Merge tag '2.18.0.9'
commit
e07a240ee5
|
@ -170,7 +170,7 @@ SPEC CHECKSUMS:
|
|||
PureLayout: 4d550abe49a94f24c2808b9b95db9131685fe4cd
|
||||
Reachability: 33e18b67625424e47b6cde6d202dce689ad7af96
|
||||
SAMKeychain: 483e1c9f32984d50ca961e26818a534283b4cd5c
|
||||
SignalServiceKit: bfac5572f3a1ff8a853ead9b5413274a075f3cb4
|
||||
SignalServiceKit: b84d80de0bfd5f863994a1ce1f5b742b91c46cb5
|
||||
SocketRocket: dbb1554b8fc288ef8ef370d6285aeca7361be31e
|
||||
SQLCipher: 43d12c0eb9c57fb438749618fc3ce0065509a559
|
||||
TwistedOakCollapsingFutures: f359b90f203e9ab13dfb92c9ff41842a7fe1cd0c
|
||||
|
|
|
@ -2040,6 +2040,12 @@
|
|||
"${PODS_ROOT}/SAMKeychain/Support/SAMKeychain.bundle",
|
||||
"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/textsecure.cer",
|
||||
"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GIAG2.crt",
|
||||
"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GSR2.crt",
|
||||
"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GSR4.crt",
|
||||
"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSR1.crt",
|
||||
"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSR2.crt",
|
||||
"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSR3.crt",
|
||||
"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSR4.crt",
|
||||
);
|
||||
name = "[CP] Copy Pods Resources";
|
||||
outputPaths = (
|
||||
|
|
|
@ -55,7 +55,7 @@
|
|||
</dict>
|
||||
</array>
|
||||
<key>CFBundleVersion</key>
|
||||
<string>2.18.0.7</string>
|
||||
<string>2.18.0.9</string>
|
||||
<key>ITSAppUsesNonExemptEncryption</key>
|
||||
<false/>
|
||||
<key>LOGS_EMAIL</key>
|
||||
|
|
|
@ -779,8 +779,8 @@ NS_ASSUME_NONNULL_BEGIN
|
|||
googleDomain:@"google.co.ug"
|
||||
countryCode:@"UG"],
|
||||
[OWSCountryMetadata countryMetadataWithName:@"United States"
|
||||
tld:@".us"
|
||||
googleDomain:@"google.us"
|
||||
tld:@".com"
|
||||
googleDomain:@"google.com"
|
||||
countryCode:@"US"],
|
||||
[OWSCountryMetadata countryMetadataWithName:@"Uruguay"
|
||||
tld:@".uy"
|
||||
|
|
|
@ -28,7 +28,14 @@ An Objective-C library for communicating with the Signal messaging service.
|
|||
s.source_files = 'SignalServiceKit/src/**/*.{h,m,mm}'
|
||||
|
||||
s.resources = ['SignalServiceKit/src/Security/PinningCertificate/textsecure.cer',
|
||||
'SignalServiceKit/src/Security/PinningCertificate/GIAG2.crt']
|
||||
'SignalServiceKit/src/Security/PinningCertificate/GIAG2.crt',
|
||||
'SignalServiceKit/src/Security/PinningCertificate/GSR2.crt',
|
||||
'SignalServiceKit/src/Security/PinningCertificate/GSR4.crt',
|
||||
'SignalServiceKit/src/Security/PinningCertificate/GTSR1.crt',
|
||||
'SignalServiceKit/src/Security/PinningCertificate/GTSR2.crt',
|
||||
'SignalServiceKit/src/Security/PinningCertificate/GTSR3.crt',
|
||||
'SignalServiceKit/src/Security/PinningCertificate/GTSR4.crt']
|
||||
|
||||
s.prefix_header_file = 'SignalServiceKit/src/TSPrefix.h'
|
||||
s.xcconfig = { 'OTHER_CFLAGS' => '$(inherited) -DSQLITE_HAS_CODEC' }
|
||||
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
#import "OWSSignalService.h"
|
||||
#import "NSNotificationCenter+OWS.h"
|
||||
#import "OWSCensorshipConfiguration.h"
|
||||
#import "OWSError.h"
|
||||
#import "OWSHTTPSecurityPolicy.h"
|
||||
#import "TSAccountManager.h"
|
||||
#import "TSConstants.h"
|
||||
|
@ -157,7 +158,7 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange =
|
|||
- (AFHTTPSessionManager *)signalServiceSessionManager
|
||||
{
|
||||
if (self.isCensorshipCircumventionActive) {
|
||||
DDLogInfo(@"%@ using reflector HTTPSessionManager", self.tag);
|
||||
DDLogInfo(@"%@ using reflector HTTPSessionManager via: %@", self.tag, self.domainFrontingBaseURL);
|
||||
return self.reflectorSignalServiceSessionManager;
|
||||
} else {
|
||||
return self.defaultSignalServiceSessionManager;
|
||||
|
@ -186,13 +187,18 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange =
|
|||
|
||||
// Target fronting domain
|
||||
OWSAssert(self.isCensorshipCircumventionActive);
|
||||
NSString *frontingHost = [self.censorshipConfiguration frontingHost:localNumber];
|
||||
if (self.isCensorshipCircumventionManuallyActivated && self.manualCensorshipCircumventionDomain.length > 0) {
|
||||
frontingHost = self.manualCensorshipCircumventionDomain;
|
||||
};
|
||||
NSURL *baseURL = [[NSURL alloc] initWithString:[self.censorshipConfiguration frontingHost:localNumber]];
|
||||
OWSAssert(baseURL);
|
||||
|
||||
NSURL *baseURL;
|
||||
|
||||
if (self.isCensorshipCircumventionManuallyActivated && self.manualCensorshipCircumventionDomain.length > 0) {
|
||||
baseURL = [[NSURL alloc] initWithString:[NSString stringWithFormat:@"https://%@", self.manualCensorshipCircumventionDomain]];
|
||||
}
|
||||
|
||||
if (baseURL == nil) {
|
||||
baseURL = [[NSURL alloc] initWithString:[self.censorshipConfiguration frontingHost:localNumber]];
|
||||
}
|
||||
|
||||
OWSAssert(baseURL);
|
||||
return baseURL;
|
||||
}
|
||||
|
||||
|
@ -217,7 +223,7 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange =
|
|||
- (AFHTTPSessionManager *)CDNSessionManager
|
||||
{
|
||||
if (self.isCensorshipCircumventionActive) {
|
||||
DDLogInfo(@"%@ using reflector CDNSessionManager", self.tag);
|
||||
DDLogInfo(@"%@ using reflector CDNSessionManager via: %@", self.tag, self.domainFrontingBaseURL);
|
||||
return self.reflectorCDNSessionManager;
|
||||
} else {
|
||||
return self.defaultCDNSessionManager;
|
||||
|
@ -259,35 +265,71 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange =
|
|||
|
||||
#pragma mark - Google Pinning Policy
|
||||
|
||||
+ (nullable NSData *)certificateDataWithName:(NSString *)name error:(NSError **)error
|
||||
{
|
||||
if (!name.length) {
|
||||
OWSFail(@"%@ expected name with length > 0", self.tag);
|
||||
*error = OWSErrorMakeAssertionError();
|
||||
return nil;
|
||||
}
|
||||
|
||||
NSString *path = [NSBundle.mainBundle pathForResource:name ofType:@"crt"];
|
||||
if (![[NSFileManager defaultManager] fileExistsAtPath:path]) {
|
||||
OWSFail(@"%@ Missing certificate for name: %@", self.tag, name);
|
||||
*error = OWSErrorMakeAssertionError();
|
||||
return nil;
|
||||
}
|
||||
|
||||
NSData *_Nullable certData = [NSData dataWithContentsOfFile:path options:0 error:error];
|
||||
|
||||
if (*error != nil) {
|
||||
OWSFail(@"%@ Failed to read cert file with path: %@", self.tag, path);
|
||||
return nil;
|
||||
}
|
||||
|
||||
if (certData.length == 0) {
|
||||
OWSFail(@"%@ empty certData for name: %@", self.tag, name);
|
||||
return nil;
|
||||
}
|
||||
|
||||
DDLogVerbose(@"%@ read cert data with name: %@ length: %lu", self.tag, name, (unsigned long)certData.length);
|
||||
return certData;
|
||||
}
|
||||
|
||||
/**
|
||||
* We use the Google Pinning Policy when connecting to our censorship circumventing reflector,
|
||||
* which is hosted on Google.
|
||||
*/
|
||||
+ (AFSecurityPolicy *)googlePinningPolicy {
|
||||
+ (AFSecurityPolicy *)googlePinningPolicy
|
||||
{
|
||||
static AFSecurityPolicy *securityPolicy = nil;
|
||||
static dispatch_once_t onceToken;
|
||||
dispatch_once(&onceToken, ^{
|
||||
NSError *error;
|
||||
NSString *path = [NSBundle.mainBundle pathForResource:@"GIAG2" ofType:@"crt"];
|
||||
|
||||
if (![[NSFileManager defaultManager] fileExistsAtPath:path]) {
|
||||
@throw [NSException
|
||||
exceptionWithName:@"Missing server certificate"
|
||||
reason:[NSString stringWithFormat:@"Missing signing certificate for service googlePinningPolicy"]
|
||||
userInfo:nil];
|
||||
}
|
||||
|
||||
NSData *googleCertData = [NSData dataWithContentsOfFile:path options:0 error:&error];
|
||||
if (!googleCertData) {
|
||||
NSMutableSet<NSData *> *certificates = [NSMutableSet new];
|
||||
|
||||
// GIAG2 cert plus root certs from pki.goog
|
||||
NSArray<NSString *> *certNames = @[ @"GIAG2", @"GSR2", @"GSR4", @"GTSR1", @"GTSR2", @"GTSR3", @"GTSR4" ];
|
||||
|
||||
for (NSString *certName in certNames) {
|
||||
NSError *error;
|
||||
NSData *certData = [self certificateDataWithName:certName error:&error];
|
||||
if (error) {
|
||||
@throw [NSException exceptionWithName:@"OWSSignalServiceHTTPSecurityPolicy" reason:@"Couln't read google pinning cert" userInfo:nil];
|
||||
} else {
|
||||
NSString *reason = [NSString stringWithFormat:@"Reading google pinning cert faile with error: %@", error];
|
||||
@throw [NSException exceptionWithName:@"OWSSignalServiceHTTPSecurityPolicy" reason:reason userInfo:nil];
|
||||
DDLogError(@"%@ Failed to get %@ certificate data with error: %@", self.tag, certName, error);
|
||||
@throw [NSException exceptionWithName:@"OWSSignalService_UnableToReadCertificate"
|
||||
reason:error.description
|
||||
userInfo:nil];
|
||||
}
|
||||
|
||||
if (!certData) {
|
||||
DDLogError(@"%@ No data for certificate: %@", self.tag, certName);
|
||||
@throw [NSException exceptionWithName:@"OWSSignalService_UnableToReadCertificate"
|
||||
reason:error.description
|
||||
userInfo:nil];
|
||||
}
|
||||
[certificates addObject:certData];
|
||||
}
|
||||
|
||||
NSSet<NSData *> *certificates = [NSSet setWithObject:googleCertData];
|
||||
|
||||
securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate withPinnedCertificates:certificates];
|
||||
});
|
||||
return securityPolicy;
|
||||
|
|
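Review bot: `certificateDataWithName:error:` in the googlePinningPolicy hunk dereferences `error` unconditionally (`*error = OWSErrorMakeAssertionError();` at both early returns and `if (*error != nil)` after the read), so any caller passing NULL for the out-parameter crashes, and the post-read check tests the error pointer rather than the nil return, which Cocoa only guarantees to be meaningful on failure. The empty-data branch also returns nil without populating `*error`, so the loop in `googlePinningPolicy` reaches its `if (!certData)` throw with a nil `error` and an empty exception reason. Guard each write with `if (error)`, test `if (!certData)` after `dataWithContentsOfFile:options:error:`, and set the assertion error on the empty-data path too, so a missing or truncated pin still fails closed with a diagnosable reason. Separately, the names in `certNames` have to agree with the resource lists added in SignalServiceKit.podspec and the pbxproj copy phase in this same commit; a comment on the array such as `// Keep in sync with s.resources in SignalServiceKit.podspec` would make that dependency visible to the next person adding a root.
```objc
+ (nullable NSData *)certificateDataWithName:(NSString *)name error:(NSError **)error
{
    // … unchanged: name.length check, with its *error write guarded exactly as below …
    if (![[NSFileManager defaultManager] fileExistsAtPath:path]) {
        OWSFail(@"%@ Missing certificate for name: %@", self.tag, name);
        if (error) {
            *error = OWSErrorMakeAssertionError();
        }
        return nil;
    }

    NSData *_Nullable certData = [NSData dataWithContentsOfFile:path options:0 error:error];
    // Check the return value, not the out-param; *error is only defined on failure.
    if (!certData) {
        OWSFail(@"%@ Failed to read cert file with path: %@", self.tag, path);
        return nil;
    }

    if (certData.length == 0) {
        OWSFail(@"%@ empty certData for name: %@", self.tag, name);
        if (error) {
            *error = OWSErrorMakeAssertionError();
        }
        return nil;
    }
    // … unchanged: DDLogVerbose and return certData …
}
```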
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.