From 860bcb08381040eeff9b1879f1b5f55d1e1c57dc Mon Sep 17 00:00:00 2001
From: Vikas Kumar
Date: Mon, 12 May 2014 14:19:31 -0400
Subject: [PATCH] Disable use of Apple's Trust Evaluation Agent for certificate validation, to enforce proper CA pinning on OS X
---
 autotools/ax_check_x509.m4 | 36 ++++++++++++++++++++++++++++++++++++
 configure.ac | 3 ++-
 lib/https.c | 14 ++++++++++++--
 3 files changed, 50 insertions(+), 3 deletions(-)
 create mode 100644 autotools/ax_check_x509.m4
diff --git a/autotools/ax_check_x509.m4 b/autotools/ax_check_x509.m4
new file mode 100644
index 00000000..66a44e35
--- /dev/null
+++ b/autotools/ax_check_x509.m4
@@ -0,0 +1,36 @@
+#
+# Copyright (c) 2014 Duo Security
+# All rights reserved, all wrongs reversed
+#
+# SYNOPSIS
+#
+# AX_CHECK_X509([action-if-found[, action-if-not-found]])
+#
+# DESCRIPTION
+#
+# Checks to see if the function X509_TEA_set_state exists in OPENSSL_LIBS
+#
+#serial 1
+
+AU_ALIAS([CHECK_X509], [AX_CHECK_X509])
+AC_DEFUN([AX_CHECK_X509],[
+ AC_MSG_CHECKING([whether X509_TEA_set_state runs])
+ save_LIBS="$LIBS"
+ save_LDFLAGS="$LDFLAGS"
+ save_CPPFLAGS="$CPPFLAGS"
+ LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
+ LIBS="$OPENSSL_LIBS $LIBS"
+ CPPFLAGS="$OPENSSL_INCLUDES $CPPFLAGS"
+ AC_RUN_IFELSE(
+ AC_LANG_PROGRAM([void X509_TEA_set_state(int change);], [X509_TEA_set_state(0);]),
+ [
+ AC_MSG_RESULT([yes])
+ $1
+ ], [
+ AC_MSG_RESULT([no])
+ $2
+ ])
+ CPPFLAGS="$save_CPPFLAGS"
+ LDFLAGS="$save_LDFLAGS"
+ LIBS="$save_LIBS"
+])
\ No newline at end of file
diff --git a/configure.ac b/configure.ac
index 2812168c..691fbeac 100644
--- a/configure.ac
+++ b/configure.ac
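Review bot: AC_RUN_IFELSE on the probe line is given only the two action arguments, so when configure is run while cross-compiling (the test binary cannot execute) autoconf aborts the whole configure run instead of falling through to `$2`, and the check can never answer "no" in that setup. The macro's stated purpose is only that the symbol exists in OPENSSL_LIBS, so a link test is sufficient and portable: `AC_LINK_IFELSE([AC_LANG_PROGRAM([void X509_TEA_set_state(int change);], [X509_TEA_set_state(0);])],` (this also quotes the program argument the way autoconf expects). The prototype is written by hand here and again as an `extern` in lib/https.c; a comment such as `# Prototype is hand-written: it is not exposed by a public OpenSSL header; keep it identical to the extern in lib/https.c` would help keep the two from drifting, since a mismatch only surfaces at link time.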
@@ -86,7 +86,8 @@ AC_CHECK_HEADERS([inttypes.h limits.h memory.h stdint.h stdlib.h string.h unistd
 # Check OpenSSL
 AX_CHECK_OPENSSL([], AC_MSG_FAILURE([OpenSSL not found]))
-
+# Define if X509_TEA_set_state exists
+AX_CHECK_X509(AC_DEFINE([HAVE_X509_TEA_SET_STATE],[1],[Define if X509_set_state exists]), [])
 # Default PAM install dir
 case "$host" in
 *darwin*) PAM_DIR="/usr/lib/pam" ;;
diff --git a/lib/https.c b/lib/https.c
index 2cdda325..4dbb5077 100644
--- a/lib/https.c
+++ b/lib/https.c
@@ -32,6 +32,10 @@
 #include "https.h"
 #include "match.h"
+#ifdef HAVE_X509_TEA_SET_STATE
+extern void X509_TEA_set_state(int change);
+#endif
+
 struct https_ctx {
 SSL_CTX *ssl_ctx;
 char *ikey;
@@ -104,7 +108,6 @@ _SSL_check_server_cert(SSL *ssl, const char *hostname)
 ASN1_STRING *tmp;
 int i, n, match = -1;
 const char *p;
-
 if (SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE ||
 (cert = SSL_get_peer_certificate(ssl)) == NULL) {
 return (1);
@@ -203,7 +206,7 @@ https_init(const char *ikey, const char *skey,
 X509 *cert;
 BIO *bio;
 char *p;
-
+
 if ((ctx = calloc(1, sizeof(*ctx))) == NULL ||
 (ctx->ikey = strdup(ikey)) == NULL ||
 (ctx->skey = strdup(skey)) == NULL ||
@@ -212,6 +215,13 @@ https_init(const char *ikey, const char *skey,
 return (HTTPS_ERR_SYSTEM);
 }
 /* Initialize SSL context */
+#ifdef HAVE_X509_TEA_SET_STATE
+ /* If applicable, disable use of Apple's Trust Evaluation Agent for certificate
+ * validation, to enforce proper CA pinning:
+ * http://www.opensource.apple.com/source/OpenSSL098/OpenSSL098-35.1/src/crypto/x509/x509_vfy_apple.h
+ */
+ X509_TEA_set_state(0);
+#endif
 SSL_library_init();
 SSL_load_error_strings();
 OpenSSL_add_all_algorithms();
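Review bot: The AC_DEFINE description on the added AX_CHECK_X509 line names the wrong symbol: `[Define if X509_set_state exists]` should read `[Define if X509_TEA_set_state exists]`, matching the comment line directly above it and the function the probe actually links against. This description ends up in config.h, and since HAVE_X509_TEA_SET_STATE is the switch that gates the pinning-related call in lib/https.c, a reader checking why the define is present should not be pointed at a function that does not exist.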
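Review bot: In the last hunk, X509_TEA_set_state(0) is called once in https_init, before SSL_library_init(), and its effect is never verified; the setting appears to be process-global rather than tied to the SSL_CTX created here (the linked Apple header is the reference, so confirm), which means other code in the same host process could re-enable the agent after https_init returns and silently loosen the pin. Apple's build also exports `X509_TEA_is_enabled()`; probing for it in the same configure macro and checking it after the call, or re-applying the opt-out immediately before each verification in _SSL_check_server_cert, would turn a one-shot hint into an enforced condition. The comment above the call should also say why the agent undermines pinning rather than only linking to a source file: `/* TEA can accept a chain the pinned CA does not validate; disabling it makes our CA the only trust anchor. */` keeps the security rationale on the page if the URL goes stale. https_init continues outside the hunk, and the `extern` in the first hunk duplicates the prototype in autotools/ax_check_x509.m4, so a one-line comment there naming the m4 probe would keep them in sync.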