authorJack Lloyd <[email protected]>2016-12-08 19:23:18 -0500
committerJack Lloyd <[email protected]>2016-12-08 19:23:18 -0500
commit59a71779ad7c644fcaefd3582ea244f1ff60349a (patch)
tree3354cf95d4d239ad602f3c6fbdf719bca89ae0db /src/lib
parent41e7cade5889d238ca695806451db227b9792cd9 (diff)
Fix off by one in PKCS #1 v1.5 decryption decoding
When the code was changed in b8966d0f89e, the offset was not changed, so it would reject ciphertexts with exactly 8 bytes of random padding (the required minimum). Found by the pkcs1 fuzzer, which itself had problems because it had not been updated at the same time. Add a test suite for decoding of PK decryption padding to cover the problem cases.
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp b/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp
index b14808da0..2b5ee4ba0 100644
--- a/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp
+++ b/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp
@@ -69,7 +69,7 @@ secure_vector<byte> EME_PKCS1v15::unpad(byte& valid_mask,
delim_idx += CT::select<byte>(~seen_zero_m, 1, 0);
- bad_input_m |= is_zero_m & CT::expand_mask<byte>(i < 9);
+ bad_input_m |= is_zero_m & CT::expand_mask<byte>(i < 10);
seen_zero_m |= is_zero_m;
}