Bug#840931: libimobiledevice4 GnuTLS settings broken with iOS 10

2017-01-02 Thread Nicolas Boulenguez
Package: libimobiledevice4
Followup-For: Bug #840931
Control: reassign 840931 libimobiledevice6 1.2.0+dfsg-3
Control: affects 840931 ifuse
Control: merge 840931 847977
Control: tags 840931 patch

Hello.

The attached diff applies the two upstream commits described above, as
well as another one described at the end of
https://github.com/libimobiledevice/libimobiledevice/issues/413.

All three patches are required to connect an iOS 4.5.1.
diff -Nru libimobiledevice-1.2.0+dfsg/debian/changelog libimobiledevice-1.2.0+dfsg/debian/changelog
--- libimobiledevice-1.2.0+dfsg/debian/changelog	2016-06-02 18:55:15.0 +0200
+++ libimobiledevice-1.2.0+dfsg/debian/changelog	2017-01-03 01:32:36.0 +0100
@@ -1,3 +1,12 @@
+libimobiledevice (1.2.0+dfsg-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Upstream commits replacing SSL3.0 with TLS1.0. Closes: #840931, #847977.
+Also fix related bug in GNUTLS pairing record generation, see
+https://github.com/libimobiledevice/libimobiledevice/issues/413.
+
+ -- Nicolas Boulenguez   Tue, 03 Jan 2017 01:32:36 +0100
+
 libimobiledevice (1.2.0+dfsg-3) unstable; urgency=high
 
   * Team upload
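Review bot: the two continuation lines of the new bullet ("Also fix related bug ..." and the issue URL) start in column 1 as shown here rather than being indented under the `*` item; Debian Policy requires change-detail lines to begin with at least two spaces, so if this is not just mail rendering, dpkg-parsechangelog and lintian will complain about the entry. It would also help to name the two upstream commit IDs (13bf235 and 72643b2) in the entry instead of only "Upstream commits", since the bug report refers to them by hash.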
diff -Nru libimobiledevice-1.2.0+dfsg/debian/patches/fix-ssl-version-negotiation-for-newer-versions-of-openssl.diff libimobiledevice-1.2.0+dfsg/debian/patches/fix-ssl-version-negotiation-for-newer-versions-of-openssl.diff
--- libimobiledevice-1.2.0+dfsg/debian/patches/fix-ssl-version-negotiation-for-newer-versions-of-openssl.diff	1970-01-01 01:00:00.0 +0100
+++ libimobiledevice-1.2.0+dfsg/debian/patches/fix-ssl-version-negotiation-for-newer-versions-of-openssl.diff	2017-01-03 01:32:36.0 +0100
@@ -0,0 +1,20 @@
+Description: Fix SSL version negotiation for newer versions of OpenSSL
+ Depending on the OpenSSL version (and custom distribution patches), `SSLv3_method()`
+ would return NULL on some systems and also `SSLv23_method()` fails with some older
+ iOS versions...
+Origin: upstream, https://cgit.libimobiledevice.org/libimobiledevice.git/commit/?id=13bf235cac2201747de11652cf14fe2714ca0718
+Author: David Weinstein
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840931
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847977
+
+--- a/src/idevice.c
 b/src/idevice.c
+@@ -687,7 +687,7 @@
+ 	}
+ 	BIO_set_fd(ssl_bio, (int)(long)connection->data, BIO_NOCLOSE);
+ 
+-	SSL_CTX *ssl_ctx = SSL_CTX_new(SSLv3_method());
++	SSL_CTX *ssl_ctx = SSL_CTX_new(TLSv1_method());
+ 	if (ssl_ctx == NULL) {
+ 		debug_info("ERROR: Could not create SSL context.");
+ 		BIO_free(ssl_bio);
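Review bot: `TLSv1_method()` pins the client to exactly TLS 1.0, so a device that stops offering 1.0 in a future release will fail in the same way SSL 3.0 does now, and an OpenSSL built with TLS 1.0 disabled returns NULL from it. The existing `if (ssl_ctx == NULL)` branch catches the NULL, but "Could not create SSL context." gives no hint why; consider logging the OpenSSL error queue (ERR_get_error()/ERR_error_string()) there. The description says only that `SSLv23_method()` "fails with some older iOS versions"; please record which versions were tried so the next person does not reattempt a version-flexible method blindly.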
diff -Nru libimobiledevice-1.2.0+dfsg/debian/patches/idevice-update-gnutls-code-to-support-ios-10.diff libimobiledevice-1.2.0+dfsg/debian/patches/idevice-update-gnutls-code-to-support-ios-10.diff
--- libimobiledevice-1.2.0+dfsg/debian/patches/idevice-update-gnutls-code-to-support-ios-10.diff	1970-01-01 01:00:00.0 +0100
+++ libimobiledevice-1.2.0+dfsg/debian/patches/idevice-update-gnutls-code-to-support-ios-10.diff	2017-01-03 01:32:36.0 +0100
@@ -0,0 +1,21 @@
+Description: idevice: Update GnuTLS code to support iOS 10
+ As of iOS 10 beta 4, the GnuTLS implementation idevice_connection_enable_ssl
+ needs to be updated to support TLS. Using +VERS-TLS-ALL did not work on some
+ of the devices I tested and I wasn't sure how to fix it, but +VERS-TLS1.0 is
+ working on every device I've tested: iOS 9.0.2, 10.0b4, 8.1.1, 6.0, and 3.0.
+Origin: upstream, https://cgit.libimobiledevice.org/libimobiledevice.git/commit/?id=72643b2b83990b9cf97cc84b285b30763d44a72d
+Author: Jay Freeman (saurik)
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840931
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847977
+
+--- a/src/idevice.c
 b/src/idevice.c
+@@ -758,7 +758,7 @@
+ 	gnutls_certificate_client_set_retrieve_function(ssl_data_loc->certificate, internal_cert_callback);
+ #endif
+ 	gnutls_init(&ssl_data_loc->session, GNUTLS_CLIENT);
+-	gnutls_priority_set_direct(ssl_data_loc->session, "NONE:+VERS-SSL3.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL", NULL);
++	gnutls_priority_set_direct(ssl_data_loc->session, "NONE:+VERS-TLS1.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL", NULL);
+ 	gnutls_credentials_set(ssl_data_loc->session, GNUTLS_CRD_CERTIFICATE, ssl_data_loc->certificate);
+ 	gnutls_session_set_ptr(ssl_data_loc->session, ssl_data_loc);
+ 
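Review bot: only the version token changes in this priority string; +ANON-DH, +MD5 and +SHA1 stay enabled, so the string still permits anonymous Diffie-Hellman, which authenticates neither side, and MD5 as the MAC. That is pre-existing, but since this patch is the one place the string is touched, either drop +ANON-DH (the context lines already install a client-certificate callback, internal_cert_callback, so an unauthenticated key exchange should not be needed; verify that pairing still works without it) or say in the description why it must stay. The hard pin to +VERS-TLS1.0 also means that devices which later drop TLS 1.0 will break again; the description's note that +VERS-TLS-ALL "did not work on some of the devices" is valuable and should name those devices.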
diff -Nru libimobiledevice-1.2.0+dfsg/debian/patches/series libimobiledevice-1.2.0+dfsg/debian/patches/series
--- libimobiledevice-1.2.0+dfsg/debian/patches/series	2016-06-02 18:55:15.0 +0200
+++ libimobiledevice-1.2.0+dfsg/debian/patches/series	2017-01-03 01:32:36.0 +0100
@@ -2,3 +2,6 @@
 09_use_python_config.patch
 local-only-sockets.patch
 gnutls-api-update.patch
+fix-ssl-version-negotiation-for-newer-versions-of-openssl.diff
+idevice-update-gnutls-code-to-support-ios-10.diff
+userpref-gnutls-fix-pairing-record-generation-and-improve-err
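Review bot: the third entry names a patch file, userpref-gnutls-fix-pairing-record-generation-and-improve-err..., that does not appear anywhere in this diff; only the two idevice.c patches are added under debian/patches, so quilt will fail with a missing file when the series is applied. The filename also looks cut off at "improve-err". Please attach the complete diff, including that third patch with its own DEP-3 header pointing at issue #413, since the changelog entry claims it is part of this upload.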

Bug#840931: libimobiledevice4 GnuTLS settings broken with iOS 10

2016-10-16 Thread Nathan Kennedy

Package: libimobiledevice4
Version: 1.1.6+dfsg-3.1

On devices (iPhones) upgraded to iOS 10, there are errors that prevent 
connecting. I did not find this in deb bugs.


This was fixed in master upstream, using TLS1.0 instead of SSL3.0. We 
should really get this fixed in jessie (in 1.1.6), otherwise iOS 10 
devices become unusable with Debian.


Requires two commits:
13bf235cac2201747de11652cf14fe2714ca0718
72643b2b83990b9cf97cc84b285b30763d44a72d

After these, rebuilding and reinstalling, the iOS 10 devices work fine 
for me.


Nathan

Patch:
--- libimobiledevice-1.1.6+dfsg.orig/src/idevice.c
+++ libimobiledevice-1.1.6+dfsg/src/idevice.c
@@ -777,7 +777,7 @@ idevice_error_t idevice_connection_enabl
 }
 BIO_set_fd(ssl_bio, (int)(long)connection->data, BIO_NOCLOSE);

-SSL_CTX *ssl_ctx = SSL_CTX_new(SSLv3_method());
+SSL_CTX *ssl_ctx = SSL_CTX_new(TLSv1_method());
 if (ssl_ctx == NULL) {
 debug_info("ERROR: Could not create SSL context.");
 BIO_free(ssl_bio);
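Review bot: the context lines of this hunk have lost their leading indentation (the `}` and `BIO_set_fd(...)` lines start in column 1), so `patch -p1` will reject it against the tab-indented source unless run with -l/--ignore-whitespace. Please attach the diff as a file (or `git format-patch` output) rather than pasting it inline.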
@@ -838,7 +838,7 @@ idevice_error_t idevice_connection_enabl
gnutls_certificate_allocate_credentials(&ssl_data_loc->certificate);
gnutls_certificate_client_set_retrieve_function(ssl_data_loc->certificate, 
internal_cert_callback);

 gnutls_init(&ssl_data_loc->session, GNUTLS_CLIENT);
-gnutls_priority_set_direct(ssl_data_loc->session, 
"NONE:+VERS-SSL3.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL", 
NULL);
+gnutls_priority_set_direct(ssl_data_loc->session, 
"NONE:+VERS-TLS1.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL", 
NULL);
 gnutls_credentials_set(ssl_data_loc->session, 
GNUTLS_CRD_CERTIFICATE, ssl_data_loc->certificate);

 gnutls_session_set_ptr(ssl_data_loc->session, ssl_data_loc);
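Review bot: the two gnutls_priority_set_direct() lines of this hunk have been wrapped by the mail client into three physical lines each (the priority string and `NULL);` sit on their own lines) and the `-`/`+` markers therefore no longer line up with whole source lines, so this hunk cannot be applied as pasted. Since the change is exactly upstream commit 72643b2b83990b9cf97cc84b285b30763d44a72d cited above, cherry-picking that commit is a safer way to carry it than re-typing the diff.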
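The priority strings from the patches in this thread, parsed and audited by a small script. This is an added example, not code from libimobiledevice or GnuTLS: it implements only the subset of the GnuTLS priority grammar these strings use (a leading baseline keyword such as NONE, then "+TOKEN" to enable, "-TOKEN" to disable, "!TOKEN" to disable permanently), and its weakness table is a hand-written assessment rather than anything GnuTLS ships. It shows that the fix swaps only the version token, and that anonymous DH and MD5 stay enabled either way. The `drop_tokens` helper and the hardened string it produces are an illustration of the `!` operator; whether a given iOS release still pairs with such a string is not something this thread establishes.

```python
"""Audit GnuTLS priority strings of the kind libimobiledevice passes to
gnutls_priority_set_direct().  Added example; not libimobiledevice or GnuTLS
code.  Only a subset of the priority grammar is implemented: an optional
baseline keyword (NONE), then +TOKEN / -TOKEN / !TOKEN."""

from dataclasses import dataclass, field

# Priority strings copied from the patch hunks in this bug (before / after).
OLD_PRIORITY = "NONE:+VERS-SSL3.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL"
NEW_PRIORITY = "NONE:+VERS-TLS1.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL"

# Hand-written assessment table (assumption: current best practice, not a
# GnuTLS-maintained list).
WEAK = {
    "VERS-SSL3.0": "SSL 3.0 is broken (POODLE) and compiled out of modern GnuTLS; handshake cannot succeed",
    "VERS-TLS1.0": "TLS 1.0 is deprecated (RFC 8996); keep only for legacy peers that offer nothing newer",
    "ANON-DH": "anonymous DH authenticates nobody, so an on-path attacker can sit in the middle",
    "MD5": "MD5 as HMAC is obsolete",
    "SHA1": "SHA-1 as HMAC is weak",
}


@dataclass
class Priority:
    baseline: str = "NONE"
    enabled: list = field(default_factory=list)   # ordered: GnuTLS preference order
    forbidden: set = field(default_factory=set)   # tokens disabled with '!'


def parse_priority(spec: str) -> Priority:
    """Parse a priority string into the ordered list of enabled tokens."""
    p = Priority()
    tokens = [t.strip() for t in spec.split(":") if t.strip()]
    if not tokens:
        raise ValueError("empty priority string")
    if tokens[0][0] not in "+-!":          # leading keyword is the baseline
        p.baseline = tokens[0]
        tokens = tokens[1:]
    for tok in tokens:
        op, name = tok[0], tok[1:]
        if not name:
            raise ValueError(f"dangling operator in {tok!r}")
        if op == "+":
            if name in p.forbidden:
                raise ValueError(f"{name} enabled after being disabled with '!'")
            if name not in p.enabled:
                p.enabled.append(name)
        elif op == "-":
            p.enabled = [t for t in p.enabled if t != name]
        elif op == "!":
            p.enabled = [t for t in p.enabled if t != name]
            p.forbidden.add(name)
        else:
            raise ValueError(f"unexpected keyword {tok!r}")
    return p


def audit(spec: str) -> dict:
    """Summarise what a priority string actually permits and flag weak choices."""
    p = parse_priority(spec)
    versions = [t for t in p.enabled if t.startswith("VERS-")]
    findings = [f"{t}: {WEAK[t]}" for t in p.enabled if t in WEAK]
    if p.baseline == "NONE" and not versions:
        findings.append("no protocol version enabled: every handshake fails")
    return {
        "baseline": p.baseline,
        "versions": versions,
        "unauthenticated_kx": "ANON-DH" in p.enabled,
        "findings": findings,
    }


def diff_enabled(old_spec: str, new_spec: str) -> tuple:
    """(added, removed) tokens between two strings, so a reviewer sees what moved."""
    old, new = parse_priority(old_spec).enabled, parse_priority(new_spec).enabled
    return [t for t in new if t not in old], [t for t in old if t not in new]


def drop_tokens(spec: str, names) -> str:
    """Rebuild a string with the given tokens removed and forbidden via '!'."""
    kept = [t for t in spec.split(":") if t and t[1:] not in names]
    return ":".join(kept + [f"!{n}" for n in names])


if __name__ == "__main__":
    for label, spec in (("before", OLD_PRIORITY), ("after", NEW_PRIORITY)):
        r = audit(spec)
        print(f"{label}: versions={r['versions']} anon-kx={r['unauthenticated_kx']}")
        for f in r["findings"]:
            print("   -", f)
    print("patch adds/removes:", diff_enabled(OLD_PRIORITY, NEW_PRIORITY))
    print("without ANON-DH/MD5:", drop_tokens(NEW_PRIORITY, ["ANON-DH", "MD5"]))
```

Run it with no arguments; the "patch adds/removes" line is the one-token diff a reviewer would want to confirm before accepting a TLS-related change, and the audit of the "after" string is the reason the +ANON-DH/+MD5 tokens deserve a follow-up.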