Commit graph

537 commits

Author SHA1 Message Date
Scott Nonnenberg
b17a67ec65
Support pass-through proxies with HTTPS_PROXY env var (#1878)
We've simplified; HTTPS_PROXY or https_proxy is used for all requests.

We also require that only our self-signed certificates are used for
secure traffic. That rules out all SSL-terminating MITM proxies, since
we don't trust their root certificate.

Once we're sure that this system works for people, we'll improve config
on MacOS and Windows.
2017-12-08 10:38:01 -08:00
Scott Nonnenberg
f013eed9d1
Merge branch 'master' into development
Bringing beta up to date with production v1.0.40
2017-12-04 16:08:19 -08:00
Scott Nonnenberg
acc94edd23
Add proxy support based on environment variables (#1855)
We pull proxy settings from environment variables:

- HTTPS_PROXY for sending, profile pulls, and attachment download/upload
- WSS_PROXY for connecting to the websocket for receiving messages
- ALL_PROXY to provide one server for both

More details on our proxy handling:

- https://github.com/Rob--W/proxy-from-env#environment-variables
- https://github.com/TooTallNate/node-proxy-agent

This is the natural way of things for Linux. My understanding is that
most proxies on MacOS are system-wide and transparent, so it's not so
urgent. But Windows will likely require further UI for configuration.
Will need to do some testing with Windows users.
2017-12-04 15:35:50 -08:00
Scott Nonnenberg
2fdb048721
NullMessage sent before verification sync should not be silent (#1857) 2017-12-04 15:28:38 -08:00
Scott Nonnenberg
c195ba2630
Save prekeys optimistically, track confirms, new clean behavior (#1846)
* Re-enable libtextsecure unit tests, get passing, run in CI

* Save prekeys optimistically, track confirmed, new clean behavior

* Eliminate potential conflicts when rotating on startup

* Remove last symlink: get libtextsecure tests running on windows
2017-12-01 13:35:39 -08:00
Scott Nonnenberg
21325bc922
Move sync messages to silent = true (#1843)
* Set silent = true for all sync messages

* sendmessage.js: Remove brace-less if
2017-12-01 13:31:48 -08:00
Scott Nonnenberg
44da6924f9
A variety of logging improvements to track down bugs (#1832)
* Log when we get a blocked numbers sync message

* Save three old signed keys in addition to the current active

* Remove the mystery from all the error-related log messages

* Log successful load of signed key - to help debug prekey errors

* removeSignedPreKey: Don't hang or crash in error cases

* Log on top-level unhandled promise rejection

* Remove trailing comma in param list, Electron 1.6 does not like

* Harden top-level error handler for strange object shapes
2017-11-30 11:56:29 -08:00
Scott Nonnenberg
a5923c2177
Key rotation: log failures, retry, force on new version (#1833)
* Retry failed signed key rotation; start rotation when registered (#1772)

* rotateSignedPrekeys: Fix 'res is not defined' error

* If the server rejects key rotation, don't retry immediately

* Force a signed key rotation on launch of any new version
2017-11-30 11:55:59 -08:00
Scott Nonnenberg
aab4f10509
rotateSignedPrekeys: Fix 'res is not defined' error 2017-11-22 15:08:04 -08:00
Scott Nonnenberg
0e328f3911
Merge branch 'master' into development
This catches the development branch up with v1.0.39 in master.
2017-11-21 18:25:59 -08:00
Scott Nonnenberg
158b575885
Proper session reset: Delete sessions before and after (#1796)
* web requests: Don't fail if JSON not well-formed in error cases

Turns out that before our move to node-fetch, we ignored JSON.parse()
failures: https://github.com/WhisperSystems/Signal-Desktop/pull/1552/files#diff-1103a6aff0f28b6066715c6994278767L37518

* Update to libsignal v1.2.0, delete sessions on reset session

Previously we only archived sessions when sending or receiving a
'reset secure session, which didn't match up with the mobile apps.
2017-11-21 15:20:07 -08:00
Scott Nonnenberg
fd5fa666f9
Retry failed signed key rotation; start rotation when registered (#1772) 2017-11-16 16:19:24 -08:00
Scott Nonnenberg
9e6d50b966
Merge branch 'master' into development
Bringing our development (beta) branch inline with all the more urgent
fixes which went directly into the master (production) branch.
2017-11-08 17:02:00 -08:00
Scott Nonnenberg
cae2b10af6
Increase web request timeout, drop failed delivery receipts (#1699)
Increase web request timeout, drop failed delivery receipts, export error logging
2017-11-07 10:49:10 -08:00
Lilia
d1f7f5ee8c Fix json parsing exceptions obscuring server errors (#1605)
I got a 413 (Rate limit exceeded) error from the server while fetching prekeys.
The client tried to parse the response as json since we expect json from the
prekey endpoint, which threw an exception because the response was not json.
This change prevents us from treating the response as json unless it has the
Content-Type header set accordingly.

If for some reason, the client and server disagree on whether the response
should be or is json, we'll default to treating it as text.

// FREEBIE
2017-10-24 15:54:46 -07:00
Lilia
22ccd46f4c Fix setSignedPreKey request - don't expect a JSON response (#1595)
Don't expect a json response from this endpoint. It will only give you
empty responses and exceptions. And sadness.

// FREEBIE
2017-10-23 15:41:27 -07:00
Scott Nonnenberg
6a895f0e27 Better handling of online/offline behavior, socket shutdown (#1593)
* Online/offline: Always stop timer, don't connect if closed

* Sockets: Send our own close event faster, shutdown only on close

Seems that we were too-aggressively disconnecting from all socket
events. Also, we should be able to send our own close event a lot
faster with no ill effects.

* Catch-up libtextsecure changes
2017-10-23 14:38:43 -07:00
lilia
ce0e39aaa7 Fix timeouts
// FREEBIE
2017-10-23 09:26:50 -07:00
Scott Nonnenberg
735aec90e8 Add 5s timeout for all requests but attachment up/down, avatar (#1584)
* Remove hang workaround in api.js since we have global workaround

* Add 5s timeout for all requests exept attachment up/down, avatar
2017-10-20 17:02:44 -07:00
Lilia
af8b0164b5 Move to node fetch API for web requests instead of XHR (#1552)
* Use node-fetch instead of xhr

* Remove XMLHttpRequest.js

// FREEBIE

* Avoid calling json() on non json responses

Previously we would catch and swallow JSON parsing errors resulting from an
empty response, though empty responses are normal from a few endpoints, like
requesting sms or voice registration codes.

Since the JSON parsing call is now handled internally by node-fetch, we have to
keep closer track of our expected response type to avoid throwing an exception.

// FREEBIE
2017-10-20 15:52:02 -07:00
Scott Nonnenberg
fb7701576e Update autosize, which should fix stack overflow error (#1560)
* Update to the latest version of autosize.js

* gitignore: Restrict 'dist' matches to the root dist folder

The global search for 'dist' caused problems when updateing bower
components.

* A couple minor version updates: ByteBuffer, filesize, intlTel

moment-with-localse, ProtoBuf
2017-10-13 11:44:35 -07:00
Scott Nonnenberg
b64f2969fd Better handling of network disconnection/reconnection (#1546)
* Ensure that our preload.js setImmediate call finds right function

FREEBIE

* Our own socket close event, better logging, unregistration

FREEBIE

* Return CLOSED for NetworkStatusView if we've fully disconnected

* background.js: Remove messageReceiver = null, log in connect()

A null messageReciever makes the NetworkStatusView think we're online.

FREEBIE
2017-10-06 16:28:13 -07:00
Lilia
52cc8355a6 Feature: Blue check marks for read messages if opted in (#1489)
* Refactor delivery receipt event handler

* Rename the delivery receipt event

For less ambiguity with read receipts.

* Rename synced read event

For less ambiguity with read receipts from other Signal users.

* Add support for incoming receipt messages

Handle ReceiptMessages, which may include encrypted delivery receipts or read
receipts from recipients of our sent messages.

// FREEBIE

* Rename ReadReceipts to ReadSyncs

* Render read messages with blue double checks

* Send read receipts to senders of incoming messages

// FREEBIE

* Move ReadSyncs to their own file

// FREEBIE

* Fixup old comments on read receipts (now read syncs)

And some variable renaming for extra clarity.

// FREEBIE

* Add global setting for read receipts

Don't send read receipt messages unless the setting is enabled.
Don't process read receipts if the setting is disabled.

// FREEBIE

* Sync read receipt setting from mobile

Toggling this setting on your mobile device should sync it to Desktop. When
linking, use the setting in the provisioning message.

// FREEBIE

* Send receipt messages silently

Avoid generating phantom messages on ios

// FREEBIE

* Save recipients on the outgoing message models

For accurate tracking and display of sent/delivered/read state, even if group
membership changes later.

// FREEBIE

* Fix conversation type in profile key update handling

// FREEBIE

* Set recipients on synced sent messages

* Render saved recipients in message detail if available

For older messages, where we did not save the intended set of recipients at the
time of sending, fall back to the current group membership.

// FREEBIE

* Record who has been successfully sent to

// FREEBIE

* Record who a message has been delivered to

* Invert the not-clickable class

* Fix readReceipt setting sync when linking

* Render per recipient sent/delivered/read status

In the message detail view for outgoing messages, render each recipient's
individual sent/delivered/read status with respect to this message, as long as
there are no errors associated with the recipient (ie, safety number changes,
user not registered, etc...) since the error icon is displayed in that case.

*Messages sent before this change may not have per-recipient status lists
and will simply show no status icon.

// FREEBIE

* Add configuration sync request

Send these requests in a one-off fashion when:
  1. We have just setup from a chrome app import
  2. We have just upgraded to read-receipt support

// FREEBIE

* Expose sendRequestConfigurationSyncMessage

// FREEBIE

* Fix handling of incoming delivery receipts - union with array

FREEBIE
2017-10-04 15:28:43 -07:00
Scott Nonnenberg
95c85010c4 Only retry messages on startup, not every sockect reconnect (#1510)
FREEBIE
2017-09-28 14:58:45 -07:00
Scott Nonnenberg
6323f598b5 Disconnect from socket faster on loss of network access (#1512)
* Disconnect from socket faster on complete loss of network access

Today we wait for a keepalive request to fail; this change forces
disconnect in the case that the browser tells us that we're now offline.

FREEBIE

* MessageReceiver: don't react to errors after explicit close()

FREEBIE
2017-09-28 13:12:43 -07:00
Lilia
9f82a37d8b Log call messages instead of throwing error (#1504)
Rather than throw an error, just log call messages and drop them. This way we
distinguish them from incorrectly encoded content messages or new types of
messages we don't support yet, and don't insert unnecessary red flags and
stacktraces in debug logs.

// FREEBIE
2017-09-25 16:42:56 -07:00
Scott Nonnenberg
9db0cb49c4 setTimeout/setImmediate workaround for linux hangs (#1497)
FREEBIE
2017-09-22 11:06:52 -07:00
Lilia
fc952fbaf6
Handle provisioning messages with no profile key (#1470)
This can happen while linking to an older mobile client.

// FREEBIE
2017-09-14 17:04:03 -07:00
Lilia
c832324cb9
Trigger empty event on keepalive timeout (#1466) 2017-09-14 17:04:03 -07:00
Scott Nonnenberg
420cfc46be
Additional logging to help track down socket disconnect problems (#1469)
FREEBIE
2017-09-14 17:04:03 -07:00
Lilia
ae190fed44
Profiles (#1453)
* Add AES-GCM encryption for profiles

With tests.

* Add profileKey to DataMessage protobuf

// FREEBIE

* Decrypt and save profile names

// FREEBIE

* Save incoming profile keys

* Move pad/unpad to crypto module

// FREEBIE

* Support fetching avatars from the cdn

// FREEBIE

* Translate failed authentication errors

When AES-GCM authentication fails, webcrypto returns a very generic error. The
same error is thrown for invalid length inputs, but our earlier checks in
decryptProfile should rule out those failure modes and leave us safe to assume
that we either had bad ciphertext or the wrong key.

// FREEBIE

* Handle profile avatars (wip) and log decrypt errors

// FREEBIE

* Display profile avatars

Synced contact avatars will still override profile avatars.

* Display profile names in convo list

Only if we don't have a synced contact name.

// FREEBIE

* Make cdn url an environment config

Use different ones for staging and production

// FREEBIE

* Display profile name in conversation header

* Display profile name in group messages

* Update conversation header if profile avatar changes

// FREEBIE

* Style profile names small with ~

* Save profileKeys from contact sync messages

// FREEBIE

* Save profile keys from provisioning messages

For standalone accounts, generate a random profile key.

// FREEBIE

* Special case for one-time sync of our profile key

Android will use a contact sync message to sync a profile key from Android
clients who have just upgraded and generated their profile key. Normally we
should receive this data in a provisioning message.

// FREEBIE

* Infer profile sharing from synced data messages

* Populate profile keys on outgoing messages

Requires that `profileSharing` be set on the conversation.

// FREEBIE

* Support for the profile key update flag

When receiving a message with this flag, don't init a message record, just
process the profile key and move on.

// FREEBIE

* Display profile names in group member list

* Refresh contact's profile on profile key changes

// FREEBIE

* Catch errors on profile save

// FREEBIE

* Save our own synced contact info

Don't return early if we get a contact sync for our own number

// FREEBIE
2017-09-14 17:04:00 -07:00
Lilia
50c470e53d
Certificate pinning via node XMLHttpRequest implementation (#1394)
* Add certificate pinning on https service requests

Make https requests to the server using node apis instead of browser apis, so we
can specify our own CA list, which contains only our own CA.

This protects us from MITM by a rogue CA.

As a bonus, this let's us drop the use of non-standard ports and just use good
ol' default 443 all the time, at least for http requests.

// FREEBIE

* Make certificateAuthorities an option on requests

Modify node-based xhr implementation based on driverdan/node-XMLHttpRequest,
adding support for setting certificate authorities on each request.

This allows us to pin our master CA for requests to the server and cdn but not
to the s3 attachment server, for instance. Also fix an exception when sending
binary data in a request: it is submitted as an array buffer, and must be
converted to a node Buffer since we are now using a node based request api.

// FREEBIE

* Import node-based xhr implementation

Add a copy of https://github.com/driverdan/node-XMLHttpRequest@86ff70e, and
expose it to the renderer in the preload script.

In later commits this module will be extended to support custom certificate
authorities.

// FREEBIE

* Support "arraybuffer" responseType on requests

When fetching attachments, we want the result as binary data rather than a utf8
string. This lets our node-based XMLHttpRequest honor the responseType property
if it is set on the xhr.

Note that naively using the raw `.buffer` from a node Buffer won't work, since
it is a reuseable backing buffer that is often much larger than the actual
content defined by the Buffer's offset and length.

Instead, we'll prepare a return buffer based on the response's content length
header, and incrementally write chunks of data into it as they arrive.

// FREEBIE

* Switch to self-signed server endpoint

* Log more error info on failed requests

With the node-based xhr, relevant error info are stored in statusText and
responseText when a request fails.

// FREEBIE

* Add node-based websocket w/ support for custom CA

// FREEBIE

* Support handling array buffers instead of blobs

Our node-based websocket calls onmessage with an arraybuffer instead of a blob.
For robustness (on the off chance we switch or update the socket implementation
agian) I've kept the machinery for converting blobs to array buffers.

// FREEBIE

* Destroy all wacky server ports

// FREEBIE
2017-09-14 17:03:17 -07:00
Scott Nonnenberg
0fbe43c2dc
Protobufs: More logging on failure to load protobufs, fix tests
FREEBIE
2017-09-14 17:02:45 -07:00
Scott Nonnenberg
3a3aa3efb6
Remove test/protos symlink, use window.PROTO_ROOT for config 2017-09-14 16:53:48 -07:00
Scott Nonnenberg
c8013d930c
Proto-loading: Throw if we get an error 2017-09-14 16:53:47 -07:00
lilia
859d49b3f4
Use relative paths
// FREEBIE
2017-09-14 16:53:34 -07:00
Scott Nonnenberg
1e694fe8d7 Log entry max to 2k, remove logging in hot codepaths (#1459)
On a recent trip through a CPU profile taken while Signal Desktop
churned through a large backlog of messages, it was clear that
console.log was a major source of time spent, primarily the sort
operation required after every new entry is added to the Backbone
collection. So, three different techniques to combat this:

1) Reduce the maximum number of entries in the collection from 5k to 2k
2) No more logging of add/update/remove queue in MessageReceiver
3) No more log entries in Message.handleDataMessage main codepath

FREEBIE
2017-09-12 09:34:49 -07:00
Lilia
51cd28bb4a Fix race handling contact sync with verified info (#1419)
When processing a contact sync with embedded identity key verification info, we
were running overlapping async fetch/save operations on the same conversation
model, causing a race that tends to clobber updates to the contact info.

In this change we extend the application-level contact info handler to block on
a subsequent call to the verification handler, which effectively serializes the
fetch/save calls, and relieves the need for the message receiver to trigger a
seperate event concerning the verification info on contact sync messages.

Fixes #1408

// FREEBIE
2017-09-01 07:42:41 -07:00
Scott Nonnenberg
36e8b82b5f Remove unknown group messages from cache - no need to retry! (#1414)
FREEBIE
2017-08-30 14:40:08 -07:00
Scott Nonnenberg
46b64e306f createTaskWithTimeout: Don't log expiration if task threw (#1412)
FREEBIE
2017-08-30 13:33:55 -07:00
Scott Nonnenberg
4011e26b50 Fix handling of sync message with blocked numbers (#1411)
FREEBIE
2017-08-30 11:55:17 -07:00
Scott Nonnenberg
c0cd733139 Full export, migration banner, and full migration workflow - behind flag (#1342)
* Add support for backup and restore

This first pass works for all stores except messages, pending some scaling
improvements.

// FREEBIE

* Import of messages and attachments

Properly sanitize filenames. Logging information that will help with
debugging but won't threaten privacy (no contact or group names),
where the on-disk directories have this information to make things
human-readable

FREEBIE

* First fully operational single-action export and import!

FREEBIE

* Add migration export flow

A banner alert leads to a blocking ui for the migration. We close the socket and
wait for incoming messages to drain before starting the export.

FREEBIE

* A number of updates for the export flow

1. We don't immediately pop the directory selection dialog box, instead
  showing an explicit 'choose directory' button after explaining what is
  about to happen
2. We show a 'submit debug log' button on most steps of the process
3. We handle export errors and encourage the user to double-check their
  filesystem then submit their log
4. We are resilient to restarts during the process
5. We handle the user cancelling out of the directory selection dialog
  differently from other errors.
6. The export process is now serialized: non-messages, then messages.
7. After successful export, show where the data is on disk

FREEBUE

* Put migration behind a flag

FREEBIE

* Shut down websocket before proceeding with export

FREEBIE

* Add MigrationView to test/index.html to fix test

FREEBIE

* Remove 'Submit Debug Log' button when the export process is complete

FREEBIE

* Create a 'Signal Export' directory below user-chosen dir

This cleans things up a bit so we don't litter the user's target
directory with lots of stuff.

FREEBIE

* Clarify MessageReceiver.drain() method comments

FREEBIE

* A couple updates for clarity - event names, else handling

Also the removal of wait(), which wasn't used anywhere.

FREEBIE

* A number of wording updates for the export flow

FREEBIE

* Export complete: put dir on its own line, make text selectable

FREEBIE
2017-08-28 13:06:10 -07:00
Scott Nonnenberg
9fb079253c Remove errors from the cache when they are shown to the user (#1392)
There's really no reason to retry encryption errors again if they've
already been made user-visible in a conversation.

Also, refactor e->error in background.js onError(), since both e and ev
in this method made it too easy to make a mistake.
2017-08-25 14:24:16 -07:00
Scott Nonnenberg
84fd605ad3 MessageReceiver cache: Don't convert to string for save
Because IndexedDB supports ArrayBuffer natively.

FREEBIE
2017-08-25 13:53:47 -07:00
Scott Nonnenberg
4ef36cc95c Add logging to help track down problems with Sync
Seems like we're running into errors sending the message to kick off the
sync, so positive logging as well as error logging is included.

FREEBIE
2017-08-17 17:33:22 -07:00
Scott Nonnenberg
7e9ed1481b Set receivedAt after decrypt, sort by received then sent
FREEBIE
2017-08-14 12:12:36 -07:00
Scott Nonnenberg
620b71a649 Maintain original received time when processing queued/error msgs
FREEBIE
2017-08-12 13:17:53 -07:00
Scott Nonnenberg
8700112f6d Decrypt any IncomingIdentityKeyError still sticking around
FREEBIE
2017-08-12 13:17:53 -07:00
Scott Nonnenberg
b33c5c4c07 MessageReceiver: Wait for all code paths in handleSyncMessage
Without this, the recent changes to wait for read receipts and delivery
receipts don't have much of an effect.

FREEBIE
2017-08-08 11:22:41 -07:00
Scott Nonnenberg
2130795708 Fix 'retry message' scenario: they are now content messages
FREEBIE
2017-08-07 16:14:49 -07:00