[openssl.org #3425] Potential padding oracle in evp_enc.c

2014-09-24 Thread Emilia Käsper via RT
Thanks for reporting! The leak would only be meaningful if the caller is doing mac-then-encrypt and is attempting to proceed with the mac-check in constant-time following a call to EVP_DecryptInit_ex. It also doesn't affect TLS mac-then-encrypt because TLS uses a different padding scheme, and a

Re: [openssl.org #3425] Potential padding oracle in evp_enc.c

2014-07-07 Thread Billy Brumley
It's timing too. Not just return values. Early exit. BBB

> Not sure what you're pointing out. That there are different return values? This is a local API, so warning users to not expose detail errors would address this, right?

[openssl.org #3425] Potential padding oracle in evp_enc.c

2014-07-07 Thread Matt Caswell via RT
Emilia is looking at this - assigning this ticket to her. Matt __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List

[openssl.org #3425] Potential padding oracle in evp_enc.c

2014-07-06 Thread Rich Salz via RT
Not sure what you're pointing out. That there are different return values? This is a local API, so warning users to not expose detail errors would address this, right?

[openssl.org #3425] Potential padding oracle in evp_enc.c

2014-07-03 Thread noloa...@gmail.com via RT
Around line 519 in evp_enc.c:

    // Line 519 below
    if (b > 1) {
        if (ctx->buf_len || !ctx->final_used) {
            EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_WRONG_FINAL_BLOCK_LENGTH);
            return(0);
        }
        OPENSSL_assert(b <= sizeof ctx->final);
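The early-exit timing concern raised in this thread, shown next to a branch-free padding check, as an added example that is not part of the thread or of OpenSSL's source. The function names and the sample block are constructed for illustration, and `b` is assumed to be a block size of at least 1.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Early-exit check (illustrative sketch, not OpenSSL's source): it returns at
 * the first bad byte, so its run time depends on the decrypted block. */
int pad_check_early_exit(const unsigned char *blk, size_t b)
{
    size_t n = blk[b - 1], i;

    if (n == 0 || n > b)
        return 0;
    for (i = 0; i < n; i++)
        if (blk[b - 1 - i] != n)
            return 0;
    return (int)n;
}

/* All-ones mask if x < y, else 0. Correct for operands below 2^31. */
static uint32_t ct_lt(uint32_t x, uint32_t y)
{
    return 0u - ((x - y) >> 31);
}

/* Constant-time variant: reads all b bytes and takes no branch on their
 * values. Returns the pad length, or 0 if the padding is invalid. */
int pad_check_const_time(const unsigned char *blk, size_t b)
{
    uint32_t n = blk[b - 1], bad, ok_mask;
    size_t i;

    bad = ct_lt(n, 1) | ct_lt((uint32_t)b, n);      /* n == 0 or n > b */
    for (i = 0; i < b; i++) {
        uint32_t in_pad = ct_lt((uint32_t)i, n);    /* byte i from the end is padding */
        bad |= in_pad & (uint32_t)(blk[b - 1 - i] ^ n);
    }
    ok_mask = ((bad | (0u - bad)) >> 31) - 1u;      /* all-ones iff bad == 0 */
    return (int)(n & ok_mask);
}

int main(void)
{
    /* Constructed sample: 12 zero data bytes, then four 0x04 pad bytes. */
    unsigned char blk[16] = { [12] = 4, 4, 4, 4 };

    printf("%d %d\n", pad_check_early_exit(blk, 16),
           pad_check_const_time(blk, 16));
    return 0;
}
```

Both functions return the same value for every input; only the second does the same amount of work regardless of where the padding goes wrong. A caller that branches on the result before finishing its MAC check reintroduces the timing difference.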