At some point in the past, I believe the GCD algorithm was setting d to
be negative. The RSA code has been correcting that ever since but, now,
it appears to have changed and the correction isn't needed.

Having d be too large is harmless, it's just a little odd and I
happened to notice.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/7948044