Error codes aren't part of the API. It's a bit of a grey area in some cases, but for EVP_DecryptFinal_ex, you really should be checking the return value and not relying on errors left on stack. In particular, reporting detailed decryption errors was a historical mistake that has led to serious attacks; it's a coding pattern we should eradicate. This particular change was made to avoid a timing leak and provide callers an opportunity to proceed in constant time. (But most callers won't care, it only affects mac-then-encrypt.)
In your case, it sounds like the right thing to do is fix the unittest to be more robust. I'm going to reject this for now; I'll revisit if we get reports that this is causing more widespread problems, though.

Cheers,
Emilia

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org