Diffstat (limited to 'src/lib/pk_pad')
-rw-r--r--src/lib/pk_pad/eme.h4
-rw-r--r--src/lib/pk_pad/eme_oaep/oaep.cpp17
-rw-r--r--src/lib/pk_pad/eme_oaep/oaep.h3
-rw-r--r--src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp26
-rw-r--r--src/lib/pk_pad/eme_pkcs1/eme_pkcs.h3
-rw-r--r--src/lib/pk_pad/eme_raw/eme_raw.cpp14
-rw-r--r--src/lib/pk_pad/eme_raw/eme_raw.h3
7 files changed, 34 insertions, 36 deletions
diff --git a/src/lib/pk_pad/eme.h b/src/lib/pk_pad/eme.h
index f4c85da70..9c72cb023 100644
--- a/src/lib/pk_pad/eme.h
+++ b/src/lib/pk_pad/eme.h
@@ -65,8 +65,8 @@ class BOTAN_DLL EME
*/
virtual secure_vector<byte> unpad(byte& valid_mask,
const byte in[],
- size_t in_len,
- size_t key_length) const = 0;
+ size_t in_len) const = 0;
+
/**
* Encode an input
* @param in the plaintext
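Review bot: With `key_length` removed from `unpad`, the doc comment for this pure virtual (it starts above the hunk) should state what callers must pass as `in`/`in_len`, because the implementations changed in this commit now disagree on it. OAEP skips a leading zero byte if one is present, PKCS #1 v1.5 requires `in[0] == 0` and `in[1] == 2`, and the raw encoding strips all leading zeros. Suggest adding something like `@param in_len length of in, the full decrypted block including any leading zero byte; must be non-zero`, and dropping any remaining `@param key_length` line if the comment still has one.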
diff --git a/src/lib/pk_pad/eme_oaep/oaep.cpp b/src/lib/pk_pad/eme_oaep/oaep.cpp
index 894368e2d..0ae0d8554 100644
--- a/src/lib/pk_pad/eme_oaep/oaep.cpp
+++ b/src/lib/pk_pad/eme_oaep/oaep.cpp
@@ -61,8 +61,7 @@ secure_vector<byte> OAEP::pad(const byte in[], size_t in_length,
* OAEP Unpad Operation
*/
secure_vector<byte> OAEP::unpad(byte& valid_mask,
- const byte in[], size_t in_length,
- size_t key_length) const
+ const byte in[], size_t in_length) const
{
/*
Must be careful about error messages here; if an attacker can
@@ -75,15 +74,13 @@ secure_vector<byte> OAEP::unpad(byte& valid_mask,
Strenzke.
*/
- key_length /= 8;
-
- // Invalid input: truncate to zero length input, causing later
- // checks to fail
- if(in_length > key_length)
- in_length = 0;
+ if(in[0] == 0)
+ {
+ in += 1;
+ in_length -= 1;
+ }
- secure_vector<byte> input(key_length);
- buffer_insert(input, key_length - in_length, in, in_length);
+ secure_vector<byte> input(in, in + in_length);
CT::poison(input.data(), input.size());
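Review bot: The new `if(in[0] == 0)` test branches on the first byte of the decrypted block before `CT::poison` is applied, and nothing in this hunk marks a nonzero first byte as invalid, which is the kind of distinguishable behaviour the comment above warns about. It also reads `in[0]` without checking `in_length`, so an empty input is read out of bounds and `in_length -= 1` could wrap. Consider rejecting `in_length == 0` up front, then always skipping the first byte and folding `~CT::is_equal<byte>(in[0], 0)` into the mask that later becomes `valid_mask`. The rest of `OAEP::unpad` is outside the hunk, so the name of that mask and any later length check are not visible here.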
diff --git a/src/lib/pk_pad/eme_oaep/oaep.h b/src/lib/pk_pad/eme_oaep/oaep.h
index dce706613..8b21ea81d 100644
--- a/src/lib/pk_pad/eme_oaep/oaep.h
+++ b/src/lib/pk_pad/eme_oaep/oaep.h
@@ -36,8 +36,7 @@ class BOTAN_DLL OAEP final : public EME
secure_vector<byte> unpad(byte& valid_mask,
const byte in[],
- size_t in_len,
- size_t key_length) const override;
+ size_t in_len) const override;
secure_vector<byte> m_Phash;
std::unique_ptr<HashFunction> m_hash;
diff --git a/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp b/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp
index 4780fe43b..8148b7bc9 100644
--- a/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp
+++ b/src/lib/pk_pad/eme_pkcs1/eme_pkcs.cpp
@@ -1,6 +1,6 @@
/*
* PKCS #1 v1.5 Type 2 (encryption) padding
-* (C) 1999-2007,2015 Jack Lloyd
+* (C) 1999-2007,2015,2016 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
@@ -27,8 +27,16 @@ secure_vector<byte> EME_PKCS1v15::pad(const byte in[], size_t inlen,
secure_vector<byte> out(olen);
out[0] = 0x02;
+ rng.randomize(out.data() + 1, (olen - inlen - 2));
+
for(size_t j = 1; j != olen - inlen - 1; ++j)
- out[j] = rng.next_nonzero_byte();
+ {
+ if(out[j] == 0)
+ {
+ out[j] = rng.next_nonzero_byte();
+ }
+ }
+
buffer_insert(out, olen - inlen, in, inlen);
return out;
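Review bot: The padding length is now written two ways, as `(olen - inlen - 2)` in the `rng.randomize` call and as the loop bound `olen - inlen - 1`, so the two can drift apart on a later edit. A named local such as `const size_t pad_len = olen - inlen - 2;` used for both (`j != 1 + pad_len`) would keep them in step. A short comment like `// padding bytes must be nonzero: fill in bulk, then replace any zero` would also explain the fix-up loop. The check that `olen` exceeds `inlen` by enough to prevent this subtraction from wrapping is presumably earlier in `pad`, outside the hunk.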
@@ -38,21 +46,18 @@ secure_vector<byte> EME_PKCS1v15::pad(const byte in[], size_t inlen,
* PKCS1 Unpad Operation
*/
secure_vector<byte> EME_PKCS1v15::unpad(byte& valid_mask,
- const byte in[], size_t inlen,
- size_t key_len) const
+ const byte in[], size_t inlen) const
{
- if(inlen != key_len / 8 || inlen < 10)
- throw Decoding_Error("PKCS1::unpad");
-
CT::poison(in, inlen);
byte bad_input_m = 0;
byte seen_zero_m = 0;
size_t delim_idx = 0;
- bad_input_m |= ~CT::is_equal<byte>(in[0], 2);
+ bad_input_m |= ~CT::is_equal<byte>(in[0], 0);
+ bad_input_m |= ~CT::is_equal<byte>(in[1], 2);
- for(size_t i = 1; i != inlen; ++i)
+ for(size_t i = 2; i < inlen; ++i)
{
const byte is_zero_m = CT::is_zero<byte>(in[i]);
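Review bot: Removing the `inlen != key_len / 8 || inlen < 10` check leaves the reads of `in[0]` and `in[1]` unguarded, and the later `&in[delim_idx + 2]` range in the next hunk is exposed to the same gap. An input shorter than two bytes is then read out of bounds. The length is not secret, so an early rejection does not add an oracle: `if(inlen < 11) { valid_mask = 0; return secure_vector<byte>(); }` (0x00, 0x02, eight padding bytes and the delimiter) would restore the lower bound without throwing. The loop body continues outside this hunk.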
@@ -63,12 +68,13 @@ secure_vector<byte> EME_PKCS1v15::unpad(byte& valid_mask,
}
bad_input_m |= ~seen_zero_m;
+ bad_input_m |= CT::is_less<size_t>(delim_idx, 8);
CT::unpoison(in, inlen);
CT::unpoison(bad_input_m);
CT::unpoison(delim_idx);
- secure_vector<byte> output(&in[delim_idx + 1], &in[inlen]);
+ secure_vector<byte> output(&in[delim_idx + 2], &in[inlen]);
CT::cond_zero_mem(bad_input_m, output.data(), output.size());
valid_mask = ~bad_input_m;
return output;
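Review bot: `bad_input_m |= CT::is_less<size_t>(delim_idx, 8);` ORs a `size_t`-wide mask into a `byte`, which relies on implicit narrowing and will trigger conversion warnings on some compilers. Making the truncation explicit, `bad_input_m |= static_cast<byte>(CT::is_less<size_t>(delim_idx, 8));`, documents that only the low byte of the mask is wanted. The bare `8` also deserves a comment such as `// at least 8 bytes of nonzero padding are required`. Whether `delim_idx + 2 <= inlen` always holds depends on the loop body, which is outside this hunk.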
diff --git a/src/lib/pk_pad/eme_pkcs1/eme_pkcs.h b/src/lib/pk_pad/eme_pkcs1/eme_pkcs.h
index d5f8879d6..006b39997 100644
--- a/src/lib/pk_pad/eme_pkcs1/eme_pkcs.h
+++ b/src/lib/pk_pad/eme_pkcs1/eme_pkcs.h
@@ -25,8 +25,7 @@ class BOTAN_DLL EME_PKCS1v15 final : public EME
secure_vector<byte> unpad(byte& valid_mask,
const byte in[],
- size_t in_len,
- size_t key_length) const override;
+ size_t in_len) const override;
};
}
diff --git a/src/lib/pk_pad/eme_raw/eme_raw.cpp b/src/lib/pk_pad/eme_raw/eme_raw.cpp
index 5c5dd6e40..84fd6f545 100644
--- a/src/lib/pk_pad/eme_raw/eme_raw.cpp
+++ b/src/lib/pk_pad/eme_raw/eme_raw.cpp
@@ -1,29 +1,27 @@
/*
-* (C) 2015 Jack Lloyd
+* (C) 2015,2016 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
-#include <botan/internal/bit_ops.h>
#include <botan/eme_raw.h>
+#include <botan/internal/bit_ops.h>
+#include <botan/internal/ct_utils.h>
namespace Botan {
secure_vector<byte> EME_Raw::pad(const byte in[], size_t in_length,
- size_t key_bits,
+ size_t,
RandomNumberGenerator&) const
{
- if(in_length > 0 && (8*(in_length - 1) + high_bit(in[0]) > key_bits))
- throw Invalid_Argument("EME_Raw: Input is too large");
return secure_vector<byte>(in, in + in_length);
}
secure_vector<byte> EME_Raw::unpad(byte& valid_mask,
- const byte in[], size_t in_length,
- size_t) const
+ const byte in[], size_t in_length) const
{
valid_mask = 0xFF;
- return secure_vector<byte>(in, in + in_length);
+ return CT::strip_leading_zeros(in, in_length);
}
size_t EME_Raw::maximum_input_size(size_t keybits) const
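Review bot: `EME_Raw::pad` no longer rejects input wider than the key, since the `high_bit(in[0])` comparison against `key_bits` is removed and the parameter is now unnamed. Oversized input is therefore only caught if the caller checks `maximum_input_size` or the public-key operation itself range-checks, and neither is visible here. If that is the intent, a comment in `pad` such as `// size is validated by the caller / the underlying operation` would record it. `unpad` now returns `CT::strip_leading_zeros(in, in_length)`, so a raw plaintext that begins with 0x00 bytes no longer round-trips, which should be documented on the class. `bit_ops.h` may also no longer be needed unless `maximum_input_size`, whose body is outside the hunk, still uses it.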
diff --git a/src/lib/pk_pad/eme_raw/eme_raw.h b/src/lib/pk_pad/eme_raw/eme_raw.h
index 60d23323c..fa30c684e 100644
--- a/src/lib/pk_pad/eme_raw/eme_raw.h
+++ b/src/lib/pk_pad/eme_raw/eme_raw.h
@@ -23,8 +23,7 @@ class BOTAN_DLL EME_Raw final : public EME
secure_vector<byte> unpad(byte& valid_mask,
const byte in[],
- size_t in_len,
- size_t key_length) const override;
+ size_t in_len) const override;
};
}