Fix a SCA leak in BN_generate_dsa_nonce

        goto err;

    /* We copy |priv| into a local buffer to avoid exposing its length. */

    todo = sizeof(priv->d[0]) * priv->top;

    if (todo > sizeof(private_bytes)) {

    if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) {

        /*

         * No reasonable DSA or ECDSA key should have a private key this

         * large and we don't handle this case in order to avoid leaking the

        BNerr(BN_F_BN_GENERATE_DSA_NONCE, BN_R_PRIVATE_KEY_TOO_LARGE);

        goto err;

    }

    memcpy(private_bytes, priv->d, todo);

    memset(private_bytes + todo, 0, sizeof(private_bytes) - todo);

    for (done = 0; done < num_k_bytes;) {

        if (RAND_priv_bytes(random_bytes, sizeof(random_bytes)) != 1)