From a9e69b1252e5918b6d8ada1209ccefde301cfa26 Mon Sep 17 00:00:00 2001
From: Nikias Bassen
Date: Thu, 5 Sep 2019 19:50:24 +0200
Subject: idevice: Fix handling SSL/TLS version selection for OpenSSL 1.1.0+ and for older devices
---
 src/idevice.c | 30 +++++++++++++++++++-----------
 src/idevice.h | 4 +++-
 src/lockdown.c | 4 ++--
 3 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/src/idevice.c b/src/idevice.c
index 382e9d2..fd1f4b5 100644
--- a/src/idevice.c
+++ b/src/idevice.c
@@ -320,7 +320,7 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connect(idevice_t device, uint16_t
 new_connection->type = CONNECTION_USBMUXD;
 new_connection->data = (void*)(long)sfd;
 new_connection->ssl_data = NULL;
- idevice_get_udid(device, &new_connection->udid);
+ new_connection->device = device;
 *connection = new_connection;
 return IDEVICE_E_SUCCESS;
 } else {
@@ -348,9 +348,6 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_disconnect(idevice_connection_t con
 debug_info("Unknown connection type %d", connection->type);
 }
- if (connection->udid)
- free(connection->udid);
 free(connection);
 connection = NULL;
@@ -759,9 +756,9 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_enable_ssl(idevice_conne
 #endif
 plist_t pair_record = NULL;
- userpref_read_pair_record(connection->udid, &pair_record);
+ userpref_read_pair_record(connection->device->udid, &pair_record);
 if (!pair_record) {
- debug_info("ERROR: Failed enabling SSL. Unable to read pair record for udid %s.", connection->udid);
+ debug_info("ERROR: Failed enabling SSL. Unable to read pair record for udid %s.", connection->device->udid);
 return ret;
 }
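Review bot: `new_connection->device = device;` replaces the connection's own copy of the UDID with a borrowed pointer to the caller's idevice_t, so idevice_connection_enable_ssl's read of `connection->device->udid` later in this commit, and anything else that follows the new `idevice_t device;` field declared in src/idevice.h, dereferences memory the connection does not own; if the caller frees the device before idevice_disconnect() this becomes a use-after-free. Neither the hunk nor the commit message records that lifetime requirement, so it should at least be documented on the field, e.g. `idevice_t device; /* non-owning: the device passed to idevice_connect(); must outlive this connection */`. If callers cannot be held to that, copying the udid and version into the connection at connect time keeps the old ownership model. idevice_connect starts and ends outside the hunk.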
@@ -789,16 +786,27 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_enable_ssl(idevice_conne
 return ret;
 }
- /* force use of TLSv1 */
+#if OPENSSL_VERSION_NUMBER < 0x10100002L || \
+ (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x2060000fL))
+ /* force use of TLSv1 for older devices */
+ if (connection->device->version < DEVICE_VERSION(10,0,0)) {
 #ifdef SSL_OP_NO_TLSv1_1
- int opts = SSL_OP_NO_TLSv1_1;
+ long opts = SSL_CTX_get_options(ssl_ctx);
+ opts |= SSL_OP_NO_TLSv1_1;
 #ifdef SSL_OP_NO_TLSv1_2
- opts |= SSL_OP_NO_TLSv1_2;
+ opts |= SSL_OP_NO_TLSv1_2;
 #endif
 #ifdef SSL_OP_NO_TLSv1_3
- opts |= SSL_OP_NO_TLSv1_3;
+ opts |= SSL_OP_NO_TLSv1_3;
+#endif
+ SSL_CTX_set_options(ssl_ctx, opts);
 #endif
- SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | opts);
+ }
+#else
+ SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION);
+ if (connection->device->version < DEVICE_VERSION(10,0,0)) {
+ SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_VERSION);
+ }
 #endif
 BIO* membp;
diff --git a/src/idevice.h b/src/idevice.h
index 94e828b..f403c55 100644
--- a/src/idevice.h
+++ b/src/idevice.h
@@ -46,6 +46,8 @@
 #include "common/userpref.h"
 #include "libimobiledevice/libimobiledevice.h"
+#define DEVICE_VERSION(maj, min, patch) (((maj & 0xFF) << 16) | ((min & 0xFF) << 8) | (patch & 0xFF))
+
 enum connection_type {
 CONNECTION_USBMUXD = 1
 };
@@ -66,7 +68,7 @@ struct ssl_data_private {
 typedef struct ssl_data_private *ssl_data_t;
 struct idevice_connection_private {
- char *udid;
+ idevice_t device;
 enum connection_type type;
 void *data;
 ssl_data_t ssl_data;
diff --git a/src/lockdown.c b/src/lockdown.c
index 23f2782..694fb47 100644
--- a/src/lockdown.c
+++ b/src/lockdown.c
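Review bot: The return values of `SSL_CTX_set_min_proto_version` and `SSL_CTX_set_max_proto_version` in the `#else` branch are ignored; both report failure with 0, and when a bound is rejected (for instance a protocol version the library does not support) the context silently keeps its default version range, so the intended pin to TLS 1.0 for pre-10.0 devices would not be applied. Checking them the way the surrounding error paths do, `if (!SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION)) return ret;` and likewise for the max call, makes that failure visible instead of negotiating something else. The comparison `connection->device->version < DEVICE_VERSION(10,0,0)` also takes the TLS 1.0-only path when the version was never populated — the src/lockdown.c hunks show it being set in lockdownd_client_new_with_handshake, so a connection whose version is still zero looks like a pre-10.0 device — and if that fallback is intended the comment should say so, e.g. `/* force TLSv1 for pre-10.0 devices (and when the device version is unknown) */`. The pre-1.1.0 branch additionally stops passing `SSL_OP_ALL`, a behaviour change the commit message does not mention. idevice_connection_enable_ssl starts and ends outside the hunk.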
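Review bot: The parameters of the new `DEVICE_VERSION` macro are not parenthesized, so an argument that is itself an expression with an operator binding weaker than `&` (a conditional or a bitwise-or, for example) is mis-grouped; the usual hygiene is `#define DEVICE_VERSION(maj, min, patch) ((((maj) & 0xFF) << 16) | (((min) & 0xFF) << 8) | ((patch) & 0xFF))`. The `& 0xFF` masks also mean that a component of 256 or more, or a negative value from the `%d` parse in src/lockdown.c, wraps into the 8-bit field rather than being rejected, which deserves a one-line comment above the macro, e.g. `/* packs maj.min.patch into the 0x00MMmmpp layout of device->version; each component is truncated to 8 bits */`.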
@@ -715,7 +715,7 @@ LIBIMOBILEDEVICE_API lockdownd_error_t lockdownd_client_new_with_handshake(idevi
 char *s_version = NULL;
 plist_get_string_val(p_version, &s_version);
 if (s_version && sscanf(s_version, "%d.%d.%d", &vers[0], &vers[1], &vers[2]) >= 2) {
- device->version = ((vers[0] & 0xFF) << 16) | ((vers[1] & 0xFF) << 8) | (vers[2] & 0xFF);
+ device->version = DEVICE_VERSION(vers[0], vers[1], vers[2]);
 }
 free(s_version);
 }
@@ -738,7 +738,7 @@ LIBIMOBILEDEVICE_API lockdownd_error_t lockdownd_client_new_with_handshake(idevi
 plist_free(pair_record);
 pair_record = NULL;
- if (device->version < 0x070000) {
+ if (device->version < DEVICE_VERSION(7,0,0)) {
 /* for older devices, we need to validate pairing to receive trusted host status */
 ret = lockdownd_validate_pair(client_loc, NULL);
-- 
cgit v1.1-32-gdbae