Hi Gilles,
We observed this issue with clang for Thumb1, x86 and x86_64, for most optimisation levels. We also observed it with IAR. We were not able to reproduce this with gcc, but since generated code could change with compiler version, optimisation settings, etc., we cannot guarantee that any particular combination is unaffected.
Sorry for the slow response.
Dave
From: Gilles Piret via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Date: Thursday, 26 October 2023 at 17:29
To: mbed-tls@lists.trustedfirmware.org <mbed-tls@lists.trustedfirmware.org>
Subject: [mbed-tls] Re: [Mbed-tls-announce] New Mbed TLS releases : 3.5.0 and 2.28.5
Hi,
Regarding the vulnerability below that is corrected in these releases:
"Improve padding calculations in CBC decryption, NIST key unwrapping and RSA OAEP decryption. With the previous implementation, some compilers (notably recent versions of Clang and IAR) could produce non-constant time code, which could allow a padding oracle attack if the attacker has access to precise timing measurements."
Do we have any idea if gcc compilers are impacted (and if it is the case, which versions)?
Thanks!
___________
Gilles Piret
Cryptography Engineer
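The kind of padding check the quoted release note refers to, as an added example that is not Mbed TLS's own code: a variable-time PKCS#7 unpadding routine beside a branch-free one that accumulates the verdict in a mask and reads every byte of the block whatever the padding value. Function names, the 16-byte block size and the sample blocks are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Variable-time PKCS#7 check: it returns on the first bad byte, so the number
 * of iterations (and the time taken) depends on the decrypted padding value. */
int pkcs7_unpad_variable_time(const uint8_t *blk, size_t blen, size_t *data_len)
{
    size_t pad = blk[blen - 1];
    if (pad == 0 || pad > blen)
        return 0;
    for (size_t i = blen - pad; i < blen; i++)
        if (blk[i] != pad)          /* secret-dependent early exit */
            return 0;
    *data_len = blen - pad;
    return 1;
}

/* All-ones mask when x == 0, all-zeros otherwise, without branching. */
static uint32_t ct_is_zero(uint32_t x) { return ~(0u - ((x | (0u - x)) >> 31)); }
/* All-ones mask when a < b; assumes a and b are below 2^31. */
static uint32_t ct_lt(uint32_t a, uint32_t b) { return 0u - ((a - b) >> 31); }

/* Branch-free check: every byte is inspected and the verdict is kept in a mask,
 * so the work done does not depend on the padding value or its contents. */
int pkcs7_unpad_constant_time(const uint8_t *blk, size_t blen, size_t *data_len)
{
    uint32_t n = (uint32_t)blen, pad = blk[blen - 1];
    uint32_t bad = ct_is_zero(pad) | ct_lt(n, pad);        /* pad == 0 or pad > n */
    for (uint32_t i = 0; i < n; i++) {
        uint32_t in_pad = ~ct_lt(pad, n - i);               /* byte i is padding iff n-i <= pad */
        bad |= in_pad & ~ct_is_zero((uint32_t)blk[i] ^ pad);
    }
    *data_len = (size_t)((n - pad) & ~bad);                 /* 0 when padding is invalid */
    return (int)(1u & ~bad);
}

/* Constructed sample blocks (16-byte block size) for the two checks above. */
static const uint8_t kGood[16] = {1,2,3,4,5,6,7,8,9,10,11,12,4,4,4,4};
static const uint8_t kBad[16]  = {1,2,3,4,5,6,7,8,9,10,11,12,4,4,3,4};
static const uint8_t kFull[16] = {16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16};
static const uint8_t kOver[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,17};
static const uint8_t kZero[16] = {0};

/* Helpers returning the number of data bytes in the block, or -1 when the padding is invalid. */
int vt_unpad(const uint8_t *blk) { size_t n; return pkcs7_unpad_variable_time(blk, 16, &n) ? (int)n : -1; }
int ct_unpad(const uint8_t *blk) { size_t n; return pkcs7_unpad_constant_time(blk, 16, &n) ? (int)n : -1; }
```

As Dave's reply notes, a compiler may turn mask arithmetic like this back into branches, so the branch-free version only counts as constant time once the generated assembly has been checked for the compiler and optimisation level actually in use.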