authortb <tb@openbsd.org>2019-06-04 18:10:11 +0000
committertb <tb@openbsd.org>2019-06-04 18:10:11 +0000
commit39378f3ca05f1ceb22bf495c59de61594ada6fa2 (patch)
tree42346c6422c957035f886b7cd16d1dd4615598ef /lib/libcrypto/dsa/dsa_ossl.c
parentAdd missing NULL check for the protocol control block (pcb) pointer in (diff)
Remove the blinding later to avoid leaking information on the length
of kinv. Pointed out, and fix suggested, by David Schrammel and Samuel Weiser. ok jsing
Diffstat (limited to 'lib/libcrypto/dsa/dsa_ossl.c')
-rw-r--r--lib/libcrypto/dsa/dsa_ossl.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/lib/libcrypto/dsa/dsa_ossl.c b/lib/libcrypto/dsa/dsa_ossl.c
index fd56e8feeea..50a73c0fa9e 100644
--- a/lib/libcrypto/dsa/dsa_ossl.c
+++ b/lib/libcrypto/dsa/dsa_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ossl.c,v 1.40 2018/11/06 07:02:33 tb Exp $ */
+/* $OpenBSD: dsa_ossl.c,v 1.41 2019/06/04 18:10:11 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -165,9 +165,9 @@ dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
goto err;
if (!BN_mod_add(s, &bxr, &bm, dsa->q, ctx)) /* s = bm + bxr */
goto err;
- if (!BN_mod_mul(s, s, &binv, dsa->q, ctx)) /* s = m + xr */
+ if (!BN_mod_mul(s, s, kinv, dsa->q, ctx)) /* s = b(m + xr)k^-1 */
goto err;
- if (!BN_mod_mul(s, s, kinv, dsa->q, ctx))
+ if (!BN_mod_mul(s, s, &binv, dsa->q, ctx)) /* s = (m + xr)k^-1 */
goto err;
/*