You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
nss/SOURCES/nss-3.101-disable_dsa.patch

1348 lines
58 KiB

diff -up ./cmd/pk11mode/pk11mode.c.disable_dsa ./cmd/pk11mode/pk11mode.c
--- ./cmd/pk11mode/pk11mode.c.disable_dsa 2024-06-17 09:39:06.137190654 -0700
+++ ./cmd/pk11mode/pk11mode.c 2024-06-17 09:39:12.265257501 -0700
@@ -578,7 +578,7 @@ main(int argc, char **argv)
}
/*
- * PKM_KeyTest creates RSA,DSA public keys
+ * PKM_KeyTest creates RSA,ECDSA public keys
* and AES, DES3 secret keys.
* then does digest, hmac, encrypt/decrypt, signing operations.
*/
@@ -793,19 +793,14 @@ PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunct
CK_RV crv = CKR_OK;
- /*** DSA Key ***/
- CK_MECHANISM dsaParamGenMech;
- CK_ULONG primeBits = 1024;
- CK_ATTRIBUTE dsaParamGenTemplate[1];
- CK_OBJECT_HANDLE hDsaParams = CK_INVALID_HANDLE;
- CK_BYTE DSA_P[128];
- CK_BYTE DSA_Q[20];
- CK_BYTE DSA_G[128];
- CK_MECHANISM dsaKeyPairGenMech;
- CK_ATTRIBUTE dsaPubKeyTemplate[5];
- CK_ATTRIBUTE dsaPrivKeyTemplate[5];
- CK_OBJECT_HANDLE hDSApubKey = CK_INVALID_HANDLE;
- CK_OBJECT_HANDLE hDSAprivKey = CK_INVALID_HANDLE;
+ /*** ECDSA Key ***/
+ CK_BYTE ECDSA_P256_PARAMS[] =
+ { 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 };
+ CK_MECHANISM ecdsaKeyPairGenMech;
+ CK_ATTRIBUTE ecdsaPubKeyTemplate[3];
+ CK_ATTRIBUTE ecdsaPrivKeyTemplate[5];
+ CK_OBJECT_HANDLE hECDSApubKey = CK_INVALID_HANDLE;
+ CK_OBJECT_HANDLE hECDSAprivKey = CK_INVALID_HANDLE;
/**** RSA Key ***/
CK_KEY_TYPE rsatype = CKK_RSA;
@@ -840,8 +835,8 @@ PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunct
CK_ATTRIBUTE sDES3KeyTemplate[9];
CK_OBJECT_HANDLE hDES3SecKey;
- CK_MECHANISM dsaWithSha1Mech = {
- CKM_DSA_SHA1, NULL, 0
+ CK_MECHANISM ecdsaWithSha256Mech = {
+ CKM_ECDSA_SHA256, NULL, 0
};
CK_BYTE IV[16];
@@ -888,45 +883,33 @@ PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunct
NUMTESTS++; /* increment NUMTESTS */
/* DSA key init */
- dsaParamGenMech.mechanism = CKM_DSA_PARAMETER_GEN;
- dsaParamGenMech.pParameter = NULL_PTR;
- dsaParamGenMech.ulParameterLen = 0;
- dsaParamGenTemplate[0].type = CKA_PRIME_BITS;
- dsaParamGenTemplate[0].pValue = &primeBits;
- dsaParamGenTemplate[0].ulValueLen = sizeof(primeBits);
- dsaPubKeyTemplate[0].type = CKA_PRIME;
- dsaPubKeyTemplate[0].pValue = DSA_P;
- dsaPubKeyTemplate[0].ulValueLen = sizeof(DSA_P);
- dsaPubKeyTemplate[1].type = CKA_SUBPRIME;
- dsaPubKeyTemplate[1].pValue = DSA_Q;
- dsaPubKeyTemplate[1].ulValueLen = sizeof(DSA_Q);
- dsaPubKeyTemplate[2].type = CKA_BASE;
- dsaPubKeyTemplate[2].pValue = DSA_G;
- dsaPubKeyTemplate[2].ulValueLen = sizeof(DSA_G);
- dsaPubKeyTemplate[3].type = CKA_TOKEN;
- dsaPubKeyTemplate[3].pValue = &true;
- dsaPubKeyTemplate[3].ulValueLen = sizeof(true);
- dsaPubKeyTemplate[4].type = CKA_VERIFY;
- dsaPubKeyTemplate[4].pValue = &true;
- dsaPubKeyTemplate[4].ulValueLen = sizeof(true);
- dsaKeyPairGenMech.mechanism = CKM_DSA_KEY_PAIR_GEN;
- dsaKeyPairGenMech.pParameter = NULL_PTR;
- dsaKeyPairGenMech.ulParameterLen = 0;
- dsaPrivKeyTemplate[0].type = CKA_TOKEN;
- dsaPrivKeyTemplate[0].pValue = &true;
- dsaPrivKeyTemplate[0].ulValueLen = sizeof(true);
- dsaPrivKeyTemplate[1].type = CKA_PRIVATE;
- dsaPrivKeyTemplate[1].pValue = &true;
- dsaPrivKeyTemplate[1].ulValueLen = sizeof(true);
- dsaPrivKeyTemplate[2].type = CKA_SENSITIVE;
- dsaPrivKeyTemplate[2].pValue = &true;
- dsaPrivKeyTemplate[2].ulValueLen = sizeof(true);
- dsaPrivKeyTemplate[3].type = CKA_SIGN,
- dsaPrivKeyTemplate[3].pValue = &true;
- dsaPrivKeyTemplate[3].ulValueLen = sizeof(true);
- dsaPrivKeyTemplate[4].type = CKA_EXTRACTABLE;
- dsaPrivKeyTemplate[4].pValue = &true;
- dsaPrivKeyTemplate[4].ulValueLen = sizeof(true);
+ ecdsaPubKeyTemplate[0].type = CKA_EC_PARAMS;
+ ecdsaPubKeyTemplate[0].pValue = ECDSA_P256_PARAMS;
+ ecdsaPubKeyTemplate[0].ulValueLen = sizeof(ECDSA_P256_PARAMS);
+ ecdsaPubKeyTemplate[1].type = CKA_TOKEN;
+ ecdsaPubKeyTemplate[1].pValue = &true;
+ ecdsaPubKeyTemplate[1].ulValueLen = sizeof(true);
+ ecdsaPubKeyTemplate[2].type = CKA_VERIFY;
+ ecdsaPubKeyTemplate[2].pValue = &true;
+ ecdsaPubKeyTemplate[2].ulValueLen = sizeof(true);
+ ecdsaKeyPairGenMech.mechanism = CKM_ECDSA_KEY_PAIR_GEN;
+ ecdsaKeyPairGenMech.pParameter = NULL_PTR;
+ ecdsaKeyPairGenMech.ulParameterLen = 0;
+ ecdsaPrivKeyTemplate[0].type = CKA_TOKEN;
+ ecdsaPrivKeyTemplate[0].pValue = &true;
+ ecdsaPrivKeyTemplate[0].ulValueLen = sizeof(true);
+ ecdsaPrivKeyTemplate[1].type = CKA_PRIVATE;
+ ecdsaPrivKeyTemplate[1].pValue = &true;
+ ecdsaPrivKeyTemplate[1].ulValueLen = sizeof(true);
+ ecdsaPrivKeyTemplate[2].type = CKA_SENSITIVE;
+ ecdsaPrivKeyTemplate[2].pValue = &true;
+ ecdsaPrivKeyTemplate[2].ulValueLen = sizeof(true);
+ ecdsaPrivKeyTemplate[3].type = CKA_SIGN,
+ ecdsaPrivKeyTemplate[3].pValue = &true;
+ ecdsaPrivKeyTemplate[3].ulValueLen = sizeof(true);
+ ecdsaPrivKeyTemplate[4].type = CKA_EXTRACTABLE;
+ ecdsaPrivKeyTemplate[4].pValue = &true;
+ ecdsaPrivKeyTemplate[4].ulValueLen = sizeof(true);
/* RSA key init */
rsaKeyPairGenMech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
@@ -1148,52 +1131,18 @@ PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunct
return crv;
}
- PKM_LogIt("Generate DSA PQG domain parameters ... \n");
- /* Generate DSA domain parameters PQG */
- crv = pFunctionList->C_GenerateKey(hRwSession, &dsaParamGenMech,
- dsaParamGenTemplate,
- 1,
- &hDsaParams);
+ PKM_LogIt("Generate a ECDSA key pair ... \n");
+ /* Generate a persistent ECDSA key pair */
+ crv = pFunctionList->C_GenerateKeyPair(hRwSession, &ecdsaKeyPairGenMech,
+ ecdsaPubKeyTemplate,
+ NUM_ELEM(ecdsaPubKeyTemplate),
+ ecdsaPrivKeyTemplate,
+ NUM_ELEM(ecdsaPrivKeyTemplate),
+ &hECDSApubKey, &hECDSAprivKey);
if (crv == CKR_OK) {
- PKM_LogIt("DSA domain parameter generation succeeded\n");
+ PKM_LogIt("ECDSA key pair generation succeeded\n");
} else {
- PKM_Error("DSA domain parameter generation failed "
- "with 0x%08X, %-26s\n",
- crv, PKM_CK_RVtoStr(crv));
- return crv;
- }
- crv = pFunctionList->C_GetAttributeValue(hRwSession, hDsaParams,
- dsaPubKeyTemplate, 3);
- if (crv == CKR_OK) {
- PKM_LogIt("Getting DSA domain parameters succeeded\n");
- } else {
- PKM_Error("Getting DSA domain parameters failed "
- "with 0x%08X, %-26s\n",
- crv, PKM_CK_RVtoStr(crv));
- return crv;
- }
- crv = pFunctionList->C_DestroyObject(hRwSession, hDsaParams);
- if (crv == CKR_OK) {
- PKM_LogIt("Destroying DSA domain parameters succeeded\n");
- } else {
- PKM_Error("Destroying DSA domain parameters failed "
- "with 0x%08X, %-26s\n",
- crv, PKM_CK_RVtoStr(crv));
- return crv;
- }
-
- PKM_LogIt("Generate a DSA key pair ... \n");
- /* Generate a persistent DSA key pair */
- crv = pFunctionList->C_GenerateKeyPair(hRwSession, &dsaKeyPairGenMech,
- dsaPubKeyTemplate,
- NUM_ELEM(dsaPubKeyTemplate),
- dsaPrivKeyTemplate,
- NUM_ELEM(dsaPrivKeyTemplate),
- &hDSApubKey, &hDSAprivKey);
- if (crv == CKR_OK) {
- PKM_LogIt("DSA key pair generation succeeded\n");
- } else {
- PKM_Error("DSA key pair generation failed "
+ PKM_Error("ECDSA key pair generation failed "
"with 0x%08X, %-26s\n",
crv, PKM_CK_RVtoStr(crv));
return crv;
@@ -1414,10 +1363,10 @@ PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunct
} /* end of RSA for loop */
crv = PKM_PubKeySign(pFunctionList, hRwSession,
- hDSApubKey, hDSAprivKey,
- &dsaWithSha1Mech, PLAINTEXT, sizeof(PLAINTEXT));
+ hECDSApubKey, hECDSAprivKey,
+ &ecdsaWithSha256Mech, PLAINTEXT, sizeof(PLAINTEXT));
if (crv == CKR_OK) {
- PKM_LogIt("PKM_PubKeySign for DSAwithSHA1 succeeded \n\n");
+ PKM_LogIt("PKM_PubKeySign for ECDSAwithSHA256 succeeded \n\n");
} else {
PKM_Error("PKM_PubKeySign failed "
"with 0x%08X, %-26s\n",
@@ -1425,8 +1374,8 @@ PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunct
return crv;
}
crv = PKM_DualFuncSign(pFunctionList, hRwSession,
- hDSApubKey, hDSAprivKey,
- &dsaWithSha1Mech,
+ hECDSApubKey, hECDSAprivKey,
+ &ecdsaWithSha256Mech,
hAESSecKey, &mech_AES_CBC,
PLAINTEXT, sizeof(PLAINTEXT));
if (crv == CKR_OK) {
@@ -1439,44 +1388,44 @@ PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunct
return crv;
}
crv = PKM_DualFuncSign(pFunctionList, hRwSession,
- hDSApubKey, hDSAprivKey,
- &dsaWithSha1Mech,
+ hECDSApubKey, hECDSAprivKey,
+ &ecdsaWithSha256Mech,
hDES3SecKey, &mech_DES3_CBC,
PLAINTEXT, sizeof(PLAINTEXT));
if (crv == CKR_OK) {
PKM_LogIt("PKM_DualFuncSign with DES3 secret key succeeded "
- "for DSAWithSHA1\n\n");
+ "for ECDSAWithSHA256\n\n");
} else {
PKM_Error("PKM_DualFuncSign with DES3 secret key failed "
- "for DSAWithSHA1 with 0x%08X, %-26s\n",
+ "for ECDSAWithSHA256 with 0x%08X, %-26s\n",
crv, PKM_CK_RVtoStr(crv));
return crv;
}
crv = PKM_DualFuncSign(pFunctionList, hRwSession,
- hDSApubKey, hDSAprivKey,
- &dsaWithSha1Mech,
+ hECDSApubKey, hECDSAprivKey,
+ &ecdsaWithSha256Mech,
hAESSecKey, &mech_AES_CBC_PAD,
PLAINTEXT_PAD, sizeof(PLAINTEXT_PAD));
if (crv == CKR_OK) {
PKM_LogIt("PKM_DualFuncSign with AES secret key CBC_PAD succeeded "
- "for DSAWithSHA1\n\n");
+ "for DSAWithSHA256\n\n");
} else {
PKM_Error("PKM_DualFuncSign with AES secret key CBC_PAD failed "
- "for DSAWithSHA1 with 0x%08X, %-26s\n",
+ "for DSAWithSHA256 with 0x%08X, %-26s\n",
crv, PKM_CK_RVtoStr(crv));
return crv;
}
crv = PKM_DualFuncSign(pFunctionList, hRwSession,
- hDSApubKey, hDSAprivKey,
- &dsaWithSha1Mech,
+ hECDSApubKey, hECDSAprivKey,
+ &ecdsaWithSha256Mech,
hDES3SecKey, &mech_DES3_CBC_PAD,
PLAINTEXT_PAD, sizeof(PLAINTEXT_PAD));
if (crv == CKR_OK) {
PKM_LogIt("PKM_DualFuncSign with DES3 secret key CBC_PAD succeeded "
- "for DSAWithSHA1\n\n");
+ "for ECDSAWithSHA256\n\n");
} else {
PKM_Error("PKM_DualFuncSign with DES3 secret key CBC_PAD failed "
- "for DSAWithSHA1 with 0x%08X, %-26s\n",
+ "for ECDSAWithSHA256 with 0x%08X, %-26s\n",
crv, PKM_CK_RVtoStr(crv));
return crv;
}
@@ -3029,7 +2978,7 @@ PKM_PubKeySign(CK_FUNCTION_LIST_PTR pFun
}
/* Check that the mechanism is Multi-part */
- if (signMech->mechanism == CKM_DSA ||
+ if (signMech->mechanism == CKM_ECDSA ||
signMech->mechanism == CKM_RSA_PKCS) {
return crv;
}
@@ -3083,6 +3032,7 @@ PKM_PubKeySign(CK_FUNCTION_LIST_PTR pFun
return crv;
}
+#define SHA256_LENGTH 32
CK_RV
PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunctionList,
CK_SLOT_ID *pSlotList,
@@ -3092,19 +3042,14 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc
CK_SESSION_HANDLE hSession;
CK_RV crv = CKR_OK;
- /*** DSA Key ***/
- CK_MECHANISM dsaParamGenMech;
- CK_ULONG primeBits = 1024;
- CK_ATTRIBUTE dsaParamGenTemplate[1];
- CK_OBJECT_HANDLE hDsaParams = CK_INVALID_HANDLE;
- CK_BYTE DSA_P[128];
- CK_BYTE DSA_Q[20];
- CK_BYTE DSA_G[128];
- CK_MECHANISM dsaKeyPairGenMech;
- CK_ATTRIBUTE dsaPubKeyTemplate[5];
- CK_ATTRIBUTE dsaPrivKeyTemplate[5];
- CK_OBJECT_HANDLE hDSApubKey = CK_INVALID_HANDLE;
- CK_OBJECT_HANDLE hDSAprivKey = CK_INVALID_HANDLE;
+ /*** ECDSA Key ***/
+ CK_MECHANISM ecdsaKeyPairGenMech;
+ CK_ATTRIBUTE ecdsaPubKeyTemplate[3];
+ CK_ATTRIBUTE ecdsaPrivKeyTemplate[5];
+ CK_OBJECT_HANDLE hECDSApubKey = CK_INVALID_HANDLE;
+ CK_OBJECT_HANDLE hECDSAprivKey = CK_INVALID_HANDLE;
+ CK_BYTE ECDSA_P256_PARAMS[] =
+ { 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 };
/* From SHA1ShortMsg.req, Len = 136 */
CK_BYTE MSG[] = {
@@ -3115,69 +3060,57 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc
0x44
};
CK_BYTE MD[] = {
- 0xf7, 0x5d, 0x92, 0xa4,
- 0xbb, 0x4d, 0xec, 0xc3,
- 0x7c, 0x5c, 0x72, 0xfa,
- 0x04, 0x75, 0x71, 0x0a,
- 0x06, 0x75, 0x8c, 0x1d
+ 0x88, 0x78, 0xe1, 0x1e,
+ 0x63, 0x74, 0xa9, 0xd9,
+ 0x90, 0xd0, 0xeb, 0x2c,
+ 0xeb, 0x62, 0x2b, 0x04,
+ 0x53, 0x9f, 0xa0, 0xfc
};
- CK_BYTE sha1Digest[20];
- CK_ULONG sha1DigestLen;
- CK_BYTE dsaSig[40];
- CK_ULONG dsaSigLen;
- CK_MECHANISM sha1Mech = {
- CKM_SHA_1, NULL, 0
+ CK_BYTE sha256Digest[SHA256_LENGTH];
+ CK_ULONG sha256DigestLen;
+ CK_BYTE ecdsaSig[SHA256_LENGTH*2+1];
+ CK_ULONG ecdsaSigLen;
+ CK_MECHANISM sha256Mech = {
+ CKM_SHA256, NULL, 0
};
- CK_MECHANISM dsaMech = {
- CKM_DSA, NULL, 0
+ CK_MECHANISM ecdsaMech = {
+ CKM_ECDSA, NULL, 0
};
- CK_MECHANISM dsaWithSha1Mech = {
- CKM_DSA_SHA1, NULL, 0
+ CK_MECHANISM ecdsaWithSha256Mech = {
+ CKM_ECDSA_SHA256, NULL, 0
};
NUMTESTS++; /* increment NUMTESTS */
- /* DSA key init */
- dsaParamGenMech.mechanism = CKM_DSA_PARAMETER_GEN;
- dsaParamGenMech.pParameter = NULL_PTR;
- dsaParamGenMech.ulParameterLen = 0;
- dsaParamGenTemplate[0].type = CKA_PRIME_BITS;
- dsaParamGenTemplate[0].pValue = &primeBits;
- dsaParamGenTemplate[0].ulValueLen = sizeof(primeBits);
- dsaPubKeyTemplate[0].type = CKA_PRIME;
- dsaPubKeyTemplate[0].pValue = DSA_P;
- dsaPubKeyTemplate[0].ulValueLen = sizeof(DSA_P);
- dsaPubKeyTemplate[1].type = CKA_SUBPRIME;
- dsaPubKeyTemplate[1].pValue = DSA_Q;
- dsaPubKeyTemplate[1].ulValueLen = sizeof(DSA_Q);
- dsaPubKeyTemplate[2].type = CKA_BASE;
- dsaPubKeyTemplate[2].pValue = DSA_G;
- dsaPubKeyTemplate[2].ulValueLen = sizeof(DSA_G);
- dsaPubKeyTemplate[3].type = CKA_TOKEN;
- dsaPubKeyTemplate[3].pValue = &true;
- dsaPubKeyTemplate[3].ulValueLen = sizeof(true);
- dsaPubKeyTemplate[4].type = CKA_VERIFY;
- dsaPubKeyTemplate[4].pValue = &true;
- dsaPubKeyTemplate[4].ulValueLen = sizeof(true);
- dsaKeyPairGenMech.mechanism = CKM_DSA_KEY_PAIR_GEN;
- dsaKeyPairGenMech.pParameter = NULL_PTR;
- dsaKeyPairGenMech.ulParameterLen = 0;
- dsaPrivKeyTemplate[0].type = CKA_TOKEN;
- dsaPrivKeyTemplate[0].pValue = &true;
- dsaPrivKeyTemplate[0].ulValueLen = sizeof(true);
- dsaPrivKeyTemplate[1].type = CKA_PRIVATE;
- dsaPrivKeyTemplate[1].pValue = &true;
- dsaPrivKeyTemplate[1].ulValueLen = sizeof(true);
- dsaPrivKeyTemplate[2].type = CKA_SENSITIVE;
- dsaPrivKeyTemplate[2].pValue = &true;
- dsaPrivKeyTemplate[2].ulValueLen = sizeof(true);
- dsaPrivKeyTemplate[3].type = CKA_SIGN,
- dsaPrivKeyTemplate[3].pValue = &true;
- dsaPrivKeyTemplate[3].ulValueLen = sizeof(true);
- dsaPrivKeyTemplate[4].type = CKA_EXTRACTABLE;
- dsaPrivKeyTemplate[4].pValue = &true;
- dsaPrivKeyTemplate[4].ulValueLen = sizeof(true);
+ /* ECDSA key init */
+ ecdsaPubKeyTemplate[0].type = CKA_EC_PARAMS;
+ ecdsaPubKeyTemplate[0].pValue = ECDSA_P256_PARAMS;
+ ecdsaPubKeyTemplate[0].ulValueLen = sizeof(ECDSA_P256_PARAMS);
+ ecdsaPubKeyTemplate[1].type = CKA_TOKEN;
+ ecdsaPubKeyTemplate[1].pValue = &true;
+ ecdsaPubKeyTemplate[1].ulValueLen = sizeof(true);
+ ecdsaPubKeyTemplate[2].type = CKA_VERIFY;
+ ecdsaPubKeyTemplate[2].pValue = &true;
+ ecdsaPubKeyTemplate[2].ulValueLen = sizeof(true);
+ ecdsaKeyPairGenMech.mechanism = CKM_ECDSA_KEY_PAIR_GEN;
+ ecdsaKeyPairGenMech.pParameter = NULL_PTR;
+ ecdsaKeyPairGenMech.ulParameterLen = 0;
+ ecdsaPrivKeyTemplate[0].type = CKA_TOKEN;
+ ecdsaPrivKeyTemplate[0].pValue = &true;
+ ecdsaPrivKeyTemplate[0].ulValueLen = sizeof(true);
+ ecdsaPrivKeyTemplate[1].type = CKA_PRIVATE;
+ ecdsaPrivKeyTemplate[1].pValue = &true;
+ ecdsaPrivKeyTemplate[1].ulValueLen = sizeof(true);
+ ecdsaPrivKeyTemplate[2].type = CKA_SENSITIVE;
+ ecdsaPrivKeyTemplate[2].pValue = &true;
+ ecdsaPrivKeyTemplate[2].ulValueLen = sizeof(true);
+ ecdsaPrivKeyTemplate[3].type = CKA_SIGN,
+ ecdsaPrivKeyTemplate[3].pValue = &true;
+ ecdsaPrivKeyTemplate[3].ulValueLen = sizeof(true);
+ ecdsaPrivKeyTemplate[4].type = CKA_EXTRACTABLE;
+ ecdsaPrivKeyTemplate[4].pValue = &true;
+ ecdsaPrivKeyTemplate[4].ulValueLen = sizeof(true);
crv = pFunctionList->C_OpenSession(pSlotList[slotID],
CKF_RW_SESSION | CKF_SERIAL_SESSION,
@@ -3198,88 +3131,60 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc
return crv;
}
- PKM_LogIt("Generate DSA PQG domain parameters ... \n");
- /* Generate DSA domain parameters PQG */
- crv = pFunctionList->C_GenerateKey(hSession, &dsaParamGenMech,
- dsaParamGenTemplate,
- 1,
- &hDsaParams);
- if (crv == CKR_OK) {
- PKM_LogIt("DSA domain parameter generation succeeded\n");
- } else {
- PKM_Error("DSA domain parameter generation failed "
- "with 0x%08X, %-26s\n",
- crv, PKM_CK_RVtoStr(crv));
- return crv;
- }
- crv = pFunctionList->C_GetAttributeValue(hSession, hDsaParams,
- dsaPubKeyTemplate, 3);
- if (crv == CKR_OK) {
- PKM_LogIt("Getting DSA domain parameters succeeded\n");
- } else {
- PKM_Error("Getting DSA domain parameters failed "
- "with 0x%08X, %-26s\n",
- crv, PKM_CK_RVtoStr(crv));
- return crv;
- }
- crv = pFunctionList->C_DestroyObject(hSession, hDsaParams);
- if (crv == CKR_OK) {
- PKM_LogIt("Destroying DSA domain parameters succeeded\n");
- } else {
- PKM_Error("Destroying DSA domain parameters failed "
- "with 0x%08X, %-26s\n",
- crv, PKM_CK_RVtoStr(crv));
- return crv;
- }
-
- PKM_LogIt("Generate a DSA key pair ... \n");
- /* Generate a persistent DSA key pair */
- crv = pFunctionList->C_GenerateKeyPair(hSession, &dsaKeyPairGenMech,
- dsaPubKeyTemplate,
- NUM_ELEM(dsaPubKeyTemplate),
- dsaPrivKeyTemplate,
- NUM_ELEM(dsaPrivKeyTemplate),
- &hDSApubKey, &hDSAprivKey);
+ PKM_LogIt("Generate a ECDSA key pair ... \n");
+ /* Generate a persistent ECDSA key pair */
+ crv = pFunctionList->C_GenerateKeyPair(hSession, &ecdsaKeyPairGenMech,
+ ecdsaPubKeyTemplate,
+ NUM_ELEM(ecdsaPubKeyTemplate),
+ ecdsaPrivKeyTemplate,
+ NUM_ELEM(ecdsaPrivKeyTemplate),
+ &hECDSApubKey, &hECDSAprivKey);
if (crv == CKR_OK) {
- PKM_LogIt("DSA key pair generation succeeded\n");
+ PKM_LogIt("ECDSA key pair generation succeeded\n");
} else {
- PKM_Error("DSA key pair generation failed "
+ PKM_Error("ECDSA key pair generation failed "
"with 0x%08X, %-26s\n",
crv, PKM_CK_RVtoStr(crv));
return crv;
}
/* Compute SHA-1 digest */
- crv = pFunctionList->C_DigestInit(hSession, &sha1Mech);
+ crv = pFunctionList->C_DigestInit(hSession, &sha256Mech);
if (crv != CKR_OK) {
PKM_Error("C_DigestInit failed with 0x%08X, %-26s\n", crv,
PKM_CK_RVtoStr(crv));
return crv;
}
- sha1DigestLen = sizeof(sha1Digest);
+ sha256DigestLen = sizeof(sha256Digest);
crv = pFunctionList->C_Digest(hSession, MSG, sizeof(MSG),
- sha1Digest, &sha1DigestLen);
+ sha256Digest, &sha256DigestLen);
if (crv != CKR_OK) {
PKM_Error("C_Digest failed with 0x%08X, %-26s\n", crv,
PKM_CK_RVtoStr(crv));
return crv;
}
- if (sha1DigestLen != sizeof(sha1Digest)) {
- PKM_Error("sha1DigestLen is %lu\n", sha1DigestLen);
+ if (sha256DigestLen != sizeof(sha256Digest)) {
+ PKM_Error("sha1DigestLen is %lu\n", sha256DigestLen);
return crv;
}
- if (memcmp(sha1Digest, MD, sizeof(MD)) == 0) {
- PKM_LogIt("SHA-1 SHA1ShortMsg test case Len = 136 passed\n");
+ if (memcmp(sha256Digest, MD, sizeof(MD)) == 0) {
+ PKM_LogIt("SHA-256 SHA256ShortMsg test case Len = 136 passed\n");
} else {
- PKM_Error("SHA-1 SHA1ShortMsg test case Len = 136 failed\n");
+ int i;
+ PKM_Error("SHA-256 SHA256ShortMsg test case Len = 136 failed\n");
+ fprintf(stderr, "sha256Digest: ");
+ for (i=0; i < sizeof(MD); i++) fprintf(stderr, " 0x%02x", sha256Digest[i]);
+ fprintf(stderr, "\nMD: ");
+ for (i=0; i < sizeof(MD); i++) fprintf(stderr, " 0x%02x", MD[i]);
+ fprintf(stderr, "\n");
}
crv = PKM_PubKeySign(pFunctionList, hSession,
- hDSApubKey, hDSAprivKey,
- &dsaMech, sha1Digest, sizeof(sha1Digest));
+ hECDSApubKey, hECDSAprivKey,
+ &ecdsaMech, sha256Digest, sizeof(sha256Digest));
if (crv == CKR_OK) {
- PKM_LogIt("PKM_PubKeySign CKM_DSA succeeded \n");
+ PKM_LogIt("PKM_PubKeySign CKM_ECDSA succeeded \n");
} else {
PKM_Error("PKM_PubKeySign failed "
"with 0x%08X, %-26s\n",
@@ -3287,10 +3192,10 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc
return crv;
}
crv = PKM_PubKeySign(pFunctionList, hSession,
- hDSApubKey, hDSAprivKey,
- &dsaWithSha1Mech, PLAINTEXT, sizeof(PLAINTEXT));
+ hECDSApubKey, hECDSAprivKey,
+ &ecdsaWithSha256Mech, PLAINTEXT, sizeof(PLAINTEXT));
if (crv == CKR_OK) {
- PKM_LogIt("PKM_PubKeySign CKM_DSA_SHA1 succeeded \n");
+ PKM_LogIt("PKM_PubKeySign CKM_DSA_SHA256 succeeded \n");
} else {
PKM_Error("PKM_PubKeySign failed "
"with 0x%08X, %-26s\n",
@@ -3298,16 +3203,16 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc
return crv;
}
- /* Sign with DSA */
- crv = pFunctionList->C_SignInit(hSession, &dsaMech, hDSAprivKey);
+ /* Sign with ECDSA */
+ crv = pFunctionList->C_SignInit(hSession, &ecdsaMech, hECDSAprivKey);
if (crv != CKR_OK) {
PKM_Error("C_SignInit failed with 0x%08X, %-26s\n", crv,
PKM_CK_RVtoStr(crv));
return crv;
}
- dsaSigLen = sizeof(dsaSig);
- crv = pFunctionList->C_Sign(hSession, sha1Digest, sha1DigestLen,
- dsaSig, &dsaSigLen);
+ ecdsaSigLen = sizeof(ecdsaSig);
+ crv = pFunctionList->C_Sign(hSession, sha256Digest, sha256DigestLen,
+ ecdsaSig, &ecdsaSigLen);
if (crv != CKR_OK) {
PKM_Error("C_Sign failed with 0x%08X, %-26s\n", crv,
PKM_CK_RVtoStr(crv));
@@ -3315,14 +3220,14 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc
}
/* Verify the DSA signature */
- crv = pFunctionList->C_VerifyInit(hSession, &dsaMech, hDSApubKey);
+ crv = pFunctionList->C_VerifyInit(hSession, &ecdsaMech, hECDSApubKey);
if (crv != CKR_OK) {
PKM_Error("C_VerifyInit failed with 0x%08X, %-26s\n", crv,
PKM_CK_RVtoStr(crv));
return crv;
}
- crv = pFunctionList->C_Verify(hSession, sha1Digest, sha1DigestLen,
- dsaSig, dsaSigLen);
+ crv = pFunctionList->C_Verify(hSession, sha256Digest, sha256DigestLen,
+ ecdsaSig, ecdsaSigLen);
if (crv == CKR_OK) {
PKM_LogIt("C_Verify succeeded\n");
} else {
@@ -3332,8 +3237,8 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc
}
/* Verify the signature in a different way */
- crv = pFunctionList->C_VerifyInit(hSession, &dsaWithSha1Mech,
- hDSApubKey);
+ crv = pFunctionList->C_VerifyInit(hSession, &ecdsaWithSha256Mech,
+ hECDSApubKey);
if (crv != CKR_OK) {
PKM_Error("C_VerifyInit failed with 0x%08X, %-26s\n", crv,
PKM_CK_RVtoStr(crv));
@@ -3351,7 +3256,7 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc
PKM_CK_RVtoStr(crv));
return crv;
}
- crv = pFunctionList->C_VerifyFinal(hSession, dsaSig, dsaSigLen);
+ crv = pFunctionList->C_VerifyFinal(hSession, ecdsaSig, ecdsaSigLen);
if (crv == CKR_OK) {
PKM_LogIt("C_VerifyFinal succeeded\n");
} else {
@@ -3361,8 +3266,8 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc
}
/* Verify the signature in a different way */
- crv = pFunctionList->C_VerifyInit(hSession, &dsaWithSha1Mech,
- hDSApubKey);
+ crv = pFunctionList->C_VerifyInit(hSession, &ecdsaWithSha256Mech,
+ hECDSApubKey);
if (crv != CKR_OK) {
PKM_Error("C_VerifyInit failed with 0x%08X, %-26s\n",
crv, PKM_CK_RVtoStr(crv));
@@ -3380,7 +3285,7 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc
crv, PKM_CK_RVtoStr(crv));
return crv;
}
- crv = pFunctionList->C_VerifyFinal(hSession, dsaSig, dsaSigLen);
+ crv = pFunctionList->C_VerifyFinal(hSession, ecdsaSig, ecdsaSigLen);
if (crv == CKR_OK) {
PKM_LogIt("C_VerifyFinal of multi update succeeded.\n");
} else {
@@ -3391,28 +3296,28 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc
/* Now modify the data */
MSG[0] += 1;
/* Compute SHA-1 digest */
- crv = pFunctionList->C_DigestInit(hSession, &sha1Mech);
+ crv = pFunctionList->C_DigestInit(hSession, &sha256Mech);
if (crv != CKR_OK) {
PKM_Error("C_DigestInit failed with 0x%08X, %-26s\n", crv,
PKM_CK_RVtoStr(crv));
return crv;
}
- sha1DigestLen = sizeof(sha1Digest);
+ sha256DigestLen = sizeof(sha256Digest);
crv = pFunctionList->C_Digest(hSession, MSG, sizeof(MSG),
- sha1Digest, &sha1DigestLen);
+ sha256Digest, &sha256DigestLen);
if (crv != CKR_OK) {
PKM_Error("C_Digest failed with 0x%08X, %-26s\n", crv,
PKM_CK_RVtoStr(crv));
return crv;
}
- crv = pFunctionList->C_VerifyInit(hSession, &dsaMech, hDSApubKey);
+ crv = pFunctionList->C_VerifyInit(hSession, &ecdsaMech, hECDSApubKey);
if (crv != CKR_OK) {
PKM_Error("C_VerifyInit failed with 0x%08X, %-26s\n", crv,
PKM_CK_RVtoStr(crv));
return crv;
}
- crv = pFunctionList->C_Verify(hSession, sha1Digest, sha1DigestLen,
- dsaSig, dsaSigLen);
+ crv = pFunctionList->C_Verify(hSession, sha256Digest, sha256DigestLen,
+ ecdsaSig, ecdsaSigLen);
if (crv != CKR_SIGNATURE_INVALID) {
PKM_Error("C_Verify of modified data succeeded\n");
return crv;
@@ -5020,7 +4925,7 @@ PKM_DualFuncSign(CK_FUNCTION_LIST_PTR pF
NUMTESTS++; /* increment NUMTESTS */
/* Check that the mechanism is Multi-part */
- if (sigMech->mechanism == CKM_DSA || sigMech->mechanism == CKM_RSA_PKCS) {
+ if (sigMech->mechanism == CKM_ECDSA || sigMech->mechanism == CKM_RSA_PKCS) {
PKM_Error("PKM_DualFuncSign must be called with a Multi-part "
"operation mechanism\n");
return CKR_DEVICE_ERROR;
diff -up ./coreconf/config.mk.disable_dsa ./coreconf/config.mk
--- ./coreconf/config.mk.disable_dsa 2024-06-07 09:26:03.000000000 -0700
+++ ./coreconf/config.mk 2024-06-17 09:38:50.438019407 -0700
@@ -183,6 +183,10 @@ ifdef NSS_DISABLE_DBM
DEFINES += -DNSS_DISABLE_DBM
endif
+ifdef NSS_DISABLE_DSA
+DEFINES += -DNSS_DISABLE_DSA
+endif
+
ifdef NSS_DISABLE_AVX2
DEFINES += -DNSS_DISABLE_AVX2
endif
diff -up ./gtests/pk11_gtest/manifest.mn.disable_dsa ./gtests/pk11_gtest/manifest.mn
--- ./gtests/pk11_gtest/manifest.mn.disable_dsa 2024-06-07 09:26:03.000000000 -0700
+++ ./gtests/pk11_gtest/manifest.mn 2024-06-17 09:38:50.438019407 -0700
@@ -6,6 +6,10 @@ CORE_DEPTH = ../..
DEPTH = ../..
MODULE = nss
+ifndef NSS_DISABLE_DSA
+ DSA_UNIT_TESTS=pk11_dsa_unittest.cc
+endif
+
CPPSRCS = \
json_reader.cc \
pk11_aes_gcm_unittest.cc \
@@ -17,7 +21,7 @@ CPPSRCS = \
pk11_curve25519_unittest.cc \
pk11_der_private_key_import_unittest.cc \
pk11_des_unittest.cc \
- pk11_dsa_unittest.cc \
+ ${DSA_UNIT_TESTS} \
pk11_ecdsa_unittest.cc \
pk11_eddsa_unittest.cc \
pk11_ecdh_unittest.cc \
diff -up ./gtests/pk11_gtest/pk11_import_unittest.cc.disable_dsa ./gtests/pk11_gtest/pk11_import_unittest.cc
--- ./gtests/pk11_gtest/pk11_import_unittest.cc.disable_dsa 2024-06-07 09:26:03.000000000 -0700
+++ ./gtests/pk11_gtest/pk11_import_unittest.cc 2024-06-17 09:38:50.438019407 -0700
@@ -261,7 +261,9 @@ TEST_P(Pk11KeyImportTest, GenerateExport
INSTANTIATE_TEST_SUITE_P(Pk11KeyImportTest, Pk11KeyImportTest,
::testing::Values(CKM_RSA_PKCS_KEY_PAIR_GEN,
+#ifndef NSS_DISABLE_DSA
CKM_DSA_KEY_PAIR_GEN,
+#endif
CKM_DH_PKCS_KEY_PAIR_GEN));
class Pk11KeyImportTestEC : public Pk11KeyImportTestBase,
diff -up ./gtests/ssl_gtest/ssl_auth_unittest.cc.disable_dsa ./gtests/ssl_gtest/ssl_auth_unittest.cc
--- ./gtests/ssl_gtest/ssl_auth_unittest.cc.disable_dsa 2024-06-07 09:26:03.000000000 -0700
+++ ./gtests/ssl_gtest/ssl_auth_unittest.cc 2024-06-17 09:38:50.438019407 -0700
@@ -532,6 +532,7 @@ TEST_P(TlsConnectTls12, AutoClientSelect
EXPECT_TRUE(ecc.hookCalled);
}
+#ifndef NSS_DISABLE_DSA
TEST_P(TlsConnectTls12, AutoClientSelectDsa) {
AutoClientResults dsa = {{SECFailure, TlsAgent::kClient},
{SECFailure, TlsAgent::kClient},
@@ -548,6 +549,7 @@ TEST_P(TlsConnectTls12, AutoClientSelect
Connect();
EXPECT_TRUE(dsa.hookCalled);
}
+#endif
TEST_P(TlsConnectClientAuthStream13, PostHandshakeAuthMultiple) {
client_->SetupClientAuth(std::get<2>(GetParam()), true);
@@ -1841,7 +1843,7 @@ TEST_F(TlsAgentStreamTestServer, Configu
// A server should refuse to even start a handshake with
// misconfigured certificate and signature scheme.
TEST_P(TlsConnectTls12Plus, MisconfiguredCertScheme) {
- Reset(TlsAgent::kServerDsa);
+ Reset(TlsAgent::kServerRsaSign);
static const SSLSignatureScheme kScheme[] = {ssl_sig_ecdsa_secp256r1_sha256};
server_->SetSignatureSchemes(kScheme, PR_ARRAY_SIZE(kScheme));
ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
@@ -1882,6 +1884,9 @@ TEST_P(TlsConnectTls13, Tls13DsaOnlyClie
client_->CheckErrorCode(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);
}
+#ifndef NSS_DISABLE_DSA
+// can't test a dsa only server becasue we can't generate a server
+// DSA certificate
TEST_P(TlsConnectTls13, Tls13DsaOnlyServer) {
Reset(TlsAgent::kServerDsa);
static const SSLSignatureScheme kDsa[] = {ssl_sig_dsa_sha256};
@@ -1890,6 +1895,7 @@ TEST_P(TlsConnectTls13, Tls13DsaOnlyServ
server_->CheckErrorCode(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);
client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
}
+#endif
TEST_P(TlsConnectTls13, Tls13Pkcs1OnlyClient) {
static const SSLSignatureScheme kPkcs1[] = {ssl_sig_rsa_pkcs1_sha256};
diff -up ./gtests/ssl_gtest/ssl_ciphersuite_unittest.cc.disable_dsa ./gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
--- ./gtests/ssl_gtest/ssl_ciphersuite_unittest.cc.disable_dsa 2024-06-07 09:26:03.000000000 -0700
+++ ./gtests/ssl_gtest/ssl_ciphersuite_unittest.cc 2024-06-17 09:38:50.438019407 -0700
@@ -383,8 +383,10 @@ INSTANTIATE_CIPHER_TEST_P(AEAD12, All, V
kDummySignatureSchemesParams,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_GCM_SHA384,
+#ifndef NSS_DISABLE_DSA
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
+#endif
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384);
INSTANTIATE_CIPHER_TEST_P(AEAD, All, V12, kDummyNamedGroupParams,
@@ -395,16 +397,20 @@ INSTANTIATE_CIPHER_TEST_P(AEAD, All, V12
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
- TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
INSTANTIATE_CIPHER_TEST_P(
CBC12, All, V12, kDummyNamedGroupParams, kDummySignatureSchemesParams,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
- TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256);
+ TLS_RSA_WITH_AES_128_CBC_SHA256
+#ifndef NSS_DISABLE_DSA
+ , TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
+#endif
+ );
INSTANTIATE_CIPHER_TEST_P(
CBCStream, Stream, V10ToV12, kDummyNamedGroupParams,
kDummySignatureSchemesParams, TLS_ECDH_ECDSA_WITH_NULL_SHA,
@@ -431,8 +437,12 @@ INSTANTIATE_CIPHER_TEST_P(
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
- TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256);
+ TLS_RSA_WITH_AES_128_CBC_SHA256
+#ifndef NSS_DISABLE_DSA
+ , TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
+#endif
+ );
#ifndef NSS_DISABLE_TLS_1_3
INSTANTIATE_CIPHER_TEST_P(TLS13, All, V13,
::testing::ValuesIn(kFasterDHEGroups),
diff -up ./gtests/ssl_gtest/ssl_dhe_unittest.cc.disable_dsa ./gtests/ssl_gtest/ssl_dhe_unittest.cc
--- ./gtests/ssl_gtest/ssl_dhe_unittest.cc.disable_dsa 2024-06-07 09:26:03.000000000 -0700
+++ ./gtests/ssl_gtest/ssl_dhe_unittest.cc 2024-06-17 09:45:33.575416837 -0700
@@ -622,6 +622,7 @@ class TlsDheSkeChangeSignature : public
size_t len_;
};
+#ifndef NSS_DISABLE_DSA
TEST_P(TlsConnectGenericPre13, InvalidDERSignatureFfdhe) {
const uint8_t kBogusDheSignature[] = {
0x30, 0x69, 0x3c, 0x02, 0x1c, 0x7d, 0x0b, 0x2f, 0x64, 0x00, 0x27,
@@ -642,6 +643,7 @@ TEST_P(TlsConnectGenericPre13, InvalidDE
ConnectExpectAlert(client_, kTlsAlertDecryptError);
client_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
}
+#endif
TEST_P(TlsConnectTls12, ConnectInconsistentSigAlgDHE) {
EnableOnlyDheCiphers();
diff -up ./gtests/ssl_gtest/ssl_extension_unittest.cc.disable_dsa ./gtests/ssl_gtest/ssl_extension_unittest.cc
--- ./gtests/ssl_gtest/ssl_extension_unittest.cc.disable_dsa 2024-06-07 09:26:03.000000000 -0700
+++ ./gtests/ssl_gtest/ssl_extension_unittest.cc 2024-06-17 09:38:50.438019407 -0700
@@ -651,7 +651,10 @@ TEST_P(TlsExtensionTest12, SignatureAlgo
}
}
+#ifndef NSS_DISABLE_DSA
// This only works on TLS 1.2, since it relies on DSA.
+// and doesn't work if we've disabled DSA (Reset(TlsAgent:kServerDSA) fail
+// because we don't have a DSA certificate)
TEST_P(TlsExtensionTest12, SignatureAlgorithmDisableDSA) {
const std::vector<SSLSignatureScheme> schemes = {
ssl_sig_dsa_sha1, ssl_sig_dsa_sha256, ssl_sig_dsa_sha384,
@@ -700,6 +703,7 @@ TEST_P(TlsExtensionTest12, SignatureAlgo
EXPECT_TRUE(ext2.Read(2, 2, &v));
EXPECT_EQ(ssl_sig_rsa_pss_rsae_sha256, v);
}
+#endif
// Temporary test to verify that we choke on an empty ClientKeyShare.
// This test will fail when we implement HelloRetryRequest.
diff -up ./lib/softoken/pkcs11c.c.disable_dsa ./lib/softoken/pkcs11c.c
--- ./lib/softoken/pkcs11c.c.disable_dsa 2024-06-17 09:38:50.434019363 -0700
+++ ./lib/softoken/pkcs11c.c 2024-06-17 09:38:50.439019418 -0700
@@ -2665,6 +2665,7 @@ sftk_RSASignPSS(SFTKPSSSignInfo *info, u
return rv;
}
+#ifndef NSS_DISABLE_DSA
static SECStatus
nsc_DSA_Verify_Stub(void *ctx, void *sigBuf, unsigned int sigLen,
void *dataBuf, unsigned int dataLen)
@@ -2690,6 +2691,7 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
*sigLen = signature.len;
return rv;
}
+#endif
static SECStatus
nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
@@ -2905,6 +2907,7 @@ NSC_SignInit(CK_SESSION_HANDLE hSession,
context->maxLen = nsslowkey_PrivateModulusLen(pinfo->key);
break;
+#ifndef NSS_DISABLE_DSA
#define INIT_DSA_SIG_MECH(mmm) \
case CKM_DSA_##mmm: \
context->multi = PR_TRUE; \
@@ -2933,6 +2936,7 @@ NSC_SignInit(CK_SESSION_HANDLE hSession,
context->maxLen = DSA_MAX_SIGNATURE_LEN;
break;
+#endif
#define INIT_ECDSA_SIG_MECH(mmm) \
case CKM_ECDSA_##mmm: \
@@ -3717,6 +3721,7 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
context->verify = (SFTKVerify)sftk_RSACheckSignPSS;
break;
+#ifndef NSS_DISABLE_DSA
INIT_DSA_SIG_MECH(SHA1)
INIT_DSA_SIG_MECH(SHA224)
INIT_DSA_SIG_MECH(SHA256)
@@ -3736,6 +3741,7 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
context->verify = (SFTKVerify)nsc_DSA_Verify_Stub;
context->destroy = sftk_Null;
break;
+#endif
INIT_ECDSA_SIG_MECH(SHA1)
INIT_ECDSA_SIG_MECH(SHA224)
@@ -4753,12 +4759,16 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
key_gen_type = nsc_pbe;
crv = nsc_SetupPBEKeyGen(pMechanism, &pbe_param, &key_type, &key_length);
break;
+/*#ifndef NSS_DISABLE_DSA */
+/* some applications use CKM_DSA_PARAMTER_GEN for week DH keys...
+ * most notably tests... continue to allow it for now */
case CKM_DSA_PARAMETER_GEN:
key_gen_type = nsc_param;
key_type = CKK_DSA;
objclass = CKO_DOMAIN_PARAMETERS;
crv = CKR_OK;
break;
+/* #endif */
case CKM_NSS_JPAKE_ROUND1_SHA1:
hashType = HASH_AlgSHA1;
goto jpake1;
@@ -5121,11 +5131,13 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
signature_length = modulusLen;
mech.mechanism = CKM_RSA_PKCS;
break;
+#ifndef NSS_DISABLE_DSA
case CKK_DSA:
signature_length = DSA_MAX_SIGNATURE_LEN;
pairwise_digest_length = subPrimeLen;
mech.mechanism = CKM_DSA;
break;
+#endif
case CKK_EC:
signature_length = MAX_ECKEY_LEN * 2;
mech.mechanism = CKM_ECDSA;
@@ -5373,10 +5385,12 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
SECItem pubExp;
RSAPrivateKey *rsaPriv;
+ DHParams dhParam;
+#ifndef NSS_DISABLE_DSA
/* DSA */
PQGParams pqgParam;
- DHParams dhParam;
DSAPrivateKey *dsaPriv;
+#endif
/* Diffie Hellman */
DHPrivateKey *dhPriv;
@@ -5552,6 +5566,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
/* Should zeroize the contents first, since this func doesn't. */
PORT_FreeArena(rsaPriv->arena, PR_TRUE);
break;
+#ifndef NSS_DISABLE_DSA
case CKM_DSA_KEY_PAIR_GEN:
sftk_DeleteAttributeType(publicKey, CKA_VALUE);
sftk_DeleteAttributeType(privateKey, CKA_NSS_DB);
@@ -5663,6 +5678,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
/* should zeroize, since this function doesn't. */
PORT_FreeArena(dsaPriv->params.arena, PR_TRUE);
break;
+#endif
case CKM_DH_PKCS_KEY_PAIR_GEN:
sftk_DeleteAttributeType(privateKey, CKA_PRIME);
diff -up ./lib/softoken/pkcs11.c.disable_dsa ./lib/softoken/pkcs11.c
--- ./lib/softoken/pkcs11.c.disable_dsa 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/softoken/pkcs11.c 2024-06-17 09:38:50.439019418 -0700
@@ -359,6 +359,7 @@ static const struct mechanismList mechan
{ CKM_SHA384_RSA_PKCS_PSS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
{ CKM_SHA512_RSA_PKCS_PSS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
/* ------------------------- DSA Operations --------------------------- */
+#ifndef NSS_DISABLE_DSA
{ CKM_DSA_KEY_PAIR_GEN, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_GENERATE_KEY_PAIR }, PR_TRUE },
{ CKM_DSA, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
{ CKM_DSA_PARAMETER_GEN, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_GENERATE }, PR_TRUE },
@@ -367,6 +368,7 @@ static const struct mechanismList mechan
{ CKM_DSA_SHA256, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
{ CKM_DSA_SHA384, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
{ CKM_DSA_SHA512, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
+#endif
/* -------------------- Diffie Hellman Operations --------------------- */
/* no diffie hellman yet */
{ CKM_DH_PKCS_KEY_PAIR_GEN, { DH_MIN_P_BITS, DH_MAX_P_BITS, CKF_GENERATE_KEY_PAIR }, PR_TRUE },
diff -up ./tests/cert/cert.sh.disable_dsa ./tests/cert/cert.sh
--- ./tests/cert/cert.sh.disable_dsa 2024-06-07 09:26:03.000000000 -0700
+++ ./tests/cert/cert.sh 2024-06-17 09:38:50.440019429 -0700
@@ -288,12 +288,14 @@ cert_create_cert()
return $RET
fi
+ if [ -z "$NSS_DISABLE_DSA" ]; then
CU_ACTION="Import DSA Root CA for $CERTNAME"
certu -A -n "TestCA-dsa" -t "TC,TC,TC" -f "${R_PWFILE}" \
-d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-dsa.ca.cert" 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
+ fi
CU_ACTION="Import EC Root CA for $CERTNAME"
@@ -342,6 +344,7 @@ cert_add_cert()
#
# Generate and add DSA cert
#
+ if [ -z "$NSS_DISABLE_DSA" ]; then
CU_ACTION="Generate DSA Cert Request for $CERTNAME"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \
@@ -392,6 +395,7 @@ cert_add_cert()
return $RET
fi
cert_log "SUCCESS: $CERTNAME's mixed DSA Cert Created"
+ fi
#
# Generate and add EC cert
@@ -504,6 +508,7 @@ cert_all_CA()
# in the chain
+ if [ -z "$NSS_DISABLE_DSA" ]; then
#
# Create DSA version of TestCA
ALL_CU_SUBJECT="CN=NSS Test CA (DSA), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
@@ -527,6 +532,7 @@ cert_all_CA()
rm $CLIENT_CADIR/dsaroot.cert $SERVER_CADIR/dsaroot.cert
# dsaroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
# in the chain
+ fi
#
# Create RSA-PSS version of TestCA
@@ -988,6 +994,7 @@ cert_extended_ssl()
certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
-i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1
+ if [ -z "$NSS_DISABLE_DSA" ]; then
#
# Repeat the above for DSA certs
#
@@ -1031,6 +1038,7 @@ cert_extended_ssl()
# certu -A -n "clientCA-dsamixed" -t "T,," -f "${R_PWFILE}" \
# -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-dsamixed.ca.cert" \
# 2>&1
+ fi
#
# Repeat the above for EC certs
@@ -1084,18 +1092,18 @@ cert_extended_ssl()
# we'll use one of the longer nicknames for testing.
# (Because "grep -w hostname" matches "grep -w hostname-dsamixed")
MYDBPASS="-d ${PROFILEDIR} -f ${R_PWFILE}"
- TESTNAME="Ensure there's exactly one match for ${CERTNAME}-dsamixed"
- cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-dsamixed" 0 1 "${TESTNAME}"
+ TESTNAME="Ensure there's exactly one match for ${CERTNAME}-ecmixed"
+ cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-ecmixed" 0 1 "${TESTNAME}"
- CU_ACTION="Repeated import of $CERTNAME's mixed DSA Cert with different nickname"
- certu -A -n "${CERTNAME}-repeated-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \
- -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1
+ CU_ACTION="Repeated import of $CERTNAME's mixed EC Cert with different nickname"
+ certu -A -n "${CERTNAME}-repeated-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
+ -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
- TESTNAME="Ensure there's still exactly one match for ${CERTNAME}-dsamixed"
- cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-dsamixed" 0 1 "${TESTNAME}"
+ TESTNAME="Ensure there's still exactly one match for ${CERTNAME}-ecmixed"
+ cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-ecmixed" 0 1 "${TESTNAME}"
- TESTNAME="Ensure there's zero matches for ${CERTNAME}-repeated-dsamixed"
- cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-repeated-dsamixed" 0 0 "${TESTNAME}"
+ TESTNAME="Ensure there's zero matches for ${CERTNAME}-repeated-ecmixed"
+ cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-repeated-ecmixed" 0 0 "${TESTNAME}"
echo "Importing all the server's own CA chain into the servers DB"
for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ;
@@ -1140,6 +1148,7 @@ cert_extended_ssl()
#
# Repeat the above for DSA certs
#
+ if [ -z "$NSS_DISABLE_DSA" ]; then
CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \
@@ -1183,6 +1192,7 @@ cert_extended_ssl()
#
# done with mixed DSA certs
#
+ fi
#
# Repeat the above for EC certs
@@ -1273,8 +1283,10 @@ cert_ssl()
CU_ACTION="Modify trust attributes of Root CA -t TC,TC,TC"
certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
+ if [ -z "$NSS_DISABLE_DSA" ]; then
CU_ACTION="Modify trust attributes of DSA Root CA -t TC,TC,TC"
certu -M -n "TestCA-dsa" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
+ fi
CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
@@ -1383,9 +1395,14 @@ MODSCRIPT
certu -G -k rsa -g 2048 -y 17 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}"
RETEXPECTED=0
+ if [ -z "$NSS_DISABLE_DSA" ]; then
+ FIPS_KEY="-k dsa"
+ else
+ FIPS_KEY="-k ec -q nistp256"
+ fi
CU_ACTION="Generate Certificate for ${CERTNAME}"
CU_SUBJECT="CN=${CERTNAME}, E=fips@example.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US"
- certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1
+ certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" ${FIPS_KEY} -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1
if [ "$RET" -eq 0 ]; then
cert_log "SUCCESS: FIPS passed"
fi
@@ -1817,6 +1834,7 @@ EOF_CRLINI
chmod 600 ${CRL_FILE_GRP_1}_or
+ if [ -z "$NSS_DISABLE_DSA" ]; then
CU_ACTION="Generating CRL (DSA) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-dsa authority"
# Until Bug 292285 is resolved, do not encode x400 Addresses. After
@@ -1831,6 +1849,7 @@ addext issuerAltNames 0 "rfc822Name:ca-d
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_1}_or-dsa
+ fi
@@ -1867,6 +1886,7 @@ EOF_CRLINI
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or"
+ if [ -z "$NSS_DISABLE_DSA" ]; then
CU_ACTION="Modify CRL (DSA) by adding one more cert"
crlu -d $CADIR -M -n "TestCA-dsa" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or1-dsa \
-i ${CRL_FILE_GRP_1}_or-dsa <<EOF_CRLINI
@@ -1876,6 +1896,7 @@ EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_1}_or1-dsa
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-dsa"
+ fi
CU_ACTION="Modify CRL (ECC) by adding one more cert"
@@ -1902,6 +1923,7 @@ EOF_CRLINI
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1"
+ if [ -z "$NSS_DISABLE_DSA" ]; then
CU_ACTION="Modify CRL (DSA) by removing one cert"
sleep 2
CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
@@ -1912,6 +1934,7 @@ rmcert ${UNREVOKED_CERT_GRP_1}
EOF_CRLINI
chmod 600 ${CRL_FILE_GRP_1}
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-dsa"
+ fi
diff -up ./tests/chains/scenarios/scenarios.disable_dsa ./tests/chains/scenarios/scenarios
--- ./tests/chains/scenarios/scenarios.disable_dsa 2024-06-07 09:26:03.000000000 -0700
+++ ./tests/chains/scenarios/scenarios 2024-06-17 09:38:50.440019429 -0700
@@ -16,7 +16,7 @@ bridgewithaia.cfg
bridgewithhalfaia.cfg
bridgewithpolicyextensionandmapping.cfg
realcerts.cfg
-dsa.cfg
+#dsa.cfg
revoc.cfg
ocsp.cfg
crldp.cfg
diff -up ./tests/cipher/performance.sh.disable_dsa ./tests/cipher/performance.sh
--- ./tests/cipher/performance.sh.disable_dsa 2024-06-07 09:26:03.000000000 -0700
+++ ./tests/cipher/performance.sh 2024-06-17 09:38:50.440019429 -0700
@@ -95,6 +95,7 @@ done < ${RSAPERFOUT}
echo "</TABLE><BR>" >> ${PERFRESULTS}
fi
+if [ -z "${NSS_DISABLE_DSA}" ]; then
if [ $TESTSET = "all" -o $TESTSET = "dsa" ]; then
while read mode keysize bufsize reps cxreps
@@ -124,6 +125,7 @@ done < ${DSAPERFOUT}
echo "</TABLE><BR>" >> ${PERFRESULTS}
fi
+fi
if [ $TESTSET = "all" -o $TESTSET = "hash" ]; then
while read mode bufsize reps
diff -up ./tests/dbtests/dbtests.sh.disable_dsa ./tests/dbtests/dbtests.sh
--- ./tests/dbtests/dbtests.sh.disable_dsa 2024-06-17 09:38:50.412019123 -0700
+++ ./tests/dbtests/dbtests.sh 2024-06-17 09:38:50.440019429 -0700
@@ -257,7 +257,13 @@ dbtest_main()
fi
# import a token private key and make sure the corresponding public key is
# created
- ${BINDIR}/pk11importtest -d ${CONFLICT_DIR} -f ${R_PWFILE}
+ IMPORT_OPTIONS=""
+ if [ -n "$NSS_DISABLE_DSA" ]; then
+ IMPORT_OPTIONS="-D noDSA"
+ fi
+ Echo "Importing Token Private Key"
+ echo "pk11importtest ${IMPORT_OPTIONS} -d ${CONFLICT_DIR} -f ${R_PWFILE}"
+ ${BINDIR}/pk11importtest ${IMPORT_OPTIONS} -d ${CONFLICT_DIR} -f ${R_PWFILE}
ret=$?
if [ $ret -ne 0 ]; then
html_failed "Importing Token Private Key does not create the corrresponding Public Key"
diff -up ./tests/ssl_gtests/ssl_gtests.sh.disable_dsa ./tests/ssl_gtests/ssl_gtests.sh
--- ./tests/ssl_gtests/ssl_gtests.sh.disable_dsa 2024-06-07 09:26:03.000000000 -0700
+++ ./tests/ssl_gtests/ssl_gtests.sh 2024-06-17 09:38:50.440019429 -0700
@@ -56,7 +56,9 @@ ssl_gtest_certs() {
make_cert rsa_pss_chain rsapss_chain sign
make_cert rsa_ca_rsa_pss_chain rsa_ca_rsapss_chain sign
make_cert ecdh_rsa ecdh_rsa kex
- make_cert dsa dsa sign
+ if [ -z "${NSS_DISABLE_DSA}" ]; then
+ make_cert dsa dsa sign
+ fi
make_cert delegator_ecdsa256 delegator_p256 sign
make_cert delegator_rsae2048 delegator_rsae2048 sign
make_cert delegator_rsa_pss2048 delegator_rsa_pss2048 sign
diff -up ./tests/ssl/sslcov.txt.disable_dsa ./tests/ssl/sslcov.txt
--- ./tests/ssl/sslcov.txt.disable_dsa 2024-06-07 09:26:03.000000000 -0700
+++ ./tests/ssl/sslcov.txt 2024-06-17 09:38:50.440019429 -0700
@@ -16,7 +16,6 @@
noECC SSL3 y SSL3_RSA_WITH_AES_256_CBC_SHA
noECC SSL3 z SSL3_RSA_WITH_NULL_SHA
noECC TLS12 :009F TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- noECC TLS12 :00A3 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
noECC TLS12 :009D TLS_RSA_WITH_AES_256_GCM_SHA384
# noECC SSL3 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
# noECC SSL3 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
@@ -51,20 +50,15 @@
noECC TLS12 y TLS12_RSA_WITH_AES_256_CBC_SHA
noECC TLS12 z TLS12_RSA_WITH_NULL_SHA
noECC TLS12 :0016 TLS12_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- noECC TLS12 :0032 TLS12_DHE_DSS_WITH_AES_128_CBC_SHA
noECC TLS12 :0033 TLS12_DHE_RSA_WITH_AES_128_CBC_SHA
- noECC TLS12 :0038 TLS12_DHE_DSS_WITH_AES_256_CBC_SHA
noECC TLS12 :0039 TLS12_DHE_RSA_WITH_AES_256_CBC_SHA
noECC TLS12 :003B TLS12_RSA_WITH_NULL_SHA256
noECC TLS12 :003C TLS12_RSA_WITH_AES_128_CBC_SHA256
noECC TLS12 :003D TLS12_RSA_WITH_AES_256_CBC_SHA256
- noECC TLS12 :0040 TLS12_DHE_DSS_WITH_AES_128_CBC_SHA256
noECC TLS12 :0067 TLS12_DHE_RSA_WITH_AES_128_CBC_SHA256
- noECC TLS12 :006A TLS12_DHE_DSS_WITH_AES_256_CBC_SHA256
noECC TLS12 :006B TLS12_DHE_RSA_WITH_AES_256_CBC_SHA256
noECC TLS12 :009C TLS12_RSA_WITH_AES_128_GCM_SHA256
noECC TLS12 :009E TLS12_DHE_RSA_WITH_AES_128_GCM_SHA256
- noECC TLS12 :00A2 TLS12_DHE_DSS_WITH_AES_128_GCM_SHA256
noECC TLS12 :CCAA TLS12_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
noECC TLS13 :1301 TLS13_DHE_WITH_AES_128_GCM_SHA256
noECC TLS13 :1302 TLS13_DHE_WITH_AES_256_GCM_SHA384
diff -up ./tests/ssl/ssl.sh.disable_dsa ./tests/ssl/ssl.sh
--- ./tests/ssl/ssl.sh.disable_dsa 2024-06-07 09:26:03.000000000 -0700
+++ ./tests/ssl/ssl.sh 2024-06-17 09:38:50.440019429 -0700
@@ -251,20 +251,26 @@ start_selfserv()
else
RSA_OPTIONS="-n ${HOSTADDR}-rsa-pss"
fi
+ if [ -z "$NSS_DISABLE_DSA" ]; then
+ DSA_OPTIONS="-S ${HOSTADDR}-dsa"
+ else
+ DSA_OPTIONS=""
+ fi
+
SERVER_VMIN=${SERVER_VMIN-ssl3}
SERVER_VMAX=${SERVER_VMAX-tls1.2}
echo "selfserv starting at `date`"
echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \\"
- echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID}\\"
+ echo " ${ECC_OPTIONS} ${DSA_OPTIONS} -w nss "$@" -i ${R_SERVERPID}\\"
echo " -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 &"
if [ ${fileout} -eq 1 ]; then
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \
- ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 \
+ ${ECC_OPTIONS} ${DSA_OPTIONS} -w nss "$@" -i ${R_SERVERPID} -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 \
> ${SERVEROUTFILE} 2>&1 &
RET=$?
else
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \
- ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 &
+ ${ECC_OPTIONS} ${DSA_OPTIONS} -w nss "$@" -i ${R_SERVERPID} -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 &
RET=$?
fi
diff -up ./tests/ssl/sslstress.txt.disable_dsa ./tests/ssl/sslstress.txt
--- ./tests/ssl/sslstress.txt.disable_dsa 2024-06-07 09:26:03.000000000 -0700
+++ ./tests/ssl/sslstress.txt 2024-06-17 09:38:50.440019429 -0700
@@ -55,15 +55,6 @@
noECC 0 -c_:0039 -V_ssl3:tls1.2_-c_100_-C_:0039_-N Stress TLS DHE_RSA_WITH_AES_256_CBC_SHA (no reuse)
- noECC 0 -c_:0040 -V_ssl3:tls1.2_-c_100_-C_:0040_-N Stress TLS DHE_DSS_WITH_AES_128_CBC_SHA256 (no reuse)
-
-# noECC 0 -c_:0038_-u -V_ssl3:tls1.2_-c_1000_-C_:0038_-u Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA (session ticket)
-# use the above session ticket test, once session tickets with DHE_DSS are working
- noECC 0 -c_:0038 -V_ssl3:tls1.2_-c_1000_-C_:0038_-N Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA (no reuse)
-
-# noECC 0 -c_:006A -V_ssl3:tls1.2_-c_1000_-C_:006A Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA256
-# use the above reuse test, once the session cache with DHE_DSS is working
- noECC 0 -c_:006A -V_ssl3:tls1.2_-c_1000_-C_:006A_-N Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA256 (no reuse
noECC 0 -c_:006B -V_ssl3:tls1.2_-c_100_-C_:006B_-N Stress TLS DHE_RSA_WITH_AES_256_CBC_SHA256 (no reuse)
noECC 0 -c_:009E -V_ssl3:tls1.2_-c_100_-C_:009E_-N Stress TLS DHE_RSA_WITH_AES_128_GCM_SHA256 (no reuse)
@@ -71,11 +62,3 @@
#
# add client auth versions here...
#
- noECC 0 -r_-r_-c_:0032 -V_ssl3:tls1.2_-c_100_-C_:0032_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_128_CBC_SHA (no reuse, client auth)
- noECC 0 -r_-r_-c_:0067 -V_ssl3:tls1.2_-c_1000_-C_:0067_-n_TestUser-dsamixed Stress TLS DHE_RSA_WITH_AES_128_CBC_SHA256 (client auth)
-
-# noECC 0 -r_-r_-c_:00A2_-u -V_ssl3:tls1.2_-c_1000_-C_:00A2_-n_TestUser-dsa_-u Stress TLS DHE_DSS_WITH_AES_128_GCM_SHA256 (session ticket, client auth)
-# noECC 0 -r_-r_-c_:00A3_-u -V_ssl3:tls1.2_-c_1000_-C_:00A3_-n_TestUser-dsa_-u Stress TLS DHE_DSS_WITH_AES_256_GCM_SHA384 (session ticket, client auth)
-# use the above session ticket test, once session tickets with DHE_DSS are working
- noECC 0 -r_-r_-c_:00A2_-u -V_ssl3:tls1.2_-c_1000_-C_:00A2_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_128_GCM_SHA256 (no reuse, client auth)
- noECC 0 -r_-r_-c_:00A3_-u -V_ssl3:tls1.2_-c_1000_-C_:00A3_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_256_GCM_SHA384 (no reuse, client auth)