----- Original Message ----- > From: "Conrad Meyer" <c...@freebsd.org> > To: "Emeric POUPON" <emeric.pou...@stormshield.eu> > Cc: svn-src-head@freebsd.org, svn-src-...@freebsd.org, "src-committers" > <src-committ...@freebsd.org> > Sent: Wednesday, 23 May, 2018 18:47:57 > Subject: Re: svn commit: r334054 - in head: sys/kern sys/netipsec > tools/tools/crypto usr.bin/netstat
> On Wed, May 23, 2018 at 12:23 AM, Emeric POUPON > <emeric.pou...@stormshield.eu> wrote: >>> From: "Conrad Meyer" <c...@freebsd.org> >> >>> Can users control arbitrary key_allocsp() calls? If so, it seems >>> concerning to expose hit/miss stats on cached security keys. >> >> I am not sure to understand, could you please tell more about what you mean? > > If users can insert arbitrary keys into the cache, they can check the > hit/miss statistics to tell if that key was already present -- > revealing key contents. This would be a major problem. > > https://security.stackexchange.com/questions/10617/what-is-a-cryptographic-oracle Actually we just store traffic profiles and the associated security policy (SP). A SP is basically just a bunch of traffic selectors, there is no key or other sensitive information involved. > > Best, > Conrad _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
