diff -up ./cmd/pk11mode/pk11mode.c.disable_dsa ./cmd/pk11mode/pk11mode.c --- ./cmd/pk11mode/pk11mode.c.disable_dsa 2024-06-17 09:39:06.137190654 -0700 +++ ./cmd/pk11mode/pk11mode.c 2024-06-17 09:39:12.265257501 -0700 @@ -578,7 +578,7 @@ main(int argc, char **argv) } /* - * PKM_KeyTest creates RSA,DSA public keys + * PKM_KeyTest creates RSA,ECDSA public keys * and AES, DES3 secret keys. * then does digest, hmac, encrypt/decrypt, signing operations. */ @@ -793,19 +793,14 @@ PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunct CK_RV crv = CKR_OK; - /*** DSA Key ***/ - CK_MECHANISM dsaParamGenMech; - CK_ULONG primeBits = 1024; - CK_ATTRIBUTE dsaParamGenTemplate[1]; - CK_OBJECT_HANDLE hDsaParams = CK_INVALID_HANDLE; - CK_BYTE DSA_P[128]; - CK_BYTE DSA_Q[20]; - CK_BYTE DSA_G[128]; - CK_MECHANISM dsaKeyPairGenMech; - CK_ATTRIBUTE dsaPubKeyTemplate[5]; - CK_ATTRIBUTE dsaPrivKeyTemplate[5]; - CK_OBJECT_HANDLE hDSApubKey = CK_INVALID_HANDLE; - CK_OBJECT_HANDLE hDSAprivKey = CK_INVALID_HANDLE; + /*** ECDSA Key ***/ + CK_BYTE ECDSA_P256_PARAMS[] = + { 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 }; + CK_MECHANISM ecdsaKeyPairGenMech; + CK_ATTRIBUTE ecdsaPubKeyTemplate[3]; + CK_ATTRIBUTE ecdsaPrivKeyTemplate[5]; + CK_OBJECT_HANDLE hECDSApubKey = CK_INVALID_HANDLE; + CK_OBJECT_HANDLE hECDSAprivKey = CK_INVALID_HANDLE; /**** RSA Key ***/ CK_KEY_TYPE rsatype = CKK_RSA; @@ -840,8 +835,8 @@ PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunct CK_ATTRIBUTE sDES3KeyTemplate[9]; CK_OBJECT_HANDLE hDES3SecKey; - CK_MECHANISM dsaWithSha1Mech = { - CKM_DSA_SHA1, NULL, 0 + CK_MECHANISM ecdsaWithSha256Mech = { + CKM_ECDSA_SHA256, NULL, 0 }; CK_BYTE IV[16]; @@ -888,45 +883,33 @@ PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunct NUMTESTS++; /* increment NUMTESTS */ /* DSA key init */ - dsaParamGenMech.mechanism = CKM_DSA_PARAMETER_GEN; - dsaParamGenMech.pParameter = NULL_PTR; - dsaParamGenMech.ulParameterLen = 0; - dsaParamGenTemplate[0].type = CKA_PRIME_BITS; - dsaParamGenTemplate[0].pValue = &primeBits; - dsaParamGenTemplate[0].ulValueLen = sizeof(primeBits); - dsaPubKeyTemplate[0].type = CKA_PRIME; - dsaPubKeyTemplate[0].pValue = DSA_P; - dsaPubKeyTemplate[0].ulValueLen = sizeof(DSA_P); - dsaPubKeyTemplate[1].type = CKA_SUBPRIME; - dsaPubKeyTemplate[1].pValue = DSA_Q; - dsaPubKeyTemplate[1].ulValueLen = sizeof(DSA_Q); - dsaPubKeyTemplate[2].type = CKA_BASE; - dsaPubKeyTemplate[2].pValue = DSA_G; - dsaPubKeyTemplate[2].ulValueLen = sizeof(DSA_G); - dsaPubKeyTemplate[3].type = CKA_TOKEN; - dsaPubKeyTemplate[3].pValue = &true; - dsaPubKeyTemplate[3].ulValueLen = sizeof(true); - dsaPubKeyTemplate[4].type = CKA_VERIFY; - dsaPubKeyTemplate[4].pValue = &true; - dsaPubKeyTemplate[4].ulValueLen = sizeof(true); - dsaKeyPairGenMech.mechanism = CKM_DSA_KEY_PAIR_GEN; - dsaKeyPairGenMech.pParameter = NULL_PTR; - dsaKeyPairGenMech.ulParameterLen = 0; - dsaPrivKeyTemplate[0].type = CKA_TOKEN; - dsaPrivKeyTemplate[0].pValue = &true; - dsaPrivKeyTemplate[0].ulValueLen = sizeof(true); - dsaPrivKeyTemplate[1].type = CKA_PRIVATE; - dsaPrivKeyTemplate[1].pValue = &true; - dsaPrivKeyTemplate[1].ulValueLen = sizeof(true); - dsaPrivKeyTemplate[2].type = CKA_SENSITIVE; - dsaPrivKeyTemplate[2].pValue = &true; - dsaPrivKeyTemplate[2].ulValueLen = sizeof(true); - dsaPrivKeyTemplate[3].type = CKA_SIGN, - dsaPrivKeyTemplate[3].pValue = &true; - dsaPrivKeyTemplate[3].ulValueLen = sizeof(true); - dsaPrivKeyTemplate[4].type = CKA_EXTRACTABLE; - dsaPrivKeyTemplate[4].pValue = &true; - dsaPrivKeyTemplate[4].ulValueLen = sizeof(true); + ecdsaPubKeyTemplate[0].type = CKA_EC_PARAMS; + ecdsaPubKeyTemplate[0].pValue = ECDSA_P256_PARAMS; + ecdsaPubKeyTemplate[0].ulValueLen = sizeof(ECDSA_P256_PARAMS); + ecdsaPubKeyTemplate[1].type = CKA_TOKEN; + ecdsaPubKeyTemplate[1].pValue = &true; + ecdsaPubKeyTemplate[1].ulValueLen = sizeof(true); + ecdsaPubKeyTemplate[2].type = CKA_VERIFY; + ecdsaPubKeyTemplate[2].pValue = &true; + ecdsaPubKeyTemplate[2].ulValueLen = sizeof(true); + ecdsaKeyPairGenMech.mechanism = CKM_ECDSA_KEY_PAIR_GEN; + ecdsaKeyPairGenMech.pParameter = NULL_PTR; + ecdsaKeyPairGenMech.ulParameterLen = 0; + ecdsaPrivKeyTemplate[0].type = CKA_TOKEN; + ecdsaPrivKeyTemplate[0].pValue = &true; + ecdsaPrivKeyTemplate[0].ulValueLen = sizeof(true); + ecdsaPrivKeyTemplate[1].type = CKA_PRIVATE; + ecdsaPrivKeyTemplate[1].pValue = &true; + ecdsaPrivKeyTemplate[1].ulValueLen = sizeof(true); + ecdsaPrivKeyTemplate[2].type = CKA_SENSITIVE; + ecdsaPrivKeyTemplate[2].pValue = &true; + ecdsaPrivKeyTemplate[2].ulValueLen = sizeof(true); + ecdsaPrivKeyTemplate[3].type = CKA_SIGN, + ecdsaPrivKeyTemplate[3].pValue = &true; + ecdsaPrivKeyTemplate[3].ulValueLen = sizeof(true); + ecdsaPrivKeyTemplate[4].type = CKA_EXTRACTABLE; + ecdsaPrivKeyTemplate[4].pValue = &true; + ecdsaPrivKeyTemplate[4].ulValueLen = sizeof(true); /* RSA key init */ rsaKeyPairGenMech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN; @@ -1148,52 +1131,18 @@ PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunct return crv; } - PKM_LogIt("Generate DSA PQG domain parameters ... \n"); - /* Generate DSA domain parameters PQG */ - crv = pFunctionList->C_GenerateKey(hRwSession, &dsaParamGenMech, - dsaParamGenTemplate, - 1, - &hDsaParams); + PKM_LogIt("Generate a ECDSA key pair ... \n"); + /* Generate a persistent ECDSA key pair */ + crv = pFunctionList->C_GenerateKeyPair(hRwSession, &ecdsaKeyPairGenMech, + ecdsaPubKeyTemplate, + NUM_ELEM(ecdsaPubKeyTemplate), + ecdsaPrivKeyTemplate, + NUM_ELEM(ecdsaPrivKeyTemplate), + &hECDSApubKey, &hECDSAprivKey); if (crv == CKR_OK) { - PKM_LogIt("DSA domain parameter generation succeeded\n"); + PKM_LogIt("ECDSA key pair generation succeeded\n"); } else { - PKM_Error("DSA domain parameter generation failed " - "with 0x%08X, %-26s\n", - crv, PKM_CK_RVtoStr(crv)); - return crv; - } - crv = pFunctionList->C_GetAttributeValue(hRwSession, hDsaParams, - dsaPubKeyTemplate, 3); - if (crv == CKR_OK) { - PKM_LogIt("Getting DSA domain parameters succeeded\n"); - } else { - PKM_Error("Getting DSA domain parameters failed " - "with 0x%08X, %-26s\n", - crv, PKM_CK_RVtoStr(crv)); - return crv; - } - crv = pFunctionList->C_DestroyObject(hRwSession, hDsaParams); - if (crv == CKR_OK) { - PKM_LogIt("Destroying DSA domain parameters succeeded\n"); - } else { - PKM_Error("Destroying DSA domain parameters failed " - "with 0x%08X, %-26s\n", - crv, PKM_CK_RVtoStr(crv)); - return crv; - } - - PKM_LogIt("Generate a DSA key pair ... \n"); - /* Generate a persistent DSA key pair */ - crv = pFunctionList->C_GenerateKeyPair(hRwSession, &dsaKeyPairGenMech, - dsaPubKeyTemplate, - NUM_ELEM(dsaPubKeyTemplate), - dsaPrivKeyTemplate, - NUM_ELEM(dsaPrivKeyTemplate), - &hDSApubKey, &hDSAprivKey); - if (crv == CKR_OK) { - PKM_LogIt("DSA key pair generation succeeded\n"); - } else { - PKM_Error("DSA key pair generation failed " + PKM_Error("ECDSA key pair generation failed " "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv)); return crv; @@ -1414,10 +1363,10 @@ PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunct } /* end of RSA for loop */ crv = PKM_PubKeySign(pFunctionList, hRwSession, - hDSApubKey, hDSAprivKey, - &dsaWithSha1Mech, PLAINTEXT, sizeof(PLAINTEXT)); + hECDSApubKey, hECDSAprivKey, + &ecdsaWithSha256Mech, PLAINTEXT, sizeof(PLAINTEXT)); if (crv == CKR_OK) { - PKM_LogIt("PKM_PubKeySign for DSAwithSHA1 succeeded \n\n"); + PKM_LogIt("PKM_PubKeySign for ECDSAwithSHA256 succeeded \n\n"); } else { PKM_Error("PKM_PubKeySign failed " "with 0x%08X, %-26s\n", @@ -1425,8 +1374,8 @@ PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunct return crv; } crv = PKM_DualFuncSign(pFunctionList, hRwSession, - hDSApubKey, hDSAprivKey, - &dsaWithSha1Mech, + hECDSApubKey, hECDSAprivKey, + &ecdsaWithSha256Mech, hAESSecKey, &mech_AES_CBC, PLAINTEXT, sizeof(PLAINTEXT)); if (crv == CKR_OK) { @@ -1439,44 +1388,44 @@ PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunct return crv; } crv = PKM_DualFuncSign(pFunctionList, hRwSession, - hDSApubKey, hDSAprivKey, - &dsaWithSha1Mech, + hECDSApubKey, hECDSAprivKey, + &ecdsaWithSha256Mech, hDES3SecKey, &mech_DES3_CBC, PLAINTEXT, sizeof(PLAINTEXT)); if (crv == CKR_OK) { PKM_LogIt("PKM_DualFuncSign with DES3 secret key succeeded " - "for DSAWithSHA1\n\n"); + "for ECDSAWithSHA256\n\n"); } else { PKM_Error("PKM_DualFuncSign with DES3 secret key failed " - "for DSAWithSHA1 with 0x%08X, %-26s\n", + "for ECDSAWithSHA256 with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv)); return crv; } crv = PKM_DualFuncSign(pFunctionList, hRwSession, - hDSApubKey, hDSAprivKey, - &dsaWithSha1Mech, + hECDSApubKey, hECDSAprivKey, + &ecdsaWithSha256Mech, hAESSecKey, &mech_AES_CBC_PAD, PLAINTEXT_PAD, sizeof(PLAINTEXT_PAD)); if (crv == CKR_OK) { PKM_LogIt("PKM_DualFuncSign with AES secret key CBC_PAD succeeded " - "for DSAWithSHA1\n\n"); + "for DSAWithSHA256\n\n"); } else { PKM_Error("PKM_DualFuncSign with AES secret key CBC_PAD failed " - "for DSAWithSHA1 with 0x%08X, %-26s\n", + "for DSAWithSHA256 with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv)); return crv; } crv = PKM_DualFuncSign(pFunctionList, hRwSession, - hDSApubKey, hDSAprivKey, - &dsaWithSha1Mech, + hECDSApubKey, hECDSAprivKey, + &ecdsaWithSha256Mech, hDES3SecKey, &mech_DES3_CBC_PAD, PLAINTEXT_PAD, sizeof(PLAINTEXT_PAD)); if (crv == CKR_OK) { PKM_LogIt("PKM_DualFuncSign with DES3 secret key CBC_PAD succeeded " - "for DSAWithSHA1\n\n"); + "for ECDSAWithSHA256\n\n"); } else { PKM_Error("PKM_DualFuncSign with DES3 secret key CBC_PAD failed " - "for DSAWithSHA1 with 0x%08X, %-26s\n", + "for ECDSAWithSHA256 with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv)); return crv; } @@ -3029,7 +2978,7 @@ PKM_PubKeySign(CK_FUNCTION_LIST_PTR pFun } /* Check that the mechanism is Multi-part */ - if (signMech->mechanism == CKM_DSA || + if (signMech->mechanism == CKM_ECDSA || signMech->mechanism == CKM_RSA_PKCS) { return crv; } @@ -3083,6 +3032,7 @@ PKM_PubKeySign(CK_FUNCTION_LIST_PTR pFun return crv; } +#define SHA256_LENGTH 32 CK_RV PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunctionList, CK_SLOT_ID *pSlotList, @@ -3092,19 +3042,14 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc CK_SESSION_HANDLE hSession; CK_RV crv = CKR_OK; - /*** DSA Key ***/ - CK_MECHANISM dsaParamGenMech; - CK_ULONG primeBits = 1024; - CK_ATTRIBUTE dsaParamGenTemplate[1]; - CK_OBJECT_HANDLE hDsaParams = CK_INVALID_HANDLE; - CK_BYTE DSA_P[128]; - CK_BYTE DSA_Q[20]; - CK_BYTE DSA_G[128]; - CK_MECHANISM dsaKeyPairGenMech; - CK_ATTRIBUTE dsaPubKeyTemplate[5]; - CK_ATTRIBUTE dsaPrivKeyTemplate[5]; - CK_OBJECT_HANDLE hDSApubKey = CK_INVALID_HANDLE; - CK_OBJECT_HANDLE hDSAprivKey = CK_INVALID_HANDLE; + /*** ECDSA Key ***/ + CK_MECHANISM ecdsaKeyPairGenMech; + CK_ATTRIBUTE ecdsaPubKeyTemplate[3]; + CK_ATTRIBUTE ecdsaPrivKeyTemplate[5]; + CK_OBJECT_HANDLE hECDSApubKey = CK_INVALID_HANDLE; + CK_OBJECT_HANDLE hECDSAprivKey = CK_INVALID_HANDLE; + CK_BYTE ECDSA_P256_PARAMS[] = + { 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 }; /* From SHA1ShortMsg.req, Len = 136 */ CK_BYTE MSG[] = { @@ -3115,69 +3060,57 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc 0x44 }; CK_BYTE MD[] = { - 0xf7, 0x5d, 0x92, 0xa4, - 0xbb, 0x4d, 0xec, 0xc3, - 0x7c, 0x5c, 0x72, 0xfa, - 0x04, 0x75, 0x71, 0x0a, - 0x06, 0x75, 0x8c, 0x1d + 0x88, 0x78, 0xe1, 0x1e, + 0x63, 0x74, 0xa9, 0xd9, + 0x90, 0xd0, 0xeb, 0x2c, + 0xeb, 0x62, 0x2b, 0x04, + 0x53, 0x9f, 0xa0, 0xfc }; - CK_BYTE sha1Digest[20]; - CK_ULONG sha1DigestLen; - CK_BYTE dsaSig[40]; - CK_ULONG dsaSigLen; - CK_MECHANISM sha1Mech = { - CKM_SHA_1, NULL, 0 + CK_BYTE sha256Digest[SHA256_LENGTH]; + CK_ULONG sha256DigestLen; + CK_BYTE ecdsaSig[SHA256_LENGTH*2+1]; + CK_ULONG ecdsaSigLen; + CK_MECHANISM sha256Mech = { + CKM_SHA256, NULL, 0 }; - CK_MECHANISM dsaMech = { - CKM_DSA, NULL, 0 + CK_MECHANISM ecdsaMech = { + CKM_ECDSA, NULL, 0 }; - CK_MECHANISM dsaWithSha1Mech = { - CKM_DSA_SHA1, NULL, 0 + CK_MECHANISM ecdsaWithSha256Mech = { + CKM_ECDSA_SHA256, NULL, 0 }; NUMTESTS++; /* increment NUMTESTS */ - /* DSA key init */ - dsaParamGenMech.mechanism = CKM_DSA_PARAMETER_GEN; - dsaParamGenMech.pParameter = NULL_PTR; - dsaParamGenMech.ulParameterLen = 0; - dsaParamGenTemplate[0].type = CKA_PRIME_BITS; - dsaParamGenTemplate[0].pValue = &primeBits; - dsaParamGenTemplate[0].ulValueLen = sizeof(primeBits); - dsaPubKeyTemplate[0].type = CKA_PRIME; - dsaPubKeyTemplate[0].pValue = DSA_P; - dsaPubKeyTemplate[0].ulValueLen = sizeof(DSA_P); - dsaPubKeyTemplate[1].type = CKA_SUBPRIME; - dsaPubKeyTemplate[1].pValue = DSA_Q; - dsaPubKeyTemplate[1].ulValueLen = sizeof(DSA_Q); - dsaPubKeyTemplate[2].type = CKA_BASE; - dsaPubKeyTemplate[2].pValue = DSA_G; - dsaPubKeyTemplate[2].ulValueLen = sizeof(DSA_G); - dsaPubKeyTemplate[3].type = CKA_TOKEN; - dsaPubKeyTemplate[3].pValue = &true; - dsaPubKeyTemplate[3].ulValueLen = sizeof(true); - dsaPubKeyTemplate[4].type = CKA_VERIFY; - dsaPubKeyTemplate[4].pValue = &true; - dsaPubKeyTemplate[4].ulValueLen = sizeof(true); - dsaKeyPairGenMech.mechanism = CKM_DSA_KEY_PAIR_GEN; - dsaKeyPairGenMech.pParameter = NULL_PTR; - dsaKeyPairGenMech.ulParameterLen = 0; - dsaPrivKeyTemplate[0].type = CKA_TOKEN; - dsaPrivKeyTemplate[0].pValue = &true; - dsaPrivKeyTemplate[0].ulValueLen = sizeof(true); - dsaPrivKeyTemplate[1].type = CKA_PRIVATE; - dsaPrivKeyTemplate[1].pValue = &true; - dsaPrivKeyTemplate[1].ulValueLen = sizeof(true); - dsaPrivKeyTemplate[2].type = CKA_SENSITIVE; - dsaPrivKeyTemplate[2].pValue = &true; - dsaPrivKeyTemplate[2].ulValueLen = sizeof(true); - dsaPrivKeyTemplate[3].type = CKA_SIGN, - dsaPrivKeyTemplate[3].pValue = &true; - dsaPrivKeyTemplate[3].ulValueLen = sizeof(true); - dsaPrivKeyTemplate[4].type = CKA_EXTRACTABLE; - dsaPrivKeyTemplate[4].pValue = &true; - dsaPrivKeyTemplate[4].ulValueLen = sizeof(true); + /* ECDSA key init */ + ecdsaPubKeyTemplate[0].type = CKA_EC_PARAMS; + ecdsaPubKeyTemplate[0].pValue = ECDSA_P256_PARAMS; + ecdsaPubKeyTemplate[0].ulValueLen = sizeof(ECDSA_P256_PARAMS); + ecdsaPubKeyTemplate[1].type = CKA_TOKEN; + ecdsaPubKeyTemplate[1].pValue = &true; + ecdsaPubKeyTemplate[1].ulValueLen = sizeof(true); + ecdsaPubKeyTemplate[2].type = CKA_VERIFY; + ecdsaPubKeyTemplate[2].pValue = &true; + ecdsaPubKeyTemplate[2].ulValueLen = sizeof(true); + ecdsaKeyPairGenMech.mechanism = CKM_ECDSA_KEY_PAIR_GEN; + ecdsaKeyPairGenMech.pParameter = NULL_PTR; + ecdsaKeyPairGenMech.ulParameterLen = 0; + ecdsaPrivKeyTemplate[0].type = CKA_TOKEN; + ecdsaPrivKeyTemplate[0].pValue = &true; + ecdsaPrivKeyTemplate[0].ulValueLen = sizeof(true); + ecdsaPrivKeyTemplate[1].type = CKA_PRIVATE; + ecdsaPrivKeyTemplate[1].pValue = &true; + ecdsaPrivKeyTemplate[1].ulValueLen = sizeof(true); + ecdsaPrivKeyTemplate[2].type = CKA_SENSITIVE; + ecdsaPrivKeyTemplate[2].pValue = &true; + ecdsaPrivKeyTemplate[2].ulValueLen = sizeof(true); + ecdsaPrivKeyTemplate[3].type = CKA_SIGN, + ecdsaPrivKeyTemplate[3].pValue = &true; + ecdsaPrivKeyTemplate[3].ulValueLen = sizeof(true); + ecdsaPrivKeyTemplate[4].type = CKA_EXTRACTABLE; + ecdsaPrivKeyTemplate[4].pValue = &true; + ecdsaPrivKeyTemplate[4].ulValueLen = sizeof(true); crv = pFunctionList->C_OpenSession(pSlotList[slotID], CKF_RW_SESSION | CKF_SERIAL_SESSION, @@ -3198,88 +3131,60 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc return crv; } - PKM_LogIt("Generate DSA PQG domain parameters ... \n"); - /* Generate DSA domain parameters PQG */ - crv = pFunctionList->C_GenerateKey(hSession, &dsaParamGenMech, - dsaParamGenTemplate, - 1, - &hDsaParams); - if (crv == CKR_OK) { - PKM_LogIt("DSA domain parameter generation succeeded\n"); - } else { - PKM_Error("DSA domain parameter generation failed " - "with 0x%08X, %-26s\n", - crv, PKM_CK_RVtoStr(crv)); - return crv; - } - crv = pFunctionList->C_GetAttributeValue(hSession, hDsaParams, - dsaPubKeyTemplate, 3); - if (crv == CKR_OK) { - PKM_LogIt("Getting DSA domain parameters succeeded\n"); - } else { - PKM_Error("Getting DSA domain parameters failed " - "with 0x%08X, %-26s\n", - crv, PKM_CK_RVtoStr(crv)); - return crv; - } - crv = pFunctionList->C_DestroyObject(hSession, hDsaParams); - if (crv == CKR_OK) { - PKM_LogIt("Destroying DSA domain parameters succeeded\n"); - } else { - PKM_Error("Destroying DSA domain parameters failed " - "with 0x%08X, %-26s\n", - crv, PKM_CK_RVtoStr(crv)); - return crv; - } - - PKM_LogIt("Generate a DSA key pair ... \n"); - /* Generate a persistent DSA key pair */ - crv = pFunctionList->C_GenerateKeyPair(hSession, &dsaKeyPairGenMech, - dsaPubKeyTemplate, - NUM_ELEM(dsaPubKeyTemplate), - dsaPrivKeyTemplate, - NUM_ELEM(dsaPrivKeyTemplate), - &hDSApubKey, &hDSAprivKey); + PKM_LogIt("Generate a ECDSA key pair ... \n"); + /* Generate a persistent ECDSA key pair */ + crv = pFunctionList->C_GenerateKeyPair(hSession, &ecdsaKeyPairGenMech, + ecdsaPubKeyTemplate, + NUM_ELEM(ecdsaPubKeyTemplate), + ecdsaPrivKeyTemplate, + NUM_ELEM(ecdsaPrivKeyTemplate), + &hECDSApubKey, &hECDSAprivKey); if (crv == CKR_OK) { - PKM_LogIt("DSA key pair generation succeeded\n"); + PKM_LogIt("ECDSA key pair generation succeeded\n"); } else { - PKM_Error("DSA key pair generation failed " + PKM_Error("ECDSA key pair generation failed " "with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv)); return crv; } /* Compute SHA-1 digest */ - crv = pFunctionList->C_DigestInit(hSession, &sha1Mech); + crv = pFunctionList->C_DigestInit(hSession, &sha256Mech); if (crv != CKR_OK) { PKM_Error("C_DigestInit failed with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv)); return crv; } - sha1DigestLen = sizeof(sha1Digest); + sha256DigestLen = sizeof(sha256Digest); crv = pFunctionList->C_Digest(hSession, MSG, sizeof(MSG), - sha1Digest, &sha1DigestLen); + sha256Digest, &sha256DigestLen); if (crv != CKR_OK) { PKM_Error("C_Digest failed with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv)); return crv; } - if (sha1DigestLen != sizeof(sha1Digest)) { - PKM_Error("sha1DigestLen is %lu\n", sha1DigestLen); + if (sha256DigestLen != sizeof(sha256Digest)) { + PKM_Error("sha1DigestLen is %lu\n", sha256DigestLen); return crv; } - if (memcmp(sha1Digest, MD, sizeof(MD)) == 0) { - PKM_LogIt("SHA-1 SHA1ShortMsg test case Len = 136 passed\n"); + if (memcmp(sha256Digest, MD, sizeof(MD)) == 0) { + PKM_LogIt("SHA-256 SHA256ShortMsg test case Len = 136 passed\n"); } else { - PKM_Error("SHA-1 SHA1ShortMsg test case Len = 136 failed\n"); + int i; + PKM_Error("SHA-256 SHA256ShortMsg test case Len = 136 failed\n"); + fprintf(stderr, "sha256Digest: "); + for (i=0; i < sizeof(MD); i++) fprintf(stderr, " 0x%02x", sha256Digest[i]); + fprintf(stderr, "\nMD: "); + for (i=0; i < sizeof(MD); i++) fprintf(stderr, " 0x%02x", MD[i]); + fprintf(stderr, "\n"); } crv = PKM_PubKeySign(pFunctionList, hSession, - hDSApubKey, hDSAprivKey, - &dsaMech, sha1Digest, sizeof(sha1Digest)); + hECDSApubKey, hECDSAprivKey, + &ecdsaMech, sha256Digest, sizeof(sha256Digest)); if (crv == CKR_OK) { - PKM_LogIt("PKM_PubKeySign CKM_DSA succeeded \n"); + PKM_LogIt("PKM_PubKeySign CKM_ECDSA succeeded \n"); } else { PKM_Error("PKM_PubKeySign failed " "with 0x%08X, %-26s\n", @@ -3287,10 +3192,10 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc return crv; } crv = PKM_PubKeySign(pFunctionList, hSession, - hDSApubKey, hDSAprivKey, - &dsaWithSha1Mech, PLAINTEXT, sizeof(PLAINTEXT)); + hECDSApubKey, hECDSAprivKey, + &ecdsaWithSha256Mech, PLAINTEXT, sizeof(PLAINTEXT)); if (crv == CKR_OK) { - PKM_LogIt("PKM_PubKeySign CKM_DSA_SHA1 succeeded \n"); + PKM_LogIt("PKM_PubKeySign CKM_DSA_SHA256 succeeded \n"); } else { PKM_Error("PKM_PubKeySign failed " "with 0x%08X, %-26s\n", @@ -3298,16 +3203,16 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc return crv; } - /* Sign with DSA */ - crv = pFunctionList->C_SignInit(hSession, &dsaMech, hDSAprivKey); + /* Sign with ECDSA */ + crv = pFunctionList->C_SignInit(hSession, &ecdsaMech, hECDSAprivKey); if (crv != CKR_OK) { PKM_Error("C_SignInit failed with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv)); return crv; } - dsaSigLen = sizeof(dsaSig); - crv = pFunctionList->C_Sign(hSession, sha1Digest, sha1DigestLen, - dsaSig, &dsaSigLen); + ecdsaSigLen = sizeof(ecdsaSig); + crv = pFunctionList->C_Sign(hSession, sha256Digest, sha256DigestLen, + ecdsaSig, &ecdsaSigLen); if (crv != CKR_OK) { PKM_Error("C_Sign failed with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv)); @@ -3315,14 +3220,14 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc } /* Verify the DSA signature */ - crv = pFunctionList->C_VerifyInit(hSession, &dsaMech, hDSApubKey); + crv = pFunctionList->C_VerifyInit(hSession, &ecdsaMech, hECDSApubKey); if (crv != CKR_OK) { PKM_Error("C_VerifyInit failed with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv)); return crv; } - crv = pFunctionList->C_Verify(hSession, sha1Digest, sha1DigestLen, - dsaSig, dsaSigLen); + crv = pFunctionList->C_Verify(hSession, sha256Digest, sha256DigestLen, + ecdsaSig, ecdsaSigLen); if (crv == CKR_OK) { PKM_LogIt("C_Verify succeeded\n"); } else { @@ -3332,8 +3237,8 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc } /* Verify the signature in a different way */ - crv = pFunctionList->C_VerifyInit(hSession, &dsaWithSha1Mech, - hDSApubKey); + crv = pFunctionList->C_VerifyInit(hSession, &ecdsaWithSha256Mech, + hECDSApubKey); if (crv != CKR_OK) { PKM_Error("C_VerifyInit failed with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv)); @@ -3351,7 +3256,7 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc PKM_CK_RVtoStr(crv)); return crv; } - crv = pFunctionList->C_VerifyFinal(hSession, dsaSig, dsaSigLen); + crv = pFunctionList->C_VerifyFinal(hSession, ecdsaSig, ecdsaSigLen); if (crv == CKR_OK) { PKM_LogIt("C_VerifyFinal succeeded\n"); } else { @@ -3361,8 +3266,8 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc } /* Verify the signature in a different way */ - crv = pFunctionList->C_VerifyInit(hSession, &dsaWithSha1Mech, - hDSApubKey); + crv = pFunctionList->C_VerifyInit(hSession, &ecdsaWithSha256Mech, + hECDSApubKey); if (crv != CKR_OK) { PKM_Error("C_VerifyInit failed with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv)); @@ -3380,7 +3285,7 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc crv, PKM_CK_RVtoStr(crv)); return crv; } - crv = pFunctionList->C_VerifyFinal(hSession, dsaSig, dsaSigLen); + crv = pFunctionList->C_VerifyFinal(hSession, ecdsaSig, ecdsaSigLen); if (crv == CKR_OK) { PKM_LogIt("C_VerifyFinal of multi update succeeded.\n"); } else { @@ -3391,28 +3296,28 @@ PKM_PublicKey(CK_FUNCTION_LIST_PTR pFunc /* Now modify the data */ MSG[0] += 1; /* Compute SHA-1 digest */ - crv = pFunctionList->C_DigestInit(hSession, &sha1Mech); + crv = pFunctionList->C_DigestInit(hSession, &sha256Mech); if (crv != CKR_OK) { PKM_Error("C_DigestInit failed with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv)); return crv; } - sha1DigestLen = sizeof(sha1Digest); + sha256DigestLen = sizeof(sha256Digest); crv = pFunctionList->C_Digest(hSession, MSG, sizeof(MSG), - sha1Digest, &sha1DigestLen); + sha256Digest, &sha256DigestLen); if (crv != CKR_OK) { PKM_Error("C_Digest failed with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv)); return crv; } - crv = pFunctionList->C_VerifyInit(hSession, &dsaMech, hDSApubKey); + crv = pFunctionList->C_VerifyInit(hSession, &ecdsaMech, hECDSApubKey); if (crv != CKR_OK) { PKM_Error("C_VerifyInit failed with 0x%08X, %-26s\n", crv, PKM_CK_RVtoStr(crv)); return crv; } - crv = pFunctionList->C_Verify(hSession, sha1Digest, sha1DigestLen, - dsaSig, dsaSigLen); + crv = pFunctionList->C_Verify(hSession, sha256Digest, sha256DigestLen, + ecdsaSig, ecdsaSigLen); if (crv != CKR_SIGNATURE_INVALID) { PKM_Error("C_Verify of modified data succeeded\n"); return crv; @@ -5020,7 +4925,7 @@ PKM_DualFuncSign(CK_FUNCTION_LIST_PTR pF NUMTESTS++; /* increment NUMTESTS */ /* Check that the mechanism is Multi-part */ - if (sigMech->mechanism == CKM_DSA || sigMech->mechanism == CKM_RSA_PKCS) { + if (sigMech->mechanism == CKM_ECDSA || sigMech->mechanism == CKM_RSA_PKCS) { PKM_Error("PKM_DualFuncSign must be called with a Multi-part " "operation mechanism\n"); return CKR_DEVICE_ERROR; diff -up ./coreconf/config.mk.disable_dsa ./coreconf/config.mk --- ./coreconf/config.mk.disable_dsa 2024-06-07 09:26:03.000000000 -0700 +++ ./coreconf/config.mk 2024-06-17 09:38:50.438019407 -0700 @@ -183,6 +183,10 @@ ifdef NSS_DISABLE_DBM DEFINES += -DNSS_DISABLE_DBM endif +ifdef NSS_DISABLE_DSA +DEFINES += -DNSS_DISABLE_DSA +endif + ifdef NSS_DISABLE_AVX2 DEFINES += -DNSS_DISABLE_AVX2 endif diff -up ./gtests/pk11_gtest/manifest.mn.disable_dsa ./gtests/pk11_gtest/manifest.mn --- ./gtests/pk11_gtest/manifest.mn.disable_dsa 2024-06-07 09:26:03.000000000 -0700 +++ ./gtests/pk11_gtest/manifest.mn 2024-06-17 09:38:50.438019407 -0700 @@ -6,6 +6,10 @@ CORE_DEPTH = ../.. DEPTH = ../.. MODULE = nss +ifndef NSS_DISABLE_DSA + DSA_UNIT_TESTS=pk11_dsa_unittest.cc +endif + CPPSRCS = \ json_reader.cc \ pk11_aes_gcm_unittest.cc \ @@ -17,7 +21,7 @@ CPPSRCS = \ pk11_curve25519_unittest.cc \ pk11_der_private_key_import_unittest.cc \ pk11_des_unittest.cc \ - pk11_dsa_unittest.cc \ + ${DSA_UNIT_TESTS} \ pk11_ecdsa_unittest.cc \ pk11_eddsa_unittest.cc \ pk11_ecdh_unittest.cc \ diff -up ./gtests/pk11_gtest/pk11_import_unittest.cc.disable_dsa ./gtests/pk11_gtest/pk11_import_unittest.cc --- ./gtests/pk11_gtest/pk11_import_unittest.cc.disable_dsa 2024-06-07 09:26:03.000000000 -0700 +++ ./gtests/pk11_gtest/pk11_import_unittest.cc 2024-06-17 09:38:50.438019407 -0700 @@ -261,7 +261,9 @@ TEST_P(Pk11KeyImportTest, GenerateExport INSTANTIATE_TEST_SUITE_P(Pk11KeyImportTest, Pk11KeyImportTest, ::testing::Values(CKM_RSA_PKCS_KEY_PAIR_GEN, +#ifndef NSS_DISABLE_DSA CKM_DSA_KEY_PAIR_GEN, +#endif CKM_DH_PKCS_KEY_PAIR_GEN)); class Pk11KeyImportTestEC : public Pk11KeyImportTestBase, diff -up ./gtests/ssl_gtest/ssl_auth_unittest.cc.disable_dsa ./gtests/ssl_gtest/ssl_auth_unittest.cc --- ./gtests/ssl_gtest/ssl_auth_unittest.cc.disable_dsa 2024-06-07 09:26:03.000000000 -0700 +++ ./gtests/ssl_gtest/ssl_auth_unittest.cc 2024-06-17 09:38:50.438019407 -0700 @@ -532,6 +532,7 @@ TEST_P(TlsConnectTls12, AutoClientSelect EXPECT_TRUE(ecc.hookCalled); } +#ifndef NSS_DISABLE_DSA TEST_P(TlsConnectTls12, AutoClientSelectDsa) { AutoClientResults dsa = {{SECFailure, TlsAgent::kClient}, {SECFailure, TlsAgent::kClient}, @@ -548,6 +549,7 @@ TEST_P(TlsConnectTls12, AutoClientSelect Connect(); EXPECT_TRUE(dsa.hookCalled); } +#endif TEST_P(TlsConnectClientAuthStream13, PostHandshakeAuthMultiple) { client_->SetupClientAuth(std::get<2>(GetParam()), true); @@ -1841,7 +1843,7 @@ TEST_F(TlsAgentStreamTestServer, Configu // A server should refuse to even start a handshake with // misconfigured certificate and signature scheme. TEST_P(TlsConnectTls12Plus, MisconfiguredCertScheme) { - Reset(TlsAgent::kServerDsa); + Reset(TlsAgent::kServerRsaSign); static const SSLSignatureScheme kScheme[] = {ssl_sig_ecdsa_secp256r1_sha256}; server_->SetSignatureSchemes(kScheme, PR_ARRAY_SIZE(kScheme)); ConnectExpectAlert(server_, kTlsAlertHandshakeFailure); @@ -1882,6 +1884,9 @@ TEST_P(TlsConnectTls13, Tls13DsaOnlyClie client_->CheckErrorCode(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM); } +#ifndef NSS_DISABLE_DSA +// can't test a dsa only server becasue we can't generate a server +// DSA certificate TEST_P(TlsConnectTls13, Tls13DsaOnlyServer) { Reset(TlsAgent::kServerDsa); static const SSLSignatureScheme kDsa[] = {ssl_sig_dsa_sha256}; @@ -1890,6 +1895,7 @@ TEST_P(TlsConnectTls13, Tls13DsaOnlyServ server_->CheckErrorCode(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM); client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP); } +#endif TEST_P(TlsConnectTls13, Tls13Pkcs1OnlyClient) { static const SSLSignatureScheme kPkcs1[] = {ssl_sig_rsa_pkcs1_sha256}; diff -up ./gtests/ssl_gtest/ssl_ciphersuite_unittest.cc.disable_dsa ./gtests/ssl_gtest/ssl_ciphersuite_unittest.cc --- ./gtests/ssl_gtest/ssl_ciphersuite_unittest.cc.disable_dsa 2024-06-07 09:26:03.000000000 -0700 +++ ./gtests/ssl_gtest/ssl_ciphersuite_unittest.cc 2024-06-17 09:38:50.438019407 -0700 @@ -383,8 +383,10 @@ INSTANTIATE_CIPHER_TEST_P(AEAD12, All, V kDummySignatureSchemesParams, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, +#ifndef NSS_DISABLE_DSA TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, +#endif TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384); INSTANTIATE_CIPHER_TEST_P(AEAD, All, V12, kDummyNamedGroupParams, @@ -395,16 +397,20 @@ INSTANTIATE_CIPHER_TEST_P(AEAD, All, V12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, - TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256); + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256); INSTANTIATE_CIPHER_TEST_P( CBC12, All, V12, kDummyNamedGroupParams, kDummySignatureSchemesParams, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, - TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256); + TLS_RSA_WITH_AES_128_CBC_SHA256 +#ifndef NSS_DISABLE_DSA + , TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 +#endif + ); INSTANTIATE_CIPHER_TEST_P( CBCStream, Stream, V10ToV12, kDummyNamedGroupParams, kDummySignatureSchemesParams, TLS_ECDH_ECDSA_WITH_NULL_SHA, @@ -431,8 +437,12 @@ INSTANTIATE_CIPHER_TEST_P( TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, - TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256); + TLS_RSA_WITH_AES_128_CBC_SHA256 +#ifndef NSS_DISABLE_DSA + , TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 +#endif + ); #ifndef NSS_DISABLE_TLS_1_3 INSTANTIATE_CIPHER_TEST_P(TLS13, All, V13, ::testing::ValuesIn(kFasterDHEGroups), diff -up ./gtests/ssl_gtest/ssl_dhe_unittest.cc.disable_dsa ./gtests/ssl_gtest/ssl_dhe_unittest.cc --- ./gtests/ssl_gtest/ssl_dhe_unittest.cc.disable_dsa 2024-06-07 09:26:03.000000000 -0700 +++ ./gtests/ssl_gtest/ssl_dhe_unittest.cc 2024-06-17 09:45:33.575416837 -0700 @@ -622,6 +622,7 @@ class TlsDheSkeChangeSignature : public size_t len_; }; +#ifndef NSS_DISABLE_DSA TEST_P(TlsConnectGenericPre13, InvalidDERSignatureFfdhe) { const uint8_t kBogusDheSignature[] = { 0x30, 0x69, 0x3c, 0x02, 0x1c, 0x7d, 0x0b, 0x2f, 0x64, 0x00, 0x27, @@ -642,6 +643,7 @@ TEST_P(TlsConnectGenericPre13, InvalidDE ConnectExpectAlert(client_, kTlsAlertDecryptError); client_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE); } +#endif TEST_P(TlsConnectTls12, ConnectInconsistentSigAlgDHE) { EnableOnlyDheCiphers(); diff -up ./gtests/ssl_gtest/ssl_extension_unittest.cc.disable_dsa ./gtests/ssl_gtest/ssl_extension_unittest.cc --- ./gtests/ssl_gtest/ssl_extension_unittest.cc.disable_dsa 2024-06-07 09:26:03.000000000 -0700 +++ ./gtests/ssl_gtest/ssl_extension_unittest.cc 2024-06-17 09:38:50.438019407 -0700 @@ -651,7 +651,10 @@ TEST_P(TlsExtensionTest12, SignatureAlgo } } +#ifndef NSS_DISABLE_DSA // This only works on TLS 1.2, since it relies on DSA. +// and doesn't work if we've disabled DSA (Reset(TlsAgent:kServerDSA) fail +// because we don't have a DSA certificate) TEST_P(TlsExtensionTest12, SignatureAlgorithmDisableDSA) { const std::vector schemes = { ssl_sig_dsa_sha1, ssl_sig_dsa_sha256, ssl_sig_dsa_sha384, @@ -700,6 +703,7 @@ TEST_P(TlsExtensionTest12, SignatureAlgo EXPECT_TRUE(ext2.Read(2, 2, &v)); EXPECT_EQ(ssl_sig_rsa_pss_rsae_sha256, v); } +#endif // Temporary test to verify that we choke on an empty ClientKeyShare. // This test will fail when we implement HelloRetryRequest. diff -up ./lib/softoken/pkcs11c.c.disable_dsa ./lib/softoken/pkcs11c.c --- ./lib/softoken/pkcs11c.c.disable_dsa 2024-06-17 09:38:50.434019363 -0700 +++ ./lib/softoken/pkcs11c.c 2024-06-17 09:38:50.439019418 -0700 @@ -2665,6 +2665,7 @@ sftk_RSASignPSS(SFTKPSSSignInfo *info, u return rv; } +#ifndef NSS_DISABLE_DSA static SECStatus nsc_DSA_Verify_Stub(void *ctx, void *sigBuf, unsigned int sigLen, void *dataBuf, unsigned int dataLen) @@ -2690,6 +2691,7 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu *sigLen = signature.len; return rv; } +#endif static SECStatus nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen, @@ -2905,6 +2907,7 @@ NSC_SignInit(CK_SESSION_HANDLE hSession, context->maxLen = nsslowkey_PrivateModulusLen(pinfo->key); break; +#ifndef NSS_DISABLE_DSA #define INIT_DSA_SIG_MECH(mmm) \ case CKM_DSA_##mmm: \ context->multi = PR_TRUE; \ @@ -2933,6 +2936,7 @@ NSC_SignInit(CK_SESSION_HANDLE hSession, context->maxLen = DSA_MAX_SIGNATURE_LEN; break; +#endif #define INIT_ECDSA_SIG_MECH(mmm) \ case CKM_ECDSA_##mmm: \ @@ -3717,6 +3721,7 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio context->verify = (SFTKVerify)sftk_RSACheckSignPSS; break; +#ifndef NSS_DISABLE_DSA INIT_DSA_SIG_MECH(SHA1) INIT_DSA_SIG_MECH(SHA224) INIT_DSA_SIG_MECH(SHA256) @@ -3736,6 +3741,7 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio context->verify = (SFTKVerify)nsc_DSA_Verify_Stub; context->destroy = sftk_Null; break; +#endif INIT_ECDSA_SIG_MECH(SHA1) INIT_ECDSA_SIG_MECH(SHA224) @@ -4753,12 +4759,16 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi key_gen_type = nsc_pbe; crv = nsc_SetupPBEKeyGen(pMechanism, &pbe_param, &key_type, &key_length); break; +/*#ifndef NSS_DISABLE_DSA */ +/* some applications use CKM_DSA_PARAMTER_GEN for week DH keys... + * most notably tests... continue to allow it for now */ case CKM_DSA_PARAMETER_GEN: key_gen_type = nsc_param; key_type = CKK_DSA; objclass = CKO_DOMAIN_PARAMETERS; crv = CKR_OK; break; +/* #endif */ case CKM_NSS_JPAKE_ROUND1_SHA1: hashType = HASH_AlgSHA1; goto jpake1; @@ -5121,11 +5131,13 @@ sftk_PairwiseConsistencyCheck(CK_SESSION signature_length = modulusLen; mech.mechanism = CKM_RSA_PKCS; break; +#ifndef NSS_DISABLE_DSA case CKK_DSA: signature_length = DSA_MAX_SIGNATURE_LEN; pairwise_digest_length = subPrimeLen; mech.mechanism = CKM_DSA; break; +#endif case CKK_EC: signature_length = MAX_ECKEY_LEN * 2; mech.mechanism = CKM_ECDSA; @@ -5373,10 +5385,12 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS SECItem pubExp; RSAPrivateKey *rsaPriv; + DHParams dhParam; +#ifndef NSS_DISABLE_DSA /* DSA */ PQGParams pqgParam; - DHParams dhParam; DSAPrivateKey *dsaPriv; +#endif /* Diffie Hellman */ DHPrivateKey *dhPriv; @@ -5552,6 +5566,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS /* Should zeroize the contents first, since this func doesn't. */ PORT_FreeArena(rsaPriv->arena, PR_TRUE); break; +#ifndef NSS_DISABLE_DSA case CKM_DSA_KEY_PAIR_GEN: sftk_DeleteAttributeType(publicKey, CKA_VALUE); sftk_DeleteAttributeType(privateKey, CKA_NSS_DB); @@ -5663,6 +5678,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS /* should zeroize, since this function doesn't. */ PORT_FreeArena(dsaPriv->params.arena, PR_TRUE); break; +#endif case CKM_DH_PKCS_KEY_PAIR_GEN: sftk_DeleteAttributeType(privateKey, CKA_PRIME); diff -up ./lib/softoken/pkcs11.c.disable_dsa ./lib/softoken/pkcs11.c --- ./lib/softoken/pkcs11.c.disable_dsa 2024-06-07 09:26:03.000000000 -0700 +++ ./lib/softoken/pkcs11.c 2024-06-17 09:38:50.439019418 -0700 @@ -359,6 +359,7 @@ static const struct mechanismList mechan { CKM_SHA384_RSA_PKCS_PSS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE }, { CKM_SHA512_RSA_PKCS_PSS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE }, /* ------------------------- DSA Operations --------------------------- */ +#ifndef NSS_DISABLE_DSA { CKM_DSA_KEY_PAIR_GEN, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_GENERATE_KEY_PAIR }, PR_TRUE }, { CKM_DSA, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE }, { CKM_DSA_PARAMETER_GEN, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_GENERATE }, PR_TRUE }, @@ -367,6 +368,7 @@ static const struct mechanismList mechan { CKM_DSA_SHA256, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE }, { CKM_DSA_SHA384, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE }, { CKM_DSA_SHA512, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE }, +#endif /* -------------------- Diffie Hellman Operations --------------------- */ /* no diffie hellman yet */ { CKM_DH_PKCS_KEY_PAIR_GEN, { DH_MIN_P_BITS, DH_MAX_P_BITS, CKF_GENERATE_KEY_PAIR }, PR_TRUE }, diff -up ./tests/cert/cert.sh.disable_dsa ./tests/cert/cert.sh --- ./tests/cert/cert.sh.disable_dsa 2024-06-07 09:26:03.000000000 -0700 +++ ./tests/cert/cert.sh 2024-06-17 09:38:50.440019429 -0700 @@ -288,12 +288,14 @@ cert_create_cert() return $RET fi + if [ -z "$NSS_DISABLE_DSA" ]; then CU_ACTION="Import DSA Root CA for $CERTNAME" certu -A -n "TestCA-dsa" -t "TC,TC,TC" -f "${R_PWFILE}" \ -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-dsa.ca.cert" 2>&1 if [ "$RET" -ne 0 ]; then return $RET fi + fi CU_ACTION="Import EC Root CA for $CERTNAME" @@ -342,6 +344,7 @@ cert_add_cert() # # Generate and add DSA cert # + if [ -z "$NSS_DISABLE_DSA" ]; then CU_ACTION="Generate DSA Cert Request for $CERTNAME" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \ @@ -392,6 +395,7 @@ cert_add_cert() return $RET fi cert_log "SUCCESS: $CERTNAME's mixed DSA Cert Created" + fi # # Generate and add EC cert @@ -504,6 +508,7 @@ cert_all_CA() # in the chain + if [ -z "$NSS_DISABLE_DSA" ]; then # # Create DSA version of TestCA ALL_CU_SUBJECT="CN=NSS Test CA (DSA), O=BOGUS NSS, L=Mountain View, ST=California, C=US" @@ -527,6 +532,7 @@ cert_all_CA() rm $CLIENT_CADIR/dsaroot.cert $SERVER_CADIR/dsaroot.cert # dsaroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last # in the chain + fi # # Create RSA-PSS version of TestCA @@ -988,6 +994,7 @@ cert_extended_ssl() certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \ -i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1 + if [ -z "$NSS_DISABLE_DSA" ]; then # # Repeat the above for DSA certs # @@ -1031,6 +1038,7 @@ cert_extended_ssl() # certu -A -n "clientCA-dsamixed" -t "T,," -f "${R_PWFILE}" \ # -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-dsamixed.ca.cert" \ # 2>&1 + fi # # Repeat the above for EC certs @@ -1084,18 +1092,18 @@ cert_extended_ssl() # we'll use one of the longer nicknames for testing. # (Because "grep -w hostname" matches "grep -w hostname-dsamixed") MYDBPASS="-d ${PROFILEDIR} -f ${R_PWFILE}" - TESTNAME="Ensure there's exactly one match for ${CERTNAME}-dsamixed" - cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-dsamixed" 0 1 "${TESTNAME}" + TESTNAME="Ensure there's exactly one match for ${CERTNAME}-ecmixed" + cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-ecmixed" 0 1 "${TESTNAME}" - CU_ACTION="Repeated import of $CERTNAME's mixed DSA Cert with different nickname" - certu -A -n "${CERTNAME}-repeated-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \ - -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1 + CU_ACTION="Repeated import of $CERTNAME's mixed EC Cert with different nickname" + certu -A -n "${CERTNAME}-repeated-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \ + -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1 - TESTNAME="Ensure there's still exactly one match for ${CERTNAME}-dsamixed" - cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-dsamixed" 0 1 "${TESTNAME}" + TESTNAME="Ensure there's still exactly one match for ${CERTNAME}-ecmixed" + cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-ecmixed" 0 1 "${TESTNAME}" - TESTNAME="Ensure there's zero matches for ${CERTNAME}-repeated-dsamixed" - cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-repeated-dsamixed" 0 0 "${TESTNAME}" + TESTNAME="Ensure there's zero matches for ${CERTNAME}-repeated-ecmixed" + cert_check_nickname_exists "$MYDBPASS" "${CERTNAME}-repeated-ecmixed" 0 0 "${TESTNAME}" echo "Importing all the server's own CA chain into the servers DB" for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ; @@ -1140,6 +1148,7 @@ cert_extended_ssl() # # Repeat the above for DSA certs # + if [ -z "$NSS_DISABLE_DSA" ]; then CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)" CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ @@ -1183,6 +1192,7 @@ cert_extended_ssl() # # done with mixed DSA certs # + fi # # Repeat the above for EC certs @@ -1273,8 +1283,10 @@ cert_ssl() CU_ACTION="Modify trust attributes of Root CA -t TC,TC,TC" certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}" + if [ -z "$NSS_DISABLE_DSA" ]; then CU_ACTION="Modify trust attributes of DSA Root CA -t TC,TC,TC" certu -M -n "TestCA-dsa" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}" + fi CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC" certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}" @@ -1383,9 +1395,14 @@ MODSCRIPT certu -G -k rsa -g 2048 -y 17 -d "${PROFILEDIR}" -z ${R_NOISE_FILE} -f "${R_FIPSPWFILE}" RETEXPECTED=0 + if [ -z "$NSS_DISABLE_DSA" ]; then + FIPS_KEY="-k dsa" + else + FIPS_KEY="-k ec -q nistp256" + fi CU_ACTION="Generate Certificate for ${CERTNAME}" CU_SUBJECT="CN=${CERTNAME}, E=fips@example.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US" - certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1 + certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" ${FIPS_KEY} -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1 if [ "$RET" -eq 0 ]; then cert_log "SUCCESS: FIPS passed" fi @@ -1817,6 +1834,7 @@ EOF_CRLINI chmod 600 ${CRL_FILE_GRP_1}_or + if [ -z "$NSS_DISABLE_DSA" ]; then CU_ACTION="Generating CRL (DSA) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-dsa authority" # Until Bug 292285 is resolved, do not encode x400 Addresses. After @@ -1831,6 +1849,7 @@ addext issuerAltNames 0 "rfc822Name:ca-d EOF_CRLINI CRL_GEN_RES=`expr $? + $CRL_GEN_RES` chmod 600 ${CRL_FILE_GRP_1}_or-dsa + fi @@ -1867,6 +1886,7 @@ EOF_CRLINI TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or" + if [ -z "$NSS_DISABLE_DSA" ]; then CU_ACTION="Modify CRL (DSA) by adding one more cert" crlu -d $CADIR -M -n "TestCA-dsa" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or1-dsa \ -i ${CRL_FILE_GRP_1}_or-dsa <
" >> ${PERFRESULTS} fi +if [ -z "${NSS_DISABLE_DSA}" ]; then if [ $TESTSET = "all" -o $TESTSET = "dsa" ]; then while read mode keysize bufsize reps cxreps @@ -124,6 +125,7 @@ done < ${DSAPERFOUT} echo "
" >> ${PERFRESULTS} fi +fi if [ $TESTSET = "all" -o $TESTSET = "hash" ]; then while read mode bufsize reps diff -up ./tests/dbtests/dbtests.sh.disable_dsa ./tests/dbtests/dbtests.sh --- ./tests/dbtests/dbtests.sh.disable_dsa 2024-06-17 09:38:50.412019123 -0700 +++ ./tests/dbtests/dbtests.sh 2024-06-17 09:38:50.440019429 -0700 @@ -257,7 +257,13 @@ dbtest_main() fi # import a token private key and make sure the corresponding public key is # created - ${BINDIR}/pk11importtest -d ${CONFLICT_DIR} -f ${R_PWFILE} + IMPORT_OPTIONS="" + if [ -n "$NSS_DISABLE_DSA" ]; then + IMPORT_OPTIONS="-D noDSA" + fi + Echo "Importing Token Private Key" + echo "pk11importtest ${IMPORT_OPTIONS} -d ${CONFLICT_DIR} -f ${R_PWFILE}" + ${BINDIR}/pk11importtest ${IMPORT_OPTIONS} -d ${CONFLICT_DIR} -f ${R_PWFILE} ret=$? if [ $ret -ne 0 ]; then html_failed "Importing Token Private Key does not create the corrresponding Public Key" diff -up ./tests/ssl_gtests/ssl_gtests.sh.disable_dsa ./tests/ssl_gtests/ssl_gtests.sh --- ./tests/ssl_gtests/ssl_gtests.sh.disable_dsa 2024-06-07 09:26:03.000000000 -0700 +++ ./tests/ssl_gtests/ssl_gtests.sh 2024-06-17 09:38:50.440019429 -0700 @@ -56,7 +56,9 @@ ssl_gtest_certs() { make_cert rsa_pss_chain rsapss_chain sign make_cert rsa_ca_rsa_pss_chain rsa_ca_rsapss_chain sign make_cert ecdh_rsa ecdh_rsa kex - make_cert dsa dsa sign + if [ -z "${NSS_DISABLE_DSA}" ]; then + make_cert dsa dsa sign + fi make_cert delegator_ecdsa256 delegator_p256 sign make_cert delegator_rsae2048 delegator_rsae2048 sign make_cert delegator_rsa_pss2048 delegator_rsa_pss2048 sign diff -up ./tests/ssl/sslcov.txt.disable_dsa ./tests/ssl/sslcov.txt --- ./tests/ssl/sslcov.txt.disable_dsa 2024-06-07 09:26:03.000000000 -0700 +++ ./tests/ssl/sslcov.txt 2024-06-17 09:38:50.440019429 -0700 @@ -16,7 +16,6 @@ noECC SSL3 y SSL3_RSA_WITH_AES_256_CBC_SHA noECC SSL3 z SSL3_RSA_WITH_NULL_SHA noECC TLS12 :009F TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - noECC TLS12 :00A3 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 noECC TLS12 :009D TLS_RSA_WITH_AES_256_GCM_SHA384 # noECC SSL3 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA # noECC SSL3 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA @@ -51,20 +50,15 @@ noECC TLS12 y TLS12_RSA_WITH_AES_256_CBC_SHA noECC TLS12 z TLS12_RSA_WITH_NULL_SHA noECC TLS12 :0016 TLS12_DHE_RSA_WITH_3DES_EDE_CBC_SHA - noECC TLS12 :0032 TLS12_DHE_DSS_WITH_AES_128_CBC_SHA noECC TLS12 :0033 TLS12_DHE_RSA_WITH_AES_128_CBC_SHA - noECC TLS12 :0038 TLS12_DHE_DSS_WITH_AES_256_CBC_SHA noECC TLS12 :0039 TLS12_DHE_RSA_WITH_AES_256_CBC_SHA noECC TLS12 :003B TLS12_RSA_WITH_NULL_SHA256 noECC TLS12 :003C TLS12_RSA_WITH_AES_128_CBC_SHA256 noECC TLS12 :003D TLS12_RSA_WITH_AES_256_CBC_SHA256 - noECC TLS12 :0040 TLS12_DHE_DSS_WITH_AES_128_CBC_SHA256 noECC TLS12 :0067 TLS12_DHE_RSA_WITH_AES_128_CBC_SHA256 - noECC TLS12 :006A TLS12_DHE_DSS_WITH_AES_256_CBC_SHA256 noECC TLS12 :006B TLS12_DHE_RSA_WITH_AES_256_CBC_SHA256 noECC TLS12 :009C TLS12_RSA_WITH_AES_128_GCM_SHA256 noECC TLS12 :009E TLS12_DHE_RSA_WITH_AES_128_GCM_SHA256 - noECC TLS12 :00A2 TLS12_DHE_DSS_WITH_AES_128_GCM_SHA256 noECC TLS12 :CCAA TLS12_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 noECC TLS13 :1301 TLS13_DHE_WITH_AES_128_GCM_SHA256 noECC TLS13 :1302 TLS13_DHE_WITH_AES_256_GCM_SHA384 diff -up ./tests/ssl/ssl.sh.disable_dsa ./tests/ssl/ssl.sh --- ./tests/ssl/ssl.sh.disable_dsa 2024-06-07 09:26:03.000000000 -0700 +++ ./tests/ssl/ssl.sh 2024-06-17 09:38:50.440019429 -0700 @@ -251,20 +251,26 @@ start_selfserv() else RSA_OPTIONS="-n ${HOSTADDR}-rsa-pss" fi + if [ -z "$NSS_DISABLE_DSA" ]; then + DSA_OPTIONS="-S ${HOSTADDR}-dsa" + else + DSA_OPTIONS="" + fi + SERVER_VMIN=${SERVER_VMIN-ssl3} SERVER_VMAX=${SERVER_VMAX-tls1.2} echo "selfserv starting at `date`" echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \\" - echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID}\\" + echo " ${ECC_OPTIONS} ${DSA_OPTIONS} -w nss "$@" -i ${R_SERVERPID}\\" echo " -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 &" if [ ${fileout} -eq 1 ]; then ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \ - ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 \ + ${ECC_OPTIONS} ${DSA_OPTIONS} -w nss "$@" -i ${R_SERVERPID} -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 \ > ${SERVEROUTFILE} 2>&1 & RET=$? else ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \ - ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 & + ${ECC_OPTIONS} ${DSA_OPTIONS} -w nss "$@" -i ${R_SERVERPID} -V ${SERVER_VMIN}:${SERVER_VMAX} $verbose -H 1 & RET=$? fi diff -up ./tests/ssl/sslstress.txt.disable_dsa ./tests/ssl/sslstress.txt --- ./tests/ssl/sslstress.txt.disable_dsa 2024-06-07 09:26:03.000000000 -0700 +++ ./tests/ssl/sslstress.txt 2024-06-17 09:38:50.440019429 -0700 @@ -55,15 +55,6 @@ noECC 0 -c_:0039 -V_ssl3:tls1.2_-c_100_-C_:0039_-N Stress TLS DHE_RSA_WITH_AES_256_CBC_SHA (no reuse) - noECC 0 -c_:0040 -V_ssl3:tls1.2_-c_100_-C_:0040_-N Stress TLS DHE_DSS_WITH_AES_128_CBC_SHA256 (no reuse) - -# noECC 0 -c_:0038_-u -V_ssl3:tls1.2_-c_1000_-C_:0038_-u Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA (session ticket) -# use the above session ticket test, once session tickets with DHE_DSS are working - noECC 0 -c_:0038 -V_ssl3:tls1.2_-c_1000_-C_:0038_-N Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA (no reuse) - -# noECC 0 -c_:006A -V_ssl3:tls1.2_-c_1000_-C_:006A Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA256 -# use the above reuse test, once the session cache with DHE_DSS is working - noECC 0 -c_:006A -V_ssl3:tls1.2_-c_1000_-C_:006A_-N Stress TLS DHE_DSS_WITH_AES_256_CBC_SHA256 (no reuse noECC 0 -c_:006B -V_ssl3:tls1.2_-c_100_-C_:006B_-N Stress TLS DHE_RSA_WITH_AES_256_CBC_SHA256 (no reuse) noECC 0 -c_:009E -V_ssl3:tls1.2_-c_100_-C_:009E_-N Stress TLS DHE_RSA_WITH_AES_128_GCM_SHA256 (no reuse) @@ -71,11 +62,3 @@ # # add client auth versions here... # - noECC 0 -r_-r_-c_:0032 -V_ssl3:tls1.2_-c_100_-C_:0032_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_128_CBC_SHA (no reuse, client auth) - noECC 0 -r_-r_-c_:0067 -V_ssl3:tls1.2_-c_1000_-C_:0067_-n_TestUser-dsamixed Stress TLS DHE_RSA_WITH_AES_128_CBC_SHA256 (client auth) - -# noECC 0 -r_-r_-c_:00A2_-u -V_ssl3:tls1.2_-c_1000_-C_:00A2_-n_TestUser-dsa_-u Stress TLS DHE_DSS_WITH_AES_128_GCM_SHA256 (session ticket, client auth) -# noECC 0 -r_-r_-c_:00A3_-u -V_ssl3:tls1.2_-c_1000_-C_:00A3_-n_TestUser-dsa_-u Stress TLS DHE_DSS_WITH_AES_256_GCM_SHA384 (session ticket, client auth) -# use the above session ticket test, once session tickets with DHE_DSS are working - noECC 0 -r_-r_-c_:00A2_-u -V_ssl3:tls1.2_-c_1000_-C_:00A2_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_128_GCM_SHA256 (no reuse, client auth) - noECC 0 -r_-r_-c_:00A3_-u -V_ssl3:tls1.2_-c_1000_-C_:00A3_-N_-n_TestUser-dsa Stress TLS DHE_DSS_WITH_AES_256_GCM_SHA384 (no reuse, client auth)