authorJack Lloyd <[email protected]>2016-12-08 19:23:18 -0500
committerJack Lloyd <[email protected]>2016-12-08 19:23:18 -0500
commit59a71779ad7c644fcaefd3582ea244f1ff60349a (patch)
tree3354cf95d4d239ad602f3c6fbdf719bca89ae0db /src/extra_tests
parent41e7cade5889d238ca695806451db227b9792cd9 (diff)
Fix off by one in PKCS #1 v1.5 decryption decoding
When the code was changed in b8966d0f89e, the offset was not changed, so it would reject ciphertexts with exactly 8 bytes of random padding (the required minimum). Found by pkcs1 fuzzer which also had problems due to not having been updated at the same time. Add a test suite for decoding of PK decryption padding to cover the problem cases.
Diffstat (limited to 'src/extra_tests')
-rw-r--r--src/extra_tests/fuzzers/GNUmakefile4
-rw-r--r--src/extra_tests/fuzzers/jigs/pkcs1.cpp33
-rw-r--r--src/extra_tests/fuzzers/jigs/tls_client_hello.cpp6
3 files changed, 24 insertions, 19 deletions
diff --git a/src/extra_tests/fuzzers/GNUmakefile b/src/extra_tests/fuzzers/GNUmakefile
index 3ebe64be7..aa45eb040 100644
--- a/src/extra_tests/fuzzers/GNUmakefile
+++ b/src/extra_tests/fuzzers/GNUmakefile
@@ -40,11 +40,11 @@ dirs:
afl-build:
../../../configure.py $(CFG_FLAGS) --with-build-dir=afl-build --cc=$(AFL_CXX_TYPE) --cc-bin=$(AFL_CXX)
- make -f afl-build/Makefile afl-build/libbotan-1.11.a -j8
+ make -j$(nproc) -f afl-build/Makefile afl-build/libbotan-1.11.a
llvm-build:
../../../configure.py $(CFG_FLAGS) --with-build-dir=llvm-build --cc=clang --cc-bin=$(CLANG_CXX) --cc-abi-flags="$(CLANG_SAN_FLAGS)"
- make -f llvm-build/Makefile llvm-build/libbotan-1.11.a -j8
+ make -j$(nproc) -f llvm-build/Makefile llvm-build/libbotan-1.11.a
# libFuzzer default is max_len 64 this sets 140 but allows override via args=
run_llvm_%: bin/llvm_fuzz_%
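Review bot: In the `afl-build` and `llvm-build` recipes, `$(nproc)` is expanded by make as a variable reference, not run by the shell as a command substitution. Unless a make variable named `nproc` is defined elsewhere in this file, it expands to nothing and the command becomes `make -j -f ...`, which places no limit on the number of parallel jobs. Escape the dollar so the shell sees it, `make -j$$(nproc) -f afl-build/Makefile afl-build/libbotan-1.11.a`, or use `$(shell nproc)`; the same applies to the llvm-build line.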
diff --git a/src/extra_tests/fuzzers/jigs/pkcs1.cpp b/src/extra_tests/fuzzers/jigs/pkcs1.cpp
index 889308f0e..8a16d17e5 100644
--- a/src/extra_tests/fuzzers/jigs/pkcs1.cpp
+++ b/src/extra_tests/fuzzers/jigs/pkcs1.cpp
@@ -13,14 +13,14 @@ secure_vector<byte> simple_pkcs1_unpad(const byte in[], size_t len)
if(len < 10)
throw Botan::Decoding_Error("bad len");
- if(in[0] != 2)
- throw Botan::Decoding_Error("bad field");
+ if(in[0] != 0 || in[1] != 2)
+ throw Botan::Decoding_Error("bad header field");
- for(size_t i = 1; i < len; ++i)
+ for(size_t i = 2; i < len; ++i)
{
if(in[i] == 0)
{
- if(i < 9)
+ if(i < 10) // at least 8 padding bytes required
throw Botan::Decoding_Error("insufficient padding bytes");
return secure_vector<byte>(in + i + 1, in + len);
}
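Review bot: The `len < 10` guard at the top of this hunk was not updated along with the two-byte header check. A well-formed block now needs `00 02`, at least 8 padding bytes and the `00` delimiter, so the shortest valid input is 11 bytes. A 10-byte input still appears to be rejected, but only by running through the loop, whose tail is outside this hunk. Changing the guard to `if(len < 11) // 2 header bytes + 8 padding + delimiter` would keep it visibly consistent with the `i < 10` check.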
@@ -42,9 +42,9 @@ void fuzz(const uint8_t in[], size_t len)
secure_vector<byte> decoded = ((EME*)&pkcs1)->unpad(valid_mask, in, len);
if(valid_mask == 0)
- lib_rejected = false;
- else if(valid_mask == 0xFF)
lib_rejected = true;
+ else if(valid_mask == 0xFF)
+ lib_rejected = false;
else
abort();
}
@@ -54,15 +54,24 @@ void fuzz(const uint8_t in[], size_t len)
{
ref_result = simple_pkcs1_unpad(in, len);
}
- catch(Botan::Decoding_Error&) { ref_rejected = true; }
+ catch(Botan::Decoding_Error& e) { ref_rejected = true; /*printf("%s\n", e.what());*/ }
- FUZZER_ASSERT_EQUAL(lib_rejected, ref_rejected);
+ if(lib_rejected == ref_rejected)
+ {
+ return; // ok, they agree
+ }
- if(lib_result != ref_result)
+ // otherwise: incorrect result, log info and crash
+ if(lib_rejected == true && ref_rejected == false)
+ {
+ std::cerr << "Library rejected input accepted by ref\n";
+ std::cerr << "Ref decoded " << hex_encode(ref_result) << "\n";
+ }
+ else if(ref_rejected == true && lib_rejected == false)
{
- std::cerr << hex_encode(lib_result) << " != ref \n"
- << hex_encode(ref_result) << std::endl;
- abort();
+ std::cerr << "Library accepted input reject by ref\n";
+ std::cerr << "Lib decoded " << hex_encode(lib_result) << "\n";
}
+ abort();
}
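Review bot: The early `return` when `lib_rejected == ref_rejected` drops the old `lib_result != ref_result` comparison, so when both sides accept an input the decoded payloads are never compared. A library unpad that accepts the right inputs but returns the message from the wrong offset, which is the class of bug this commit fixes, would pass the jig unnoticed. Compare the outputs in the both-accepted case before returning, as sketched below. Separately, the new message `"Library accepted input reject by ref\n"` should read "rejected", and the `catch` now names `e` only for a commented-out `printf`. The enclosing `fuzz` starts outside this hunk.

```cpp
if(lib_rejected == ref_rejected)
   {
   // both accepted: the decoded payloads must match as well
   if(lib_rejected == false && lib_result != ref_result)
      {
      std::cerr << "Lib decoded " << hex_encode(lib_result)
                << " but ref decoded " << hex_encode(ref_result) << "\n";
      abort();
      }
   return; // ok, they agree
   }
// … unchanged: accept/reject mismatch logging and abort() …
```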
diff --git a/src/extra_tests/fuzzers/jigs/tls_client_hello.cpp b/src/extra_tests/fuzzers/jigs/tls_client_hello.cpp
index 5705dca91..33b6f941a 100644
--- a/src/extra_tests/fuzzers/jigs/tls_client_hello.cpp
+++ b/src/extra_tests/fuzzers/jigs/tls_client_hello.cpp
@@ -12,10 +12,6 @@ void fuzz(const uint8_t in[], size_t len)
{
std::vector<uint8_t> v(in, in + len);
Botan::TLS::Client_Hello ch(v);
-
- printf("%s\n", ch.version().to_string().c_str());
- if(ch.version() == Botan::TLS::Protocol_Version::TLS_V12)
- abort();
}
- catch(Botan::Exception& e) {printf("%s\n", e.what()); }
+ catch(Botan::Exception& e) {}
}
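Review bot: The new handler `catch(Botan::Exception& e) {}` binds `e` without using it, which draws an unused-variable warning on some compilers and leaves the empty body unexplained. Writing it as `catch(Botan::Exception&) {} // malformed hellos are expected to throw` states the intent. The enclosing `fuzz` starts outside this hunk.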