Add censorship circumvention support for KBS and Storage Service

This commit is contained in:
Nora Trapp 2020-02-05 19:18:31 -08:00
parent 37ead70db4
commit e737e0aa73
6 changed files with 56 additions and 34 deletions

View File

@ -636,8 +636,8 @@ NSString *const kProfileView_LastPresentedDate = @"kProfileView_LastPresentedDat
OWSAssertIsOnMainThread();
OWSLogVerbose(@"");
// If the user already has a pin or censorship circumvention is enabled, just go home
if ([OWS2FAManager sharedManager].is2FAEnabled || OWSSignalService.sharedInstance.isCensorshipCircumventionActive) {
// If the user already has a pin, just go home
if ([OWS2FAManager sharedManager].is2FAEnabled) {
return [self showConversationSplitView];
}

View File

@ -1,5 +1,5 @@
//
// Copyright (c) 2019 Open Whisper Systems. All rights reserved.
// Copyright (c) 2020 Open Whisper Systems. All rights reserved.
//
NS_ASSUME_NONNULL_BEGIN
@ -23,8 +23,6 @@ extern NSString *const OWSFrontingHost_GoogleQatar;
+ (BOOL)isCensoredPhoneNumber:(NSString *)e164PhoneNumber;
@property (nonatomic, readonly) NSString *signalServiceReflectorHost;
@property (nonatomic, readonly) NSString *CDNReflectorHost;
@property (nonatomic, readonly) NSURL *domainFrontBaseURL;
@property (nonatomic, readonly) AFSecurityPolicy *domainFrontSecurityPolicy;

View File

@ -1,5 +1,5 @@
//
// Copyright (c) 2019 Open Whisper Systems. All rights reserved.
// Copyright (c) 2020 Open Whisper Systems. All rights reserved.
//
#import "OWSCensorshipConfiguration.h"
@ -79,18 +79,6 @@ NSString *const OWSFrontingHost_Default = @"www.google.com";
return self;
}
// MARK: Public Getters
- (NSString *)signalServiceReflectorHost
{
return TSConstants.textSecureServiceReflectorHost;
}
- (NSString *)CDNReflectorHost
{
return TSConstants.textSecureCDNReflectorHost;
}
// MARK: Util
+ (NSDictionary<NSString *, NSString *> *)censoredCountryCodes

View File

@ -1,5 +1,5 @@
//
// Copyright (c) 2019 Open Whisper Systems. All rights reserved.
// Copyright (c) 2020 Open Whisper Systems. All rights reserved.
//
#import "OWSSignalService.h"
@ -240,7 +240,7 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange =
sessionManager.securityPolicy = censorshipConfiguration.domainFrontSecurityPolicy;
sessionManager.requestSerializer = [AFJSONRequestSerializer serializer];
[sessionManager.requestSerializer setValue:censorshipConfiguration.signalServiceReflectorHost
[sessionManager.requestSerializer setValue:TSConstants.censorshipReflectorHost
forHTTPHeaderField:@"Host"];
sessionManager.responseSerializer = [AFJSONResponseSerializer serializer];
// Disable default cookie handling for all requests.
@ -296,7 +296,7 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange =
sessionManager.securityPolicy = censorshipConfiguration.domainFrontSecurityPolicy;
sessionManager.requestSerializer = [AFJSONRequestSerializer serializer];
[sessionManager.requestSerializer setValue:censorshipConfiguration.CDNReflectorHost forHTTPHeaderField:@"Host"];
[sessionManager.requestSerializer setValue:TSConstants.censorshipReflectorHost forHTTPHeaderField:@"Host"];
sessionManager.responseSerializer = [AFJSONResponseSerializer serializer];
@ -306,6 +306,21 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange =
#pragma mark - Storage Service
- (AFHTTPSessionManager *)storageServiceSessionManager
{
AFHTTPSessionManager *result;
if (self.isCensorshipCircumventionActive) {
OWSCensorshipConfiguration *censorshipConfiguration = [self buildCensorshipConfiguration];
OWSLogInfo(@"using reflector storageServiceSessionManager via: %@", censorshipConfiguration.domainFrontBaseURL);
result = [self reflectorStorageServiceSessionManagerWithCensorshipConfiguration:censorshipConfiguration];
} else {
result = self.defaultStorageServiceSessionManager;
}
// By default, CDN content should be binary.
result.responseSerializer = [AFHTTPResponseSerializer serializer];
return result;
}
- (AFHTTPSessionManager *)defaultStorageServiceSessionManager
{
NSURL *baseURL = [[NSURL alloc] initWithString:TSConstants.storageServiceURL];
OWSAssertDebug(baseURL);
@ -324,6 +339,26 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange =
return sessionManager;
}
- (AFHTTPSessionManager *)reflectorStorageServiceSessionManagerWithCensorshipConfiguration:
(OWSCensorshipConfiguration *)censorshipConfiguration
{
NSURLSessionConfiguration *sessionConf = NSURLSessionConfiguration.ephemeralSessionConfiguration;
NSURL *frontingURL = censorshipConfiguration.domainFrontBaseURL;
NSURL *baseURL = [frontingURL URLByAppendingPathComponent:TSConstants.storageServiceCensorshipPrefix];
AFHTTPSessionManager *sessionManager =
[[AFHTTPSessionManager alloc] initWithBaseURL:baseURL sessionConfiguration:sessionConf];
sessionManager.securityPolicy = censorshipConfiguration.domainFrontSecurityPolicy;
sessionManager.requestSerializer = [AFJSONRequestSerializer serializer];
[sessionManager.requestSerializer setValue:TSConstants.censorshipReflectorHost forHTTPHeaderField:@"Host"];
sessionManager.responseSerializer = [AFJSONResponseSerializer serializer];
return sessionManager;
}
#pragma mark - Events
- (void)registrationStateDidChange:(NSNotification *)notification

View File

@ -6,17 +6,18 @@ private protocol TSConstantsProtocol: class {
var textSecureWebSocketAPI: String { get }
var textSecureServerURL: String { get }
var textSecureCDNServerURL: String { get }
var textSecureServiceReflectorHost: String { get }
var textSecureCDNReflectorHost: String { get }
var contactDiscoveryURL: String { get }
var keyBackupURL: String { get }
var storageServiceURL: String { get }
var kUDTrustRoot: String { get }
var censorshipReflectorHost: String { get }
var serviceCensorshipPrefix: String { get }
var cdnCensorshipPrefix: String { get }
var contactDiscoveryCensorshipPrefix: String { get }
var keyBackupCensorshipPrefix: String { get }
var storageServiceCensorshipPrefix: String { get }
var contactDiscoveryEnclaveName: String { get }
var contactDiscoveryMrEnclave: String { get }
@ -48,10 +49,6 @@ public class TSConstants: NSObject {
@objc
public static var textSecureCDNServerURL: String { return shared.textSecureCDNServerURL }
@objc
public static var textSecureServiceReflectorHost: String { return shared.textSecureServiceReflectorHost }
@objc
public static var textSecureCDNReflectorHost: String { return shared.textSecureCDNReflectorHost }
@objc
public static var contactDiscoveryURL: String { return shared.contactDiscoveryURL }
@objc
public static var keyBackupURL: String { return shared.keyBackupURL }
@ -60,6 +57,9 @@ public class TSConstants: NSObject {
@objc
public static var kUDTrustRoot: String { return shared.kUDTrustRoot }
@objc
public static var censorshipReflectorHost: String { return shared.censorshipReflectorHost }
@objc
public static var serviceCensorshipPrefix: String { return shared.serviceCensorshipPrefix }
@objc
@ -68,6 +68,8 @@ public class TSConstants: NSObject {
public static var contactDiscoveryCensorshipPrefix: String { return shared.contactDiscoveryCensorshipPrefix }
@objc
public static var keyBackupCensorshipPrefix: String { return shared.keyBackupCensorshipPrefix }
@objc
public static var storageServiceCensorshipPrefix: String { return shared.storageServiceCensorshipPrefix }
@objc
public static var contactDiscoveryEnclaveName: String { return shared.contactDiscoveryEnclaveName }
@ -145,18 +147,18 @@ private class TSConstantsProduction: TSConstantsProtocol {
public let textSecureWebSocketAPI = "wss://textsecure-service.whispersystems.org/v1/websocket/"
public let textSecureServerURL = "https://textsecure-service.whispersystems.org/"
public let textSecureCDNServerURL = "https://cdn.signal.org"
// Use same reflector for service and CDN
public let textSecureServiceReflectorHost = "europe-west1-signal-cdn-reflector.cloudfunctions.net"
public let textSecureCDNReflectorHost = "europe-west1-signal-cdn-reflector.cloudfunctions.net"
public let contactDiscoveryURL = "https://api.directory.signal.org"
public let keyBackupURL = "https://api.backup.signal.org"
public let storageServiceURL = "https://storage.signal.org"
public let kUDTrustRoot = "BXu6QIKVz5MA8gstzfOgRQGqyLqOwNKHL6INkv3IHWMF"
public let censorshipReflectorHost = "europe-west1-signal-cdn-reflector.cloudfunctions.net"
public let serviceCensorshipPrefix = "service"
public let cdnCensorshipPrefix = "cdn"
public let contactDiscoveryCensorshipPrefix = "directory"
public let keyBackupCensorshipPrefix = "backup"
public let storageServiceCensorshipPrefix = "storage"
public let contactDiscoveryEnclaveName = "cd6cfc342937b23b1bdd3bbf9721aa5615ac9ff50a75c5527d441cd3276826c9"
public var contactDiscoveryMrEnclave: String {
@ -185,17 +187,18 @@ private class TSConstantsStaging: TSConstantsProtocol {
public let textSecureWebSocketAPI = "wss://textsecure-service-staging.whispersystems.org/v1/websocket/"
public let textSecureServerURL = "https://textsecure-service-staging.whispersystems.org/"
public let textSecureCDNServerURL = "https://cdn-staging.signal.org"
public let textSecureServiceReflectorHost = "europe-west1-signal-cdn-reflector.cloudfunctions.net"
public let textSecureCDNReflectorHost = "europe-west1-signal-cdn-reflector.cloudfunctions.net"
public let contactDiscoveryURL = "https://api-staging.directory.signal.org"
public let keyBackupURL = "https://api-staging.backup.signal.org"
public let storageServiceURL = "https://storage-staging.signal.org"
public let kUDTrustRoot = "BbqY1DzohE4NUZoVF+L18oUPrK3kILllLEJh2UnPSsEx"
public let censorshipReflectorHost = "europe-west1-signal-cdn-reflector.cloudfunctions.net"
public let serviceCensorshipPrefix = "service-staging"
public let cdnCensorshipPrefix = "cdn-staging"
public let contactDiscoveryCensorshipPrefix = "directory-staging"
public let keyBackupCensorshipPrefix = "backup-staging"
public let storageServiceCensorshipPrefix = "storage-staging"
// CDS uses the same EnclaveName and MrEnclave
public let contactDiscoveryEnclaveName = "e0f7dee77dc9d705ccc1376859811da12ecec3b6119a19dc39bdfbf97173aa18"

View File

@ -34,8 +34,6 @@ public class RemoteConfig: NSObject {
// This feature latches "on" once they have a master key in KBS,
// even if we turn it off on the server they will keep using KBS.
guard !KeyBackupService.hasMasterKey else { return true }
// For now, KBS does not work for censorship circumvention users.
guard !OWSSignalService.sharedInstance().isCensorshipCircumventionActive else { return false }
return isEnabled("ios.kbs")
}