
iOS code bug that even YOU could have spotted

Posted: 24 Feb 2014, 09:32
by hamin_aus
www.cs.columbia.edu wrote: As you've probably heard by now, there's a serious bug in the TLS implementations in iOS (the iPhone and iPad operating system) and MacOS. I'll skip the details (but see Adam Langley's excellent blog post if you're interested); the effect is that under certain conditions, an attacker can sit in the middle of an encrypted connection and read all of the traffic.

Here's the code in question:

	if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
		goto fail;
	if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
		goto fail;
		goto fail;
	if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
		goto fail;

Note the doubled

		goto fail;
		goto fail;

That's incorrect and is at the root of the problem.
goto fail; INDEED :lol:
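
Added example, not part of the post above or of the quoted article: a small C model of the quoted control flow, showing that the duplicated goto fail returns 0 (success) without reaching any later check, next to a braced version of the same function. The toy hash stubs, the check_signature step and all function names are constructed for illustration; the page itself only shows the hashing lines.

```c
#include <stdio.h>
/* Constructed stand-ins for the SSLHashSHA1 calls quoted above (toy sum "hash"). */
static int hash_update(int *ctx, int data) { *ctx += data; return 0; }
static int hash_final(const int *ctx, int *out) { *out = *ctx; return 0; }

/* Hypothetical check assumed to follow the hashing; nonzero means mismatch. */
static int check_signature(int hash, int sig) { return hash == sig ? 0 : -1; }

/* Same control flow as the quoted snippet, duplicated goto included. */
int verify_buggy(int server_random, int signed_params, int sig)
{
	int err, ctx = 0, hash = 0;
	if ((err = hash_update(&ctx, server_random)) != 0)
		goto fail;
	if ((err = hash_update(&ctx, signed_params)) != 0)
		goto fail;
		goto fail;	/* not guarded by the if: always taken, err is still 0 */
	if ((err = hash_final(&ctx, &hash)) != 0)
		goto fail;
	err = check_signature(hash, sig);	/* never reached */
fail:
	return err;
}

/* Braced form: a stray duplicate inside the braces would be harmless. */
int verify_fixed(int server_random, int signed_params, int sig)
{
	int err, ctx = 0, hash = 0;
	if ((err = hash_update(&ctx, server_random)) != 0) {
		goto fail;
	}
	if ((err = hash_update(&ctx, signed_params)) != 0) {
		goto fail;
	}
	if ((err = hash_final(&ctx, &hash)) != 0) {
		goto fail;
	}
	err = check_signature(hash, sig);
fail:
	return err;
}

int main(void)
{
	/* Constructed inputs: toy hash of (1, 2) is 3, so 999 is a bad signature. */
	printf("buggy, bad signature: %d\n", verify_buggy(1, 2, 999));
	printf("fixed, bad signature: %d\n", verify_fixed(1, 2, 999));
	return 0;
}
```

Compilers that implement -Wmisleading-indentation (part of -Wall in current GCC) flag the stray line in verify_buggy, so building with warnings treated as errors catches this class of mistake.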

Re: iOS code bug that even YOU could have spotted

Posted: 24 Feb 2014, 10:47
by KALSTER
Image

Re: iOS code bug that even YOU could have spotted

Posted: 24 Feb 2014, 13:14
by rustypup
"closed source is far more secure".....

right..

also, the amount of drama around this is amusing... MitM has been around for some time....

reducing the risks would include: step 1 - don't log in to services over public wif... oh, wait... apple users.... never mind. carry on. the magic apple will protect you from yourself...