Add a missing bn_restore_invariant in RSA blinding code.

We were inventing a random number by starting with a long zero bignum and then setting bits at random, which left an opportunity for the result to be a non-normalised representation (with a leading zero word) and hence fail an assertion in bignum_cmp. [originally from svn r10147]
2025-07-06 05:52:48 -05:00 · 2014-02-24 23:35:55 +00:00
parent e2a5c6b679
commit b8e5f74d4a
1 changed files with 1 additions and 0 deletions
--- a/sshrsa.c
+++ b/sshrsa.c
@ -264,6 +264,7 @@ static Bignum rsa_privkey_op(Bignum input, struct RSAKey *key)
 	    bitsleft--;
 	    bignum_set_bit(random, bits, v);
 	}
+        bn_restore_invariant(random);

 	/*
 	 * Now check that this number is strictly greater than