From fc4b2bf9ff2c98bd9dde487e41e0eb26664c08ff Mon Sep 17 00:00:00 2001 From: Nicola Tuveri Date: Tue, 12 Jun 2018 16:28:25 +0300 Subject: [PATCH] Warn against nonce reuse in DSA_sign_setup() doc Reviewed-by: Rich Salz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/6465) --- doc/crypto/DSA_do_sign.pod | 4 ++-- doc/crypto/DSA_sign.pod | 4 ++++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/doc/crypto/DSA_do_sign.pod b/doc/crypto/DSA_do_sign.pod index 5dfc733b20..340d19524f 100644 --- a/doc/crypto/DSA_do_sign.pod +++ b/doc/crypto/DSA_do_sign.pod @@ -20,8 +20,8 @@ digest B using the private key B and returns it in a newly allocated B structure. L may be used to precompute part -of the signing operation in case signature generation is -time-critical. +of the signing operation for each signature in case signature generation +is time-critical. DSA_do_verify() verifies that the signature B matches a given message digest B of size B. B is the signer's public diff --git a/doc/crypto/DSA_sign.pod b/doc/crypto/DSA_sign.pod index 97389e8ec8..cd45ec542b 100644 --- a/doc/crypto/DSA_sign.pod +++ b/doc/crypto/DSA_sign.pod @@ -31,6 +31,10 @@ in newly allocated Bs at *B and *B, after freeing the old ones unless *B and *B are NULL. These values may be passed to DSA_sign() in Bkinv> and Br>. B is a pre-allocated B or NULL. +The precomputed values from DSA_sign_setup() B for +more than one signature: using the same Bkinv> and +Br> pair twice under the same private key on different +plaintexts will result in permanently exposing the DSA private key. DSA_verify() verifies that the signature B of size B matches a given message digest B of size B. -- 2.25.1