diff options
Diffstat (limited to 'src/idevice.c')
-rw-r--r-- | src/idevice.c | 757 |
1 files changed, 546 insertions, 211 deletions
diff --git a/src/idevice.c b/src/idevice.c index 47c9ab4..b9bbb1f 100644 --- a/src/idevice.c +++ b/src/idevice.c @@ -2,7 +2,7 @@ * idevice.c * Device discovery and communication interface. * - * Copyright (c) 2009-2019 Nikias Bassen. All Rights Reserved. + * Copyright (c) 2009-2021 Nikias Bassen. All Rights Reserved. * Copyright (c) 2014 Martin Szulecki All Rights Reserved. * Copyright (c) 2008 Zach C. All Rights Reserved. * @@ -30,29 +30,49 @@ #include <errno.h> #include <time.h> +#ifdef WIN32 +#include <winsock2.h> +#include <ws2tcpip.h> +#include <windows.h> +#else +#include <sys/socket.h> +#include <netinet/in.h> +#endif + #include <usbmuxd.h> -#ifdef HAVE_OPENSSL + +#if defined(HAVE_OPENSSL) #include <openssl/err.h> #include <openssl/rsa.h> #include <openssl/ssl.h> -#else +#elif defined(HAVE_GNUTLS) #include <gnutls/gnutls.h> +#elif defined(HAVE_MBEDTLS) +#include <mbedtls/rsa.h> +#include <mbedtls/ssl.h> +#include <mbedtls/entropy.h> +#include <mbedtls/ctr_drbg.h> +#include <mbedtls/debug.h> +#else +#error No supported TLS/SSL library enabled #endif +#include <libimobiledevice-glue/socket.h> +#include <libimobiledevice-glue/thread.h> + #include "idevice.h" +#include "lockdown.h" #include "common/userpref.h" -#include "common/socket.h" -#include "common/thread.h" #include "common/debug.h" -#ifdef WIN32 -#include <windows.h> +#ifndef ECONNREFUSED +#define ECONNREFUSED 107 #endif - #ifndef ETIMEDOUT #define ETIMEDOUT 138 #endif + #ifdef HAVE_OPENSSL #if OPENSSL_VERSION_NUMBER < 0x10100000L || \ @@ -106,7 +126,7 @@ static void id_function(CRYPTO_THREADID *thread) static void internal_idevice_init(void) { -#ifdef HAVE_OPENSSL +#if defined(HAVE_OPENSSL) #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) int i; SSL_library_init(); @@ -124,14 +144,16 @@ static void internal_idevice_init(void) #endif CRYPTO_set_locking_callback(locking_function); #endif -#else +#elif defined(HAVE_GNUTLS) gnutls_global_init(); +#elif defined(HAVE_MBEDTLS) + // NO-OP #endif } static void internal_idevice_deinit(void) { -#ifdef HAVE_OPENSSL +#if defined(HAVE_OPENSSL) #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) int i; if (mutex_buf) { @@ -152,15 +174,33 @@ static void internal_idevice_deinit(void) SSL_COMP_free_compression_methods(); openssl_remove_thread_state(); #endif -#else +#elif defined(HAVE_GNUTLS) gnutls_global_deinit(); +#elif defined(HAVE_MBEDTLS) + // NO-OP #endif } static thread_once_t init_once = THREAD_ONCE_INIT; static thread_once_t deinit_once = THREAD_ONCE_INIT; -#ifdef WIN32 +#ifndef HAVE_ATTRIBUTE_CONSTRUCTOR + #if defined(__llvm__) || defined(__GNUC__) + #define HAVE_ATTRIBUTE_CONSTRUCTOR + #endif +#endif + +#ifdef HAVE_ATTRIBUTE_CONSTRUCTOR +static void __attribute__((constructor)) libimobiledevice_initialize(void) +{ + thread_once(&init_once, internal_idevice_init); +} + +static void __attribute__((destructor)) libimobiledevice_deinitialize(void) +{ + thread_once(&deinit_once, internal_idevice_deinit); +} +#elif defined(WIN32) BOOL WINAPI DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID lpReserved) { switch (dwReason) { @@ -176,21 +216,28 @@ BOOL WINAPI DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID lpReserved) return 1; } #else -static void __attribute__((constructor)) libimobiledevice_initialize(void) -{ - thread_once(&init_once, internal_idevice_init); -} +#warning No compiler support for constructor/destructor attributes, some features might not be available. +#endif -static void __attribute__((destructor)) libimobiledevice_deinitialize(void) +const char* libimobiledevice_version() { - thread_once(&deinit_once, internal_idevice_deinit); -} +#ifndef PACKAGE_VERSION +#error PACKAGE_VERSION is not defined! #endif + return PACKAGE_VERSION; +} + +struct idevice_subscription_context { + idevice_event_cb_t callback; + void *user_data; + usbmuxd_subscription_context_t ctx; +}; -static idevice_event_cb_t event_cb = NULL; +static idevice_subscription_context_t event_ctx = NULL; static void usbmux_event_cb(const usbmuxd_event_t *event, void *user_data) { + idevice_subscription_context_t context = (idevice_subscription_context_t)user_data; idevice_event_t ev; ev.event = event->event; @@ -204,35 +251,68 @@ static void usbmux_event_cb(const usbmuxd_event_t *event, void *user_data) debug_info("Unknown connection type %d", event->device.conn_type); } - if (event_cb) { - event_cb(&ev, user_data); + if (context->callback) { + context->callback(&ev, context->user_data); } } -LIBIMOBILEDEVICE_API idevice_error_t idevice_event_subscribe(idevice_event_cb_t callback, void *user_data) +idevice_error_t idevice_events_subscribe(idevice_subscription_context_t *context, idevice_event_cb_t callback, void *user_data) { - event_cb = callback; - int res = usbmuxd_subscribe(usbmux_event_cb, user_data); + if (!context || !callback) { + return IDEVICE_E_INVALID_ARG; + } + *context = malloc(sizeof(struct idevice_subscription_context)); + if (!*context) { + debug_info("ERROR: %s: Failed to allocate subscription context\n", __func__); + return IDEVICE_E_UNKNOWN_ERROR; + } + (*context)->callback = callback; + (*context)->user_data = user_data; + int res = usbmuxd_events_subscribe(&(*context)->ctx, usbmux_event_cb, *context); if (res != 0) { - event_cb = NULL; + free(*context); + *context = NULL; debug_info("ERROR: usbmuxd_subscribe() returned %d!", res); return IDEVICE_E_UNKNOWN_ERROR; } return IDEVICE_E_SUCCESS; } -LIBIMOBILEDEVICE_API idevice_error_t idevice_event_unsubscribe(void) +idevice_error_t idevice_events_unsubscribe(idevice_subscription_context_t context) { - event_cb = NULL; - int res = usbmuxd_unsubscribe(); + if (!context) { + return IDEVICE_E_INVALID_ARG; + } + int res = usbmuxd_events_unsubscribe(context->ctx); if (res != 0) { debug_info("ERROR: usbmuxd_unsubscribe() returned %d!", res); return IDEVICE_E_UNKNOWN_ERROR; } + if (context == event_ctx) { + event_ctx = NULL; + } + free(context); return IDEVICE_E_SUCCESS; } -LIBIMOBILEDEVICE_API idevice_error_t idevice_get_device_list_extended(idevice_info_t **devices, int *count) +idevice_error_t idevice_event_subscribe(idevice_event_cb_t callback, void *user_data) +{ + if (event_ctx) { + idevice_events_unsubscribe(event_ctx); + } + return idevice_events_subscribe(&event_ctx, callback, user_data); +} + +idevice_error_t idevice_event_unsubscribe(void) +{ + if (!event_ctx) { + return IDEVICE_E_SUCCESS; + } + event_ctx->callback = NULL; + return idevice_events_unsubscribe(event_ctx); +} + +idevice_error_t idevice_get_device_list_extended(idevice_info_t **devices, int *count) { usbmuxd_device_info_t *dev_list; @@ -256,7 +336,21 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_get_device_list_extended(idevice_in newlist[newcount]->conn_data = NULL; } else if (dev_list[i].conn_type == CONNECTION_TYPE_NETWORK) { newlist[newcount]->conn_type = CONNECTION_NETWORK; - size_t addrlen = dev_list[i].conn_data[0]; + struct sockaddr* saddr = (struct sockaddr*)(dev_list[i].conn_data); + size_t addrlen = 0; + switch (saddr->sa_family) { + case AF_INET: + addrlen = sizeof(struct sockaddr_in); + break; +#ifdef AF_INET6 + case AF_INET6: + addrlen = sizeof(struct sockaddr_in6); + break; +#endif + default: + debug_info("Unsupported address family 0x%02x\n", saddr->sa_family); + continue; + } newlist[newcount]->conn_data = malloc(addrlen); memcpy(newlist[newcount]->conn_data, dev_list[i].conn_data, addrlen); } @@ -273,7 +367,7 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_get_device_list_extended(idevice_in return IDEVICE_E_SUCCESS; } -LIBIMOBILEDEVICE_API idevice_error_t idevice_device_list_extended_free(idevice_info_t *devices) +idevice_error_t idevice_device_list_extended_free(idevice_info_t *devices) { if (devices) { int i = 0; @@ -288,7 +382,7 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_device_list_extended_free(idevice_i return IDEVICE_E_SUCCESS; } -LIBIMOBILEDEVICE_API idevice_error_t idevice_get_device_list(char ***devices, int *count) +idevice_error_t idevice_get_device_list(char ***devices, int *count) { usbmuxd_device_info_t *dev_list; @@ -320,7 +414,7 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_get_device_list(char ***devices, in return IDEVICE_E_SUCCESS; } -LIBIMOBILEDEVICE_API idevice_error_t idevice_device_list_free(char **devices) +idevice_error_t idevice_device_list_free(char **devices) { if (devices) { int i = 0; @@ -333,7 +427,7 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_device_list_free(char **devices) return IDEVICE_E_SUCCESS; } -LIBIMOBILEDEVICE_API void idevice_set_debug_level(int level) +void idevice_set_debug_level(int level) { internal_set_debug_level(level); } @@ -350,6 +444,7 @@ static idevice_t idevice_from_mux_device(usbmuxd_device_info_t *muxdev) device->udid = strdup(muxdev->udid); device->mux_id = muxdev->handle; device->version = 0; + device->device_class = 0; switch (muxdev->conn_type) { case CONNECTION_TYPE_USB: device->conn_type = CONNECTION_USBMUXD; @@ -357,9 +452,25 @@ static idevice_t idevice_from_mux_device(usbmuxd_device_info_t *muxdev) break; case CONNECTION_TYPE_NETWORK: device->conn_type = CONNECTION_NETWORK; - size_t len = ((uint8_t*)muxdev->conn_data)[0]; - device->conn_data = malloc(len); - memcpy(device->conn_data, muxdev->conn_data, len); + struct sockaddr* saddr = (struct sockaddr*)(muxdev->conn_data); + size_t addrlen = 0; + switch (saddr->sa_family) { + case AF_INET: + addrlen = sizeof(struct sockaddr_in); + break; +#ifdef AF_INET6 + case AF_INET6: + addrlen = sizeof(struct sockaddr_in6); + break; +#endif + default: + debug_info("Unsupported address family 0x%02x\n", saddr->sa_family); + free(device->udid); + free(device); + return NULL; + } + device->conn_data = malloc(addrlen); + memcpy(device->conn_data, muxdev->conn_data, addrlen); break; default: device->conn_type = 0; @@ -369,7 +480,7 @@ static idevice_t idevice_from_mux_device(usbmuxd_device_info_t *muxdev) return device; } -LIBIMOBILEDEVICE_API idevice_error_t idevice_new_with_options(idevice_t * device, const char *udid, enum idevice_options options) +idevice_error_t idevice_new_with_options(idevice_t * device, const char *udid, enum idevice_options options) { usbmuxd_device_info_t muxdev; int usbmux_options = 0; @@ -393,12 +504,12 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_new_with_options(idevice_t * device return IDEVICE_E_NO_DEVICE; } -LIBIMOBILEDEVICE_API idevice_error_t idevice_new(idevice_t * device, const char *udid) +idevice_error_t idevice_new(idevice_t * device, const char *udid) { return idevice_new_with_options(device, udid, 0); } -LIBIMOBILEDEVICE_API idevice_error_t idevice_free(idevice_t device) +idevice_error_t idevice_free(idevice_t device) { if (!device) return IDEVICE_E_INVALID_ARG; @@ -415,7 +526,7 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_free(idevice_t device) return ret; } -LIBIMOBILEDEVICE_API idevice_error_t idevice_connect(idevice_t device, uint16_t port, idevice_connection_t *connection) +idevice_error_t idevice_connect(idevice_t device, uint16_t port, idevice_connection_t *connection) { if (!device) { return IDEVICE_E_INVALID_ARG; @@ -424,7 +535,15 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connect(idevice_t device, uint16_t if (device->conn_type == CONNECTION_USBMUXD) { int sfd = usbmuxd_connect(device->mux_id, port); if (sfd < 0) { - debug_info("ERROR: Connecting to usbmuxd failed: %d (%s)", sfd, strerror(-sfd)); + debug_info("ERROR: Connecting to usbmux device failed: %d (%s)", sfd, strerror(-sfd)); + switch (-sfd) { + case ECONNREFUSED: + return IDEVICE_E_CONNREFUSED; + case ENODEV: + return IDEVICE_E_NO_DEVICE; + default: + break; + } return IDEVICE_E_UNKNOWN_ERROR; } idevice_connection_t new_connection = (idevice_connection_t)malloc(sizeof(struct idevice_connection_private)); @@ -432,30 +551,22 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connect(idevice_t device, uint16_t new_connection->data = (void*)(long)sfd; new_connection->ssl_data = NULL; new_connection->device = device; + new_connection->ssl_recv_timeout = (unsigned int)-1; + new_connection->status = IDEVICE_E_SUCCESS; *connection = new_connection; return IDEVICE_E_SUCCESS; - } else if (device->conn_type == CONNECTION_NETWORK) { - struct sockaddr_storage saddr_storage; - struct sockaddr* saddr = (struct sockaddr*)&saddr_storage; - - /* FIXME: Improve handling of this platform/host dependent connection data */ - if (((char*)device->conn_data)[1] == 0x02) { // AF_INET - saddr->sa_family = AF_INET; - memcpy(&saddr->sa_data[0], (char*)device->conn_data + 2, 14); - } - else if (((char*)device->conn_data)[1] == 0x1E) { // AF_INET6 (bsd) + } + if (device->conn_type == CONNECTION_NETWORK) { + struct sockaddr* saddr = (struct sockaddr*)(device->conn_data); + switch (saddr->sa_family) { + case AF_INET: #ifdef AF_INET6 - saddr->sa_family = AF_INET6; - /* copy the address and the host dependent scope id */ - memcpy(&saddr->sa_data[0], (char*)device->conn_data + 2, 26); -#else - debug_info("ERROR: Got an IPv6 address but this system doesn't support IPv6"); - return IDEVICE_E_UNKNOWN_ERROR; + case AF_INET6: #endif - } - else { - debug_info("Unsupported address family 0x%02x", ((char*)device->conn_data)[1]); - return IDEVICE_E_UNKNOWN_ERROR; + break; + default: + debug_info("Unsupported address family 0x%02x", saddr->sa_family); + return IDEVICE_E_UNKNOWN_ERROR; } char addrtxt[48]; @@ -469,7 +580,14 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connect(idevice_t device, uint16_t int sfd = socket_connect_addr(saddr, port); if (sfd < 0) { - debug_info("ERROR: Connecting to network device failed: %d (%s)", errno, strerror(errno)); + int result = errno; + debug_info("ERROR: Connecting to network device failed: %d (%s)", result, strerror(result)); + switch (result) { + case ECONNREFUSED: + return IDEVICE_E_CONNREFUSED; + default: + break; + } return IDEVICE_E_NO_DEVICE; } @@ -478,18 +596,18 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connect(idevice_t device, uint16_t new_connection->data = (void*)(long)sfd; new_connection->ssl_data = NULL; new_connection->device = device; + new_connection->ssl_recv_timeout = (unsigned int)-1; *connection = new_connection; return IDEVICE_E_SUCCESS; - } else { - debug_info("Unknown connection type %d", device->conn_type); } + debug_info("Unknown connection type %d", device->conn_type); return IDEVICE_E_UNKNOWN_ERROR; } -LIBIMOBILEDEVICE_API idevice_error_t idevice_disconnect(idevice_connection_t connection) +idevice_error_t idevice_disconnect(idevice_connection_t connection) { if (!connection) { return IDEVICE_E_INVALID_ARG; @@ -527,13 +645,17 @@ static idevice_error_t internal_connection_send(idevice_connection_t connection, } if (connection->type == CONNECTION_USBMUXD) { - int res = usbmuxd_send((int)(long)connection->data, data, len, sent_bytes); + int res; + do { + res = usbmuxd_send((int)(long)connection->data, data, len, sent_bytes); + } while (res == -EAGAIN); if (res < 0) { debug_info("ERROR: usbmuxd_send returned %d (%s)", res, strerror(-res)); return IDEVICE_E_UNKNOWN_ERROR; } return IDEVICE_E_SUCCESS; - } else if (connection->type == CONNECTION_NETWORK) { + } + if (connection->type == CONNECTION_NETWORK) { int s = socket_send((int)(long)connection->data, (void*)data, len); if (s < 0) { *sent_bytes = 0; @@ -541,29 +663,28 @@ static idevice_error_t internal_connection_send(idevice_connection_t connection, } *sent_bytes = s; return IDEVICE_E_SUCCESS; - } else { - debug_info("Unknown connection type %d", connection->type); } + + debug_info("Unknown connection type %d", connection->type); return IDEVICE_E_UNKNOWN_ERROR; } -LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_send(idevice_connection_t connection, const char *data, uint32_t len, uint32_t *sent_bytes) +idevice_error_t idevice_connection_send(idevice_connection_t connection, const char *data, uint32_t len, uint32_t *sent_bytes) { - if (!connection || !data || (connection->ssl_data && !connection->ssl_data->session)) { + if (!connection || !data +#if defined(HAVE_OPENSSL) || defined(HAVE_GNUTLS) + || (connection->ssl_data && !connection->ssl_data->session) +#endif + ) { return IDEVICE_E_INVALID_ARG; } if (connection->ssl_data) { + connection->status = IDEVICE_E_SUCCESS; uint32_t sent = 0; while (sent < len) { -#ifdef HAVE_OPENSSL - int c = socket_check_fd((int)(long)connection->data, FDM_WRITE, 100); - if (c == 0 || c == -ETIMEDOUT || c == -EAGAIN) { - continue; - } else if (c < 0) { - break; - } +#if defined(HAVE_OPENSSL) int s = SSL_write(connection->ssl_data->session, (const void*)(data+sent), (int)(len-sent)); if (s <= 0) { int sslerr = SSL_get_error(connection->ssl_data->session, s); @@ -572,8 +693,10 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_send(idevice_connection_ } break; } -#else +#elif defined(HAVE_GNUTLS) ssize_t s = gnutls_record_send(connection->ssl_data->session, (void*)(data+sent), (size_t)(len-sent)); +#elif defined(HAVE_MBEDTLS) + int s = mbedtls_ssl_write(&connection->ssl_data->ctx, (const unsigned char*)(data+sent), (size_t)(len-sent)); #endif if (s < 0) { break; @@ -583,36 +706,42 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_send(idevice_connection_ debug_info("SSL_write %d, sent %d", len, sent); if (sent < len) { *sent_bytes = 0; - return IDEVICE_E_SSL_ERROR; + return connection->status == IDEVICE_E_SUCCESS ? IDEVICE_E_SSL_ERROR : connection->status; } *sent_bytes = sent; return IDEVICE_E_SUCCESS; - } else { - uint32_t sent = 0; - while (sent < len) { - uint32_t bytes = 0; - int s = internal_connection_send(connection, data+sent, len-sent, &bytes); - if (s < 0) { - break; - } - sent += bytes; - } - debug_info("internal_connection_send %d, sent %d", len, sent); - if (sent < len) { - *sent_bytes = 0; - return IDEVICE_E_NOT_ENOUGH_DATA; + } + uint32_t sent = 0; + while (sent < len) { + uint32_t bytes = 0; + int s = internal_connection_send(connection, data+sent, len-sent, &bytes); + if (s < 0) { + break; } + sent += bytes; + } + debug_info("internal_connection_send %d, sent %d", len, sent); + if (sent < len) { *sent_bytes = sent; - return IDEVICE_E_SUCCESS; + if (sent == 0) { + return IDEVICE_E_UNKNOWN_ERROR; + } + return IDEVICE_E_NOT_ENOUGH_DATA; } + *sent_bytes = sent; + return IDEVICE_E_SUCCESS; } -static idevice_error_t socket_recv_to_idevice_error(int conn_error, uint32_t len, uint32_t received) +static inline idevice_error_t socket_recv_to_idevice_error(int conn_error, uint32_t len, uint32_t received) { if (conn_error < 0) { switch (conn_error) { case -EAGAIN: - debug_info("ERROR: received partial data %d/%d (%s)", received, len, strerror(-conn_error)); + if (len) { + debug_info("ERROR: received partial data %d/%d (%s)", received, len, strerror(-conn_error)); + } else { + debug_info("ERROR: received partial data (%s)", strerror(-conn_error)); + } return IDEVICE_E_NOT_ENOUGH_DATA; case -ETIMEDOUT: return IDEVICE_E_TIMEOUT; @@ -620,7 +749,6 @@ static idevice_error_t socket_recv_to_idevice_error(int conn_error, uint32_t len return IDEVICE_E_UNKNOWN_ERROR; } } - return IDEVICE_E_SUCCESS; } @@ -637,55 +765,50 @@ static idevice_error_t internal_connection_receive_timeout(idevice_connection_t if (connection->type == CONNECTION_USBMUXD) { int conn_error = usbmuxd_recv_timeout((int)(long)connection->data, data, len, recv_bytes, timeout); idevice_error_t error = socket_recv_to_idevice_error(conn_error, len, *recv_bytes); - if (error == IDEVICE_E_UNKNOWN_ERROR) { debug_info("ERROR: usbmuxd_recv_timeout returned %d (%s)", conn_error, strerror(-conn_error)); } - return error; - } else if (connection->type == CONNECTION_NETWORK) { + } + if (connection->type == CONNECTION_NETWORK) { int res = socket_receive_timeout((int)(long)connection->data, data, len, 0, timeout); - if (res < 0) { - debug_info("ERROR: socket_receive_timeout failed: %d (%s)", res, strerror(-res)); - return (res == -EAGAIN ? IDEVICE_E_NOT_ENOUGH_DATA : IDEVICE_E_UNKNOWN_ERROR); + idevice_error_t error = socket_recv_to_idevice_error(res, 0, 0); + if (error == IDEVICE_E_SUCCESS) { + *recv_bytes = (uint32_t)res; + } else if (error == IDEVICE_E_UNKNOWN_ERROR) { + debug_info("ERROR: socket_receive_timeout returned %d (%s)", res, strerror(-res)); } - *recv_bytes = (uint32_t)res; - return IDEVICE_E_SUCCESS; - } else { - debug_info("Unknown connection type %d", connection->type); + return error; } + + debug_info("Unknown connection type %d", connection->type); return IDEVICE_E_UNKNOWN_ERROR; } -LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_receive_timeout(idevice_connection_t connection, char *data, uint32_t len, uint32_t *recv_bytes, unsigned int timeout) +idevice_error_t idevice_connection_receive_timeout(idevice_connection_t connection, char *data, uint32_t len, uint32_t *recv_bytes, unsigned int timeout) { - if (!connection || (connection->ssl_data && !connection->ssl_data->session) || len == 0) { + if (!connection +#if defined(HAVE_OPENSSL) || defined(HAVE_GNUTLS) + || (connection->ssl_data && !connection->ssl_data->session) +#endif + || len == 0 + ) { return IDEVICE_E_INVALID_ARG; } if (connection->ssl_data) { uint32_t received = 0; - int do_select = 1; - while (received < len) { -#ifdef HAVE_OPENSSL - do_select = (SSL_pending(connection->ssl_data->session) == 0); -#endif - if (do_select) { - int conn_error = socket_check_fd((int)(long)connection->data, FDM_READ, timeout); - idevice_error_t error = socket_recv_to_idevice_error(conn_error, len, received); - - switch (error) { - case IDEVICE_E_SUCCESS: - break; - case IDEVICE_E_UNKNOWN_ERROR: - default: - debug_info("ERROR: socket_check_fd returned %d (%s)", conn_error, strerror(-conn_error)); - return error; - } - } + if (connection->ssl_recv_timeout != (unsigned int)-1) { + debug_info("WARNING: ssl_recv_timeout was not properly reset in idevice_connection_receive_timeout"); + } -#ifdef HAVE_OPENSSL + // this should be reset after the SSL_read call on all codepaths, as + // the supplied timeout should only apply to the current read. + connection->ssl_recv_timeout = timeout; + connection->status = IDEVICE_E_SUCCESS; + while (received < len) { +#if defined(HAVE_OPENSSL) int r = SSL_read(connection->ssl_data->session, (void*)((char*)(data+received)), (int)len-received); if (r > 0) { received += r; @@ -693,23 +816,35 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_receive_timeout(idevice_ int sslerr = SSL_get_error(connection->ssl_data->session, r); if (sslerr == SSL_ERROR_WANT_READ) { continue; + } else if (sslerr == SSL_ERROR_ZERO_RETURN) { + if (connection->status == IDEVICE_E_TIMEOUT) { + SSL_set_shutdown(connection->ssl_data->session, 0); + } } break; } -#else +#elif defined(HAVE_GNUTLS) ssize_t r = gnutls_record_recv(connection->ssl_data->session, (void*)(data+received), (size_t)len-received); if (r > 0) { received += r; } else { break; } +#elif defined(HAVE_MBEDTLS) + int r = mbedtls_ssl_read(&connection->ssl_data->ctx, (void*)(data+received), (size_t)len-received); + if (r > 0) { + received += r; + } else { + break; + } #endif } + connection->ssl_recv_timeout = (unsigned int)-1; debug_info("SSL_read %d, received %d", len, received); if (received < len) { - *recv_bytes = 0; - return IDEVICE_E_SSL_ERROR; + *recv_bytes = received; + return connection->status == IDEVICE_E_SUCCESS ? IDEVICE_E_SSL_ERROR : connection->status; } *recv_bytes = received; @@ -734,7 +869,8 @@ static idevice_error_t internal_connection_receive(idevice_connection_t connecti return IDEVICE_E_UNKNOWN_ERROR; } return IDEVICE_E_SUCCESS; - } else if (connection->type == CONNECTION_NETWORK) { + } + if (connection->type == CONNECTION_NETWORK) { int res = socket_receive((int)(long)connection->data, data, len); if (res < 0) { debug_info("ERROR: socket_receive returned %d (%s)", res, strerror(-res)); @@ -742,24 +878,34 @@ static idevice_error_t internal_connection_receive(idevice_connection_t connecti } *recv_bytes = (uint32_t)res; return IDEVICE_E_SUCCESS; - } else { - debug_info("Unknown connection type %d", connection->type); } + + debug_info("Unknown connection type %d", connection->type); return IDEVICE_E_UNKNOWN_ERROR; } -LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_receive(idevice_connection_t connection, char *data, uint32_t len, uint32_t *recv_bytes) +idevice_error_t idevice_connection_receive(idevice_connection_t connection, char *data, uint32_t len, uint32_t *recv_bytes) { - if (!connection || (connection->ssl_data && !connection->ssl_data->session)) { + if (!connection +#if defined(HAVE_OPENSSL) || defined(HAVE_GNUTLS) + || (connection->ssl_data && !connection->ssl_data->session) +#endif + ) { return IDEVICE_E_INVALID_ARG; } if (connection->ssl_data) { -#ifdef HAVE_OPENSSL + if (connection->ssl_recv_timeout != (unsigned int)-1) { + debug_info("WARNING: ssl_recv_timeout was not properly reset in idevice_connection_receive_timeout"); + connection->ssl_recv_timeout = (unsigned int)-1; + } +#if defined(HAVE_OPENSSL) int received = SSL_read(connection->ssl_data->session, (void*)data, (int)len); debug_info("SSL_read %d, received %d", len, received); -#else +#elif defined(HAVE_GNUTLS) ssize_t received = gnutls_record_recv(connection->ssl_data->session, (void*)data, (size_t)len); +#elif defined(HAVE_MBEDTLS) + int received = mbedtls_ssl_read(&connection->ssl_data->ctx, (unsigned char*)data, (size_t)len); #endif if (received > 0) { *recv_bytes = received; @@ -771,26 +917,26 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_receive(idevice_connecti return internal_connection_receive(connection, data, len, recv_bytes); } -LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_get_fd(idevice_connection_t connection, int *fd) +idevice_error_t idevice_connection_get_fd(idevice_connection_t connection, int *fd) { if (!connection || !fd) { return IDEVICE_E_INVALID_ARG; } - idevice_error_t result = IDEVICE_E_UNKNOWN_ERROR; if (connection->type == CONNECTION_USBMUXD) { *fd = (int)(long)connection->data; - result = IDEVICE_E_SUCCESS; - } else if (connection->type == CONNECTION_NETWORK) { + return IDEVICE_E_SUCCESS; + } + if (connection->type == CONNECTION_NETWORK) { *fd = (int)(long)connection->data; - result = IDEVICE_E_SUCCESS; - } else { - debug_info("Unknown connection type %d", connection->type); + return IDEVICE_E_SUCCESS; } - return result; + + debug_info("Unknown connection type %d", connection->type); + return IDEVICE_E_UNKNOWN_ERROR; } -LIBIMOBILEDEVICE_API idevice_error_t idevice_get_handle(idevice_t device, uint32_t *handle) +idevice_error_t idevice_get_handle(idevice_t device, uint32_t *handle) { if (!device || !handle) return IDEVICE_E_INVALID_ARG; @@ -799,78 +945,80 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_get_handle(idevice_t device, uint32 return IDEVICE_E_SUCCESS; } -LIBIMOBILEDEVICE_API idevice_error_t idevice_get_udid(idevice_t device, char **udid) +idevice_error_t idevice_get_udid(idevice_t device, char **udid) { if (!device || !udid) return IDEVICE_E_INVALID_ARG; - *udid = strdup(device->udid); + if (device->udid) { + *udid = strdup(device->udid); + } return IDEVICE_E_SUCCESS; } -#ifndef HAVE_OPENSSL +#if defined(HAVE_OPENSSL) || defined(HAVE_GNUTLS) +typedef ssize_t ssl_cb_ret_type_t; +#elif defined(HAVE_MBEDTLS) +typedef int ssl_cb_ret_type_t; +#endif + /** - * Internally used gnutls callback function for receiving encrypted data. + * Internally used SSL callback function for receiving encrypted data. */ -static ssize_t internal_ssl_read(gnutls_transport_ptr_t transport, char *buffer, size_t length) +static ssl_cb_ret_type_t internal_ssl_read(idevice_connection_t connection, char *buffer, size_t length) { - int bytes = 0, pos_start_fill = 0; - size_t tbytes = 0; - int this_len = length; + uint32_t bytes = 0; + uint32_t pos = 0; idevice_error_t res; - idevice_connection_t connection = (idevice_connection_t)transport; - char *recv_buffer; + unsigned int timeout = connection->ssl_recv_timeout; - debug_info("pre-read client wants %zi bytes", length); - - recv_buffer = (char *)malloc(sizeof(char) * this_len); + debug_info("pre-read length = %zi bytes", length); /* repeat until we have the full data or an error occurs */ do { - if ((res = internal_connection_receive(connection, recv_buffer, this_len, (uint32_t*)&bytes)) != IDEVICE_E_SUCCESS) { - debug_info("ERROR: idevice_connection_receive returned %d", res); - return res; + bytes = 0; + if (timeout == (unsigned int)-1) { + res = internal_connection_receive(connection, buffer + pos, (uint32_t)length - pos, &bytes); + } else { + res = internal_connection_receive_timeout(connection, buffer + pos, (uint32_t)length - pos, &bytes, (unsigned int)timeout); + } + if (res != IDEVICE_E_SUCCESS) { + if (res != IDEVICE_E_TIMEOUT) { + debug_info("ERROR: %s returned %d", (timeout == (unsigned int)-1) ? "internal_connection_receive" : "internal_connection_receive_timeout", res); + } + connection->status = res; + return -1; } - debug_info("post-read we got %i bytes", bytes); + debug_info("read %i bytes", bytes); /* increase read count */ - tbytes += bytes; - - /* fill the buffer with what we got right now */ - memcpy(buffer + pos_start_fill, recv_buffer, bytes); - pos_start_fill += bytes; - - if (tbytes >= length) { - break; + pos += bytes; + if (pos < (uint32_t)length) { + debug_info("re-read trying to read missing %i bytes", (uint32_t)length - pos); } + } while (pos < (uint32_t)length); - this_len = length - tbytes; - debug_info("re-read trying to read missing %i bytes", this_len); - } while (tbytes < length); + debug_info("post-read received %i bytes", pos); - if (recv_buffer) { - free(recv_buffer); - } - return tbytes; + return pos; } /** - * Internally used gnutls callback function for sending encrypted data. + * Internally used SSL callback function for sending encrypted data. */ -static ssize_t internal_ssl_write(gnutls_transport_ptr_t transport, char *buffer, size_t length) +static ssl_cb_ret_type_t internal_ssl_write(idevice_connection_t connection, const char *buffer, size_t length) { uint32_t bytes = 0; idevice_error_t res; - idevice_connection_t connection = (idevice_connection_t)transport; - debug_info("pre-send length = %zi", length); + debug_info("pre-send length = %zi bytes", length); if ((res = internal_connection_send(connection, buffer, length, &bytes)) != IDEVICE_E_SUCCESS) { debug_info("ERROR: internal_connection_send returned %d", res); + connection->status = res; return -1; } debug_info("post-send sent %i bytes", bytes); return bytes; } -#endif /** * Internally used function for cleaning up SSL stuff. @@ -880,14 +1028,14 @@ static void internal_ssl_cleanup(ssl_data_t ssl_data) if (!ssl_data) return; -#ifdef HAVE_OPENSSL +#if defined(HAVE_OPENSSL) if (ssl_data->session) { SSL_free(ssl_data->session); } if (ssl_data->ctx) { SSL_CTX_free(ssl_data->ctx); } -#else +#elif defined(HAVE_GNUTLS) if (ssl_data->session) { gnutls_deinit(ssl_data->session); } @@ -906,10 +1054,62 @@ static void internal_ssl_cleanup(ssl_data_t ssl_data) if (ssl_data->host_privkey) { gnutls_x509_privkey_deinit(ssl_data->host_privkey); } +#elif defined(HAVE_MBEDTLS) + mbedtls_pk_free(&ssl_data->root_privkey); + mbedtls_x509_crt_free(&ssl_data->certificate); + mbedtls_entropy_free(&ssl_data->entropy); + mbedtls_ctr_drbg_free(&ssl_data->ctr_drbg); + mbedtls_ssl_config_free(&ssl_data->config); + mbedtls_ssl_free(&ssl_data->ctx); #endif } #ifdef HAVE_OPENSSL +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +static long ssl_idevice_bio_callback(BIO *b, int oper, const char *argp, size_t len, int argi, long argl, int retvalue, size_t *processed) +#else +static long ssl_idevice_bio_callback(BIO *b, int oper, const char *argp, int argi, long argl, long retvalue) +#endif +{ + ssize_t bytes = 0; + idevice_connection_t conn = (idevice_connection_t)BIO_get_callback_arg(b); +#if OPENSSL_VERSION_NUMBER < 0x30000000L + size_t len = (size_t)argi; + size_t *processed = (size_t*)&bytes; +#endif + switch (oper) { + case (BIO_CB_READ|BIO_CB_RETURN): + if (argp) { + bytes = internal_ssl_read(conn, (char *)argp, len); + *processed = bytes; + return (long)bytes; + } + return 0; + case (BIO_CB_PUTS|BIO_CB_RETURN): + len = strlen(argp); + // fallthrough + case (BIO_CB_WRITE|BIO_CB_RETURN): + bytes = internal_ssl_write(conn, argp, len); + *processed = bytes; + return (long)bytes; + default: + return retvalue; + } +} + +static BIO *ssl_idevice_bio_new(idevice_connection_t conn) +{ + BIO *b = BIO_new(BIO_s_null()); + if (!b) return NULL; + BIO_set_callback_arg(b, (char *)conn); +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + BIO_set_callback_ex(b, ssl_idevice_bio_callback); +#else + BIO_set_callback(b, ssl_idevice_bio_callback); +#endif + return b; +} + static int ssl_verify_callback(int ok, X509_STORE_CTX *ctx) { return 1; @@ -944,7 +1144,7 @@ static const char *ssl_error_to_string(int e) #endif #endif -#ifndef HAVE_OPENSSL +#if defined(HAVE_GNUTLS) /** * Internally used gnutls callback function that gets called during handshake. */ @@ -975,9 +1175,26 @@ static int internal_cert_callback(gnutls_session_t session, const gnutls_datum_t } return res; } +#elif defined(HAVE_MBEDTLS) +static void _mbedtls_log_cb(void* ctx, int level, const char* filename, int line, const char* message) +{ + fprintf(stderr, "[mbedtls][%d] %s:%d => %s", level, filename, line, message); +} + +static int cert_verify_cb(void* ctx, mbedtls_x509_crt* cert, int depth, uint32_t *flags) +{ + *flags = 0; + return 0; +} + +static int _mbedtls_f_rng(void* p_rng, unsigned char* buf, size_t len) +{ + memset(buf, 4, len); + return 0; +} #endif -LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_enable_ssl(idevice_connection_t connection) +idevice_error_t idevice_connection_enable_ssl(idevice_connection_t connection) { if (!connection || connection->ssl_data) return IDEVICE_E_INVALID_ARG; @@ -985,13 +1202,13 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_enable_ssl(idevice_conne idevice_error_t ret = IDEVICE_E_SSL_ERROR; plist_t pair_record = NULL; - userpref_read_pair_record(connection->device->udid, &pair_record); - if (!pair_record) { - debug_info("ERROR: Failed enabling SSL. Unable to read pair record for udid %s.", connection->device->udid); + userpref_error_t uerr = userpref_read_pair_record(connection->device->udid, &pair_record); + if (uerr != USERPREF_E_SUCCESS) { + debug_info("ERROR: Failed enabling SSL. Unable to read pair record for udid %s (%d)", connection->device->udid, uerr); return ret; } -#ifdef HAVE_OPENSSL +#if defined(HAVE_OPENSSL) key_data_t root_cert = { NULL, 0 }; key_data_t root_privkey = { NULL, 0 }; @@ -1001,12 +1218,11 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_enable_ssl(idevice_conne if (pair_record) plist_free(pair_record); - BIO *ssl_bio = BIO_new(BIO_s_socket()); + BIO *ssl_bio = ssl_idevice_bio_new(connection); if (!ssl_bio) { debug_info("ERROR: Could not create SSL bio."); return ret; } - BIO_set_fd(ssl_bio, (int)(long)connection->data, BIO_NOCLOSE); SSL_CTX *ssl_ctx = SSL_CTX_new(TLS_method()); if (ssl_ctx == NULL) { @@ -1015,7 +1231,8 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_enable_ssl(idevice_conne return ret; } -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) || \ + (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x3060000fL)) SSL_CTX_set_security_level(ssl_ctx, 0); #endif @@ -1024,23 +1241,52 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_enable_ssl(idevice_conne /* force use of TLSv1 for older devices */ if (connection->device->version < DEVICE_VERSION(10,0,0)) { #ifdef SSL_OP_NO_TLSv1_1 - long opts = SSL_CTX_get_options(ssl_ctx); - opts |= SSL_OP_NO_TLSv1_1; + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1); +#endif #ifdef SSL_OP_NO_TLSv1_2 - opts |= SSL_OP_NO_TLSv1_2; + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2); #endif #ifdef SSL_OP_NO_TLSv1_3 - opts |= SSL_OP_NO_TLSv1_3; -#endif - SSL_CTX_set_options(ssl_ctx, opts); + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_3); #endif } #else SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION); if (connection->device->version < DEVICE_VERSION(10,0,0)) { SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_VERSION); + if (connection->device->version == 0) { + /* + iOS 1 doesn't understand TLS1_VERSION, it can only speak SSL3_VERSION. + However, modern OpenSSL is usually compiled without SSLv3 support. + So if we set min_proto_version to SSL3_VERSION on an OpenSSL instance which doesn't support it, + it will just ignore min_proto_version altogether and fall back to an even higher version. + To avoid accidentally breaking iOS 2.0+, we set min version to 0 instead. + Here is what documentation says: + Setting the minimum or maximum version to 0, + will enable protocol versions down to the lowest version, + or up to the highest version supported by the library, respectively. + */ + SSL_CTX_set_min_proto_version(ssl_ctx, 0); + } } #endif +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF) + /* + * For OpenSSL 3 and later, mark close_notify alerts as optional. + * For prior versions of OpenSSL we check for SSL_ERROR_SYSCALL when + * reading instead (this error changes to SSL_ERROR_SSL in OpenSSL 3). + */ + SSL_CTX_set_options(ssl_ctx, SSL_OP_IGNORE_UNEXPECTED_EOF); +#endif +#if defined(SSL_OP_LEGACY_SERVER_CONNECT) + /* + * Without setting SSL_OP_LEGACY_SERVER_CONNECT, OpenSSL 3 fails with + * error "unsafe legacy renegotiation disabled" when talking to iOS 5 + */ + SSL_CTX_set_options(ssl_ctx, SSL_OP_LEGACY_SERVER_CONNECT); +#endif +#endif BIO* membp; X509* rootCert = NULL; @@ -1053,6 +1299,16 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_enable_ssl(idevice_conne X509_free(rootCert); free(root_cert.data); +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_PKEY* rootPrivKey = NULL; + membp = BIO_new_mem_buf(root_privkey.data, root_privkey.size); + PEM_read_bio_PrivateKey(membp, &rootPrivKey, NULL, NULL); + BIO_free(membp); + if (SSL_CTX_use_PrivateKey(ssl_ctx, rootPrivKey) != 1) { + debug_info("WARNING: Could not load RootPrivateKey"); + } + EVP_PKEY_free(rootPrivKey); +#else RSA* rootPrivKey = NULL; membp = BIO_new_mem_buf(root_privkey.data, root_privkey.size); PEM_read_bio_RSAPrivateKey(membp, &rootPrivKey, NULL, NULL); @@ -1061,6 +1317,7 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_enable_ssl(idevice_conne debug_info("WARNING: Could not load RootPrivateKey"); } RSA_free(rootPrivKey); +#endif free(root_privkey.data); SSL *ssl = SSL_new(ssl_ctx); @@ -1102,7 +1359,7 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_enable_ssl(idevice_conne } /* required for proper multi-thread clean up to prevent leaks */ openssl_remove_thread_state(); -#else +#elif defined(HAVE_GNUTLS) ssl_data_t ssl_data_loc = (ssl_data_t)malloc(sizeof(struct ssl_data_private)); /* Set up GnuTLS... */ @@ -1160,16 +1417,92 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_enable_ssl(idevice_conne ret = IDEVICE_E_SUCCESS; debug_info("SSL mode enabled"); } +#elif defined(HAVE_MBEDTLS) + key_data_t root_cert = { NULL, 0 }; + key_data_t root_privkey = { NULL, 0 }; + + pair_record_import_crt_with_name(pair_record, USERPREF_ROOT_CERTIFICATE_KEY, &root_cert); + pair_record_import_key_with_name(pair_record, USERPREF_ROOT_PRIVATE_KEY_KEY, &root_privkey); + + plist_free(pair_record); + + ssl_data_t ssl_data_loc = (ssl_data_t)malloc(sizeof(struct ssl_data_private)); + + mbedtls_ssl_init(&ssl_data_loc->ctx); + mbedtls_ssl_config_init(&ssl_data_loc->config); + mbedtls_entropy_init(&ssl_data_loc->entropy); + mbedtls_ctr_drbg_init(&ssl_data_loc->ctr_drbg); + + int r = mbedtls_ctr_drbg_seed(&ssl_data_loc->ctr_drbg, mbedtls_entropy_func, &ssl_data_loc->entropy, NULL, 0); + if (r != 0) { + debug_info("ERROR: [mbedtls] mbedtls_ctr_drbg_seed failed: %d", r); + return ret; + } + + if (mbedtls_ssl_config_defaults(&ssl_data_loc->config, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT) != 0) { + debug_info("ERROR: [mbedtls] Failed to set config defaults"); + return ret; + } + + mbedtls_ssl_conf_rng(&ssl_data_loc->config, mbedtls_ctr_drbg_random, &ssl_data_loc->ctr_drbg); + + mbedtls_ssl_conf_dbg(&ssl_data_loc->config, _mbedtls_log_cb, NULL); + + mbedtls_ssl_conf_verify(&ssl_data_loc->config, cert_verify_cb, NULL); + + mbedtls_ssl_setup(&ssl_data_loc->ctx, &ssl_data_loc->config); + + mbedtls_ssl_set_bio(&ssl_data_loc->ctx, connection, (mbedtls_ssl_send_t*)&internal_ssl_write, (mbedtls_ssl_recv_t*)&internal_ssl_read, NULL); + + mbedtls_x509_crt_init(&ssl_data_loc->certificate); + + int crterr = mbedtls_x509_crt_parse(&ssl_data_loc->certificate, root_cert.data, root_cert.size); + if (crterr < 0) { + debug_info("ERROR: [mbedtls] parsing root cert failed: %d", crterr); + return ret; + } + + mbedtls_ssl_conf_ca_chain(&ssl_data_loc->config, &ssl_data_loc->certificate, NULL); + + mbedtls_pk_init(&ssl_data_loc->root_privkey); + +#if MBEDTLS_VERSION_NUMBER >= 0x03000000 + int pkerr = mbedtls_pk_parse_key(&ssl_data_loc->root_privkey, root_privkey.data, root_privkey.size, NULL, 0, &_mbedtls_f_rng, NULL); +#else + int pkerr = mbedtls_pk_parse_key(&ssl_data_loc->root_privkey, root_privkey.data, root_privkey.size, NULL, 0); +#endif + if (pkerr < 0) { + debug_info("ERROR: [mbedtls] parsing private key failed: %d (size=%d)", pkerr, root_privkey.size); + return ret; + } + + mbedtls_ssl_conf_own_cert(&ssl_data_loc->config, &ssl_data_loc->certificate, &ssl_data_loc->root_privkey); + + int return_me = 0; + do { + return_me = mbedtls_ssl_handshake(&ssl_data_loc->ctx); + } while (return_me == MBEDTLS_ERR_SSL_WANT_READ || return_me == MBEDTLS_ERR_SSL_WANT_WRITE); + + if (return_me != 0) { + debug_info("ERROR during SSL handshake: %d", return_me); + internal_ssl_cleanup(ssl_data_loc); + free(ssl_data_loc); + } else { + connection->ssl_data = ssl_data_loc; + ret = IDEVICE_E_SUCCESS; + debug_info("SSL mode enabled, %s, cipher: %s", mbedtls_ssl_get_version(&ssl_data_loc->ctx), mbedtls_ssl_get_ciphersuite(&ssl_data_loc->ctx)); + debug_info("SSL mode enabled"); + } #endif return ret; } -LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_disable_ssl(idevice_connection_t connection) +idevice_error_t idevice_connection_disable_ssl(idevice_connection_t connection) { return idevice_connection_disable_bypass_ssl(connection, 0); } -LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_disable_bypass_ssl(idevice_connection_t connection, uint8_t sslBypass) +idevice_error_t idevice_connection_disable_bypass_ssl(idevice_connection_t connection, uint8_t sslBypass) { if (!connection) return IDEVICE_E_INVALID_ARG; @@ -1181,7 +1514,7 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_disable_bypass_ssl(idevi // some services require plain text communication after SSL handshake // sending out SSL_shutdown will cause bytes if (!sslBypass) { -#ifdef HAVE_OPENSSL +#if defined(HAVE_OPENSSL) if (connection->ssl_data->session) { /* see: https://www.openssl.org/docs/ssl/SSL_shutdown.html#RETURN_VALUES */ if (SSL_shutdown(connection->ssl_data->session) == 0) { @@ -1190,14 +1523,16 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_disable_bypass_ssl(idevi if ((ssl_error = SSL_get_error(connection->ssl_data->session, 0)) == SSL_ERROR_NONE) { SSL_shutdown(connection->ssl_data->session); } else { - debug_info("Skipping bidirectional SSL shutdown. SSL error code: %i\n", ssl_error); + debug_info("Skipping bidirectional SSL shutdown. SSL error code: %i", ssl_error); } } } -#else +#elif defined(HAVE_GNUTLS) if (connection->ssl_data->session) { gnutls_bye(connection->ssl_data->session, GNUTLS_SHUT_RDWR); } +#elif defined(HAVE_MBEDTLS) + mbedtls_ssl_close_notify(&connection->ssl_data->ctx); #endif } |