Thanks for reporting!

The leak would only be meaningful if the caller is doing mac-then-encrypt and
is attempting to proceed with the mac-check in constant-time following a call
to EVP_DecryptInit_ex. It also doesn't affect TLS mac-then-encrypt because TLS
uses a different padding scheme, and a different, constant-time code path in
OpenSSL.

We also don't have evidence that the leak is large enough to be exploitable.
However, it's best to be careful so I've rewritten the code to do the padding
check in constant time. See commit

4aac102f75b517bdb56b1bcfd0a856052d559f6e

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
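
An added example, not the code from the commit referenced above and not OpenSSL's own: an early-exit padding check, whose run time depends on the padding bytes, next to a branch-free version of the same check. It assumes PKCS#7-style block padding; the function names and the sample blocks are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Early-exit check: run time depends on where the first bad byte sits.
 * Returns the padding length, or 0 if the padding is invalid. */
size_t pad_check_leaky(const unsigned char *blk, size_t b)
{
    size_t n = blk[b - 1];
    if (n == 0 || n > b)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (blk[b - 1 - i] != n)
            return 0;
    return n;
}

/* Mask helpers: all-ones when the condition holds, else zero.
 * Valid here because every operand is below 2^31. */
static uint32_t ct_lt(uint32_t a, uint32_t b) { return (uint32_t)0 - ((a - b) >> 31); }
static uint32_t ct_is_zero(uint32_t a) { return (uint32_t)0 - ((~a & (a - 1)) >> 31); }

/* Same result, but always touches all b bytes and has no branch or
 * memory index that depends on the block contents. */
size_t pad_check_ct(const unsigned char *blk, size_t b)
{
    uint32_t n = blk[b - 1];
    uint32_t bad = ct_is_zero(n) | ct_lt((uint32_t)b, n); /* n == 0 or n > b */
    for (size_t i = 0; i < b; i++) {
        uint32_t in_pad = ct_lt((uint32_t)i, n);           /* byte is padding */
        bad |= in_pad & ~ct_is_zero(blk[b - 1 - i] ^ n);   /* and differs from n */
    }
    return n & ~bad;                                       /* 0 when invalid */
}

/* Constructed 16-byte sample blocks (not captured data). */
static const unsigned char GOOD[16] = {'s','e','c','r','e','t',' ','m','s','g','!','!',4,4,4,4};
static const unsigned char BAD_MID[16] = {'s','e','c','r','e','t',' ','m','s','g','!','!',4,9,4,4};
static const unsigned char BAD_ZERO[16] = {0};
static const unsigned char BAD_LONG[16] = {17,17,17,17,17,17,17,17,17,17,17,17,17,17,17,17};
static const unsigned char FULL[16] = {16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16};

int main(void)
{
    const unsigned char *t[] = {GOOD, BAD_MID, BAD_ZERO, BAD_LONG, FULL};
    for (size_t i = 0; i < 5; i++)
        printf("block %zu: leaky=%zu ct=%zu\n", i, pad_check_leaky(t[i], 16), pad_check_ct(t[i], 16));
    return 0;
}
```

A caller doing mac-then-encrypt still has to fold the returned value into its MAC verdict without branching on it first, and the compiled output should be inspected, since an optimizer may reintroduce branches.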