Fix off by one in PKCS #1 v1.5 decryption decoding

When the code was changed in b8966d0f89e, the offset was not changed,
so it would reject ciphertexts with exactly 8 bytes of random padding
(the required minimum).

Found by pkcs1 fuzzer which also had problems due to not having been
updated at the same time.

Add a test suite for decoding of PK decryption padding to cover the
problem cases.

1 files changed, 46 insertions, 0 deletions

diff --git a/src/tests/data/pk_pad_eme/pkcs1.vec b/src/tests/data/pk_pad_eme/pkcs1.vec
new file mode 100644
index 000000000..48b732d95
--- /dev/null
+++ b/src/tests/data/pk_pad_eme/pkcs1.vec
@@ -0,0 +1,46 @@
+[PKCS1v15]
+RawCiphertext =
+ValidInput = false
+
+RawCiphertext = 00
+ValidInput = false
+
+RawCiphertext = 0000
+ValidInput = false
+
+RawCiphertext = FF
+ValidInput = false
+
+RawCiphertext = FF02
+ValidInput = false
+
+RawCiphertext = 0002DEDE24212121DEDEDE5EDEDEDEDE0A5EDE00000000DEDEDE010000000000
+Plaintext = 000000DEDEDE010000000000
+ValidInput = true
+
+RawCiphertext = 022C2C4018181818181818181818183A18181818181818180000002C022C00010A2C2C2C2C2C022C
+ValidInput = false
+
+RawCiphertext = 00022C2C4018181818181818181818183A18181818181818180000002C022C00010A2C2C2C2C2C022C
+Plaintext = 00002C022C00010A2C2C2C2C2C022C
+ValidInput = true
+
+RawCiphertext = 0002FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF010100000021FFFFFFFFFFFFBC
+Plaintext = 000021FFFFFFFFFFFFBC
+ValidInput = true
+
+RawCiphertext = 0002F9CCFFFFCCCCCCCCCCCCCCCC4E0000CCFFFFCCCCCCCCCCCCCCCCCCCCCCCCCC06
+Plaintext = 00CCFFFFCCCCCCCCCCCCCCCCCCCCCCCCCC06
+ValidInput = true
+
+RawCiphertext = 000253FFC43B5253FF0A53DE0000FD
+Plaintext = 00FD
+ValidInput = true
+
+RawCiphertext = 0002FFFF06FFFFFFFFFF00000000000000000000000000000000000000000000000000000000FF0A
+Plaintext = 000000000000000000000000000000000000000000000000000000FF0A
+ValidInput = true
+
+# Padding only 7 bytes
+RawCiphertext = 0002FFFFFFFFFFFFFF000113131313131388
+ValidInput = false