UPDATE: I guess Apple has released a statement explaining that they’re not going to explain this issue, including how big of a deal it is. Ok, then I will.

UPDATE 2: Well, looks like Chad beat me to posting the file to Hacker News. Heh.

Tonight my friend Chad Brubaker[1] pointed me at an interesting problem.

Apple has been rolling out an iOS update to fix a critical flaw in their SSL implementation. His challenge to me: figure out the problem with the SSL stack. (I think he’d already figured it out but he went to bed before I could ask him.)

Unfortunately, people have been really tight-lipped about it. One researcher remarked that “It’s as bad as you could imagine, that’s all I can say.” So far no one has stepped forward to explain.

Well, after some snooping, it turns out to be a typo in the function SSLVerifySignedServerKeyExchange in sslKeyExchange.c. Specifically, near the bottom of the function we see the following code:

if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
    goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
    goto fail;
    goto fail;
if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
    goto fail;

err = sslRawVerify(ctx,
                   ctx->peerPubKey,
                   dataToSign,              /* plaintext */
                   dataToSignLen,           /* plaintext length */
                   signature,
                   signatureLen);

Notice anything weird? That second if has two goto fail statements underneath it. So:

• The function SSLVerifySignedServerKeyExchange is supposed to verify the key exchange.
• But, the second goto fail causes us to always jump to the fail label, no matter what. Even if the SHA1 update worked.
• In particular, this means that we always bypass the call to sslRawVerify, which would normally occur just beneath the if statements.
• And therefore, the error code err doesn’t get set in the event that the verification fails.
• As you can imagine, this is a pretty bad flaw. This makes it very easy to execute man-in-the-middle attacks on iOS users.

This has got to be the bug of the year. Needless to say, I recommend you upgrade your Apple products as soon as the patch is available.

[1] Chad works at a large, famous, and prestigious CS company. Fun fact about Chad: due to his background as a security researcher, he has developed pretty intense trust issues, and hence works on the only team in the industry that consists entirely of ponies. He is also one of the smartest people I’ve ever met.