asedeno.scripts.mit.edu Git - PuTTY.git/commitdiff
Add a missing bn_restore_invariant in RSA blinding code.
author Simon Tatham <anakin@pobox.com>
Mon, 24 Feb 2014 23:35:55 +0000 (23:35 +0000)
committer Simon Tatham <anakin@pobox.com>
Mon, 24 Feb 2014 23:35:55 +0000 (23:35 +0000)
We were inventing a random number by starting with a long zero bignum
and then setting bits at random, which left an opportunity for the
result to be a non-normalised representation (with a leading zero
word) and hence fail an assertion in bignum_cmp.

[originally from svn r10147]
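The failure mode the commit message describes, as an added example that is not PuTTY code: a toy bignum with an explicit "no leading zero word" invariant, a comparison routine that asserts the invariant (as the message says bignum_cmp does), and a candidate built from zero by setting bits one at a time. When the top random bits happen to be zero, the length field still covers the zero word and the value is non-normalised; a restore-invariant pass trims it before the comparison. The 16-bit word layout, the `toybn_*` names and the `SAMPLE_RND` bytes are assumptions made for illustration, not PuTTY's Bignum representation or API.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_WORDS 8   /* capacity in 16-bit words (assumed limit for the toy) */

/* Toy bignum: little-endian 16-bit words plus a length.
 * Invariant: len == 0 (the value zero) or w[len-1] != 0. */
typedef struct {
    uint16_t w[TOY_WORDS];
    size_t len;
} toybn;

static int toybn_normalised(const toybn *a) {
    return a->len == 0 || a->w[a->len - 1] != 0;
}

/* Trim leading zero words so the invariant holds again. */
static void toybn_restore_invariant(toybn *a) {
    while (a->len > 0 && a->w[a->len - 1] == 0)
        a->len--;
}

/* A "long zero": every word zero, but len already sized for `bits` bits.
 * This is deliberately non-normalised when bits > 0, the starting state
 * the commit message describes. */
static void toybn_zero_of_width(toybn *a, size_t bits) {
    memset(a, 0, sizeof *a);
    a->len = (bits + 15) / 16;
    assert(a->len <= TOY_WORDS);
}

/* Set or clear one bit; does NOT maintain the invariant. */
static void toybn_set_bit(toybn *a, size_t bit, int v) {
    size_t word = bit / 16;
    assert(word < a->len);
    if (v) a->w[word] |=  (uint16_t)(1u << (bit % 16));
    else   a->w[word] &= (uint16_t)~(1u << (bit % 16));
}

/* Three-way compare that asserts both inputs are normalised, so a
 * leading zero word aborts here rather than yielding a wrong answer. */
static int toybn_cmp(const toybn *a, const toybn *b) {
    assert(toybn_normalised(a));
    assert(toybn_normalised(b));
    if (a->len != b->len) return a->len < b->len ? -1 : 1;
    for (size_t i = a->len; i-- > 0;)
        if (a->w[i] != b->w[i]) return a->w[i] < b->w[i] ? -1 : 1;
    return 0;
}

/* Build a candidate in [0, 2^bits) one bit at a time from a byte string
 * standing in for the CSPRNG, the same shape as the loop in the patch.
 * With do_restore == 0 the result keeps a leading zero word whenever the
 * top 16 random bits are all zero. */
static void toybn_from_random_bits(toybn *r, size_t bits,
                                   const uint8_t *rnd, size_t rndlen,
                                   int do_restore) {
    toybn_zero_of_width(r, bits);
    for (size_t i = 0; i < bits; i++) {
        assert(i / 8 < rndlen);
        toybn_set_bit(r, i, (rnd[i / 8] >> (i % 8)) & 1);
    }
    if (do_restore)
        toybn_restore_invariant(r);
}

/* Constructed "random" bytes whose top word is zero: value 0x00001237. */
static const uint8_t SAMPLE_RND[4] = {0x37, 0x12, 0x00, 0x00};

static int candidate_normalised(int do_restore) {
    toybn r;
    toybn_from_random_bits(&r, 32, SAMPLE_RND, sizeof SAMPLE_RND, do_restore);
    return toybn_normalised(&r);
}

static size_t candidate_len(int do_restore) {
    toybn r;
    toybn_from_random_bits(&r, 32, SAMPLE_RND, sizeof SAMPLE_RND, do_restore);
    return r.len;
}

/* The check that follows in the patch: candidate strictly greater than
 * zero. Only safe after the invariant has been restored. */
static int candidate_positive(void) {
    toybn r, zero;
    toybn_from_random_bits(&r, 32, SAMPLE_RND, sizeof SAMPLE_RND, 1);
    toybn_zero_of_width(&zero, 0);
    return toybn_cmp(&r, &zero) > 0;
}

int main(void) {
    printf("without restore: normalised=%d len=%zu\n",
           candidate_normalised(0), candidate_len(0));
    printf("with restore:    normalised=%d len=%zu positive=%d\n",
           candidate_normalised(1), candidate_len(1), candidate_positive());
    return 0;
}
```

Calling `toybn_cmp` on the un-restored candidate would trip the `assert(toybn_normalised(a))`, which is the crash the commit fixes; the restore pass reduces `len` from 2 to 1 so the same value compares cleanly.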

sshrsa.c

index 4ec95f23749178484da893361a86b45638dd2c22..25f9cf7e63b9a6cf8c2fa49a3387f77d06337cfa 100644
--- a/sshrsa.c
+++ b/sshrsa.c
@@ -264,6 +264,7 @@ static Bignum rsa_privkey_op(Bignum input, struct RSAKey *key)
            bitsleft--;
            bignum_set_bit(random, bits, v);
        }
+        bn_restore_invariant(random);
 
        /*
         * Now check that this number is strictly greater than
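Review bot: the `bn_restore_invariant(random);` call sits in the right place, after the bit-setting loop closes and before the strictly-greater-than comparison the following comment introduces, but nothing at the call site says why it is needed. A one-line comment above it, noting that `bignum_set_bit` on a zero-initialised bignum does not maintain the normalised representation and that `bignum_cmp` asserts it, would stop the next reader from treating the call as redundant and deleting it. Since this is a general property of building a Bignum bit by bit, it is also worth checking whether other callers of `bignum_set_bit` that go on to compare the result need the same call.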