From 900431c9cfa5d48decda05365f80a29bcb7ae061 Mon Sep 17 00:00:00 2001
From: Jan Niklas Grabowski
Date: Mon, 3 Mar 2025 16:02:41 +0100
Subject: [PATCH] feat: remove hash server validation (MESSENGER-6759)
---
 Config/BWIBuildSettings.swift | 59 ------------------
 Riot/Modules/Application/LegacyAppDelegate.m | 1 -
 .../Common/AuthenticationModels.swift | 2 +
 ...enticationServerSelectionCoordinator.swift | 1 -
 bwi/AppConfig/AppConfigService.swift | 1 -
 .../LoginProtectionService.swift | 16 -----
 bwi/Tests/LoginProtectionTests.swift | 60 -------------------
 7 files changed, 2 insertions(+), 138 deletions(-)
 delete mode 100644 bwi/Tests/LoginProtectionTests.swift
diff --git a/Config/BWIBuildSettings.swift b/Config/BWIBuildSettings.swift
index 3182ef811..768485202 100644
--- a/Config/BWIBuildSettings.swift
+++ b/Config/BWIBuildSettings.swift
@@ -170,65 +170,6 @@ class BWIBuildSettings: NSObject {
 var bwiEnableLoginProtection = true
- var bwiHashes = [ "a3f65e35a7476799afe8d80282fb3c45b39dab06d1d8c70dc98e45ab7d8e93a9",
- "2fda1a831655c22a5e6096d7cfbff4429fbf27891141e191b46adbf168142a11",
- "4f8cbb3fef885f7284d0477d797d7007f0e1ba76221834132752f4d645796e28",
- "24c2ec541e61e8e68944b96dc45ed5df12f6bdbda283cb0b3a522742aa970256",
- "1be0b314a6c915d4475290522baef5b642db1b6d68937792b8e0eb5b7b0d6666",
- "3deb73db8cafcd1d5a59e25e251c35816162e1f6ee67b5d7d011da0e8d6ef931",
- "42e57985d61202c2c7dd87d898cef9bdce020877a4c7a8c7cd699f6a28f58c0c",
- "e1c3c7cac12bd65bd48de79a2677187d2e768d2769377627534023588b8d7a33",
- "300f100961520d2909686f405bf97f53273f8ea82fa5359d981af8bf755f56ea",
- "642e9a5b1276d65cd12f913b96a3d05fe022489f5481e0c888dfd0654b25177d",
- "f7b8efdec2f424dbc912f4592d2489cc26232a621feecade73c33205a0a5cd8a",
- "7cfd1c9b9405146681e43f6339ea487f083a3a12cea7cf669810ea160407781a",
- "72d9a018893555073840bd90d80301417d2caa8b6ada7973d3365bcf929d6321",
- "28e0940e355717de28a9b48add20ebb7ed178875937015033d394129d9356cb3",
- "58077bffe53341e53ad18363dafc09498c314dd05a4fbaa2150c48dbd5d35e09",
- "74c038bb4e26fb1d0fcc14474ec9ff6fe3ec158e13286a787b90a22ee638ac18",
- "3740163f98aeda7dba285d2af1bfc351db395868268e2759ca701f926a6605a5",
- "240b05d9a54999140d23f21d104109fbc5e5179366ba3a7e58c8fad763aa88bd",
- "4d5b6dcf02396274be58a69c4bbeba175b529f6b19c504fc99a37892ee1cf0b5",
- "0d157119821bd9d76ac4f24c7f14f56e6bb5b766a6d5ee7dad6634420e79271a",
- "e3573fe09d518cce80cececedf80f8e0020cbc150f22db8b64827bff2e27abd9",
- "b76a62ccd8ea70d01c3a35ec3839e49ed2c83c8e3276f40a1b2c2cdf7cd77d01",
- "4a610a4d5fd3d8a1e1fd5669abdf1e0c5f7f5ff0c6b559e0f360cfa092ecb115",
- "32752f6d21f3005587941415cd64812ee28c19e6e01ed307edf9ddf4f6a91583",
- "704c6eaa107b13ef0694eb7ddd041bb6f595b53670a2e0c3c16e199947a9e013",
- "6921f031357cf63fb8538d9a1d1971efae95899907fdbf05a05082b6d1a6d0fb",
- "9f960fc663f5eaae67eecff75b131dea130b3ab1cf889c45fc74c688a48aea30",
- "160c35279484a027031b131183f3f203b1166306bab214355b00cf28502bce11",
- "d5a7298dde23aa0269c4cbd3b2a543e6ede94ce78fc20e4bfb888eb6057b5c52",
- "00136d830dd2acd5047efcf8419e939ef7ef97a84bef1930df86aace3f855265",
- "64cbbeea37237814445b35c941d010b9d5d024e4c584a476864b00c7c9909bce",
- "e79f4ce0f3c2772b45fd492a9c11e4e10e869ca21af68f13ff48c9c3bbd446ea",
- "2d582bed323f226a0e18b6b7104c0d28ccc36423833220a7b5fd2854262ab27e",
- "c56904235e283557626c327f8013c3b1c654eae86a5e314531e3a6fcb200ff92",
- "202bbbaa7c5cd665106d14012c29bcda8217a4b3606cce83e6e6ea0d30733229",
- "cca10f6b4b583da69bbd3815ee0fccd193cf0cfd046aee1aeffaa7b5245e8f83",
- "36a9ec7368bddedd9deb1e2d1c627bd7304865135c9be30b1979659e3ac9ad07",
- "dbaf8618e8a2f8d681591dfbcc73243c921c10dec69a2e5ee50bc91ca7dedcda",
- "ed1af0fd873ec749f17c3b61ce4e481ab1644c132003f97a9c4e36516325788a",
- "081e6ef90ba86102d678756fd13b07ca744340ad4d58a340e1956dca992f18e3",
- "40b22592f2417c8031a0c38098c83dd0bfd28dee4c77ed1e9a022556c6ec0ded",
- "098d7b8e7487c2228e6848c1baf6b5fec716b8d94d0210c22bad6adba5a332bf",
- "bce875bbf120c13246f2591af8681bbc554068d0b0cbf3837604607fdf99001e",
- "8362cb3205fb58345f1cc43115023027ea420b589da099271e127b9e9addb06c",
- "2ae47272786b03f790ffef1331dc92b114f65bc2fc321f82ca78a32ae471043e",
- "224185dd537000a0f5be5e09be1bd39103363b38bb8e49719d14f680a4d5e5ee",
- "8bab8d8d993259213d7ef2295e3494382b4611f2d68596a120e7cdfbb33485d2",
- "b9aa60d0067f63aa81eb6521af2120f2405e4bde4963b060ac34890e41734937",
- "2fd5548d873cdd2b48691593d3a3121b452e4f990d2b0eddfca2bc44255ccb46",
- "05a294b2e2214e326d9dc55a5ae4b1d91d0bd0e95177e59159c42ebaf8dae243",
- "983a96007faae2d5321aadf10198bf1a568d4166eec24f9c878de12ad5da8b85",
- "09940562c6e5d1b4071873c1be36dfe526c33a9c87bce30935c43ed451a67d72",
- "c58c1892ba63b2a482a2ad72d563d523eff08759e6026b8630d64d41b48e7ae0",
- "db0c9012e0886da4cbbaf4fae3d4c8d345a95fcc004c0fa8132b5f718963750d",
- "e4920edcf64870e0d86a8e511ad3ba0dc91f7208c891329d6ee9a64b4b7a07e6",
- "9f60d10d6ee4d1be2a5f301c57aae3224a3d010564c302346395ab1a7e2aa35f",
- "ddf38402e479dcfe29066efd81fde1fdd2e767b1780d1736bdb8def2753065d1",
- "6e9020ced31422578601a91bc96474c1e36c1b0c2f4a4193c9c49f1bde6749fb"
- ]
 // bwi #6162 login protection with jwt tokens
 var bwiEnableTokenizedLoginProtection = false
diff --git a/Riot/Modules/Application/LegacyAppDelegate.m b/Riot/Modules/Application/LegacyAppDelegate.m
index 8da0fe9d3..112968541 100644
--- a/Riot/Modules/Application/LegacyAppDelegate.m
+++ b/Riot/Modules/Application/LegacyAppDelegate.m
@@ -4367,7 +4367,6 @@ NSString *const AppDelegateUniversalLinkDidChangeNotification = @"AppDelegateUni
 - (void)checkUrlSavetyWithURL:(NSString *)serverURL {
 if (BWIBuildSettings.shared.bwiEnableLoginProtection || BWIBuildSettings.shared.bwiEnableTokenizedLoginProtection) {
 LoginProtectionService *protectionService = [LoginProtectionService new];
- protectionService.hashes = BWIBuildSettings.shared.bwiHashes;
 MXWeakify(self);
 [protectionService isValid:serverURL ignoreNetworkConnectionLost:YES completionHandler:^(BOOL isVaild) {
diff --git a/RiotSwiftUI/Modules/Authentication/Common/AuthenticationModels.swift b/RiotSwiftUI/Modules/Authentication/Common/AuthenticationModels.swift
index b15b5d711..ead90b84e 100644
--- a/RiotSwiftUI/Modules/Authentication/Common/AuthenticationModels.swift
+++ b/RiotSwiftUI/Modules/Authentication/Common/AuthenticationModels.swift
@@ -85,6 +85,8 @@ class HomeserverAddress: NSObject {
 if !address.contains("://") {
 address = "https://\(address)"
+ } else if address.contains("http") && !address.contains("https") {
+ address = address.replacingOccurrences(of: "http://", with: "https://")
 }
 address = address.trimmingCharacters(in: CharacterSet(charactersIn: "/"))
diff --git a/RiotSwiftUI/Modules/Authentication/ServerSelection/Coordinator/AuthenticationServerSelectionCoordinator.swift b/RiotSwiftUI/Modules/Authentication/ServerSelection/Coordinator/AuthenticationServerSelectionCoordinator.swift
index 81c109721..7d92be4b7 100644
--- a/RiotSwiftUI/Modules/Authentication/ServerSelection/Coordinator/AuthenticationServerSelectionCoordinator.swift
+++ b/RiotSwiftUI/Modules/Authentication/ServerSelection/Coordinator/AuthenticationServerSelectionCoordinator.swift
@@ -165,7 +165,6 @@ final class AuthenticationServerSelectionCoordinator: Coordinator, Presentable {
 if BWIBuildSettings.shared.bwiEnableLoginProtection || BWIBuildSettings.shared.bwiEnableTokenizedLoginProtection {
 let protectionService = LoginProtectionService()
- protectionService.hashes = BWIBuildSettings.shared.bwiHashes
 return await protectionService.isValid(homeserverAddress)
 }
diff --git a/bwi/AppConfig/AppConfigService.swift b/bwi/AppConfig/AppConfigService.swift
index 0ea41f62e..4dbfedf25 100644
--- a/bwi/AppConfig/AppConfigService.swift
+++ b/bwi/AppConfig/AppConfigService.swift
@@ -79,7 +79,6 @@ extension UserDefaults
 private func checkUrlSavety(_ serverUrl: String) async -> Bool {
 if BWIBuildSettings.shared.bwiEnableLoginProtection {
 let protectionService = LoginProtectionService()
- protectionService.hashes = BWIBuildSettings.shared.bwiHashes
 return await protectionService.isValid(serverUrl)
 } else {
diff --git a/bwi/LoginProtection/LoginProtectionService.swift b/bwi/LoginProtection/LoginProtectionService.swift
index 3fb21d00e..fefabc416 100644
--- a/bwi/LoginProtection/LoginProtectionService.swift
+++ b/bwi/LoginProtection/LoginProtectionService.swift
@@ -19,7 +19,6 @@ import Foundation
 import CryptoKit
 @objcMembers class LoginProtectionService : NSObject {
- var hashes: [String]?
 @objc func isValid(_ homeserverAddress: String, ignoreNetworkConnectionLost: Bool = false) async -> Bool {
 // bwi #6162 a homeserveraddress is valid when there is either
@@ -45,15 +44,6 @@ import CryptoKit
 }
 }
- if BWIBuildSettings.shared.bwiEnableLoginProtection && !validHomeserver {
- if let hashes = hashes {
- let string = self.normalizeLoginUrl(homeserverAddress)
- let hashedString = self.hashedString(string)
-
- validHomeserver = hashes.contains(hashedString)
- }
- }
-
 return validHomeserver
 }
@@ -63,10 +53,4 @@ import CryptoKit
 return tmpString
 }
-
- private func hashedString(_ string: String) -> String {
- let data = Data(string.utf8)
- let hash = SHA256.hash(data: data)
- return hash.compactMap { String(format: "%02x", $0) }.joined()
- }
 }
diff --git a/bwi/Tests/LoginProtectionTests.swift b/bwi/Tests/LoginProtectionTests.swift
deleted file mode 100644
index 464136244..000000000
--- a/bwi/Tests/LoginProtectionTests.swift
+++ /dev/null
@@ -1,60 +0,0 @@
-//
-/*
- * Copyright (c) 2022 BWI GmbH
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-import XCTest
-@testable import Element
-
-class LoginProtectionTests: XCTestCase {
-
- let hashes = ["34f2dfdb69edeef64ae9f53cea21c7e27db19566d440174c5bc3949d87ae90f6",
- "04feebbb6cc530f26db673ee7d781c57870cfc7c6d1814d63dc703a3da522619"
- ]
-
- func testValidURL() throws {
- let service = LoginProtectionService()
- service.hashes = hashes
-
- XCTAssertTrue(service.isValid("https://www.wellbehaved.de"))
- }
-
- func testInvalidURL() throws {
- let service = LoginProtectionService()
- service.hashes = hashes
-
- XCTAssertFalse(service.isValid("https://www.unknown.org"))
- }
-
- func testSimpleURL() throws {
- let service = LoginProtectionService()
- service.hashes = hashes
-
- XCTAssertTrue(service.isValid("www.simple.com"))
- }
-
- func testMalformatedURL() throws {
- let service = LoginProtectionService()
- service.hashes = hashes
-
- XCTAssertFalse(service.isValid("ur%%l@blalalal"))
- }
-
- func testNoHashlist() throws {
- let service = LoginProtectionService()
-
- XCTAssertFalse(service.isValid("https://www.wellbehaved.de"))
- }
-}