From e7328bd6737e68d5c94f797c68334773e6fc67b8 Mon Sep 17 00:00:00 2001 From: Frederic Jacobs Date: Wed, 15 Jul 2015 04:30:37 +0200 Subject: [PATCH] Upgrading cert pinning & flagging release. --- Signal/Certificates/redphone.cer | Bin 1026 -> 1001 bytes Signal/Signal-Info.plist | 2 +- .../network/http/RPServerRequestsManager.m | 12 +++++++----- .../textsecure/Network/API/TSNetworkManager.m | 2 +- 4 files changed, 9 insertions(+), 7 deletions(-) 
diff --git a/Signal/Certificates/redphone.cer b/Signal/Certificates/redphone.cer index d2c37c7aaae47a8b0a66406e1ccf077c5c1f1026..35bbbe6c07bdcef06c9337c2012148470d7ca070 100644 GIT binary patch delta 662 zcmV;H0%`q%2 z7Y#8tFf}qbGBYwaF*90`AB>Ys0U&?1*dljL3Lt91R)Ggd_XO|njNP0@Wby~i7+T%| z)h8g`MGR+~Kue5P?JMC%;)#xdYN;C@M*WLt$rM1V$^rCzwrTk_`IvY3S3F#|usMQ1 z2r!~`SNvgYZH?UW#V0SqWC-T@dS{t6D=Ns(*Nv^m zrq74;kGyvs-IL7%B7Y19163Up1O+ey0RjIo4F(A+hDe6@4FLfK1potr0RaF8Y3%_` z4||pFP=N;G(8F~_a`NUOe0HaOP^l{``l-87EM*sNa)fv~&K5oImW!>gGKS<%55=Z` z2wZKLmYGjF88|K^k^YrFb8z8Ga8JF=3gj6FR6=!%#yHC^yMMdt_-Tv_qL$`8-Z>d3 zc#Pq`s%4+C>HA*&P%ObRP+U7|rjuI7g^@s!%9grFE;31?bsDe@#>7{@`ytyTxujt7 zXob`@xO0O;e^Ur|jAWEzPf6y!&&(L%Yt#-F0oZ4*avZ0z#LPdbHSMD-256me%QF}M wdGe6>R=mTT`6IRdh;31>UI(9UMNrihAA5ZoO!9oYCkzZBwl%x1g0!Uu#-H#hc>n+a delta 792 zcmaFK-oznb(8T=Dpo!_(0%j&gCMHJKi4yZ=jSb8VO+eVxGD@7+&=iSlP(M*iIY!n% znvFS>g^NeTzaTYFAv`0qxFEGiA-J-*BsI6#5Gu`$Uz(XmL`$z6qO};JQ!l?LeR3?L zV*SJ40l&93ZKzc^Kkec4`}H?!%UUwHPfn&yQmZ z)p~ULfDYh*a=x{h563uigWHs{|18<)D@8=r&$xEGo6~Q#I$ZFos%Nx&qkGgZ} z^!Y@N_=7jh7p*)~w&9PkqEuG5!tPa?zne2IFZ=q-rhew`UIm_OTf0v$vlca+?Hy<} z-DIPg>Lcxf+RCX{6gL-#PSCrTlpFuNx3F=7PQewVJgwD}xlKA}U>dW{qe|B#(;as)GqtO4}iq&sh zZl@^zsj+lZaS1q|Y*fv}%*epFxZ0r7fD;(hvcfD(1`Gx|Y@7*g9*k{2oEUjo+I>wyBxBQ zt-d;E@-il+dR{h8tu~Lg@4SqRtgH;oO^l2TYqOR<;rsXT>*8mBcB(twKj*OPSJCYw zvAWll3bl)_{QA4%kG<>qO3h`T^rx5mn0kFbw!UxG$}{dwDwazhZMoZ4DLRue-rdQ& z=8f~}Yaeyk)b?x4c`^CjzSX8h6Mn?!tzdb%aFNgAaE~_;cY`GBna{NgNHWcy!7}?G zZ*Rq&f6sbkJa@{y`r60+m~Z<;iJ*VMe{ZaC){e@GXwvE2HO)>;ASu3dn&hHgxvx#a zxFQ$y&SL$u|JK=~d58T?cKq1+hdb&@uHGrTi;5Z6U8}5ht~<<~=F_w2fvdvWfX;pY t6P}mzr7imJc>j3ayJ}`nUM^AQAl3!eC)ccBkfrqO@1@|0W+iEXO8~yVQ`Z0h diff --git a/Signal/Signal-Info.plist b/Signal/Signal-Info.plist index 885331c83..fb8c08396 100644 --- a/Signal/Signal-Info.plist +++ b/Signal/Signal-Info.plist @@ -23,7 +23,7 @@ CFBundlePackageType APPL CFBundleShortVersionString - 2.1.1 + 2.1.2 CFBundleSignature ???? CFBundleURLTypes 
diff --git a/Signal/src/network/http/RPServerRequestsManager.m b/Signal/src/network/http/RPServerRequestsManager.m
index 3b548d39b..631fd73e5 100644
--- a/Signal/src/network/http/RPServerRequestsManager.m
+++ b/Signal/src/network/http/RPServerRequestsManager.m
@@ -32,16 +32,18 @@ MacrosSingletonImplemention
 self = [super init];
 if (self) {
+ NSURLSessionConfiguration *sessionConfig = [NSURLSessionConfiguration defaultSessionConfiguration];
 HostNameEndPoint *endpoint = Environment.getCurrent.masterServerSecureEndPoint.hostNameEndPoint;
 NSURL *endPointURL = [NSURL URLWithString:[NSString stringWithFormat:@"https://%@:%hu", endpoint.hostname, endpoint.port]];
- NSURLSessionConfiguration *sessionConf = NSURLSessionConfiguration.defaultSessionConfiguration;
- self.operationManager = [[AFHTTPSessionManager alloc] initWithBaseURL:endPointURL sessionConfiguration:sessionConf];
- self.operationManager.securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];
- self.operationManager.securityPolicy.allowInvalidCertificates = YES;
+ self.operationManager = [[AFHTTPSessionManager alloc] initWithBaseURL:endPointURL sessionConfiguration:sessionConfig];
+ AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
+ securityPolicy.allowInvalidCertificates = YES; //The certificate is not signed by a CA in the iOS trust store.
+ securityPolicy.validatesCertificateChain = NO; //Looking at AFNetworking's implementation of chain checking, we don't need to pin all certs in chain.
https://github.com/AFNetworking/AFNetworking/blob/e4855e9f25e4914ac2eb5caee26bc6e7a024a840/AFNetworking/AFSecurityPolicy.m#L271 Trust to the trusted cert is already vertified before by AFServerTrustIsValid();
 NSString *certPath = [NSBundle.mainBundle pathForResource:@"redphone" ofType:@"cer"];
 NSData *certData = [NSData dataWithContentsOfFile:certPath];
 SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)(certData));
- self.operationManager.securityPolicy.pinnedCertificates = @[(__bridge_transfer NSData *)SecCertificateCopyData(cert)];
+ securityPolicy.pinnedCertificates = @[(__bridge_transfer NSData *)SecCertificateCopyData(cert)];
+ self.operationManager.securityPolicy = securityPolicy;
 }
 return self;
 }
diff --git a/Signal/src/textsecure/Network/API/TSNetworkManager.m b/Signal/src/textsecure/Network/API/TSNetworkManager.m
index 8f36a05f2..4f7a2e04c 100644
--- a/Signal/src/textsecure/Network/API/TSNetworkManager.m
+++ b/Signal/src/textsecure/Network/API/TSNetworkManager.m
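Review bot: The `cert` returned by `SecCertificateCreateWithData` is never released and is not checked for NULL before the new `securityPolicy.pinnedCertificates = @[(__bridge_transfer NSData *)SecCertificateCopyData(cert)];` line, so a missing or non-DER `redphone.cer` in the bundle crashes inside init rather than failing with a clear message, and the CF object leaks (a one-off in a singleton, but still a Create-rule violation). I would guard and release around the pinning line: `NSAssert(cert != NULL, @"redphone.cer missing or not DER-encoded");` before it and `CFRelease(cert);` after it. The policy also never sets `validatesDomainName`, so host-name matching rides on whatever `policyWithPinningMode:` defaults to in the AFNetworking version the project pins; stating `securityPolicy.validatesDomainName = YES;` explicitly documents the intent and survives a library upgrade. `allowInvalidCertificates = YES` together with `validatesCertificateChain = NO` is only acceptable because, as the linked revision of AFSecurityPolicy appears to do, certificate pinning mode re-evaluates the trust with the pinned cert set as anchor — that coupling to a specific AFNetworking revision deserves a comment next to the dependency version, and the same set-up is mirrored in TSNetworkManager's init (next hunk, which only updates the link). The enclosing `init` starts before this hunk.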
@@ -40,7 +40,7 @@
 self.operationManager = [[AFHTTPSessionManager alloc] initWithBaseURL:[[NSURL alloc] initWithString:textSecureServerURL] sessionConfiguration:sessionConf];
 AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
 policy.allowInvalidCertificates = YES; //The certificate is not signed by a CA in the iOS trust store.
- policy.validatesCertificateChain = NO; //Looking at AFNetworking's implementation of chain checking, we don't need to pin all certs in chain. https://github.com/AFNetworking/AFNetworking/blob/104ce04105098466ea0ea4e337af554d7b9df195/AFNetworking/AFSecurityPolicy.m#L281 Trust to the trusted cert is already vertified before by AFServerTrustIsValid();
+ policy.validatesCertificateChain = NO; //Looking at AFNetworking's implementation of chain checking, we don't need to pin all certs in chain. https://github.com/AFNetworking/AFNetworking/blob/e4855e9f25e4914ac2eb5caee26bc6e7a024a840/AFNetworking/AFSecurityPolicy.m#L271 Trust to the trusted cert is already vertified before by AFServerTrustIsValid();
 NSString *certPath = [NSBundle.mainBundle pathForResource:@"textsecure" ofType:@"cer"];
 NSData *certData = [NSData dataWithContentsOfFile:certPath];
 SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)(certData));