fix: guard RsaUnPad_PSS masking when bits==0

When the RSA modulus bit count is congruent to 1 mod 8 (e.g. a 2041-bit
or 3073-bit key), (mp_count_bits(n) - 1) & 0x7 == 0, so the leading
zero byte has already been consumed and the pointer advanced. In that
case (1<<0)-1 == 0, zeroing tmp[0] and pkcsBlock[0] and corrupting
maskedDB[0] before the XOR separator comparison.

RsaPad_PSS guards the equivalent step with 'if (hiBits)'. Add the same
guard to RsaUnPad_PSS.

Standard power-of-two key sizes (1024, 2048, 4096-bit) are unaffected
as their bit counts give bits==7 after the recomputation. The bug
affects non-standard key sizes loaded from external DER where
mp_count_bits(n) % 8 == 1.

Author: MarkAtwood

wolfcrypt/src/rsa.c

@@ -1882,8 +1882,15 @@ static int RsaUnPad_PSS(byte *pkcsBlock, unsigned int pkcsBlockLen,
         return ret;
     }
 
-    tmp[0] &= (byte)((1 << bits) - 1);
-    pkcsBlock[0] &= (byte)((1 << bits) - 1);
+    /* When bits==0 the key size is an exact multiple of 8 and pkcsBlock was
+     * already advanced past the leading 0x00 byte (see above); no masking is
+     * needed.  (1<<0)-1 == 0 would zero both bytes and corrupt the XOR
+     * separator check below.  RsaPad_PSS guards the same step with
+     * "if (hiBits)" for the same reason. */
+    if (bits) {
+        tmp[0] &= (byte)((1 << bits) - 1);
+        pkcsBlock[0] &= (byte)((1 << bits) - 1);
+    }
 #ifdef WOLFSSL_PSS_SALT_LEN_DISCOVER
     if (saltLen == RSA_PSS_SALT_LEN_DISCOVER) {
         for (i = 0; i < maskLen - 1; i++) {