Use SocketRocket pluggable policies (#15)

* Use SocketRocket pluggable policies Pluggable policies are currently only in our fork, but pending upstream PR: https://github.com/facebook/SocketRocket/pull/429 Also: * rebased SocketRocket against latest upstream to incorporate bug fixes. * adapt to new upstream API for error handling (vs previous exception throwing) * renamed AFSecurityOWSPolicy -> OWSHTTPSecurityPolicy to differentiate it from OSWWebSocketSecurityPolicy * Follow conventional singleton pattern with onceToken * bump xcode version to play nice with SWIFT_NAME in SocketRocket // FREEBIE
9 years ago · 664162fe24
parent 80671b247f
commit 664162fe24
11 changed files with 78 additions and 48 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -1,7 +1,6 @@
 language: objective-c

-osx_image: xcode7.1
-xcode_sdk: iphonesimulator9.1
+osx_image: xcode7.3
 env:
  - TEST_DIR=Example/TSKitiOSTestApp

@ -14,6 +13,11 @@ before_install:

 install: pod install

+script:
+- |
+  set -o pipefail
+  xcodebuild -workspace TSKitiOSTestApp.xcworkspace -scheme TSKitiOSTestApp -sdk iphonesimulator build test
+
 xcode_workspace: TSKitiOSTestApp.xcworkspace
 xcode_scheme: TSKitiOSTestApp

--- a/Example/TSKitiOSTestApp/Podfile
+++ b/Example/TSKitiOSTestApp/Podfile
@ -2,8 +2,8 @@ platform :ios, '8.0'
 source 'https://github.com/CocoaPods/Specs.git'

 target 'TSKitiOSTestApp' do
+  pod 'SocketRocket', git: 'https://github.com/WhisperSystems/SocketRocket.git', branch: 'pluggable-security-policies'
  pod 'SignalServiceKit', :path => '../../SignalServiceKit.podspec'
-  pod 'SocketRocket', git: 'https://github.com/WhisperSystems/SocketRocket.git', branch: 'signal-ios'

  target 'TSKitiOSTestAppTests' do
     inherit! :search_paths
--- a/Example/TSKitiOSTestApp/Podfile.lock
+++ b/Example/TSKitiOSTestApp/Podfile.lock
@ -34,7 +34,7 @@ PODS:
  - Mantle/extobjc (2.0.7)
  - ProtocolBuffers (1.9.10)
  - Reachability (3.2)
-  - SignalServiceKit (0.0.4):
+  - SignalServiceKit (0.0.6):
    - '25519'
    - AFNetworking
    - AxolotlKit
@ -105,18 +105,18 @@ PODS:

 DEPENDENCIES:
  - SignalServiceKit (from `../../SignalServiceKit.podspec`)
-  - SocketRocket (from `https://github.com/WhisperSystems/SocketRocket.git`, branch `signal-ios`)
+  - SocketRocket (from `https://github.com/WhisperSystems/SocketRocket.git`, branch `pluggable-security-policies`)

 EXTERNAL SOURCES:
  SignalServiceKit:
    :path: "../../SignalServiceKit.podspec"
  SocketRocket:
-    :branch: signal-ios
+    :branch: pluggable-security-policies
    :git: https://github.com/WhisperSystems/SocketRocket.git

 CHECKOUT OPTIONS:
  SocketRocket:
-    :commit: 587ad297eb63eb0d64d4caeb32a7da646ad1132b
+    :commit: cb2cf164c0d215aaff4666918efcc2fca33fc54b
    :git: https://github.com/WhisperSystems/SocketRocket.git

 SPEC CHECKSUMS:
@ -129,7 +129,7 @@ SPEC CHECKSUMS:
  Mantle: bc40bb061d8c2c6fb48d5083e04d928c3b7f73d9
  ProtocolBuffers: d088180c10072b3d24a9939a6314b7b9bcc2340b
  Reachability: 33e18b67625424e47b6cde6d202dce689ad7af96
-  SignalServiceKit: e27a3025c2d5c61696386e44a50ac8d2fe83151e
+  SignalServiceKit: 850620cd1535f8628474121e7ea142ff1fe236a6
  SocketRocket: 3f77ec2104cc113add553f817ad90a77114f5d43
  SQLCipher: 4c768761421736a247ed6cf412d9045615d53dff
  SSKeychain: c71293fa57216a40ab06c23f4085387583293de4
@ -137,6 +137,6 @@ SPEC CHECKSUMS:
  UnionFind: c33be5adb12983981d6e827ea94fc7f9e370f52d
  YapDatabase: c00f4197bba2fea17bdbd82c8e8e3f7104b6fa67

-PODFILE CHECKSUM: 6bebc6fc58d19a6a56c27878035f7a074da10006
+PODFILE CHECKSUM: 2954694f716c25ed9c0cbb599e1dae9612f0da5e

 COCOAPODS: 1.0.1
--- a/SignalServiceKit.podspec
+++ b/SignalServiceKit.podspec
@ -8,7 +8,7 @@

 Pod::Spec.new do |s|
  s.name             = "SignalServiceKit"
-  s.version          = "0.0.5"
+  s.version          = "0.0.6"
  s.summary          = "An Objective-C library for communicating with the Signal messaging service."

  s.description      = <<-DESC
--- a/src/Network/API/TSNetworkManager.m
+++ b/src/Network/API/TSNetworkManager.m
@ -8,7 +8,7 @@

 #import <AFNetworking/AFNetworking.h>

-#import "AFSecurityOWSPolicy.h"
+#import "OWSHTTPSecurityPolicy.h"

 #import "NSURLSessionDataTask+StatusCode.h"
 #import "TSAccountManager.h"
@ -45,7 +45,7 @@ typedef void (^failureBlock)(NSURLSessionDataTask *task, NSError *error);
        self.operationManager =
            [[AFHTTPSessionManager alloc] initWithBaseURL:[[NSURL alloc] initWithString:textSecureServerURL]
                                     sessionConfiguration:sessionConf];
-        self.operationManager.securityPolicy = [AFSecurityOWSPolicy OWS_PinningPolicy];
+        self.operationManager.securityPolicy = [OWSHTTPSecurityPolicy sharedPolicy];
    }
    return self;
 }
--- a/src/Network/WebSockets/TSSocketManager.m
+++ b/src/Network/WebSockets/TSSocketManager.m
@ -14,7 +14,7 @@
 #import "TSSocketManager.h"
 #import "TSStorageManager+keyingMaterial.h"

-#import "AFSecurityOWSPolicy.h"
+#import "OWSWebsocketSecurityPolicy.h"
 #import "Cryptography.h"

 #define kWebSocketHeartBeat 30
@ -100,9 +100,8 @@ NSString *const SocketConnectingNotification = @"SocketConnectingNotification";
        [textSecureWebSocketAPI stringByAppendingString:[[self sharedManager] webSocketAuthenticationString]];
    NSURL *webSocketConnectURL   = [NSURL URLWithString:webSocketConnect];
    NSMutableURLRequest *request = [[NSMutableURLRequest alloc] initWithURL:webSocketConnectURL];
-    request.SR_securityPolicy    = [AFSecurityOWSPolicy OWS_PinningPolicy];

-    socket          = [[SRWebSocket alloc] initWithURLRequest:request];
+    socket          = [[SRWebSocket alloc] initWithURLRequest:request securityPolicy:[OWSWebsocketSecurityPolicy sharedPolicy]];
    socket.delegate = [self sharedManager];

    [[self sharedManager] setWebsocket:socket];
@ -226,10 +225,11 @@ NSString *const SocketConnectingNotification = @"SocketConnectingNotification";
 }

 - (void)webSocketHeartBeat {
-    @try {
-        [self.websocket sendPing:nil];
-    } @catch (NSException *exception) {
-        DDLogWarn(@"Caught exception while trying to write on the socket %@", exception.debugDescription);
+    NSError *error;
+
+    [self.websocket sendPing:nil error:&error];
+    if (error) {
+        DDLogWarn(@"Error in websocket heartbeat: %@", error.localizedDescription);
    }
 }

--- a/src/Security/AFSecurityOWSPolicy.h
+++ b/src/Security/AFSecurityOWSPolicy.h
@ -1,16 +0,0 @@
-//
-//  AFSecurityPolicyNone.h
-//  Signal
-//
-//  Created by Fred on 01/09/15.
-//  Copyright © 2015 Open Whisper Systems. All rights reserved.
-//
-
-#import <SocketRocket/NSURLRequest+SRWebSocket.h>
-#import "AFSecurityPolicy.h"
-
-@interface AFSecurityOWSPolicy : AFSecurityPolicy <SRSecurityPolicy>
-
-+ (instancetype)OWS_PinningPolicy;
-
-@end
--- a/src/Security/OWSHTTPSecurityPolicy.h
+++ b/src/Security/OWSHTTPSecurityPolicy.h
@ -0,0 +1,12 @@
+//
+//  Created by Fred on 01/09/15.
+//  Copyright © 2015 Open Whisper Systems. All rights reserved.
+//
+
+#import <AFNetworking/AFSecurityPolicy.h>
+
+@interface OWSHTTPSecurityPolicy : AFSecurityPolicy
+
+ (instancetype)sharedPolicy;
+
+@end
--- a/src/Security/OWSHTTPSecurityPolicy.m
+++ b/src/Security/OWSHTTPSecurityPolicy.m
@ -1,23 +1,21 @@
 //
-//  AFSecurityPolicyNone.m
-//  Signal
-//
 //  Created by Fred on 01/09/15.
 //  Copyright © 2015 Open Whisper Systems. All rights reserved.
 //

+#import "OWSHTTPSecurityPolicy.h"
+
 #import <AssertMacros.h>
-#import "AFSecurityOWSPolicy.h"

-@implementation AFSecurityOWSPolicy
+@implementation OWSHTTPSecurityPolicy

-+ (instancetype)OWS_PinningPolicy {
-    static AFSecurityOWSPolicy *sharedMyManager = nil;
-    @synchronized(self) {
-        if (sharedMyManager == nil)
-            sharedMyManager = [[self alloc] initWithOWSPolicy];
-    }
-    return sharedMyManager;
+ (instancetype)sharedPolicy {
+    static OWSHTTPSecurityPolicy *httpSecurityPolicy = nil;
+    static dispatch_once_t onceToken;
+    dispatch_once(&onceToken, ^{
+        httpSecurityPolicy = [[self alloc] initWithOWSPolicy];
+    });
+    return httpSecurityPolicy;
 }

 - (instancetype)initWithOWSPolicy {
@ -84,7 +82,6 @@
    return YES;
 }

-
 static BOOL AFServerTrustIsValid(SecTrustRef serverTrust) {
    BOOL isValid = NO;
    SecTrustResultType result;
--- a/src/Security/OWSWebsocketSecurityPolicy.h
+++ b/src/Security/OWSWebsocketSecurityPolicy.h
@ -0,0 +1,9 @@
+//  Copyright © 2016 Open Whisper Systems. All rights reserved.
+
+#import <SocketRocket/SRSecurityPolicy.h>
+
+@interface OWSWebsocketSecurityPolicy : SRSecurityPolicy
+
+ (instancetype)sharedPolicy;
+
+@end
--- a/src/Security/OWSWebsocketSecurityPolicy.m
+++ b/src/Security/OWSWebsocketSecurityPolicy.m
@ -0,0 +1,24 @@
+//  Copyright © 2016 Open Whisper Systems. All rights reserved.
+
+#import "OWSWebsocketSecurityPolicy.h"
+
+#import <SocketRocket/SRSecurityPolicy.h>
+#import "OWSHTTPSecurityPolicy.h"
+
+@implementation OWSWebsocketSecurityPolicy
+
+ (instancetype)sharedPolicy {
+    static OWSWebsocketSecurityPolicy *websocketSecurityPolicy = nil;
+    static dispatch_once_t onceToken;
+    dispatch_once(&onceToken, ^{
+        websocketSecurityPolicy = [[self alloc] initWithCertificateChainValidationEnabled:NO];
+    });
+    return websocketSecurityPolicy;
+}
+
+- (BOOL)evaluateServerTrust:(SecTrustRef)serverTrust forDomain:(NSString *)domain {
+  // Delegate server trust to our existing HTTP policy.
+  return [[OWSHTTPSecurityPolicy sharedPolicy] evaluateServerTrust:serverTrust forDomain:domain];
+}
+
+@end