

Goto fail - eik3_de
http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c?search-for=goto_fail

======
harry8
If you missed it the 35th and 36th occurance of goto fail that really does go
directly to fail.

    
    
        if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
            goto fail;
            goto fail;
    
    

Compulsory bracing of blocks following if/while etc is a piece of syntax Perl
got 100% right. Python also got it right in a different way with whitespace.

C and C++ really don't have an excuse for not MANDATING compiler warnings at a
minimum. The use of lack of bracing is "I'm too lazy and much too cool to type
2 characters." This is major fuckup number 4,294,967,294 So that muppets who
keep claiming "We need backwards compatibility with brittle and broken code."
Should probably spend about a decade in the room full of mirrors HAVING A GOOD
LONG, HARD LOOK AT THEMSELVES. (Caps used advisedly, in this case, we need to
do a bit of yelling at these standards committee weenies refusing to, you
know, fix the damn bugs in the standard).

Edit to point out this how how the NSA MITM'd you when you were using OSX, in
case you missed what the file is too.

~~~
codeka
> If you missed it the 35th and 36th occurance of goto fail that really does
> go directly to fail

Whoa, that was entirely unclear from the submission that this was the point.
But then, I guess I still don't see what is the point. Why post this here and
not file a bug or something?

~~~
harry8
Not obvious is it. It's only ssl so it's not like it's important. The non-
obviousness of it and the spectacularness of the goto fail is, well, in my
view, the whole point. C should not still suck this bad. One line un-braced
blocks are a standard bug. Why no fixy? Why? What do we have to do?

------
gilgoomesh
What's the point of this post? If you're unfamiliar with "goto fail" in C
code... it's a very common error handling pattern.

I'm working on some ffmpeg code at the moment. ffmpeg 2.0 contains 554
occurrences of "goto fail".

Edit: okay, it appears that the point of OP's post is that someone appears to
have copy/pasted an extra "goto fail" at line 631, short circuiting the
remainder of the SSLVerifySignedServerKeyExchange function and needlessly
jumping to fail. I assume this was the code that Apple needed to patch in iOS
7.0.6 today?

~~~
nhtenc
Apparently that was it.

[http://www.reuters.com/article/2014/02/22/us-apple-flaw-
idUS...](http://www.reuters.com/article/2014/02/22/us-apple-flaw-
idUSBREA1L01Y20140222)

[http://www.zdnet.com/major-apple-security-flaw-patch-
issued-...](http://www.zdnet.com/major-apple-security-flaw-patch-issued-users-
open-to-mitm-attacks-7000026624/)

------
mackwic
You know, sometimes there is legitimate usage of the goto.

This file is one of them: multiple branches that can end to the same leaf.

Another would be break in interlocked loops, or clean failing when the
software detect an hard failure and no memory can be used anymore.

For this last case, you can also prepare some error handling frames at the
init, and longjump (like a goto, but with already allocated stack memory) when
it's time to fail.

------
exDM69
What is the point of this post?

In the C programming language, "goto fail" is a perfectly acceptable means of
(function local) error handling because of the absence of any kind of
exceptions (setjmp doesn't count). Just look at any significant C program, and
you'll see that this is used a lot. The alternative for "goto fail" is
duplicating the clean up code for each and every error condition that happens
in the function.

Blindly following advice like "goto is bad" and applying it everywhere is a
bad idea. You should try to understand the reasoning behind it.

You should not use goto for control flow if possible, but it's not bad
practice to use "goto fail" for cleaning up on error conditions.

------
JosephHatfield
Two consecutive goto fail statements, but no unreachable code warning in the
builds?

~~~
deletes
I'm convinced the warnings are there, but were ignored.

EDIT: The compiler I use( based on lcc ), gives an _Unreachable code_ warning.

~~~
kalleboo
I wonder if the goto confuses the compiler

>
> [https://www.imperialviolet.org/2014/02/22/applebug.html](https://www.imperialviolet.org/2014/02/22/applebug.html)

> If I compile with -Wall (enable all warnings), neither GCC 4.8.2 or Clang
> 3.3 from Xcode make a peep about the dead code.

------
0xfaded
Reminds me of the inverse of the goto error
pattern.[http://computationallyendowed.com/blog/2012/12/03/ifs-and-
an...](http://computationallyendowed.com/blog/2012/12/03/ifs-and-ands-and-
plan-9s-source-code.html)

------
eik3_de
patio11 says[1] 'I hereby propose "goto fail;" as a meme for unfortunate
security mistakes. (Not singling out Apple -- we all make them.)'

[1]
[https://twitter.com/patio11/status/437182770754752513](https://twitter.com/patio11/status/437182770754752513)

------
codeka
I feel like there should be something obvious here that I'm missing...

~~~
jalada
Search the file for 'goto fail'

~~~
codeka
Yes, then?

~~~
freerobby
Upvote!

------
IBM
What does the title mean?

------
M_Nek
how come all the includes are commented out in this file?

------
oliver_g
That's a nice bug pattern for Underhanded C...

------
illuminated
Goto lives!

~~~
nissehulth
Long live the goto. and the Fail.

