Add a comment noting the padding oracle.

Reviewed-by: Andy Polyakov <appro@openssl.org>
author: Emilia Kasper <emilia@openssl.org> 2014-12-17 12:25:28 +0100
committer: Emilia Kasper <emilia@openssl.org> 2014-12-17 14:55:04 +0100
commit: 03af843039af758fc9bbb4ae6c09ec2bc715f2c5 (patch)
tree: 349676b8e55cc572e063268ad3c03c33e425b72d /crypto/evp/evp_enc.c
parent: 4ad2d3ac0ef338a064c6df3b5437d974def538ba (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 4314b43719..2b62bf64d2 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -524,6 +524,11 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 			return(0);
 			}
 		OPENSSL_assert(b <= sizeof ctx->final);
+
+		/*
+		 * The following assumes that the ciphertext has been authenticated.
+		 * Otherwise it provides a padding oracle.
+		 */
 		n=ctx->final[b-1];
 		if (n == 0 || n > (int)b)
 			{
author	Emilia Kasper <emilia@openssl.org>	2014-12-17 12:25:28 +0100
committer	Emilia Kasper <emilia@openssl.org>	2014-12-17 14:55:04 +0100
commit	03af843039af758fc9bbb4ae6c09ec2bc715f2c5 (patch)
tree	349676b8e55cc572e063268ad3c03c33e425b72d /crypto/evp/evp_enc.c
parent	4ad2d3ac0ef338a064c6df3b5437d974def538ba (diff)