res == 0 ? USERPREF_E_SUCCESS: USERPREF_E_UNKNOWN_ERROR;
 }
-#ifdef HAVE_OPENSSL
+#if defined(HAVE_OPENSSL)
 static int X509_add_ext_helper(X509 *cert, int nid, char *value)
 {
        X509_EXTENSION *ex;
@@ -364,6 +373,31 @@ static int X509_add_ext_helper(X509 *cert, int nid, char *value)
        return 1;
 }
+#elif defined(HAVE_MBEDTLS)
+static int _mbedtls_x509write_crt_set_basic_constraints_critical(mbedtls_x509write_cert *ctx, int is_ca, int max_pathlen)
+{
+        int ret;
+        unsigned char buf[9];
+        unsigned char *c = buf + sizeof(buf);
+        size_t len = 0;
+        memset( buf, 0, sizeof(buf) );
+        if (is_ca && max_pathlen > 127)
+                return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+        if (is_ca) {
+                if (max_pathlen >= 0) {
+                        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, max_pathlen ) );
+                }
+                MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_bool( &c, buf, 1 ) );
+        }
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
+        return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_BASIC_CONSTRAINTS, MBEDTLS_OID_SIZE( MBEDTLS_OID_BASIC_CONSTRAINTS ), 1, buf + sizeof(buf) - len, len );
+}
 #endif
 /**
@@ -390,7 +424,7 @@ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_da
        debug_info("Generating keys and certificates...");
-#ifdef HAVE_OPENSSL
+#if defined(HAVE_OPENSSL)
        BIGNUM *e = BN_new();
        RSA* root_keypair = RSA_new();
        RSA* host_keypair = RSA_new();
@@ -579,7 +613,7 @@ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_da
        X509_free(host_cert);
        X509_free(root_cert);
-#else
+#elif defined(HAVE_GNUTLS)
        gnutls_x509_privkey_t root_privkey;
        gnutls_x509_crt_t root_cert;
        gnutls_x509_privkey_t host_privkey;
@@ -749,6 +783,211 @@ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_da
        gnutls_free(exponent.data);
        gnutls_free(der_pub_key.data);
+#elif defined(HAVE_MBEDTLS)
+        time_t now = time(NULL);
+        struct tm* timestamp = gmtime(&now);
+        char notbefore[16];
+        strftime(notbefore, sizeof(notbefore), "%Y%m%d%H%M%S", timestamp);
+        time_t then = now + 60 * 60 * 24 * 365 * 10;
+        char notafter[16];
+        timestamp = gmtime(&then);
+        strftime(notafter, sizeof(notafter), "%Y%m%d%H%M%S", timestamp);
+        mbedtls_mpi sn;
+        mbedtls_mpi_init(&sn);
+        mbedtls_mpi_lset(&sn, 1); /* 0 doesn't work, so we have to use 1 (like GnuTLS) */
+        mbedtls_ctr_drbg_context ctr_drbg;
+        mbedtls_ctr_drbg_init(&ctr_drbg);
+        mbedtls_pk_context root_pkey;
+        mbedtls_pk_init(&root_pkey);
+        mbedtls_pk_context host_pkey;
+        mbedtls_pk_init(&host_pkey);
+        mbedtls_pk_context dev_public_key;
+        mbedtls_pk_init(&dev_public_key);
+        mbedtls_entropy_context entropy;
+        mbedtls_entropy_init(&entropy);
+        mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *)"limd", 4);
+        /* ----- root key & cert ----- */
+        ret = mbedtls_pk_setup(&root_pkey, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA));
+        if (ret != 0) {
+                debug_info("mbedtls_pk_setup returned -0x%04x", -ret);
+                goto cleanup;
+        }
+        ret = mbedtls_rsa_gen_key(mbedtls_pk_rsa(root_pkey), mbedtls_ctr_drbg_random, &ctr_drbg, 2048, 65537);
+        if (ret != 0) {
+                debug_info("mbedtls_rsa_gen_key returned -0x%04x", -ret);
+                goto cleanup;
+        }
+        mbedtls_x509write_cert cert;
+        mbedtls_x509write_crt_init(&cert);
+        /* set serial number */
+        mbedtls_x509write_crt_set_serial(&cert, &sn);
+        /* set version */
+        mbedtls_x509write_crt_set_version(&cert, 2);
+        /* set x509v3 basic constraints */
+        _mbedtls_x509write_crt_set_basic_constraints_critical(&cert, 1, -1);
+        /* use root public key for root cert */
+        mbedtls_x509write_crt_set_subject_key(&cert, &root_pkey);
+        /* set x509v3 subject key identifier */
+        mbedtls_x509write_crt_set_subject_key_identifier(&cert);
+        /* set key validity */
+        mbedtls_x509write_crt_set_validity(&cert, notbefore, notafter);
+        /* sign root cert with root private key */
+        mbedtls_x509write_crt_set_issuer_key(&cert, &root_pkey);
+        mbedtls_x509write_crt_set_md_alg(&cert, MBEDTLS_MD_SHA1);
+        unsigned char outbuf[16384];
+        /* write root private key */
+        mbedtls_pk_write_key_pem(&root_pkey, outbuf, sizeof(outbuf));
+        root_key_pem.size = strlen((const char*)outbuf);
+        root_key_pem.data = malloc(root_key_pem.size+1);
+        memcpy(root_key_pem.data, outbuf, root_key_pem.size);
+        root_key_pem.data[root_key_pem.size] = '\0';
+        /* write root certificate */
+        mbedtls_x509write_crt_pem(&cert, outbuf, sizeof(outbuf), mbedtls_ctr_drbg_random, &ctr_drbg);
+        root_cert_pem.size = strlen((const char*)outbuf);
+        root_cert_pem.data = malloc(root_cert_pem.size+1);
+        memcpy(root_cert_pem.data, outbuf, root_cert_pem.size);
+        root_cert_pem.data[root_cert_pem.size] = '\0';
+        mbedtls_x509write_crt_free(&cert);
+        /* ----- host key & cert ----- */
+        ret = mbedtls_pk_setup(&host_pkey, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA));
+        if (ret != 0) {
+                debug_info("mbedtls_pk_setup returned -0x%04x", -ret);
+                goto cleanup;
+        }
+        ret = mbedtls_rsa_gen_key(mbedtls_pk_rsa(host_pkey), mbedtls_ctr_drbg_random, &ctr_drbg, 2048, 65537);
+        if (ret != 0) {
+                debug_info("mbedtls_rsa_gen_key returned -0x%04x", -ret);
+                goto cleanup;
+        }
+        mbedtls_x509write_crt_init(&cert);
+        /* set serial number */
+        mbedtls_x509write_crt_set_serial(&cert, &sn);
+        /* set version */
+        mbedtls_x509write_crt_set_version(&cert, 2);
+        /* set x509v3 basic constraints */
+        _mbedtls_x509write_crt_set_basic_constraints_critical(&cert, 0, -1);
+        /* use host public key for host cert */
+        mbedtls_x509write_crt_set_subject_key(&cert, &host_pkey);
+        /* set x509v3 subject key identifier */
+        mbedtls_x509write_crt_set_subject_key_identifier(&cert);
+        /* set x509v3 key usage */
+        mbedtls_x509write_crt_set_key_usage(&cert, MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_ENCIPHERMENT);
+        /* set key validity */
+        mbedtls_x509write_crt_set_validity(&cert, notbefore, notafter);
+        /* sign host cert with root private key */
+        mbedtls_x509write_crt_set_issuer_key(&cert, &root_pkey);
+        mbedtls_x509write_crt_set_md_alg(&cert, MBEDTLS_MD_SHA1);
+        /* write host private key */
+        mbedtls_pk_write_key_pem(&host_pkey, outbuf, sizeof(outbuf));
+        host_key_pem.size = strlen((const char*)outbuf);
+        host_key_pem.data = malloc(host_key_pem.size+1);
+        memcpy(host_key_pem.data, outbuf, host_key_pem.size);
+        host_key_pem.data[host_key_pem.size] = '\0';
+        /* write host certificate */
+        mbedtls_x509write_crt_pem(&cert, outbuf, sizeof(outbuf), mbedtls_ctr_drbg_random, &ctr_drbg);
+        host_cert_pem.size = strlen((const char*)outbuf);
+        host_cert_pem.data = malloc(host_cert_pem.size+1);
+        memcpy(host_cert_pem.data, outbuf, host_cert_pem.size);
+        host_cert_pem.data[host_cert_pem.size] = '\0';
+        mbedtls_x509write_crt_free(&cert);
+        /* ----- device certificate ----- */
+        unsigned char* pubkey_data = malloc(public_key.size+1);
+        if (!pubkey_data) {
+                debug_info("malloc() failed\n");
+                goto cleanup;
+        }
+        memcpy(pubkey_data, public_key.data, public_key.size);
+        pubkey_data[public_key.size] = '\0';
+        int pr = mbedtls_pk_parse_public_key(&dev_public_key, pubkey_data, public_key.size+1);
+        free(pubkey_data);
+        if (pr != 0) {
+                debug_info("Failed to read device public key: -0x%x\n", -pr);
+                goto cleanup;
+        }
+        mbedtls_x509write_crt_init(&cert);
+        /* set serial number */
+        mbedtls_x509write_crt_set_serial(&cert, &sn);
+        /* set version */
+        mbedtls_x509write_crt_set_version(&cert, 2);
+        /* set x509v3 basic constraints */
+        _mbedtls_x509write_crt_set_basic_constraints_critical(&cert, 0, -1);
+        /* use root public key for dev cert subject key */
+        mbedtls_x509write_crt_set_subject_key(&cert, &dev_public_key);
+        /* set x509v3 subject key identifier */
+        mbedtls_x509write_crt_set_subject_key_identifier(&cert);
+        /* set x509v3 key usage */
+        mbedtls_x509write_crt_set_key_usage(&cert, MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_ENCIPHERMENT);
+        /* set key validity */
+        mbedtls_x509write_crt_set_validity(&cert, notbefore, notafter);
+        /* sign device certificate with root private key */
+        mbedtls_x509write_crt_set_issuer_key(&cert, &root_pkey);
+        mbedtls_x509write_crt_set_md_alg(&cert, MBEDTLS_MD_SHA1);
+        /* write device certificate */
+        mbedtls_x509write_crt_pem(&cert, outbuf, sizeof(outbuf), mbedtls_ctr_drbg_random, &ctr_drbg);
+        dev_cert_pem.size = strlen((const char*)outbuf);
+        dev_cert_pem.data = malloc(dev_cert_pem.size+1);
+        memcpy(dev_cert_pem.data, outbuf, dev_cert_pem.size);
+        dev_cert_pem.data[dev_cert_pem.size] = '\0';
+        mbedtls_x509write_crt_free(&cert);
+        /* cleanup */
+cleanup:
+        mbedtls_mpi_free(&sn);
+        mbedtls_pk_free(&dev_public_key);
+        mbedtls_entropy_free(&entropy);
+        mbedtls_pk_free(&host_pkey);
+        mbedtls_pk_free(&root_pkey);
+        mbedtls_ctr_drbg_free(&ctr_drbg);
 #endif
        /* make sure that we have all we need */
@@ -783,32 +1022,31 @@ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_da
 *
 * @return 1 if the key was successfully imported.
 */
-#ifdef HAVE_OPENSSL
+#if defined(HAVE_OPENSSL) || defined(HAVE_MBEDTLS)
 userpref_error_t pair_record_import_key_with_name(plist_t pair_record, const char* name, key_data_t* key)
-#else
+#elif defined(HAVE_GNUTLS)
 userpref_error_t pair_record_import_key_with_name(plist_t pair_record, const char* name, gnutls_x509_privkey_t key)
 #endif
 {
-#ifdef HAVE_OPENSSL
+#if defined(HAVE_OPENSSL) || defined(HAVE_MBEDTLS)
        if (!key)
                return USERPREF_E_SUCCESS;
 #endif
        userpref_error_t ret = USERPREF_E_INVALID_CONF;
-#ifdef HAVE_OPENSSL
+#if defined(HAVE_OPENSSL) || defined(HAVE_MBEDTLS)
-                ret = pair_record_get_item_as_key_data(pair_record, name, key);
+        ret = pair_record_get_item_as_key_data(pair_record, name, key);
-#else
+#elif defined(HAVE_GNUTLS)
-                key_data_t pem = { NULL, 0 };
+        key_data_t pem = { NULL, 0 };
-                ret = pair_record_get_item_as_key_data(pair_record, name, &pem);
+        ret = pair_record_get_item_as_key_data(pair_record, name, &pem);
-                if (ret == USERPREF_E_SUCCESS && GNUTLS_E_SUCCESS == gnutls_x509_privkey_import(key, &pem, GNUTLS_X509_FMT_PEM))
+        if (ret == USERPREF_E_SUCCESS && GNUTLS_E_SUCCESS == gnutls_x509_privkey_import(key, &pem, GNUTLS_X509_FMT_PEM))
-                        ret = USERPREF_E_SUCCESS;
+                ret = USERPREF_E_SUCCESS;
-                else
+        else
-                        ret = USERPREF_E_SSL_ERROR;
+                ret = USERPREF_E_SSL_ERROR;
-                if (pem.data)
-                        free(pem.data);
-#endif
+        if (pem.data)
+                free(pem.data);
+#endif
        return ret;
 }
@@ -820,32 +1058,31 @@ userpref_error_t pair_record_import_key_with_name(plist_t pair_record, const cha
 *
 * @return IDEVICE_E_SUCCESS if the certificate was successfully imported.
 */
-#ifdef HAVE_OPENSSL
+#if defined(HAVE_OPENSSL) || defined(HAVE_MBEDTLS)
 userpref_error_t pair_record_import_crt_with_name(plist_t pair_record, const char* name, key_data_t* cert)
 #else
 userpref_error_t pair_record_import_crt_with_name(plist_t pair_record, const char* name, gnutls_x509_crt_t cert)
 #endif
 {
-#ifdef HAVE_OPENSSL
+#if defined(HAVE_OPENSSL) || defined(HAVE_MBEDTLS)
        if (!cert)
                return USERPREF_E_SUCCESS;
 #endif
        userpref_error_t ret = USERPREF_E_INVALID_CONF;
-#ifdef HAVE_OPENSSL
+#if defined(HAVE_OPENSSL) || defined(HAVE_MBEDTLS)
-                ret = pair_record_get_item_as_key_data(pair_record, name, cert);
+        ret = pair_record_get_item_as_key_data(pair_record, name, cert);
-#else
+#elif defined(HAVE_GNUTLS)
-                key_data_t pem = { NULL, 0 };
+        key_data_t pem = { NULL, 0 };
-                ret = pair_record_get_item_as_key_data(pair_record, name, &pem);
+        ret = pair_record_get_item_as_key_data(pair_record, name, &pem);
-                if (ret == USERPREF_E_SUCCESS && GNUTLS_E_SUCCESS == gnutls_x509_crt_import(cert, &pem, GNUTLS_X509_FMT_PEM))
+        if (ret == USERPREF_E_SUCCESS && GNUTLS_E_SUCCESS == gnutls_x509_crt_import(cert, &pem, GNUTLS_X509_FMT_PEM))
-                        ret = USERPREF_E_SUCCESS;
+                ret = USERPREF_E_SUCCESS;
-                else
+        else
-                        ret = USERPREF_E_SSL_ERROR;
+                ret = USERPREF_E_SSL_ERROR;
-                if (pem.data)
-                        free(pem.data);
-#endif
+        if (pem.data)
+                free(pem.data);
+#endif
        return ret;
 }
@@ -880,9 +1117,10 @@ userpref_error_t pair_record_get_item_as_key_data(plist_t pair_record, const cha
        if (node && plist_get_node_type(node) == PLIST_DATA) {
                plist_get_data_val(node, &buffer, &length);
-                value->data = (unsigned char*)malloc(length);
+                value->data = (unsigned char*)malloc(length+1);
                memcpy(value->data, buffer, length);
-                value->size = length;
+                value->data[length] = '\0';
+                value->size = length+1;
                free(buffer);
                buffer = NULL;
        } else {

diff --git a/common/userpref.c b/common/userpref.c index a5aa7cb..0c6050f 100644 --- a/common/userpref.c +++ b/common/userpref.c
@@ -2,6 +2,7 @@
2	* userpref.c	2	* userpref.c
3	* contains methods to access user specific certificates IDs and more.	3	* contains methods to access user specific certificates IDs and more.
4	*	4	*
		5	* Copyright (c) 2013-2021 Nikias Bassen, All Rights Reserved.
5	* Copyright (c) 2013-2014 Martin Szulecki All Rights Reserved.	6	* Copyright (c) 2013-2014 Martin Szulecki All Rights Reserved.
6	* Copyright (c) 2008 Jonathan Beck All Rights Reserved.	7	* Copyright (c) 2008 Jonathan Beck All Rights Reserved.
7	*	8	*
@@ -36,7 +37,7 @@
36	#endif	37	#endif
37	#include <unistd.h>	38	#include <unistd.h>
38	#include <usbmuxd.h>	39	#include <usbmuxd.h>
39	#ifdef HAVE_OPENSSL	40	#if defined(HAVE_OPENSSL)
40	#include <openssl/bn.h>	41	#include <openssl/bn.h>
41	#include <openssl/pem.h>	42	#include <openssl/pem.h>
42	#include <openssl/rsa.h>	43	#include <openssl/rsa.h>
@@ -47,12 +48,20 @@
47	#define X509_set1_notBefore X509_set_notBefore	48	#define X509_set1_notBefore X509_set_notBefore
48	#define X509_set1_notAfter X509_set_notAfter	49	#define X509_set1_notAfter X509_set_notAfter
49	#endif	50	#endif
50	#else	51	#elif defined(HAVE_GNUTLS)
51	#include <gnutls/gnutls.h>	52	#include <gnutls/gnutls.h>
52	#include <gnutls/crypto.h>	53	#include <gnutls/crypto.h>
53	#include <gnutls/x509.h>	54	#include <gnutls/x509.h>
54	#include <gcrypt.h>	55	#include <gcrypt.h>
55	#include <libtasn1.h>	56	#include <libtasn1.h>
		57	#elif defined(HAVE_MBEDTLS)
		58	#include <mbedtls/ssl.h>
		59	#include <mbedtls/entropy.h>
		60	#include <mbedtls/ctr_drbg.h>
		61	#include <mbedtls/asn1write.h>
		62	#include <mbedtls/oid.h>
		63	#else
		64	#error No supported TLS/SSL library enabled
56	#endif	65	#endif
57		66
58	#include <dirent.h>	67	#include <dirent.h>
@@ -68,7 +77,7 @@
68	#include "debug.h"	77	#include "debug.h"
69	#include "utils.h"	78	#include "utils.h"
70		79
71	#ifndef HAVE_OPENSSL	80	#if defined(HAVE_GNUTLS)
72	const ASN1_ARRAY_TYPE pkcs1_asn1_tab[] = {	81	const ASN1_ARRAY_TYPE pkcs1_asn1_tab[] = {
73	{"PKCS1", 536872976, 0},	82	{"PKCS1", 536872976, 0},
74	{0, 1073741836, 0},	83	{0, 1073741836, 0},
@@ -343,7 +352,7 @@ userpref_error_t userpref_delete_pair_record(const char *udid)
343	return res == 0 ? USERPREF_E_SUCCESS: USERPREF_E_UNKNOWN_ERROR;	352	return res == 0 ? USERPREF_E_SUCCESS: USERPREF_E_UNKNOWN_ERROR;
344	}	353	}
345		354
346	#ifdef HAVE_OPENSSL	355	#if defined(HAVE_OPENSSL)
347	static int X509_add_ext_helper(X509 cert, int nid, char value)	356	static int X509_add_ext_helper(X509 cert, int nid, char value)
348	{	357	{
349	X509_EXTENSION *ex;	358	X509_EXTENSION *ex;
@@ -364,6 +373,31 @@ static int X509_add_ext_helper(X509 cert, int nid, char value)
364		373
365	return 1;	374	return 1;
366	}	375	}
		376	#elif defined(HAVE_MBEDTLS)
		377	static int _mbedtls_x509write_crt_set_basic_constraints_critical(mbedtls_x509write_cert *ctx, int is_ca, int max_pathlen)
		378	{
		379	int ret;
		380	unsigned char buf[9];
		381	unsigned char *c = buf + sizeof(buf);
		382	size_t len = 0;
		383
		384	memset( buf, 0, sizeof(buf) );
		385
		386	if (is_ca && max_pathlen > 127)
		387	return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
		388
		389	if (is_ca) {
		390	if (max_pathlen >= 0) {
		391	MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, max_pathlen ) );
		392	}
		393	MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_bool( &c, buf, 1 ) );
		394	}
		395
		396	MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
		397	MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED \| MBEDTLS_ASN1_SEQUENCE ) );
		398
		399	return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_BASIC_CONSTRAINTS, MBEDTLS_OID_SIZE( MBEDTLS_OID_BASIC_CONSTRAINTS ), 1, buf + sizeof(buf) - len, len );
		400	}
367	#endif	401	#endif
368		402
369	/**	403	/**
@@ -390,7 +424,7 @@ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_da
390		424
391	debug_info("Generating keys and certificates...");	425	debug_info("Generating keys and certificates...");
392		426
393	#ifdef HAVE_OPENSSL	427	#if defined(HAVE_OPENSSL)
394	BIGNUM *e = BN_new();	428	BIGNUM *e = BN_new();
395	RSA* root_keypair = RSA_new();	429	RSA* root_keypair = RSA_new();
396	RSA* host_keypair = RSA_new();	430	RSA* host_keypair = RSA_new();
@@ -579,7 +613,7 @@ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_da
579		613
580	X509_free(host_cert);	614	X509_free(host_cert);
581	X509_free(root_cert);	615	X509_free(root_cert);
582	#else	616	#elif defined(HAVE_GNUTLS)
583	gnutls_x509_privkey_t root_privkey;	617	gnutls_x509_privkey_t root_privkey;
584	gnutls_x509_crt_t root_cert;	618	gnutls_x509_crt_t root_cert;
585	gnutls_x509_privkey_t host_privkey;	619	gnutls_x509_privkey_t host_privkey;
@@ -749,6 +783,211 @@ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_da
749	gnutls_free(exponent.data);	783	gnutls_free(exponent.data);
750		784
751	gnutls_free(der_pub_key.data);	785	gnutls_free(der_pub_key.data);
		786	#elif defined(HAVE_MBEDTLS)
		787	time_t now = time(NULL);
		788	struct tm* timestamp = gmtime(&now);
		789	char notbefore[16];
		790	strftime(notbefore, sizeof(notbefore), "%Y%m%d%H%M%S", timestamp);
		791	time_t then = now + 60 * 60 * 24 * 365 * 10;
		792	char notafter[16];
		793	timestamp = gmtime(&then);
		794	strftime(notafter, sizeof(notafter), "%Y%m%d%H%M%S", timestamp);
		795
		796	mbedtls_mpi sn;
		797	mbedtls_mpi_init(&sn);
		798	mbedtls_mpi_lset(&sn, 1); /* 0 doesn't work, so we have to use 1 (like GnuTLS) */
		799
		800	mbedtls_ctr_drbg_context ctr_drbg;
		801	mbedtls_ctr_drbg_init(&ctr_drbg);
		802
		803	mbedtls_pk_context root_pkey;
		804	mbedtls_pk_init(&root_pkey);
		805
		806	mbedtls_pk_context host_pkey;
		807	mbedtls_pk_init(&host_pkey);
		808
		809	mbedtls_pk_context dev_public_key;
		810	mbedtls_pk_init(&dev_public_key);
		811
		812	mbedtls_entropy_context entropy;
		813	mbedtls_entropy_init(&entropy);
		814
		815	mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *)"limd", 4);
		816
		817	/* ----- root key & cert ----- */
		818	ret = mbedtls_pk_setup(&root_pkey, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA));
		819	if (ret != 0) {
		820	debug_info("mbedtls_pk_setup returned -0x%04x", -ret);
		821	goto cleanup;
		822	}
		823
		824	ret = mbedtls_rsa_gen_key(mbedtls_pk_rsa(root_pkey), mbedtls_ctr_drbg_random, &ctr_drbg, 2048, 65537);
		825	if (ret != 0) {
		826	debug_info("mbedtls_rsa_gen_key returned -0x%04x", -ret);
		827	goto cleanup;
		828	}
		829
		830	mbedtls_x509write_cert cert;
		831	mbedtls_x509write_crt_init(&cert);
		832
		833	/* set serial number */
		834	mbedtls_x509write_crt_set_serial(&cert, &sn);
		835
		836	/* set version */
		837	mbedtls_x509write_crt_set_version(&cert, 2);
		838
		839	/* set x509v3 basic constraints */
		840	_mbedtls_x509write_crt_set_basic_constraints_critical(&cert, 1, -1);
		841
		842	/* use root public key for root cert */
		843	mbedtls_x509write_crt_set_subject_key(&cert, &root_pkey);
		844
		845	/* set x509v3 subject key identifier */
		846	mbedtls_x509write_crt_set_subject_key_identifier(&cert);
		847
		848	/* set key validity */
		849	mbedtls_x509write_crt_set_validity(&cert, notbefore, notafter);
		850
		851	/* sign root cert with root private key */
		852	mbedtls_x509write_crt_set_issuer_key(&cert, &root_pkey);
		853	mbedtls_x509write_crt_set_md_alg(&cert, MBEDTLS_MD_SHA1);
		854
		855	unsigned char outbuf[16384];
		856
		857	/* write root private key */
		858	mbedtls_pk_write_key_pem(&root_pkey, outbuf, sizeof(outbuf));
		859	root_key_pem.size = strlen((const char*)outbuf);
		860	root_key_pem.data = malloc(root_key_pem.size+1);
		861	memcpy(root_key_pem.data, outbuf, root_key_pem.size);
		862	root_key_pem.data[root_key_pem.size] = '\0';
		863
		864	/* write root certificate */
		865	mbedtls_x509write_crt_pem(&cert, outbuf, sizeof(outbuf), mbedtls_ctr_drbg_random, &ctr_drbg);
		866	root_cert_pem.size = strlen((const char*)outbuf);
		867	root_cert_pem.data = malloc(root_cert_pem.size+1);
		868	memcpy(root_cert_pem.data, outbuf, root_cert_pem.size);
		869	root_cert_pem.data[root_cert_pem.size] = '\0';
		870
		871	mbedtls_x509write_crt_free(&cert);
		872
		873
		874	/* ----- host key & cert ----- */
		875	ret = mbedtls_pk_setup(&host_pkey, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA));
		876	if (ret != 0) {
		877	debug_info("mbedtls_pk_setup returned -0x%04x", -ret);
		878	goto cleanup;
		879	}
		880
		881	ret = mbedtls_rsa_gen_key(mbedtls_pk_rsa(host_pkey), mbedtls_ctr_drbg_random, &ctr_drbg, 2048, 65537);
		882	if (ret != 0) {
		883	debug_info("mbedtls_rsa_gen_key returned -0x%04x", -ret);
		884	goto cleanup;
		885	}
		886
		887	mbedtls_x509write_crt_init(&cert);
		888
		889	/* set serial number */
		890	mbedtls_x509write_crt_set_serial(&cert, &sn);
		891
		892	/* set version */
		893	mbedtls_x509write_crt_set_version(&cert, 2);
		894
		895	/* set x509v3 basic constraints */
		896	_mbedtls_x509write_crt_set_basic_constraints_critical(&cert, 0, -1);
		897
		898	/* use host public key for host cert */
		899	mbedtls_x509write_crt_set_subject_key(&cert, &host_pkey);
		900
		901	/* set x509v3 subject key identifier */
		902	mbedtls_x509write_crt_set_subject_key_identifier(&cert);
		903
		904	/* set x509v3 key usage */
		905	mbedtls_x509write_crt_set_key_usage(&cert, MBEDTLS_X509_KU_DIGITAL_SIGNATURE \| MBEDTLS_X509_KU_KEY_ENCIPHERMENT);
		906
		907	/* set key validity */
		908	mbedtls_x509write_crt_set_validity(&cert, notbefore, notafter);
		909
		910	/* sign host cert with root private key */
		911	mbedtls_x509write_crt_set_issuer_key(&cert, &root_pkey);
		912	mbedtls_x509write_crt_set_md_alg(&cert, MBEDTLS_MD_SHA1);
		913
		914	/* write host private key */
		915	mbedtls_pk_write_key_pem(&host_pkey, outbuf, sizeof(outbuf));
		916	host_key_pem.size = strlen((const char*)outbuf);
		917	host_key_pem.data = malloc(host_key_pem.size+1);
		918	memcpy(host_key_pem.data, outbuf, host_key_pem.size);
		919	host_key_pem.data[host_key_pem.size] = '\0';
		920
		921	/* write host certificate */
		922	mbedtls_x509write_crt_pem(&cert, outbuf, sizeof(outbuf), mbedtls_ctr_drbg_random, &ctr_drbg);
		923	host_cert_pem.size = strlen((const char*)outbuf);
		924	host_cert_pem.data = malloc(host_cert_pem.size+1);
		925	memcpy(host_cert_pem.data, outbuf, host_cert_pem.size);
		926	host_cert_pem.data[host_cert_pem.size] = '\0';
		927
		928	mbedtls_x509write_crt_free(&cert);
		929
		930
		931	/* ----- device certificate ----- */
		932	unsigned char* pubkey_data = malloc(public_key.size+1);
		933	if (!pubkey_data) {
		934	debug_info("malloc() failed\n");
		935	goto cleanup;
		936	}
		937	memcpy(pubkey_data, public_key.data, public_key.size);
		938	pubkey_data[public_key.size] = '\0';
		939
		940	int pr = mbedtls_pk_parse_public_key(&dev_public_key, pubkey_data, public_key.size+1);
		941	free(pubkey_data);
		942	if (pr != 0) {
		943	debug_info("Failed to read device public key: -0x%x\n", -pr);
		944	goto cleanup;
		945	}
		946
		947	mbedtls_x509write_crt_init(&cert);
		948
		949	/* set serial number */
		950	mbedtls_x509write_crt_set_serial(&cert, &sn);
		951
		952	/* set version */
		953	mbedtls_x509write_crt_set_version(&cert, 2);
		954
		955	/* set x509v3 basic constraints */
		956	_mbedtls_x509write_crt_set_basic_constraints_critical(&cert, 0, -1);
		957
		958	/* use root public key for dev cert subject key */
		959	mbedtls_x509write_crt_set_subject_key(&cert, &dev_public_key);
		960
		961	/* set x509v3 subject key identifier */
		962	mbedtls_x509write_crt_set_subject_key_identifier(&cert);
		963
		964	/* set x509v3 key usage */
		965	mbedtls_x509write_crt_set_key_usage(&cert, MBEDTLS_X509_KU_DIGITAL_SIGNATURE \| MBEDTLS_X509_KU_KEY_ENCIPHERMENT);
		966
		967	/* set key validity */
		968	mbedtls_x509write_crt_set_validity(&cert, notbefore, notafter);
		969
		970	/* sign device certificate with root private key */
		971	mbedtls_x509write_crt_set_issuer_key(&cert, &root_pkey);
		972	mbedtls_x509write_crt_set_md_alg(&cert, MBEDTLS_MD_SHA1);
		973
		974	/* write device certificate */
		975	mbedtls_x509write_crt_pem(&cert, outbuf, sizeof(outbuf), mbedtls_ctr_drbg_random, &ctr_drbg);
		976	dev_cert_pem.size = strlen((const char*)outbuf);
		977	dev_cert_pem.data = malloc(dev_cert_pem.size+1);
		978	memcpy(dev_cert_pem.data, outbuf, dev_cert_pem.size);
		979	dev_cert_pem.data[dev_cert_pem.size] = '\0';
		980
		981	mbedtls_x509write_crt_free(&cert);
		982
		983	/* cleanup */
		984	cleanup:
		985	mbedtls_mpi_free(&sn);
		986	mbedtls_pk_free(&dev_public_key);
		987	mbedtls_entropy_free(&entropy);
		988	mbedtls_pk_free(&host_pkey);
		989	mbedtls_pk_free(&root_pkey);
		990	mbedtls_ctr_drbg_free(&ctr_drbg);
752	#endif	991	#endif
753		992
754	/* make sure that we have all we need */	993	/* make sure that we have all we need */
@@ -783,32 +1022,31 @@ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_da
783	*	1022	*
784	* @return 1 if the key was successfully imported.	1023	* @return 1 if the key was successfully imported.
785	*/	1024	*/
786	#ifdef HAVE_OPENSSL	1025	#if defined(HAVE_OPENSSL) \|\| defined(HAVE_MBEDTLS)
787	userpref_error_t pair_record_import_key_with_name(plist_t pair_record, const char* name, key_data_t* key)	1026	userpref_error_t pair_record_import_key_with_name(plist_t pair_record, const char* name, key_data_t* key)
788	#else	1027	#elif defined(HAVE_GNUTLS)
789	userpref_error_t pair_record_import_key_with_name(plist_t pair_record, const char* name, gnutls_x509_privkey_t key)	1028	userpref_error_t pair_record_import_key_with_name(plist_t pair_record, const char* name, gnutls_x509_privkey_t key)
790	#endif	1029	#endif
791	{	1030	{
792	#ifdef HAVE_OPENSSL	1031	#if defined(HAVE_OPENSSL) \|\| defined(HAVE_MBEDTLS)
793	if (!key)	1032	if (!key)
794	return USERPREF_E_SUCCESS;	1033	return USERPREF_E_SUCCESS;
795	#endif	1034	#endif
796	userpref_error_t ret = USERPREF_E_INVALID_CONF;	1035	userpref_error_t ret = USERPREF_E_INVALID_CONF;
797		1036
798	#ifdef HAVE_OPENSSL	1037	#if defined(HAVE_OPENSSL) \|\| defined(HAVE_MBEDTLS)
799	ret = pair_record_get_item_as_key_data(pair_record, name, key);	1038	ret = pair_record_get_item_as_key_data(pair_record, name, key);
800	#else	1039	#elif defined(HAVE_GNUTLS)
801	key_data_t pem = { NULL, 0 };	1040	key_data_t pem = { NULL, 0 };
802	ret = pair_record_get_item_as_key_data(pair_record, name, &pem);	1041	ret = pair_record_get_item_as_key_data(pair_record, name, &pem);
803	if (ret == USERPREF_E_SUCCESS && GNUTLS_E_SUCCESS == gnutls_x509_privkey_import(key, &pem, GNUTLS_X509_FMT_PEM))	1042	if (ret == USERPREF_E_SUCCESS && GNUTLS_E_SUCCESS == gnutls_x509_privkey_import(key, &pem, GNUTLS_X509_FMT_PEM))
804	ret = USERPREF_E_SUCCESS;	1043	ret = USERPREF_E_SUCCESS;
805	else	1044	else
806	ret = USERPREF_E_SSL_ERROR;	1045	ret = USERPREF_E_SSL_ERROR;
807
808	if (pem.data)
809	free(pem.data);
810	#endif
811		1046
		1047	if (pem.data)
		1048	free(pem.data);
		1049	#endif
812	return ret;	1050	return ret;
813	}	1051	}
814		1052
@@ -820,32 +1058,31 @@ userpref_error_t pair_record_import_key_with_name(plist_t pair_record, const cha
820	*	1058	*
821	* @return IDEVICE_E_SUCCESS if the certificate was successfully imported.	1059	* @return IDEVICE_E_SUCCESS if the certificate was successfully imported.
822	*/	1060	*/
823	#ifdef HAVE_OPENSSL	1061	#if defined(HAVE_OPENSSL) \|\| defined(HAVE_MBEDTLS)
824	userpref_error_t pair_record_import_crt_with_name(plist_t pair_record, const char* name, key_data_t* cert)	1062	userpref_error_t pair_record_import_crt_with_name(plist_t pair_record, const char* name, key_data_t* cert)
825	#else	1063	#else
826	userpref_error_t pair_record_import_crt_with_name(plist_t pair_record, const char* name, gnutls_x509_crt_t cert)	1064	userpref_error_t pair_record_import_crt_with_name(plist_t pair_record, const char* name, gnutls_x509_crt_t cert)
827	#endif	1065	#endif
828	{	1066	{
829	#ifdef HAVE_OPENSSL	1067	#if defined(HAVE_OPENSSL) \|\| defined(HAVE_MBEDTLS)
830	if (!cert)	1068	if (!cert)
831	return USERPREF_E_SUCCESS;	1069	return USERPREF_E_SUCCESS;
832	#endif	1070	#endif
833	userpref_error_t ret = USERPREF_E_INVALID_CONF;	1071	userpref_error_t ret = USERPREF_E_INVALID_CONF;
834		1072
835	#ifdef HAVE_OPENSSL	1073	#if defined(HAVE_OPENSSL) \|\| defined(HAVE_MBEDTLS)
836	ret = pair_record_get_item_as_key_data(pair_record, name, cert);	1074	ret = pair_record_get_item_as_key_data(pair_record, name, cert);
837	#else	1075	#elif defined(HAVE_GNUTLS)
838	key_data_t pem = { NULL, 0 };	1076	key_data_t pem = { NULL, 0 };
839	ret = pair_record_get_item_as_key_data(pair_record, name, &pem);	1077	ret = pair_record_get_item_as_key_data(pair_record, name, &pem);
840	if (ret == USERPREF_E_SUCCESS && GNUTLS_E_SUCCESS == gnutls_x509_crt_import(cert, &pem, GNUTLS_X509_FMT_PEM))	1078	if (ret == USERPREF_E_SUCCESS && GNUTLS_E_SUCCESS == gnutls_x509_crt_import(cert, &pem, GNUTLS_X509_FMT_PEM))
841	ret = USERPREF_E_SUCCESS;	1079	ret = USERPREF_E_SUCCESS;
842	else	1080	else
843	ret = USERPREF_E_SSL_ERROR;	1081	ret = USERPREF_E_SSL_ERROR;
844
845	if (pem.data)
846	free(pem.data);
847	#endif
848		1082
		1083	if (pem.data)
		1084	free(pem.data);
		1085	#endif
849	return ret;	1086	return ret;
850	}	1087	}
851		1088
@@ -880,9 +1117,10 @@ userpref_error_t pair_record_get_item_as_key_data(plist_t pair_record, const cha
880		1117
881	if (node && plist_get_node_type(node) == PLIST_DATA) {	1118	if (node && plist_get_node_type(node) == PLIST_DATA) {
882	plist_get_data_val(node, &buffer, &length);	1119	plist_get_data_val(node, &buffer, &length);
883	value->data = (unsigned char*)malloc(length);	1120	value->data = (unsigned char*)malloc(length+1);
884	memcpy(value->data, buffer, length);	1121	memcpy(value->data, buffer, length);
885	value->size = length;	1122	value->data[length] = '\0';
		1123	value->size = length+1;
886	free(buffer);	1124	free(buffer);
887	buffer = NULL;	1125	buffer = NULL;
888	} else {	1126	} else {