It appears that we have a bug in the pad/unpad methods of the
Crypto.Buffer object. Where all padding standards (ANSI X.923, ISO
10126, PKCS7) have the last byte of the last block be the number of
padded bytes, Pike sets it to 1 less than that (i.e. the number of
padded bytes in addition to the length byte).

I think these functions are used directly in SSL. However, fixing it
may create a bit of a compatibility issue in other places.
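
The mismatch described in this message, as an added Python sketch (not Pike code and not part of the original message): a PKCS#7 padder beside one that stores one less in the length byte, with each side's output fed to the other's unpadder. The 16-byte block size, the function names and the choice to repeat the length value in the filler bytes are assumptions.

```python
BLOCK = 16  # assumed block size; the message does not name a cipher

def pad_pkcs7(data: bytes, block: int = BLOCK) -> bytes:
    """PKCS#7: every padding byte holds the total number of padding bytes."""
    n = block - len(data) % block
    return data + bytes([n]) * n

def unpad_pkcs7(padded: bytes, block: int = BLOCK) -> bytes:
    if not padded or len(padded) % block:
        raise ValueError("length is not a multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= block or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding")
    return padded[:-n]

def pad_minus_one(data: bytes, block: int = BLOCK) -> bytes:
    """Convention described in the message: last byte = padding bytes - 1.
    TLS CBC records count padding the same way (RFC 5246, 6.2.3.2)."""
    n = block - len(data) % block
    return data + bytes([n - 1]) * n  # filler value is an assumption

def unpad_minus_one(padded: bytes, block: int = BLOCK) -> bytes:
    if not padded or len(padded) % block:
        raise ValueError("length is not a multiple of the block size")
    n = padded[-1] + 1
    if n > block or padded[-n:] != bytes([n - 1]) * n:
        raise ValueError("bad padding")
    return padded[:-n]

def try_unpad(unpad, padded: bytes):
    """Return the recovered plaintext, or None if the unpadder rejects it."""
    try:
        return unpad(padded)
    except ValueError:
        return None

if __name__ == "__main__":
    for size in (13, 14, 15, 16):  # constructed sample plaintexts
        msg = b"A" * size
        print(size,
              "minus-one -> PKCS#7 reader:",
              try_unpad(unpad_pkcs7, pad_minus_one(msg)),
              "| PKCS#7 -> minus-one reader:",
              try_unpad(unpad_minus_one, pad_pkcs7(msg)))
```

With these assumptions a strict PKCS#7 reader rejects the off-by-one padding only when a single padding byte was added (length byte 0); in every other case it accepts the data and returns the plaintext with one stray trailing byte, so the incompatibility shows up as silent corruption rather than an error.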
