
/tech/ - Technology



 No.1043976>>1044797

BREAKING NEWS: Vulnerability in golang.org/x/crypto/salsa20

>Hello gophers,

>Commit b7391e95 (https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d) fixes a vulnerability in the amd64 implementation of the golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa packages that affects large message sizes or high counter values.

>If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

>The issue might affect uses of golang.org/x/crypto/nacl with extremely large messages.

>Architectures other than amd64 and uses that generate less than 256 GiB of keystream for a single salsa20.XORKeyStream invocation are unaffected.

>The vulnerable code is derived from the amd64-xmm5 and amd64-xmm6 implementations that are distributed with SUPERCOP, NaCl and at https://cr.yp.to/snuffle.html. The issue is present in those upstreams, but is not considered a problem by their author because of the policy at https://nacl.cr.yp.to/valid.html, and because support for counters larger than 32 bits is an incomplete experiment. We attach a patch that applies to the amd64-xmm5 and amd64-xmm6 salsa20.s files for any downstream that might want to fix this issue.

>This issue was discovered and reported by Michael McLoughlin.

>Cheers, Filippo for the Go team

https://groups.google.com/forum/#!msg/golang-announce/tjyNcJxb2vQ/n0NRBziSCAAJ

Daniel J. Bernstein responds

>"Let's take code from the SUPERCOP benchmarking framework. Does this file supercop/crypto_stream/salsa20/e/amd64-xmm6/warning-256gb mean anything? Probably not." [Time passes] "BREAKING NEWS: We found that this implementation doesn't work after 256GB!"

https://twitter.com/hashbreaker/status/1108637226089496577

tl;dr Gophers copy Salsa20 code from SUPERCOP, ignore warning that shit breaks after 256GiB

 No.1043980>>1043981 >>1043992 >>1044029

Imagine having to recompile your software because you found a vulnerability in a dependency

This post made by dynamic linking gang


 No.1043981>>1043992

>>1043980

Imagine having shit performance because you split up your program into multiple parts that get linked together at runtime. LISP machines don't have this problem thanks to the power of JIT

This post made by static linking gang


 No.1043992>>1044005


>>1043980

>>1043981

Imagine using normalfag memes on /tech/


 No.1044005


>>1043992

IMAGINE MY SHOCK!


 No.1044029>>1044793

>>1043980

Imagine all your software breaking because of a regression in a dependency.

Your next line will be "no that doesn't count because regressions don't exist in my head"


 No.1044683>>1044755

>gophers can't into cryptography

LOL


 No.1044755>>1044764

>>1044683

haha, stupid

gobergamers

gamergobers

gogaters


 No.1044764

>>1044755

LMAOOOO XDDDDDDDD

based TBQH


 No.1044793

>>1044029

I don't agree about that kind of outcome being likely in actual practice. "no that doesn't count because regressions don't exist in my head"


 No.1044797

>>1043976 (OP)

sounds like something that would never happen in normal use


 No.1052204

>(((Bernstein)))

Go is just so cucked.



