From fc4b2bf9ff2c98bd9dde487e41e0eb26664c08ff Mon Sep 17 00:00:00 2001
From: Nicola Tuveri <nic.tuv@gmail.com>
Date: Tue, 12 Jun 2018 16:28:25 +0300
Subject: [PATCH] Warn against nonce reuse in DSA_sign_setup() doc

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6465)
---
 doc/crypto/DSA_do_sign.pod | 4 ++--
 doc/crypto/DSA_sign.pod    | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/doc/crypto/DSA_do_sign.pod b/doc/crypto/DSA_do_sign.pod
index 5dfc733b20..340d19524f 100644
--- a/doc/crypto/DSA_do_sign.pod
+++ b/doc/crypto/DSA_do_sign.pod
@@ -20,8 +20,8 @@ digest B<dgst> using the private key B<dsa> and returns it in a
 newly allocated B<DSA_SIG> structure.
 
 L<DSA_sign_setup(3)|DSA_sign_setup(3)> may be used to precompute part
-of the signing operation in case signature generation is
-time-critical.
+of the signing operation for each signature in case signature generation
+is time-critical.
 
 DSA_do_verify() verifies that the signature B<sig> matches a given
 message digest B<dgst> of size B<len>.  B<dsa> is the signer's public
diff --git a/doc/crypto/DSA_sign.pod b/doc/crypto/DSA_sign.pod
index 97389e8ec8..cd45ec542b 100644
--- a/doc/crypto/DSA_sign.pod
+++ b/doc/crypto/DSA_sign.pod
@@ -31,6 +31,10 @@ in newly allocated B<BIGNUM>s at *B<kinvp> and *B<rp>, after freeing
 the old ones unless *B<kinvp> and *B<rp> are NULL. These values may
 be passed to DSA_sign() in B<dsa-E<gt>kinv> and B<dsa-E<gt>r>.
 B<ctx> is a pre-allocated B<BN_CTX> or NULL.
+The precomputed values from DSA_sign_setup() B<MUST NOT be used> for
+more than one signature: using the same B<dsa-E<gt>kinv> and
+B<dsa-E<gt>r> pair twice under the same private key on different
+plaintexts will result in permanently exposing the DSA private key.
 
 DSA_verify() verifies that the signature B<sigbuf> of size B<siglen>
 matches a given message digest B<dgst> of size B<len>.
-- 
2.34.1