Fix off by one in PKCS #1 v1.5 decryption decoding

When the code was changed in b8966d0f89e, the offset was not changed, so it would reject ciphertexts with exactly 8 bytes of random padding (the required minimum). Found by pkcs1 fuzzer which also had problems due to not having been updated at the same time. Add a test suite for decoding of PK decryption padding to cover the problem cases.
author: Jack Lloyd <[email protected]> 2016-12-08 19:23:18 -0500
committer: Jack Lloyd <[email protected]> 2016-12-08 19:23:18 -0500
commit: 59a71779ad7c644fcaefd3582ea244f1ff60349a (patch)
tree: 3354cf95d4d239ad602f3c6fbdf719bca89ae0db /src/lib/pk_pad
parent: 41e7cade5889d238ca695806451db227b9792cd9 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp b/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp
index b14808da0..2b5ee4ba0 100644
--- a/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp
+++ b/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp
@@ -69,7 +69,7 @@ secure_vector<byte> EME_PKCS1v15::unpad(byte& valid_mask,
 
       delim_idx += CT::select<byte>(~seen_zero_m, 1, 0);
 
-      bad_input_m |= is_zero_m & CT::expand_mask<byte>(i < 9);
+      bad_input_m |= is_zero_m & CT::expand_mask<byte>(i < 10);
       seen_zero_m |= is_zero_m;
       }
author	Jack Lloyd <[email protected]>	2016-12-08 19:23:18 -0500
committer	Jack Lloyd <[email protected]>	2016-12-08 19:23:18 -0500
commit	59a71779ad7c644fcaefd3582ea244f1ff60349a (patch)
tree	3354cf95d4d239ad602f3c6fbdf719bca89ae0db /src/lib/pk_pad
parent	41e7cade5889d238ca695806451db227b9792cd9 (diff)