Sunday, 23 February 2014

Understanding Apple's SSL/TLS bug


Yesterday, an entry about a serious Apple bug reached the top of Hacker News. The bug was related to SSL/TLS connections.

Any time you have a bug that affects SSL/TLS you should pay close attention. As a quick refresher, SSL/TLS refers to encryption protocols that are widely and commonly used to encrypt the transmission of sensitive data. Any bug affecting SSL/TLS has the ability to undermine many, if not all, of the secure transmissions made from your devices.

Fortunately the code is open source, and the culprit was quickly spotted. Here is the Apple bug:



static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                 uint8_t *signature, UInt16 signatureLen)
{
 OSStatus        err;
 ...

 if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
  goto fail;
 if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
  goto fail;
  goto fail;
 if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
  goto fail;
 ...

fail:
 SSLFreeBuffer(&signedHashes);
 SSLFreeBuffer(&hashCtx);
 return err;
}

Wow, note the two goto fail lines in a row. The first one is correctly bound to the if statement, but the second, despite the indentation, isn't conditional at all. The code will always jump to the end from that second goto; err will contain a successful value because the SHA1 update operation was successful, and so the signature verification will never fail.
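The control flow described above, reduced to a self-contained C program as an added example (not Apple's code): hash_update, hash_final and check_signature are constructed stand-ins, and verify_hardened shows one way to make the same function fail closed.

```c
#include <stdio.h>

/* Constructed stand-ins (hypothetical, not Apple's API): 0 means success. */
static int hash_update(void) { return 0; }
static int hash_final(void)  { return 0; }
static int check_signature(int sig_is_valid) { return sig_is_valid ? 0 : -1; }

/* Same control flow as the bug: the duplicated goto is unconditional. */
int verify_vulnerable(int sig_is_valid)
{
    int err;
    if ((err = hash_update()) != 0)
        goto fail;
    if ((err = hash_update()) != 0)
        goto fail;
        goto fail;              /* always taken; err is still 0 here */
    if ((err = hash_final()) != 0)
        goto fail;
    err = check_signature(sig_is_valid);   /* never reached */
fail:
    return err;
}

/* Hardened: braces on every branch and a fail-closed default, so an early
   jump to the exit label cannot report success. */
int verify_hardened(int sig_is_valid)
{
    int err = -1;
    if (hash_update() != 0) { goto out; }
    if (hash_update() != 0) { goto out; }
    if (hash_final() != 0)  { goto out; }
    if (check_signature(sig_is_valid) != 0) { goto out; }
    err = 0;                    /* only set after every step succeeded */
out:
    return err;
}

int main(void)
{
    /* Constructed input: 0 = forged signature, 1 = valid signature. */
    printf("vulnerable, forged: %d\n", verify_vulnerable(0));
    printf("hardened,   forged: %d\n", verify_hardened(0));
    printf("hardened,   valid:  %d\n", verify_hardened(1));
    return 0;
}
```

GCC's -Wmisleading-indentation (enabled by -Wall) and Clang's -Wunreachable-code both flag the duplicated line in verify_vulnerable.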

UPDATE 1. More information here 

UPDATE 2. Apple promises fix 'very soon' for Macs with failed encryption

Friday, 21 February 2014

Checking network availability


In order to check the network availability of your device you can use the Apple Reachability class.  You can even hook up to be notified of network status changes through the ReachabilityCallback. 

But if you prefer a quick and dirty solution, use this:
Write the following C code and save it in a file named Goodies.h:


#include <unistd.h>
#include <netdb.h>
#include <stdbool.h>
#include <sys/types.h>
#include <sys/socket.h>

/* Returns true when a DNS lookup for a well-known host succeeds. */
extern bool is_NetworkAvailable(void);

The matching implementation is Goodies.m


#include <stdio.h>
#include "Goodies.h"

bool is_NetworkAvailable(void)
{
    const char *hostname = "google.com";
    struct addrinfo *res = NULL;

    /* Resolve the host name; success implies a working network and DNS. */
    int s = getaddrinfo(hostname, "http", NULL, &res);
    bool network_ok = (s == 0 && res != NULL);

    /* Only free the result list if getaddrinfo() actually returned one. */
    if (res != NULL) {
        freeaddrinfo(res);
    }
    return network_ok;
}

And that's all. Now import Goodies.h and you can use the function is_NetworkAvailable() everywhere.
 



bool _isNetworkAvailable = is_NetworkAvailable();

if (_isNetworkAvailable) {
    // Network related tasks
} else {
    // Tell the user that the lookup failed
    UIAlertView *message = [[UIAlertView alloc] initWithTitle:@"Alert"
                                                      message:@"No internet connectivity."
                                                     delegate:nil
                                            cancelButtonTitle:@"OK"
                                            otherButtonTitles:nil];
    [message show];
}

Saturday, 15 February 2014

Tuesday, 4 February 2014

How to download Facebook Paper if you don't live in the US


Thanks to TUAW reporter John Michael Bond for this trick!
  1. First thing, go to the App Store.
  2. Go to Apple ID (Store- View Account)
  3. Log in with your password as you normally would
  4. Once you've logged in, go to your settings, find "country," then "change country or region" and change your country to "United States."
  5. Click "none" when it asks you for payment information.
  6. Search for Paper, download it, then change your country back to wherever you're from.
Voila! You've got Paper, at least until Facebook updates the app with a region lock.