
Add TransferURLsAlwaysSkipVerify

Setting this flag programmatically, based on iOS version, allows us to start
configuring TransferURL.SkipVerify = false on iOS without risking crashes on
iOS < 12 or exceeding the VPN extension memory limit on iOS < 15.
Rod Hynes 3 年 前
コミット
1cae7f17fe

+ 18 - 0
MobileLibrary/iOS/PsiphonTunnel/PsiphonTunnel/PsiphonTunnel.m

@@ -848,6 +848,24 @@ typedef NS_ERROR_ENUM(PsiphonTunnelErrorDomain, PsiphonTunnelErrorCode) {
 
     }
 
+    // Where required, enable TransferURLsAlwaysSkipVerify, which overrides
+    // the TransferURL.SkipVerify configuration for remote server list
+    // downloads and feedback uploads. Both of these operations have
+    // additional security at the payload level. Verifying TLS certificates
+    // is preferred, as an additional security and circumvention layer, but
+    // is not possible in these circumstances:
+    // - On iOS < 12, Go 1.18+ does not support loading the system root CAs.
+    // - On iOS < 15 and in the VPN extension, loading the system root CAs
+    //   exceeds the extension memory limit.
+
+    BOOL alwaysSkipVerify = TRUE;
+    if (@available(iOS 15.0, *)) {
+        alwaysSkipVerify = FALSE;
+    } else if (@available(iOS 12.0, *)) {
+        alwaysSkipVerify = *tunnelWholeDevice;
+    }
+    config[@"TransferURLsAlwaysSkipVerify"] = @(alwaysSkipVerify);
+
     NSString *finalConfigStr = [[[SBJson4Writer alloc] init] stringWithObject:config];
     
     if (finalConfigStr == nil) {
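Review bot: The comment block above `alwaysSkipVerify` lists only remote server list downloads and feedback uploads, but this commit also ORs `TransferURLsAlwaysSkipVerify` into the upgrade download call in psiphon/upgradeDownload.go, and the doc comment in psiphon/config.go names all three transfers. The comment here should either list upgrade downloads or say that they are not used on iOS. The comment speaks of "the VPN extension" while the code tests `*tunnelWholeDevice`, so a line such as `// tunnelWholeDevice is treated as "running in the VPN extension"` would make the link explicit, if that is the intent. `YES`/`NO` are the conventional literals for an Objective-C `BOOL` rather than `TRUE`/`FALSE`. The enclosing method begins and ends outside this hunk, so the declaration of `tunnelWholeDevice` is not visible here.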

+ 16 - 6
psiphon/config.go

@@ -419,6 +419,16 @@ type Config struct {
 	// operating system.
 	TrustedCACertificatesFilename string
 
+	// TransferURLsAlwaysSkipVerify, when true, forces TransferURL.SkipVerify
+	// to true for all remote server list downloads, upgrade downloads, and
+	// feedback uploads. Each of these transfers has additional security at
+	// the payload level. Verifying TLS certificates is preferred, as an
+	// additional security and circumvention layer; set
+	// TransferURLsAlwaysSkipVerify only in cases where system root CAs
+	// cannot be loaded; for example, if unsupported (iOS < 12) or
+	// insufficient memory (VPN extension on iOS < 15).
+	TransferURLsAlwaysSkipVerify bool
+
 	// DisablePeriodicSshKeepAlive indicates whether to send an SSH keepalive
 	// every 1-2 minutes, when the tunnel is idle. If the SSH keepalive times
 	// out, the tunnel is considered to have failed.
@@ -891,12 +901,12 @@ func (config *Config) IsCommitted() bool {
 // DataRootDirectory.
 //
 // For each migration operation:
-// - In the case of directories that could have defaulted to the current working
-//   directory, persistent files and directories created by Psiphon are
-//   precisely targeted to avoid moving files which were not created by Psiphon.
-// - If no file is found at the specified path, or an error is encountered while
-//   migrating the file, then an error is logged and execution continues
-//   normally.
+//   - In the case of directories that could have defaulted to the current working
+//     directory, persistent files and directories created by Psiphon are
+//     precisely targeted to avoid moving files which were not created by Psiphon.
+//   - If no file is found at the specified path, or an error is encountered while
+//     migrating the file, then an error is logged and execution continues
+//     normally.
 //
 // A sentinel file which signals that file migration has been completed, and
 // should not be attempted again, is created under DataRootDirectory after one
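Review bot: The doc comment for `TransferURLsAlwaysSkipVerify` rests the safety of the override on "additional security at the payload level" without naming that check. With the field set, the TLS layer no longer authenticates the server for any of the three transfers, upgrade downloads included. I would add a sentence per transfer naming the payload check that still applies (placeholder wording: `// Remote server lists and upgrades: <payload authentication step>; feedback: <payload encryption step>`), so an auditor can confirm that integrity and confidentiality do not depend on the transport. It would also help to state that the field only widens `SkipVerify` and cannot turn verification back on for a URL that already sets it. The second hunk in this file only re-indents a comment list and needs nothing.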

+ 1 - 1
psiphon/feedback.go

@@ -183,7 +183,7 @@ func SendFeedback(ctx context.Context, config *Config, diagnostics, uploadPath s
 			feedbackUploadCtx,
 			config,
 			untunneledDialConfig,
-			uploadURL.SkipVerify)
+			uploadURL.SkipVerify || config.TransferURLsAlwaysSkipVerify)
 		if err != nil {
 			return errors.Trace(err)
 		}
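Review bot: The expression `uploadURL.SkipVerify || config.TransferURLsAlwaysSkipVerify` is repeated in the same form in psiphon/remoteServerList.go and psiphon/upgradeDownload.go, so the override policy is spread over three call sites. A small method on Config, for example `func (config *Config) transferSkipVerify(urlSkipVerify bool) bool { return urlSkipVerify || config.TransferURLsAlwaysSkipVerify }`, would keep it in one place. It would also give a single point at which to emit a diagnostic when verification is overridden, which the visible code does not do. SendFeedback's body continues outside the hunk.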

+ 1 - 1
psiphon/remoteServerList.go

@@ -71,7 +71,7 @@ func FetchCommonRemoteServerList(
 		downloadTimeout,
 		downloadURL.URL,
 		canonicalURL,
-		downloadURL.SkipVerify,
+		downloadURL.SkipVerify || config.TransferURLsAlwaysSkipVerify,
 		"",
 		config.GetRemoteServerListDownloadFilename())
 	if err != nil {

+ 1 - 1
psiphon/upgradeDownload.go

@@ -92,7 +92,7 @@ func DownloadUpgrade(
 		config,
 		tunnel,
 		untunneledDialConfig,
-		downloadURL.SkipVerify)
+		downloadURL.SkipVerify || config.TransferURLsAlwaysSkipVerify)
 	if err != nil {
 		return errors.Trace(err)
 	}