diff options
| -rw-r--r-- | src/lockdown.c | 210 | ||||
| -rw-r--r-- | src/lockdown.h | 2 | ||||
| -rw-r--r-- | src/property_list_service.c | 132 | ||||
| -rw-r--r-- | src/property_list_service.h | 7 |
4 files changed, 55 insertions, 296 deletions
diff --git a/src/lockdown.c b/src/lockdown.c index 7609426..5568f03 100644 --- a/src/lockdown.c +++ b/src/lockdown.c @@ -123,173 +123,6 @@ static void plist_dict_add_label(plist_t plist, const char *label) } } -/** gnutls callback for writing data to the device. - * - * @param transport It's really the lockdownd client, but the method signature has to match - * @param buffer The data to send - * @param length The length of data to send in bytes - * - * @return The number of bytes sent - */ -static ssize_t lockdownd_ssl_write(gnutls_transport_ptr_t transport, char *buffer, size_t length) -{ - uint32_t bytes = 0; - lockdownd_client_t client; - client = (lockdownd_client_t) transport; - debug_info("pre-send length = %zi", length); - iphone_device_send(property_list_service_get_connection(client->parent), buffer, length, &bytes); - debug_info("post-send sent %i bytes", bytes); - return bytes; -} - -/** gnutls callback for reading data from the device. - * - * @param transport It's really the lockdownd client, but the method signature has to match - * @param buffer The buffer to store data in - * @param length The length of data to read in bytes - * - * @return The number of bytes read - */ -static ssize_t lockdownd_ssl_read(gnutls_transport_ptr_t transport, char *buffer, size_t length) -{ - int bytes = 0, pos_start_fill = 0; - size_t tbytes = 0; - int this_len = length; - iphone_error_t res; - lockdownd_client_t client; - client = (lockdownd_client_t) transport; - char *recv_buffer; - - debug_info("pre-read client wants %zi bytes", length); - - recv_buffer = (char *) malloc(sizeof(char) * this_len); - - /* repeat until we have the full data or an error occurs */ - do { - if ((res = iphone_device_recv(property_list_service_get_connection(client->parent), recv_buffer, this_len, (uint32_t*)&bytes)) != LOCKDOWN_E_SUCCESS) { - debug_info("ERROR: iphone_device_recv returned %d", res); - return res; - } - debug_info("post-read we got %i bytes", bytes); - - // increase read count - tbytes += bytes; - - // fill the buffer with what we got right now - memcpy(buffer + pos_start_fill, recv_buffer, bytes); - pos_start_fill += bytes; - - if (tbytes >= length) { - break; - } - - this_len = length - tbytes; - debug_info("re-read trying to read missing %i bytes", this_len); - } while (tbytes < length); - - if (recv_buffer) { - free(recv_buffer); - } - - return tbytes; -} - -/** Starts communication with lockdownd after the iPhone has been paired, - * and if the device requires it, switches to SSL mode. - * - * @param client The lockdownd client - * - * @return an error code (LOCKDOWN_E_SUCCESS on success) - */ -static lockdownd_error_t lockdownd_ssl_start_session(lockdownd_client_t client) -{ - lockdownd_error_t ret = LOCKDOWN_E_SSL_ERROR; - uint32_t return_me = 0; - - // Set up GnuTLS... - debug_info("enabling SSL mode"); - errno = 0; - gnutls_global_init(); - gnutls_certificate_allocate_credentials(&client->ssl_certificate); - gnutls_certificate_set_x509_trust_file(client->ssl_certificate, "hostcert.pem", GNUTLS_X509_FMT_PEM); - gnutls_init(&client->ssl_session, GNUTLS_CLIENT); - { - int protocol_priority[16] = { GNUTLS_SSL3, 0 }; - int kx_priority[16] = { GNUTLS_KX_ANON_DH, GNUTLS_KX_RSA, 0 }; - int cipher_priority[16] = { GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_AES_256_CBC, 0 }; - int mac_priority[16] = { GNUTLS_MAC_SHA1, GNUTLS_MAC_MD5, 0 }; - int comp_priority[16] = { GNUTLS_COMP_NULL, 0 }; - - gnutls_cipher_set_priority(client->ssl_session, cipher_priority); - gnutls_compression_set_priority(client->ssl_session, comp_priority); - gnutls_kx_set_priority(client->ssl_session, kx_priority); - gnutls_protocol_set_priority(client->ssl_session, protocol_priority); - gnutls_mac_set_priority(client->ssl_session, mac_priority); - } - gnutls_credentials_set(client->ssl_session, GNUTLS_CRD_CERTIFICATE, client->ssl_certificate); // this part is killing me. - - debug_info("GnuTLS step 1..."); - gnutls_transport_set_ptr(client->ssl_session, (gnutls_transport_ptr_t) client); - debug_info("GnuTLS step 2..."); - gnutls_transport_set_push_function(client->ssl_session, (gnutls_push_func) & lockdownd_ssl_write); - debug_info("GnuTLS step 3..."); - gnutls_transport_set_pull_function(client->ssl_session, (gnutls_pull_func) & lockdownd_ssl_read); - debug_info("GnuTLS step 4 -- now handshaking..."); - if (errno) - debug_info("WARN: errno says %s before handshake!", strerror(errno)); - return_me = gnutls_handshake(client->ssl_session); - debug_info("GnuTLS handshake done..."); - - if (return_me != GNUTLS_E_SUCCESS) { - debug_info("GnuTLS reported something wrong."); - gnutls_perror(return_me); - debug_info("oh.. errno says %s", strerror(errno)); - } else { - client->ssl_enabled = 1; - ret = LOCKDOWN_E_SUCCESS; - debug_info("SSL mode enabled"); - } - - return ret; -} - -/** - * Shuts down the SSL session by performing a close notify, which is done - * by "gnutls_bye". - * - * @param client The lockdown client - * - * @return an error code (LOCKDOWN_E_SUCCESS on success) - */ -static lockdownd_error_t lockdownd_ssl_stop_session(lockdownd_client_t client) -{ - if (!client) { - debug_info("invalid argument!"); - return LOCKDOWN_E_INVALID_ARG; - } - lockdownd_error_t ret = LOCKDOWN_E_SUCCESS; - - if (client->ssl_enabled) { - debug_info("sending SSL close notify"); - gnutls_bye(client->ssl_session, GNUTLS_SHUT_RDWR); - } - if (client->ssl_session) { - gnutls_deinit(client->ssl_session); - } - if (client->ssl_certificate) { - gnutls_certificate_free_credentials(client->ssl_certificate); - } - client->ssl_enabled = 0; - - if (client->session_id) - free(client->session_id); - client->session_id = NULL; - - debug_info("SSL mode disabled"); - - return ret; -} - /** * Closes the lockdownd communication session, by sending the StopSession * Request to the device. @@ -339,10 +172,9 @@ lockdownd_error_t lockdownd_stop_session(lockdownd_client_t client, const char * } plist_free(dict); dict = NULL; - - /* stop ssl session */ - lockdownd_ssl_stop_session(client); - + if (client->ssl_enabled) { + property_list_service_disable_ssl(client->parent); + } return ret; } @@ -411,16 +243,9 @@ lockdownd_error_t lockdownd_recv(lockdownd_client_t client, plist_t *plist) lockdownd_error_t ret = LOCKDOWN_E_SUCCESS; property_list_service_error_t err; - if (!client->ssl_enabled) { - err = property_list_service_receive_plist(client->parent, plist); - if (err != PROPERTY_LIST_SERVICE_E_SUCCESS) { - ret = LOCKDOWN_E_UNKNOWN_ERROR; - } - } else { - err = property_list_service_receive_encrypted_plist(client->ssl_session, plist); - if (err != PROPERTY_LIST_SERVICE_E_SUCCESS) { - return LOCKDOWN_E_SSL_ERROR; - } + err = property_list_service_receive_plist(client->parent, plist); + if (err != PROPERTY_LIST_SERVICE_E_SUCCESS) { + ret = LOCKDOWN_E_UNKNOWN_ERROR; } if (!*plist) @@ -447,16 +272,9 @@ lockdownd_error_t lockdownd_send(lockdownd_client_t client, plist_t plist) lockdownd_error_t ret = LOCKDOWN_E_SUCCESS; iphone_error_t err; - if (!client->ssl_enabled) { - err = property_list_service_send_xml_plist(client->parent, plist); - if (err != PROPERTY_LIST_SERVICE_E_SUCCESS) { - ret = LOCKDOWN_E_UNKNOWN_ERROR; - } - } else { - err = property_list_service_send_encrypted_xml_plist(client->ssl_session, plist); - if (err != PROPERTY_LIST_SERVICE_E_SUCCESS) { - ret = LOCKDOWN_E_SSL_ERROR; - } + err = property_list_service_send_xml_plist(client->parent, plist); + if (err != PROPERTY_LIST_SERVICE_E_SUCCESS) { + ret = LOCKDOWN_E_UNKNOWN_ERROR; } return ret; } @@ -775,8 +593,6 @@ lockdownd_error_t lockdownd_client_new(iphone_device_t device, lockdownd_client_ lockdownd_client_t client_loc = (lockdownd_client_t) malloc(sizeof(struct lockdownd_client_int)); client_loc->parent = plistclient; - client_loc->ssl_session = NULL; - client_loc->ssl_certificate = NULL; client_loc->ssl_enabled = 0; client_loc->session_id = NULL; client_loc->uuid = NULL; @@ -848,8 +664,7 @@ lockdownd_error_t lockdownd_client_new_with_handshake(iphone_device_t device, lo if (LOCKDOWN_E_SUCCESS == ret) { ret = lockdownd_start_session(client_loc, host_id, NULL, NULL); if (LOCKDOWN_E_SUCCESS != ret) { - ret = LOCKDOWN_E_SSL_ERROR; - debug_info("SSL Session opening failed."); + debug_info("Session opening failed."); } if (host_id) { @@ -1313,7 +1128,10 @@ lockdownd_error_t lockdownd_start_session(lockdownd_client_t client, const char } debug_info("Enable SSL Session: %s", (use_ssl?"true":"false")); if (use_ssl) { - ret = lockdownd_ssl_start_session(client); + ret = property_list_service_enable_ssl(client->parent); + if (ret == PROPERTY_LIST_SERVICE_E_SUCCESS) { + client->ssl_enabled = 1; + } } else { client->ssl_enabled = 0; ret = LOCKDOWN_E_SUCCESS; diff --git a/src/lockdown.h b/src/lockdown.h index 9da3872..82ea01f 100644 --- a/src/lockdown.h +++ b/src/lockdown.h @@ -30,8 +30,6 @@ struct lockdownd_client_int { property_list_service_client_t parent; - gnutls_session_t ssl_session; - gnutls_certificate_credentials_t ssl_certificate; int ssl_enabled; char *session_id; char *uuid; diff --git a/src/property_list_service.c b/src/property_list_service.c index e39c7bb..b4c2f44 100644 --- a/src/property_list_service.c +++ b/src/property_list_service.c @@ -43,6 +43,8 @@ static property_list_service_error_t iphone_to_property_list_service_error(iphon return PROPERTY_LIST_SERVICE_E_SUCCESS; case IPHONE_E_INVALID_ARG: return PROPERTY_LIST_SERVICE_E_INVALID_ARG; + case IPHONE_E_SSL_ERROR: + return PROPERTY_LIST_SERVICE_E_SSL_ERROR; default: break; } @@ -106,12 +108,8 @@ property_list_service_error_t property_list_service_client_free(property_list_se * Internally used generic plist send function. * * @param client The property list service client to use for sending. - * Can be NULL if ssl_session is non-NULL. * @param plist plist to send * @param binary 1 = send binary plist, 0 = send xml plist - * @param ssl_session If set to NULL, the communication will be unencrypted. - * For encrypted communication, pass a valid and properly initialized - * gnutls_session_t. client is ignored when ssl_session is non-NULL. * * @return PROPERTY_LIST_SERVICE_E_SUCCESS on success, * PROPERTY_LIST_SERVICE_E_INVALID_ARG when one or more parameters are @@ -119,7 +117,7 @@ property_list_service_error_t property_list_service_client_free(property_list_se * plist, or PROPERTY_LIST_SERVICE_E_UNKNOWN_ERROR when an unspecified * error occurs. */ -static property_list_service_error_t internal_plist_send(property_list_service_client_t client, plist_t plist, int binary, gnutls_session_t ssl_session) +static property_list_service_error_t internal_plist_send(property_list_service_client_t client, plist_t plist, int binary) { property_list_service_error_t res = PROPERTY_LIST_SERVICE_E_UNKNOWN_ERROR; char *content = NULL; @@ -127,7 +125,7 @@ static property_list_service_error_t internal_plist_send(property_list_service_c uint32_t nlen = 0; int bytes = 0; - if ((!client && !ssl_session) || (client && !client->connection) || !plist) { + if (!client || (client && !client->connection) || !plist) { return PROPERTY_LIST_SERVICE_E_INVALID_ARG; } @@ -143,17 +141,9 @@ static property_list_service_error_t internal_plist_send(property_list_service_c nlen = htonl(length); debug_info("sending %d bytes", length); - if (ssl_session) { - bytes = gnutls_record_send(ssl_session, (const char*)&nlen, sizeof(nlen)); - } else { - iphone_device_send(client->connection, (const char*)&nlen, sizeof(nlen), (uint32_t*)&bytes); - } + iphone_device_send(client->connection, (const char*)&nlen, sizeof(nlen), (uint32_t*)&bytes); if (bytes == sizeof(nlen)) { - if (ssl_session) { - bytes = gnutls_record_send(ssl_session, content, length); - } else { - iphone_device_send(client->connection, content, length, (uint32_t*)&bytes); - } + iphone_device_send(client->connection, content, length, (uint32_t*)&bytes); if (bytes > 0) { debug_info("sent %d bytes", bytes); debug_buffer(content, bytes); @@ -186,7 +176,7 @@ static property_list_service_error_t internal_plist_send(property_list_service_c */ property_list_service_error_t property_list_service_send_xml_plist(property_list_service_client_t client, plist_t plist) { - return internal_plist_send(client, plist, 0, NULL); + return internal_plist_send(client, plist, 0); } /** @@ -202,39 +192,7 @@ property_list_service_error_t property_list_service_send_xml_plist(property_list */ property_list_service_error_t property_list_service_send_binary_plist(property_list_service_client_t client, plist_t plist) { - return internal_plist_send(client, plist, 1, NULL); -} - -/** - * Sends an encrypted XML plist. - * - * @param ssl_session Valid and properly initialized gnutls_session_t. - * @param plist plist to send - * - * @return PROPERTY_LIST_SERVICE_E_SUCCESS on success, - * PROPERTY_LIST_SERVICE_E_INVALID_ARG when ssl_session or plist is NULL - * PROPERTY_LIST_SERVICE_E_PLIST_ERROR when dict is not a valid plist, - * or PROPERTY_LIST_SERVICE_E_UNKNOWN_ERROR when an unspecified error occurs. - */ -property_list_service_error_t property_list_service_send_encrypted_xml_plist(gnutls_session_t ssl_session, plist_t plist) -{ - return internal_plist_send(NULL, plist, 0, ssl_session); -} - -/** - * Sends an encrypted binary plist. - * - * @param ssl_session Valid and properly initialized gnutls_session_t. - * @param plist plist to send - * - * @return PROPERTY_LIST_SERVICE_E_SUCCESS on success, - * PROPERTY_LIST_SERVICE_E_INVALID_ARG when ssl_session or plist is NULL, - * PROPERTY_LIST_SERVICE_E_PLIST_ERROR when dict is not a valid plist, - * or PROPERTY_LIST_SERVICE_E_UNKNOWN_ERROR when an unspecified error occurs. - */ -property_list_service_error_t property_list_service_send_encrypted_binary_plist(gnutls_session_t ssl_session, plist_t plist) -{ - return internal_plist_send(NULL, plist, 1, ssl_session); + return internal_plist_send(client, plist, 1); } /** @@ -244,36 +202,26 @@ property_list_service_error_t property_list_service_send_encrypted_binary_plist( * @param client The property list service client to use for receiving * @param plist pointer to a plist_t that will point to the received plist * upon successful return - * @param timeout Maximum time in milliseconds to wait for data. This parameter - * is ignored when ssl_session is not NULL (i.e. encrypted communication is - * used). A timeout has to be implemented inside the functions passed to - * gnutls_transport_set_push_function / gnutls_transport_set_pull_function. - * @param ssl_session If set to NULL, the communication will be unencrypted. - * For encrypted communication, pass a valid and properly initialized - * gnutls_session_t. + * @param timeout Maximum time in milliseconds to wait for data. * * @return PROPERTY_LIST_SERVICE_E_SUCCESS on success, * PROPERTY_LIST_SERVICE_E_INVALID_ARG when client or *plist is NULL, * PROPERTY_LIST_SERVICE_E_PLIST_ERROR when the received data cannot be * converted to a plist, PROPERTY_LIST_SERVICE_E_MUX_ERROR when a - * communication error occurs, or PROPERTY_LIST_SERVICE_E_UNKNOWN_ERROR when - * an unspecified error occurs. + * communication error occurs, or PROPERTY_LIST_SERVICE_E_UNKNOWN_ERROR + * when an unspecified error occurs. */ -static property_list_service_error_t internal_plist_recv_timeout(property_list_service_client_t client, plist_t *plist, unsigned int timeout, gnutls_session_t ssl_session) +static property_list_service_error_t internal_plist_recv_timeout(property_list_service_client_t client, plist_t *plist, unsigned int timeout) { property_list_service_error_t res = PROPERTY_LIST_SERVICE_E_UNKNOWN_ERROR; uint32_t pktlen = 0; uint32_t bytes = 0; - if ((!client && !ssl_session) || (client && !client->connection) || !plist) { + if (!client || (client && !client->connection) || !plist) { return PROPERTY_LIST_SERVICE_E_INVALID_ARG; } - if (ssl_session) { - bytes = gnutls_record_recv(ssl_session, (char*)&pktlen, sizeof(pktlen)); - } else { - iphone_device_recv_timeout(client->connection, (char*)&pktlen, sizeof(pktlen), &bytes, timeout); - } + iphone_device_recv_timeout(client->connection, (char*)&pktlen, sizeof(pktlen), &bytes, timeout); debug_info("initial read=%i", bytes); if (bytes < 4) { debug_info("initial read failed!"); @@ -287,11 +235,7 @@ static property_list_service_error_t internal_plist_recv_timeout(property_list_s content = (char*)malloc(pktlen); while (curlen < pktlen) { - if (ssl_session) { - bytes = gnutls_record_recv(ssl_session, content+curlen, pktlen-curlen); - } else { - iphone_device_recv(client->connection, content+curlen, pktlen-curlen, &bytes); - } + iphone_device_recv(client->connection, content+curlen, pktlen-curlen, &bytes); if (bytes <= 0) { res = PROPERTY_LIST_SERVICE_E_MUX_ERROR; break; @@ -338,7 +282,7 @@ static property_list_service_error_t internal_plist_recv_timeout(property_list_s */ property_list_service_error_t property_list_service_receive_plist_with_timeout(property_list_service_client_t client, plist_t *plist, unsigned int timeout) { - return internal_plist_recv_timeout(client, plist, timeout, NULL); + return internal_plist_recv_timeout(client, plist, timeout); } /** @@ -362,41 +306,41 @@ property_list_service_error_t property_list_service_receive_plist_with_timeout(p */ property_list_service_error_t property_list_service_receive_plist(property_list_service_client_t client, plist_t *plist) { - return internal_plist_recv_timeout(client, plist, 10000, NULL); + return internal_plist_recv_timeout(client, plist, 10000); } /** - * Receives an encrypted plist. - * Binary or XML plists are automatically handled. - * This function is like property_list_service_receive_encrypted_plist_with_timeout - * with a timeout value of 10 seconds. + * Enable SSL for the given property list service client. * - * @param ssl_session Valid and properly initialized gnutls_session_t. - * @param plist pointer to a plist_t that will point to the received plist - * upon successful return + * @param client The connected property list service client for which SSL + * should be enabled. * * @return PROPERTY_LIST_SERVICE_E_SUCCESS on success, - * PROPERTY_LIST_SERVICE_E_INVALID_ARG when ssl_session or *plist is NULL, - * PROPERTY_LIST_SERVICE_E_PLIST_ERROR when the received data cannot be - * converted to a plist, PROPERTY_LIST_SERVICE_E_MUX_ERROR when a - * communication error occurs, or PROPERTY_LIST_SERVICE_E_UNKNOWN_ERROR when - * an unspecified error occurs. + * PROPERTY_LIST_SERVICE_E_INVALID_ARG if client or client->connection is + * NULL, PROPERTY_LIST_SERVICE_E_SSL_ERROR when SSL could not be enabled, + * or PROPERTY_LIST_SERVICE_E_UNKNOWN_ERROR otherwise. */ -property_list_service_error_t property_list_service_receive_encrypted_plist(gnutls_session_t ssl_session, plist_t *plist) +property_list_service_error_t property_list_service_enable_ssl(property_list_service_client_t client) { - return internal_plist_recv_timeout(NULL, plist, 10000, ssl_session); + if (!client || !client->connection) + return PROPERTY_LIST_SERVICE_E_INVALID_ARG; + return iphone_to_property_list_service_error(iphone_connection_enable_ssl(client->connection)); } /** - * Getter for the iphone_connection_t used by this client. + * Disable SSL for the given property list service client. * - * @param client The property list service client to get the connection for. + * @param client The connected property list service client for which SSL + * should be disabled. * - * @return The connection used by client. + * @return PROPERTY_LIST_SERVICE_E_SUCCESS on success, + * PROPERTY_LIST_SERVICE_E_INVALID_ARG if client or client->connection is + * NULL, or PROPERTY_LIST_SERVICE_E_UNKNOWN_ERROR otherwise. */ -iphone_connection_t property_list_service_get_connection(property_list_service_client_t client) +property_list_service_error_t property_list_service_disable_ssl(property_list_service_client_t client) { - if (!client) - return NULL; - return client->connection; + if (!client || !client->connection) + return PROPERTY_LIST_SERVICE_E_INVALID_ARG; + return iphone_to_property_list_service_error(iphone_connection_disable_ssl(client->connection)); } + diff --git a/src/property_list_service.h b/src/property_list_service.h index 39d4a0c..bc3122b 100644 --- a/src/property_list_service.h +++ b/src/property_list_service.h @@ -28,6 +28,7 @@ #define PROPERTY_LIST_SERVICE_E_INVALID_ARG -1 #define PROPERTY_LIST_SERVICE_E_PLIST_ERROR -2 #define PROPERTY_LIST_SERVICE_E_MUX_ERROR -3 +#define PROPERTY_LIST_SERVICE_E_SSL_ERROR -4 #define PROPERTY_LIST_SERVICE_E_UNKNOWN_ERROR -256 @@ -46,15 +47,13 @@ property_list_service_error_t property_list_service_client_free(property_list_se /* sending */ property_list_service_error_t property_list_service_send_xml_plist(property_list_service_client_t client, plist_t plist); property_list_service_error_t property_list_service_send_binary_plist(property_list_service_client_t client, plist_t plist); -property_list_service_error_t property_list_service_send_encrypted_xml_plist(gnutls_session_t ssl_session, plist_t plist); -property_list_service_error_t property_list_service_send_encrypted_binary_plist(gnutls_session_t ssl_session, plist_t plist); /* receiving */ property_list_service_error_t property_list_service_receive_plist_with_timeout(property_list_service_client_t client, plist_t *plist, unsigned int timeout); property_list_service_error_t property_list_service_receive_plist(property_list_service_client_t client, plist_t *plist); -property_list_service_error_t property_list_service_receive_encrypted_plist(gnutls_session_t ssl_session, plist_t *plist); /* misc */ -iphone_connection_t property_list_service_get_connection(property_list_service_client_t client); +property_list_service_error_t property_list_service_enable_ssl(property_list_service_client_t client); +property_list_service_error_t property_list_service_disable_ssl(property_list_service_client_t client); #endif |