From b8e5f74d4a7790ccf1e77b9e37fa964e508b552d Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Mon, 24 Feb 2014 23:35:55 +0000 Subject: [PATCH] Add a missing bn_restore_invariant in RSA blinding code. We were inventing a random number by starting with a long zero bignum and then setting bits at random, which left an opportunity for the result to be a non-normalised representation (with a leading zero word) and hence fail an assertion in bignum_cmp. [originally from svn r10147] --- sshrsa.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sshrsa.c b/sshrsa.c index 4ec95f23..25f9cf7e 100644 --- a/sshrsa.c +++ b/sshrsa.c @@ -264,6 +264,7 @@ static Bignum rsa_privkey_op(Bignum input, struct RSAKey *key) bitsleft--; bignum_set_bit(random, bits, v); } + bn_restore_invariant(random); /* * Now check that this number is strictly greater than
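Review bot: the added `bn_restore_invariant(random);` carries no comment explaining why normalisation is needed at this point, and a reader of sshrsa.c will not have the commit message in front of them; suggest a one-line comment above the call, e.g. `/* random was built by setting bits into a zero bignum, so its top word may be zero; normalise before comparing. */`. The placement is right: it sits directly after the `bignum_set_bit` loop and before the "strictly greater than" check, which is the `bignum_cmp` path whose assertion the non-normalised value tripped. Since the root cause is building a bignum bit-by-bit from zero rather than anything specific to blinding, it is worth confirming that no other site constructs a bignum the same way without a matching `bn_restore_invariant` call.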