Merge tag '2.18.0.9'

Podfile.lock

@@ -170,7 +170,7 @@ SPEC CHECKSUMS:
   PureLayout: 4d550abe49a94f24c2808b9b95db9131685fe4cd
   Reachability: 33e18b67625424e47b6cde6d202dce689ad7af96
   SAMKeychain: 483e1c9f32984d50ca961e26818a534283b4cd5c
-  SignalServiceKit: bfac5572f3a1ff8a853ead9b5413274a075f3cb4
+  SignalServiceKit: b84d80de0bfd5f863994a1ce1f5b742b91c46cb5
   SocketRocket: dbb1554b8fc288ef8ef370d6285aeca7361be31e
   SQLCipher: 43d12c0eb9c57fb438749618fc3ce0065509a559
   TwistedOakCollapsingFutures: f359b90f203e9ab13dfb92c9ff41842a7fe1cd0c

Signal.xcodeproj/project.pbxproj

@@ -2040,6 +2040,12 @@
 				"${PODS_ROOT}/SAMKeychain/Support/SAMKeychain.bundle",
 				"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/textsecure.cer",
 				"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GIAG2.crt",
+				"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GSR2.crt",
+				"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GSR4.crt",
+				"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSR1.crt",
+				"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSR2.crt",
+				"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSR3.crt",
+				"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSR4.crt",
 			);
 			name = "[CP] Copy Pods Resources";
 			outputPaths = (

Signal/Signal-Info.plist

@@ -55,7 +55,7 @@
 		</dict>
 	</array>
 	<key>CFBundleVersion</key>
-	<string>2.18.0.7</string>
+	<string>2.18.0.9</string>
 	<key>ITSAppUsesNonExemptEncryption</key>
 	<false/>
 	<key>LOGS_EMAIL</key>

Signal/src/ViewControllers/OWSCountryMetadata.m

@@ -779,8 +779,8 @@ NS_ASSUME_NONNULL_BEGIN
                                            googleDomain:@"google.co.ug"
                                             countryCode:@"UG"],
             [OWSCountryMetadata countryMetadataWithName:@"United States"
-                                                    tld:@".us"
-                                           googleDomain:@"google.us"
+                                                    tld:@".com"
+                                           googleDomain:@"google.com"
                                             countryCode:@"US"],
             [OWSCountryMetadata countryMetadataWithName:@"Uruguay"
                                                     tld:@".uy"

SignalServiceKit.podspec

@@ -28,7 +28,14 @@ An Objective-C library for communicating with the Signal messaging service.
   s.source_files = 'SignalServiceKit/src/**/*.{h,m,mm}'
 
   s.resources = ['SignalServiceKit/src/Security/PinningCertificate/textsecure.cer',
-                 'SignalServiceKit/src/Security/PinningCertificate/GIAG2.crt']
+                 'SignalServiceKit/src/Security/PinningCertificate/GIAG2.crt',
+                 'SignalServiceKit/src/Security/PinningCertificate/GSR2.crt',
+                 'SignalServiceKit/src/Security/PinningCertificate/GSR4.crt',
+                 'SignalServiceKit/src/Security/PinningCertificate/GTSR1.crt',
+                 'SignalServiceKit/src/Security/PinningCertificate/GTSR2.crt',
+                 'SignalServiceKit/src/Security/PinningCertificate/GTSR3.crt',
+                 'SignalServiceKit/src/Security/PinningCertificate/GTSR4.crt']
+
   s.prefix_header_file = 'SignalServiceKit/src/TSPrefix.h'
   s.xcconfig = { 'OTHER_CFLAGS' => '$(inherited) -DSQLITE_HAS_CODEC' }
 

SignalServiceKit/src/Network/OWSSignalService.m

@@ -5,6 +5,7 @@
 #import "OWSSignalService.h"
 #import "NSNotificationCenter+OWS.h"
 #import "OWSCensorshipConfiguration.h"
+#import "OWSError.h"
 #import "OWSHTTPSecurityPolicy.h"
 #import "TSAccountManager.h"
 #import "TSConstants.h"
@@ -157,7 +158,7 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange =
 - (AFHTTPSessionManager *)signalServiceSessionManager
 {
     if (self.isCensorshipCircumventionActive) {
-        DDLogInfo(@"%@ using reflector HTTPSessionManager", self.tag);
+        DDLogInfo(@"%@ using reflector HTTPSessionManager via: %@", self.tag, self.domainFrontingBaseURL);
         return self.reflectorSignalServiceSessionManager;
     } else {
         return self.defaultSignalServiceSessionManager;
@@ -186,13 +187,18 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange =
 
     // Target fronting domain
     OWSAssert(self.isCensorshipCircumventionActive);
-    NSString *frontingHost = [self.censorshipConfiguration frontingHost:localNumber];
+    
+    NSURL *baseURL;
+
     if (self.isCensorshipCircumventionManuallyActivated && self.manualCensorshipCircumventionDomain.length > 0) {
-        frontingHost = self.manualCensorshipCircumventionDomain;
-    };
-    NSURL *baseURL = [[NSURL alloc] initWithString:[self.censorshipConfiguration frontingHost:localNumber]];
-    OWSAssert(baseURL);
+        baseURL = [[NSURL alloc] initWithString:[NSString stringWithFormat:@"https://%@", self.manualCensorshipCircumventionDomain]];
+    }
     
+    if (baseURL == nil) {
+        baseURL = [[NSURL alloc] initWithString:[self.censorshipConfiguration frontingHost:localNumber]];
+    }
+    
+    OWSAssert(baseURL);
     return baseURL;
 }
 
@@ -217,7 +223,7 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange =
 - (AFHTTPSessionManager *)CDNSessionManager
 {
     if (self.isCensorshipCircumventionActive) {
-        DDLogInfo(@"%@ using reflector CDNSessionManager", self.tag);
+        DDLogInfo(@"%@ using reflector CDNSessionManager via: %@", self.tag, self.domainFrontingBaseURL);
         return self.reflectorCDNSessionManager;
     } else {
         return self.defaultCDNSessionManager;
@@ -259,35 +265,71 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange =
 
 #pragma mark - Google Pinning Policy
 
++ (nullable NSData *)certificateDataWithName:(NSString *)name error:(NSError **)error
+{
+    if (!name.length) {
+        OWSFail(@"%@ expected name with length > 0", self.tag);
+        *error = OWSErrorMakeAssertionError();
+        return nil;
+    }
+
+    NSString *path = [NSBundle.mainBundle pathForResource:name ofType:@"crt"];
+    if (![[NSFileManager defaultManager] fileExistsAtPath:path]) {
+        OWSFail(@"%@ Missing certificate for name: %@", self.tag, name);
+        *error = OWSErrorMakeAssertionError();
+        return nil;
+    }
+
+    NSData *_Nullable certData = [NSData dataWithContentsOfFile:path options:0 error:error];
+
+    if (*error != nil) {
+        OWSFail(@"%@ Failed to read cert file with path: %@", self.tag, path);
+        return nil;
+    }
+
+    if (certData.length == 0) {
+        OWSFail(@"%@ empty certData for name: %@", self.tag, name);
+        return nil;
+    }
+
+    DDLogVerbose(@"%@ read cert data with name: %@ length: %lu", self.tag, name, (unsigned long)certData.length);
+    return certData;
+}
+
 /**
  * We use the Google Pinning Policy when connecting to our censorship circumventing reflector,
  * which is hosted on Google.
  */
-+ (AFSecurityPolicy *)googlePinningPolicy {
++ (AFSecurityPolicy *)googlePinningPolicy
+{
     static AFSecurityPolicy *securityPolicy = nil;
     static dispatch_once_t onceToken;
     dispatch_once(&onceToken, ^{
-        NSError *error;
-        NSString *path = [NSBundle.mainBundle pathForResource:@"GIAG2" ofType:@"crt"];
-
-        if (![[NSFileManager defaultManager] fileExistsAtPath:path]) {
-            @throw [NSException
-                    exceptionWithName:@"Missing server certificate"
-                    reason:[NSString stringWithFormat:@"Missing signing certificate for service googlePinningPolicy"]
-                    userInfo:nil];
-        }
-        
-        NSData *googleCertData = [NSData dataWithContentsOfFile:path options:0 error:&error];
-        if (!googleCertData) {
+
+        NSMutableSet<NSData *> *certificates = [NSMutableSet new];
+
+        // GIAG2 cert plus root certs from pki.goog
+        NSArray<NSString *> *certNames = @[ @"GIAG2", @"GSR2", @"GSR4", @"GTSR1", @"GTSR2", @"GTSR3", @"GTSR4" ];
+
+        for (NSString *certName in certNames) {
+            NSError *error;
+            NSData *certData = [self certificateDataWithName:certName error:&error];
             if (error) {
-                @throw [NSException exceptionWithName:@"OWSSignalServiceHTTPSecurityPolicy" reason:@"Couln't read google pinning cert" userInfo:nil];
-            } else {
-                NSString *reason = [NSString stringWithFormat:@"Reading google pinning cert faile with error: %@", error];
-                @throw [NSException exceptionWithName:@"OWSSignalServiceHTTPSecurityPolicy" reason:reason userInfo:nil];
+                DDLogError(@"%@ Failed to get %@ certificate data with error: %@", self.tag, certName, error);
+                @throw [NSException exceptionWithName:@"OWSSignalService_UnableToReadCertificate"
+                                               reason:error.description
+                                             userInfo:nil];
             }
+
+            if (!certData) {
+                DDLogError(@"%@ No data for certificate: %@", self.tag, certName);
+                @throw [NSException exceptionWithName:@"OWSSignalService_UnableToReadCertificate"
+                                               reason:error.description
+                                             userInfo:nil];
+            }
+            [certificates addObject:certData];
         }
-        
-        NSSet<NSData *> *certificates = [NSSet setWithObject:googleCertData];
+
         securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate withPinnedCertificates:certificates];
     });
     return securityPolicy;