[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Matt Caswell matt at openssl.org
Mon Jun 18 09:36:35 UTC 2018


The branch OpenSSL_1_0_2-stable has been updated
       via  fc4b2bf9ff2c98bd9dde487e41e0eb26664c08ff (commit)
      from  949ff36623eafc3523a9f91784992965018ffb05 (commit)


- Log -----------------------------------------------------------------
commit fc4b2bf9ff2c98bd9dde487e41e0eb26664c08ff
Author: Nicola Tuveri <nic.tuv at gmail.com>
Date:   Tue Jun 12 16:28:25 2018 +0300

    Warn against nonce reuse in DSA_sign_setup() doc
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6465)

-----------------------------------------------------------------------

Summary of changes:
 doc/crypto/DSA_do_sign.pod | 4 ++--
 doc/crypto/DSA_sign.pod    | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/doc/crypto/DSA_do_sign.pod b/doc/crypto/DSA_do_sign.pod
index 5dfc733..340d195 100644
--- a/doc/crypto/DSA_do_sign.pod
+++ b/doc/crypto/DSA_do_sign.pod
@@ -20,8 +20,8 @@ digest B<dgst> using the private key B<dsa> and returns it in a
 newly allocated B<DSA_SIG> structure.
 
 L<DSA_sign_setup(3)|DSA_sign_setup(3)> may be used to precompute part
-of the signing operation in case signature generation is
-time-critical.
+of the signing operation for each signature in case signature generation
+is time-critical.
 
 DSA_do_verify() verifies that the signature B<sig> matches a given
 message digest B<dgst> of size B<len>.  B<dsa> is the signer's public
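Review bot: the reworded sentence at `+of the signing operation for each signature` only implies that the precomputed values are single-use; a reader of DSA_do_sign.pod who never follows the link to DSA_sign_setup(3) will not learn that reusing them exposes the private key. Suggest adding one explicit sentence after it in this hunk, e.g. "The values precomputed by DSA_sign_setup() must not be used for more than one signature.", so the risk is stated wherever the precomputation is mentioned.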
diff --git a/doc/crypto/DSA_sign.pod b/doc/crypto/DSA_sign.pod
index 97389e8..cd45ec5 100644
--- a/doc/crypto/DSA_sign.pod
+++ b/doc/crypto/DSA_sign.pod
@@ -31,6 +31,10 @@ in newly allocated B<BIGNUM>s at *B<kinvp> and *B<rp>, after freeing
 the old ones unless *B<kinvp> and *B<rp> are NULL. These values may
 be passed to DSA_sign() in B<dsa-E<gt>kinv> and B<dsa-E<gt>r>.
 B<ctx> is a pre-allocated B<BN_CTX> or NULL.
+The precomputed values from DSA_sign_setup() B<MUST NOT be used> for
+more than one signature: using the same B<dsa-E<gt>kinv> and
+B<dsa-E<gt>r> pair twice under the same private key on different
+plaintexts will result in permanently exposing the DSA private key.
 
 DSA_verify() verifies that the signature B<sigbuf> of size B<siglen>
 matches a given message digest B<dgst> of size B<len>.
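Review bot: the added warning says nothing about what DSA_sign() does with B<dsa-E<gt>kinv> and B<dsa-E<gt>r> after consuming them, so a caller cannot tell from this page whether a second DSA_sign() call on the same B<dsa> silently reuses the pair or regenerates it; stating the behaviour here (and, if the values are not cleared, that the caller must reset them) would make the warning actionable. Two smaller points: "on different plaintexts" should read "on different message digests" to match the terminology used two paragraphs later ("message digest B<dgst>"), since DSA_sign() takes a digest, not a plaintext; and the bold span `B<MUST NOT be used>` cuts the phrase in the middle, so `B<MUST NOT> be used for more than one signature` reads more naturally in the rendered page.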
