goto fail

Looking for some Saturday evening programmer entertainment? How about a serious security flaw in very widely deployed software caused by a goto statement? What could possibly go wrong?

[Comic: xkcd 292, from xkcd.com/292/]

Here’s Apple’s equivalent of the raptor mauling you. That’s the official version, which doesn’t provide any details (“Apple does not disclose any details”). It just says:

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

But you can find the details in this blog post by Adam Langley, who works at Google on Chrome (I think; the blog post implies that, the site doesn’t say). From that post:

static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                 uint8_t *signature, UInt16 signatureLen)
{
	OSStatus        err;
	...

	if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
		goto fail;
	if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
		goto fail;
		goto fail;
	if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
		goto fail;
	...

fail:
	SSLFreeBuffer(&signedHashes);
	SSLFreeBuffer(&hashCtx);
	return err;
}

Note the two goto fail lines in a row. The first one is correctly bound to the if statement but the second, despite the indentation, isn’t conditional at all. The code will always jump to the end from that second goto, err will contain a successful value because the SHA1 update operation was successful and so the signature verification will never fail.

Someone found that entertaining enough to put it on a t-shirt. A few more pre-orders and it’ll get printed.

-Jörn