Extract from https://www.imperialviolet.org/2014/02/22/applebug.html might be of interest to LINK given recent discussions (the posting continues with a cut down code fragment and discussion):
Yesterday, Apple pushed a rather spooky security update <http://support.apple.com/kb/HT6147> for iOS that suggested that something was horribly wrong with SSL/TLS in iOS but gave no details. Since the answer is at the top <https://news.ycombinator.com/item?id=7281378> of the Hacker News thread, I guess the cat's out of the bag already and we're into the misinformation-quashing stage now.

So here's the Apple bug:

    static OSStatus
    SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                     uint8_t *signature, UInt16 signatureLen)
    {
        OSStatus err;
        ...

        if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
            goto fail;
        if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
            goto fail;
            goto fail;
        if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
            goto fail;
        ...

    fail:
        SSLFreeBuffer(&signedHashes);
        SSLFreeBuffer(&hashCtx);
        return err;
    }

(Quoted from Apple's published source code <http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c>.)

Note the two goto fail lines in a row.

...

--
Contact/projects https://sites.google.com/site/pmusumeci/ <https://cardiacchallenge.com.au/PhillipMusumeci>
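The control flow of the quoted fragment, modelled as an added example that is not part of the original post or of Apple's source: it shows that the second `goto fail` is unconditional and is taken while `err` is still 0, so later steps never run and the caller sees success. The `step` helper, the `STEP_*` constants and the final verify step are assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed model: each step records that it ran and returns 0 on success.
 * STEP_VERIFY is an assumed stand-in for the signature check in the elided
 * remainder of the function; it is not taken from the quoted source. */
enum { STEP_UPDATE1 = 1, STEP_UPDATE2 = 2, STEP_FINAL = 4, STEP_VERIFY = 8 };
static int steps_run;

static int step(int id, int result) { steps_run |= id; return result; }

/* Same control flow as the quoted fragment: unbraced ifs, duplicated goto. */
static int verify_buggy(int sig_ok)
{
    int err;
    steps_run = 0;
    if ((err = step(STEP_UPDATE1, 0)) != 0)
        goto fail;
    if ((err = step(STEP_UPDATE2, 0)) != 0)
        goto fail;
        goto fail;  /* not guarded by the if above: taken with err == 0 */
    if ((err = step(STEP_FINAL, 0)) != 0)
        goto fail;
    if ((err = step(STEP_VERIFY, sig_ok ? 0 : -1)) != 0)
        goto fail;
fail:
    return err;     /* 0 reads as "verified" to the caller */
}

/* Braced form with the duplicate removed: every step runs or fails loudly. */
static int verify_braced(int sig_ok)
{
    int err;
    steps_run = 0;
    if ((err = step(STEP_UPDATE1, 0)) != 0) { goto fail; }
    if ((err = step(STEP_UPDATE2, 0)) != 0) { goto fail; }
    if ((err = step(STEP_FINAL, 0)) != 0) { goto fail; }
    if ((err = step(STEP_VERIFY, sig_ok ? 0 : -1)) != 0) { goto fail; }
fail:
    return err;
}

int main(void)
{
    int e = verify_buggy(0);   /* 0 = bad signature in this model */
    printf("buggy,  bad signature: err=%d steps=0x%x\n", e, steps_run);
    e = verify_braced(0);
    printf("braced, bad signature: err=%d steps=0x%x\n", e, steps_run);
    return 0;
}
```

Compiling with GCC's `-Wmisleading-indentation` (part of `-Wall`) flags the second `goto` in `verify_buggy`, which makes this pattern detectable at build time.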
