From 071792528ca0cae75abd5ab411ce3728c0729158 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Tue, 4 Jun 2019 18:13:44 +0000
Subject: Remove the blinding later to avoid leaking information on the length
 of ckinv.

Pointed out and fix suggested by David Schrammel and Samuel Weiser

ok jsing
---
 src/lib/libcrypto/ecdsa/ecs_ossl.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c
index 791a5c48e1..c9d23013a9 100644
--- a/src/lib/libcrypto/ecdsa/ecs_ossl.c
+++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecs_ossl.c,v 1.18 2019/01/19 01:12:48 tb Exp $ */
+/* $OpenBSD: ecs_ossl.c,v 1.19 2019/06/04 18:13:44 tb Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project
  */
@@ -369,11 +369,11 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
 			ECDSAerror(ERR_R_BN_LIB);
 			goto err;
 		}
-		if (!BN_mod_mul(s, s, binv, order, ctx)) { /* s = m + xr */
+		if (!BN_mod_mul(s, s, ckinv, order, ctx)) { /* s = b(m + xr)k^-1 */
 			ECDSAerror(ERR_R_BN_LIB);
 			goto err;
 		}
-		if (!BN_mod_mul(s, s, ckinv, order, ctx)) {
+		if (!BN_mod_mul(s, s, binv, order, ctx)) { /* s = (m + xr)k^-1 */
 			ECDSAerror(ERR_R_BN_LIB);
 			goto err;
 		}
-- 
cgit v1.2.3-55-g6feb