Commit 4a94d37

Maxwell Moyer-McKee authored and committed
Merged PR 11930336: Ensure PS is terminated with 0x01 in RSA OAEP decryption
## Description:

The OAEP data block is formatted `Hash(L) || PS || 0x01 || M`, where `PS` is all zero padding. If SymCrypt decrypts an OAEP-padded ciphertext, with a data block of the form `Hash(L) || PS`, it will succeed and return an empty plaintext. According to [RFC 8017](https://datatracker.ietf.org/doc/html/rfc8017#section-5.1.2), this should fail since the `0x01` separator is missing. This is an edge case that shouldn't cause any real-world issues, but the current behavior does fail a set of wycheproof tests and is not strictly correct. This PR just checks that `PS` is terminated by `0x01`, even if `M` is empty.

## Admin Checklist:

- [x] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [x] You have updated CHANGELOG.md to reflect any changes in behavior
- [x] You have updated symcryptunittest to exercise any new functionality
- [x] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [x] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [x] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [x] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary

Related work items: #55346521
1 parent 4eec033 commit 4a94d37
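
The decoding rule from the description above, as an added example that is not SymCrypt's code: it validates `Hash(L) || PS || 0x01 || M` and goes slightly beyond the commit by accumulating every padding failure into one verdict, since RFC 8017 advises that the OAEP decoding failures should not be distinguishable. The function names and the 4-byte stand-in for `Hash(L)` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* 1 if a == b, else 0, computed without a data-dependent branch. */
static uint32_t is_eq(uint8_t a, uint8_t b)
{
    return ((uint32_t)(a ^ b) - 1u) >> 31;
}

/* Hypothetical helper: validate DB = lHash || PS || 0x01 || M.
 * Returns 0 and stores the offset of M in *msg_off, or -1 on any failure. */
int oaep_check_db(const uint8_t *db, size_t db_len,
                  const uint8_t *lhash, size_t hlen, size_t *msg_off)
{
    uint8_t diff = 0;
    uint32_t found = 0, bad = 0;
    size_t i, sep_end = 0;

    if (db_len < hlen + 1)      /* lengths are public, so branching is fine */
        return -1;
    for (i = 0; i < hlen; i++)
        diff |= (uint8_t)(db[i] ^ lhash[i]);
    for (i = hlen; i < db_len; i++) {
        uint32_t one = is_eq(db[i], 0x01), zero = is_eq(db[i], 0x00);
        uint32_t first = one & (found ^ 1u);            /* first 0x01 seen */
        sep_end |= (i + 1) & ((size_t)0 - first);       /* M starts after it */
        bad |= (found ^ 1u) & (one ^ 1u) & (zero ^ 1u); /* PS byte not 0x00 */
        found |= one;
    }
    bad |= found ^ 1u;          /* Hash(L) || PS with no 0x01: reject */
    bad |= is_eq(diff, 0) ^ 1u; /* label hash mismatch */
    if (bad)
        return -1;
    *msg_off = sep_end;
    return 0;
}

/* Constructed samples; LH is a 4-byte stand-in for Hash(L), not a real digest. */
static const uint8_t LH[4]       = { 0xde, 0xad, 0xbe, 0xef };
static const uint8_t DB_OK[8]    = { 0xde, 0xad, 0xbe, 0xef, 0, 0, 0x01, 'M' };
static const uint8_t DB_EMPTY[7] = { 0xde, 0xad, 0xbe, 0xef, 0, 0, 0x01 };
static const uint8_t DB_NOSEP[7] = { 0xde, 0xad, 0xbe, 0xef, 0, 0, 0 };
static const uint8_t DB_BADPS[8] = { 0xde, 0xad, 0xbe, 0xef, 0, 0x02, 0x01, 'M' };

/* Length of M for a sample DB checked against LH, or -1 if the DB is rejected. */
long oaep_msg_len(const uint8_t *db, size_t db_len)
{
    size_t off = 0;
    return oaep_check_db(db, db_len, LH, sizeof LH, &off) ? -1 : (long)(db_len - off);
}
```

`DB_EMPTY` and `DB_NOSEP` differ only in the last byte: the first is a valid encoding of an empty message, the second is the malformed block this commit starts rejecting.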

1 file changed: +6 -0 lines changed

lib/rsa_padding.c

Lines changed: 6 additions & 0 deletions
@@ -602,6 +602,12 @@ SymCryptRsaOaepRemoveEncryptionPadding(
602602
}
603603
}
604604

605+
if (pbDB[cnt - 1] != 0x01)
606+
{
607+
scError = SYMCRYPT_INVALID_ARGUMENT;
608+
goto cleanup;
609+
}
610+
605611
// the rest is data
606612
*pcbPlaintext = cbDB - cnt;
607613
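
Review bot: The new `pbDB[cnt - 1] != 0x01` check carries no comment and relies on an invariant of the loop above that these lines do not show: on exit, `cnt` must be at least 1 and sit one past the separator candidate, since `cbDB - cnt` is then used as the plaintext length. A one-line comment such as `// PS must be terminated by 0x01, even when M is empty (RFC 8017)` would record why the check exists. It is also worth confirming that `SYMCRYPT_INVALID_ARGUMENT` is the same code the function's other padding failures return, so a caller cannot tell a missing separator apart from other malformed padding. The commit touches only lib/rsa_padding.c, so a regression test for the `Hash(L) || PS` case is not part of this change.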
