keejef
/
session-ios
mirror of https://github.com/oxen-io/session-ios
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
dev
voice-calls-2
voice-calls
authentication
2.5.0
2.4.5
2.4.4
2.4.3
2.4.2
2.4.1
2.4.0
2.3.2
2.3.1
2.3.0
2.2.14
2.2.13
2.2.12
2.2.11
2.2.10
2.2.9
2.2.6
2.2.4
2.2.2
2.2.1
2.2.0
2.1.1
2.0.3
2.0.2
2.0.1
2.0.0
1.0.0-alpha.1
audit-2
audit
2.8.0
2.7.4
2.7.3
2.7.2
2.7.1
2.7.0
2.6.3
2.6.2
2.6.1
2.6.0
2.2.8
2.2.7
2.2.5
2.2.3
2.1.0
1.9.7
1.9.6
1.9.5
1.9.4
1.9.3
1.9.1
1.9.0
1.8.3
1.8.2
1.8.1
1.8.0
1.7.8
1.7.7
1.7.6
1.7.5
1.7.4
1.7.3
1.7.2
1.7.0
1.6.5
1.6.4
1.6.3
1.6.2
1.6.1
1.6.0
1.5.3
1.5.2
1.5.1-beta
1.5.0-beta
1.5.0
1.4.7
1.4.6
1.4.5
1.4.4
1.4.3
1.4.2
1.4.0-beta
1.4.0
1.3.0-alpha.1
1.3.0
1.2.6
1.2.5
1.2.4
1.2.3
1.2.1
1.2.0-alpha.2
1.2.0-alpha.1
1.2.0
1.13.0
1.12.9
1.12.8
1.12.7
1.12.6
1.12.5
1.12.4
1.12.2
1.12.1
1.11.9
1.11.8
1.11.7
1.11.6
1.11.5
1.11.4
1.11.3
1.11.24
1.11.23
1.11.22
1.11.21
1.11.20
1.11.2
1.11.19
1.11.18
1.11.17
1.11.16
1.11.15
1.11.14
1.11.13
1.11.12
1.11.11
1.11.10
1.11.1
1.11.0
1.10.2
1.10.1
1.10.0
1.1.0-alpha.4
1.1.0-alpha.3
1.1.0-alpha.2
1.1.0-alpha.1
1.1.0
1.0.8
1.0.7
1.0.6
1.0.5
1.0.4
1.0.3
1.0.2
1.0.1
1.0.0-alpha.3
1.0.0-alpha.2
1.0.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '958d249ee5'
${ noResults }
session-ios/SignalServiceKit/src/Network/OWSCensorshipConfiguration.m

241 lines
8.0 KiB
Objective-C
Raw Blame History

//
// Copyright (c) 2018 Open Whisper Systems. All rights reserved.
//
#import "OWSCensorshipConfiguration.h"
#import "OWSCountryMetadata.h"
#import "OWSError.h"
#import "OWSPrimaryStorage.h"
#import "TSConstants.h"
#import <AFNetworking/AFHTTPSessionManager.h>
NS_ASSUME_NONNULL_BEGIN
NSString *const OWSCensorshipConfiguration_SouqFrontingHost = @"cms.souqcdn.com";
NSString *const OWSCensorshipConfiguration_YahooViewFrontingHost = @"view.yahoo.com";
NSString *const OWSCensorshipConfiguration_DefaultFrontingHost = OWSCensorshipConfiguration_YahooViewFrontingHost;
@implementation OWSCensorshipConfiguration
// returns nil if phone number is not known to be censored
+ (nullable instancetype)censorshipConfigurationWithPhoneNumber:(NSString *)e164PhoneNumber
{
NSString *countryCode = [self censoredCountryCodeWithPhoneNumber:e164PhoneNumber];
if (countryCode.length == 0) {
return nil;
}
return [self censorshipConfigurationWithCountryCode:countryCode];
}
// returns best censorship configuration for country code. Will return a default if one hasn't
// been specifically configured.
+ (instancetype)censorshipConfigurationWithCountryCode:(NSString *)countryCode
{
OWSCountryMetadata *countryMetadadata = [OWSCountryMetadata countryMetadataForCountryCode:countryCode];
OWSAssert(countryMetadadata);
NSString *_Nullable specifiedDomain = countryMetadadata.frontingDomain;
NSURL *baseURL;
AFSecurityPolicy *securityPolicy;
if (specifiedDomain.length > 0) {
NSString *frontingURLString = [NSString stringWithFormat:@"https://%@", specifiedDomain];
baseURL = [NSURL URLWithString:frontingURLString];
securityPolicy = [self securityPolicyForDomain:(NSString *)specifiedDomain];
} else {
NSString *frontingURLString =
[NSString stringWithFormat:@"https://%@", OWSCensorshipConfiguration_DefaultFrontingHost];
baseURL = [NSURL URLWithString:frontingURLString];
securityPolicy = [self securityPolicyForDomain:OWSCensorshipConfiguration_DefaultFrontingHost];
}
OWSAssert(baseURL);
OWSAssert(securityPolicy);
return [[OWSCensorshipConfiguration alloc] initWithDomainFrontBaseURL:baseURL securityPolicy:securityPolicy];
}
- (instancetype)initWithDomainFrontBaseURL:(NSURL *)domainFrontBaseURL securityPolicy:(AFSecurityPolicy *)securityPolicy
{
OWSAssert(domainFrontBaseURL);
OWSAssert(securityPolicy);
self = [super init];
if (!self) {
return self;
}
_domainFrontBaseURL = domainFrontBaseURL;
_domainFrontSecurityPolicy = securityPolicy;
return self;
}
// MARK: Public Getters
- (NSString *)signalServiceReflectorHost
{
return textSecureServiceReflectorHost;
}
- (NSString *)CDNReflectorHost
{
return textSecureCDNReflectorHost;
}
// MARK: Util
+ (NSDictionary<NSString *, NSString *> *)censoredCountryCodes
{
// The set of countries for which domain fronting should be automatically enabled.
//
// If you want to use a domain front other than the default, specify the domain front
// in OWSCountryMetadata, and ensure we have a Security Policy for that domain in
// `securityPolicyForDomain:`
return @{
// Egypt
@"+20" : @"EG",
// Oman
@"+968" : @"OM",
// Qatar
@"+974" : @"QA",
// UAE
@"+971" : @"AE",
};
}
// Returns nil if the phone number is not known to be censored
+ (BOOL)isCensoredPhoneNumber:(NSString *)e164PhoneNumber;
{
return [self censoredCountryCodeWithPhoneNumber:e164PhoneNumber].length > 0;
}
// Returns nil if the phone number is not known to be censored
+ (nullable NSString *)censoredCountryCodeWithPhoneNumber:(NSString *)e164PhoneNumber
{
NSDictionary<NSString *, NSString *> *censoredCountryCodes = self.censoredCountryCodes;
for (NSString *callingCode in censoredCountryCodes) {
if ([e164PhoneNumber hasPrefix:callingCode]) {
return censoredCountryCodes[callingCode];
}
}
return nil;
}
#pragma mark - Reflector Pinning Policy
// When using censorship circumvention, we pin to the fronted domain host.
// Adding a new domain front entails adding a corresponding AFSecurityPolicy
// and pinning to it's CA.
// If the security policy requires new certificates, include them in the SSK bundle
+ (AFSecurityPolicy *)securityPolicyForDomain:(NSString *)domain
{
if ([domain isEqualToString:OWSCensorshipConfiguration_SouqFrontingHost]) {
return [self souqPinningPolicy];
} else if ([domain isEqualToString:OWSCensorshipConfiguration_YahooViewFrontingHost]) {
return [self yahooViewPinningPolicy];
} else {
OWSFail(@"unknown pinning domain.");
return [self yahooViewPinningPolicy];
}
}
+ (AFSecurityPolicy *)pinningPolicyWithCertNames:(NSArray<NSString *> *)certNames
{
NSMutableSet<NSData *> *certificates = [NSMutableSet new];
for (NSString *certName in certNames) {
NSError *error;
NSData *certData = [self certificateDataWithName:certName error:&error];
if (error) {
DDLogError(@"%@ reading data for certificate: %@ failed with error: %@", self.logTag, certName, error);
OWSRaiseException(@"OWSSignalService_UnableToReadCertificate", @"%@", error.description);
}
if (!certData) {
DDLogError(@"%@ No data for certificate: %@", self.logTag, certName);
OWSRaiseException(@"OWSSignalService_UnableToReadCertificate", @"%@", error.description);
}
[certificates addObject:certData];
}
return [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate withPinnedCertificates:certificates];
}
+ (nullable NSData *)certificateDataWithName:(NSString *)name error:(NSError **)error
{
if (!name.length) {
NSString *failureDescription = [NSString stringWithFormat:@"%@ expected name with length > 0", self.logTag];
*error = OWSErrorMakeAssertionError(failureDescription);
return nil;
}
NSBundle *bundle = [NSBundle bundleForClass:self.class];
NSString *path = [bundle pathForResource:name ofType:@"crt"];
if (![[NSFileManager defaultManager] fileExistsAtPath:path]) {
NSString *failureDescription =
[NSString stringWithFormat:@"%@ Missing certificate for name: %@", self.logTag, name];
*error = OWSErrorMakeAssertionError(failureDescription);
return nil;
}
NSData *_Nullable certData = [NSData dataWithContentsOfFile:path options:0 error:error];
if (*error != nil) {
OWSFail(@"%@ Failed to read cert file with path: %@", self.logTag, path);
return nil;
}
if (certData.length == 0) {
OWSFail(@"%@ empty certData for name: %@", self.logTag, name);
return nil;
}
DDLogVerbose(@"%@ read cert data with name: %@ length: %lu", self.logTag, name, (unsigned long)certData.length);
return certData;
}
+ (AFSecurityPolicy *)yahooViewPinningPolicy
{
static AFSecurityPolicy *securityPolicy = nil;
static dispatch_once_t onceToken;
dispatch_once(&onceToken, ^{
// DigiCertGlobalRootG2 - view.yahoo.com
NSArray<NSString *> *certNames = @[ @"DigiCertSHA2HighAssuranceServerCA" ];
securityPolicy = [self pinningPolicyWithCertNames:certNames];
});
return securityPolicy;
}
+ (AFSecurityPolicy *)souqPinningPolicy
{
static AFSecurityPolicy *securityPolicy = nil;
static dispatch_once_t onceToken;
dispatch_once(&onceToken, ^{
// SFSRootCAG2 - cms.souqcdn.com
NSArray<NSString *> *certNames = @[ @"SFSRootCAG2" ];
securityPolicy = [self pinningPolicyWithCertNames:certNames];
});
return securityPolicy;
}
+ (AFSecurityPolicy *)googlePinningPolicy_deprecated
{
static AFSecurityPolicy *securityPolicy = nil;
static dispatch_once_t onceToken;
dispatch_once(&onceToken, ^{
// GIAG2 cert plus root certs from pki.goog
NSArray<NSString *> *certNames = @[ @"GIAG2", @"GSR2", @"GSR4", @"GTSR1", @"GTSR2", @"GTSR3", @"GTSR4" ];
securityPolicy = [self pinningPolicyWithCertNames:certNames];
});
return securityPolicy;
}
@end
NS_ASSUME_NONNULL_END
Reference in New Issue View Git Blame Copy Permalink