Date: Monday, March 27, 2017 @ 22:27:29
Author: jgc
Revision: 291737
archrelease: copy trunk to extra-i686, extra-x86_64
Added:
libimobiledevice/repos/extra-i686/0001-Add-new-function-to-get-the-underlying-file-descript.patch
(from rev 291736,
libimobiledevice/trunk/0001-Add-new-function-to-get-the-underlying-file-descript.patch)
libimobiledevice/repos/extra-i686/0001-Fix-installation_proxy-when-using-GnuTLS-instead-of-.patch
(from rev 291736,
libimobiledevice/trunk/0001-Fix-installation_proxy-when-using-GnuTLS-instead-of-.patch)
libimobiledevice/repos/extra-i686/0001-Updated-gnutls-certificate-callback-to-new-API-backw.patch
(from rev 291736,
libimobiledevice/trunk/0001-Updated-gnutls-certificate-callback-to-new-API-backw.patch)
libimobiledevice/repos/extra-i686/0001-idevice-Update-GnuTLS-code-to-support-iOS-10.patch
(from rev 291736,
libimobiledevice/trunk/0001-idevice-Update-GnuTLS-code-to-support-iOS-10.patch)
libimobiledevice/repos/extra-i686/0001-userpref-GnuTLS-Fix-pairing-record-generation-and-im.patch
(from rev 291736,
libimobiledevice/trunk/0001-userpref-GnuTLS-Fix-pairing-record-generation-and-im.patch)
libimobiledevice/repos/extra-i686/CVE-2016-5104.patch
(from rev 291736, libimobiledevice/trunk/CVE-2016-5104.patch)
libimobiledevice/repos/extra-i686/PKGBUILD
(from rev 291736, libimobiledevice/trunk/PKGBUILD)
libimobiledevice/repos/extra-x86_64/0001-Add-new-function-to-get-the-underlying-file-descript.patch
(from rev 291736,
libimobiledevice/trunk/0001-Add-new-function-to-get-the-underlying-file-descript.patch)
libimobiledevice/repos/extra-x86_64/0001-Fix-installation_proxy-when-using-GnuTLS-instead-of-.patch
(from rev 291736,
libimobiledevice/trunk/0001-Fix-installation_proxy-when-using-GnuTLS-instead-of-.patch)
libimobiledevice/repos/extra-x86_64/0001-Updated-gnutls-certificate-callback-to-new-API-backw.patch
(from rev 291736,
libimobiledevice/trunk/0001-Updated-gnutls-certificate-callback-to-new-API-backw.patch)
libimobiledevice/repos/extra-x86_64/0001-idevice-Update-GnuTLS-code-to-support-iOS-10.patch
(from rev 291736,
libimobiledevice/trunk/0001-idevice-Update-GnuTLS-code-to-support-iOS-10.patch)
libimobiledevice/repos/extra-x86_64/0001-userpref-GnuTLS-Fix-pairing-record-generation-and-im.patch
(from rev 291736,
libimobiledevice/trunk/0001-userpref-GnuTLS-Fix-pairing-record-generation-and-im.patch)
libimobiledevice/repos/extra-x86_64/CVE-2016-5104.patch
(from rev 291736, libimobiledevice/trunk/CVE-2016-5104.patch)
libimobiledevice/repos/extra-x86_64/PKGBUILD
(from rev 291736, libimobiledevice/trunk/PKGBUILD)
Deleted:
libimobiledevice/repos/extra-i686/CVE-2016-5104.patch
libimobiledevice/repos/extra-i686/PKGBUILD
libimobiledevice/repos/extra-i686/disable-sslv3.patch
libimobiledevice/repos/extra-x86_64/CVE-2016-5104.patch
libimobiledevice/repos/extra-x86_64/PKGBUILD
libimobiledevice/repos/extra-x86_64/disable-sslv3.patch
------------------------------------------------------------------------------+
/CVE-2016-5104.patch |
62 +++
/PKGBUILD |
128 +++++++
extra-i686/0001-Add-new-function-to-get-the-underlying-file-descript.patch |
62 +++
extra-i686/0001-Fix-installation_proxy-when-using-GnuTLS-instead-of-.patch |
41 ++
extra-i686/0001-Updated-gnutls-certificate-callback-to-new-API-backw.patch |
54 +++
extra-i686/0001-idevice-Update-GnuTLS-code-to-support-iOS-10.patch |
29 +
extra-i686/0001-userpref-GnuTLS-Fix-pairing-record-generation-and-im.patch |
171 ++++++++++
extra-i686/CVE-2016-5104.patch |
31 -
extra-i686/PKGBUILD |
52 ---
extra-i686/disable-sslv3.patch |
12
extra-x86_64/0001-Add-new-function-to-get-the-underlying-file-descript.patch |
62 +++
extra-x86_64/0001-Fix-installation_proxy-when-using-GnuTLS-instead-of-.patch |
41 ++
extra-x86_64/0001-Updated-gnutls-certificate-callback-to-new-API-backw.patch |
54 +++
extra-x86_64/0001-idevice-Update-GnuTLS-code-to-support-iOS-10.patch |
29 +
extra-x86_64/0001-userpref-GnuTLS-Fix-pairing-record-generation-and-im.patch |
171 ++++++++++
extra-x86_64/CVE-2016-5104.patch |
31 -
extra-x86_64/PKGBUILD |
52 ---
extra-x86_64/disable-sslv3.patch |
12
18 files changed, 904 insertions(+), 190 deletions(-)
Copied:
libimobiledevice/repos/extra-i686/0001-Add-new-function-to-get-the-underlying-file-descript.patch
(from rev 291736,
libimobiledevice/trunk/0001-Add-new-function-to-get-the-underlying-file-descript.patch)
===================================================================
--- extra-i686/0001-Add-new-function-to-get-the-underlying-file-descript.patch
(rev 0)
+++ extra-i686/0001-Add-new-function-to-get-the-underlying-file-descript.patch
2017-03-27 22:27:29 UTC (rev 291737)
@@ -0,0 +1,62 @@
+From 692f7c9de72ca7fcaba51659972270d445751438 Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <[email protected]>
+Date: Wed, 23 Sep 2015 02:19:27 +0200
+Subject: [PATCH] Add new function to get the underlying file descriptor of an
+ idevice connection
+
+---
+ include/libimobiledevice/libimobiledevice.h | 10 ++++++++++
+ src/idevice.c | 16 ++++++++++++++++
+ 2 files changed, 26 insertions(+)
+
+diff --git a/include/libimobiledevice/libimobiledevice.h
b/include/libimobiledevice/libimobiledevice.h
+index 016cadb..b125adf 100644
+--- a/include/libimobiledevice/libimobiledevice.h
++++ b/include/libimobiledevice/libimobiledevice.h
+@@ -239,6 +239,16 @@ idevice_error_t
idevice_connection_enable_ssl(idevice_connection_t connection);
+ */
+ idevice_error_t idevice_connection_disable_ssl(idevice_connection_t
connection);
+
++/**
++ * Get the underlying file descriptor for a connection
++ *
++ * @param connection The connection to get fd of
++ * @param fd Pointer to an int where the fd is stored
++ *
++ * @return IDEVICE_E_SUCCESS if ok, otherwise an error code.
++ */
++idevice_error_t idevice_connection_get_fd(idevice_connection_t connection,
int *fd);
++
+ /* misc */
+
+ /**
+diff --git a/src/idevice.c b/src/idevice.c
+index b776e84..5912aeb 100644
+--- a/src/idevice.c
++++ b/src/idevice.c
+@@ -463,6 +463,22 @@ LIBIMOBILEDEVICE_API idevice_error_t
idevice_connection_receive(idevice_connecti
+ return internal_connection_receive(connection, data, len, recv_bytes);
+ }
+
++LIBIMOBILEDEVICE_API idevice_error_t
idevice_connection_get_fd(idevice_connection_t connection, int *fd)
++{
++ if (!connection || !fd) {
++ return IDEVICE_E_INVALID_ARG;
++ }
++
++ idevice_error_t result = IDEVICE_E_UNKNOWN_ERROR;
++ if (connection->type == CONNECTION_USBMUXD) {
++ *fd = (int)(long)connection->data;
++ result = IDEVICE_E_SUCCESS;
++ } else {
++ debug_info("Unknown connection type %d", connection->type);
++ }
++ return result;
++}
++
+ LIBIMOBILEDEVICE_API idevice_error_t idevice_get_handle(idevice_t device,
uint32_t *handle)
+ {
+ if (!device)
+--
+2.9.3
+
Copied:
libimobiledevice/repos/extra-i686/0001-Fix-installation_proxy-when-using-GnuTLS-instead-of-.patch
(from rev 291736,
libimobiledevice/trunk/0001-Fix-installation_proxy-when-using-GnuTLS-instead-of-.patch)
===================================================================
--- extra-i686/0001-Fix-installation_proxy-when-using-GnuTLS-instead-of-.patch
(rev 0)
+++ extra-i686/0001-Fix-installation_proxy-when-using-GnuTLS-instead-of-.patch
2017-03-27 22:27:29 UTC (rev 291737)
@@ -0,0 +1,41 @@
+From 6070126868069f2ee01ea9414f4cfbe5de285267 Mon Sep 17 00:00:00 2001
+From: "Jay Freeman (saurik)" <[email protected]>
+Date: Wed, 21 Oct 2015 00:39:14 -0700
+Subject: [PATCH] Fix installation_proxy when using GnuTLS instead of OpenSSL
+
+---
+ src/idevice.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/idevice.c b/src/idevice.c
+index 7c33cdd..b776e84 100644
+--- a/src/idevice.c
++++ b/src/idevice.c
+@@ -393,10 +393,13 @@ LIBIMOBILEDEVICE_API idevice_error_t
idevice_connection_receive_timeout(idevice_
+ }
+
+ if (connection->ssl_data) {
+-#ifdef HAVE_OPENSSL
+ uint32_t received = 0;
+ while (received < len) {
++#ifdef HAVE_OPENSSL
+ int r = SSL_read(connection->ssl_data->session,
(void*)((char*)(data+received)), (int)len-received);
++#else
++ ssize_t r =
gnutls_record_recv(connection->ssl_data->session, (void*)(data+received),
(size_t)len-received);
++#endif
+ if (r > 0) {
+ received += r;
+ } else {
+@@ -404,9 +407,6 @@ LIBIMOBILEDEVICE_API idevice_error_t
idevice_connection_receive_timeout(idevice_
+ }
+ }
+ debug_info("SSL_read %d, received %d", len, received);
+-#else
+- ssize_t received =
gnutls_record_recv(connection->ssl_data->session, (void*)data, (size_t)len);
+-#endif
+ if (received > 0) {
+ *recv_bytes = received;
+ return IDEVICE_E_SUCCESS;
+--
+2.5.0
+
Copied:
libimobiledevice/repos/extra-i686/0001-Updated-gnutls-certificate-callback-to-new-API-backw.patch
(from rev 291736,
libimobiledevice/trunk/0001-Updated-gnutls-certificate-callback-to-new-API-backw.patch)
===================================================================
--- extra-i686/0001-Updated-gnutls-certificate-callback-to-new-API-backw.patch
(rev 0)
+++ extra-i686/0001-Updated-gnutls-certificate-callback-to-new-API-backw.patch
2017-03-27 22:27:29 UTC (rev 291737)
@@ -0,0 +1,54 @@
+From 2a5868411c57e25802d2f16fd6b77601f10d0b72 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <[email protected]>
+Date: Fri, 29 Apr 2016 22:58:34 +0200
+Subject: [PATCH] Updated gnutls certificate callback to new API (backwards
+ compatible)
+
+---
+ src/idevice.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/idevice.c b/src/idevice.c
+index 5912aeb..f2de6a3 100644
+--- a/src/idevice.c
++++ b/src/idevice.c
+@@ -642,7 +642,11 @@ static const char *ssl_error_to_string(int e)
+ /**
+ * Internally used gnutls callback function that gets called during handshake.
+ */
++#if GNUTLS_VERSION_NUMBER >= 0x020b07
++static int internal_cert_callback(gnutls_session_t session, const
gnutls_datum_t * req_ca_rdn, int nreqs, const gnutls_pk_algorithm_t *
sign_algos, int sign_algos_length, gnutls_retr2_st * st)
++#else
+ static int internal_cert_callback(gnutls_session_t session, const
gnutls_datum_t * req_ca_rdn, int nreqs, const gnutls_pk_algorithm_t *
sign_algos, int sign_algos_length, gnutls_retr_st * st)
++#endif
+ {
+ int res = -1;
+ gnutls_certificate_type_t type = gnutls_certificate_type_get(session);
+@@ -650,7 +654,12 @@ static int internal_cert_callback(gnutls_session_t
session, const gnutls_datum_t
+ ssl_data_t ssl_data =
(ssl_data_t)gnutls_session_get_ptr(session);
+ if (ssl_data && ssl_data->host_privkey && ssl_data->host_cert) {
+ debug_info("Passing certificate");
++#if GNUTLS_VERSION_NUMBER >= 0x020b07
++ st->cert_type = type;
++ st->key_type = GNUTLS_PRIVKEY_X509;
++#else
+ st->type = type;
++#endif
+ st->ncerts = 1;
+ st->cert.x509 = &ssl_data->host_cert;
+ st->key.x509 = ssl_data->host_privkey;
+@@ -759,7 +768,11 @@ LIBIMOBILEDEVICE_API idevice_error_t
idevice_connection_enable_ssl(idevice_conne
+ debug_info("enabling SSL mode");
+ errno = 0;
+ gnutls_certificate_allocate_credentials(&ssl_data_loc->certificate);
++#if GNUTLS_VERSION_NUMBER >= 0x020b07
++ gnutls_certificate_set_retrieve_function(ssl_data_loc->certificate,
internal_cert_callback);
++#else
+
gnutls_certificate_client_set_retrieve_function(ssl_data_loc->certificate,
internal_cert_callback);
++#endif
+ gnutls_init(&ssl_data_loc->session, GNUTLS_CLIENT);
+ gnutls_priority_set_direct(ssl_data_loc->session,
"NONE:+VERS-SSL3.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL",
NULL);
+ gnutls_credentials_set(ssl_data_loc->session, GNUTLS_CRD_CERTIFICATE,
ssl_data_loc->certificate);
+--
+2.9.3
+
Copied:
libimobiledevice/repos/extra-i686/0001-idevice-Update-GnuTLS-code-to-support-iOS-10.patch
(from rev 291736,
libimobiledevice/trunk/0001-idevice-Update-GnuTLS-code-to-support-iOS-10.patch)
===================================================================
--- extra-i686/0001-idevice-Update-GnuTLS-code-to-support-iOS-10.patch
(rev 0)
+++ extra-i686/0001-idevice-Update-GnuTLS-code-to-support-iOS-10.patch
2017-03-27 22:27:29 UTC (rev 291737)
@@ -0,0 +1,29 @@
+From 72643b2b83990b9cf97cc84b285b30763d44a72d Mon Sep 17 00:00:00 2001
+From: "Jay Freeman (saurik)" <[email protected]>
+Date: Tue, 2 Aug 2016 03:08:04 -0700
+Subject: [PATCH] idevice: Update GnuTLS code to support iOS 10
+
+As of iOS 10 beta 4, the GnuTLS implementation idevice_connection_enable_ssl
+needs to be updated to support TLS. Using +VERS-TLS-ALL did not work on some
+of the devices I tested and I wasn't sure how to fix it, but +VERS-TLS1.0 is
+working on every device I've tested: iOS 9.0.2, 10.0b4, 8.1.1, 6.0, and 3.0.
+---
+ src/idevice.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/idevice.c b/src/idevice.c
+index 1dcdae2..b6dfe4e 100644
+--- a/src/idevice.c
++++ b/src/idevice.c
+@@ -774,7 +774,7 @@ LIBIMOBILEDEVICE_API idevice_error_t
idevice_connection_enable_ssl(idevice_conne
+
gnutls_certificate_client_set_retrieve_function(ssl_data_loc->certificate,
internal_cert_callback);
+ #endif
+ gnutls_init(&ssl_data_loc->session, GNUTLS_CLIENT);
+- gnutls_priority_set_direct(ssl_data_loc->session,
"NONE:+VERS-SSL3.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL",
NULL);
++ gnutls_priority_set_direct(ssl_data_loc->session,
"NONE:+VERS-TLS1.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL",
NULL);
+ gnutls_credentials_set(ssl_data_loc->session, GNUTLS_CRD_CERTIFICATE,
ssl_data_loc->certificate);
+ gnutls_session_set_ptr(ssl_data_loc->session, ssl_data_loc);
+
+--
+2.9.3
+
Copied:
libimobiledevice/repos/extra-i686/0001-userpref-GnuTLS-Fix-pairing-record-generation-and-im.patch
(from rev 291736,
libimobiledevice/trunk/0001-userpref-GnuTLS-Fix-pairing-record-generation-and-im.patch)
===================================================================
--- extra-i686/0001-userpref-GnuTLS-Fix-pairing-record-generation-and-im.patch
(rev 0)
+++ extra-i686/0001-userpref-GnuTLS-Fix-pairing-record-generation-and-im.patch
2017-03-27 22:27:29 UTC (rev 291737)
@@ -0,0 +1,171 @@
+From 23069d10341ce637fdad7321d447c53752dba48c Mon Sep 17 00:00:00 2001
+From: Nikias Bassen <[email protected]>
+Date: Fri, 4 Nov 2016 02:11:39 +0100
+Subject: [PATCH] userpref: [GnuTLS] Fix pairing record generation and improve
+ error handling
+
+In newer GnuTLS versions the parameters supplied to
+gnutls_x509_privkey_import_rsa_raw() are actually checked for somewhat
+sane values. Since we were passing the same values for all parameters,
+this check fails and the device certificate is never generated.
+However due to missing checks the pairing record was saved anyway, with
+an empty device certificate. This led to TLS errors during communication,
+leading to the "GnuTLS: Error in pull function" error message appearing
+and the communication to fail.
+This commit fixes the issue by passing some sane values, and also improves
+the overall error handling during generation of the paring record.
+---
+ common/userpref.c | 85 +++++++++++++++++++++++++++++--------------------------
+ 1 file changed, 45 insertions(+), 40 deletions(-)
+
+diff --git a/common/userpref.c b/common/userpref.c
+index d22c7f5..3ae503a 100644
+--- a/common/userpref.c
++++ b/common/userpref.c
+@@ -643,15 +643,13 @@ userpref_error_t
pair_record_generate_keys_and_certs(plist_t pair_record, key_da
+ gnutls_x509_crt_export(host_cert, GNUTLS_X509_FMT_PEM,
host_cert_pem.data, &host_cert_export_size);
+ host_cert_pem.size = host_cert_export_size;
+
+- ret = USERPREF_E_UNKNOWN_ERROR;
+-
+ gnutls_datum_t modulus = { NULL, 0 };
+ gnutls_datum_t exponent = { NULL, 0 };
+
+ /* now decode the PEM encoded key */
+- gnutls_datum_t der_pub_key;
+- if (GNUTLS_E_SUCCESS == gnutls_pem_base64_decode_alloc("RSA PUBLIC
KEY", &public_key, &der_pub_key)) {
+-
++ gnutls_datum_t der_pub_key = { NULL, 0 };
++ int gnutls_error = gnutls_pem_base64_decode_alloc("RSA PUBLIC KEY",
&public_key, &der_pub_key);
++ if (GNUTLS_E_SUCCESS == gnutls_error) {
+ /* initalize asn.1 parser */
+ ASN1_TYPE pkcs1 = ASN1_TYPE_EMPTY;
+ if (ASN1_SUCCESS == asn1_array2tree(pkcs1_asn1_tab, &pkcs1,
NULL)) {
+@@ -670,8 +668,14 @@ userpref_error_t
pair_record_generate_keys_and_certs(plist_t pair_record, key_da
+
+ ret1 = asn1_read_value(asn1_pub_key, "modulus",
modulus.data, (int*)&modulus.size);
+ ret2 = asn1_read_value(asn1_pub_key,
"publicExponent", exponent.data, (int*)&exponent.size);
+- if (ASN1_SUCCESS == ret1 && ASN1_SUCCESS ==
ret2)
+- ret = USERPREF_E_SUCCESS;
++ if (ret1 != ASN1_SUCCESS || ret2 !=
ASN1_SUCCESS) {
++ gnutls_free(modulus.data);
++ modulus.data = NULL;
++ modulus.size = 0;
++ gnutls_free(exponent.data);
++ exponent.data = NULL;
++ exponent.size = 0;
++ }
+ }
+ if (asn1_pub_key)
+ asn1_delete_structure(&asn1_pub_key);
+@@ -679,12 +683,15 @@ userpref_error_t
pair_record_generate_keys_and_certs(plist_t pair_record, key_da
+ if (pkcs1)
+ asn1_delete_structure(&pkcs1);
+ } else {
+- debug_info("WARNING: Could not read public key");
++ debug_info("ERROR: Could not parse public key: %s",
gnutls_strerror(gnutls_error));
+ }
+
+- /* now generate certificates */
+- if (USERPREF_E_SUCCESS == ret && 0 != modulus.size && 0 !=
exponent.size) {
+- gnutls_datum_t essentially_null = { (unsigned
char*)strdup("abababababababab"), strlen("abababababababab") };
++ /* generate device certificate */
++ if (modulus.data && 0 != modulus.size && exponent.data && 0 !=
exponent.size) {
++
++ gnutls_datum_t prime_p = { (unsigned
char*)"\x00\xca\x4a\x03\x13\xdf\x9d\x7a\xfd", 9 };
++ gnutls_datum_t prime_q = { (unsigned
char*)"\x00\xf2\xff\xe0\x15\xd1\x60\x37\x63", 9 };
++ gnutls_datum_t coeff = { (unsigned
char*)"\x32\x07\xf1\x68\x57\xdf\x9a\xf4", 8 };
+
+ gnutls_x509_privkey_t fake_privkey;
+ gnutls_x509_crt_t dev_cert;
+@@ -692,8 +699,9 @@ userpref_error_t
pair_record_generate_keys_and_certs(plist_t pair_record, key_da
+ gnutls_x509_privkey_init(&fake_privkey);
+ gnutls_x509_crt_init(&dev_cert);
+
+- if (GNUTLS_E_SUCCESS ==
gnutls_x509_privkey_import_rsa_raw(fake_privkey, &modulus, &exponent,
&essentially_null, &essentially_null, &essentially_null, &essentially_null)) {
+- /* generate device certificate */
++ gnutls_error = gnutls_x509_privkey_import_rsa_raw(fake_privkey,
&modulus, &exponent, &exponent, &prime_p, &prime_q, &coeff);
++ if (GNUTLS_E_SUCCESS == gnutls_error) {
++ /* now generate device certificate */
+ gnutls_x509_crt_set_key(dev_cert, fake_privkey);
+ gnutls_x509_crt_set_serial(dev_cert, "\x00", 1);
+ gnutls_x509_crt_set_version(dev_cert, 3);
+@@ -712,9 +720,8 @@ userpref_error_t
pair_record_generate_keys_and_certs(plist_t pair_record, key_da
+ }
+
+ gnutls_x509_crt_set_key_usage(dev_cert,
GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT);
+- gnutls_x509_crt_sign(dev_cert, root_cert, root_privkey);
+-
+- if (USERPREF_E_SUCCESS == ret) {
++ gnutls_error = gnutls_x509_crt_sign(dev_cert,
root_cert, root_privkey);
++ if (GNUTLS_E_SUCCESS == gnutls_error) {
+ /* if everything went well, export in PEM
format */
+ size_t export_size = 0;
+ gnutls_x509_crt_export(dev_cert,
GNUTLS_X509_FMT_PEM, NULL, &export_size);
+@@ -722,13 +729,11 @@ userpref_error_t
pair_record_generate_keys_and_certs(plist_t pair_record, key_da
+ gnutls_x509_crt_export(dev_cert,
GNUTLS_X509_FMT_PEM, dev_cert_pem.data, &export_size);
+ dev_cert_pem.size = export_size;
+ } else {
+- debug_info("ERROR: Signing device certificate
with root private key failed!");
++ debug_info("ERROR: Signing device certificate
with root private key failed: %s", gnutls_strerror(gnutls_error));
+ }
++ } else {
++ debug_info("ERROR: Failed to import RSA key data: %s",
gnutls_strerror(gnutls_error));
+ }
+-
+- if (essentially_null.data)
+- free(essentially_null.data);
+-
+ gnutls_x509_crt_deinit(dev_cert);
+ gnutls_x509_privkey_deinit(fake_privkey);
+ }
+@@ -743,27 +748,27 @@ userpref_error_t
pair_record_generate_keys_and_certs(plist_t pair_record, key_da
+
+ gnutls_free(der_pub_key.data);
+ #endif
+- if (NULL != root_cert_pem.data && 0 != root_cert_pem.size &&
+- NULL != host_cert_pem.data && 0 != host_cert_pem.size)
++
++ /* make sure that we have all we need */
++ if (root_cert_pem.data && 0 != root_cert_pem.size
++ && root_key_pem.data && 0 != root_key_pem.size
++ && host_cert_pem.data && 0 != host_cert_pem.size
++ && host_key_pem.data && 0 != host_key_pem.size
++ && dev_cert_pem.data && 0 != dev_cert_pem.size) {
++ /* now set keys and certificates */
++ pair_record_set_item_from_key_data(pair_record,
USERPREF_DEVICE_CERTIFICATE_KEY, &dev_cert_pem);
++ pair_record_set_item_from_key_data(pair_record,
USERPREF_HOST_PRIVATE_KEY_KEY, &host_key_pem);
++ pair_record_set_item_from_key_data(pair_record,
USERPREF_HOST_CERTIFICATE_KEY, &host_cert_pem);
++ pair_record_set_item_from_key_data(pair_record,
USERPREF_ROOT_PRIVATE_KEY_KEY, &root_key_pem);
++ pair_record_set_item_from_key_data(pair_record,
USERPREF_ROOT_CERTIFICATE_KEY, &root_cert_pem);
+ ret = USERPREF_E_SUCCESS;
++ }
+
+- /* now set keys and certificates */
+- pair_record_set_item_from_key_data(pair_record,
USERPREF_DEVICE_CERTIFICATE_KEY, &dev_cert_pem);
+- pair_record_set_item_from_key_data(pair_record,
USERPREF_HOST_PRIVATE_KEY_KEY, &host_key_pem);
+- pair_record_set_item_from_key_data(pair_record,
USERPREF_HOST_CERTIFICATE_KEY, &host_cert_pem);
+- pair_record_set_item_from_key_data(pair_record,
USERPREF_ROOT_PRIVATE_KEY_KEY, &root_key_pem);
+- pair_record_set_item_from_key_data(pair_record,
USERPREF_ROOT_CERTIFICATE_KEY, &root_cert_pem);
+-
+- if (dev_cert_pem.data)
+- free(dev_cert_pem.data);
+- if (root_key_pem.data)
+- free(root_key_pem.data);
+- if (root_cert_pem.data)
+- free(root_cert_pem.data);
+- if (host_key_pem.data)
+- free(host_key_pem.data);
+- if (host_cert_pem.data)
+- free(host_cert_pem.data);
++ free(dev_cert_pem.data);
++ free(root_key_pem.data);
++ free(root_cert_pem.data);
++ free(host_key_pem.data);
++ free(host_cert_pem.data);
+
+ return ret;
+ }
+--
+2.9.3
+
Deleted: extra-i686/CVE-2016-5104.patch
===================================================================
--- extra-i686/CVE-2016-5104.patch 2017-03-27 22:27:19 UTC (rev 291736)
+++ extra-i686/CVE-2016-5104.patch 2017-03-27 22:27:29 UTC (rev 291737)
@@ -1,31 +0,0 @@
-From df1f5c4d70d0c19ad40072f5246ca457e7f9849e Mon Sep 17 00:00:00 2001
-From: Joshua Hill <[email protected]>
-Date: Tue, 29 Dec 2015 22:27:17 +0100
-Subject: [PATCH] common: [security fix] Make sure sockets only listen locally
-
----
- common/socket.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/common/socket.c b/common/socket.c
-index b276864..e2968a6 100644
---- a/common/socket.c
-+++ b/common/socket.c
-@@ -172,7 +172,7 @@ int socket_create(uint16_t port)
-
- memset((void *) &saddr, 0, sizeof(saddr));
- saddr.sin_family = AF_INET;
-- saddr.sin_addr.s_addr = htonl(INADDR_ANY);
-+ saddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
- saddr.sin_port = htons(port);
-
- if (0 > bind(sfd, (struct sockaddr *) &saddr, sizeof(saddr))) {
-@@ -329,7 +329,7 @@ int socket_accept(int fd, uint16_t port)
-
- memset(&addr, 0, sizeof(addr));
- addr.sin_family = AF_INET;
-- addr.sin_addr.s_addr = htonl(INADDR_ANY);
-+ addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
- addr.sin_port = htons(port);
-
- addr_len = sizeof(addr);
Copied: libimobiledevice/repos/extra-i686/CVE-2016-5104.patch (from rev 291736,
libimobiledevice/trunk/CVE-2016-5104.patch)
===================================================================
--- extra-i686/CVE-2016-5104.patch (rev 0)
+++ extra-i686/CVE-2016-5104.patch 2017-03-27 22:27:29 UTC (rev 291737)
@@ -0,0 +1,31 @@
+From df1f5c4d70d0c19ad40072f5246ca457e7f9849e Mon Sep 17 00:00:00 2001
+From: Joshua Hill <[email protected]>
+Date: Tue, 29 Dec 2015 22:27:17 +0100
+Subject: [PATCH] common: [security fix] Make sure sockets only listen locally
+
+---
+ common/socket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/common/socket.c b/common/socket.c
+index b276864..e2968a6 100644
+--- a/common/socket.c
++++ b/common/socket.c
+@@ -172,7 +172,7 @@ int socket_create(uint16_t port)
+
+ memset((void *) &saddr, 0, sizeof(saddr));
+ saddr.sin_family = AF_INET;
+- saddr.sin_addr.s_addr = htonl(INADDR_ANY);
++ saddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ saddr.sin_port = htons(port);
+
+ if (0 > bind(sfd, (struct sockaddr *) &saddr, sizeof(saddr))) {
+@@ -329,7 +329,7 @@ int socket_accept(int fd, uint16_t port)
+
+ memset(&addr, 0, sizeof(addr));
+ addr.sin_family = AF_INET;
+- addr.sin_addr.s_addr = htonl(INADDR_ANY);
++ addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ addr.sin_port = htons(port);
+
+ addr_len = sizeof(addr);
Deleted: extra-i686/PKGBUILD
===================================================================
--- extra-i686/PKGBUILD 2017-03-27 22:27:19 UTC (rev 291736)
+++ extra-i686/PKGBUILD 2017-03-27 22:27:29 UTC (rev 291737)
@@ -1,52 +0,0 @@
-# $Id$
-# Maintainer : Tom Gundersen <[email protected]>
-# Maintainer : Ionut Biru <[email protected]>
-# Contributor: Gabriel Martinez < reitaka at gmail dot com >
-
-pkgname=libimobiledevice
-pkgver=1.2.0
-pkgrel=4
-pkgdesc="Library that talks the protocols to support iPhone and iPod Touch
devices on Linux"
-url="http://libimobiledevice.org/";
-arch=('i686' 'x86_64')
-license=('GPL2' 'LGPL2.1')
-depends=('libusbmuxd' 'usbmuxd')
-makedepends=('python2' 'cython2' 'python' 'cython' 'libplist'
'autoconf-archive')
-source=(http://libimobiledevice.org/downloads/$pkgname-$pkgver.tar.bz2
- disable-sslv3.patch
- CVE-2016-5104.patch)
-md5sums=('8757900ba7bbe2ef5f54342415d0223e'
- 'bac123da4cc67b2f5cc798727e6231a9'
- 'e3535be4b4082486804b033d3f165193')
-
-prepare() {
- cd "$pkgname-$pkgver"
- patch -Np1 -i ../disable-sslv3.patch
- patch -Np1 -i ../CVE-2016-5104.patch
- sed -e 's/AC_PYTHON_DEVEL/AX_PYTHON_DEVEL/' -i m4/cython_python.m4
- autoreconf -fi
-}
-
-build() {
- mkdir build-py2
- pushd build-py2
- PYTHON=/usr/bin/python2 CYTHON=/usr/bin/cython2
../$pkgname-$pkgver/configure --prefix=/usr
- sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
- make
- popd
-
- mkdir build-py3
- pushd build-py3
- PYTHON=/usr/bin/python CYTHON=/usr/bin/cython ../$pkgname-$pkgver/configure
--prefix=/usr
- sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
- make
-}
-
-package() {
- pushd build-py2
- make DESTDIR="$pkgdir" install
- popd
- pushd build-py3/cython
- make DESTDIR="$pkgdir" install
- popd
-}
Copied: libimobiledevice/repos/extra-i686/PKGBUILD (from rev 291736,
libimobiledevice/trunk/PKGBUILD)
===================================================================
--- extra-i686/PKGBUILD (rev 0)
+++ extra-i686/PKGBUILD 2017-03-27 22:27:29 UTC (rev 291737)
@@ -0,0 +1,64 @@
+# $Id$
+# Maintainer : Tom Gundersen <[email protected]>
+# Maintainer : Ionut Biru <[email protected]>
+# Contributor: Gabriel Martinez < reitaka at gmail dot com >
+
+pkgname=libimobiledevice
+pkgver=1.2.0
+pkgrel=6
+pkgdesc="Library that talks the protocols to support iPhone and iPod Touch
devices on Linux"
+url="http://libimobiledevice.org/";
+arch=('i686' 'x86_64')
+license=('GPL2' 'LGPL2.1')
+depends=('libusbmuxd' 'usbmuxd' 'gnutls')
+makedepends=('python2' 'cython2' 'python' 'cython' 'libplist'
'autoconf-archive')
+source=(http://libimobiledevice.org/downloads/$pkgname-$pkgver.tar.bz2
+ 0001-Fix-installation_proxy-when-using-GnuTLS-instead-of-.patch
+ CVE-2016-5104.patch
+ 0001-Add-new-function-to-get-the-underlying-file-descript.patch
+ 0001-Updated-gnutls-certificate-callback-to-new-API-backw.patch
+ 0001-idevice-Update-GnuTLS-code-to-support-iOS-10.patch
+ 0001-userpref-GnuTLS-Fix-pairing-record-generation-and-im.patch)
+sha256sums=('786b0de0875053bf61b5531a86ae8119e320edab724fc62fe2150cc931f11037'
+ '9fb1523276f9ab4273f0065728c52792ec6c99c09d587c28175c748175106a09'
+ '30d8032244859adc85f11df00a5b3adb017160821ddf4b22a8528f9b104c0951'
+ 'a4a1844dfedc933cb998afbbe4b2066d8bcedf8d305990715160b957f754922c'
+ '9e03d66e15ad036e7e3b8639b07788a0c1959016444766ad63f708e722bd516c'
+ '173291a36ea08226c221643580c007f44e430867f345d8106395cce0f52a38c5'
+ '7d3c5a89ce6611c219d80255a1cce4a02de4ca00fb58c32e87733d9a0e20c4ce')
+
+prepare() {
+ cd "$pkgname-$pkgver"
+ patch -Np1 -i
../0001-Fix-installation_proxy-when-using-GnuTLS-instead-of-.patch
+ patch -Np1 -i ../CVE-2016-5104.patch
+ patch -Np1 -i
../0001-Add-new-function-to-get-the-underlying-file-descript.patch
+ patch -Np1 -i
../0001-Updated-gnutls-certificate-callback-to-new-API-backw.patch
+ patch -Np1 -i ../0001-idevice-Update-GnuTLS-code-to-support-iOS-10.patch
+ patch -Np1 -i
../0001-userpref-GnuTLS-Fix-pairing-record-generation-and-im.patch
+ sed -e 's/AC_PYTHON_DEVEL/AX_PYTHON_DEVEL/' -i m4/cython_python.m4
+ autoreconf -fi
+}
+
+build() {
+ mkdir build-py2
+ pushd build-py2
+ PYTHON=/usr/bin/python2 CYTHON=/usr/bin/cython2
../$pkgname-$pkgver/configure --prefix=/usr --disable-openssl
+ sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
+ make
+ popd
+
+ mkdir build-py3
+ pushd build-py3
+ PYTHON=/usr/bin/python CYTHON=/usr/bin/cython ../$pkgname-$pkgver/configure
--prefix=/usr --disable-openssl
+ sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
+ make
+}
+
+package() {
+ pushd build-py2
+ make DESTDIR="$pkgdir" install
+ popd
+ pushd build-py3/cython
+ make DESTDIR="$pkgdir" install
+ popd
+}
Deleted: extra-i686/disable-sslv3.patch
===================================================================
--- extra-i686/disable-sslv3.patch 2017-03-27 22:27:19 UTC (rev 291736)
+++ extra-i686/disable-sslv3.patch 2017-03-27 22:27:29 UTC (rev 291737)
@@ -1,12 +0,0 @@
-diff -u -r libimobiledevice-1.2.0/src/idevice.c
libimobiledevice-1.2.0-nossl3/src/idevice.c
---- libimobiledevice-1.2.0/src/idevice.c 2015-01-28 02:10:32.000000000
+0100
-+++ libimobiledevice-1.2.0-nossl3/src/idevice.c 2016-03-03
18:33:45.912308242 +0100
-@@ -678,7 +678,7 @@
- }
- BIO_set_fd(ssl_bio, (int)(long)connection->data, BIO_NOCLOSE);
-
-- SSL_CTX *ssl_ctx = SSL_CTX_new(SSLv3_method());
-+ SSL_CTX *ssl_ctx = SSL_CTX_new(SSLv23_method());
- if (ssl_ctx == NULL) {
- debug_info("ERROR: Could not create SSL context.");
- BIO_free(ssl_bio);
Copied:
libimobiledevice/repos/extra-x86_64/0001-Add-new-function-to-get-the-underlying-file-descript.patch
(from rev 291736,
libimobiledevice/trunk/0001-Add-new-function-to-get-the-underlying-file-descript.patch)
===================================================================
---
extra-x86_64/0001-Add-new-function-to-get-the-underlying-file-descript.patch
(rev 0)
+++
extra-x86_64/0001-Add-new-function-to-get-the-underlying-file-descript.patch
2017-03-27 22:27:29 UTC (rev 291737)
@@ -0,0 +1,62 @@
+From 692f7c9de72ca7fcaba51659972270d445751438 Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <[email protected]>
+Date: Wed, 23 Sep 2015 02:19:27 +0200
+Subject: [PATCH] Add new function to get the underlying file descriptor of an
+ idevice connection
+
+---
+ include/libimobiledevice/libimobiledevice.h | 10 ++++++++++
+ src/idevice.c | 16 ++++++++++++++++
+ 2 files changed, 26 insertions(+)
+
+diff --git a/include/libimobiledevice/libimobiledevice.h
b/include/libimobiledevice/libimobiledevice.h
+index 016cadb..b125adf 100644
+--- a/include/libimobiledevice/libimobiledevice.h
++++ b/include/libimobiledevice/libimobiledevice.h
+@@ -239,6 +239,16 @@ idevice_error_t
idevice_connection_enable_ssl(idevice_connection_t connection);
+ */
+ idevice_error_t idevice_connection_disable_ssl(idevice_connection_t
connection);
+
++/**
++ * Get the underlying file descriptor for a connection
++ *
++ * @param connection The connection to get fd of
++ * @param fd Pointer to an int where the fd is stored
++ *
++ * @return IDEVICE_E_SUCCESS if ok, otherwise an error code.
++ */
++idevice_error_t idevice_connection_get_fd(idevice_connection_t connection,
int *fd);
++
+ /* misc */
+
+ /**
+diff --git a/src/idevice.c b/src/idevice.c
+index b776e84..5912aeb 100644
+--- a/src/idevice.c
++++ b/src/idevice.c
+@@ -463,6 +463,22 @@ LIBIMOBILEDEVICE_API idevice_error_t
idevice_connection_receive(idevice_connecti
+ return internal_connection_receive(connection, data, len, recv_bytes);
+ }
+
++LIBIMOBILEDEVICE_API idevice_error_t
idevice_connection_get_fd(idevice_connection_t connection, int *fd)
++{
++ if (!connection || !fd) {
++ return IDEVICE_E_INVALID_ARG;
++ }
++
++ idevice_error_t result = IDEVICE_E_UNKNOWN_ERROR;
++ if (connection->type == CONNECTION_USBMUXD) {
++ *fd = (int)(long)connection->data;
++ result = IDEVICE_E_SUCCESS;
++ } else {
++ debug_info("Unknown connection type %d", connection->type);
++ }
++ return result;
++}
++
+ LIBIMOBILEDEVICE_API idevice_error_t idevice_get_handle(idevice_t device,
uint32_t *handle)
+ {
+ if (!device)
+--
+2.9.3
+
Copied:
libimobiledevice/repos/extra-x86_64/0001-Fix-installation_proxy-when-using-GnuTLS-instead-of-.patch
(from rev 291736,
libimobiledevice/trunk/0001-Fix-installation_proxy-when-using-GnuTLS-instead-of-.patch)
===================================================================
---
extra-x86_64/0001-Fix-installation_proxy-when-using-GnuTLS-instead-of-.patch
(rev 0)
+++
extra-x86_64/0001-Fix-installation_proxy-when-using-GnuTLS-instead-of-.patch
2017-03-27 22:27:29 UTC (rev 291737)
@@ -0,0 +1,41 @@
+From 6070126868069f2ee01ea9414f4cfbe5de285267 Mon Sep 17 00:00:00 2001
+From: "Jay Freeman (saurik)" <[email protected]>
+Date: Wed, 21 Oct 2015 00:39:14 -0700
+Subject: [PATCH] Fix installation_proxy when using GnuTLS instead of OpenSSL
+
+---
+ src/idevice.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/idevice.c b/src/idevice.c
+index 7c33cdd..b776e84 100644
+--- a/src/idevice.c
++++ b/src/idevice.c
+@@ -393,10 +393,13 @@ LIBIMOBILEDEVICE_API idevice_error_t
idevice_connection_receive_timeout(idevice_
+ }
+
+ if (connection->ssl_data) {
+-#ifdef HAVE_OPENSSL
+ uint32_t received = 0;
+ while (received < len) {
++#ifdef HAVE_OPENSSL
+ int r = SSL_read(connection->ssl_data->session,
(void*)((char*)(data+received)), (int)len-received);
++#else
++ ssize_t r =
gnutls_record_recv(connection->ssl_data->session, (void*)(data+received),
(size_t)len-received);
++#endif
+ if (r > 0) {
+ received += r;
+ } else {
+@@ -404,9 +407,6 @@ LIBIMOBILEDEVICE_API idevice_error_t
idevice_connection_receive_timeout(idevice_
+ }
+ }
+ debug_info("SSL_read %d, received %d", len, received);
+-#else
+- ssize_t received =
gnutls_record_recv(connection->ssl_data->session, (void*)data, (size_t)len);
+-#endif
+ if (received > 0) {
+ *recv_bytes = received;
+ return IDEVICE_E_SUCCESS;
+--
+2.5.0
+
Copied:
libimobiledevice/repos/extra-x86_64/0001-Updated-gnutls-certificate-callback-to-new-API-backw.patch
(from rev 291736,
libimobiledevice/trunk/0001-Updated-gnutls-certificate-callback-to-new-API-backw.patch)
===================================================================
---
extra-x86_64/0001-Updated-gnutls-certificate-callback-to-new-API-backw.patch
(rev 0)
+++
extra-x86_64/0001-Updated-gnutls-certificate-callback-to-new-API-backw.patch
2017-03-27 22:27:29 UTC (rev 291737)
@@ -0,0 +1,54 @@
+From 2a5868411c57e25802d2f16fd6b77601f10d0b72 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <[email protected]>
+Date: Fri, 29 Apr 2016 22:58:34 +0200
+Subject: [PATCH] Updated gnutls certificate callback to new API (backwards
+ compatible)
+
+---
+ src/idevice.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/idevice.c b/src/idevice.c
+index 5912aeb..f2de6a3 100644
+--- a/src/idevice.c
++++ b/src/idevice.c
+@@ -642,7 +642,11 @@ static const char *ssl_error_to_string(int e)
+ /**
+ * Internally used gnutls callback function that gets called during handshake.
+ */
++#if GNUTLS_VERSION_NUMBER >= 0x020b07
++static int internal_cert_callback(gnutls_session_t session, const
gnutls_datum_t * req_ca_rdn, int nreqs, const gnutls_pk_algorithm_t *
sign_algos, int sign_algos_length, gnutls_retr2_st * st)
++#else
+ static int internal_cert_callback(gnutls_session_t session, const
gnutls_datum_t * req_ca_rdn, int nreqs, const gnutls_pk_algorithm_t *
sign_algos, int sign_algos_length, gnutls_retr_st * st)
++#endif
+ {
+ int res = -1;
+ gnutls_certificate_type_t type = gnutls_certificate_type_get(session);
+@@ -650,7 +654,12 @@ static int internal_cert_callback(gnutls_session_t
session, const gnutls_datum_t
+ ssl_data_t ssl_data =
(ssl_data_t)gnutls_session_get_ptr(session);
+ if (ssl_data && ssl_data->host_privkey && ssl_data->host_cert) {
+ debug_info("Passing certificate");
++#if GNUTLS_VERSION_NUMBER >= 0x020b07
++ st->cert_type = type;
++ st->key_type = GNUTLS_PRIVKEY_X509;
++#else
+ st->type = type;
++#endif
+ st->ncerts = 1;
+ st->cert.x509 = &ssl_data->host_cert;
+ st->key.x509 = ssl_data->host_privkey;
+@@ -759,7 +768,11 @@ LIBIMOBILEDEVICE_API idevice_error_t
idevice_connection_enable_ssl(idevice_conne
+ debug_info("enabling SSL mode");
+ errno = 0;
+ gnutls_certificate_allocate_credentials(&ssl_data_loc->certificate);
++#if GNUTLS_VERSION_NUMBER >= 0x020b07
++ gnutls_certificate_set_retrieve_function(ssl_data_loc->certificate,
internal_cert_callback);
++#else
+
gnutls_certificate_client_set_retrieve_function(ssl_data_loc->certificate,
internal_cert_callback);
++#endif
+ gnutls_init(&ssl_data_loc->session, GNUTLS_CLIENT);
+ gnutls_priority_set_direct(ssl_data_loc->session,
"NONE:+VERS-SSL3.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL",
NULL);
+ gnutls_credentials_set(ssl_data_loc->session, GNUTLS_CRD_CERTIFICATE,
ssl_data_loc->certificate);
+--
+2.9.3
+
Copied:
libimobiledevice/repos/extra-x86_64/0001-idevice-Update-GnuTLS-code-to-support-iOS-10.patch
(from rev 291736,
libimobiledevice/trunk/0001-idevice-Update-GnuTLS-code-to-support-iOS-10.patch)
===================================================================
--- extra-x86_64/0001-idevice-Update-GnuTLS-code-to-support-iOS-10.patch
(rev 0)
+++ extra-x86_64/0001-idevice-Update-GnuTLS-code-to-support-iOS-10.patch
2017-03-27 22:27:29 UTC (rev 291737)
@@ -0,0 +1,29 @@
+From 72643b2b83990b9cf97cc84b285b30763d44a72d Mon Sep 17 00:00:00 2001
+From: "Jay Freeman (saurik)" <[email protected]>
+Date: Tue, 2 Aug 2016 03:08:04 -0700
+Subject: [PATCH] idevice: Update GnuTLS code to support iOS 10
+
+As of iOS 10 beta 4, the GnuTLS implementation idevice_connection_enable_ssl
+needs to be updated to support TLS. Using +VERS-TLS-ALL did not work on some
+of the devices I tested and I wasn't sure how to fix it, but +VERS-TLS1.0 is
+working on every device I've tested: iOS 9.0.2, 10.0b4, 8.1.1, 6.0, and 3.0.
+---
+ src/idevice.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/idevice.c b/src/idevice.c
+index 1dcdae2..b6dfe4e 100644
+--- a/src/idevice.c
++++ b/src/idevice.c
+@@ -774,7 +774,7 @@ LIBIMOBILEDEVICE_API idevice_error_t
idevice_connection_enable_ssl(idevice_conne
+
gnutls_certificate_client_set_retrieve_function(ssl_data_loc->certificate,
internal_cert_callback);
+ #endif
+ gnutls_init(&ssl_data_loc->session, GNUTLS_CLIENT);
+- gnutls_priority_set_direct(ssl_data_loc->session,
"NONE:+VERS-SSL3.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL",
NULL);
++ gnutls_priority_set_direct(ssl_data_loc->session,
"NONE:+VERS-TLS1.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL",
NULL);
+ gnutls_credentials_set(ssl_data_loc->session, GNUTLS_CRD_CERTIFICATE,
ssl_data_loc->certificate);
+ gnutls_session_set_ptr(ssl_data_loc->session, ssl_data_loc);
+
+--
+2.9.3
+
Copied:
libimobiledevice/repos/extra-x86_64/0001-userpref-GnuTLS-Fix-pairing-record-generation-and-im.patch
(from rev 291736,
libimobiledevice/trunk/0001-userpref-GnuTLS-Fix-pairing-record-generation-and-im.patch)
===================================================================
---
extra-x86_64/0001-userpref-GnuTLS-Fix-pairing-record-generation-and-im.patch
(rev 0)
+++
extra-x86_64/0001-userpref-GnuTLS-Fix-pairing-record-generation-and-im.patch
2017-03-27 22:27:29 UTC (rev 291737)
@@ -0,0 +1,171 @@
+From 23069d10341ce637fdad7321d447c53752dba48c Mon Sep 17 00:00:00 2001
+From: Nikias Bassen <[email protected]>
+Date: Fri, 4 Nov 2016 02:11:39 +0100
+Subject: [PATCH] userpref: [GnuTLS] Fix pairing record generation and improve
+ error handling
+
+In newer GnuTLS versions the parameters supplied to
+gnutls_x509_privkey_import_rsa_raw() are actually checked for somewhat
+sane values. Since we were passing the same values for all parameters,
+this check fails and the device certificate is never generated.
+However due to missing checks the pairing record was saved anyway, with
+an empty device certificate. This led to TLS errors during communication,
+leading to the "GnuTLS: Error in pull function" error message appearing
+and the communication to fail.
+This commit fixes the issue by passing some sane values, and also improves
+the overall error handling during generation of the paring record.
+---
+ common/userpref.c | 85 +++++++++++++++++++++++++++++--------------------------
+ 1 file changed, 45 insertions(+), 40 deletions(-)
+
+diff --git a/common/userpref.c b/common/userpref.c
+index d22c7f5..3ae503a 100644
+--- a/common/userpref.c
++++ b/common/userpref.c
+@@ -643,15 +643,13 @@ userpref_error_t
pair_record_generate_keys_and_certs(plist_t pair_record, key_da
+ gnutls_x509_crt_export(host_cert, GNUTLS_X509_FMT_PEM,
host_cert_pem.data, &host_cert_export_size);
+ host_cert_pem.size = host_cert_export_size;
+
+- ret = USERPREF_E_UNKNOWN_ERROR;
+-
+ gnutls_datum_t modulus = { NULL, 0 };
+ gnutls_datum_t exponent = { NULL, 0 };
+
+ /* now decode the PEM encoded key */
+- gnutls_datum_t der_pub_key;
+- if (GNUTLS_E_SUCCESS == gnutls_pem_base64_decode_alloc("RSA PUBLIC
KEY", &public_key, &der_pub_key)) {
+-
++ gnutls_datum_t der_pub_key = { NULL, 0 };
++ int gnutls_error = gnutls_pem_base64_decode_alloc("RSA PUBLIC KEY",
&public_key, &der_pub_key);
++ if (GNUTLS_E_SUCCESS == gnutls_error) {
+ /* initalize asn.1 parser */
+ ASN1_TYPE pkcs1 = ASN1_TYPE_EMPTY;
+ if (ASN1_SUCCESS == asn1_array2tree(pkcs1_asn1_tab, &pkcs1,
NULL)) {
+@@ -670,8 +668,14 @@ userpref_error_t
pair_record_generate_keys_and_certs(plist_t pair_record, key_da
+
+ ret1 = asn1_read_value(asn1_pub_key, "modulus",
modulus.data, (int*)&modulus.size);
+ ret2 = asn1_read_value(asn1_pub_key,
"publicExponent", exponent.data, (int*)&exponent.size);
+- if (ASN1_SUCCESS == ret1 && ASN1_SUCCESS ==
ret2)
+- ret = USERPREF_E_SUCCESS;
++ if (ret1 != ASN1_SUCCESS || ret2 !=
ASN1_SUCCESS) {
++ gnutls_free(modulus.data);
++ modulus.data = NULL;
++ modulus.size = 0;
++ gnutls_free(exponent.data);
++ exponent.data = NULL;
++ exponent.size = 0;
++ }
+ }
+ if (asn1_pub_key)
+ asn1_delete_structure(&asn1_pub_key);
+@@ -679,12 +683,15 @@ userpref_error_t
pair_record_generate_keys_and_certs(plist_t pair_record, key_da
+ if (pkcs1)
+ asn1_delete_structure(&pkcs1);
+ } else {
+- debug_info("WARNING: Could not read public key");
++ debug_info("ERROR: Could not parse public key: %s",
gnutls_strerror(gnutls_error));
+ }
+
+- /* now generate certificates */
+- if (USERPREF_E_SUCCESS == ret && 0 != modulus.size && 0 !=
exponent.size) {
+- gnutls_datum_t essentially_null = { (unsigned
char*)strdup("abababababababab"), strlen("abababababababab") };
++ /* generate device certificate */
++ if (modulus.data && 0 != modulus.size && exponent.data && 0 !=
exponent.size) {
++
++ gnutls_datum_t prime_p = { (unsigned
char*)"\x00\xca\x4a\x03\x13\xdf\x9d\x7a\xfd", 9 };
++ gnutls_datum_t prime_q = { (unsigned
char*)"\x00\xf2\xff\xe0\x15\xd1\x60\x37\x63", 9 };
++ gnutls_datum_t coeff = { (unsigned
char*)"\x32\x07\xf1\x68\x57\xdf\x9a\xf4", 8 };
+
+ gnutls_x509_privkey_t fake_privkey;
+ gnutls_x509_crt_t dev_cert;
+@@ -692,8 +699,9 @@ userpref_error_t
pair_record_generate_keys_and_certs(plist_t pair_record, key_da
+ gnutls_x509_privkey_init(&fake_privkey);
+ gnutls_x509_crt_init(&dev_cert);
+
+- if (GNUTLS_E_SUCCESS ==
gnutls_x509_privkey_import_rsa_raw(fake_privkey, &modulus, &exponent,
&essentially_null, &essentially_null, &essentially_null, &essentially_null)) {
+- /* generate device certificate */
++ gnutls_error = gnutls_x509_privkey_import_rsa_raw(fake_privkey,
&modulus, &exponent, &exponent, &prime_p, &prime_q, &coeff);
++ if (GNUTLS_E_SUCCESS == gnutls_error) {
++ /* now generate device certificate */
+ gnutls_x509_crt_set_key(dev_cert, fake_privkey);
+ gnutls_x509_crt_set_serial(dev_cert, "\x00", 1);
+ gnutls_x509_crt_set_version(dev_cert, 3);
+@@ -712,9 +720,8 @@ userpref_error_t
pair_record_generate_keys_and_certs(plist_t pair_record, key_da
+ }
+
+ gnutls_x509_crt_set_key_usage(dev_cert,
GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT);
+- gnutls_x509_crt_sign(dev_cert, root_cert, root_privkey);
+-
+- if (USERPREF_E_SUCCESS == ret) {
++ gnutls_error = gnutls_x509_crt_sign(dev_cert,
root_cert, root_privkey);
++ if (GNUTLS_E_SUCCESS == gnutls_error) {
+ /* if everything went well, export in PEM
format */
+ size_t export_size = 0;
+ gnutls_x509_crt_export(dev_cert,
GNUTLS_X509_FMT_PEM, NULL, &export_size);
+@@ -722,13 +729,11 @@ userpref_error_t
pair_record_generate_keys_and_certs(plist_t pair_record, key_da
+ gnutls_x509_crt_export(dev_cert,
GNUTLS_X509_FMT_PEM, dev_cert_pem.data, &export_size);
+ dev_cert_pem.size = export_size;
+ } else {
+- debug_info("ERROR: Signing device certificate
with root private key failed!");
++ debug_info("ERROR: Signing device certificate
with root private key failed: %s", gnutls_strerror(gnutls_error));
+ }
++ } else {
++ debug_info("ERROR: Failed to import RSA key data: %s",
gnutls_strerror(gnutls_error));
+ }
+-
+- if (essentially_null.data)
+- free(essentially_null.data);
+-
+ gnutls_x509_crt_deinit(dev_cert);
+ gnutls_x509_privkey_deinit(fake_privkey);
+ }
+@@ -743,27 +748,27 @@ userpref_error_t
pair_record_generate_keys_and_certs(plist_t pair_record, key_da
+
+ gnutls_free(der_pub_key.data);
+ #endif
+- if (NULL != root_cert_pem.data && 0 != root_cert_pem.size &&
+- NULL != host_cert_pem.data && 0 != host_cert_pem.size)
++
++ /* make sure that we have all we need */
++ if (root_cert_pem.data && 0 != root_cert_pem.size
++ && root_key_pem.data && 0 != root_key_pem.size
++ && host_cert_pem.data && 0 != host_cert_pem.size
++ && host_key_pem.data && 0 != host_key_pem.size
++ && dev_cert_pem.data && 0 != dev_cert_pem.size) {
++ /* now set keys and certificates */
++ pair_record_set_item_from_key_data(pair_record,
USERPREF_DEVICE_CERTIFICATE_KEY, &dev_cert_pem);
++ pair_record_set_item_from_key_data(pair_record,
USERPREF_HOST_PRIVATE_KEY_KEY, &host_key_pem);
++ pair_record_set_item_from_key_data(pair_record,
USERPREF_HOST_CERTIFICATE_KEY, &host_cert_pem);
++ pair_record_set_item_from_key_data(pair_record,
USERPREF_ROOT_PRIVATE_KEY_KEY, &root_key_pem);
++ pair_record_set_item_from_key_data(pair_record,
USERPREF_ROOT_CERTIFICATE_KEY, &root_cert_pem);
+ ret = USERPREF_E_SUCCESS;
++ }
+
+- /* now set keys and certificates */
+- pair_record_set_item_from_key_data(pair_record,
USERPREF_DEVICE_CERTIFICATE_KEY, &dev_cert_pem);
+- pair_record_set_item_from_key_data(pair_record,
USERPREF_HOST_PRIVATE_KEY_KEY, &host_key_pem);
+- pair_record_set_item_from_key_data(pair_record,
USERPREF_HOST_CERTIFICATE_KEY, &host_cert_pem);
+- pair_record_set_item_from_key_data(pair_record,
USERPREF_ROOT_PRIVATE_KEY_KEY, &root_key_pem);
+- pair_record_set_item_from_key_data(pair_record,
USERPREF_ROOT_CERTIFICATE_KEY, &root_cert_pem);
+-
+- if (dev_cert_pem.data)
+- free(dev_cert_pem.data);
+- if (root_key_pem.data)
+- free(root_key_pem.data);
+- if (root_cert_pem.data)
+- free(root_cert_pem.data);
+- if (host_key_pem.data)
+- free(host_key_pem.data);
+- if (host_cert_pem.data)
+- free(host_cert_pem.data);
++ free(dev_cert_pem.data);
++ free(root_key_pem.data);
++ free(root_cert_pem.data);
++ free(host_key_pem.data);
++ free(host_cert_pem.data);
+
+ return ret;
+ }
+--
+2.9.3
+
Deleted: extra-x86_64/CVE-2016-5104.patch
===================================================================
--- extra-x86_64/CVE-2016-5104.patch 2017-03-27 22:27:19 UTC (rev 291736)
+++ extra-x86_64/CVE-2016-5104.patch 2017-03-27 22:27:29 UTC (rev 291737)
@@ -1,31 +0,0 @@
-From df1f5c4d70d0c19ad40072f5246ca457e7f9849e Mon Sep 17 00:00:00 2001
-From: Joshua Hill <[email protected]>
-Date: Tue, 29 Dec 2015 22:27:17 +0100
-Subject: [PATCH] common: [security fix] Make sure sockets only listen locally
-
----
- common/socket.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/common/socket.c b/common/socket.c
-index b276864..e2968a6 100644
---- a/common/socket.c
-+++ b/common/socket.c
-@@ -172,7 +172,7 @@ int socket_create(uint16_t port)
-
- memset((void *) &saddr, 0, sizeof(saddr));
- saddr.sin_family = AF_INET;
-- saddr.sin_addr.s_addr = htonl(INADDR_ANY);
-+ saddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
- saddr.sin_port = htons(port);
-
- if (0 > bind(sfd, (struct sockaddr *) &saddr, sizeof(saddr))) {
-@@ -329,7 +329,7 @@ int socket_accept(int fd, uint16_t port)
-
- memset(&addr, 0, sizeof(addr));
- addr.sin_family = AF_INET;
-- addr.sin_addr.s_addr = htonl(INADDR_ANY);
-+ addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
- addr.sin_port = htons(port);
-
- addr_len = sizeof(addr);
Copied: libimobiledevice/repos/extra-x86_64/CVE-2016-5104.patch (from rev
291736, libimobiledevice/trunk/CVE-2016-5104.patch)
===================================================================
--- extra-x86_64/CVE-2016-5104.patch (rev 0)
+++ extra-x86_64/CVE-2016-5104.patch 2017-03-27 22:27:29 UTC (rev 291737)
@@ -0,0 +1,31 @@
+From df1f5c4d70d0c19ad40072f5246ca457e7f9849e Mon Sep 17 00:00:00 2001
+From: Joshua Hill <[email protected]>
+Date: Tue, 29 Dec 2015 22:27:17 +0100
+Subject: [PATCH] common: [security fix] Make sure sockets only listen locally
+
+---
+ common/socket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/common/socket.c b/common/socket.c
+index b276864..e2968a6 100644
+--- a/common/socket.c
++++ b/common/socket.c
+@@ -172,7 +172,7 @@ int socket_create(uint16_t port)
+
+ memset((void *) &saddr, 0, sizeof(saddr));
+ saddr.sin_family = AF_INET;
+- saddr.sin_addr.s_addr = htonl(INADDR_ANY);
++ saddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ saddr.sin_port = htons(port);
+
+ if (0 > bind(sfd, (struct sockaddr *) &saddr, sizeof(saddr))) {
+@@ -329,7 +329,7 @@ int socket_accept(int fd, uint16_t port)
+
+ memset(&addr, 0, sizeof(addr));
+ addr.sin_family = AF_INET;
+- addr.sin_addr.s_addr = htonl(INADDR_ANY);
++ addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ addr.sin_port = htons(port);
+
+ addr_len = sizeof(addr);
Deleted: extra-x86_64/PKGBUILD
===================================================================
--- extra-x86_64/PKGBUILD 2017-03-27 22:27:19 UTC (rev 291736)
+++ extra-x86_64/PKGBUILD 2017-03-27 22:27:29 UTC (rev 291737)
@@ -1,52 +0,0 @@
-# $Id$
-# Maintainer : Tom Gundersen <[email protected]>
-# Maintainer : Ionut Biru <[email protected]>
-# Contributor: Gabriel Martinez < reitaka at gmail dot com >
-
-pkgname=libimobiledevice
-pkgver=1.2.0
-pkgrel=4
-pkgdesc="Library that talks the protocols to support iPhone and iPod Touch
devices on Linux"
-url="http://libimobiledevice.org/";
-arch=('i686' 'x86_64')
-license=('GPL2' 'LGPL2.1')
-depends=('libusbmuxd' 'usbmuxd')
-makedepends=('python2' 'cython2' 'python' 'cython' 'libplist'
'autoconf-archive')
-source=(http://libimobiledevice.org/downloads/$pkgname-$pkgver.tar.bz2
- disable-sslv3.patch
- CVE-2016-5104.patch)
-md5sums=('8757900ba7bbe2ef5f54342415d0223e'
- 'bac123da4cc67b2f5cc798727e6231a9'
- 'e3535be4b4082486804b033d3f165193')
-
-prepare() {
- cd "$pkgname-$pkgver"
- patch -Np1 -i ../disable-sslv3.patch
- patch -Np1 -i ../CVE-2016-5104.patch
- sed -e 's/AC_PYTHON_DEVEL/AX_PYTHON_DEVEL/' -i m4/cython_python.m4
- autoreconf -fi
-}
-
-build() {
- mkdir build-py2
- pushd build-py2
- PYTHON=/usr/bin/python2 CYTHON=/usr/bin/cython2
../$pkgname-$pkgver/configure --prefix=/usr
- sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
- make
- popd
-
- mkdir build-py3
- pushd build-py3
- PYTHON=/usr/bin/python CYTHON=/usr/bin/cython ../$pkgname-$pkgver/configure
--prefix=/usr
- sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
- make
-}
-
-package() {
- pushd build-py2
- make DESTDIR="$pkgdir" install
- popd
- pushd build-py3/cython
- make DESTDIR="$pkgdir" install
- popd
-}
Copied: libimobiledevice/repos/extra-x86_64/PKGBUILD (from rev 291736,
libimobiledevice/trunk/PKGBUILD)
===================================================================
--- extra-x86_64/PKGBUILD (rev 0)
+++ extra-x86_64/PKGBUILD 2017-03-27 22:27:29 UTC (rev 291737)
@@ -0,0 +1,64 @@
+# $Id$
+# Maintainer : Tom Gundersen <[email protected]>
+# Maintainer : Ionut Biru <[email protected]>
+# Contributor: Gabriel Martinez < reitaka at gmail dot com >
+
+pkgname=libimobiledevice
+pkgver=1.2.0
+pkgrel=6
+pkgdesc="Library that talks the protocols to support iPhone and iPod Touch
devices on Linux"
+url="http://libimobiledevice.org/";
+arch=('i686' 'x86_64')
+license=('GPL2' 'LGPL2.1')
+depends=('libusbmuxd' 'usbmuxd' 'gnutls')
+makedepends=('python2' 'cython2' 'python' 'cython' 'libplist'
'autoconf-archive')
+source=(http://libimobiledevice.org/downloads/$pkgname-$pkgver.tar.bz2
+ 0001-Fix-installation_proxy-when-using-GnuTLS-instead-of-.patch
+ CVE-2016-5104.patch
+ 0001-Add-new-function-to-get-the-underlying-file-descript.patch
+ 0001-Updated-gnutls-certificate-callback-to-new-API-backw.patch
+ 0001-idevice-Update-GnuTLS-code-to-support-iOS-10.patch
+ 0001-userpref-GnuTLS-Fix-pairing-record-generation-and-im.patch)
+sha256sums=('786b0de0875053bf61b5531a86ae8119e320edab724fc62fe2150cc931f11037'
+ '9fb1523276f9ab4273f0065728c52792ec6c99c09d587c28175c748175106a09'
+ '30d8032244859adc85f11df00a5b3adb017160821ddf4b22a8528f9b104c0951'
+ 'a4a1844dfedc933cb998afbbe4b2066d8bcedf8d305990715160b957f754922c'
+ '9e03d66e15ad036e7e3b8639b07788a0c1959016444766ad63f708e722bd516c'
+ '173291a36ea08226c221643580c007f44e430867f345d8106395cce0f52a38c5'
+ '7d3c5a89ce6611c219d80255a1cce4a02de4ca00fb58c32e87733d9a0e20c4ce')
+
+prepare() {
+ cd "$pkgname-$pkgver"
+ patch -Np1 -i
../0001-Fix-installation_proxy-when-using-GnuTLS-instead-of-.patch
+ patch -Np1 -i ../CVE-2016-5104.patch
+ patch -Np1 -i
../0001-Add-new-function-to-get-the-underlying-file-descript.patch
+ patch -Np1 -i
../0001-Updated-gnutls-certificate-callback-to-new-API-backw.patch
+ patch -Np1 -i ../0001-idevice-Update-GnuTLS-code-to-support-iOS-10.patch
+ patch -Np1 -i
../0001-userpref-GnuTLS-Fix-pairing-record-generation-and-im.patch
+ sed -e 's/AC_PYTHON_DEVEL/AX_PYTHON_DEVEL/' -i m4/cython_python.m4
+ autoreconf -fi
+}
+
+build() {
+ mkdir build-py2
+ pushd build-py2
+ PYTHON=/usr/bin/python2 CYTHON=/usr/bin/cython2
../$pkgname-$pkgver/configure --prefix=/usr --disable-openssl
+ sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
+ make
+ popd
+
+ mkdir build-py3
+ pushd build-py3
+ PYTHON=/usr/bin/python CYTHON=/usr/bin/cython ../$pkgname-$pkgver/configure
--prefix=/usr --disable-openssl
+ sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
+ make
+}
+
+package() {
+ pushd build-py2
+ make DESTDIR="$pkgdir" install
+ popd
+ pushd build-py3/cython
+ make DESTDIR="$pkgdir" install
+ popd
+}
Deleted: extra-x86_64/disable-sslv3.patch
===================================================================
--- extra-x86_64/disable-sslv3.patch 2017-03-27 22:27:19 UTC (rev 291736)
+++ extra-x86_64/disable-sslv3.patch 2017-03-27 22:27:29 UTC (rev 291737)
@@ -1,12 +0,0 @@
-diff -u -r libimobiledevice-1.2.0/src/idevice.c
libimobiledevice-1.2.0-nossl3/src/idevice.c
---- libimobiledevice-1.2.0/src/idevice.c 2015-01-28 02:10:32.000000000
+0100
-+++ libimobiledevice-1.2.0-nossl3/src/idevice.c 2016-03-03
18:33:45.912308242 +0100
-@@ -678,7 +678,7 @@
- }
- BIO_set_fd(ssl_bio, (int)(long)connection->data, BIO_NOCLOSE);
-
-- SSL_CTX *ssl_ctx = SSL_CTX_new(SSLv3_method());
-+ SSL_CTX *ssl_ctx = SSL_CTX_new(SSLv23_method());
- if (ssl_ctx == NULL) {
- debug_info("ERROR: Could not create SSL context.");
- BIO_free(ssl_bio);
