From e39e9774a46498a083baec88fc8a00e82bfc2dcf Mon Sep 17 00:00:00 2001 From: Nora Trapp Date: Tue, 25 Jun 2019 18:41:42 -0700 Subject: [PATCH] Interact with cloudfront directly for iOS 13 --- .../src/Network/OWSCensorshipConfiguration.h | 2 ++ .../src/Network/OWSSignalService.m | 26 ++++++++++++++++++- SignalServiceKit/src/TSConstants.h | 1 + 3 files changed, 28 insertions(+), 1 deletion(-) diff --git a/SignalServiceKit/src/Network/OWSCensorshipConfiguration.h b/SignalServiceKit/src/Network/OWSCensorshipConfiguration.h index 5b0a161933..84d8614679 100644 --- a/SignalServiceKit/src/Network/OWSCensorshipConfiguration.h +++ b/SignalServiceKit/src/Network/OWSCensorshipConfiguration.h @@ -23,6 +23,8 @@ extern NSString *const OWSFrontingHost_GoogleQatar; + (BOOL)isCensoredPhoneNumber:(NSString *)e164PhoneNumber; ++ (AFSecurityPolicy *)pinningPolicyWithCertNames:(NSArray *)certNames; + @property (nonatomic, readonly) NSString *signalServiceReflectorHost; @property (nonatomic, readonly) NSString *CDNReflectorHost; @property (nonatomic, readonly) NSURL *domainFrontBaseURL; diff --git a/SignalServiceKit/src/Network/OWSSignalService.m b/SignalServiceKit/src/Network/OWSSignalService.m index d882d2e32b..8b1648e5e9 100644 --- a/SignalServiceKit/src/Network/OWSSignalService.m +++ b/SignalServiceKit/src/Network/OWSSignalService.m @@ -239,7 +239,13 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange = OWSLogInfo(@"using reflector CDNSessionManager via: %@", censorshipConfiguration.domainFrontBaseURL); result = [self reflectorCDNSessionManagerWithCensorshipConfiguration:censorshipConfiguration]; } else { - result = self.defaultCDNSessionManager; + // On iOS 13 there is a bug that currently prevents us from telling iOS our CDN is trusted. + // As a workaround, connect to cloudfront directly for now. + if (@available(iOS 13, *)) { + result = self.iOS13CDNSessionManager; + } else { + result = self.defaultCDNSessionManager; + } } // By default, CDN content should be binary. result.responseSerializer = [AFHTTPResponseSerializer serializer]; @@ -263,6 +269,24 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange = return sessionManager; } +- (AFHTTPSessionManager *)iOS13CDNSessionManager +{ + NSURL *baseURL = [[NSURL alloc] initWithString:textSecureDirectCDNServerURL]; + OWSAssertDebug(baseURL); + + NSURLSessionConfiguration *sessionConf = NSURLSessionConfiguration.ephemeralSessionConfiguration; + AFHTTPSessionManager *sessionManager = [[AFHTTPSessionManager alloc] initWithBaseURL:baseURL + sessionConfiguration:sessionConf]; + + sessionManager.securityPolicy = + [OWSCensorshipConfiguration pinningPolicyWithCertNames:@[ @"DigiCertGlobalRootG2" ]]; + + // Default acceptable content headers are rejected by AWS + sessionManager.responseSerializer.acceptableContentTypes = nil; + + return sessionManager; +} + - (AFHTTPSessionManager *)reflectorCDNSessionManagerWithCensorshipConfiguration: (OWSCensorshipConfiguration *)censorshipConfiguration { diff --git a/SignalServiceKit/src/TSConstants.h b/SignalServiceKit/src/TSConstants.h index 7eab9a536f..4fc920edb6 100644 --- a/SignalServiceKit/src/TSConstants.h +++ b/SignalServiceKit/src/TSConstants.h @@ -28,6 +28,7 @@ typedef NS_ENUM(NSInteger, TSWhisperMessageType) { #define textSecureWebSocketAPI @"wss://textsecure-service.whispersystems.org/v1/websocket/" #define textSecureServerURL @"https://textsecure-service.whispersystems.org/" #define textSecureCDNServerURL @"https://cdn.signal.org" +#define textSecureDirectCDNServerURL @"https://d83eunklitikj.cloudfront.net" // Use same reflector for service and CDN #define textSecureServiceReflectorHost @"europe-west1-signal-cdn-reflector.cloudfunctions.net" #define textSecureCDNReflectorHost @"europe-west1-signal-cdn-reflector.cloudfunctions.net"