Replace openssl with rustls

Cargo.lock

@@ -146,6 +146,29 @@ dependencies = [
  "cc",
 ]
 
+[[package]]
+name = "aws-lc-rs"
+version = "1.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "19b756939cb2f8dc900aa6dcd505e6e2428e9cae7ff7b028c49e3946efa70878"
+dependencies = [
+ "aws-lc-sys",
+ "zeroize",
+]
+
+[[package]]
+name = "aws-lc-sys"
+version = "0.28.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9f7720b74ed28ca77f90769a71fd8c637a0137f6fae4ae947e1050229cff57f"
+dependencies = [
+ "bindgen 0.69.5",
+ "cc",
+ "cmake",
+ "dunce",
+ "fs_extra",
+]
+
 [[package]]
 name = "backtrace"
 version = "0.3.74"
@@ -185,11 +208,34 @@ dependencies = [
  "proc-macro2",
  "quote",
  "regex",
- "rustc-hash",
+ "rustc-hash 1.1.0",
  "shlex",
  "which",
 ]
 
+[[package]]
+name = "bindgen"
+version = "0.69.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "271383c67ccabffb7381723dea0672a673f292304fcb45c01cc648c7a8d58088"
+dependencies = [
+ "bitflags 2.8.0",
+ "cexpr",
+ "clang-sys",
+ "itertools",
+ "lazy_static",
+ "lazycell",
+ "log",
+ "prettyplease",
+ "proc-macro2",
+ "quote",
+ "regex",
+ "rustc-hash 1.1.0",
+ "shlex",
+ "syn 2.0.100",
+ "which",
+]
+
 [[package]]
 name = "bitflags"
 version = "1.3.2"
@@ -307,6 +353,8 @@ version = "1.2.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "13208fcbb66eaeffe09b99fffbe1af420f00a7b35aa99ad683dfc1aa76145229"
 dependencies = [
+ "jobserver",
+ "libc",
  "shlex",
 ]
 
@@ -412,6 +460,15 @@ version = "0.7.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6"
 
+[[package]]
+name = "cmake"
+version = "0.1.54"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e7caa3f9de89ddbe2c607f4101924c5abec803763ae9534e4f4d7d8f84aa81f0"
+dependencies = [
+ "cc",
+]
+
 [[package]]
 name = "colorchoice"
 version = "1.0.3"
@@ -456,22 +513,6 @@ dependencies = [
  "url",
 ]
 
-[[package]]
-name = "core-foundation"
-version = "0.9.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f"
-dependencies = [
- "core-foundation-sys",
- "libc",
-]
-
-[[package]]
-name = "core-foundation-sys"
-version = "0.8.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
-
 [[package]]
 name = "cpufeatures"
 version = "0.2.17"
@@ -545,6 +586,12 @@ dependencies = [
  "litrs",
 ]
 
+[[package]]
+name = "dunce"
+version = "1.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813"
+
 [[package]]
 name = "either"
 version = "1.15.0"
@@ -655,21 +702,6 @@ version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
 
-[[package]]
-name = "foreign-types"
-version = "0.3.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
-dependencies = [
- "foreign-types-shared",
-]
-
-[[package]]
-name = "foreign-types-shared"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
-
 [[package]]
 name = "form_urlencoded"
 version = "1.2.1"
@@ -679,6 +711,12 @@ dependencies = [
  "percent-encoding",
 ]
 
+[[package]]
+name = "fs_extra"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c"
+
 [[package]]
 name = "futures"
 version = "0.3.31"
@@ -806,8 +844,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7"
 dependencies = [
  "cfg-if",
+ "js-sys",
  "libc",
  "wasi 0.11.0+wasi-snapshot-preview1",
+ "wasm-bindgen",
 ]
 
 [[package]]
@@ -817,8 +857,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "43a49c392881ce6d5c3b8cb70f98717b7c07aabbdff06687b9030dbfbe2725f8"
 dependencies = [
  "cfg-if",
+ "js-sys",
  "libc",
  "wasi 0.13.3+wasi-0.2.2",
+ "wasm-bindgen",
  "windows-targets 0.52.6",
 ]
 
@@ -834,25 +876,6 @@ version = "0.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a8d1add55171497b4705a648c6b583acafb01d58050a51727785f0b2c8e0a2b2"
 
-[[package]]
-name = "h2"
-version = "0.4.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ccae279728d634d083c00f6099cb58f01cc99c145b84b8be2f6c74618d79922e"
-dependencies = [
- "atomic-waker",
- "bytes",
- "fnv",
- "futures-core",
- "futures-sink",
- "http",
- "indexmap",
- "slab",
- "tokio",
- "tokio-util",
- "tracing",
-]
-
 [[package]]
 name = "hashbrown"
 version = "0.15.2"
@@ -944,7 +967,6 @@ dependencies = [
  "bytes",
  "futures-channel",
  "futures-util",
- "h2",
  "http",
  "http-body",
  "httparse",
@@ -970,22 +992,7 @@ dependencies = [
  "tokio",
  "tokio-rustls",
  "tower-service",
-]
+ "webpki-roots",
-
-[[package]]
-name = "hyper-tls"
-version = "0.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "70206fc6890eaca9fde8a0bf71caa2ddfc9fe045ac9e5c70df101a7dbde866e0"
-dependencies = [
- "bytes",
- "http-body-util",
- "hyper",
- "hyper-util",
- "native-tls",
- "tokio",
- "tokio-native-tls",
- "tower-service",
 ]
 
 [[package]]
@@ -1140,16 +1147,16 @@ dependencies = [
  "json",
  "log",
  "ns-keyed-archive",
- "openssl",
  "plist",
  "rand 0.9.0",
  "reqwest",
+ "rustls",
  "serde",
  "serde_json",
  "sha2",
  "thiserror",
  "tokio",
- "tokio-openssl",
+ "tokio-rustls",
  "tun-rs 2.0.8",
  "uuid",
 ]
@@ -1163,7 +1170,6 @@ dependencies = [
  "libc",
  "log",
  "once_cell",
- "openssl-sys",
  "plist",
  "plist_plus",
  "simplelog",
@@ -1230,6 +1236,15 @@ version = "1.70.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf"
 
+[[package]]
+name = "itertools"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba291022dbbd398a455acf126c1e341954079855bc60dfdda641363bd6922569"
+dependencies = [
+ "either",
+]
+
 [[package]]
 name = "itoa"
 version = "1.0.14"
@@ -1260,6 +1275,15 @@ dependencies = [
  "syn 2.0.100",
 ]
 
+[[package]]
+name = "jobserver"
+version = "0.1.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "48d1dbcbbeb6a7fec7e059840aa538bd62aaccf972c7346c4d9d2059312853d0"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "js-sys"
 version = "0.3.77"
@@ -1395,23 +1419,6 @@ dependencies = [
  "windows-sys 0.52.0",
 ]
 
-[[package]]
-name = "native-tls"
-version = "0.2.13"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0dab59f8e050d5df8e4dd87d9206fb6f65a483e20ac9fda365ade4fab353196c"
-dependencies = [
- "libc",
- "log",
- "openssl",
- "openssl-probe",
- "openssl-sys",
- "schannel",
- "security-framework",
- "security-framework-sys",
- "tempfile",
-]
-
 [[package]]
 name = "nix"
 version = "0.28.0"
@@ -1507,60 +1514,6 @@ version = "1.21.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d75b0bedcc4fe52caa0e03d9f1151a323e4aa5e2d78ba3580400cd3c9e2bc4bc"
 
-[[package]]
-name = "openssl"
-version = "0.10.69"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f5e534d133a060a3c19daec1eb3e98ec6f4685978834f2dbadfe2ec215bab64e"
-dependencies = [
- "bitflags 2.8.0",
- "cfg-if",
- "foreign-types",
- "libc",
- "once_cell",
- "openssl-macros",
- "openssl-sys",
-]
-
-[[package]]
-name = "openssl-macros"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.100",
-]
-
-[[package]]
-name = "openssl-probe"
-version = "0.1.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e"
-
-[[package]]
-name = "openssl-src"
-version = "300.4.1+3.4.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "faa4eac4138c62414b5622d1b31c5c304f34b406b013c079c2bbc652fdd6678c"
-dependencies = [
- "cc",
-]
-
-[[package]]
-name = "openssl-sys"
-version = "0.9.104"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "45abf306cbf99debc8195b66b7346498d7b10c210de50418b5ccd7ceba08c741"
-dependencies = [
- "cc",
- "libc",
- "openssl-src",
- "pkg-config",
- "vcpkg",
-]
-
 [[package]]
 name = "parking"
 version = "2.2.1"
@@ -1625,12 +1578,6 @@ dependencies = [
  "futures-io",
 ]
 
-[[package]]
-name = "pkg-config"
-version = "0.3.31"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "953ec861398dccce10c670dfeaf3ec4911ca479e9c02154b3a215178c5f566f2"
-
 [[package]]
 name = "plist"
 version = "1.7.1"
@@ -1651,7 +1598,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "167429a361cacecf5cab907c235e620b3faf5f36b97d7f72c32907ccdca700cf"
 dependencies = [
  "autotools",
- "bindgen",
+ "bindgen 0.59.2",
  "cc",
  "libc",
  "log",
@@ -1688,6 +1635,16 @@ dependencies = [
  "zerocopy",
 ]
 
+[[package]]
+name = "prettyplease"
+version = "0.2.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5316f57387668042f561aae71480de936257848f9c43ce528e311d89a07cadeb"
+dependencies = [
+ "proc-macro2",
+ "syn 2.0.100",
+]
+
 [[package]]
 name = "proc-macro2"
 version = "1.0.93"
@@ -1706,6 +1663,60 @@ dependencies = [
  "memchr",
 ]
 
+[[package]]
+name = "quinn"
+version = "0.11.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c3bd15a6f2967aef83887dcb9fec0014580467e33720d073560cf015a5683012"
+dependencies = [
+ "bytes",
+ "cfg_aliases 0.2.1",
+ "pin-project-lite",
+ "quinn-proto",
+ "quinn-udp",
+ "rustc-hash 2.1.1",
+ "rustls",
+ "socket2",
+ "thiserror",
+ "tokio",
+ "tracing",
+ "web-time",
+]
+
+[[package]]
+name = "quinn-proto"
+version = "0.11.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b820744eb4dc9b57a3398183639c511b5a26d2ed702cedd3febaa1393caa22cc"
+dependencies = [
+ "bytes",
+ "getrandom 0.3.1",
+ "rand 0.9.0",
+ "ring",
+ "rustc-hash 2.1.1",
+ "rustls",
+ "rustls-pki-types",
+ "slab",
+ "thiserror",
+ "tinyvec",
+ "tracing",
+ "web-time",
+]
+
+[[package]]
+name = "quinn-udp"
+version = "0.5.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "541d0f57c6ec747a90738a52741d3221f7960e8ac2f0ff4b1a63680e033b4ab5"
+dependencies = [
+ "cfg_aliases 0.2.1",
+ "libc",
+ "once_cell",
+ "socket2",
+ "tracing",
+ "windows-sys 0.52.0",
+]
+
 [[package]]
 name = "quote"
 version = "1.0.38"
@@ -1821,39 +1832,38 @@ checksum = "43e734407157c3c2034e0258f5e4473ddb361b1e85f95a66690d67264d7cd1da"
 dependencies = [
  "base64",
  "bytes",
- "encoding_rs",
  "futures-core",
  "futures-util",
- "h2",
  "http",
  "http-body",
  "http-body-util",
  "hyper",
  "hyper-rustls",
- "hyper-tls",
  "hyper-util",
  "ipnet",
  "js-sys",
  "log",
  "mime",
- "native-tls",
  "once_cell",
  "percent-encoding",
  "pin-project-lite",
+ "quinn",
+ "rustls",
  "rustls-pemfile",
+ "rustls-pki-types",
  "serde",
  "serde_json",
  "serde_urlencoded",
  "sync_wrapper",
- "system-configuration",
  "tokio",
- "tokio-native-tls",
+ "tokio-rustls",
  "tower",
  "tower-service",
  "url",
  "wasm-bindgen",
  "wasm-bindgen-futures",
  "web-sys",
+ "webpki-roots",
  "windows-registry",
 ]
 
@@ -1884,6 +1894,12 @@ version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2"
 
+[[package]]
+name = "rustc-hash"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d"
+
 [[package]]
 name = "rustix"
 version = "0.38.44"
@@ -1903,6 +1919,7 @@ version = "0.23.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8f287924602bf649d949c63dc8ac8b235fa5387d394020705b80c4eb597ce5b8"
 dependencies = [
+ "aws-lc-rs",
  "log",
  "once_cell",
  "ring",
@@ -1926,6 +1943,9 @@ name = "rustls-pki-types"
 version = "1.10.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d2bf47e6ff922db3825eb750c4e2ff784c6ff8fb9e13046ef6a1d1c5401b0b37"
+dependencies = [
+ "web-time",
+]
 
 [[package]]
 name = "rustls-webpki"
@@ -1933,6 +1953,7 @@ version = "0.102.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "64ca1bc8749bd4cf37b5ce386cc146580777b4e8572c7b97baf22c83f444bee9"
 dependencies = [
+ "aws-lc-rs",
  "ring",
  "rustls-pki-types",
  "untrusted",
@@ -1950,44 +1971,12 @@ version = "1.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f"
 
-[[package]]
-name = "schannel"
-version = "0.1.27"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1f29ebaa345f945cec9fbbc532eb307f0fdad8161f281b6369539c8d84876b3d"
-dependencies = [
- "windows-sys 0.59.0",
-]
-
 [[package]]
 name = "scopeguard"
 version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
 
-[[package]]
-name = "security-framework"
-version = "2.11.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02"
-dependencies = [
- "bitflags 2.8.0",
- "core-foundation",
- "core-foundation-sys",
- "libc",
- "security-framework-sys",
-]
-
-[[package]]
-name = "security-framework-sys"
-version = "2.14.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "49db231d56a190491cb4aeda9527f1ad45345af50b0851622a7adb8c03b01c32"
-dependencies = [
- "core-foundation-sys",
- "libc",
-]
-
 [[package]]
 name = "serde"
 version = "1.0.217"
@@ -2175,27 +2164,6 @@ dependencies = [
  "syn 2.0.100",
 ]
 
-[[package]]
-name = "system-configuration"
-version = "0.6.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3c879d448e9d986b661742763247d3693ed13609438cf3d006f51f5368a5ba6b"
-dependencies = [
- "bitflags 2.8.0",
- "core-foundation",
- "system-configuration-sys",
-]
-
-[[package]]
-name = "system-configuration-sys"
-version = "0.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8e1d1b10ced5ca923a1fcb8d03e96b8d3268065d724548c0211415ff6ac6bac4"
-dependencies = [
- "core-foundation-sys",
- "libc",
-]
-
 [[package]]
 name = "tempfile"
 version = "3.16.0"
@@ -2291,6 +2259,21 @@ dependencies = [
  "zerovec",
 ]
 
+[[package]]
+name = "tinyvec"
+version = "1.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09b3661f17e86524eccd4371ab0429194e0d7c008abb45f7a7495b1719463c71"
+dependencies = [
+ "tinyvec_macros",
+]
+
+[[package]]
+name = "tinyvec_macros"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
+
 [[package]]
 name = "tokio"
 version = "1.44.1"
@@ -2320,27 +2303,6 @@ dependencies = [
  "syn 2.0.100",
 ]
 
-[[package]]
-name = "tokio-native-tls"
-version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2"
-dependencies = [
- "native-tls",
- "tokio",
-]
-
-[[package]]
-name = "tokio-openssl"
-version = "0.6.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "59df6849caa43bb7567f9a36f863c447d95a11d5903c9cc334ba32576a27eadd"
-dependencies = [
- "openssl",
- "openssl-sys",
- "tokio",
-]
-
 [[package]]
 name = "tokio-rustls"
 version = "0.26.1"
@@ -2351,19 +2313,6 @@ dependencies = [
  "tokio",
 ]
 
-[[package]]
-name = "tokio-util"
-version = "0.7.13"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d7fcaa8d55a2bdd6b83ace262b016eca0d79ee02818c5c1bcdf0305114081078"
-dependencies = [
- "bytes",
- "futures-core",
- "futures-sink",
- "pin-project-lite",
- "tokio",
-]
-
 [[package]]
 name = "toml"
 version = "0.8.20"
@@ -2610,12 +2559,6 @@ dependencies = [
  "serde",
 ]
 
-[[package]]
-name = "vcpkg"
-version = "0.2.15"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
-
 [[package]]
 name = "vec_map"
 version = "0.8.2"
@@ -2733,6 +2676,16 @@ dependencies = [
  "wasm-bindgen",
 ]
 
+[[package]]
+name = "web-time"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a6580f308b1fad9207618087a65c04e7a10bc77e02c8e84e9b00dd4b12fa0bb"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
 [[package]]
 name = "webpki-roots"
 version = "0.26.7"

ffi/Cargo.toml

@@ -11,7 +11,6 @@ simplelog = "0.12.2"
 once_cell = "1.21.1"
 tokio = { version = "1.44.1", features = ["full"] }
 libc = "0.2.171"
-openssl-sys = { version = "0.9", features = ["vendored"] }
 plist = "1.7.1"
 plist_plus = { version = "0.2.6", features = ["dynamic"] }
 

ffi/src/errors.rs

@@ -7,8 +7,8 @@ pub enum IdeviceErrorCode {
     IdeviceSuccess = 0,
     // Main library
     Socket = -1,
-    Ssl = -2,
+    Tls = -2,
-    SslSetup = -3,
+    TlsBuilderFailed = -3,
     Plist = -4,
     Utf8 = -5,
     UnexpectedResponse = -6,
@@ -55,8 +55,8 @@ impl From<IdeviceError> for IdeviceErrorCode {
     fn from(err: IdeviceError) -> Self {
         match err {
             IdeviceError::Socket(_) => IdeviceErrorCode::Socket,
-            IdeviceError::Ssl(_) => IdeviceErrorCode::Ssl,
+            IdeviceError::Rustls(_) => IdeviceErrorCode::Tls,
-            IdeviceError::SslSetup(_) => IdeviceErrorCode::SslSetup,
+            IdeviceError::TlsBuilderFailed(_) => IdeviceErrorCode::TlsBuilderFailed,
             IdeviceError::Plist(_) => IdeviceErrorCode::Plist,
             IdeviceError::Utf8(_) => IdeviceErrorCode::Utf8,
             IdeviceError::UnexpectedResponse => IdeviceErrorCode::UnexpectedResponse,

idevice/Cargo.toml

@@ -12,7 +12,8 @@ keywords = ["lockdownd", "ios"]
 
 [dependencies]
 tokio = { version = "1.43", features = ["io-util"] }
-tokio-openssl = { version = "0.6" }
+tokio-rustls = "0.26"
+rustls = "0.23"
 
 plist = { version = "1.7" }
 serde = { version = "1", features = ["derive"] }
@@ -32,7 +33,10 @@ serde_json = { version = "1", optional = true }
 json = { version = "0.12", optional = true }
 byteorder = { version = "1.5", optional = true }
 
-reqwest = { version = "0.12", features = ["json"], optional = true }
+reqwest = { version = "0.12", features = [
+  "json",
+  "rustls-tls",
+], optional = true, default-features = false }
 rand = { version = "0.9", optional = true }
 futures = { version = "0.3", optional = true }
 
@@ -85,10 +89,3 @@ full = [
   "tunneld",
   "sbservices",
 ]
-
-# Why: https://github.com/rust-lang/cargo/issues/1197
-[target.'cfg(windows)'.dependencies]
-openssl = { version = "0.10", features = ["vendored"] }
-
-[target.'cfg(not(windows))'.dependencies]
-openssl = { version = "0.10" }

idevice/src/lib.rs

@@ -23,6 +23,7 @@ pub mod pairing_file;
 pub mod provider;
 #[cfg(feature = "sbservices")]
 pub mod sbservices;
+mod sni;
 #[cfg(feature = "tunnel_tcp_stack")]
 pub mod tcp;
 #[cfg(feature = "tss")]
@@ -36,9 +37,12 @@ mod util;
 pub mod xpc;
 
 use log::{debug, error, trace};
-use openssl::ssl::{SslConnector, SslMethod, SslVerifyMode};
 use provider::IdeviceProvider;
-use std::io::{self, BufWriter};
+use rustls::{crypto::CryptoProvider, pki_types::ServerName};
+use std::{
+    io::{self, BufWriter},
+    sync::Arc,
+};
 use thiserror::Error;
 use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite, AsyncWriteExt};
 
@@ -213,24 +217,18 @@ impl Idevice {
         &mut self,
         pairing_file: &pairing_file::PairingFile,
     ) -> Result<(), IdeviceError> {
-        let connector = SslConnector::builder(SslMethod::tls()).unwrap();
+        if CryptoProvider::get_default().is_none() {
-
+            CryptoProvider::install_default(rustls::crypto::aws_lc_rs::default_provider()).unwrap();
-        let mut connector = connector
+        }
-            .build()
+        let config = sni::create_client_config(pairing_file)?;
-            .configure()
+        let connector = tokio_rustls::TlsConnector::from(Arc::new(config));
-            .unwrap()
-            .into_ssl("ur mom")
-            .unwrap();
-
-        connector.set_certificate(&pairing_file.host_certificate)?;
-        connector.set_private_key(&pairing_file.host_private_key)?;
-        connector.set_verify(SslVerifyMode::empty());
 
         let socket = self.socket.take().unwrap();
+        let socket = connector
+            .connect(ServerName::try_from("iOS").unwrap(), socket)
+            .await?;
 
-        let mut ssl_stream = tokio_openssl::SslStream::new(connector, socket)?;
+        self.socket = Some(Box::new(socket));
-        std::pin::Pin::new(&mut ssl_stream).connect().await?;
-        self.socket = Some(Box::new(ssl_stream));
 
         Ok(())
     }
@@ -241,10 +239,12 @@ impl Idevice {
 pub enum IdeviceError {
     #[error("device socket io failed")]
     Socket(#[from] io::Error),
-    #[error("ssl io failed")]
+    #[error("PEM parse failed")]
-    Ssl(#[from] openssl::ssl::Error),
+    PemParseFailed(#[from] rustls::pki_types::pem::Error),
-    #[error("ssl failed to setup")]
+    #[error("TLS error")]
-    SslSetup(#[from] openssl::error::ErrorStack),
+    Rustls(#[from] rustls::Error),
+    #[error("TLS verifiction build failed")]
+    TlsBuilderFailed(#[from] rustls::server::VerifierBuilderError),
     #[error("io on plist")]
     Plist(#[from] plist::Error),
     #[error("can't convert bytes to utf8")]

idevice/src/mounter.rs

@@ -1,7 +1,6 @@
 // Jackson Coxson
 
 use log::debug;
-use openssl::sha::Sha384;
 
 use crate::{lockdownd::LockdowndClient, Idevice, IdeviceError, IdeviceService};
 
@@ -364,9 +363,10 @@ impl ImageMounter {
         S: Clone,
     {
         // Try to fetch personalization manifest
+        use sha2::{Digest, Sha384};
         let mut hasher = Sha384::new();
         hasher.update(&image);
-        let image_hash = hasher.finish();
+        let image_hash = hasher.finalize();
         let manifest = match self
             .query_personalization_manifest("DeveloperDiskImage", image_hash.to_vec())
             .await

idevice/src/pairing_file.rs

@@ -3,20 +3,17 @@
 use std::path::Path;
 
 use log::warn;
-use openssl::{
-    pkey::{PKey, Private},
-    x509::X509,
-};
 use plist::Data;
+use rustls::pki_types::{pem::PemObject, CertificateDer};
 use serde::{Deserialize, Serialize};
 
 #[derive(Clone, Debug)]
 pub struct PairingFile {
-    pub device_certificate: X509,
+    pub device_certificate: CertificateDer<'static>,
-    pub host_private_key: PKey<Private>,
+    pub host_private_key: Vec<u8>, // the private key doesn't implement clone...
-    pub host_certificate: X509,
+    pub host_certificate: CertificateDer<'static>,
-    pub root_private_key: PKey<Private>,
+    pub root_private_key: Vec<u8>,
-    pub root_certificate: X509,
+    pub root_certificate: CertificateDer<'static>,
     pub system_buid: String,
     pub host_id: String,
     pub escrow_bag: Vec<u8>,
@@ -74,7 +71,7 @@ impl PairingFile {
     }
 
     pub fn serialize(self) -> Result<Vec<u8>, crate::IdeviceError> {
-        let raw = RawPairingFile::try_from(self)?;
+        let raw = RawPairingFile::from(self);
 
         let mut buf = Vec::new();
         plist::to_writer_xml(&mut buf, &raw)?;
@@ -83,19 +80,21 @@ impl PairingFile {
 }
 
 impl TryFrom<RawPairingFile> for PairingFile {
-    type Error = openssl::error::ErrorStack;
+    type Error = rustls::pki_types::pem::Error;
 
     fn try_from(value: RawPairingFile) -> Result<Self, Self::Error> {
         Ok(Self {
-            device_certificate: X509::from_pem(&Into::<Vec<u8>>::into(value.device_certificate))?,
+            device_certificate: CertificateDer::from_pem_slice(&Into::<Vec<u8>>::into(
-            host_private_key: PKey::private_key_from_pem(&Into::<Vec<u8>>::into(
+                value.device_certificate,
-                value.host_private_key,
             ))?,
-            host_certificate: X509::from_pem(&Into::<Vec<u8>>::into(value.host_certificate))?,
+            host_private_key: Into::<Vec<u8>>::into(value.host_private_key),
-            root_private_key: PKey::private_key_from_pem(&Into::<Vec<u8>>::into(
+            host_certificate: CertificateDer::from_pem_slice(&Into::<Vec<u8>>::into(
-                value.root_private_key,
+                value.host_certificate,
+            ))?,
+            root_private_key: Into::<Vec<u8>>::into(value.root_private_key),
+            root_certificate: CertificateDer::from_pem_slice(&Into::<Vec<u8>>::into(
+                value.root_certificate,
             ))?,
-            root_certificate: X509::from_pem(&Into::<Vec<u8>>::into(value.root_certificate))?,
             system_buid: value.system_buid,
             host_id: value.host_id,
             escrow_bag: value.escrow_bag.into(),
@@ -105,22 +104,20 @@ impl TryFrom<RawPairingFile> for PairingFile {
     }
 }
 
-impl TryFrom<PairingFile> for RawPairingFile {
+impl From<PairingFile> for RawPairingFile {
-    type Error = openssl::error::ErrorStack;
+    fn from(value: PairingFile) -> Self {
-
+        Self {
-    fn try_from(value: PairingFile) -> Result<Self, Self::Error> {
+            device_certificate: Data::new(value.device_certificate.to_vec()),
-        Ok(Self {
+            host_private_key: Data::new(value.host_private_key),
-            device_certificate: Data::new(value.device_certificate.to_pem()?),
+            host_certificate: Data::new(value.host_certificate.to_vec()),
-            host_private_key: Data::new(value.host_private_key.private_key_to_pem_pkcs8()?),
+            root_private_key: Data::new(value.root_private_key),
-            host_certificate: Data::new(value.host_certificate.to_pem()?),
+            root_certificate: Data::new(value.root_certificate.to_vec()),
-            root_private_key: Data::new(value.root_private_key.private_key_to_pem_pkcs8()?),
-            root_certificate: Data::new(value.root_certificate.to_pem()?),
             system_buid: value.system_buid,
             host_id: value.host_id.clone(),
             escrow_bag: Data::new(value.escrow_bag),
             wifi_mac_address: value.wifi_mac_address,
             udid: value.udid,
-        })
+        }
     }
 }
 

idevice/src/sni.rs

@@ -0,0 +1,82 @@
+// Jackson Coxson
+// https://gist.github.com/doroved/2c92ddd5e33f257f901c763b728d1b61
+//
+// Why:
+// https://github.com/rustls/rustls/issues/578
+// We aren't in control of the certs served.
+// Assuming that there's no use for unchecked certs is naive.
+
+use rustls::{
+    client::{
+        danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
+        WebPkiServerVerifier,
+    },
+    pki_types::{pem::PemObject, CertificateDer, PrivateKeyDer, ServerName, UnixTime},
+    ClientConfig, DigitallySignedStruct,
+};
+use std::sync::Arc;
+
+use crate::{pairing_file::PairingFile, IdeviceError};
+
+#[derive(Debug)]
+pub struct NoServerNameVerification {
+    inner: Arc<WebPkiServerVerifier>,
+}
+
+impl NoServerNameVerification {
+    pub fn new(inner: Arc<WebPkiServerVerifier>) -> Self {
+        Self { inner }
+    }
+}
+
+impl ServerCertVerifier for NoServerNameVerification {
+    fn verify_server_cert(
+        &self,
+        _end_entity: &CertificateDer<'_>,
+        _intermediates: &[CertificateDer<'_>],
+        _server_name: &ServerName<'_>,
+        _ocsp: &[u8],
+        _now: UnixTime,
+    ) -> Result<ServerCertVerified, rustls::Error> {
+        Ok(ServerCertVerified::assertion())
+    }
+
+    fn verify_tls12_signature(
+        &self,
+        _message: &[u8],
+        _cert: &CertificateDer<'_>,
+        _dss: &DigitallySignedStruct,
+    ) -> Result<HandshakeSignatureValid, rustls::Error> {
+        Ok(HandshakeSignatureValid::assertion())
+    }
+
+    fn verify_tls13_signature(
+        &self,
+        _message: &[u8],
+        _cert: &CertificateDer<'_>,
+        _dss: &DigitallySignedStruct,
+    ) -> Result<HandshakeSignatureValid, rustls::Error> {
+        Ok(HandshakeSignatureValid::assertion())
+    }
+
+    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
+        self.inner.supported_verify_schemes()
+    }
+}
+
+pub fn create_client_config(pairing_file: &PairingFile) -> Result<ClientConfig, IdeviceError> {
+    let mut root_store = rustls::RootCertStore::empty();
+    root_store.add(pairing_file.root_certificate.clone())?;
+    let private_key = PrivateKeyDer::from_pem_slice(&pairing_file.host_private_key)?;
+
+    let mut config = ClientConfig::builder()
+        .with_root_certificates(root_store.clone())
+        .with_client_auth_cert(vec![pairing_file.host_certificate.clone()], private_key)
+        .unwrap();
+
+    let inner = rustls::client::WebPkiServerVerifier::builder(Arc::new(root_store)).build()?;
+    let verifier = Arc::new(NoServerNameVerification::new(inner));
+    config.dangerous().set_certificate_verifier(verifier);
+
+    Ok(config)
+}