iOS 7.0.6 / iOS 6.1.6 is now available

For those interested in programming, have a look at the old source code http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c?txt and specifically line 631.

The first goto is bound to the if statement above, but the second goto isn't conditional and will always be executed. Result is that the SSL/TLS signature verification will never fail :eek:.

Lesson for programmers = Never use if statements without curly braces! :p

:confused: :confused: :confused:
It's an always-executed goto fail, wouldn't that make it never succeed?
(genuinely interested)
 
So as the first goto is bound to the if statement above, but the second goto isn't conditional and will always be executed, we will always jump to the end from that second goto.
The variable err will contain a successful value because the SHA1 update operation was successful, and so the signature verification will never fail.

A fuller explanation from elsewhere:
This signature verification is checking the signature in a ServerKeyExchange message. This is used in DHE and ECDHE ciphersuites to communicate the ephemeral key for the connection. The server is saying “here's the ephemeral key and here's a signature, from my certificate, so you know that it's from me”. Now, if the link between the ephemeral key and the certificate chain is broken, then everything falls apart. It's possible to send a correct certificate chain to the client, but sign the handshake with the wrong private key, or not sign it at all! There's no proof that the server possesses the private key matching the public key in its certificate.
https://www.imperialviolet.org/2014/02/22/applebug.html
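
The control flow described in the posts above, reduced to a small C model. This is an added example, not Apple's source and not part of the original thread; `hash_update`, `hash_final`, `sig_check` and the string arguments are constructed stand-ins for the real hash and signature steps.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins, not Apple's functions: 0 means success. */
static int hash_update(const char *data) { return data != NULL ? 0 : -1; }
static int hash_final(void) { return 0; }
static int sig_check(const char *sig, const char *expected)
{
    return strcmp(sig, expected) == 0 ? 0 : -1;
}

/* Shape of the bug: the second goto is not part of the if. */
int verify_buggy(const char *params, const char *sig, const char *expected)
{
    int err;
    if ((err = hash_update(params)) != 0)
        goto fail;
        goto fail;   /* always taken; err is 0 from the successful update */
    if ((err = hash_final()) != 0)
        goto fail;
    err = sig_check(sig, expected);   /* never reached */
fail:
    return err;      /* 0 is reported as "verified" */
}

/* Same logic with braces: a duplicated goto inside them would be harmless. */
int verify_fixed(const char *params, const char *sig, const char *expected)
{
    int err;
    if ((err = hash_update(params)) != 0) {
        goto fail;
    }
    if ((err = hash_final()) != 0) {
        goto fail;
    }
    err = sig_check(sig, expected);
fail:
    return err;
}

int main(void)
{
    printf("buggy, forged signature: %d\n", verify_buggy("params", "forged", "good"));
    printf("fixed, forged signature: %d\n", verify_fixed("params", "forged", "good"));
    printf("fixed, valid signature:  %d\n", verify_fixed("params", "good", "good"));
    return 0;
}
```

GCC's `-Wmisleading-indentation` (enabled by `-Wall`) and Clang's `-Wunreachable-code` both flag the duplicated line in `verify_buggy`.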
 
I've had a massive issue with my iCloud email address over the last few days and I guess it's related to this. It's been blocked by Apple for security, removing all the contacts from my phone and forcing me to switch my email over on all accounts that I use. So bloody annoying.
 