  2. 39

    Bernstein’s response is something. Here’s a story.

    The fastest assembly implementations (amd64-xmm5 and amd64-xmm6) of Salsa20 available from its homepage still have a vulnerability such that they will loop and leak plaintext after 256 GiB of keystream.

    This was reported to the Go project last year because our assembly was derived from it. We fixed it in Go, and published a patch for the upstream.

    He declared it WONTFIX because there is an empty file called “warning-256gb” in a benchmarks tarball hosted elsewhere. He tweeted we should have seen it. The file was added 4 years after the Go port was made.
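As an added illustration of the counter-wrap bug class described in the comment above (not code from the original post, nor from the Salsa20 or Go sources), here is a pure-Go Salsa20/20 block function with two counter-update rules: `advance32`, which assumes the wrap occurs because only the low 32-bit word of the 64-bit block counter is advanced (2^32 blocks of 64 bytes is exactly 256 GiB), and `advance64`, the correct carry into the high word. Function names and the test key are constructed for this example.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/bits"
)

// salsa20Block computes one 64-byte Salsa20/20 keystream block; the 64-bit block counter lives in words 8 (low) and 9 (high).
func salsa20Block(key *[32]byte, nonce *[8]byte, counter uint64) [64]byte {
	var x [16]uint32
	x[0], x[5], x[10], x[15] = 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 // "expand 32-byte k"
	for i := 0; i < 4; i++ {
		x[1+i] = binary.LittleEndian.Uint32(key[4*i:])
		x[11+i] = binary.LittleEndian.Uint32(key[16+4*i:])
	}
	x[6], x[7] = binary.LittleEndian.Uint32(nonce[0:]), binary.LittleEndian.Uint32(nonce[4:])
	x[8], x[9] = uint32(counter), uint32(counter>>32) // low word, high word
	in := x
	qr := func(a, b, c, d int) { // Salsa20 quarterround on words a, b, c, d
		x[b] ^= bits.RotateLeft32(x[a]+x[d], 7)
		x[c] ^= bits.RotateLeft32(x[b]+x[a], 9)
		x[d] ^= bits.RotateLeft32(x[c]+x[b], 13)
		x[a] ^= bits.RotateLeft32(x[d]+x[c], 18)
	}
	for i := 0; i < 10; i++ { // 10 double rounds = Salsa20/20
		qr(0, 4, 8, 12); qr(5, 9, 13, 1); qr(10, 14, 2, 6); qr(15, 3, 7, 11) // column round
		qr(0, 1, 2, 3); qr(5, 6, 7, 4); qr(10, 11, 8, 9); qr(15, 12, 13, 14) // row round
	}
	var out [64]byte
	for i := range x {
		binary.LittleEndian.PutUint32(out[4*i:], x[i]+in[i])
	}
	return out
}

// advance32 updates only the low counter word (assumed bug pattern): the counter wraps after 2^32 blocks = 256 GiB and the keystream repeats.
func advance32(counter, blocks uint64) uint64 {
	return counter&^0xffffffff | uint64(uint32(counter)+uint32(blocks))
}
// advance64 carries into the high word; this is the correct update.
func advance64(counter, blocks uint64) uint64 { return counter + blocks }
// repeatsAfter256GiB reports whether the block 2^32 positions after the start equals the first block under the given update rule.
func repeatsAfter256GiB(advance func(uint64, uint64) uint64) bool {
	key, nonce := [32]byte{}, [8]byte{}
	for i := range key { key[i] = byte(i) } // constructed test key, not a real secret
	first := salsa20Block(&key, &nonce, 0)
	return first == salsa20Block(&key, &nonce, advance(0, 1<<32))
}
func main() { fmt.Println(repeatsAfter256GiB(advance32), repeatsAfter256GiB(advance64)) } // true false
```

A streaming implementation never needs to generate 2^32 blocks to check this: calling the block function directly with the counter each update rule produces is enough to show whether the keystream cycles.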

    1. 15

      Filippo! Thanks for your two recent posts on OpenSSH keys from U2F tokens. It’s been nice to see you up to yet more interesting crypto lately, in addition to all the public go crypto work.

      You probably know as much (it was all discussed here a few months ago), but qmail itself is a similar long-arc story and a lost opportunity. Even today it has one of the better security designs in a mail server, and back then, it inspired a series of really great patterns and tools, such as those that ship with runit. But, DJB was never willing to take on a traditional open source maintainer role, nor to let anyone else do that with the upstream source. So it never was allowed to ship as distro-specific binary packages, it never got updated to do SMTP auth, it required outside patches to work with Linux because of a war on errno.h, etc. (Even so, Artifex.org used it for roughly fifteen years before moving finally to OpenSMTPD… and I never had to scramble to patch a CVE for it, unlike the latter.)

      So I feel conflicted about it all. On the one hand, DJB’s done more for open cryptography than just about anyone, he’s done fairly reliable software development, and he hasn’t gone off into some sort of St. Ignutius weird place like Richard Stallman, either. But on the other, does it really take that much generosity of spirit to admit fault and accept a patch? If Linus can learn to be less of a jerk on email, then maybe a cryptographer can learn to accept bug reports for the helpful things that they are.

      1. 6

        djb’s personality is the worst thing about djb’s software.

      2. 5

        We’ve shipped notqmail 1.08, addressing these vulnerabilities (among other things). Lobste.rs discussion of notqmail 1.08

        1. 4

          I have a lot of respect for djb’s coding ability and his mathematical ability, but he drives me up the wall. I’ve filed a few bugs in his programs and gotten much the same response as the others. He’s always touted that nobody has ever found a bug in his programs, but then when you actually do find a bug, he just says “You’re doing it wrong” and continues to say that no-one has ever found a bug. It’s annoying and, in the end, counterproductive. It’s super-annoying because he’s written some really good, ground-breaking software that no-one ever uses, because dealing with him is such a pain.

          Edit: hblanks says it better in another comment, but my beef still stands…

          1. 5

            He’s always touted that nobody has ever found a bug in his programs

            When Matthew Dempsky found a vulnerability in axfrdns, DJB admitted the hole, issued a patch, and paid Dempsky $1000:

            Even though this bug affects very few users, it is a violation of the expected security policy in a reasonable situation, so it is a security hole in djbdns. Third-party DNS service is discouraged in the djbdns documentation but is nevertheless supported. Dempsky is hereby awarded $1000.

            https://marc.info/?l=djbdns&m=123613000920446&w=2