Date: Thu, 24 May 2018 14:30:02 +0200 (CEST)
From: Emeric POUPON <emeric.poupon@stormshield.eu>
To: cem@freebsd.org
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers <src-committers@freebsd.org>
Subject: Re: svn commit: r334054 - in head: sys/kern sys/netipsec tools/tools/crypto usr.bin/netstat
Message-ID: <1236617318.14311730.1527165002236.JavaMail.zimbra@stormshield.eu>
In-Reply-To: <CAG6CVpWv7sEzMhSoZ-yZ-NbpqbMq1i5me2e=6m2J6n1D_=mFpQ@mail.gmail.com>
References: <201805221554.w4MFsPQA083334@repo.freebsd.org> <CAG6CVpXGbyEs1owe5YMTPntj%2BoiwgY6ArmS8WeV84opkN68bVA@mail.gmail.com> <822609135.13913713.1527060223167.JavaMail.zimbra@stormshield.eu> <CAG6CVpWv7sEzMhSoZ-yZ-NbpqbMq1i5me2e=6m2J6n1D_=mFpQ@mail.gmail.com>

----- Original Message -----
> From: "Conrad Meyer" <cem@freebsd.org>
> To: "Emeric POUPON" <emeric.poupon@stormshield.eu>
> Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, "src-committers" <src-committers@freebsd.org>
> Sent: Wednesday, 23 May, 2018 18:47:57
> Subject: Re: svn commit: r334054 - in head: sys/kern sys/netipsec tools/tools/crypto usr.bin/netstat

> On Wed, May 23, 2018 at 12:23 AM, Emeric POUPON
> <emeric.poupon@stormshield.eu> wrote:
>>> From: "Conrad Meyer" <cem@freebsd.org>
>>
>>> Can users control arbitrary key_allocsp() calls? If so, it seems
>>> concerning to expose hit/miss stats on cached security keys.
>>
>> I am not sure to understand, could you please tell more about what you mean?
>
> If users can insert arbitrary keys into the cache, they can check the
> hit/miss statistics to tell if that key was already present --
> revealing key contents. This would be a major problem.
>
> https://security.stackexchange.com/questions/10617/what-is-a-cryptographic-oracle

Actually we just store traffic profiles and the associated security policy (SP).
A SP is basically just a bunch of traffic selectors, there is no key or other sensitive information involved.

>
> Best,
> Conrad