On Wed, May 23, 2018 at 12:23 AM, Emeric POUPON <emeric.pou...@stormshield.eu> wrote: >> From: "Conrad Meyer" <c...@freebsd.org> > >> Can users control arbitrary key_allocsp() calls? If so, it seems >> concerning to expose hit/miss stats on cached security keys. > > I am not sure to understand, could you please tell more about what you mean?
If users can insert arbitrary keys into the cache, they can check the hit/miss statistics to tell if that key was already present -- revealing key contents. This would be a major problem. https://security.stackexchange.com/questions/10617/what-is-a-cryptographic-oracle Best, Conrad _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
