Главная Обзор Помощь
Вход
yosoyhendrix
/
psiphon-tunnel-core
зеркало из https://github.com/Psiphon-Labs/psiphon-tunnel-core
1
0
Ответвить 0
Файлы Задачи 0 Вики
Дерево: f230c8e212
Ветки Метки
psiphon-tunnel-...
/
MobileLibrary
/
iOS
/
SampleApps
/
Common
/
AuthURLSessionTaskDelegate.h

AuthURLSessionTaskDelegate.h 2.3 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566 
  1. //
    2. 

  2. //  AuthURLSessionTaskDelegate.h
    3. 

  3. //  TunneledWebRequest
    4. 

  4. //
    5. 

  5. /*
    6. 

  6.  Licensed under Creative Commons Zero (CC0).
    7. 

  7.  https://creativecommons.org/publicdomain/zero/1.0/
    8. 

  8.  */
    9. 

  9. 

  10. 

  11. // NOTE: this file is shared by TunneledWebRequest and TunneledWebView
    12. 

  12. 

  13. #import <Foundation/Foundation.h>
    14. 

  14. #import "OCSPCache.h"
    15. 

  15. 

  16. NS_ASSUME_NONNULL_BEGIN
    17. 

  17. 

  18. /*!
    19. 

  19.  * AuthURLSessionTaskDelegate implements URLSession:task:didReceiveChallenge:completionHandler:
    20. 

  20.  * of the NSURLSessionTaskDelegate protocol.
    21. 

  21.  *
    22. 

  22.  * The main motivation of AuthURLSessionTaskDelegate is to ensure that OCSP requests are not
    23. 

  23.  * sent in plaintext outside of the tunnel.
    24. 

  24.  *
    25. 

  25.  * If the policy object for checking the revocation of certificates is created with
    26. 

  26.  * SecPolicyCreateRevocation(kSecRevocationOCSPMethod | ...), and network access is allowed
    27. 

  27.  * (the kSecRevocationNetworkAccessDisabled flag is not provided), a plaintext OCSP request over
    28. 

  28.  * HTTP is triggered when SecTrustEvaluate() is called. This request does not respect NSURLProtocol
    29. 

  29.  * subclassing.
    30. 

  30.  *
    31. 

  31.  * The solution is to inspect each X.509 certificate for the Online Certificate Status Protocol
    32. 

  32.  * (1.3.6.1.5.5.7.48.1) Authority Information Access Method, which contains the locations (URLs) of
    33. 

  33.  * the OCSP servers; then OCSP requests are then made to these servers through the local HTTP proxy.
    34. 

  34.  *
    35. 

  35.  * Note: AuthURLSessionTaskDelegate only checks revocation status with OCSP.
    36. 

  36.  *
    37. 

  37.  * Note: The OCSP Authority Information Access Method is found in the Certificate Authority
    38. 

  38.  *       Information Access (1.3.6.1.5.5.7.1.1) X.509v3 extension --
    39. 

  39.  *       https://tools.ietf.org/html/rfc2459#section-4.2.2.1.
    40. 

  40.  */
    41. 

  41. @interface AuthURLSessionTaskDelegate : NSObject <NSURLSessionDelegate>
    42. 

  42. 

  43. /*!
    44. 

  44.  * Logger for errors.
    45. 

  45.  */
    46. 

  46. @property (nonatomic, strong) void (^logger)(NSString*);
    47. 

  47. 

  48. /*!
    49. 

  49.  * Local HTTP proxy port.
    50. 

  50.  *
    51. 

  51.  * OCSP request URL is constructed as:
    52. 

  52.  *   http://127.0.0.1:<HTTP proxy port>/tunneled/<URL encoded OCSP request>
    53. 

  53.  */
    54. 

  54. @property (atomic, assign) NSInteger localHTTPProxyPort;
    55. 

  55. 

  56. -  (id)initWithLogger:(void (^)(NSString*))logger
    57. 

  57. andLocalHTTPProxyPort:(NSInteger)port;
    58. 

  58. 

  59. - (void)URLSession:(NSURLSession *)session
    60. 

  60.               task:(NSURLSessionTask *)task
    61. 

  61. didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
    62. 

  62.  completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler;
    63. 

  63. 

  64. @end
    65. 

  65. 

  66. NS_ASSUME_NONNULL_END
    67.