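Apple recently released the iOS 7.0.6 firmware update, which fixes a bug in SSL connection verification. Opening the vulnerability test page https://www.imperialviolet.org:1266 on an updated iOS system no longer works: the page reports that a secure connection cannot be established. With that, a serious bug that Apple had reportedly overlooked for 18 months has been fixed. On Mac OS, however, the bug is still unfixed: opening the test page above in Safari produces the prompt shown below, whereas Firefox and Chrome fail to open the page.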
Safari opening the page
Chrome opening the page
Firefox opening the page
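The vulnerability arises because, in http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c, an extra goto statement follows one of the SSLHashSHA1 checks. As a result, SSLVerifySignedServerKeyExchange always jumps to the fail label and executes return err, which triggers the bug: err is 0 at that point, so the function reports success without ever reaching sslRawVerify.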
```c
static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                 uint8_t *signature, UInt16 signatureLen)
{
    OSStatus        err;
    SSLBuffer       hashOut, hashCtx, clientRandom, serverRandom;
    uint8_t         hashes[SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN];
    SSLBuffer       signedHashes;
    uint8_t         *dataToSign;
    size_t          dataToSignLen;

    signedHashes.data = 0;
    hashCtx.data = 0;

    clientRandom.data = ctx->clientRandom;
    clientRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;
    serverRandom.data = ctx->serverRandom;
    serverRandom.length = SSL_CLIENT_SRVR_RAND_SIZE;

    if (isRsa) {
        /* skip this if signing with DSA */
        dataToSign = hashes;
        dataToSignLen = SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN;
        hashOut.data = hashes;
        hashOut.length = SSL_MD5_DIGEST_LEN;

        if ((err = ReadyHash(&SSLHashMD5, &hashCtx)) != 0)
            goto fail;
        if ((err = SSLHashMD5.update(&hashCtx, &clientRandom)) != 0)
            goto fail;
        if ((err = SSLHashMD5.update(&hashCtx, &serverRandom)) != 0)
            goto fail;
        if ((err = SSLHashMD5.update(&hashCtx, &signedParams)) != 0)
            goto fail;
        if ((err = SSLHashMD5.final(&hashCtx, &hashOut)) != 0)
            goto fail;
    }
    else {
        /* DSA, ECDSA - just use the SHA1 hash */
        dataToSign = &hashes[SSL_MD5_DIGEST_LEN];
        dataToSignLen = SSL_SHA1_DIGEST_LEN;
    }

    hashOut.data = hashes + SSL_MD5_DIGEST_LEN;
    hashOut.length = SSL_SHA1_DIGEST_LEN;
    if ((err = SSLFreeBuffer(&hashCtx)) != 0)
        goto fail;

    if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;  // the extra goto fail
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;

    err = sslRawVerify(ctx,
                       ctx->peerPubKey,
                       dataToSign,       /* plaintext */
                       dataToSignLen,    /* plaintext length */
                       signature,
                       signatureLen);
    if (err) {
        sslErrorLog("SSLDecodeSignedServerKeyExchange: sslRawVerify "
                    "returned %d\n", (int)err);
        goto fail;
    }

fail:
    SSLFreeBuffer(&signedHashes);
    SSLFreeBuffer(&hashCtx);
    return err;
}
```
I tried to recompile this code myself, but some header files were missing; Googling turned up nothing, so I gave up.
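The defect can be reproduced without Apple's headers. The following is an added, self-contained reduction of the function's control flow; it is not Apple's code and not part of the original post. `hash_update`, `hash_final`, `raw_verify` and `verify_calls` are constructed stand-ins, and the string comparison is an assumption standing in for `sslRawVerify`.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins, not Apple's API: hash steps that always succeed
 * and a "signature check" that just compares two strings. */
static int verify_calls;                  /* counts calls to raw_verify() */
static int hash_update(const char *data) { (void)data; return 0; }
static int hash_final(void)              { return 0; }

static int raw_verify(const char *sig, const char *expected)
{
    verify_calls++;
    return strcmp(sig, expected) == 0 ? 0 : -1;
}

/* Same shape as the flawed function: the second goto is unconditional. */
static int verify_vulnerable(const char *params, const char *sig,
                             const char *expected)
{
    int err;
    if ((err = hash_update(params)) != 0)
        goto fail;
        goto fail;                        /* duplicated line: always taken */
    if ((err = hash_final()) != 0)
        goto fail;
    err = raw_verify(sig, expected);      /* never reached */
fail:
    return err;                           /* still 0 from hash_update() */
}

/* Corrected form: duplicate removed, braces on every branch. */
static int verify_fixed(const char *params, const char *sig,
                        const char *expected)
{
    int err;
    if ((err = hash_update(params)) != 0) { goto fail; }
    if ((err = hash_final()) != 0)        { goto fail; }
    err = raw_verify(sig, expected);
fail:
    return err;
}

int main(void)
{
    printf("vulnerable: %d\n", verify_vulnerable("params", "forged", "genuine"));
    printf("fixed:      %d\n", verify_fixed("params", "forged", "genuine"));
    return 0;
}
```

GCC 6 and later report the duplicated line under `-Wmisleading-indentation`, which is enabled by `-Wall`.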
-update-
After the OS X 10.9.2 update, this bug is gone.