svn commit: r334054 - in head: sys/kern sys/netipsec tools/tools/crypto usr.bin/netstat
Emeric POUPON
emeric.poupon at stormshield.eu
Thu May 24 12:30:20 UTC 2018
----- Original Message -----
> From: "Conrad Meyer" <cem at freebsd.org>
> To: "Emeric POUPON" <emeric.poupon at stormshield.eu>
> Cc: svn-src-head at freebsd.org, svn-src-all at freebsd.org, "src-committers" <src-committers at freebsd.org>
> Sent: Wednesday, 23 May, 2018 18:47:57
> Subject: Re: svn commit: r334054 - in head: sys/kern sys/netipsec tools/tools/crypto usr.bin/netstat
> On Wed, May 23, 2018 at 12:23 AM, Emeric POUPON
> <emeric.poupon at stormshield.eu> wrote:
>>> From: "Conrad Meyer" <cem at freebsd.org>
>>
>>> Can users control arbitrary key_allocsp() calls? If so, it seems
>>> concerning to expose hit/miss stats on cached security keys.
>>
>> I am not sure to understand, could you please tell more about what you mean?
>
> If users can insert arbitrary keys into the cache, they can check the
> hit/miss statistics to tell if that key was already present --
> revealing key contents. This would be a major problem.
>
> https://security.stackexchange.com/questions/10617/what-is-a-cryptographic-oracle
Actually we just store traffic profiles and the associated security policy (SP).
A SP is basically just a bunch of traffic selectors, there is no key or other sensitive information involved.
>
> Best,
> Conrad
More information about the svn-src-head
mailing list