Remove the blinding later to avoid leaking information on the length

of ckinv. Pointed out and fix suggested by David Schrammel and Samuel Weiser ok jsing
author: tb <> 2019-06-04 18:13:44 +0000
committer: tb <> 2019-06-04 18:13:44 +0000
commit: 456515ed90f16ab8aa4ced14331060ff27ad4559 (patch)
tree: d4eff2d4d06e570ab32848f8f375af23bf3d482e /src
parent: 87dbb526f232b17e7e9adaee586422b38a388b0a (diff)
download: openbsd-456515ed90f16ab8aa4ced14331060ff27ad4559.tar.gz
openbsd-456515ed90f16ab8aa4ced14331060ff27ad4559.tar.bz2
openbsd-456515ed90f16ab8aa4ced14331060ff27ad4559.zip
1 files changed, 3 insertions, 3 deletions
diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c
index 791a5c48e1..c9d23013a9 100644
--- a/src/lib/libcrypto/ecdsa/ecs_ossl.c
+++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecs_ossl.c,v 1.18 2019/01/19 01:12:48 tb Exp $ */
+/* $OpenBSD: ecs_ossl.c,v 1.19 2019/06/04 18:13:44 tb Exp $ */
 /*
 * Written by Nils Larsch for the OpenSSL project
 */
@@ -369,11 +369,11 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
                        ECDSAerror(ERR_R_BN_LIB);
                        goto err;
                }
-                if (!BN_mod_mul(s, s, binv, order, ctx)) { /* s = m + xr */
+                if (!BN_mod_mul(s, s, ckinv, order, ctx)) { /* s = b(m + xr)k^-1 */
                        ECDSAerror(ERR_R_BN_LIB);
                        goto err;
                }
-                if (!BN_mod_mul(s, s, ckinv, order, ctx)) {
+                if (!BN_mod_mul(s, s, binv, order, ctx)) { /* s = (m + xr)k^-1 */
                        ECDSAerror(ERR_R_BN_LIB);
                        goto err;
                }
author	tb <>	2019-06-04 18:13:44 +0000
committer	tb <>	2019-06-04 18:13:44 +0000
commit	456515ed90f16ab8aa4ced14331060ff27ad4559 (patch)
tree	d4eff2d4d06e570ab32848f8f375af23bf3d482e /src
parent	87dbb526f232b17e7e9adaee586422b38a388b0a (diff)
download	openbsd-456515ed90f16ab8aa4ced14331060ff27ad4559.tar.gz openbsd-456515ed90f16ab8aa4ced14331060ff27ad4559.tar.bz2 openbsd-456515ed90f16ab8aa4ced14331060ff27ad4559.zip

diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c index 791a5c48e1..c9d23013a9 100644 --- a/src/lib/libcrypto/ecdsa/ecs_ossl.c +++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ecs_ossl.c,v 1.18 2019/01/19 01:12:48 tb Exp $ */	1	/* $OpenBSD: ecs_ossl.c,v 1.19 2019/06/04 18:13:44 tb Exp $ */
2	/*	2	/*
3	* Written by Nils Larsch for the OpenSSL project	3	* Written by Nils Larsch for the OpenSSL project
4	*/	4	*/
@@ -369,11 +369,11 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
369	ECDSAerror(ERR_R_BN_LIB);	369	ECDSAerror(ERR_R_BN_LIB);
370	goto err;	370	goto err;
371	}	371	}
372	if (!BN_mod_mul(s, s, binv, order, ctx)) { /* s = m + xr */	372	if (!BN_mod_mul(s, s, ckinv, order, ctx)) { /* s = b(m + xr)k^-1 */
373	ECDSAerror(ERR_R_BN_LIB);	373	ECDSAerror(ERR_R_BN_LIB);
374	goto err;	374	goto err;
375	}	375	}
376	if (!BN_mod_mul(s, s, ckinv, order, ctx)) {	376	if (!BN_mod_mul(s, s, binv, order, ctx)) { /* s = (m + xr)k^-1 */
377	ECDSAerror(ERR_R_BN_LIB);	377	ECDSAerror(ERR_R_BN_LIB);
378	goto err;	378	goto err;
379	}	379	}