diff --git a/Podfile.lock b/Podfile.lock
index fedae6b00..5c5bdea45 100644
--- a/Podfile.lock
+++ b/Podfile.lock
@@ -170,7 +170,7 @@ SPEC CHECKSUMS:
PureLayout: 4d550abe49a94f24c2808b9b95db9131685fe4cd
Reachability: 33e18b67625424e47b6cde6d202dce689ad7af96
SAMKeychain: 483e1c9f32984d50ca961e26818a534283b4cd5c
- SignalServiceKit: bfac5572f3a1ff8a853ead9b5413274a075f3cb4
+ SignalServiceKit: b84d80de0bfd5f863994a1ce1f5b742b91c46cb5
SocketRocket: dbb1554b8fc288ef8ef370d6285aeca7361be31e
SQLCipher: 43d12c0eb9c57fb438749618fc3ce0065509a559
TwistedOakCollapsingFutures: f359b90f203e9ab13dfb92c9ff41842a7fe1cd0c
diff --git a/Signal.xcodeproj/project.pbxproj b/Signal.xcodeproj/project.pbxproj
index 512070ac8..700f37d3e 100644
--- a/Signal.xcodeproj/project.pbxproj
+++ b/Signal.xcodeproj/project.pbxproj
@@ -2040,6 +2040,12 @@
"${PODS_ROOT}/SAMKeychain/Support/SAMKeychain.bundle",
"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/textsecure.cer",
"${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GIAG2.crt",
+ "${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GSR2.crt",
+ "${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GSR4.crt",
+ "${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSR1.crt",
+ "${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSR2.crt",
+ "${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSR3.crt",
+ "${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSR4.crt",
);
name = "[CP] Copy Pods Resources";
outputPaths = (
diff --git a/Signal/Signal-Info.plist b/Signal/Signal-Info.plist
index 6a8e88db9..88a652edb 100644
--- a/Signal/Signal-Info.plist
+++ b/Signal/Signal-Info.plist
@@ -55,7 +55,7 @@
CFBundleVersion
- 2.18.0.7
+ 2.18.0.9
ITSAppUsesNonExemptEncryption
LOGS_EMAIL
diff --git a/Signal/src/ViewControllers/OWSCountryMetadata.m b/Signal/src/ViewControllers/OWSCountryMetadata.m
index 758a538d0..542100141 100644
--- a/Signal/src/ViewControllers/OWSCountryMetadata.m
+++ b/Signal/src/ViewControllers/OWSCountryMetadata.m
@@ -779,8 +779,8 @@ NS_ASSUME_NONNULL_BEGIN
googleDomain:@"google.co.ug"
countryCode:@"UG"],
[OWSCountryMetadata countryMetadataWithName:@"United States"
- tld:@".us"
- googleDomain:@"google.us"
+ tld:@".com"
+ googleDomain:@"google.com"
countryCode:@"US"],
[OWSCountryMetadata countryMetadataWithName:@"Uruguay"
tld:@".uy"
diff --git a/SignalServiceKit.podspec b/SignalServiceKit.podspec
index b71357df1..8c9bfd872 100644
--- a/SignalServiceKit.podspec
+++ b/SignalServiceKit.podspec
@@ -28,7 +28,14 @@ An Objective-C library for communicating with the Signal messaging service.
s.source_files = 'SignalServiceKit/src/**/*.{h,m,mm}'
s.resources = ['SignalServiceKit/src/Security/PinningCertificate/textsecure.cer',
- 'SignalServiceKit/src/Security/PinningCertificate/GIAG2.crt']
+ 'SignalServiceKit/src/Security/PinningCertificate/GIAG2.crt',
+ 'SignalServiceKit/src/Security/PinningCertificate/GSR2.crt',
+ 'SignalServiceKit/src/Security/PinningCertificate/GSR4.crt',
+ 'SignalServiceKit/src/Security/PinningCertificate/GTSR1.crt',
+ 'SignalServiceKit/src/Security/PinningCertificate/GTSR2.crt',
+ 'SignalServiceKit/src/Security/PinningCertificate/GTSR3.crt',
+ 'SignalServiceKit/src/Security/PinningCertificate/GTSR4.crt']
+
s.prefix_header_file = 'SignalServiceKit/src/TSPrefix.h'
s.xcconfig = { 'OTHER_CFLAGS' => '$(inherited) -DSQLITE_HAS_CODEC' }
diff --git a/SignalServiceKit/src/Network/OWSSignalService.m b/SignalServiceKit/src/Network/OWSSignalService.m
index 037ab126c..ad31ebbcc 100644
--- a/SignalServiceKit/src/Network/OWSSignalService.m
+++ b/SignalServiceKit/src/Network/OWSSignalService.m
@@ -5,6 +5,7 @@
#import "OWSSignalService.h"
#import "NSNotificationCenter+OWS.h"
#import "OWSCensorshipConfiguration.h"
+#import "OWSError.h"
#import "OWSHTTPSecurityPolicy.h"
#import "TSAccountManager.h"
#import "TSConstants.h"
@@ -157,7 +158,7 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange =
- (AFHTTPSessionManager *)signalServiceSessionManager
{
if (self.isCensorshipCircumventionActive) {
- DDLogInfo(@"%@ using reflector HTTPSessionManager", self.tag);
+ DDLogInfo(@"%@ using reflector HTTPSessionManager via: %@", self.tag, self.domainFrontingBaseURL);
return self.reflectorSignalServiceSessionManager;
} else {
return self.defaultSignalServiceSessionManager;
@@ -186,13 +187,18 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange =
// Target fronting domain
OWSAssert(self.isCensorshipCircumventionActive);
- NSString *frontingHost = [self.censorshipConfiguration frontingHost:localNumber];
+
+ NSURL *baseURL;
+
if (self.isCensorshipCircumventionManuallyActivated && self.manualCensorshipCircumventionDomain.length > 0) {
- frontingHost = self.manualCensorshipCircumventionDomain;
- };
- NSURL *baseURL = [[NSURL alloc] initWithString:[self.censorshipConfiguration frontingHost:localNumber]];
- OWSAssert(baseURL);
+ baseURL = [[NSURL alloc] initWithString:[NSString stringWithFormat:@"https://%@", self.manualCensorshipCircumventionDomain]];
+ }
+ if (baseURL == nil) {
+ baseURL = [[NSURL alloc] initWithString:[self.censorshipConfiguration frontingHost:localNumber]];
+ }
+
+ OWSAssert(baseURL);
return baseURL;
}
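Review bot: When the manually entered domain does not parse (line 107 — `initWithString:` returns nil for input that already carries a scheme, a path or whitespace), the nil check on line 109 silently replaces the user's explicit override with the automatic fronting host, and nothing records that the override was dropped; add an else-style guard after line 107, `if (!baseURL) { DDLogWarn(@"%@ manual censorship circumvention domain did not parse, falling back to default fronting host", self.tag); }`, so a user who set a domain can see why traffic still goes elsewhere. The two branches also treat their inputs differently: the manual value is prefixed with `https://` while the value from `frontingHost:` is handed to `initWithString:` verbatim, which presumably means that helper returns a full URL string rather than a bare host — worth a one-line comment on line 110 confirming which it is. `NSURL *baseURL;` on line 100 relies on ARC zero-initialising a strong local; writing `NSURL *baseURL = nil;` makes the intent explicit. The method's signature and the `localNumber` it reads begin before this hunk.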
@@ -217,7 +223,7 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange =
- (AFHTTPSessionManager *)CDNSessionManager
{
if (self.isCensorshipCircumventionActive) {
- DDLogInfo(@"%@ using reflector CDNSessionManager", self.tag);
+ DDLogInfo(@"%@ using reflector CDNSessionManager via: %@", self.tag, self.domainFrontingBaseURL);
return self.reflectorCDNSessionManager;
} else {
return self.defaultCDNSessionManager;
@@ -259,35 +265,71 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange =
#pragma mark - Google Pinning Policy
++ (nullable NSData *)certificateDataWithName:(NSString *)name error:(NSError **)error
+{
+ if (!name.length) {
+ OWSFail(@"%@ expected name with length > 0", self.tag);
+ *error = OWSErrorMakeAssertionError();
+ return nil;
+ }
+
+ NSString *path = [NSBundle.mainBundle pathForResource:name ofType:@"crt"];
+ if (![[NSFileManager defaultManager] fileExistsAtPath:path]) {
+ OWSFail(@"%@ Missing certificate for name: %@", self.tag, name);
+ *error = OWSErrorMakeAssertionError();
+ return nil;
+ }
+
+ NSData *_Nullable certData = [NSData dataWithContentsOfFile:path options:0 error:error];
+
+ if (*error != nil) {
+ OWSFail(@"%@ Failed to read cert file with path: %@", self.tag, path);
+ return nil;
+ }
+
+ if (certData.length == 0) {
+ OWSFail(@"%@ empty certData for name: %@", self.tag, name);
+ return nil;
+ }
+
+ DDLogVerbose(@"%@ read cert data with name: %@ length: %lu", self.tag, name, (unsigned long)certData.length);
+ return certData;
+}
+
/**
* We use the Google Pinning Policy when connecting to our censorship circumventing reflector,
* which is hosted on Google.
*/
-+ (AFSecurityPolicy *)googlePinningPolicy {
++ (AFSecurityPolicy *)googlePinningPolicy
+{
static AFSecurityPolicy *securityPolicy = nil;
static dispatch_once_t onceToken;
dispatch_once(&onceToken, ^{
- NSError *error;
- NSString *path = [NSBundle.mainBundle pathForResource:@"GIAG2" ofType:@"crt"];
-
- if (![[NSFileManager defaultManager] fileExistsAtPath:path]) {
- @throw [NSException
- exceptionWithName:@"Missing server certificate"
- reason:[NSString stringWithFormat:@"Missing signing certificate for service googlePinningPolicy"]
- userInfo:nil];
- }
-
- NSData *googleCertData = [NSData dataWithContentsOfFile:path options:0 error:&error];
- if (!googleCertData) {
+
+ NSMutableSet *certificates = [NSMutableSet new];
+
+ // GIAG2 cert plus root certs from pki.goog
+ NSArray *certNames = @[ @"GIAG2", @"GSR2", @"GSR4", @"GTSR1", @"GTSR2", @"GTSR3", @"GTSR4" ];
+
+ for (NSString *certName in certNames) {
+ NSError *error;
+ NSData *certData = [self certificateDataWithName:certName error:&error];
if (error) {
- @throw [NSException exceptionWithName:@"OWSSignalServiceHTTPSecurityPolicy" reason:@"Couln't read google pinning cert" userInfo:nil];
- } else {
- NSString *reason = [NSString stringWithFormat:@"Reading google pinning cert faile with error: %@", error];
- @throw [NSException exceptionWithName:@"OWSSignalServiceHTTPSecurityPolicy" reason:reason userInfo:nil];
+ DDLogError(@"%@ Failed to get %@ certificate data with error: %@", self.tag, certName, error);
+ @throw [NSException exceptionWithName:@"OWSSignalService_UnableToReadCertificate"
+ reason:error.description
+ userInfo:nil];
}
+
+ if (!certData) {
+ DDLogError(@"%@ No data for certificate: %@", self.tag, certName);
+ @throw [NSException exceptionWithName:@"OWSSignalService_UnableToReadCertificate"
+ reason:error.description
+ userInfo:nil];
+ }
+ [certificates addObject:certData];
}
-
- NSSet *certificates = [NSSet setWithObject:googleCertData];
+
securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate withPinnedCertificates:certificates];
});
return securityPolicy;
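Review bot: `certificateDataWithName:error:` writes through `error` unconditionally on lines 131 and 138 and dereferences it on line 144, so any caller that passes `NULL` for the out-parameter (the only caller today passes `&error`, but the signature invites it) crashes; each write should be guarded with `if (error)`, and line 144 should test the return value rather than the out-parameter, since `dataWithContentsOfFile:options:error:` signals failure through its nil return. In the caller, the `if (!certData)` branch on lines 200–204 is only reached when `error` is nil (a non-nil error already threw on line 189), so `reason:error.description` on line 203 passes nil; use `reason:[NSString stringWithFormat:@"No data for certificate: %@", certName]` instead. The comment on line 183 could also state what pinning to the GSR/GTSR roots implies — with `AFSSLPinningModeCertificate` the policy accepts any chain terminating in one of the pinned certificates, so the added roots widen acceptance beyond the single GIAG2 intermediate; presumably intentional for the Google-hosted reflector, but worth saying next to the list.
```objc
// … unchanged: name-length guard, with its `*error = …` wrapped as below …
        if (error) {
            *error = OWSErrorMakeAssertionError();
        }
// … unchanged: path lookup and fileExistsAtPath: guard, wrapped the same way …
    NSError *readError;
    NSData *_Nullable certData = [NSData dataWithContentsOfFile:path options:0 error:&readError];
    // Check the return value, not the out-param: NSData populates readError only on failure.
    if (!certData) {
        OWSFail(@"%@ Failed to read cert file with path: %@", self.tag, path);
        if (error) {
            *error = readError;
        }
        return nil;
    }
// … unchanged: empty-data guard, verbose log and return …
```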
diff --git a/SignalServiceKit/src/Security/PinningCertificate/GSR2.crt b/SignalServiceKit/src/Security/PinningCertificate/GSR2.crt
new file mode 100644
index 000000000..4d937187e
Binary files /dev/null and b/SignalServiceKit/src/Security/PinningCertificate/GSR2.crt differ
diff --git a/SignalServiceKit/src/Security/PinningCertificate/GSR4.crt b/SignalServiceKit/src/Security/PinningCertificate/GSR4.crt
new file mode 100644
index 000000000..160d545fc
Binary files /dev/null and b/SignalServiceKit/src/Security/PinningCertificate/GSR4.crt differ
diff --git a/SignalServiceKit/src/Security/PinningCertificate/GTSR1.crt b/SignalServiceKit/src/Security/PinningCertificate/GTSR1.crt
new file mode 100644
index 000000000..c0310642c
Binary files /dev/null and b/SignalServiceKit/src/Security/PinningCertificate/GTSR1.crt differ
diff --git a/SignalServiceKit/src/Security/PinningCertificate/GTSR2.crt b/SignalServiceKit/src/Security/PinningCertificate/GTSR2.crt
new file mode 100644
index 000000000..79e2a480b
Binary files /dev/null and b/SignalServiceKit/src/Security/PinningCertificate/GTSR2.crt differ
diff --git a/SignalServiceKit/src/Security/PinningCertificate/GTSR3.crt b/SignalServiceKit/src/Security/PinningCertificate/GTSR3.crt
new file mode 100644
index 000000000..310219dfa
Binary files /dev/null and b/SignalServiceKit/src/Security/PinningCertificate/GTSR3.crt differ
diff --git a/SignalServiceKit/src/Security/PinningCertificate/GTSR4.crt b/SignalServiceKit/src/Security/PinningCertificate/GTSR4.crt
new file mode 100644
index 000000000..13d993b9e
Binary files /dev/null and b/SignalServiceKit/src/Security/PinningCertificate/GTSR4.crt differ