RSA PSS: fix first byte check for keys of size 8N+1

For a key of size 8N+1, check that the first byte after applying the
public key operation is 0 (it could have been 1 instead). The code was
incorrectly doing a no-op check instead, which led to invalid
signatures being accepted. Not a security flaw, since you would need the
private key to craft such an invalid signature, but a bug nonetheless.
diff --git a/library/rsa.c b/library/rsa.c
index 6b720a4..923294f 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -1376,6 +1376,9 @@
     //
     msb = mpi_msb( &ctx->N ) - 1;
 
+    if( buf[0] >> ( 8 - siglen * 8 + msb ) )
+        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
+
     // Compensate for boundary condition when applying mask
     //
     if( msb % 8 == 0 )
@@ -1383,9 +1386,6 @@
         p++;
         siglen -= 1;
     }
-    else
-    if( buf[0] >> ( 8 - siglen * 8 + msb ) )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 
     if( siglen < hlen + 2 )
         return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );