DaemonForums > News (News regarding BSD and related.)
#1
24th February 2014
IdOp
Apple SSL gaffe affects mobile and OS X

Quote:
Originally Posted by Reuters
Apple Inc. has pushed an update for iOS mobile devices to close a gaping hole in its security software, which gave spies and hackers the ability to grab e-mail, financial information and other sensitive data. An update for its Mac computers is reportedly coming "very soon."
#2
26th February 2014
IdOp

A follow-up:

Apple issues fix for major OS X security flaw

Quote:
Originally Posted by Reuters
Apple has not said when or how it learned about the flaw in the way iOS handles sessions


#3
26th February 2014
roddierod (Rod Person)

I have that picture hanging in my cube at work.
__________________
"The basic tool for the manipulation of reality is the manipulation of words. If you can control the meaning of words, you can control the people who must use the words." -Philip K. Dick
#4
26th February 2014
Carpetsmoker (Martin)

The bug was actually rather funny:

Code:
static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                 uint8_t *signature, UInt16 signatureLen)
{
    OSStatus        err;
    ...
 
    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;
    ...
 
fail:
    SSLFreeBuffer(&signedHashes);
    SSLFreeBuffer(&hashCtx);
    return err;
}
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
#5
26th February 2014
IdOp
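An added C sketch, not Apple's code and not from this thread, that reproduces the control flow of the snippet in post #4 with a toy hash so the effect of the duplicated line can be checked directly: `verify_buggy` returns 0 (success) for a signature that does not match, while `verify_fixed`, the same function with the stray line removed, rejects it. The helpers `hash_update`, `hash_final_and_compare` and the sample values are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

typedef int OSStatus;   /* stand-in for the SecureTransport type */

/* Toy "hash": XOR-fold of the input. Constructed for illustration only. */
static OSStatus hash_update(uint8_t *acc, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        *acc ^= buf[i];
    return 0;
}

/* The check the shipped code never reached: does the computed hash
   match the value carried in the signature? Nonzero means failure. */
static OSStatus hash_final_and_compare(uint8_t acc, uint8_t expected)
{
    return acc == expected ? 0 : -1;
}

/* Mirrors the shipped control flow: the second, unindented goto is
   unconditional, so err still holds the 0 from the last successful
   update and the function reports "verified" without comparing hashes. */
OSStatus verify_buggy(const uint8_t *params, size_t len, uint8_t sig)
{
    OSStatus err;
    uint8_t acc = 0;
    if ((err = hash_update(&acc, params, len)) != 0)
        goto fail;
        goto fail;   /* duplicated line: always taken */
    if ((err = hash_final_and_compare(acc, sig)) != 0)
        goto fail;
fail:
    return err;
}

/* Same function with the stray line removed: the compare now runs. */
OSStatus verify_fixed(const uint8_t *params, size_t len, uint8_t sig)
{
    OSStatus err;
    uint8_t acc = 0;
    if ((err = hash_update(&acc, params, len)) != 0)
        goto fail;
    if ((err = hash_final_and_compare(acc, sig)) != 0)
        goto fail;
fail:
    return err;
}

/* Constructed sample input: 1 ^ 2 ^ 3 == 0, so the matching "signature" is 0. */
static const uint8_t kSampleParams[] = {1, 2, 3};
```

Compiling with `-Wunreachable-code` flags the dead compare in `verify_buggy`, which is the kind of warning that would have caught the original line.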

Thanks, I'd read somewhere it was a single line, so nice to see exactly what it was. (I think I see it now, in an earlier version of this post I was confused.)

Last edited by IdOp; 26th February 2014 at 09:55 PM.
#6
27th February 2014
LeFrettchen

Looks like a line has been deleted.

Maybe something like this:
Code:
if ((err = SSLHashSHA1.update(&hashCtx, &exchangeParams)) != 0)
__________________
In case of emergency
#7
27th February 2014
Carpetsmoker (Martin)

Many lines have been snipped. The point is the double goto fail;.
#8
27th February 2014
LeFrettchen

Quote:
Originally Posted by Carpetsmoker
The point is the double goto fail;.
Yep, just like a missing line...