diff options
author | Jack Lloyd <[email protected]> | 2016-12-08 19:23:18 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-12-08 19:23:18 -0500 |
commit | 59a71779ad7c644fcaefd3582ea244f1ff60349a (patch) | |
tree | 3354cf95d4d239ad602f3c6fbdf719bca89ae0db /src/lib | |
parent | 41e7cade5889d238ca695806451db227b9792cd9 (diff) |
Fix off by one in PKCS #1 v1.5 decryption decoding
When the code was changed in b8966d0f89e, the offset was not changed,
so it would reject ciphertexts with exactly 8 bytes of random padding
(the required minimum).
Found by pkcs1 fuzzer which also had problems due to not having been
updated at the same time.
Add a test suite for decoding of PK decryption padding to cover the
problem cases.
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp b/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp index b14808da0..2b5ee4ba0 100644 --- a/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp +++ b/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp @@ -69,7 +69,7 @@ secure_vector<byte> EME_PKCS1v15::unpad(byte& valid_mask, delim_idx += CT::select<byte>(~seen_zero_m, 1, 0); - bad_input_m |= is_zero_m & CT::expand_mask<byte>(i < 9); + bad_input_m |= is_zero_m & CT::expand_mask<byte>(i < 10); seen_zero_m |= is_zero_m; } |