Merge branch 'dev'

datatheorem · Jul 14, 2015 · d69677c · d69677c
2 parents d7fb26a + 035b3fc
commit d69677c
Show file tree

Hide file tree

Showing 7 changed files with 38 additions and 6 deletions.
diff --git a/TrustKit.podspec b/TrustKit.podspec
@@ -1,6 +1,6 @@
 Pod::Spec.new do |s|
  s.name = "TrustKit"
- s.version = "1.1.0"
+ s.version = "1.1.1"
  s.summary = 'TrustKit is an open source framework that makes it easy to deploy SSL pinning in any iOS or OS X App.'
  s.homepage = "https://datatheorem.github.io/TrustKit"
  s.documentation_url = 'https://datatheorem.github.io/TrustKit/documentation/'

diff --git a/TrustKit.xcodeproj/project.pbxproj b/TrustKit.xcodeproj/project.pbxproj
@@ -414,7 +414,7 @@
  isa = PBXProject;
  attributes = {
  CLASSPREFIX = TSK;
- LastUpgradeCheck = 0610;
+ LastUpgradeCheck = 0640;
  ORGANIZATIONNAME = TrustKit;
  TargetAttributes = {
  8C8480461A896EE30017C155 = {
@@ -626,6 +626,7 @@
  APPLICATION_EXTENSION_API_ONLY = "$(inherited)";
  CODE_SIGN_IDENTITY = "iPhone Developer";
  "CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "iPhone Developer";
+ COMBINE_HIDPI_IMAGES = YES;
  DEFINES_MODULE = YES;
  DYLIB_COMPATIBILITY_VERSION = 1;
  DYLIB_CURRENT_VERSION = 1;
@@ -653,6 +654,7 @@
  APPLICATION_EXTENSION_API_ONLY = "$(inherited)";
  CODE_SIGN_IDENTITY = "iPhone Developer";
  "CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "iPhone Developer";
+ COMBINE_HIDPI_IMAGES = YES;
  DEFINES_MODULE = YES;
  DYLIB_COMPATIBILITY_VERSION = 1;
  DYLIB_CURRENT_VERSION = 1;
@@ -677,6 +679,8 @@
  8C8480611A896EE30017C155 /* Debug */ = {
  isa = XCBuildConfiguration;
  buildSettings = {
+ APPLICATION_EXTENSION_API_ONLY = NO;
+ COMBINE_HIDPI_IMAGES = YES;
  FRAMEWORK_SEARCH_PATHS = (
  "$(SDKROOT)",
  "$(inherited)",
@@ -698,6 +702,8 @@
  8C8480621A896EE30017C155 /* Release */ = {
  isa = XCBuildConfiguration;
  buildSettings = {
+ APPLICATION_EXTENSION_API_ONLY = NO;
+ COMBINE_HIDPI_IMAGES = YES;
  FRAMEWORK_SEARCH_PATHS = (
  "$(SDKROOT)",
  "$(inherited)",
@@ -716,6 +722,7 @@
  isa = XCBuildConfiguration;
  buildSettings = {
  APPLICATION_EXTENSION_API_ONLY = "$(inherited)";
+ COMBINE_HIDPI_IMAGES = YES;
  DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
  GCC_NO_COMMON_BLOCKS = YES;
  GCC_PREPROCESSOR_DEFINITIONS = (
@@ -739,6 +746,7 @@
  isa = XCBuildConfiguration;
  buildSettings = {
  APPLICATION_EXTENSION_API_ONLY = "$(inherited)";
+ COMBINE_HIDPI_IMAGES = YES;
  COPY_PHASE_STRIP = NO;
  DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
  GCC_NO_COMMON_BLOCKS = YES;

diff --git a/TrustKit.xcodeproj/xcshareddata/xcschemes/TrustKit.xcscheme b/TrustKit.xcodeproj/xcshareddata/xcschemes/TrustKit.xcscheme
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
- LastUpgradeVersion = "0630"
+ LastUpgradeVersion = "0640"
  version = "1.3">
  <BuildAction
  parallelizeBuildables = "YES"

diff --git a/TrustKit.xcodeproj/xcshareddata/xcschemes/TrustKit_Static.xcscheme b/TrustKit.xcodeproj/xcshareddata/xcschemes/TrustKit_Static.xcscheme
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Scheme
- LastUpgradeVersion = "0630"
+ LastUpgradeVersion = "0640"
  version = "1.3">
  <BuildAction
  parallelizeBuildables = "YES"

diff --git a/TrustKit/Pinning/ssl_pin_verifier.m b/TrustKit/Pinning/ssl_pin_verifier.m
@@ -28,6 +28,7 @@ static BOOL isSubdomain(NSString *domain, NSString *subdomain)
  }
 
  // Retrieve the main domain without the TLD
+ // When initializing TrustKit, we check that [domain length] > domainRegistryLength
  NSString *domainLabel = [domain substringToIndex:([domain length] - domainRegistryLength - 1)];
 
  // Retrieve the subdomain's domain without the TLD

diff --git a/TrustKit/TrustKit.m b/TrustKit/TrustKit.m
@@ -88,7 +88,7 @@ void sendPinFailureReport_async(TSKPinValidationResult validationResult, SecTrus
 
 #if !DEBUG
  // For release builds, also enable the default reporting URL
- if ([domainConfig[kTSKDisableDefaultReportUri] boolValue] == NO)
+ if ([notedHostnameConfig[kTSKDisableDefaultReportUri] boolValue] == NO)
  {
  [reportUris addObject:[NSURL URLWithString:kTSKDefaultReportUri]];
  }
@@ -209,7 +209,7 @@ static OSStatus replaced_SSLHandshake(SSLContextRef context)
 
  for (NSString *domainName in TrustKitArguments)
  {
- // Sanity check on the domain name
+ // Sanity checks on the domain name
  if (GetRegistryLength([domainName UTF8String]) == 0)
  {
  [NSException raise:@"TrustKit configuration invalid"
@@ -226,6 +226,17 @@ static OSStatus replaced_SSLHandshake(SSLContextRef context)
  NSNumber *shouldIncludeSubdomains = domainTrustKitArguments[kTSKIncludeSubdomains];
  if (shouldIncludeSubdomains)
  {
+ if ([shouldIncludeSubdomains boolValue] == YES)
+ {
+ // Prevent pinning on *.com
+ // Ran into this issue with *.appspot.com which is part of the public suffix list
+ if (GetRegistryLength([domainName UTF8String]) == [domainName length])
+ {
+ [NSException raise:@"TrustKit configuration invalid"
+ format:@"TrustKit was initialized with includeSubdomains for a domain suffix %@", domainName];
+ }
+ }
+
  domainFinalConfiguration[kTSKIncludeSubdomains] = shouldIncludeSubdomains;
  }
  else

diff --git a/TrustKitTests/TSKPinConfigurationTests.m b/TrustKitTests/TSKPinConfigurationTests.m
@@ -138,6 +138,18 @@ - (void)testIncludeSubdomainsEnabledNotSubdomain
 }
 
 
+- (void)testIncludeSubdomainsEnabledForSuffix
+{
+ XCTAssertThrows(parseTrustKitArguments(@{@"com" : @{
+ kTSKIncludeSubdomains : @YES,
+ kTSKPublicKeyAlgorithms : @[kTSKAlgorithmRsa4096],
+ kTSKPublicKeyHashes : @[@"TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=",
+ @"TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY="
+ ]}}),
+ @"Configuration that pins *.com must be rejected");
+}
+
+
 - (void)testIncludeSubdomainsDisabled
 {
  NSDictionary *trustKitConfig;