Discussion:
SSL and TLS broken and now open to even 12-year-old script kiddies
Thad Floryan
2014-03-05 05:29:33 UTC
http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/

Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

"Hi Ho, Hi Ho, it's back to Windows we go". :-)

This GnuTLS bug is worse than the big Apple "goto fail" bug patched last week.

by Dan Goodin - Mar 4, 2014 6:56 pm UTC

Hundreds of open source packages, including the Red Hat, Ubuntu, and
Debian distributions of Linux, are susceptible to attacks that
circumvent the most widely used technology to prevent eavesdropping on
the Internet, thanks to an extremely critical vulnerability in a widely
used cryptographic code library.

{ full article at above URL }

Thad
Keith Keller
2014-03-05 06:23:48 UTC
Post by Thad Floryan
http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
"Hi Ho, Hi Ho, it's back to Windows we go". :-)
This GnuTLS bug is worse than the big Apple "goto fail" bug patched last week.
It does sound very bad. So I'm wondering why RedHat didn't label it as
"critical":

https://rhn.redhat.com/errata/RHSA-2014-0246.html

RH's score for it is only 5.8:

https://access.redhat.com/security/cve/CVE-2014-0092

The scoring criteria they use don't seem to imply that this would be
"critical":

https://access.redhat.com/site/security/updates/classification/

--keith
--
kkeller-***@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
Roy
2014-03-05 06:30:13 UTC
I checked several of my Linux servers and NONE of them have GnuTLS
installed. They all use OpenSSL.
Post by Thad Floryan
http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
"Hi Ho, Hi Ho, it's back to Windows we go". :-)
This GnuTLS bug is worse than the big Apple "goto fail" bug patched last week.
by Dan Goodin - Mar 4, 2014 6:56 pm UTC
Hundreds of open source packages, including the Red Hat, Ubuntu, and
Debian distributions of Linux, are susceptible to attacks that
circumvent the most widely used technology to prevent eavesdropping on
the Internet, thanks to an extremely critical vulnerability in a widely
used cryptographic code library.
{ full article at above URL }
Thad
Keith Keller
2014-03-06 00:51:31 UTC
Post by Roy
I checked several of my Linux servers and NONE of them have GnuTLS
installed. They all use OpenSSL.
Most of my servers have gnutls installed, but so far only a small
handful of apps are linked to it. The only one I've found is cups,
which I never use but some packages have it as a dependency (which is a
little frustrating).

--keith
--
kkeller-***@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
David Kaye
2014-03-05 10:37:06 UTC
Post by Thad Floryan
http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
Yipes, it's another stupid mistake that good programming practice would have
prevented. In Apple's case a few days ago (and apparently stretching back
for YEARS) there's a bunch of if/then checking that sets error codes if the
encryption check fails, EXCEPT that there's an extra "goto fail" with no
conditions on it, and it doesn't set an error code either, so dropping down
to the "fail" block results in no error and thus the user is allowed
passage.

Why didn't the Apple programmer, genius that s/he is supposed to be, set an
error code FIRST before the if/then statements, so that it would ALWAYS
return an error unless the encryption condition was met? This is SO SIMPLE!

So, now this Linux bug is very similar, using "goto cleanup" followed by
"goto fail" in a collection of if/thens. HELLO? First of all, who uses
goto statements anymore? But even so, anybody with even a rudimentary grasp
of the code would clearly see the logic error just from the routine names.

I mean, heck, when I was writing medical software and banking software
before that I realized that 20% of the time was coding and 80% was
debugging. How on earth could people send such garbage out the door?

Sheesh!
Travis James
2014-03-05 16:04:37 UTC
Post by David Kaye
Post by Thad Floryan
http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
...
Why didn't the Apple programmer, genius that s/he is supposed to be, set an
error code FIRST before the if/then statements, so that it would ALWAYS
return an error unless the encryption condition was met? This is SO SIMPLE!
...
So, now this Linux bug is very similar, using "goto cleanup" followed by
"goto fail" in a collection of if/thens. HELLO? First of all, who uses
goto statements anymore? But even so, anybody with even a rudimentary grasp
of the code would clearly see the logic error just from the routine names.
I agree with your assertion that it's a better practice to initialize
your return variable in a failed state. The real problem was the
duplicated "goto fail" line. Our coding standards at my work are to use
braces for all conditionals including one liners. It's just easier to
evaluate and review each others code.

Here's that offending code. The bug is pretty clear:

static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                 uint8_t *signature, UInt16 signatureLen)
{
    OSStatus err;
    ...

    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;
    ...

fail:
    SSLFreeBuffer(&signedHashes);
    SSLFreeBuffer(&hashCtx);
    return err;
}
David Kaye
2014-03-05 20:17:56 UTC
Post by Travis James
I agree with your assertion that it's a better practice to initialize your
return variable in a failed state. The real problem was the duplicated
"goto fail" line.
Yes, but if the error variable had been set at the top of the code the
duplicate "goto fail" line wouldn't have caused a problem.
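Both points raised in the thread, Travis James's braces-on-every-conditional rule and David Kaye's set-the-error-code-first rule, can be seen side by side in the C program below. It is an added example, not code from the thread or from Apple: the OSStatus typedef, the error values and the toy checksum that stands in for SSLHashSHA1 are all constructed for illustration. The first routine copies the shape of the quoted Apple code, the second applies both rules, and the third injects the same duplicated goto into the hardened shape to show that the defect then fails closed instead of open.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for Apple's OSStatus convention: 0 means success.
 * The error values are assumptions for this example, not Apple's constants. */
typedef int OSStatus;
enum { kSuccess = 0, kVerifyFailed = -1, kBadInput = -2 };

/* Toy running checksum standing in for SSLHashSHA1.update: returns 0 on
 * success, non-zero when handed a NULL buffer. */
static OSStatus hash_update(unsigned *ctx, const unsigned char *buf, size_t len)
{
    if (buf == NULL)
        return kBadInput;
    for (size_t i = 0; i < len; i++)
        *ctx = (*ctx * 31u) + buf[i];
    return kSuccess;
}

/* Same shape as the quoted Apple routine: err holds whatever the last call
 * returned, and the duplicated goto skips the digest comparison. Once the
 * hash step succeeds err is 0, so the function reports success no matter
 * what digest the peer supplied. */
static OSStatus verify_vulnerable(const unsigned char *params, size_t len,
                                  unsigned claimed_digest)
{
    OSStatus err;
    unsigned ctx = 0;

    if ((err = hash_update(&ctx, params, len)) != 0)
        goto fail;
    goto fail;                      /* the duplicated line: always taken */
    if (ctx != claimed_digest)      /* never reached */
        err = kVerifyFailed;
fail:
    return err;
}

/* Hardened form: err starts in the failed state and is cleared only on the
 * one path where every check passed; every conditional gets braces so a
 * stray statement cannot silently attach itself to the wrong branch. */
static OSStatus verify_hardened(const unsigned char *params, size_t len,
                                unsigned claimed_digest)
{
    OSStatus err = kVerifyFailed;   /* fail closed by default */
    unsigned ctx = 0;

    if (hash_update(&ctx, params, len) != kSuccess) {
        err = kBadInput;
        goto fail;
    }
    if (ctx != claimed_digest) {
        goto fail;                  /* err is already kVerifyFailed */
    }
    err = kSuccess;                 /* only reached when all checks passed */
fail:
    return err;
}

/* The hardened shape with the same duplicated goto injected: the routine now
 * rejects everything, a bug that the first positive test case catches,
 * instead of silently accepting everything. */
static OSStatus verify_hardened_with_duplicate(const unsigned char *params,
                                               size_t len, unsigned claimed_digest)
{
    OSStatus err = kVerifyFailed;
    unsigned ctx = 0;

    if (hash_update(&ctx, params, len) != kSuccess) {
        err = kBadInput;
        goto fail;
    }
    goto fail;                      /* the duplicated line: always taken */
    if (ctx != claimed_digest) {    /* never reached */
        goto fail;
    }
    err = kSuccess;
fail:
    return err;
}

/* Digest an honest peer would send, computed with the same toy hash. */
static unsigned honest_digest(const unsigned char *params, size_t len)
{
    unsigned ctx = 0;
    hash_update(&ctx, params, len);
    return ctx;
}

int main(void)
{
    /* Constructed sample input standing in for the signed key-exchange params. */
    static const unsigned char params[] = "constructed-server-key-exchange";
    size_t len = sizeof params - 1;
    unsigned good = honest_digest(params, len);
    unsigned forged = good ^ 0xdeadbeefu;

    printf("vulnerable, forged digest:    %d (0 = accepted)\n",
           verify_vulnerable(params, len, forged));
    printf("hardened, forged digest:      %d\n", verify_hardened(params, len, forged));
    printf("hardened, honest digest:      %d\n", verify_hardened(params, len, good));
    printf("hardened+dup, honest digest:  %d (fails closed)\n",
           verify_hardened_with_duplicate(params, len, good));
    return 0;
}
```

Build and run with `cc -o gotofail gotofail.c && ./gotofail`. The vulnerable routine returns 0 for a forged digest, the hardened one returns the failure code, and the hardened routine with the duplicate injected rejects even the honest digest. That last result is the practical difference between the two shapes: with the error code initialised to failure, an extra goto breaks the happy path, which regression testing notices immediately, rather than opening a silent bypass that survives for years.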
Steve Pope
2014-03-05 23:06:16 UTC
Post by Travis James
static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                 uint8_t *signature, UInt16 signatureLen)
{
    OSStatus err;
    ...
    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;
    ...
    SSLFreeBuffer(&signedHashes);
    SSLFreeBuffer(&hashCtx);
    return err;
}
Priceless.


Steve
Roy
2014-03-05 23:37:21 UTC
"goto". There is the problem right there.

http://en.wikipedia.org/wiki/Structured_programming

I spent four years on a product on which "structured programming" and
"picture on a page" were rigidly enforced. "goto" was forbidden. We
turned out 1M lines of code in three years. It's probably been updated
and enhanced over the years but AFAIK it is still out there floating
around with 24 nuclear missiles attached.
Post by Steve Pope
Post by Travis James
static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                 uint8_t *signature, UInt16 signatureLen)
{
    OSStatus err;
    ...
    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;
    ...
    SSLFreeBuffer(&signedHashes);
    SSLFreeBuffer(&hashCtx);
    return err;
}
Priceless.
Steve
Thad Floryan
2014-03-06 00:49:37 UTC
Post by Roy
"goto". There is the problem right there.
http://en.wikipedia.org/wiki/Structured_programming
I spent four years on a product on which "structured programming" and
"picture on a page" were rigidly enforced. "goto" was forbidden. We
turned out 1M lines of code in three years. It's probably been updated
and enhanced over the years but AFAIK it is still out there floating
around with 24 nuclear missiles attached.
Hi Roy,

I believe that. One of my companies founded in Los Altos in 1971 was
National Information Systems, Inc. (NIS).

The Pentagon was one of our larger customers and that's how I got to
use Emacs in 1975 and be exposed to ZORK. The Pentagon was using the
DEC20s as we were and they kept shipping tapes to us. :-) Another
large client was NUWES ([US] Naval Undersea Weapons Electronic Station)
using a DBMS I designed, developed, implemented, and shipped based on
structured programming design.

One of NIS' first contracts was with NASA/JPL to "prove" the tenets of
structured program design and portability. Very long story short -- we
succeeded and used those techniques in all our software which also was
ALWAYS QA'd for both regression and comprehensive testing. Regression
QA was to assure no old bugs or problems ever resurfaced and comprehensive
QA was to assure everything in the manual worked as documented.

One of my projects (over a period of six weeks) was to design/implement
a VTS (Vessel Test System) for light water nuclear reactors (LWR) for a
company named Dunegan/Endevco (ex. LLNL and moved to San Juan Capistrano).
In that six weeks I wrote an assembler on a CDC 3300 to compile assembly
code for an Interdata 8/32 used as the heart of the VTS, designed and coded
the VTS system, and took it down to San Juan Capistrano to install it on the
hardware. There was only one bug and it was Texas Instruments' fault due
to an error in carriage return timing with their thermal printers -- I was
able to patch a new value in and the system (multiple ones around the USA)
ran for decades with not one single bug thanks to structured design.

What I also had to design for the VTS was a super-high-speed floating-point
lib to handle the VTS data in real-time as it was being detected on the LWR
pressure spheres. Of interest is that modified quadraphonic phono cartridges
were held in a geodesic-like support over the pressure spheres and I had to
convert the inputs and draw on the CRT where faults were occurring on the
sphere -- this was shortly after the "discovery" that stressed metal produces
high frequency sound waves hence the need for the quadro phono cartridges
which operated to 55kHz. Bob Carver (brother of Bill Carver of Carver Audio)
was the hardware guy and, of course, I was the software guy.

I have used the structured design techniques ever since even after leaving
NIS after 20 years and my programs are bug-free. One of the most popular
ones in comp.sources.unix was my tprobe program; shortest URL to a shar
(ASCII text shell archive) of it today is here:

http://ae-www.technion.ac.il/pkgs/g-k/in/tprobe/tprobe

You can read about it in Dr. Dobbs Journal here (scroll down about 30%
or search for 'tprobe' on that page):

http://www.drdobbs.com/on-the-networks/184402700?_requestid=139511

If you don't know what a shar file is, it's how we posted source code to
Usenet and it's described here:

http://en.wikipedia.org/wiki/Shar

Thad
b***@MIX.COM
2014-03-06 02:12:08 UTC
Post by Roy
"goto". There is the problem right there.
Here's some fun from the past (1968) (not sure if this
has been mentioned here, sorry if it has..) -

EWD 215: A Case against the GO TO Statement
https://www.cs.utexas.edu/users/EWD/ewd02xx/EWD215.PDF

Billy Y..
--
sub #'9+1 ,r0 ; convert ascii byte
add #9.+1 ,r0 ; to an integer
bcc 20$ ; not a number