RT 3493: fix RSA test

- Pass in the right ciphertext length to ensure we're indeed testing
  ciphertext corruption (and not truncation).
- Only test one mutation per byte to not make the test too slow.
- Add a separate test for truncated ciphertexts.

(Imported from upstream's 5f623eb61655688501cb1817a7ad0592299d894a.)

Change-Id: I425a77668beac9d391387e3afad8d15ae387468f
Reviewed-on: https://boringssl-review.googlesource.com/5945
Reviewed-by: Adam Langley <agl@google.com>

crypto/rsa/rsa_test.cc

@@ -554,20 +554,24 @@ static bool TestRSA(const uint8_t *der, size_t der_len,
   // Try decrypting corrupted ciphertexts.
   memcpy(ciphertext, oaep_ciphertext, oaep_ciphertext_len);
   for (size_t i = 0; i < oaep_ciphertext_len; i++) {
-    uint8_t saved = ciphertext[i];
-    for (unsigned b = 0; b < 256; b++) {
-      if (b == saved) {
-        continue;
-      }
-      ciphertext[i] = b;
-      num = RSA_private_decrypt(num, ciphertext, plaintext, key.get(),
-                                RSA_PKCS1_OAEP_PADDING);
-      if (num > 0) {
-        fprintf(stderr, "Corrupt data decrypted!\n");
-        return false;
-      }
+    ciphertext[i] ^= 1;
+    num = RSA_private_decrypt(oaep_ciphertext_len, ciphertext, plaintext,
+                              key.get(), RSA_PKCS1_OAEP_PADDING);
+    if (num > 0) {
+      fprintf(stderr, "Corrupt data decrypted!\n");
+      return false;
+    }
+    ciphertext[i] ^= 1;
+  }
+
+  // Test truncated ciphertexts.
+  for (size_t len = 0; len < oaep_ciphertext_len; len++) {
+    num = RSA_private_decrypt(len, ciphertext, plaintext, key.get(),
+                              RSA_PKCS1_OAEP_PADDING);
+    if (num > 0) {
+      fprintf(stderr, "Corrupt data decrypted!\n");
+      return false;
     }
-    ciphertext[i] = saved;
   }
 
   return true;