
This is from OS X 9

    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;

Heh, maybe there is a reason for braces in even the simplest if statements.

Chuck

On Mar 3, 2014 3:16 AM, "Charles R Harris" <charlesr.harris@gmail.com> wrote:
> This is from OS X 9
>
>     if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
>         goto fail;
>     if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
>         goto fail;
>         goto fail;
>     if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
>         goto fail;
>
> Heh, maybe there is a reason for braces in even the simplest if
> statements.
>
> Chuck

Not to mention static code analyzers.

Todd <toddrjen@gmail.com> wrote in message:
> _______________________________________________
> NumPy-Discussion mailing list
> NumPy-Discussion@scipy.org
> http://mail.scipy.org/mailman/listinfo/numpy-discussion

Use modern programming languages with well designed exception handling.

-- 
----Android NewsGroup Reader----
http://www.piaohong.tk/newsgroup

And, you know... unit tests to actually know if the code would reject a spoofed certificate?

And significant indentation! Really, no one beat me to that? ;-)

There was a nice blog post about this from a Google Chrome developer -- less critical than I'd think, who pointed out that it's really hard to write unit tests for this sort of thing, due to the need for a LOT of scaffolding -- but why integration tests didn't find it is beyond me....

Also -- code review anyone?

(Not that my code is well reviewed or thoroughly tested -- but I'm not writing security code used by millions of people...)

The other oddity is that Apple is saying that they don't know when or how this got into the code -- do they REALLY not have a decent version control system???? Or maybe they are being nice to whoever did make this mistake...

-Chris

On Mon, Mar 3, 2014 at 6:51 AM, Benjamin Root <ben.root@ou.edu> wrote:
> And, you know... unit tests to actually know if the code would reject a spoofed certificate?

-- 
Christopher Barker, Ph.D.
Oceanographer

Emergency Response Division
NOAA/NOS/OR&R            (206) 526-6959   voice
7600 Sand Point Way NE   (206) 526-6329   fax
Seattle, WA  98115       (206) 526-6317   main reception

Chris.Barker@noaa.gov

On Mar 3, 2014, at 11:59 AM, Chris Barker <chris.barker@noaa.gov> wrote:
> And significant indentation! Really, no one beat me to that? ;-)
>
> There was a nice blog post about this from a Google Chrome developer -- less critical than I'd think, who pointed out that it's really hard to write unit tests for this sort of thing, due to the need for a LOT of scaffolding -- but why integration tests didn't find it is beyond me....
>
> Also -- code review anyone?
>
> (Not that my code is well reviewed or thoroughly tested -- but I'm not writing security code used by millions of people...)
>
> The other oddity is that Apple is saying that they don't know when or how this got into the code -- do they REALLY not have a decent version control system???? Or maybe they are being nice to whoever did make this mistake...
>
> -Chris

Apple has been known to contract out and/or buy some of its software from third parties. I wouldn't be a bit surprised to discover that this was part of such a package. It represents such a common and fundamental library that it might well be the sort of thing they found it cheaper to buy. Of course, that begs a follow-on question or two - who else might be using it, and was the cost savings worth the loss of reputation?

Bill

On 03/03/14 03:15, Charles R Harris wrote:
> This is from OS X 9
>
>     if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
>         goto fail;
>     if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
>         goto fail;
>         goto fail;
>     if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
>         goto fail;
>
> Heh, maybe there is a reason for braces in even the simplest if statements.

It is quite evident in an editor with syntax highlighting. This is almost too good to be a coincidental coding error. If there ever were a deliberate backdoor attempt in an OS, it would be something like this. At least Apple shows us their Darwin code. Nobody gets to scrutinize Microsoft's Windows code in public.

I am also amazed that the bugfix was a 500 MB download.

Sturla
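A runnable version of the control-flow bug the thread is discussing, added here as an illustration; it is not code from the thread or from Apple. It keeps the shape of the snippet Chuck posted (a chain of unbraced single-statement ifs, one duplicated unconditional goto fail, and a fail: label that returns err) but replaces the real SHA-1 and signature check with a toy FNV-1a digest and a "signature" that is simply the expected digest, so it builds with any C compiler and runs offline. The names verify_vulnerable, verify_fixed, hash_update, hash_final, verify_sig and the sample handshake fields are all constructed for this example. The check() function at the bottom is the negative test Ben asked about: hand each verifier a forged signature and see which one rejects it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-ins for the hash and signature calls (constructed for this
 * example; the real code used SHA-1 plus a public-key signature check).
 * The "signature" is valid when it equals the digest of the signed data. */
typedef struct { uint32_t h; } HashCtx;
#define HASH_INIT { 2166136261u }       /* FNV-1a offset basis */

static int hash_update(HashCtx *c, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) { c->h ^= p[i]; c->h *= 16777619u; }
    return 0;
}
static int hash_final(HashCtx *c, uint32_t *out) { *out = c->h; return 0; }
static int verify_sig(uint32_t digest, uint32_t sig) { return digest == sig ? 0 : -1; }

/* Vulnerable shape: unbraced single-statement ifs plus one duplicated,
 * unconditional goto fail. Control always reaches fail: with err == 0,
 * so the function reports success without ever running hash_final or
 * verify_sig. */
static int verify_vulnerable(const uint8_t *server_random, size_t sr_len,
                             const uint8_t *signed_params, size_t sp_len,
                             uint32_t signature)
{
    HashCtx hashCtx = HASH_INIT;
    uint32_t hashOut = 0;
    int err;
    if ((err = hash_update(&hashCtx, server_random, sr_len)) != 0)
        goto fail;
    if ((err = hash_update(&hashCtx, signed_params, sp_len)) != 0)
        goto fail;
        goto fail;   /* the stray line: indented like a body, but unconditional */
    if ((err = hash_final(&hashCtx, &hashOut)) != 0)
        goto fail;   /* everything from here on is unreachable */
    err = verify_sig(hashOut, signature);
fail:
    return err;
}

/* Fixed shape: every body braced and no stray goto, so err is 0 at fail:
 * only when every step, including the signature check, succeeded. */
static int verify_fixed(const uint8_t *server_random, size_t sr_len,
                        const uint8_t *signed_params, size_t sp_len,
                        uint32_t signature)
{
    HashCtx hashCtx = HASH_INIT;
    uint32_t hashOut = 0;
    int err;
    if ((err = hash_update(&hashCtx, server_random, sr_len)) != 0) {
        goto fail;
    }
    if ((err = hash_update(&hashCtx, signed_params, sp_len)) != 0) {
        goto fail;
    }
    if ((err = hash_final(&hashCtx, &hashOut)) != 0) {
        goto fail;
    }
    err = verify_sig(hashOut, signature);
fail:
    return err;
}

/* Constructed sample handshake fields (not real TLS data). */
static const uint8_t SERVER_RANDOM[] = "constructed-server-random";
static const uint8_t SIGNED_PARAMS[] = "constructed-dh-params";

typedef int (*verify_fn)(const uint8_t *, size_t, const uint8_t *, size_t, uint32_t);

/* What an honest server would send: the digest of the same fields. */
static uint32_t genuine_signature(void)
{
    HashCtx c = HASH_INIT;
    uint32_t d;
    hash_update(&c, SERVER_RANDOM, sizeof SERVER_RANDOM - 1);
    hash_update(&c, SIGNED_PARAMS, sizeof SIGNED_PARAMS - 1);
    hash_final(&c, &d);
    return d;
}

/* The test: run a verifier over the sample fields with a given signature
 * and return its err (0 = handshake accepted, nonzero = rejected). */
static int check(verify_fn verify, uint32_t signature)
{
    return verify(SERVER_RANDOM, sizeof SERVER_RANDOM - 1,
                  SIGNED_PARAMS, sizeof SIGNED_PARAMS - 1, signature);
}

int main(void)
{
    uint32_t good = genuine_signature(), forged = good ^ 1u;
    printf("genuine: vulnerable=%d fixed=%d\n",
           check(verify_vulnerable, good), check(verify_fixed, good));
    printf("forged:  vulnerable=%d fixed=%d\n",
           check(verify_vulnerable, forged), check(verify_fixed, forged));
    return 0;
}
```

Both verifiers accept the genuine signature, which is why a positive-only test suite never notices anything; only the forged-signature case separates them, and verify_vulnerable accepts it. Two caveats worth keeping in mind: braces by themselves are not the fix, since a second goto fail inside the braces is merely dead code while one outside them is fatal, so the brace style only makes the stray line look wrong on the page; and the dead hash_final line is exactly what an unreachable-code warning (clang's -Wunreachable-code, for instance) should report, which is the static-analysis catch Todd mentioned.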
participants (7)
- Benjamin Root
- Charles R Harris
- Chris Barker
- Neal Becker
- Sturla Molden
- Todd
- William Ray Wing