Bug 1385200 - libimobiledevice/usbmuxd fails with new version of GnuTLS
Summary: libimobiledevice/usbmuxd fails with new version of GnuTLS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libimobiledevice
Version: 24
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Peter Robinson
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-10-15 05:44 UTC by rosenp
Modified: 2016-12-20 06:22 UTC (History)
4 users (show)

Fixed In Version: libimobiledevice-1.2.0-8.fc24
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-20 06:22:32 UTC
Type: Bug


Attachments (Terms of Use)

Description rosenp 2016-10-15 05:44:09 UTC
Description of problem:

Once I upgrade my version of GnuTLS, I can no longer have any iOS mounts under GVFS. Well, everything except MTP breaks actually. I think the reason has to do with SSLv3 being disabled at compile time.

Version-Release number of selected component (if applicable):
last working version seems to be 3.4.12-1

How reproducible:

Always

Steps to Reproduce:
1. Connect an iOS device

Actual results:

Nothing except MTP gets mounted

Expected results:

AFC stuff gets mounted.

Additional info:

Upstream has fixed this so a patch is needed in the meantime. Patch is here: 

https://github.com/libimobiledevice/libimobiledevice/commit/72643b2b83990b9cf97cc84b285b30763d44a72d

Another solution would be to switch to OpenSSL and backport this patch: 

https://github.com/libimobiledevice/libimobiledevice/commit/13bf235cac2201747de11652cf14fe2714ca0718

Comment 1 Nikos Mavrogiannopoulos 2016-11-04 06:50:53 UTC
Note that there are multiple issues concerning that. The following patch is also required to be applied:
https://github.com/libimobiledevice/libimobiledevice/commit/23069d10341ce637fdad7321d447c53752dba48c

Comment 2 Peter Robinson 2016-11-04 09:07:51 UTC
I'll look at this shortly, will likely move to openssl

Comment 3 Nikos Mavrogiannopoulos 2016-11-04 09:09:59 UTC
(In reply to Peter Robinson from comment #2)
> I'll look at this shortly, will likely move to openssl

Please don't, if you cannot apply the patches please accept my commit access and I'll look into it.

Comment 4 Peter Robinson 2016-11-04 13:16:24 UTC
> Please don't

Please don't do what? Please be specific.

Comment 5 Nikos Mavrogiannopoulos 2016-11-04 14:19:45 UTC
don't switch to openssl

Comment 6 Peter Robinson 2016-11-04 14:39:07 UTC
(In reply to Nikos Mavrogiannopoulos from comment #5)
> don't switch to openssl

why? as I said before please be specific

Comment 7 Nikos Mavrogiannopoulos 2016-11-04 14:51:39 UTC
I think I was specific. If you want a reason for my suggestion is because I am the maintainer of gnutls and I would like to verify that the upstream fix works.

Comment 8 Peter Robinson 2016-11-04 15:03:40 UTC
(In reply to Nikos Mavrogiannopoulos from comment #7)
> I think I was specific. If you want a reason for my suggestion is because I
> am the maintainer of gnutls and I would like to verify that the upstream fix
> works.

I'm sorry all you said was "don't switch to openssl" without any reason as to why. That is NOT specific!

The problem I have found with gnutls, and I've been considering this change for some time, is it doesn't have a stable API and randomly breaks stuff like this forcing things to unnecessarily pull in patches mid-stream to fix those issues. Literally everytime! I originally moved from openssl as I wasn't convinced of it's security, since heartbleed this has improved and they have the actual ability to communicate changes in API with proper details rather than just randomly breaking shit.

Comment 9 Nikos Mavrogiannopoulos 2016-11-04 15:20:06 UTC
(In reply to Peter Robinson from comment #8)
> (In reply to Nikos Mavrogiannopoulos from comment #7)
> > I think I was specific. If you want a reason for my suggestion is because I
> > am the maintainer of gnutls and I would like to verify that the upstream fix
> > works.
> I'm sorry all you said was "don't switch to openssl" without any reason as
> to why. That is NOT specific!
> The problem I have found with gnutls, and I've been considering this change
> for some time, is it doesn't have a stable API and randomly breaks stuff
> like this forcing things to unnecessarily pull in patches mid-stream to fix
> those issues. Literally everytime!

While there have been ABI changes, the API hasn't changed for several years. What has changed though is thorough checking of input parameters (IMO a good thing), and that's what broke libimobiledevice.

Unfortunately the libimobiledevice gnutls support was not very well written (as seen in the patches above). Notice that the patches above, enable TLS 1.0 (which exists since 1996), introduce error checking (which was not there) and fix wrong use of the API (such as setting invalid RSA keys). So for that particular case the gnutls API is unchanged but the introduced sanity checks to prevent applications from using invalid keys broke libimobile lib.

I could help improving that by reviewing the upstream code, if you keep that support.

> I originally moved from openssl as I
> wasn't convinced of it's security, since heartbleed this has improved and
> they have the actual ability to communicate changes in API with proper
> details rather than just randomly breaking shit.

Both are C libraries and I wouldn't try to make statements that one is more secure than the others. Such issues like heartbleed could happen to C libraries, but note that both libraries have had such issues found once in a decade or so. So security-wise I would say that both are equivalent or at least not far from each other.

Comment 10 Fedora Update System 2016-12-02 17:46:15 UTC
libimobiledevice-1.2.0-8.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-e9b731e067

Comment 11 Fedora Update System 2016-12-03 05:43:47 UTC
libimobiledevice-1.2.0-8.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e9b731e067

Comment 12 Fedora Update System 2016-12-20 06:22:32 UTC
libimobiledevice-1.2.0-8.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.