Hi,

I would like to report a security bug in libgadu. libgadu is using the
OpenSSL library for creating secure connections.

A program using OpenSSL can perform the SSL handshake by invoking the
SSL_connect function. Some certificate validation errors are signaled
through the return values of SSL_connect, while for other errors
SSL_connect returns OK but sets internal "verify result" flags. The
application must call the SSL_get_verify_result function to check if any
such errors occurred. This check is missing in libgadu, and thus a
man-in-the-middle attack is possible, failing all the SSL protection.
(Please refer to: https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf)

Another way to verify the SSL certificate is using the SSL_CTX_set_verify
API. The SSL_CTX_set_verify() API allows you to set the verification flags
in the SSL_CTX structure and a callback function for customized
verification as its third argument. (Setting NULL to the callback function
means the built-in default verification function is used.) In the second
argument of SSL_CTX_set_verify(), you can set the following macros.
(Please refer to: http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html)

1. SSL_VERIFY_NONE
Server mode: the server will not send a client certificate request to the
client, so the client will not send a certificate.

Client mode: if not using an anonymous cipher (by default disabled), the
server will send a certificate which will be checked. The result of the
certificate verification process can be checked after the TLS/SSL handshake
using the SSL_get_verify_result function. The handshake will be continued
regardless of the verification result.

2. SSL_VERIFY_PEER
3. SSL_VERIFY_FAIL_IF_NO_PEER_CERT
4. SSL_VERIFY_CLIENT_ONCE

However, in libgadu the SSL_CTX_set_verify() API is used, but the second
parameter is SSL_VERIFY_NONE and the third parameter is NULL, which means
we should use the SSL_get_verify_result API to verify the peer certificate.
But the SSL_get_verify_result API is not used anywhere in the libgadu code
base, which makes the product vulnerable to a man-in-the-middle attack.

So the product using libgadu will be vulnerable to a man-in-the-middle
attack.


On Sun, Jun 2, 2013 at 2:54 AM, Rafał Malinowski <
rafal.przemyslaw.malinow...@gmail.com> wrote:

> Hello.
>
> Please use this mailing list to report bugs.
>
> Regards,
> Rafał Malinowski
> _______________________________________________
> libgadu-devel mailing list
> libgadu-devel@lists.ziew.org
> http://lists.ziew.org/mailman/listinfo/libgadu-devel
>



-- 
Regards,
Radhesh Krishnan K.
_______________________________________________
libgadu-devel mailing list
libgadu-devel@lists.ziew.org
http://lists.ziew.org/mailman/listinfo/libgadu-devel
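
The behaviour the report describes can be observed with OpenSSL's own command-line client, whose "Verify return code" line shows the recorded verify result: the script below runs the same handshake once without acting on that result and once with `-verify_return_error`, which aborts on a verification failure. It is an added example, not part of the original message or of libgadu's code; the function names, the throwaway self-signed certificate and local port 44330 are constructed for the test.

```shell
#!/bin/sh
# Added example. Constructed inputs: a throwaway self-signed certificate for
# CN=localhost and local port 44330 (override with PORT=...).
WORK=$(mktemp -d)
PORT=${PORT:-44330}

# Start a local TLS test server whose certificate no trust store knows.
start_server() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1 || return 1
  openssl s_server -accept "$PORT" -www \
    -cert "$WORK/cert.pem" -key "$WORK/key.pem" >/dev/null 2>&1 &
  SERVER_PID=$!
  sleep 1 # give the listener time to bind
}

stop_server() {
  kill "$SERVER_PID" 2>/dev/null || true
  rm -rf "$WORK"
}

# Unchecked client: s_client's default completes the handshake even when
# verification fails and only reports the result. Prints that result code;
# returns non-zero if the connection itself failed.
handshake_unchecked() {
  out=$(openssl s_client -connect "127.0.0.1:$PORT" </dev/null 2>/dev/null) ||
    return 1
  printf '%s\n' "$out" |
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Checked client: a verification failure aborts the handshake, so the exit
# status is non-zero for the untrusted certificate.
handshake_checked() {
  openssl s_client -connect "127.0.0.1:$PORT" -verify_return_error \
    </dev/null >/dev/null 2>&1
}

# Run the demo only on request: DEMO=1 sh verify_demo.sh
if [ "${DEMO:-}" = 1 ]; then
  start_server || exit 1
  echo "unchecked: connected, verify return code $(handshake_unchecked)"
  handshake_checked || echo "checked: handshake refused"
  stop_server
fi
```

A connected session that reports a non-zero verify return code is the state a client is in when it never inspects the verify result.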
