Disable use of Apple's Trust Evaluation Agent for certificate validat…

…ion, to enforce proper CA pinning on OS X
xdesai · May 12, 2014 · 860bcb0 · 860bcb0
1 parent 90caa47
commit 860bcb0
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 3 deletions.
diff --git a/autotools/ax_check_x509.m4 b/autotools/ax_check_x509.m4
@@ -0,0 +1,36 @@
+#
+#   Copyright (c) 2014 Duo Security
+#   All rights reserved, all wrongs reversed
+#
+# SYNOPSIS
+#
+#   AX_CHECK_X509([action-if-found[, action-if-not-found]])
+#
+# DESCRIPTION
+#
+#   Checks to see if the function X509_TEA_set_state exists in OPENSSL_LIBS
+#
+#serial 1
+
+AU_ALIAS([CHECK_X509], [AX_CHECK_X509])
+AC_DEFUN([AX_CHECK_X509],[
+    AC_MSG_CHECKING([whether X509_TEA_set_state runs])
+    save_LIBS="$LIBS"
+    save_LDFLAGS="$LDFLAGS"
+    save_CPPFLAGS="$CPPFLAGS"
+    LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
+    LIBS="$OPENSSL_LIBS $LIBS"
+    CPPFLAGS="$OPENSSL_INCLUDES $CPPFLAGS"
+    AC_RUN_IFELSE(
+        AC_LANG_PROGRAM([void X509_TEA_set_state(int change);], [X509_TEA_set_state(0);]),
+        [
+            AC_MSG_RESULT([yes])
+            $1
+        ], [
+            AC_MSG_RESULT([no])
+            $2
+    ])
+    CPPFLAGS="$save_CPPFLAGS"
+    LDFLAGS="$save_LDFLAGS"
+    LIBS="$save_LIBS"
+])
diff --git a/configure.ac b/configure.ac
@@ -86,7 +86,8 @@ AC_CHECK_HEADERS([inttypes.h limits.h memory.h stdint.h stdlib.h string.h unistd
 
 # Check OpenSSL
 AX_CHECK_OPENSSL([], AC_MSG_FAILURE([OpenSSL not found]))
-
+# Define if X509_TEA_set_state exists
+AX_CHECK_X509(AC_DEFINE([HAVE_X509_TEA_SET_STATE],[1],[Define if X509_set_state exists]), [])
 # Default PAM install dir
 case "$host" in
      *darwin*)         PAM_DIR="/usr/lib/pam" ;;

diff --git a/lib/https.c b/lib/https.c
@@ -32,6 +32,10 @@
 #include "https.h"
 #include "match.h"
 
+#ifdef HAVE_X509_TEA_SET_STATE
+extern void X509_TEA_set_state(int change);
+#endif
+
 struct https_ctx {
         SSL_CTX              *ssl_ctx;
         char	             *ikey;
@@ -104,7 +108,6 @@ _SSL_check_server_cert(SSL *ssl, const char *hostname)
         ASN1_STRING *tmp;
         int i, n, match = -1;
         const char *p;
-
         if (SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE ||
             (cert = SSL_get_peer_certificate(ssl)) == NULL) {
                 return (1);
@@ -203,7 +206,7 @@ https_init(const char *ikey, const char *skey,
         X509 *cert;
         BIO *bio;
         char *p;
-        
+
         if ((ctx = calloc(1, sizeof(*ctx))) == NULL ||
             (ctx->ikey = strdup(ikey)) == NULL ||
             (ctx->skey = strdup(skey)) == NULL ||
@@ -212,6 +215,13 @@ https_init(const char *ikey, const char *skey,
                 return (HTTPS_ERR_SYSTEM);
         }
         /* Initialize SSL context */
+#ifdef HAVE_X509_TEA_SET_STATE
+        /* If applicable, disable use of Apple's Trust Evaluation Agent for certificate
+         * validation, to enforce proper CA pinning:
+         * http://www.opensource.apple.com/source/OpenSSL098/OpenSSL098-35.1/src/crypto/x509/x509_vfy_apple.h
+         */
+        X509_TEA_set_state(0);
+#endif
         SSL_library_init();
         SSL_load_error_strings();
         OpenSSL_add_all_algorithms();