svn commit: r334054 - in head: sys/kern sys/netipsec tools/tools/crypto usr.bin/netstat
Conrad Meyer
cem at freebsd.org
Wed May 23 17:20:03 UTC 2018
On Wed, May 23, 2018 at 12:23 AM, Emeric POUPON
<emeric.poupon at stormshield.eu> wrote:
>> From: "Conrad Meyer" <cem at freebsd.org>
>
>> Can users control arbitrary key_allocsp() calls? If so, it seems
>> concerning to expose hit/miss stats on cached security keys.
>
> I am not sure to understand, could you please tell more about what you mean?
If users can insert arbitrary keys into the cache, they can check the
hit/miss statistics to tell if that key was already present --
revealing key contents. This would be a major problem.
https://security.stackexchange.com/questions/10617/what-is-a-cryptographic-oracle
Best,
Conrad
More information about the svn-src-head
mailing list