Use NETTLE_OCTET_SIZE_TO_LIMB_SIZE.

ChangeLog

 2018-11-25  Niels Möller  <nisse@lysator.liu.se>
 
+	* rsa-decrypt-tr.c (rsa_decrypt_tr): Use
+	NETTLE_OCTET_SIZE_TO_LIMB_SIZE.
+
 	* testsuite/rsa-sec-decrypt-test.c (rsa_decrypt_for_test): Tweak
 	valgrind marking, and document potential leakage of lowest and
 	highest bits of p and q.

rsa-decrypt-tr.c

@@ -49,16 +49,19 @@ rsa_decrypt_tr(const struct rsa_public_key *pub,
 {
   TMP_GMP_DECL (m, mp_limb_t);
   TMP_GMP_DECL (em, uint8_t);
+  mp_size_t key_limb_size;
   int res;
 
-  TMP_GMP_ALLOC (m, mpz_size(pub->n));
+  key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
+
+  TMP_GMP_ALLOC (m, key_limb_size);
   TMP_GMP_ALLOC (em, key->size);
 
   res = rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
                                  mpz_limbs_read(gibberish),
                                  mpz_size(gibberish));
 
-  mpn_get_base256 (em, key->size, m, mpz_size(pub->n));
+  mpn_get_base256 (em, key->size, m, key_limb_size);
 
   res &= _pkcs1_sec_decrypt_variable (length, message, key->size, em);