From c3cb97896b7869f6587ed6537f7deaea8a124c88 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 21 Sep 2023 10:25:01 +0100 Subject: [PATCH 1/2] Changelog for padding CT fixes Signed-off-by: Dave Rodgman --- ChangeLog.d/padding-ct-changelog.txt | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 ChangeLog.d/padding-ct-changelog.txt diff --git a/ChangeLog.d/padding-ct-changelog.txt b/ChangeLog.d/padding-ct-changelog.txt new file mode 100644 index 0000000000..f89f479a7a --- /dev/null +++ b/ChangeLog.d/padding-ct-changelog.txt @@ -0,0 +1,6 @@ +Security + * Fix non-constant-time behaviour in padding calculations in CBC + decryption, NIST SP 800-38F key wrapping, and RSAAES-OAEP decryption. + For CBC and RSAAES-OAEP, this may have been exploitable in a + padding oracle for a privileged local attacker with the ability to + observe memory access timings. From d162c662b0451598937c5bb0de0d364bb52b65b0 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 22 Sep 2023 16:33:12 +0100 Subject: [PATCH 2/2] Update changelog text Signed-off-by: Dave Rodgman --- ChangeLog.d/padding-ct-changelog.txt | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ChangeLog.d/padding-ct-changelog.txt b/ChangeLog.d/padding-ct-changelog.txt index f89f479a7a..e3d3424a98 100644 --- a/ChangeLog.d/padding-ct-changelog.txt +++ b/ChangeLog.d/padding-ct-changelog.txt 
@@ -1,6 +1,6 @@ Security - * Fix non-constant-time behaviour in padding calculations in CBC - decryption, NIST SP 800-38F key wrapping, and RSAAES-OAEP decryption. - For CBC and RSAAES-OAEP, this may have been exploitable in a - padding oracle for a privileged local attacker with the ability to - observe memory access timings. + * Improve padding calculations in CBC decryption, NIST key unwrapping and + RSA OAEP decryption. With the previous implementation, some compilers + (notably recent versions of Clang) could produce non-constant time code, + which could allow a padding oracle attack if the attacker has access to + precise timing measurements.
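Review bot: in the first version of ChangeLog.d/padding-ct-changelog.txt (patch 1/2), "RSAAES-OAEP" on the second and third lines of the entry is a misspelling; the PKCS#1 scheme is RSAES-OAEP, and "RSA OAEP decryption" or "RSAES-OAEP decryption" would match the rest of the changelog. The entry also carries no issue or advisory reference, which Mbed TLS changelog entries normally end with (a "Fixes #..." line); if a tracking issue exists, add it so readers can locate the affected cipher, nist_kw and rsa code paths from the release notes.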
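Review bot: the rewritten entry (patch 2/2) loses two specifics that the removed lines had, and it is worth confirming both drops are intended. First, the removed text limited the padding-oracle exploitability claim to "CBC and RSAAES-OAEP", whereas the new wording "which could allow a padding oracle attack" reads as applying to NIST key unwrapping too; if unwrapping is not considered exploitable, keep that qualification. Second, the attacker model changes from "a privileged local attacker with the ability to observe memory access timings" to anyone "with access to precise timing measurements", which is a broader claim and should be stated deliberately, with the compiler attribution ("recent versions of Clang") ideally pinned to a version range so users can tell whether their build is affected. Two smaller points: "non-constant time code" should be hyphenated as "non-constant-time" as in the removed lines, and spelling out "NIST SP 800-38F key unwrapping" as before is clearer than the bare "NIST key unwrapping".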