From a5123879a0817185084ded0ac6551406d039d10f Mon Sep 17 00:00:00 2001
From: Dustin Barker
Date: Thu, 27 Jun 2013 22:46:09 -0700
Subject: [PATCH 1/5] Fix bug where examples always used AFSSLPinningModeNone
---
 Example/Classes/AFAppDotNetAPIClient.m | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Example/Classes/AFAppDotNetAPIClient.m b/Example/Classes/AFAppDotNetAPIClient.m
index 0ce976d..5db15d2 100644
--- a/Example/Classes/AFAppDotNetAPIClient.m
+++ b/Example/Classes/AFAppDotNetAPIClient.m
@@ -51,10 +51,10 @@ static NSString * const kAFAppDotNetAPIBaseURLString = @"https://alpha-api.app.n
 // By default, the example ships with SSL pinning enabled for the app.net API pinned against the public key of adn.cer file included with the example. In order to make it easier for developers who are new to AFNetworking, SSL pinning is automatically disabled if the base URL has been changed. This will allow developers to hack around with the example, without getting tripped up by SSL pinning.
 if ([[url scheme] isEqualToString:@"https"] && [[url host] isEqualToString:@"alpha-api.app.net"]) {
- [self setDefaultSSLPinningMode:AFSSLPinningModePublicKey];
+ self.defaultSSLPinningMode = AFSSLPinningModePublicKey;
+ } else {
+ self.defaultSSLPinningMode = AFSSLPinningModeNone;
 }
-
- self.defaultSSLPinningMode = AFSSLPinningModeNone;
 return self;
 }
From 4a969694c58dc73c6d8a97925436714af4d16770 Mon Sep 17 00:00:00 2001
From: Dustin Barker
Date: Thu, 27 Jun 2013 22:18:36 -0700
Subject: [PATCH 2/5] Remove all _AFNETWORKING_PIN_SSL_CERTIFICATES_ conditions
Fixes #1098
---
 AFNetworking/AFHTTPClient.h | 2 -
 AFNetworking/AFHTTPClient.m | 4 --
 AFNetworking/AFURLConnectionOperation.h | 35 -----------
 AFNetworking/AFURLConnectionOperation.m | 78 -------------------------
 Example/Prefix.pch | 2 -
 5 files changed, 121 deletions(-)
diff --git a/AFNetworking/AFHTTPClient.h b/AFNetworking/AFHTTPClient.h
index 2e5d504..e7083f5 100644
--- a/AFNetworking/AFHTTPClient.h
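Review bot: The new `else` branch silently drops to `AFSSLPinningModeNone` whenever the scheme or host differs, and the host test is a case-sensitive `isEqualToString:`, so a base URL such as `https://ALPHA-API.app.net` (hostnames are case-insensitive) would disable pinning with no signal to the developer copying this example. Make the downgrade visible and normalise the host: compare with `[[[url host] lowercaseString] isEqualToString:@"alpha-api.app.net"]` (nil host still yields NO), and in the `else` branch log it, e.g. `NSLog(@"SSL pinning disabled: %@ is not the pinned app.net host", url);` before `self.defaultSSLPinningMode = AFSSLPinningModeNone;`. The initializer this code sits in begins above the hunk.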
+++ b/AFNetworking/AFHTTPClient.h @@ -141,9 +141,7 @@ typedef enum { /** Default SSL pinning mode for each `AFHTTPRequestOperation` created by `HTTPRequestOperationWithRequest:success:failure:`. */ -#ifdef _AFNETWORKING_PIN_SSL_CERTIFICATES_ @property (nonatomic, assign) AFURLConnectionOperationSSLPinningMode defaultSSLPinningMode; -#endif /** Whether each `AFHTTPRequestOperation` created by `HTTPRequestOperationWithRequest:success:failure:` should accept an invalid SSL certificate. diff --git a/AFNetworking/AFHTTPClient.m b/AFNetworking/AFHTTPClient.m index 09049af..7d9d166 100644 --- a/AFNetworking/AFHTTPClient.m +++ b/AFNetworking/AFHTTPClient.m @@ -212,9 +212,7 @@ NSArray * AFQueryStringPairsFromKeyAndValue(NSString *key, id value) { @synthesize networkReachabilityStatus = _networkReachabilityStatus; @synthesize networkReachabilityStatusBlock = _networkReachabilityStatusBlock; #endif -#ifdef _AFNETWORKING_PIN_SSL_CERTIFICATES_ @synthesize defaultSSLPinningMode = _defaultSSLPinningMode; -#endif @synthesize allowsInvalidSSLCertificate = _allowsInvalidSSLCertificate; + (instancetype)clientWithBaseURL:(NSURL *)url { @@ -556,9 +554,7 @@ static void AFNetworkReachabilityReleaseCallback(const void *info) { [operation setCompletionBlockWithSuccess:success failure:failure]; operation.credential = self.defaultCredential; -#ifdef _AFNETWORKING_PIN_SSL_CERTIFICATES_ operation.SSLPinningMode = self.defaultSSLPinningMode; -#endif operation.allowsInvalidSSLCertificate = self.allowsInvalidSSLCertificate; return operation; diff --git a/AFNetworking/AFURLConnectionOperation.h b/AFNetworking/AFURLConnectionOperation.h index 3866a2e..a86788b 100644 --- a/AFNetworking/AFURLConnectionOperation.h +++ b/AFNetworking/AFURLConnectionOperation.h 
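Review bot: `operation.SSLPinningMode = self.defaultSSLPinningMode;` now runs for every operation the client creates, and `defaultSSLPinningMode` is a plain `assign` property whose zero value is `AFSSLPinningModeNone` (the first enumerator in `AFURLConnectionOperation.h`), so a client that never sets it replaces the operation's documented `AFSSLPinningModePublicKey` default with no pinning at all — unless `initWithBaseURL:`, which is outside this hunk, seeds the ivar. Since pinning is now unconditional, every `AFHTTPClient` user is on this path and the two headers currently disagree about the effective default. Either initialise `_defaultSSLPinningMode = AFSSLPinningModePublicKey;` in the client's designated initializer, or add to the `defaultSSLPinningMode` doc comment in `AFHTTPClient.h`: `Defaults to AFSSLPinningModeNone and overrides the operation-level default for every operation this client creates.` `HTTPRequestOperationWithRequest:success:failure:` starts above the hunk.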
@@ -45,15 +45,7 @@ - `connection:willCacheResponse:` - `connectionShouldUseCredentialStorage:` - `connection:needNewBodyStream:` - - When _AFNETWORKING_PIN_SSL_CERTIFICATES_ is defined, the following authentication delegate method is implemented: - - `connection:willSendRequestForAuthenticationChallenge:` - - Otherwise, the following authentication delegate methods are implemented: - - - `connection:canAuthenticateAgainstProtectionSpace:` - - `connection:didReceiveAuthenticationChallenge:` If any of these methods are overridden in a subclass, they _must_ call the `super` implementation first. @@ -91,13 +83,11 @@ - Operation copies do not include `completionBlock`. `completionBlock` often strongly captures a reference to `self`, which would otherwise have the unintuitive side-effect of pointing to the _original_ operation when copied. */ -#ifdef _AFNETWORKING_PIN_SSL_CERTIFICATES_ typedef enum { AFSSLPinningModeNone, AFSSLPinningModePublicKey, AFSSLPinningModeCertificate, } AFURLConnectionOperationSSLPinningMode; -#endif @interface AFURLConnectionOperation : NSOperation = 50000) || \ @@ -185,9 +175,7 @@ NSCoding, NSCopying> To enable SSL Pinning, `#define _AFNETWORKING_PIN_SSL_CERTIFICATES_` in `Prefix.pch`. Also, make sure that the Security framework is linked with the binary. See the "SSL Pinning" section in the `AFURLConnectionOperation`" header for more information. */ -#ifdef _AFNETWORKING_PIN_SSL_CERTIFICATES_ @property (nonatomic, assign) AFURLConnectionOperationSSLPinningMode SSLPinningMode; -#endif ///------------------------ /// @name Accessing Streams 
@@ -289,7 +277,6 @@ NSCoding, NSCopying> /// @name Setting NSURLConnection Delegate Callbacks ///------------------------------------------------- -#ifdef _AFNETWORKING_PIN_SSL_CERTIFICATES_ /** Sets a block to be executed when the connection will authenticate a challenge in order to download its request, as handled by the `NSURLConnectionDelegate` method `connection:willSendRequestForAuthenticationChallenge:`. 
@@ -299,28 +286,6 @@ NSCoding, NSCopying> */ - (void)setWillSendRequestForAuthenticationChallengeBlock:(void (^)(NSURLConnection *connection, NSURLAuthenticationChallenge *challenge))block; -#else - -/** - Sets a block to be executed to determine whether the connection should be able to respond to a protection space's form of authentication, as handled by the `NSURLConnectionDelegate` method `connection:canAuthenticateAgainstProtectionSpace:`. - - If `allowsInvalidSSLCertificate` is set to YES, `connection:canAuthenticateAgainstProtectionSpace:` will accept invalid SSL certificates, returning `YES` if the protection space authentication method is `NSURLAuthenticationMethodServerTrust`. - - @param block A block object to be executed to determine whether the connection should be able to respond to a protection space's form of authentication. The block has a `BOOL` return type and takes two arguments: the URL connection object, and the protection space to authenticate against. - */ -- (void)setAuthenticationAgainstProtectionSpaceBlock:(BOOL (^)(NSURLConnection *connection, NSURLProtectionSpace *protectionSpace))block; - -/** - Sets a block to be executed when the connection must authenticate a challenge in order to download its request, as handled by the `NSURLConnectionDelegate` method `connection:didReceiveAuthenticationChallenge:`. - - @param block A block object to be executed when the connection must authenticate a challenge in order to download its request. The block has no return type and takes two arguments: the URL connection object, and the challenge that must be authenticated. - - If `allowsInvalidSSLCertificate` is set to YES, `connection:didReceiveAuthenticationChallenge:` will attempt to have the challenge sender use credentials with invalid SSL certificates. 
- */ -- (void)setAuthenticationChallengeBlock:(void (^)(NSURLConnection *connection, NSURLAuthenticationChallenge *challenge))block; - -#endif - /** Sets a block to be executed when the server redirects the request from one URL to another URL, or when the request URL changed by the `NSURLProtocol` subclass handling the request in order to standardize its format, as handled by the `NSURLConnectionDelegate` method `connection:willSendRequest:redirectResponse:`. diff --git a/AFNetworking/AFURLConnectionOperation.m b/AFNetworking/AFURLConnectionOperation.m index c5ea309..06b203d 100644 --- a/AFNetworking/AFURLConnectionOperation.m +++ b/AFNetworking/AFURLConnectionOperation.m @@ -56,9 +56,6 @@ NSString * const AFNetworkingOperationDidStartNotification = @"com.alamofire.net NSString * const AFNetworkingOperationDidFinishNotification = @"com.alamofire.networking.operation.finish"; typedef void (^AFURLConnectionOperationProgressBlock)(NSUInteger bytes, long long totalBytes, long long totalBytesExpected); -#ifndef _AFNETWORKING_PIN_SSL_CERTIFICATES_ -typedef BOOL (^AFURLConnectionOperationAuthenticationAgainstProtectionSpaceBlock)(NSURLConnection *connection, NSURLProtectionSpace *protectionSpace); -#endif typedef void (^AFURLConnectionOperationAuthenticationChallengeBlock)(NSURLConnection *connection, NSURLAuthenticationChallenge *challenge); typedef NSCachedURLResponse * (^AFURLConnectionOperationCacheResponseBlock)(NSURLConnection *connection, NSCachedURLResponse *cachedResponse); typedef NSURLRequest * (^AFURLConnectionOperationRedirectResponseBlock)(NSURLConnection *connection, NSURLRequest *request, NSURLResponse *redirectResponse); 
@@ -142,9 +139,6 @@ static BOOL AFSecKeyIsEqualToKey(SecKeyRef key1, SecKeyRef key2) { @property (readwrite, nonatomic, assign) AFBackgroundTaskIdentifier backgroundTaskIdentifier; @property (readwrite, nonatomic, copy) AFURLConnectionOperationProgressBlock uploadProgress; @property (readwrite, nonatomic, copy) AFURLConnectionOperationProgressBlock downloadProgress; -#ifndef _AFNETWORKING_PIN_SSL_CERTIFICATES_ -@property (readwrite, nonatomic, copy) AFURLConnectionOperationAuthenticationAgainstProtectionSpaceBlock authenticationAgainstProtectionSpace; -#endif @property (readwrite, nonatomic, copy) AFURLConnectionOperationAuthenticationChallengeBlock authenticationChallenge; @property (readwrite, nonatomic, copy) AFURLConnectionOperationCacheResponseBlock cacheResponse; @property (readwrite, nonatomic, copy) AFURLConnectionOperationRedirectResponseBlock redirectResponse; @@ -170,18 +164,13 @@ static BOOL AFSecKeyIsEqualToKey(SecKeyRef key1, SecKeyRef key2) { @dynamic inputStream; @synthesize outputStream = _outputStream; @synthesize credential = _credential; -#ifdef _AFNETWORKING_PIN_SSL_CERTIFICATES_ @synthesize SSLPinningMode = _SSLPinningMode; -#endif @synthesize shouldUseCredentialStorage = _shouldUseCredentialStorage; @synthesize userInfo = _userInfo; @synthesize backgroundTaskIdentifier = _backgroundTaskIdentifier; @synthesize uploadProgress = _uploadProgress; @synthesize downloadProgress = _downloadProgress; @synthesize authenticationChallenge = _authenticationChallenge; -#ifndef _AFNETWORKING_PIN_SSL_CERTIFICATES_ -@synthesize authenticationAgainstProtectionSpace = _authenticationAgainstProtectionSpace; -#endif @synthesize cacheResponse = _cacheResponse; @synthesize redirectResponse = _redirectResponse; @synthesize lock = _lock; 
@@ -207,7 +196,6 @@ static BOOL AFSecKeyIsEqualToKey(SecKeyRef key1, SecKeyRef key2) { return _networkRequestThread; } -#ifdef _AFNETWORKING_PIN_SSL_CERTIFICATES_ + (NSArray *)pinnedCertificates { static NSArray *_pinnedCertificates = nil; static dispatch_once_t onceToken; @@ -265,7 +253,6 @@ static BOOL AFSecKeyIsEqualToKey(SecKeyRef key1, SecKeyRef key2) { return _pinnedPublicKeys; } -#endif - (id)initWithRequest:(NSURLRequest *)urlRequest { NSParameterAssert(urlRequest); @@ -394,24 +381,10 @@ static BOOL AFSecKeyIsEqualToKey(SecKeyRef key1, SecKeyRef key2) { self.downloadProgress = block; } -#ifdef _AFNETWORKING_PIN_SSL_CERTIFICATES_ - - (void)setWillSendRequestForAuthenticationChallengeBlock:(void (^)(NSURLConnection *connection, NSURLAuthenticationChallenge *challenge))block { self.authenticationChallenge = block; } -#else - -- (void)setAuthenticationAgainstProtectionSpaceBlock:(BOOL (^)(NSURLConnection *, NSURLProtectionSpace *))block { - self.authenticationAgainstProtectionSpace = block; -} - -- (void)setAuthenticationChallengeBlock:(void (^)(NSURLConnection *connection, NSURLAuthenticationChallenge *challenge))block { - self.authenticationChallenge = block; -} - -#endif - - (void)setCacheResponseBlock:(NSCachedURLResponse * (^)(NSURLConnection *connection, NSCachedURLResponse *cachedResponse))block { self.cacheResponse = block; } @@ -593,8 +566,6 @@ static BOOL AFSecKeyIsEqualToKey(SecKeyRef key1, SecKeyRef key2) { #pragma mark - NSURLConnectionDelegate -#ifdef _AFNETWORKING_PIN_SSL_CERTIFICATES_ - - (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge { 
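Review bot: With the `#ifdef` removed, `connection:willSendRequestForAuthenticationChallenge:` is now the only authentication callback the operation implements, yet nothing at the method states that it is the sole place where `SSLPinningMode` and `allowsInvalidSSLCertificate` are honoured; its body lies outside this hunk. The deleted `#else` pair (history) granted server trust outright whenever `allowsInvalidSSLCertificate` was set, and `AFHTTPClient` still copies that flag onto each operation, so a reader needs to know the retained method carries that responsibility alone. Add above the method: `// Sole authentication entry point: SSLPinningMode and allowsInvalidSSLCertificate are evaluated here only; there is no canAuthenticateAgainstProtectionSpace: fallback.`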
@@ -698,52 +669,6 @@ willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challe
 }
 }
-#else
-
-- (BOOL)connection:(NSURLConnection *)connection
-canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace
-{
- if (self.allowsInvalidSSLCertificate &&
- [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
- return YES;
- }
-
- if (self.authenticationAgainstProtectionSpace) {
- return self.authenticationAgainstProtectionSpace(connection, protectionSpace);
- } else if ([protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust] || [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodClientCertificate]) {
- return NO;
- } else {
- return YES;
- }
-}
-
-- (void)connection:(NSURLConnection *)connection
-didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
-{
-
- if (self.allowsInvalidSSLCertificate
- && [challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
- [challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
- return;
- }
-
- if (self.authenticationChallenge) {
- self.authenticationChallenge(connection, challenge);
- } else {
- if ([challenge previousFailureCount] == 0) {
- if (self.credential) {
- [[challenge sender] useCredential:self.credential forAuthenticationChallenge:challenge];
- } else {
- [[challenge sender] continueWithoutCredentialForAuthenticationChallenge:challenge];
- }
- } else {
- [[challenge sender] continueWithoutCredentialForAuthenticationChallenge:challenge];
- }
- }
-}
-
-#endif
-
 - (BOOL)connectionShouldUseCredentialStorage:(NSURLConnection __unused *)connection { return self.shouldUseCredentialStorage; }
@@ -896,9 +821,6 @@ didReceiveResponse:(NSURLResponse *)response operation.uploadProgress = self.uploadProgress; operation.downloadProgress = self.downloadProgress; -#ifndef _AFNETWORKING_PIN_SSL_CERTIFICATES_ - operation.authenticationAgainstProtectionSpace = self.authenticationAgainstProtectionSpace; -#endif operation.authenticationChallenge = self.authenticationChallenge; operation.cacheResponse = self.cacheResponse; operation.redirectResponse = self.redirectResponse; diff --git a/Example/Prefix.pch b/Example/Prefix.pch index df78b3c..18b984d 100644 --- a/Example/Prefix.pch +++ b/Example/Prefix.pch @@ -1,7 +1,5 @@ #import -#define _AFNETWORKING_PIN_SSL_CERTIFICATES_ - #if __IPHONE_OS_VERSION_MIN_REQUIRED #ifndef __IPHONE_3_0 #warning "This project uses features only available in iPhone SDK 3.0 and later." From 4ca6efb08753ce9484553bc1a19171eb7e5497fa Mon Sep 17 00:00:00 2001 From: Dustin Barker Date: Thu, 27 Jun 2013 22:20:57 -0700 Subject: [PATCH 3/5] Update documentation re: _AFNETWORKING_PIN_SSL_CERTIFICATES_ --- AFNetworking/AFURLConnectionOperation.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/AFNetworking/AFURLConnectionOperation.h b/AFNetworking/AFURLConnectionOperation.h index a86788b..2ce5609 100644 --- a/AFNetworking/AFURLConnectionOperation.h +++ b/AFNetworking/AFURLConnectionOperation.h @@ -65,7 +65,7 @@ SSL with certificate pinning is strongly recommended for any application that transmits sensitive information to an external webservice. - When `_AFNETWORKING_PIN_SSL_CERTIFICATES_` is defined and the Security framework is linked, connections will be validated on all matching certificates with a `.cer` extension in the bundle root. + When `defaultSSLPinningMode` is defined on `AFHTTPClient` and the Security framework is linked, connections will be validated on all matching certificates with a `.cer` extension in the bundle root. ## NSCoding & NSCopying Conformance 
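Review bot: The rewritten sentence in the SSL Pinning section is inaccurate: a property is set, not "defined", and `SSLPinningMode` is honoured on operations built directly as well as via `AFHTTPClient`, so pinning is not gated on the client at all. It also states that validation runs against every `.cer` in the bundle root without warning that this makes the pin set as wide as the bundle — any stray test or staging certificate shipped in the app becomes an accepted anchor. Suggested wording: `When SSLPinningMode is anything other than AFSSLPinningModeNone and the Security framework is linked, server-trust challenges are validated against every certificate with a .cer extension in the bundle root, so keep unrelated certificates (test or staging CAs) out of the bundle.`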
@@ -173,7 +173,7 @@ NSCoding, NSCopying> /** The pinning mode which will be used for SSL connections. `AFSSLPinningModePublicKey` by default. - To enable SSL Pinning, `#define _AFNETWORKING_PIN_SSL_CERTIFICATES_` in `Prefix.pch`. Also, make sure that the Security framework is linked with the binary. See the "SSL Pinning" section in the `AFURLConnectionOperation`" header for more information. + SSL Pinning requires that the Security framework is linked with the binary. See the "SSL Pinning" section in the `AFURLConnectionOperation`" header for more information. */ @property (nonatomic, assign) AFURLConnectionOperationSSLPinningMode SSLPinningMode; From 33ba5685fb75f9640f62d6a7bcb41d0b796e436b Mon Sep 17 00:00:00 2001 From: Dustin Barker Date: Thu, 27 Jun 2013 22:32:02 -0700 Subject: [PATCH 4/5] Remove reference to _AFNETWORKING_PIN_SSL_CERTIFICATES_ --- AFNetworking.podspec | 2 -- Tests/AFNetworking-Prefix.pch | 2 -- 2 files changed, 4 deletions(-) diff --git a/AFNetworking.podspec b/AFNetworking.podspec index 1368a55..f14d101 100644 --- a/AFNetworking.podspec +++ b/AFNetworking.podspec @@ -18,8 +18,6 @@ Pod::Spec.new do |s| s.prefix_header_contents = <<-EOS #import -#define _AFNETWORKING_PIN_SSL_CERTIFICATES_ - #if __IPHONE_OS_VERSION_MIN_REQUIRED #import #import diff --git a/Tests/AFNetworking-Prefix.pch b/Tests/AFNetworking-Prefix.pch index 6f34220..59f8ee7 100644 --- a/Tests/AFNetworking-Prefix.pch +++ b/Tests/AFNetworking-Prefix.pch @@ -2,8 +2,6 @@ // Prefix header for all source files of the 'AFNetworking' target in the 'AFNetworking' project // -#define _AFNETWORKING_PIN_SSL_CERTIFICATES_ - #ifdef __OBJC__ #import From 035e628d968f2567e55e36a6e13c164ee4b138fd Mon Sep 17 00:00:00 2001 From: Dustin Barker Date: Thu, 27 Jun 2013 22:39:08 -0700 Subject: [PATCH 5/5] Add adn certificate to Mac example --- Example/AFNetworking Mac Example.xcodeproj/project.pbxproj | 4 ++++ 1 file changed, 4 insertions(+) 
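Review bot: The retained doc line "`AFSSLPinningModePublicKey` by default" is only true for operations constructed directly; `AFHTTPClient` assigns its own `defaultSSLPinningMode` to every operation it creates, so that default is overridden on the most common path and a reader of this header has no way to know. Amend the comment to: `AFSSLPinningModePublicKey by default for operations created directly; AFHTTPClient assigns its own defaultSSLPinningMode to every operation it creates.` The Security-framework sentence is fine as rewritten.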
diff --git a/Example/AFNetworking Mac Example.xcodeproj/project.pbxproj b/Example/AFNetworking Mac Example.xcodeproj/project.pbxproj index 91a8e8a..b60c866 100644 --- a/Example/AFNetworking Mac Example.xcodeproj/project.pbxproj +++ b/Example/AFNetworking Mac Example.xcodeproj/project.pbxproj @@ -7,6 +7,7 @@ objects = { /* Begin PBXBuildFile section */ + B304CCE8177D58DD00F4FC85 /* adn.cer in Resources */ = {isa = PBXBuildFile; fileRef = B304CCE7177D58DD00F4FC85 /* adn.cer */; }; F8129C001591061B009BFE23 /* Cocoa.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = F8129BFF1591061B009BFE23 /* Cocoa.framework */; }; F8129C321591073C009BFE23 /* AFAppDotNetAPIClient.m in Sources */ = {isa = PBXBuildFile; fileRef = F8129C251591073C009BFE23 /* AFAppDotNetAPIClient.m */; }; F8129C341591073C009BFE23 /* Post.m in Sources */ = {isa = PBXBuildFile; fileRef = F8129C2B1591073C009BFE23 /* Post.m */; }; @@ -27,6 +28,7 @@ /* End PBXBuildFile section */ /* Begin PBXFileReference section */ + B304CCE7177D58DD00F4FC85 /* adn.cer */ = {isa = PBXFileReference; lastKnownFileType = file; path = adn.cer; sourceTree = SOURCE_ROOT; }; F8129BFB1591061B009BFE23 /* AFNetworking Example.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = "AFNetworking Example.app"; sourceTree = BUILT_PRODUCTS_DIR; }; F8129BFF1591061B009BFE23 /* Cocoa.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Cocoa.framework; path = System/Library/Frameworks/Cocoa.framework; sourceTree = SDKROOT; }; F8129C021591061B009BFE23 /* AppKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = AppKit.framework; path = System/Library/Frameworks/AppKit.framework; sourceTree = SDKROOT; }; 
@@ -139,6 +141,7 @@ F8129C061591061B009BFE23 /* Supporting Files */ = { isa = PBXGroup; children = ( + B304CCE7177D58DD00F4FC85 /* adn.cer */, F8129C6E15910B15009BFE23 /* main.m */, F8129C7015910B3E009BFE23 /* MainMenu.xib */, ); @@ -238,6 +241,7 @@ buildActionMask = 2147483647; files = ( F8129C7115910B3E009BFE23 /* MainMenu.xib in Resources */, + B304CCE8177D58DD00F4FC85 /* adn.cer in Resources */, ); runOnlyForDeploymentPostprocessing = 0; };