> I've received the attached patch to make EVP_DecryptFinal_ex call
> EVPerr() in case of an error.
I think that unless Emilia (or other constant-time expert) agrees, then the current behavior makes the right trade-off. It sacrifices some level of error detail in favor of protecting against a timing sidechannel.

--
Principal Security Engineer, Akamai Technologies
IM: rs...@jabber.me Twitter: RichSalz