diff --git a/TrustKit.podspec b/TrustKit.podspec
index 0944ddb0..e18dac00 100644
--- a/TrustKit.podspec
+++ b/TrustKit.podspec
@@ -1,6 +1,6 @@
 Pod::Spec.new do |s|
 s.name = "TrustKit"
- s.version = "1.1.0"
+ s.version = "1.1.1"
 s.summary = 'TrustKit is an open source framework that makes it easy to deploy SSL pinning in any iOS or OS X App.'
 s.homepage = "https://datatheorem.github.io/TrustKit"
 s.documentation_url = 'https://datatheorem.github.io/TrustKit/documentation/'
diff --git a/TrustKit.xcodeproj/project.pbxproj b/TrustKit.xcodeproj/project.pbxproj
index 2c5546cb..5f846db6 100644
--- a/TrustKit.xcodeproj/project.pbxproj
+++ b/TrustKit.xcodeproj/project.pbxproj
@@ -414,7 +414,7 @@
 isa = PBXProject;
 attributes = {
 CLASSPREFIX = TSK;
- LastUpgradeCheck = 0610;
+ LastUpgradeCheck = 0640;
 ORGANIZATIONNAME = TrustKit;
 TargetAttributes = {
 8C8480461A896EE30017C155 = {
@@ -626,6 +626,7 @@
 APPLICATION_EXTENSION_API_ONLY = "$(inherited)";
 CODE_SIGN_IDENTITY = "iPhone Developer";
 "CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "iPhone Developer";
+ COMBINE_HIDPI_IMAGES = YES;
 DEFINES_MODULE = YES;
 DYLIB_COMPATIBILITY_VERSION = 1;
 DYLIB_CURRENT_VERSION = 1;
@@ -653,6 +654,7 @@
 APPLICATION_EXTENSION_API_ONLY = "$(inherited)";
 CODE_SIGN_IDENTITY = "iPhone Developer";
 "CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "iPhone Developer";
+ COMBINE_HIDPI_IMAGES = YES;
 DEFINES_MODULE = YES;
 DYLIB_COMPATIBILITY_VERSION = 1;
 DYLIB_CURRENT_VERSION = 1;
@@ -677,6 +679,8 @@
 8C8480611A896EE30017C155 /* Debug */ = {
 isa = XCBuildConfiguration;
 buildSettings = {
+ APPLICATION_EXTENSION_API_ONLY = NO;
+ COMBINE_HIDPI_IMAGES = YES;
 FRAMEWORK_SEARCH_PATHS = (
 "$(SDKROOT)",
 "$(inherited)",
@@ -698,6 +702,8 @@
 8C8480621A896EE30017C155 /* Release */ = {
 isa = XCBuildConfiguration;
 buildSettings = {
+ APPLICATION_EXTENSION_API_ONLY = NO;
+ COMBINE_HIDPI_IMAGES = YES;
 FRAMEWORK_SEARCH_PATHS = (
 "$(SDKROOT)",
 "$(inherited)",
@@ -716,6 +722,7 @@
 isa = XCBuildConfiguration;
 buildSettings = {
 APPLICATION_EXTENSION_API_ONLY = "$(inherited)";
+ COMBINE_HIDPI_IMAGES = YES;
 DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
 GCC_NO_COMMON_BLOCKS = YES;
 GCC_PREPROCESSOR_DEFINITIONS = (
@@ -739,6 +746,7 @@
 isa = XCBuildConfiguration;
 buildSettings = {
 APPLICATION_EXTENSION_API_ONLY = "$(inherited)";
+ COMBINE_HIDPI_IMAGES = YES;
 COPY_PHASE_STRIP = NO;
 DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
 GCC_NO_COMMON_BLOCKS = YES;
diff --git a/TrustKit.xcodeproj/xcshareddata/xcschemes/TrustKit.xcscheme b/TrustKit.xcodeproj/xcshareddata/xcschemes/TrustKit.xcscheme
index 345645f6..d2a9444f 100644
--- a/TrustKit.xcodeproj/xcshareddata/xcschemes/TrustKit.xcscheme
+++ b/TrustKit.xcodeproj/xcshareddata/xcschemes/TrustKit.xcscheme
@@ -1,6 +1,6 @@ domainRegistryLength NSString *domainLabel = [domain substringToIndex:([domain length] - domainRegistryLength - 1)]; // Retrieve the subdomain's domain without the TLD
diff --git a/TrustKit/TrustKit.m b/TrustKit/TrustKit.m
index 6e3b4a68..2ca792cd 100644
--- a/TrustKit/TrustKit.m
+++ b/TrustKit/TrustKit.m
@@ -88,7 +88,7 @@ void sendPinFailureReport_async(TSKPinValidationResult validationResult, SecTrus
 #if !DEBUG
 // For release builds, also enable the default reporting URL
- if ([domainConfig[kTSKDisableDefaultReportUri] boolValue] == NO)
+ if ([notedHostnameConfig[kTSKDisableDefaultReportUri] boolValue] == NO)
 {
 [reportUris addObject:[NSURL URLWithString:kTSKDefaultReportUri]];
 }
@@ -209,7 +209,7 @@ static OSStatus replaced_SSLHandshake(SSLContextRef context)
 for (NSString *domainName in TrustKitArguments)
 {
- // Sanity check on the domain name
+ // Sanity checks on the domain name
 if (GetRegistryLength([domainName UTF8String]) == 0)
 {
 [NSException raise:@"TrustKit configuration invalid"
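Review bot: The corrected line in the `@@ -88,7 +88,7 @@` hunk of TrustKit/TrustKit.m sits inside `#if !DEBUG`, so a Debug-configuration test run never compiles or executes it. That is presumably how the stale `domainConfig` identifier went unnoticed. The opt-out for the default report URI is therefore decided only by release-only code, and it would be worth having CI build the Release configuration (or moving the decision out of the preprocessor guard) so a regression here is caught before shipping. While touching the line, `if (![notedHostnameConfig[kTSKDisableDefaultReportUri] boolValue])` avoids comparing a BOOL against a constant. The body of sendPinFailureReport_async starts and ends outside the hunk.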
@@ -226,6 +226,17 @@ static OSStatus replaced_SSLHandshake(SSLContextRef context)
 NSNumber *shouldIncludeSubdomains = domainTrustKitArguments[kTSKIncludeSubdomains];
 if (shouldIncludeSubdomains)
 {
+ if ([shouldIncludeSubdomains boolValue] == YES)
+ {
+ // Prevent pinning on *.com
+ // Ran into this issue with *.appspot.com which is part of the public suffix list
+ if (GetRegistryLength([domainName UTF8String]) == [domainName length])
+ {
+ [NSException raise:@"TrustKit configuration invalid"
+ format:@"TrustKit was initialized with includeSubdomains for a domain suffix %@", domainName];
+ }
+ }
+
 domainFinalConfiguration[kTSKIncludeSubdomains] = shouldIncludeSubdomains;
 }
 else
diff --git a/TrustKitTests/TSKPinConfigurationTests.m b/TrustKitTests/TSKPinConfigurationTests.m
index e72495d9..9f87bb45 100644
--- a/TrustKitTests/TSKPinConfigurationTests.m
+++ b/TrustKitTests/TSKPinConfigurationTests.m
@@ -138,6 +138,18 @@ - (void)testIncludeSubdomainsEnabledNotSubdomain
 }
+- (void)testIncludeSubdomainsEnabledForSuffix
+{
+ XCTAssertThrows(parseTrustKitArguments(@{@"com" : @{
+ kTSKIncludeSubdomains : @YES,
+ kTSKPublicKeyAlgorithms : @[kTSKAlgorithmRsa4096],
+ kTSKPublicKeyHashes : @[@"TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=",
+ @"TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY="
+ ]}}),
+ @"Configuration that pins *.com must be rejected");
+}
+
+
 - (void)testIncludeSubdomainsDisabled
 {
 NSDictionary *trustKitConfig;
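Review bot: The suffix guard added in the `@@ -226,6 +226,17 @@` hunk compares two lengths in different units: `GetRegistryLength([domainName UTF8String])` is measured on the UTF-8 C string, while `[domainName length]` counts UTF-16 code units. The two agree only for ASCII names, so a configured name with non-ASCII characters could presumably fail the equality and let includeSubdomains on a public suffix through. That would apply the pin set to every unrelated domain under that suffix. Comparing like with like closes the gap, for example `GetRegistryLength([domainName UTF8String]) == strlen([domainName UTF8String])`. The outer test reads more safely as `if ([shouldIncludeSubdomains boolValue])` than as a comparison against `YES`. The enclosing function starts and ends outside the hunk.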
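Review bot: testIncludeSubdomainsEnabledForSuffix in the `@@ -138,6 +138,18 @@` hunk may not reach the branch it is meant to cover, because `XCTAssertThrows` accepts any exception. The older `GetRegistryLength(...) == 0` sanity check in parseTrustKitArguments raises the same-named exception, and depending on what GetRegistryLength returns for a bare `com` (not visible here), it could be the one that fires. The code comment names `appspot.com` as the motivating case, so a second assertion with `@"appspot.com"` as the configured domain would cover the multi-label suffix that the length comparison is really for. A companion case with the same suffix and `kTSKIncludeSubdomains : @NO` would document whether that configuration is meant to stay accepted.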