keejef
/
session-ios
mirror of https://github.com/oxen-io/session-ios
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Enhancements to certificate pinning

Browse Source 
//FREEBIE
pull/1/head
Frederic Jacobs 10 years ago
parent aca4733ac0
commit f5bbf9d480
9 changed files with 48 additions and 19 deletions
Show Stats Download Patch File Download Diff File

10
Signal.xcodeproj/project.pbxproj
Unescape Escape View File

@ -381,7 +381,7 @@
B621B079198C69A100D36C3D /* Localizable.strings in Resources */ = {isa = PBXBuildFile; fileRef = B621B017198C69A100D36C3D /* Localizable.strings */; }; B621B079198C69A100D36C3D /* Localizable.strings in Resources */ = {isa = PBXBuildFile; fileRef = B621B017198C69A100D36C3D /* Localizable.strings */; };
B67ADDC41989FF8700E1A773 /* CallServerRequestsManager.m in Sources */ = {isa = PBXBuildFile; fileRef = B67ADDC31989FF8700E1A773 /* CallServerRequestsManager.m */; }; B67ADDC41989FF8700E1A773 /* CallServerRequestsManager.m in Sources */ = {isa = PBXBuildFile; fileRef = B67ADDC31989FF8700E1A773 /* CallServerRequestsManager.m */; };
B67EBF5D19194AC60084CCFD /* Settings.bundle in Resources */ = {isa = PBXBuildFile; fileRef = B67EBF5C19194AC60084CCFD /* Settings.bundle */; }; B67EBF5D19194AC60084CCFD /* Settings.bundle in Resources */ = {isa = PBXBuildFile; fileRef = B67EBF5C19194AC60084CCFD /* Settings.bundle */; };
B69B6305199573970072E805 /* whisperFake.cer in Resources */ = {isa = PBXBuildFile; fileRef = B69B6304199573970072E805 /* whisperFake.cer */; }; B6850E5A1995A4710068E715 /* whisperFake.cer in Resources */ = {isa = PBXBuildFile; fileRef = B6850E591995A4710068E715 /* whisperFake.cer */; };
B69CD25119773E79005CE69A /* XCTest.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = B69CD25019773E79005CE69A /* XCTest.framework */; }; B69CD25119773E79005CE69A /* XCTest.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = B69CD25019773E79005CE69A /* XCTest.framework */; };
B6B1013C196D213F007E3930 /* SGNKeychainUtil.m in Sources */ = {isa = PBXBuildFile; fileRef = B6B1013B196D213F007E3930 /* SGNKeychainUtil.m */; }; B6B1013C196D213F007E3930 /* SGNKeychainUtil.m in Sources */ = {isa = PBXBuildFile; fileRef = B6B1013B196D213F007E3930 /* SGNKeychainUtil.m */; };
B6B9ECFC198B31BA00C620D3 /* PushManager.m in Sources */ = {isa = PBXBuildFile; fileRef = B6B9ECFB198B31BA00C620D3 /* PushManager.m */; }; B6B9ECFC198B31BA00C620D3 /* PushManager.m in Sources */ = {isa = PBXBuildFile; fileRef = B6B9ECFB198B31BA00C620D3 /* PushManager.m */; };
@ -1116,7 +1116,7 @@
B67ADDC21989FF8700E1A773 /* CallServerRequestsManager.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CallServerRequestsManager.h; sourceTree = "<group>"; }; B67ADDC21989FF8700E1A773 /* CallServerRequestsManager.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CallServerRequestsManager.h; sourceTree = "<group>"; };
B67ADDC31989FF8700E1A773 /* CallServerRequestsManager.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = CallServerRequestsManager.m; sourceTree = "<group>"; }; B67ADDC31989FF8700E1A773 /* CallServerRequestsManager.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = CallServerRequestsManager.m; sourceTree = "<group>"; };
B67EBF5C19194AC60084CCFD /* Settings.bundle */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.plug-in"; name = Settings.bundle; path = SettingsBundle/Settings.bundle; sourceTree = SOURCE_ROOT; }; B67EBF5C19194AC60084CCFD /* Settings.bundle */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.plug-in"; name = Settings.bundle; path = SettingsBundle/Settings.bundle; sourceTree = SOURCE_ROOT; };
B69B6304199573970072E805 /* whisperFake.cer */ = {isa = PBXFileReference; lastKnownFileType = file; path = whisperFake.cer; sourceTree = "<group>"; }; B6850E591995A4710068E715 /* whisperFake.cer */ = {isa = PBXFileReference; lastKnownFileType = file; path = whisperFake.cer; sourceTree = "<group>"; };
B69CD25019773E79005CE69A /* XCTest.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = XCTest.framework; path = Library/Frameworks/XCTest.framework; sourceTree = DEVELOPER_DIR; }; B69CD25019773E79005CE69A /* XCTest.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = XCTest.framework; path = Library/Frameworks/XCTest.framework; sourceTree = DEVELOPER_DIR; };
B6B1013A196D213F007E3930 /* SGNKeychainUtil.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SGNKeychainUtil.h; sourceTree = "<group>"; }; B6B1013A196D213F007E3930 /* SGNKeychainUtil.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SGNKeychainUtil.h; sourceTree = "<group>"; };
B6B1013B196D213F007E3930 /* SGNKeychainUtil.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SGNKeychainUtil.m; sourceTree = "<group>"; }; B6B1013B196D213F007E3930 /* SGNKeychainUtil.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SGNKeychainUtil.m; sourceTree = "<group>"; };
@ -2232,7 +2232,6 @@
A15706EA17F0CD6D007C2BD6 /* test */ = { A15706EA17F0CD6D007C2BD6 /* test */ = {
isa = PBXGroup; isa = PBXGroup;
children = ( children = (
B69B6304199573970072E805 /* whisperFake.cer */,
76919BF51805D169008C664A /* contact */, 76919BF51805D169008C664A /* contact */,
A15706EB17F0CD6D007C2BD6 /* async */, A15706EB17F0CD6D007C2BD6 /* async */,
A15706F217F0CD6D007C2BD6 /* audio */, A15706F217F0CD6D007C2BD6 /* audio */,
@ -2397,6 +2396,7 @@
A157073917F0CD6D007C2BD6 /* Supporting Files */ = { A157073917F0CD6D007C2BD6 /* Supporting Files */ = {
isa = PBXGroup; isa = PBXGroup;
children = ( children = (
B6850E591995A4710068E715 /* whisperFake.cer */,
A157073A17F0CD6D007C2BD6 /* SignalTests-Info.plist */, A157073A17F0CD6D007C2BD6 /* SignalTests-Info.plist */,
); );
path = "Supporting Files"; path = "Supporting Files";
@ -3260,7 +3260,6 @@
E14874F418A06930002CC4F3 /* volume_low@2x.png in Resources */, E14874F418A06930002CC4F3 /* volume_low@2x.png in Resources */,
E14874F518A06930002CC4F3 /* whisper_notification_icon.png in Resources */, E14874F518A06930002CC4F3 /* whisper_notification_icon.png in Resources */,
E14874F618A06930002CC4F3 /* whisper_notification_icon@2x.png in Resources */, E14874F618A06930002CC4F3 /* whisper_notification_icon@2x.png in Resources */,
E1370BF618A068A600826894 /* whisperReal.cer in Resources */,
E1370BEA18A0689000826894 /* AppIcon29x29.jpg in Resources */, E1370BEA18A0689000826894 /* AppIcon29x29.jpg in Resources */,
E1370BEB18A0689000826894 /* AppIcon29x29.png in Resources */, E1370BEB18A0689000826894 /* AppIcon29x29.png in Resources */,
E1370BEC18A0689000826894 /* AppIcon29x29@2x.png in Resources */, E1370BEC18A0689000826894 /* AppIcon29x29@2x.png in Resources */,
@ -3286,6 +3285,7 @@
E148751318A06AFD002CC4F3 /* HelveticaNeueLTStd-Th.otf in Resources */, E148751318A06AFD002CC4F3 /* HelveticaNeueLTStd-Th.otf in Resources */,
E148751418A06AFD002CC4F3 /* HelveticaNeueLTStd-Lt.otf in Resources */, E148751418A06AFD002CC4F3 /* HelveticaNeueLTStd-Lt.otf in Resources */,
E148751518A06AFD002CC4F3 /* HelveticaNeueLTStd-Md.otf in Resources */, E148751518A06AFD002CC4F3 /* HelveticaNeueLTStd-Md.otf in Resources */,
E1370BF618A068A600826894 /* whisperReal.cer in Resources */,
); );
runOnlyForDeploymentPostprocessing = 0; runOnlyForDeploymentPostprocessing = 0;
}; };
@ -3309,7 +3309,7 @@
76EB067918170B34006006FC /* InCallViewController.xib in Resources */, 76EB067918170B34006006FC /* InCallViewController.xib in Resources */,
76EB068318170B34006006FC /* SettingsViewController.xib in Resources */, 76EB068318170B34006006FC /* SettingsViewController.xib in Resources */,
76EB068118170B34006006FC /* RegisterViewController.xib in Resources */, 76EB068118170B34006006FC /* RegisterViewController.xib in Resources */,
B69B6305199573970072E805 /* whisperFake.cer in Resources */, B6850E5A1995A4710068E715 /* whisperFake.cer in Resources */,
B97CBFB218861023008E0DE9 /* CountryCodeTableViewCell.xib in Resources */, B97CBFB218861023008E0DE9 /* CountryCodeTableViewCell.xib in Resources */,
B9A578B5183D610300C17105 /* FavouriteTableViewCell.xib in Resources */, B9A578B5183D610300C17105 /* FavouriteTableViewCell.xib in Resources */,
B9B89C58185A2B7000A24465 /* LeftSideMenuCell.xib in Resources */, B9B89C58185A2B7000A24465 /* LeftSideMenuCell.xib in Resources */,

2
Signal/src/network/PushManager.m
Unescape Escape View File

@ -119,7 +119,7 @@
} }
} }
} failure:^(NSURLSessionDataTask *task, NSError *error) { } failure:^(NSURLSessionDataTask *task, NSError *error) {
[self registerForPushWithToken:token]; [self registerFailureWithToken:token];
}]; }];
} }

7
Signal/src/network/http/CallServerRequestsManager.m
Unescape Escape View File

@ -34,6 +34,13 @@ MacrosSingletonImplemention
NSURLSessionConfiguration *sessionConf = [NSURLSessionConfiguration ephemeralSessionConfiguration]; NSURLSessionConfiguration *sessionConf = [NSURLSessionConfiguration ephemeralSessionConfiguration];
self.operationManager = [[AFHTTPSessionManager alloc] initWithBaseURL:endPointURL sessionConfiguration:sessionConf]; self.operationManager = [[AFHTTPSessionManager alloc] initWithBaseURL:endPointURL sessionConfiguration:sessionConf];
[self.operationManager setSecurityPolicy:[AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey]]; [self.operationManager setSecurityPolicy:[AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey]];
NSString *certPath = [[NSBundle mainBundle] pathForResource:@"whisperReal" ofType:@"cer"];
NSData *certData = [NSData dataWithContentsOfFile:certPath];
SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)(certData));
self.operationManager.securityPolicy.pinnedCertificates = @[(__bridge_transfer NSData *)SecCertificateCopyData(cert)];
self.operationManager.securityPolicy.allowInvalidCertificates = YES; // We use a custom certificate, not signed by a CA. self.operationManager.securityPolicy.allowInvalidCertificates = YES; // We use a custom certificate, not signed by a CA.
self.operationManager.responseSerializer = [AFJSONResponseSerializer serializer]; self.operationManager.responseSerializer = [AFJSONResponseSerializer serializer];
} }

4
Signal/src/network/tcp/tls/Certificate.h
Unescape Escape View File

@ -5,9 +5,7 @@
* Certificate is responsible for loading, exposing, and managing a SecCertificateRef. * Certificate is responsible for loading, exposing, and managing a SecCertificateRef.
* *
*/ */
@interface Certificate : NSObject { @interface Certificate : NSObject
@private SecCertificateRef secCertificateRef;
}
+(Certificate*) certificateFromTrust:(SecTrustRef)trust +(Certificate*) certificateFromTrust:(SecTrustRef)trust
atIndex:(CFIndex)index; atIndex:(CFIndex)index;

14
Signal/src/network/tcp/tls/Certificate.m
Unescape Escape View File

@ -1,6 +1,10 @@
#import "Certificate.h" #import "Certificate.h"
#import "Util.h" #import "Util.h"
@interface Certificate ()
@property SecCertificateRef secCertificateRef;
@end
@implementation Certificate @implementation Certificate
+(Certificate*) certificateFromTrust:(SecTrustRef)trust +(Certificate*) certificateFromTrust:(SecTrustRef)trust
@ -13,7 +17,7 @@
CFRetain(cert); CFRetain(cert);
Certificate* instance = [Certificate new]; Certificate* instance = [Certificate new];
instance->secCertificateRef = cert; instance.secCertificateRef = cert;
return instance; return instance;
} }
@ -30,12 +34,12 @@
checkOperation(cert != nil); checkOperation(cert != nil);
Certificate* instance = [Certificate new]; Certificate* instance = [Certificate new];
instance->secCertificateRef = cert; instance.secCertificateRef = cert;
return instance; return instance;
} }
-(void) dealloc { -(void) dealloc {
CFRelease(secCertificateRef); CFRelease(self.secCertificateRef);
} }
-(void) setAsAnchorForTrust:(SecTrustRef)trust { -(void) setAsAnchorForTrust:(SecTrustRef)trust {
@ -44,7 +48,7 @@
CFMutableArrayRef anchorCerts = CFArrayCreateMutable(NULL, 1, &kCFTypeArrayCallBacks); CFMutableArrayRef anchorCerts = CFArrayCreateMutable(NULL, 1, &kCFTypeArrayCallBacks);
checkOperation(anchorCerts != NULL); checkOperation(anchorCerts != NULL);
CFArrayAppendValue(anchorCerts, secCertificateRef); CFArrayAppendValue(anchorCerts, self.secCertificateRef);
OSStatus setAnchorResult = SecTrustSetAnchorCertificates(trust, anchorCerts); OSStatus setAnchorResult = SecTrustSetAnchorCertificates(trust, anchorCerts);
CFRelease(anchorCerts); CFRelease(anchorCerts);
@ -54,7 +58,7 @@
} }
-(NSString *)description { -(NSString *)description {
return (__bridge_transfer NSString*)SecCertificateCopySubjectSummary(secCertificateRef); return (__bridge_transfer NSString*)SecCertificateCopySubjectSummary(self.secCertificateRef);
} }
@end @end

9
Signal/src/view controllers/RegisterViewController.m
Unescape Escape View File

@ -133,7 +133,6 @@
return [futurePhoneRegistrationStarted then:^(id _) { return [futurePhoneRegistrationStarted then:^(id _) {
[self showViewNumber:CHALLENGE_VIEW_NUMBER]; [self showViewNumber:CHALLENGE_VIEW_NUMBER];
[Environment setRegistered:YES];
[self.challengeNumberLabel setText:[phoneNumber description]]; [self.challengeNumberLabel setText:[phoneNumber description]];
[_registerCancelButton removeFromSuperview]; [_registerCancelButton removeFromSuperview];
[self startVoiceVerificationCountdownTimer]; [self startVoiceVerificationCountdownTimer];
@ -196,14 +195,17 @@
}]; }];
[futureDone thenDo:^(id result) { [futureDone thenDo:^(id result) {
[futureChallengeAcceptedSource trySetResult:@YES];
}];
[futureChallengeAcceptedSource thenDo:^(id value) {
[[PushManager sharedManager] askForPushRegistrationWithSuccess:^{ [[PushManager sharedManager] askForPushRegistrationWithSuccess:^{
[Environment setRegistered:YES]; [Environment setRegistered:YES];
[[[Environment getCurrent] phoneDirectoryManager] forceUpdate];
[registered trySetResult:@YES]; [registered trySetResult:@YES];
[self dismissView]; [self dismissView];
[futureChallengeAcceptedSource trySetResult:result];
_challengeButton.enabled = YES; _challengeButton.enabled = YES;
[_challengeActivityIndicator stopAnimating]; [_challengeActivityIndicator stopAnimating];
[[[Environment getCurrent] phoneDirectoryManager] forceUpdate];
} failure:^{ } failure:^{
UIAlertView *alertView = [[UIAlertView alloc] initWithTitle:REGISTER_ERROR_ALERT_VIEW_TITLE message:REGISTER_ERROR_ALERT_VIEW_BODY delegate:nil cancelButtonTitle:REGISTER_ERROR_ALERT_VIEW_DISMISS otherButtonTitles:nil, nil]; UIAlertView *alertView = [[UIAlertView alloc] initWithTitle:REGISTER_ERROR_ALERT_VIEW_TITLE message:REGISTER_ERROR_ALERT_VIEW_BODY delegate:nil cancelButtonTitle:REGISTER_ERROR_ALERT_VIEW_DISMISS otherButtonTitles:nil, nil];
[alertView show]; [alertView show];
@ -211,6 +213,7 @@
[_challengeActivityIndicator stopAnimating]; [_challengeActivityIndicator stopAnimating];
}]; }];
}]; }];
} }
- (void)showViewNumber:(NSInteger)viewNumber { - (void)showViewNumber:(NSInteger)viewNumber {

0
Signal/test/whisperFake.cer → Signal/test/Supporting Files/whisperFake.cer
Unescape Escape View File

3
Signal/test/audio/AudioRemoteIOTest.m
Unescape Escape View File

@ -10,7 +10,8 @@
@implementation AudioRemoteIOTest @implementation AudioRemoteIOTest
-(void) testPlaysAndRecordsAudio { // Disabled because won't work on Travis
-(void)___testPlaysAndRecordsAudio {
__block RemoteIOAudio* a = nil; __block RemoteIOAudio* a = nil;
__block double t = 0; __block double t = 0;

16
Signal/test/network/tcp/tls/NetworkStreamTest.m
Unescape Escape View File

@ -19,6 +19,10 @@
@end @end
@interface Certificate ()
@property SecCertificateRef secCertificateRef;
@end
@implementation NetworkStreamTest @implementation NetworkStreamTest
- (void)setUp{ - (void)setUp{
@ -93,9 +97,20 @@
[s terminate]; [s terminate];
} }
-(void) testAuthenticationFail_WrongCert { -(void) testAuthenticationFail_WrongCert {
[Environment setCurrent:testEnv]; [Environment setCurrent:testEnv];
NSString *certPath = [[[NSBundle bundleForClass:[NetworkStream class]] resourcePath] stringByAppendingPathComponent:@"whisperFake.cer"];
NSData *certData = [[NSData alloc] initWithContentsOfFile:certPath];
checkOperation(certData != nil);
SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData);
checkOperation(cert != nil);
Certificate* instance = [Certificate new];
instance.secCertificateRef = cert;
SecureEndPoint* e = [SecureEndPoint secureEndPointForHost:[HostNameEndPoint hostNameEndPointWithHostName:TEST_SERVER_HOST andPort:TEST_SERVER_PORT] SecureEndPoint* e = [SecureEndPoint secureEndPointForHost:[HostNameEndPoint hostNameEndPointWithHostName:TEST_SERVER_HOST andPort:TEST_SERVER_PORT]
identifiedByCertificate:[Certificate certificateFromResourcePath:TEST_SERVER_INCORRECT_CERT_PATH identifiedByCertificate:[Certificate certificateFromResourcePath:TEST_SERVER_INCORRECT_CERT_PATH
ofType:TEST_SERVER_INCORRECT_CERT_TYPE]]; ofType:TEST_SERVER_INCORRECT_CERT_TYPE]];
@ -116,6 +131,7 @@
[s terminate]; [s terminate];
} }
-(void) testAuthenticationFail_WrongHostName { -(void) testAuthenticationFail_WrongHostName {
[Environment setCurrent:testEnv]; [Environment setCurrent:testEnv];

Write Preview
Loading…
Cancel
Save