From a23b4d931c9340b198ce07c0b475a4757eb86a37 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Tue, 4 Jun 2019 18:10:11 +0000
Subject: Remove the blinding later to avoid leaking information on the length
 of kinv.

Pointed out and fix suggested by David Schrammel and Samuel Weiser

ok jsing
---
 src/lib/libcrypto/dsa/dsa_ossl.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index fd56e8feee..50a73c0fa9 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ossl.c,v 1.40 2018/11/06 07:02:33 tb Exp $ */
+/* $OpenBSD: dsa_ossl.c,v 1.41 2019/06/04 18:10:11 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -165,9 +165,9 @@ dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 		goto err;
 	if (!BN_mod_add(s, &bxr, &bm, dsa->q, ctx))		/* s = bm + bxr */
 		goto err;
-	if (!BN_mod_mul(s, s, &binv, dsa->q, ctx))		/* s = m + xr */
+	if (!BN_mod_mul(s, s, kinv, dsa->q, ctx))	/* s = b(m + xr)k^-1 */
 		goto err;
-	if (!BN_mod_mul(s, s, kinv, dsa->q, ctx))
+	if (!BN_mod_mul(s, s, &binv, dsa->q, ctx))	/* s = (m + xr)k^-1 */
 		goto err;
 
 	/*
-- 
cgit v1.2.3-55-g6feb