[tor-bugs] #22197 [Obfuscation]: Audit all of our Go code that uses `crypto/aes`.



#22197: Audit all of our Go code that uses `crypto/aes`.
-----------------------------+-----------------
     Reporter:  yawning      |      Owner:
         Type:  defect       |     Status:  new
     Priority:  Medium       |  Milestone:
    Component:  Obfuscation  |    Version:
     Severity:  Normal       |   Keywords:
Actual Points:               |  Parent ID:
       Points:               |   Reviewer:
      Sponsor:               |
-----------------------------+-----------------
 The implementation is not constant time (and neither is the GHASH provided
 by `crypto/cipher`) without AES-NI/PCLMULQDQ or equivalent.  I do not
 believe that we use either in a situation where it matters, but we should
 double check to confirm this.  This affects any uses of the raw primitive,
 when wrapped in the various block cipher modes, and when used via TLS.

 Known uses:

  * obfs2
  * obfs3
  * scramblesuit
  * meek without a helper

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22197>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
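
An added example (not code from the ticket or from any Tor Project repository): a first pass at the audit requested above, listing where a Go source file references `crypto/aes`, `crypto/cipher` or `crypto/tls`. The names `auditSource` and `watched` and the sample input are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"path"
	"strconv"
)

// Packages the ticket names: raw AES, the block modes (GCM/GHASH included), TLS.
var watched = map[string]bool{"crypto/aes": true, "crypto/cipher": true, "crypto/tls": true}
// auditSource lists uses of watched packages as "line: importpath.Symbol" (aliases followed).
func auditSource(filename string, src []byte) (uses []string, err error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	local := map[string]string{} // local package name -> import path
	for _, imp := range f.Imports {
		p, _ := strconv.Unquote(imp.Path.Value)
		if name := path.Base(p); watched[p] {
			if imp.Name != nil {
				name = imp.Name.Name
			}
			local[name] = p
		}
	}
	ast.Inspect(f, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok {
			// Obj == nil: the name is not a local declaration shadowing the package.
			if id, ok := sel.X.(*ast.Ident); ok && id.Obj == nil && local[id.Name] != "" {
				line := fset.Position(sel.Pos()).Line
				uses = append(uses, fmt.Sprintf("%d: %s.%s", line, local[id.Name], sel.Sel.Name))
			}
		}
		return true
	})
	return uses, nil
}

// sample is constructed for this example; it is not code from any Tor repository.
const sample = `package demo
import ( "crypto/aes"; cc "crypto/cipher" )
func wrap(k, iv []byte) cc.Stream {
	b, _ := aes.NewCipher(k); return cc.NewCTR(b, iv) }`
func main() { fmt.Println(auditSource("sample.go", []byte(sample))) }
```

The listing only locates references; whether the non-constant-time fallback matters at each one is the manual part of the audit.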