Hi Gilles,

We observed this issue with clang for Thumb1, x86 and x86_64, for most optimisation levels. We also observed it with IAR. We were not able to reproduce this with gcc, but since generated code could change with compiler version, optimisation settings, etc., we cannot guarantee that any particular combination is unaffected.

Sorry for the slow response.

Dave

From: Gilles Piret via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Date: Thursday, 26 October 2023 at 17:29
To: mbed-tls@lists.trustedfirmware.org <mbed-tls@lists.trustedfirmware.org>
Subject: [mbed-tls] Re: [Mbed-tls-announce] New Mbed TLS releases : 3.5.0 and 2.28.5


Hi,

Regarding the vulnerability below that is corrected in these releases:

"Improve padding calculations in CBC decryption, NIST key unwrapping and
RSA OAEP decryption. With the previous implementation, some compilers
(notably recent versions of Clang and IAR) could produce non-constant
time code, which could allow a padding oracle attack if the attacker
has access to precise timing measurements."

Do we have any idea if gcc compilers are impacted (and if it is the
case, which versions)?

Thanks!

___________

Gilles Piret

Cryptography Engineer
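The branch-free pattern the advisory's fix aims for, as an added example that is neither Mbed TLS code nor either correspondent's: a PKCS#7 (CBC) padding check built from arithmetic masks, next to the early-exit version whose running time reveals where the first bad byte sits. As the thread says, the source pattern alone is not a guarantee, since an optimising compiler may turn the masks back into branches, so the emitted assembly still has to be checked per compiler and optimisation level.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example (not Mbed TLS's own code) of a branch-free PKCS#7
 * padding check of the kind the advisory refers to.  Every mask below is
 * either all-zero or all-one bits, derived with arithmetic rather than
 * comparisons, so no secret value selects a branch target. */

/* 0xFFFFFFFF if x == 0, else 0: the 64-bit subtraction only borrows for x == 0. */
static uint32_t ct_mask_is_zero(uint32_t x)
{
    return (uint32_t)(((uint64_t)x - 1u) >> 32);
}

/* 0xFFFFFFFF if a < b (unsigned), else 0: a - b only wraps when a < b. */
static uint32_t ct_mask_lt(uint32_t a, uint32_t b)
{
    return (uint32_t)(((uint64_t)a - (uint64_t)b) >> 32);
}

/* Early-exit check: its running time reveals where the first bad byte is,
 * which is exactly the signal a padding-oracle attacker measures. */
static int naive_pkcs7_unpad(const uint8_t *buf, size_t len, size_t block_size, size_t *plain_len)
{
    size_t pad_len = buf[len - 1];
    if (pad_len == 0 || pad_len > block_size) return -1;
    for (size_t i = 0; i < pad_len; i++)
        if (buf[len - 1 - i] != pad_len) return -1;
    *plain_len = len - pad_len;
    return 0;
}

/* Constant-time check.  Requires len >= block_size and block_size <= 255.
 * Reads all block_size trailing bytes and does the same work whatever the
 * padding byte says; returns 0 and sets *plain_len on success, -1 otherwise
 * (with *plain_len forced to 0 so the caller never consumes garbage). */
static int ct_pkcs7_unpad(const uint8_t *buf, size_t len, size_t block_size, size_t *plain_len)
{
    uint32_t pad_len = buf[len - 1];
    uint32_t bad = ct_mask_is_zero(pad_len) | ct_mask_lt((uint32_t)block_size, pad_len);
    for (size_t i = 0; i < block_size; i++) {
        uint32_t in_pad = ct_mask_lt((uint32_t)i, pad_len);     /* is this byte padding?  */
        uint32_t diff   = (uint32_t)buf[len - 1 - i] ^ pad_len; /* 0 iff byte == pad_len  */
        bad |= in_pad & ~ct_mask_is_zero(diff);                  /* accumulate, never exit */
    }
    size_t bad_mask = (size_t)0 - (size_t)(bad & 1u);            /* all ones iff bad        */
    *plain_len = (len - (size_t)pad_len) & ~bad_mask;
    return -(int)(bad & 1u);
}
```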
