Alternative approach to disabling certificate pinning

2019-05-15 20:06:12 -07:00 · 2019-05-15 20:06:12 -07:00 · e4a46fd74e
parent f2a5de13d5
commit e4a46fd74e
7 changed files with 34 additions and 45 deletions
--- a/ChatSecure/Classes/Controllers/XMPP/OTRXMPPManager.m
+++ b/ChatSecure/Classes/Controllers/XMPP/OTRXMPPManager.m
@ -107,8 +107,8 @@ typedef NS_ENUM(NSInteger, XMPPClientState) {
 #pragma mark Private
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

- (OTRXMPPStream*) newStream {
-    return [[OTRXMPPStream alloc] init];
+- (XMPPStream*) newStream {
+    return [[XMPPStream alloc] init];
 }

 - (void)setupStream
@ -121,7 +121,9 @@ typedef NS_ENUM(NSInteger, XMPPClientState) {
    self.xmppStream.tag = self.account.uniqueId;
    self.xmppStream.startTLSPolicy = XMPPStreamStartTLSPolicyRequired;
    
+    if (self.account.certificatePinning) {
        [self.certificatePinningModule activate:self.xmppStream];
+    }
    
    _deliveryReceipts = [[XMPPMessageDeliveryReceipts alloc] init];
    // We want to check if OTR messages can be decrypted
@ -458,9 +460,6 @@ typedef NS_ENUM(NSInteger, XMPPClientState) {
 	//	myJID = @"user@gmail.com/xmppframework";
 	//	myPassword = @"";
    
-	
-    
-    
    NSError * error = nil;
    NSString * domainString = [self accountDomainWithError:error];
    if (error) {
@ -473,9 +472,6 @@ typedef NS_ENUM(NSInteger, XMPPClientState) {
    
    [self.xmppStream setHostPort:self.account.port];
    
-    [self.xmppStream setCertificatePinning:self.account.certificatePinning];
-	
-    
 	error = nil;
 	if (![self.xmppStream connectWithTimeout:XMPPStreamTimeoutNone error:&error])
 	{
@ -786,7 +782,10 @@ typedef NS_ENUM(NSInteger, XMPPClientState) {
    
    settings[GCDAsyncSocketSSLProtocolVersionMin] = @(kTLSProtocol1);
    settings[GCDAsyncSocketSSLCipherSuites] = [OTRUtilities cipherSuites];
+    
+    if (self.account.certificatePinning) {
        settings[GCDAsyncSocketManuallyEvaluateTrust] = @(YES);
+    }
    
    self.loginStatus = OTRLoginStatusSecuring;
 }
@ -816,8 +815,6 @@ typedef NS_ENUM(NSInteger, XMPPClientState) {
 {
    //DDLogWarn(@"%@: %@ %@", THIS_FILE, THIS_METHOD, error);
    
-    self.loginStatus = OTRLoginStatusDisconnected;
-    
    if (error)
    {
        DDLogError(@"Disconnected from server %@ with error: %@", self.account.bareJID.domain, error);
@ -826,6 +823,8 @@ typedef NS_ENUM(NSInteger, XMPPClientState) {
        DDLogError(@"Disconnected from server %@.", self.account.bareJID.domain);
    }
    
+    self.loginStatus = OTRLoginStatusDisconnected;
+    
    //Reset buddy info to offline
    __block NSArray<OTRXMPPBuddy*> *allBuddies = nil;
    __block NSArray<OTRXMPPRoom*> *allRooms = nil;
--- a/ChatSecure/Classes/Controllers/XMPP/OTRXMPPManager_Private.h
+++ b/ChatSecure/Classes/Controllers/XMPP/OTRXMPPManager_Private.h
@ -17,7 +17,7 @@
 NS_ASSUME_NONNULL_BEGIN
@interface OTRXMPPManager() <OTRCertificatePinningDelegate>

-@property (nonatomic, strong, readonly) OTRXMPPStream *xmppStream;
+@property (nonatomic, strong, readonly) XMPPStream *xmppStream;
@property (nonatomic, strong, readonly) XMPPReconnect *xmppReconnect;
@property (nonatomic, strong, readonly) XMPPvCardTempModule *xmppvCardTempModule;
@property (nonatomic, strong, readonly) XMPPvCardAvatarModule *xmppvCardAvatarModule;
@ -57,7 +57,7 @@ NS_ASSUME_NONNULL_BEGIN
 - (void) connectUserInitiated:(BOOL)userInitiated;

 /** Return a newly allocated stream object. This is overridden in OTRXMPPTorManager to use ProxyXMPPStream instead of OTRXMPPStream */
- (OTRXMPPStream*) newStream;
+- (XMPPStream*) newStream;

@end
 NS_ASSUME_NONNULL_END
--- a/ChatSecure/Classes/Controllers/XMPP/OTRXMPPStream.h
+++ b/ChatSecure/Classes/Controllers/XMPP/OTRXMPPStream.h
@ -9,10 +9,10 @@
@import Foundation;
@import XMPPFramework;

-@interface OTRXMPPStream : XMPPStream
-
-@property (nonatomic, readonly) BOOL certificatePinning;
-
- (void)setCertificatePinning:(BOOL)certificatePinning;
-
-@end
+//@interface OTRXMPPStream : XMPPStream
+//
+//@property (nonatomic, readonly) BOOL certificatePinning;
+//
+//- (void)setCertificatePinning:(BOOL)certificatePinning;
+//
+//@end
--- a/ChatSecure/Classes/Controllers/XMPP/OTRXMPPStream.m
+++ b/ChatSecure/Classes/Controllers/XMPP/OTRXMPPStream.m
@ -7,12 +7,12 @@
 //

 #import "OTRXMPPStream.h"
-
-@implementation OTRXMPPStream
-
- (void)setCertificatePinning:(BOOL)certificatePinning
-{
-    _certificatePinning = certificatePinning;
-}
-
-@end
+//
+//@implementation OTRXMPPStream
+//
+//- (void)setCertificatePinning:(BOOL)certificatePinning
+//{
+//    _certificatePinning = certificatePinning;
+//}
+//
+//@end
--- a/ChatSecure/Classes/Controllers/XMPP/OTRXMPPTorManager.m
+++ b/ChatSecure/Classes/Controllers/XMPP/OTRXMPPTorManager.m
@ -30,7 +30,7 @@
 }

 /** Override XMPPStream with XMPPProxyStream */
- (OTRXMPPStream*) newStream {
+- (XMPPStream*) newStream {
    return [[ProxyXMPPStream alloc] init];
 }

--- a/ChatSecure/Classes/Controllers/XMPP/ProxyXMPPStream.h
+++ b/ChatSecure/Classes/Controllers/XMPP/ProxyXMPPStream.h
@ -9,7 +9,7 @@
 #import "OTRXMPPStream.h"
@import ProxyKit;

-@interface ProxyXMPPStream : OTRXMPPStream
+@interface ProxyXMPPStream : XMPPStream

 /**
 * Sets SOCKS proxy host and port
--- a/ChatSecure/Classes/Utilities/OTRCertificatePinning.m
+++ b/ChatSecure/Classes/Utilities/OTRCertificatePinning.m
@ -17,7 +17,6 @@

 #import "OTRConstants.h"
 #import "OTRLog.h"
-#import "OTRXMPPStream.h"


 ///////////////////////////////////////////////
@ -297,19 +296,15 @@ static id AFPublicKeyForCertificate(NSData *certificate) {
 **/
 #pragma - mark GCDAsyncSockeTDelegate Methods

- (void)xmppStream:(OTRXMPPStream *)sender didReceiveTrust:(SecTrustRef)trust completionHandler:(void (^)(BOOL))completionHandler
+- (void)xmppStream:(XMPPStream *)sender didReceiveTrust:(SecTrustRef)trust completionHandler:(void (^)(BOOL))completionHandler
 {
-    BOOL certificatePinning = sender.certificatePinning;
    NSString *hostName = sender.myJID.domain;
    // We should have a hostName. If we don't, something is wrong.
    NSParameterAssert(hostName.length > 0);
    if (!hostName.length) {
        completionHandler(NO);
    }
-    BOOL trusted = NO;
-    if (certificatePinning) {
-        trusted = [self isValidPinnedTrust:trust withHostName:hostName];
-    }
+    BOOL trusted = [self isValidPinnedTrust:trust withHostName:hostName];
    if (!trusted) {
        //Delegate firing off for user to verify with status
        SecTrustResultType result;
@ -317,16 +312,11 @@ static id AFPublicKeyForCertificate(NSData *certificate) {
        SecTrustSetPolicies(trust, policy);
        OSStatus status =  SecTrustEvaluate(trust, &result);
        CFRelease(policy);
-        if (!certificatePinning && (result == kSecTrustResultProceed || result == kSecTrustResultUnspecified)) {
-            trusted = YES;
-        } else if ([self.delegate respondsToSelector:@selector(newTrust:withHostName:systemTrustResult:)] && status == noErr) {
+        if ([self.delegate respondsToSelector:@selector(newTrust:withHostName:systemTrustResult:)] && status == noErr) {
            [self.delegate newTrust:trust withHostName:hostName systemTrustResult:result];
        }
    }
    completionHandler(trusted);
 }

-
-
-
@end