| The TWL_FIRM RSA sig padding check code used for all TWL RSA sig-checks has issues, see [[FIRM|here]].
| The TWL_FIRM RSA sig padding check code used for all TWL RSA sig-checks has issues, see [[FIRM|here]].
+
The main 3DS RSA padding check code(non-certificate) uses the function used with the above to extract PKCS padding + the actual hash from the message. This is not an issue when it's verifying signatures *where* the attacker *doesn't* have the private key for the input modulus.