//
// Copyright (c) 2017 Open Whisper Systems. All rights reserved.
//
#import "OWSIdentityManager.h"
#import "NotificationsProtocol.h"
#import "OWSMessageSender.h"
#import "OWSRecipientIdentity.h"
#import "TextSecureKitEnv.h"
#import "TSAccountManager.h"
#import "TSContactThread.h"
#import "TSErrorMessage.h"
#import "TSGroupThread.h"
#import "TSStorageManager.h"
#import <25519/Curve25519.h>
NS_ASSUME_NONNULL_BEGIN
// Storing our own identity key.
// Key and collection under which the local Curve25519 identity key pair is kept in
// TSStorageManager (see -generateNewIdentityKey / -identityKeyPair below).
NSString *const TSStorageManagerIdentityKeyStoreIdentityKey = @"TSStorageManagerIdentityKeyStoreIdentityKey";
NSString *const TSStorageManagerIdentityKeyStoreCollection = @"TSStorageManagerIdentityKeyStoreCollection";

// Storing recipients' identity keys.
// Legacy collection: no longer consulted for trust decisions, but still written by
// -saveRemoteIdentity:recipientId: so older builds stay consistent with the new store.
NSString *const TSStorageManagerTrustedKeysCollection = @"TSStorageManagerTrustedKeysCollection";

// Don't trust an identity for sending to unless it has been around for at least this long.
// A recipient identity in the Default verification state is rejected for outgoing messages
// while its createdAt is within this window (see -isTrustedKey:forSendingToIdentity:).
const NSTimeInterval kIdentityKeyStoreNonBlockingSecondsThreshold = 5.0;

// Posted on the main queue (object and userInfo are nil) whenever a recipient identity is
// created, replaced, or has its verification state changed.
NSString *const kNSNotificationName_IdentityStateDidChange = @"kNSNotificationName_IdentityStateDidChange";
@interface OWSIdentityManager ()

// Backing store for the local identity key pair and the legacy trusted-keys collection.
@property (nonatomic, readonly) TSStorageManager *storageManager;
// Injected collaborator; retained by the designated initializer but not used by any method in this file.
@property (nonatomic, readonly) OWSMessageSender *messageSender;

@end
#pragma mark -
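@implementation OWSIdentityManager

#pragma mark - Lifecycle

/// Process-wide instance, created lazily via -initDefault on first access.
+ (instancetype)sharedManager
{
    static OWSIdentityManager *sharedInstance = nil;
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        sharedInstance = [[self alloc] initDefault];
    });
    return sharedInstance;
}

/// Convenience initializer: wires the shared storage manager and the environment's
/// message sender into the designated initializer.
- (instancetype)initDefault
{
    TSStorageManager *storage = [TSStorageManager sharedManager];
    OWSMessageSender *sender = [TextSecureKitEnv sharedEnv].messageSender;
    return [self initWithStorageManager:storage messageSender:sender];
}

/// Designated initializer.
/// @param storageManager Store for the local identity key pair and the legacy trusted-keys collection.
/// @param messageSender Retained for collaborators; no method in this file sends through it.
- (instancetype)initWithStorageManager:(TSStorageManager *)storageManager
                         messageSender:(OWSMessageSender *)messageSender
{
    self = [super init];
    if (!self) {
        return self;
    }

    OWSAssert(storageManager);
    OWSAssert(messageSender);

    _storageManager = storageManager;
    _messageSender = messageSender;

    // This type is expected to be instantiated once per process.
    OWSSingletonAssert();

    return self;
}

#pragma mark - Local identity

/// Generates a fresh Curve25519 key pair and stores it as the local identity key,
/// overwriting whatever was stored before.
- (void)generateNewIdentityKey
{
    [self.storageManager setObject:[Curve25519 generateKeyPair]
                            forKey:TSStorageManagerIdentityKeyStoreIdentityKey
                      inCollection:TSStorageManagerIdentityKeyStoreCollection];
}

/// The local identity key pair, or nil when none is stored (presumably before
/// -generateNewIdentityKey has ever run).
- (nullable ECKeyPair *)identityKeyPair
{
    return [self.storageManager keyPairForKey:TSStorageManagerIdentityKeyStoreIdentityKey
                                 inCollection:TSStorageManagerIdentityKeyStoreCollection];
}

/// This device's registration id, generated on first use by TSAccountManager.
- (int)localRegistrationId
{
    return (int)[TSAccountManager getOrGenerateRegistrationId];
}

#pragma mark - Recipient identities

/// The identity key currently on record for recipientId, or nil if none is known.
- (nullable NSData *)identityKeyForRecipientId:(NSString *)recipientId
{
    @synchronized(self)
    {
        OWSRecipientIdentity *_Nullable identity = [OWSRecipientIdentity fetchObjectWithUniqueID:recipientId];
        return identity.identityKey;
    }
}

/// Whether the identity currently on record for recipientId may be used for outgoing messages.
/// Delegates to -isTrustedIdentityKey:recipientId:direction: with the stored key and
/// TSMessageDirectionOutgoing. When nothing is on record the stored key is nil, which trips
/// OWSAssert(identityKey != nil) in the callee — NOTE(review): confirm what callers expect
/// for a recipient with no identity yet.
- (BOOL)isCurrentIdentityTrustedForSendingToRecipientId:(NSString *)recipientId
{
    OWSAssert(recipientId.length > 0);

    @synchronized(self)
    {
        OWSRecipientIdentity *_Nullable currentIdentity = [OWSRecipientIdentity fetchObjectWithUniqueID:recipientId];
        return [self isTrustedIdentityKey:currentIdentity.identityKey
                              recipientId:recipientId
                                direction:TSMessageDirectionOutgoing];
    }
}

/// Records identityKey as the current identity for recipientId.
/// @param identityKey The recipient's public identity key.
/// @param recipientId The recipient the key belongs to.
/// @return YES if a different key was already on record and has now been replaced (an identity
///         change); NO if the key is new for this recipient or unchanged.
///
/// Side effects: a first-seen identity is saved in the Default verification state. On a key
/// change the verification state is downgraded (Verified -> NoLongerVerified, which blocks
/// sending until the user re-verifies), an identity-change info message is created in the
/// contact thread and every group thread with this recipient, and the state-change
/// notification is posted.
- (BOOL)saveRemoteIdentity:(NSData *)identityKey recipientId:(NSString *)recipientId
{
    OWSAssert(identityKey != nil);
    OWSAssert(recipientId != nil);

    @synchronized(self)
    {
        // Deprecated. We actually no longer use the TSStorageManagerTrustedKeysCollection for trust
        // decisions, but it's desirable to try to keep it up to date with our trusted identities
        // while we're switching between versions, e.g. so we don't get into a state where we have a
        // session for an identity not in our key store.
        [self.storageManager setObject:identityKey
                                forKey:recipientId
                          inCollection:TSStorageManagerTrustedKeysCollection];

        OWSRecipientIdentity *_Nullable existingIdentity =
            [OWSRecipientIdentity fetchObjectWithUniqueID:recipientId];

        if (existingIdentity == nil) {
            DDLogInfo(@"%@ saving first use identity for recipient: %@", self.tag, recipientId);
            [[[OWSRecipientIdentity alloc] initWithRecipientId:recipientId
                                                   identityKey:identityKey
                                               isFirstKnownKey:YES
                                                     createdAt:[NSDate date]
                                             verificationState:OWSVerificationStateDefault] save];
            [self fireIdentityStateChangeNotification];
            return NO;
        }

        if ([existingIdentity.identityKey isEqual:identityKey]) {
            DDLogDebug(@"%@ no changes for identity saved for recipient: %@", self.tag, recipientId);
            return NO;
        }

        // Key change. Decide the verification state of the replacement record from the old one.
        OWSVerificationState verificationState;
        switch (existingIdentity.verificationState) {
            case OWSVerificationStateDefault:
                verificationState = OWSVerificationStateDefault;
                break;
            case OWSVerificationStateVerified:
            case OWSVerificationStateNoLongerVerified:
                verificationState = OWSVerificationStateNoLongerVerified;
                break;
            default:
                // Unrecognized stored state (e.g. written by a newer build). Previously this left
                // verificationState uninitialized. Fail closed: treat it like a verified contact
                // whose key changed, so sending requires explicit user action.
                DDLogError(@"%@ unexpected verification state: %ld for recipient: %@",
                    self.tag,
                    (long)existingIdentity.verificationState,
                    recipientId);
                OWSAssert(NO);
                verificationState = OWSVerificationStateNoLongerVerified;
                break;
        }

        DDLogInfo(@"%@ replacing identity for existing recipient: %@ (%@ -> %@)",
            self.tag,
            recipientId,
            OWSVerificationStateToString(existingIdentity.verificationState),
            OWSVerificationStateToString(verificationState));
        [self createIdentityChangeInfoMessageForRecipientId:recipientId];

        [[[OWSRecipientIdentity alloc] initWithRecipientId:recipientId
                                               identityKey:identityKey
                                           isFirstKnownKey:NO
                                                 createdAt:[NSDate date]
                                         verificationState:verificationState] save];
        [self fireIdentityStateChangeNotification];
        return YES;
    }
}

/// Sets the verification state of recipientId's identity, first making sure an identity record
/// exists for identityKey (we may be learning about the key for the first time).
/// @param sendSyncMessage Accepted but unused here — NOTE(review): nothing in this file sends a
///        sync message; confirm whether a caller or a follow-up change is responsible.
///
/// Posts the state-change notification only when the state actually changed.
- (void)setVerificationState:(OWSVerificationState)verificationState
                 identityKey:(NSData *)identityKey
                 recipientId:(NSString *)recipientId
             sendSyncMessage:(BOOL)sendSyncMessage
{
    OWSAssert(identityKey.length > 0);
    OWSAssert(recipientId.length > 0);

    @synchronized(self)
    {
        // Ensure a remote identity exists for this key. We may be learning about
        // it for the first time. (@synchronized is reentrant, so the nested lock is fine.)
        [self saveRemoteIdentity:identityKey recipientId:recipientId];

        OWSRecipientIdentity *_Nullable identity = [OWSRecipientIdentity fetchObjectWithUniqueID:recipientId];
        if (identity == nil) {
            OWSFail(@"Missing expected identity: %@", recipientId);
            return;
        }

        if (identity.verificationState == verificationState) {
            // No-op; returning here also skips the notification below.
            return;
        }

        DDLogInfo(@"%@ setVerificationState: %@ (%@ -> %@)",
            self.tag,
            recipientId,
            OWSVerificationStateToString(identity.verificationState),
            OWSVerificationStateToString(verificationState));

        [identity updateWithVerificationState:verificationState];
    }

    [self fireIdentityStateChangeNotification];
}

/// The verification state on record for recipientId; Default when no identity is known yet.
- (OWSVerificationState)verificationStateForRecipientId:(NSString *)recipientId
{
    OWSAssert(recipientId.length > 0);

    @synchronized(self)
    {
        OWSRecipientIdentity *_Nullable identity = [OWSRecipientIdentity fetchObjectWithUniqueID:recipientId];
        // We might not know the identity for this recipient yet.
        return identity ? identity.verificationState : OWSVerificationStateDefault;
    }
}

/// The identity on record for recipientId if, and only if, it is in the NoLongerVerified state;
/// nil otherwise (including when no identity is known).
- (nullable OWSRecipientIdentity *)noLongerVerifiedIdentityForRecipientId:(NSString *)recipientId
{
    OWSAssert(recipientId.length > 0);

    OWSRecipientIdentity *_Nullable identity = nil;
    @synchronized(self)
    {
        identity = [OWSRecipientIdentity fetchObjectWithUniqueID:recipientId];
    }

    if (identity == nil || identity.verificationState != OWSVerificationStateNoLongerVerified) {
        return nil;
    }
    return identity;
}

/// Posts kNSNotificationName_IdentityStateDidChange on the main queue, asynchronously so it is
/// never delivered while the caller still holds @synchronized(self).
- (void)fireIdentityStateChangeNotification
{
    dispatch_async(dispatch_get_main_queue(), ^{
        [[NSNotificationCenter defaultCenter] postNotificationName:kNSNotificationName_IdentityStateDidChange
                                                            object:nil
                                                          userInfo:nil];
    });
}

#pragma mark - Trust decisions

/// Central trust decision for a recipient identity key.
/// @param identityKey The key to evaluate.
/// @param recipientId The recipient the key claims to belong to.
/// @param direction Incoming: always trusted here. Outgoing: checked against the identity on
///        record via -isTrustedKey:forSendingToIdentity:.
/// @return YES if identityKey may be used for the given direction.
///
/// When recipientId is our own number the only acceptable key is our own public identity key,
/// regardless of direction.
- (BOOL)isTrustedIdentityKey:(NSData *)identityKey
                 recipientId:(NSString *)recipientId
                   direction:(TSMessageDirection)direction
{
    OWSAssert(identityKey != nil);
    OWSAssert(recipientId != nil);
    OWSAssert(direction != TSMessageDirectionUnknown);

    @synchronized(self)
    {
        if ([[[self class] localNumber] isEqualToString:recipientId]) {
            // If no local key pair is stored, localPublicKey is nil and the comparison fails closed.
            NSData *_Nullable localPublicKey = [self identityKeyPair].publicKey;
            if ([localPublicKey isEqualToData:identityKey]) {
                return YES;
            }
            DDLogError(@"%s Wrong identity: %@ for local key: %@", __PRETTY_FUNCTION__, identityKey, localPublicKey);
            OWSAssert(NO);
            return NO;
        }

        switch (direction) {
            case TSMessageDirectionIncoming:
                return YES;
            case TSMessageDirectionOutgoing: {
                OWSRecipientIdentity *_Nullable existingIdentity =
                    [OWSRecipientIdentity fetchObjectWithUniqueID:recipientId];
                return [self isTrustedKey:identityKey forSendingToIdentity:existingIdentity];
            }
            default:
                DDLogError(@"%s unexpected message direction: %ld", __PRETTY_FUNCTION__, (long)direction);
                OWSAssert(NO);
                return NO;
        }
    }
}

/// Trust decision for outgoing messages, given the identity on record (if any).
/// @param identityKey The key about to be used for sending.
/// @param recipientIdentity The stored identity, or nil if this recipient has never been seen.
/// @return YES if sending with identityKey is allowed:
///   - no record: YES (trust on first use)
///   - key differs from the record: NO
///   - Default state: NO while the record is younger than
///     kIdentityKeyStoreNonBlockingSecondsThreshold, YES afterwards
///   - Verified: YES
///   - NoLongerVerified: NO
///   - any other stored state: NO (fail closed)
- (BOOL)isTrustedKey:(NSData *)identityKey forSendingToIdentity:(nullable OWSRecipientIdentity *)recipientIdentity
{
    OWSAssert(identityKey != nil);

    @synchronized(self)
    {
        if (recipientIdentity == nil) {
            // recipientIdentity is nil in this branch, so there is no recipient id to log.
            DDLogDebug(@"%s Trusting on first use for unknown recipient", __PRETTY_FUNCTION__);
            return YES;
        }

        OWSAssert(recipientIdentity.identityKey != nil);
        if (![recipientIdentity.identityKey isEqualToData:identityKey]) {
            DDLogWarn(@"%s key mismatch for recipient: %@", __PRETTY_FUNCTION__, recipientIdentity.recipientId);
            return NO;
        }

        switch (recipientIdentity.verificationState) {
            case OWSVerificationStateDefault: {
                // fabs() means a createdAt slightly in the future also counts as "new".
                NSTimeInterval age = fabs([recipientIdentity.createdAt timeIntervalSinceNow]);
                if (age < kIdentityKeyStoreNonBlockingSecondsThreshold) {
                    DDLogWarn(@"%s not trusting new identity for recipient: %@",
                        __PRETTY_FUNCTION__,
                        recipientIdentity.recipientId);
                    return NO;
                }
                DDLogWarn(@"%s trusting existing identity for recipient: %@",
                    __PRETTY_FUNCTION__,
                    recipientIdentity.recipientId);
                return YES;
            }
            case OWSVerificationStateVerified:
                DDLogWarn(@"%s trusting verified identity for recipient: %@",
                    __PRETTY_FUNCTION__,
                    recipientIdentity.recipientId);
                return YES;
            case OWSVerificationStateNoLongerVerified:
                DDLogWarn(@"%s not trusting no longer verified identity for recipient: %@",
                    __PRETTY_FUNCTION__,
                    recipientIdentity.recipientId);
                return NO;
            default:
                // Previously an unrecognized stored state fell off the end of the function with
                // no return value. A trust decision must fail closed.
                DDLogError(@"%s unexpected verification state: %ld for recipient: %@",
                    __PRETTY_FUNCTION__,
                    (long)recipientIdentity.verificationState,
                    recipientIdentity.recipientId);
                OWSAssert(NO);
                return NO;
        }
    }
}

/// Records a non-blocking identity-change error message in the contact thread for recipientId
/// (and notifies the user about it), then in every group thread containing that recipient.
- (void)createIdentityChangeInfoMessageForRecipientId:(NSString *)recipientId
{
    OWSAssert(recipientId != nil);

    TSContactThread *contactThread = [TSContactThread getOrCreateThreadWithContactId:recipientId];
    OWSAssert(contactThread != nil);

    TSErrorMessage *contactMessage =
        [TSErrorMessage nonblockingIdentityChangeInThread:contactThread recipientId:recipientId];
    [contactMessage save];
    [[TextSecureKitEnv sharedEnv].notificationsManager notifyUserForErrorMessage:contactMessage
                                                                        inThread:contactThread];

    // Group threads only get the saved message; the user is notified once, above.
    for (TSGroupThread *groupThread in [TSGroupThread groupThreadsWithRecipientId:recipientId]) {
        TSErrorMessage *groupMessage =
            [TSErrorMessage nonblockingIdentityChangeInThread:groupThread recipientId:recipientId];
        [groupMessage save];
    }
}

#pragma mark - Logging

/// Log prefix of the form "[ClassName]".
+ (NSString *)tag
{
    return [NSString stringWithFormat:@"[%@]", self.class];
}

/// Instance convenience for +tag.
- (NSString *)tag
{
    return self.class.tag;
}

@end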
NS_ASSUME_NONNULL_END