Hi, I would like to report a security bug in libgadu. libgadu is using the OpenSSL library for creating secure connections.

A program using OpenSSL can perform the SSL handshake by invoking the SSL_connect function. Some certificate validation errors are signaled through the return values of SSL_connect, while for other errors SSL_connect returns OK but sets internal "verify result" flags. The application must call the SSL_get_verify_result function to check if any such errors occurred. This check is missing in libgadu, and thus a man-in-the-middle attack is possible, defeating all the SSL protection. (Please refer: https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf)

Another way to verify the SSL certificate is using the API SSL_CTX_set_verify. The SSL_CTX_set_verify() API allows you to set the verification flags in the SSL_CTX structure and a callback function for customized verification as its third argument. (Setting NULL to the callback function means the built-in default verification function is used.) In the second argument of SSL_CTX_set_verify(), you can set the following macros (Please refer: http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html):

1. SSL_VERIFY_NONE
   Server mode: the server will not send a client certificate request to the client, so the client will not send a certificate.
   Client mode: if not using an anonymous cipher (by default disabled), the server will send a certificate which will be checked. The result of the certificate verification process can be checked after the TLS/SSL handshake using the SSL_get_verify_result function. The handshake will be continued regardless of the verification result.
2. SSL_VERIFY_PEER
3. SSL_VERIFY_FAIL_IF_NO_PEER_CERT
4. SSL_VERIFY_CLIENT_ONCE

However, in libgadu the SSL_CTX_set_verify() API is used, but the second parameter is SSL_VERIFY_NONE and the third parameter is NULL, which means we should use the SSL_get_verify_result API to verify the peer certificate. But the SSL_get_verify_result API is not used anywhere in the libgadu code base, which makes the product vulnerable to a man-in-the-middle attack.
So the product using libgadu will be vulnerable to a man-in-the-middle attack.

On Sun, Jun 2, 2013 at 2:54 AM, Rafał Malinowski <rafal.przemyslaw.malinow...@gmail.com> wrote:

> Hello.
>
> Please use this mailing list to report bugs.
>
> Regards,
> Rafał Malinowski
> _______________________________________________
> libgadu-devel mailing list
> libgadu-devel@lists.ziew.org
> http://lists.ziew.org/mailman/listinfo/libgadu-devel

--
Regards,
Radhesh Krishnan K.