diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 0ae3b3c6..7fec19ea 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -19,7 +19,7 @@ stages:
stage: build
variables:
CMAKE_DEFAULT_OPTIONS: "-DCMAKE_BUILD_TYPE=RelWithDebInfo -DPICKY_DEVELOPER=ON"
- CMAKE_BUILD_OPTIONS: "-DWITH_BLOWFISH_CIPHER=ON -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON -DWITH_DEBUG_CRYPTO=ON -DWITH_DEBUG_PACKET=ON -DWITH_DEBUG_CALLTRACE=ON -DWITH_DSA=ON"
+ CMAKE_BUILD_OPTIONS: "-DWITH_BLOWFISH_CIPHER=ON -DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON -DWITH_DEBUG_CRYPTO=ON -DWITH_DEBUG_PACKET=ON -DWITH_DEBUG_CALLTRACE=ON"
CMAKE_TEST_OPTIONS: "-DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DWITH_BENCHMARKS=ON"
CMAKE_OPTIONS: $CMAKE_DEFAULT_OPTIONS $CMAKE_BUILD_OPTIONS $CMAKE_TEST_OPTIONS
before_script: &build
@@ -156,7 +156,6 @@ fedora/openssl_3.0.x/x86_64/minimal:
-DWITH_SERVER=OFF
-DWITH_ZLIB=OFF
-DWITH_PCAP=OFF
- -DWITH_DSA=OFF
-DUNIT_TESTING=ON
-DCLIENT_TESTING=ON
-DWITH_GEX=OFF .. &&
@@ -220,7 +219,7 @@ fedora/libgcrypt/x86_64:
fedora/mbedtls/x86_64:
extends: .fedora
variables:
- CMAKE_ADDITIONAL_OPTIONS: "-DWITH_MBEDTLS=ON -DWITH_DEBUG_CRYPTO=ON -DWITH_DSA=OFF"
+ CMAKE_ADDITIONAL_OPTIONS: "-DWITH_MBEDTLS=ON -DWITH_DEBUG_CRYPTO=ON "
# Unit testing only, no client and pkd testing, because cwrap is not available
# for MinGW
@@ -291,7 +290,7 @@ fedora/csbuild/openssl_3.0.x:
script:
- csbuild
--build-dir=obj-csbuild
- --build-cmd "rm -rf CMakeFiles CMakeCache.txt && cmake -DCMAKE_BUILD_TYPE=Debug -DPICKY_DEVELOPER=ON -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DFUZZ_TESTING=ON -DWITH_DSA=ON @SRCDIR@ && make clean && make -j$(nproc)"
+ --build-cmd "rm -rf CMakeFiles CMakeCache.txt && cmake -DCMAKE_BUILD_TYPE=Debug -DPICKY_DEVELOPER=ON -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DFUZZ_TESTING=ON @SRCDIR@ && make clean && make -j$(nproc)"
--git-commit-range $CI_COMMIT_RANGE
--color
--print-current --print-fixed
@@ -301,7 +300,7 @@ fedora/csbuild/libgcrypt:
script:
- csbuild
--build-dir=obj-csbuild
- --build-cmd "rm -rf CMakeFiles CMakeCache.txt && cmake -DCMAKE_BUILD_TYPE=Debug -DPICKY_DEVELOPER=ON -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DFUZZ_TESTING=ON -DWITH_GCRYPT=ON -DWITH_DSA=ON @SRCDIR@ && make clean && make -j$(nproc)"
+ --build-cmd "rm -rf CMakeFiles CMakeCache.txt && cmake -DCMAKE_BUILD_TYPE=Debug -DPICKY_DEVELOPER=ON -DUNIT_TESTING=ON -DCLIENT_TESTING=ON -DSERVER_TESTING=ON -DFUZZ_TESTING=ON -DWITH_GCRYPT=ON @SRCDIR@ && make clean && make -j$(nproc)"
--git-commit-range $CI_COMMIT_RANGE
--color
--print-current --print-fixed
@@ -360,7 +359,6 @@ tumbleweed/openssl_1.1.x/x86/gcc:
-DWITH_SERVER=ON
-DWITH_ZLIB=ON
-DWITH_PCAP=ON
- -DWITH_DSA=ON
-DUNIT_TESTING=ON ..
tumbleweed/openssl_1.1.x/x86_64/gcc7:
@@ -376,7 +374,6 @@ tumbleweed/openssl_1.1.x/x86/gcc7:
-DCMAKE_C_COMPILER=gcc-7 -DCMAKE_CXX_COMPILER=g++-7
$CMAKE_DEFAULT_OPTIONS
-DWITH_SFTP=ON -DWITH_SERVER=ON -DWITH_ZLIB=ON -DWITH_PCAP=ON
- -DWITH_DSA=ON
-DUNIT_TESTING=ON .. &&
make -j$(nproc) &&
ctest --output-on-failure
diff --git a/ConfigureChecks.cmake b/ConfigureChecks.cmake
index 1fa2a0b4..72f79997 100644
--- a/ConfigureChecks.cmake
+++ b/ConfigureChecks.cmake
@@ -143,12 +143,6 @@ if (NOT WITH_GCRYPT AND NOT WITH_MBEDTLS)
endif ()
-if (WITH_DSA)
- if (NOT WITH_MBEDTLS)
- set(HAVE_DSA 1)
- endif (NOT WITH_MBEDTLS)
-endif()
-
# FUNCTIONS
check_function_exists(isblank HAVE_ISBLANK)
@@ -469,13 +463,6 @@ if (WITH_PKCS11_URI)
endif()
endif()
-if (WITH_MBEDTLS)
- if (WITH_DSA)
- message(FATAL_ERROR "DSA is not supported with mbedTLS crypto")
- set(HAVE_DSA 0)
- endif()
-endif()
-
# ENDIAN
if (NOT WIN32)
test_big_endian(WORDS_BIGENDIAN)
diff --git a/DefineOptions.cmake b/DefineOptions.cmake
index 6881b9a2..0608ade4 100644
--- a/DefineOptions.cmake
+++ b/DefineOptions.cmake
@@ -5,7 +5,6 @@ option(WITH_SERVER "Build with SSH server support" ON)
option(WITH_DEBUG_CRYPTO "Build with crypto debug output" OFF)
option(WITH_DEBUG_PACKET "Build with packet debug output" OFF)
option(WITH_DEBUG_CALLTRACE "Build with calltrace debug output" ON)
-option(WITH_DSA "Build with DSA" OFF)
option(WITH_GCRYPT "Compile against libgcrypt" OFF)
option(WITH_MBEDTLS "Compile against libmbedtls" OFF)
option(WITH_BLOWFISH_CIPHER "Compile with blowfish support" OFF)
diff --git a/config.h.cmake b/config.h.cmake
index 26a582f2..a1cd3cc7 100644
--- a/config.h.cmake
+++ b/config.h.cmake
@@ -91,9 +91,6 @@
/* Define to 1 if you have elliptic curve cryptography */
#cmakedefine HAVE_ECC 1
-/* Define to 1 if you have DSA */
-#cmakedefine HAVE_DSA 1
-
/* Define to 1 if you have gl_flags as a glob_t sturct member */
#cmakedefine HAVE_GLOB_GL_FLAGS_MEMBER 1
diff --git a/doc/guided_tour.dox b/doc/guided_tour.dox
index 69576f18..904a739e 100644
--- a/doc/guided_tour.dox
+++ b/doc/guided_tour.dox
@@ -5,7 +5,7 @@
A SSH session goes through the following steps:
- Before connecting to the server, you can set up if you wish one or other
- server public key authentication, i.e. DSA or RSA. You can choose
+ server public key authentication, i.e. RSA, ED25519 or ECDSA. You can choose
cryptographic algorithms you trust and compression algorithms if any. You
must of course set up the hostname.
@@ -15,7 +15,7 @@ A SSH session goes through the following steps:
file.
- The client must authenticate: the classical ways are password, or
- public keys (from dsa and rsa key-pairs generated by openssh).
+ public keys (from ecdsa, ed25519 and rsa key-pairs generated by openssh).
If a SSH agent is running, it is possible to use it.
- Now that the user has been authenticated, you must open one or several
diff --git a/doc/mainpage.dox b/doc/mainpage.dox
index eba140dc..3bd2975f 100644
--- a/doc/mainpage.dox
+++ b/doc/mainpage.dox
@@ -20,7 +20,7 @@ the interesting functions as you go.
The libssh library provides:
- Key Exchange Methods: curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1
- - Public Key Algorithms: ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-rsa, rsa-sha2-512, rsa-sha2-256,ssh-dss
+ - Public Key Algorithms: ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-rsa, rsa-sha2-512, rsa-sha2-256
- Ciphers: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc (rijndael-cbc@lysator.liu.se), aes192-cbc, aes128-cbc, 3des-cbc, blowfish-cbc
- Compression Schemes: zlib, zlib@openssh.com, none
- MAC hashes: hmac-sha1, hmac-sha2-256, hmac-sha2-512, hmac-md5
diff --git a/examples/keygen2.c b/examples/keygen2.c
index 82aae7e9..bbe15e0e 100644
--- a/examples/keygen2.c
+++ b/examples/keygen2.c
@@ -52,7 +52,6 @@ static struct argp_option options[] = {
"Accepted values are: "
"1024, 2048, 3072 (default), 4096, and 8192 for TYPE=\"rsa\"; "
"256 (default), 384, and 521 for TYPE=\"ecdsa\"; "
- "1024 (default) and 2048 for TYPE=\"dsa\"; "
"can be omitted for TYPE=\"ed25519\" "
"(it will be ignored if provided).\n",
.group = 0
@@ -86,7 +85,7 @@ static struct argp_option options[] = {
.flags = 0,
.doc = "The type of the key to be generated. "
"Accepted values are: "
- "\"rsa\", \"ecdsa\", \"ed25519\", and \"dsa\".\n",
+ "\"rsa\", \"ecdsa\", and \"ed25519\".\n",
.group = 0
},
{
@@ -153,9 +152,6 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state)
if (!strcmp(arg, "rsa")) {
arguments->type = SSH_KEYTYPE_RSA;
}
- else if (!strcmp(arg, "dsa")) {
- arguments->type = SSH_KEYTYPE_DSS;
- }
else if (!strcmp(arg, "ecdsa")) {
arguments->type = SSH_KEYTYPE_ECDSA;
}
@@ -253,29 +249,6 @@ static int validate_args(struct arguments_st *args)
}
}
- break;
- case SSH_KEYTYPE_DSS:
- switch (args->bits) {
- case 0:
- /* If not provided, use default value */
- args->bits = 1024;
- break;
- case 1024:
- case 2048:
- break;
- default:
- fprintf(stderr, "Error: Invalid bits parameter provided\n");
- rc = EINVAL;
- break;
- }
- if (args->file == NULL) {
- args->file = strdup("id_dsa");
- if (args->file == NULL) {
- rc = ENOMEM;
- break;
- }
- }
-
break;
case SSH_KEYTYPE_ED25519:
/* Ignore value and overwrite with a zero */
diff --git a/examples/proxy.c b/examples/proxy.c
index 159a37e5..f6cbfbd0 100644
--- a/examples/proxy.c
+++ b/examples/proxy.c
@@ -142,14 +142,6 @@ static struct argp_option options[] = {
.doc = "Set the host key.",
.group = 0
},
- {
- .name = "dsakey",
- .key = 'd',
- .arg = "FILE",
- .flags = 0,
- .doc = "Set the dsa key.",
- .group = 0
- },
{
.name = "rsakey",
.key = 'r',
@@ -180,9 +172,6 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
case 'p':
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg);
break;
- case 'd':
- ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, arg);
- break;
case 'k':
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg);
break;
diff --git a/examples/samplesshd-cb.c b/examples/samplesshd-cb.c
index e5b48994..5809701c 100644
--- a/examples/samplesshd-cb.c
+++ b/examples/samplesshd-cb.c
@@ -172,14 +172,6 @@ static struct argp_option options[] = {
.doc = "Set the host key.",
.group = 0
},
- {
- .name = "dsakey",
- .key = 'd',
- .arg = "FILE",
- .flags = 0,
- .doc = "Set the dsa key.",
- .group = 0
- },
{
.name = "rsakey",
.key = 'r',
@@ -218,9 +210,6 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
case 'p':
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg);
break;
- case 'd':
- ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, arg);
- break;
case 'k':
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg);
break;
@@ -278,7 +267,6 @@ int main(int argc, char **argv){
sshbind=ssh_bind_new();
session=ssh_new();
- ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, KEYS_FOLDER "ssh_host_dsa_key");
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY, KEYS_FOLDER "ssh_host_rsa_key");
#ifdef HAVE_ARGP_H
diff --git a/examples/samplesshd-kbdint.c b/examples/samplesshd-kbdint.c
index 6608306c..1ae2e374 100644
--- a/examples/samplesshd-kbdint.c
+++ b/examples/samplesshd-kbdint.c
@@ -112,14 +112,6 @@ static struct argp_option options[] = {
.doc = "Set the host key.",
.group = 0
},
- {
- .name = "dsakey",
- .key = 'd',
- .arg = "FILE",
- .flags = 0,
- .doc = "Set the dsa key.",
- .group = 0
- },
{
.name = "rsakey",
.key = 'r',
@@ -151,9 +143,6 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg);
port = atoi(arg);
break;
- case 'd':
- ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, arg);
- break;
case 'k':
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg);
break;
@@ -306,8 +295,6 @@ int main(int argc, char **argv){
sshbind=ssh_bind_new();
session=ssh_new();
- ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY,
- KEYS_FOLDER "ssh_host_dsa_key");
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY,
KEYS_FOLDER "ssh_host_rsa_key");
diff --git a/examples/ssh_client.c b/examples/ssh_client.c
index aaf0cb5b..b0b44aa2 100644
--- a/examples/ssh_client.c
+++ b/examples/ssh_client.c
@@ -94,7 +94,6 @@ static void usage(void)
"Options :\n"
" -l user : log in as user\n"
" -p port : connect to port\n"
- " -d : use DSS to verify host public key\n"
" -r : use RSA to verify host public key\n"
" -F file : parse configuration file instead of default one\n"
#ifdef WITH_PCAP
diff --git a/examples/ssh_server.c b/examples/ssh_server.c
index 85eb1689..08878e1a 100644
--- a/examples/ssh_server.c
+++ b/examples/ssh_server.c
@@ -58,16 +58,11 @@ The goal is to show the API in action.
static void set_default_keys(ssh_bind sshbind,
int rsa_already_set,
- int dsa_already_set,
int ecdsa_already_set) {
if (!rsa_already_set) {
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY,
KEYS_FOLDER "ssh_host_rsa_key");
}
- if (!dsa_already_set) {
- ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY,
- KEYS_FOLDER "ssh_host_dsa_key");
- }
if (!ecdsa_already_set) {
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_ECDSAKEY,
KEYS_FOLDER "ssh_host_ecdsa_key");
@@ -109,14 +104,6 @@ static struct argp_option options[] = {
"Implies no default keys.",
.group = 0
},
- {
- .name = "dsakey",
- .key = 'd',
- .arg = "FILE",
- .flags = 0,
- .doc = "Set the dsa key.",
- .group = 0
- },
{
.name = "rsakey",
.key = 'r',
@@ -182,7 +169,7 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
* know is a pointer to our arguments structure. */
ssh_bind sshbind = state->input;
static int no_default_keys = 0;
- static int rsa_already_set = 0, dsa_already_set = 0, ecdsa_already_set = 0;
+ static int rsa_already_set = 0, ecdsa_already_set = 0;
switch (key) {
case 'n':
@@ -191,10 +178,6 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
case 'p':
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg);
break;
- case 'd':
- ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, arg);
- dsa_already_set = 1;
- break;
case 'k':
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg);
/* We can't track the types of keys being added with this
@@ -239,7 +222,6 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
if (!no_default_keys) {
set_default_keys(sshbind,
rsa_already_set,
- dsa_already_set,
ecdsa_already_set);
}
@@ -256,18 +238,14 @@ static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL};
static int parse_opt(int argc, char **argv, ssh_bind sshbind) {
int no_default_keys = 0;
int rsa_already_set = 0;
- int dsa_already_set = 0;
int ecdsa_already_set = 0;
int key;
- while((key = getopt(argc, argv, "a:d:e:k:np:P:r:u:v")) != -1) {
+ while((key = getopt(argc, argv, "a:e:k:np:P:r:u:v")) != -1) {
if (key == 'n') {
no_default_keys = 1;
} else if (key == 'p') {
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, optarg);
- } else if (key == 'd') {
- ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, optarg);
- dsa_already_set = 1;
} else if (key == 'k') {
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, optarg);
/* We can't track the types of keys being added with this
@@ -299,7 +277,6 @@ static int parse_opt(int argc, char **argv, ssh_bind sshbind) {
"libssh %s -- a Secure Shell protocol implementation\n"
"\n"
" -a, --authorizedkeys=FILE Set the authorized keys file.\n"
- " -d, --dsakey=FILE Set the dsa key.\n"
" -e, --ecdsakey=FILE Set the ecdsa key.\n"
" -k, --hostkey=FILE Set a host key. Can be used multiple times.\n"
" Implies no default keys.\n"
@@ -329,7 +306,6 @@ static int parse_opt(int argc, char **argv, ssh_bind sshbind) {
if (!no_default_keys) {
set_default_keys(sshbind,
rsa_already_set,
- dsa_already_set,
ecdsa_already_set);
}
diff --git a/examples/sshd_direct-tcpip.c b/examples/sshd_direct-tcpip.c
index b0e29796..2f287466 100644
--- a/examples/sshd_direct-tcpip.c
+++ b/examples/sshd_direct-tcpip.c
@@ -15,7 +15,7 @@ clients must be made or how a client should react.
/*
Example:
- ./sshd_direct-tcpip -v -p 2022 -d serverkey.dsa -r serverkey.rsa 127.0.0.1
+ ./sshd_direct-tcpip -v -p 2022 -r serverkey.rsa 127.0.0.1
*/
#include "config.h"
@@ -586,14 +586,6 @@ static struct argp_option options[] = {
.doc = "Set the host key.",
.group = 0
},
- {
- .name = "dsakey",
- .key = 'd',
- .arg = "FILE",
- .flags = 0,
- .doc = "Set the dsa key.",
- .group = 0
- },
{
.name = "rsakey",
.key = 'r',
@@ -626,9 +618,6 @@ parse_opt (int key, char *arg, struct argp_state *state)
case 'p':
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_BINDPORT_STR, arg);
break;
- case 'd':
- ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, arg);
- break;
case 'k':
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HOSTKEY, arg);
break;
@@ -685,7 +674,6 @@ main(int argc, char **argv)
session = ssh_new();
mainloop = ssh_event_new();
- ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_DSAKEY, KEYS_FOLDER "ssh_host_dsa_key");
ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY, KEYS_FOLDER "ssh_host_rsa_key");
#ifdef HAVE_ARGP_H
diff --git a/include/libssh/bind.h b/include/libssh/bind.h
index 56f97f27..cd9199b6 100644
--- a/include/libssh/bind.h
+++ b/include/libssh/bind.h
@@ -39,11 +39,9 @@ struct ssh_bind_struct {
char *wanted_methods[SSH_KEX_METHODS];
char *banner;
char *ecdsakey;
- char *dsakey;
char *rsakey;
char *ed25519key;
ssh_key ecdsa;
- ssh_key dsa;
ssh_key rsa;
ssh_key ed25519;
char *bindaddr;
diff --git a/include/libssh/keys.h b/include/libssh/keys.h
index 79bba747..1379539e 100644
--- a/include/libssh/keys.h
+++ b/include/libssh/keys.h
@@ -29,26 +29,22 @@ struct ssh_public_key_struct {
int type;
const char *type_c; /* Don't free it ! it is static */
#if defined(HAVE_LIBGCRYPT)
- gcry_sexp_t dsa_pub;
gcry_sexp_t rsa_pub;
#elif defined(HAVE_LIBCRYPTO)
EVP_PKEY *key_pub;
#elif defined(HAVE_LIBMBEDCRYPTO)
mbedtls_pk_context *rsa_pub;
- void *dsa_pub;
#endif
};
struct ssh_private_key_struct {
int type;
#if defined(HAVE_LIBGCRYPT)
- gcry_sexp_t dsa_priv;
gcry_sexp_t rsa_priv;
#elif defined(HAVE_LIBCRYPTO)
EVP_PKEY *key_priv;
#elif defined(HAVE_LIBMBEDCRYPTO)
mbedtls_pk_context *rsa_priv;
- void *dsa_priv;
#endif
};
diff --git a/include/libssh/libcrypto.h b/include/libssh/libcrypto.h
index 4c4dd2a6..2a7343fc 100644
--- a/include/libssh/libcrypto.h
+++ b/include/libssh/libcrypto.h
@@ -26,7 +26,6 @@
#ifdef HAVE_LIBCRYPTO
#include "libssh/libssh.h"
-#include
#include
#include
#include
diff --git a/include/libssh/libssh.h b/include/libssh/libssh.h
index 5bd5babb..50dcc794 100644
--- a/include/libssh/libssh.h
+++ b/include/libssh/libssh.h
@@ -272,12 +272,12 @@ enum ssh_error_types_e {
/* some types for keys */
enum ssh_keytypes_e{
SSH_KEYTYPE_UNKNOWN=0,
- SSH_KEYTYPE_DSS=1,
+ SSH_KEYTYPE_DSS=1, /* deprecated */
SSH_KEYTYPE_RSA,
SSH_KEYTYPE_RSA1,
SSH_KEYTYPE_ECDSA, /* deprecated */
SSH_KEYTYPE_ED25519,
- SSH_KEYTYPE_DSS_CERT01,
+ SSH_KEYTYPE_DSS_CERT01, /* deprecated */
SSH_KEYTYPE_RSA_CERT01,
SSH_KEYTYPE_ECDSA_P256,
SSH_KEYTYPE_ECDSA_P384,
diff --git a/include/libssh/pki.h b/include/libssh/pki.h
index d38392c8..096a645f 100644
--- a/include/libssh/pki.h
+++ b/include/libssh/pki.h
@@ -57,13 +57,11 @@ struct ssh_key_struct {
const char *type_c; /* Don't free it ! it is static */
int ecdsa_nid;
#if defined(HAVE_LIBGCRYPT)
- gcry_sexp_t dsa;
gcry_sexp_t rsa;
gcry_sexp_t ecdsa;
#elif defined(HAVE_LIBMBEDCRYPTO)
mbedtls_pk_context *rsa;
mbedtls_ecdsa_context *ecdsa;
- void *dsa;
#elif defined(HAVE_LIBCRYPTO)
/* This holds either ENGINE key for PKCS#11 support or just key in
* high-level format */
@@ -85,7 +83,6 @@ struct ssh_signature_struct {
enum ssh_digest_e hash_type;
const char *type_c;
#if defined(HAVE_LIBGCRYPT)
- gcry_sexp_t dsa_sig;
gcry_sexp_t rsa_sig;
gcry_sexp_t ecdsa_sig;
#elif defined(HAVE_LIBMBEDCRYPTO)
@@ -124,12 +121,11 @@ enum ssh_digest_e ssh_key_hash_from_name(const char *name);
((t) >= SSH_KEYTYPE_ECDSA_P256 && (t) <= SSH_KEYTYPE_ECDSA_P521)
#define is_cert_type(kt)\
- ((kt) == SSH_KEYTYPE_DSS_CERT01 ||\
- (kt) == SSH_KEYTYPE_RSA_CERT01 ||\
- (kt) == SSH_KEYTYPE_SK_ECDSA_CERT01 ||\
- (kt) == SSH_KEYTYPE_SK_ED25519_CERT01 ||\
- ((kt) >= SSH_KEYTYPE_ECDSA_P256_CERT01 &&\
- (kt) <= SSH_KEYTYPE_ED25519_CERT01))
+ ((kt) == SSH_KEYTYPE_RSA_CERT01 ||\
+ (kt) == SSH_KEYTYPE_SK_ECDSA_CERT01 ||\
+ (kt) == SSH_KEYTYPE_SK_ED25519_CERT01 ||\
+ ((kt) >= SSH_KEYTYPE_ECDSA_P256_CERT01 &&\
+ (kt) <= SSH_KEYTYPE_ED25519_CERT01))
/* SSH Signature Functions */
ssh_signature ssh_signature_new(void);
diff --git a/include/libssh/pki_priv.h b/include/libssh/pki_priv.h
index 96dd5a04..c63e129d 100644
--- a/include/libssh/pki_priv.h
+++ b/include/libssh/pki_priv.h
@@ -38,8 +38,6 @@ int bcrypt_pbkdf(const char *pass,
#define RSA_HEADER_BEGIN "-----BEGIN RSA PRIVATE KEY-----"
#define RSA_HEADER_END "-----END RSA PRIVATE KEY-----"
-#define DSA_HEADER_BEGIN "-----BEGIN DSA PRIVATE KEY-----"
-#define DSA_HEADER_END "-----END DSA PRIVATE KEY-----"
#define ECDSA_HEADER_BEGIN "-----BEGIN EC PRIVATE KEY-----"
#define ECDSA_HEADER_END "-----END EC PRIVATE KEY-----"
#define OPENSSH_HEADER_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----"
@@ -65,7 +63,6 @@ enum ssh_digest_e ssh_key_type_to_hash(ssh_session session,
/* SSH Key Functions */
ssh_key pki_key_dup(const ssh_key key, int demote);
int pki_key_generate_rsa(ssh_key key, int parameter);
-int pki_key_generate_dss(ssh_key key, int parameter);
int pki_key_generate_ecdsa(ssh_key key, int parameter);
int pki_key_generate_ed25519(ssh_key key);
@@ -91,11 +88,6 @@ int pki_import_privkey_buffer(enum ssh_keytypes_e type,
ssh_key *pkey);
/* SSH Public Key Functions */
-int pki_pubkey_build_dss(ssh_key key,
- ssh_string p,
- ssh_string q,
- ssh_string g,
- ssh_string pubkey);
int pki_pubkey_build_rsa(ssh_key key,
ssh_string e,
ssh_string n);
@@ -103,12 +95,6 @@ int pki_pubkey_build_ecdsa(ssh_key key, int nid, ssh_string e);
ssh_string pki_publickey_to_blob(const ssh_key key);
/* SSH Private Key Functions */
-int pki_privkey_build_dss(ssh_key key,
- ssh_string p,
- ssh_string q,
- ssh_string g,
- ssh_string pubkey,
- ssh_string privkey);
int pki_privkey_build_rsa(ssh_key key,
ssh_string n,
ssh_string e,
diff --git a/include/libssh/server.h b/include/libssh/server.h
index 80f74e1a..c2cc1fd4 100644
--- a/include/libssh/server.h
+++ b/include/libssh/server.h
@@ -40,7 +40,7 @@ enum ssh_bind_options_e {
SSH_BIND_OPTIONS_BINDPORT,
SSH_BIND_OPTIONS_BINDPORT_STR,
SSH_BIND_OPTIONS_HOSTKEY,
- SSH_BIND_OPTIONS_DSAKEY,
+ SSH_BIND_OPTIONS_DSAKEY, /* deprecated */
SSH_BIND_OPTIONS_RSAKEY,
SSH_BIND_OPTIONS_BANNER,
SSH_BIND_OPTIONS_LOG_VERBOSITY,
diff --git a/include/libssh/session.h b/include/libssh/session.h
index 9ccdb6d6..8961d3ad 100644
--- a/include/libssh/session.h
+++ b/include/libssh/session.h
@@ -191,7 +191,6 @@ struct ssh_session_struct {
/* server host keys */
struct {
ssh_key rsa_key;
- ssh_key dsa_key;
ssh_key ecdsa_key;
ssh_key ed25519_key;
/* The type of host key wanted by client */
diff --git a/src/auth.c b/src/auth.c
index 7a6a90a1..b41198e5 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -1502,7 +1502,6 @@ int ssh_userauth_agent_pubkey(ssh_session session,
key->type_c = ssh_key_type_to_char(key->type);
key->flags = SSH_KEY_FLAG_PUBLIC;
#ifndef HAVE_LIBCRYPTO
- key->dsa = publickey->dsa_pub;
key->rsa = publickey->rsa_pub;
#else
key->key = publickey->key_pub;
@@ -1511,7 +1510,6 @@ int ssh_userauth_agent_pubkey(ssh_session session,
rc = ssh_userauth_agent_publickey(session, username, key);
#ifndef HAVE_LIBCRYPTO
- key->dsa = NULL;
key->rsa = NULL;
#else
key->key = NULL;
diff --git a/src/bind.c b/src/bind.c
index 226e217c..d150933c 100644
--- a/src/bind.c
+++ b/src/bind.c
@@ -150,11 +150,10 @@ static int ssh_bind_import_keys(ssh_bind sshbind) {
int rc;
if (sshbind->ecdsakey == NULL &&
- sshbind->dsakey == NULL &&
sshbind->rsakey == NULL &&
sshbind->ed25519key == NULL) {
ssh_set_error(sshbind, SSH_FATAL,
- "ECDSA, ED25519, DSA, or RSA host key file must be set");
+ "ECDSA, ED25519, or RSA host key file must be set");
return SSH_ERROR;
}
@@ -181,30 +180,6 @@ static int ssh_bind_import_keys(ssh_bind sshbind) {
}
#endif
-#ifdef HAVE_DSA
- if (sshbind->dsa == NULL && sshbind->dsakey != NULL) {
- rc = ssh_pki_import_privkey_file(sshbind->dsakey,
- NULL,
- NULL,
- NULL,
- &sshbind->dsa);
- if (rc == SSH_ERROR || rc == SSH_EOF) {
- ssh_set_error(sshbind, SSH_FATAL,
- "Failed to import private DSA host key");
- return SSH_ERROR;
- }
-
- if (ssh_key_type(sshbind->dsa) != SSH_KEYTYPE_DSS) {
- ssh_set_error(sshbind, SSH_FATAL,
- "The DSA host key has the wrong type: %d",
- ssh_key_type(sshbind->dsa));
- ssh_key_free(sshbind->dsa);
- sshbind->dsa = NULL;
- return SSH_ERROR;
- }
- }
-#endif
-
if (sshbind->rsa == NULL && sshbind->rsakey != NULL) {
rc = ssh_pki_import_privkey_file(sshbind->rsakey,
NULL,
@@ -256,7 +231,6 @@ int ssh_bind_listen(ssh_bind sshbind) {
int rc;
if (sshbind->rsa == NULL &&
- sshbind->dsa == NULL &&
sshbind->ecdsa == NULL &&
sshbind->ed25519 == NULL) {
rc = ssh_bind_import_keys(sshbind);
@@ -273,8 +247,6 @@ int ssh_bind_listen(ssh_bind sshbind) {
fd = bind_socket(sshbind, host, sshbind->bindport);
if (fd == SSH_INVALID_SOCKET) {
- ssh_key_free(sshbind->dsa);
- sshbind->dsa = NULL;
ssh_key_free(sshbind->rsa);
sshbind->rsa = NULL;
/* XXX should this clear also other structures that were allocated */
@@ -287,8 +259,6 @@ int ssh_bind_listen(ssh_bind sshbind) {
"Listening to socket %d: %s",
fd, ssh_strerror(errno, err_msg, SSH_ERRNO_MSG_MAX));
CLOSE_SOCKET(fd);
- ssh_key_free(sshbind->dsa);
- sshbind->dsa = NULL;
ssh_key_free(sshbind->rsa);
sshbind->rsa = NULL;
/* XXX should this clear also other structures that were allocated */
@@ -401,13 +371,10 @@ void ssh_bind_free(ssh_bind sshbind){
SAFE_FREE(sshbind->config_dir);
SAFE_FREE(sshbind->pubkey_accepted_key_types);
- SAFE_FREE(sshbind->dsakey);
SAFE_FREE(sshbind->rsakey);
SAFE_FREE(sshbind->ecdsakey);
SAFE_FREE(sshbind->ed25519key);
- ssh_key_free(sshbind->dsa);
- sshbind->dsa = NULL;
ssh_key_free(sshbind->rsa);
sshbind->rsa = NULL;
ssh_key_free(sshbind->ecdsa);
@@ -531,7 +498,6 @@ int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd)
* only using ssh_bind_accept_fd to manage sockets ourselves.
*/
if (sshbind->rsa == NULL &&
- sshbind->dsa == NULL &&
sshbind->ecdsa == NULL &&
sshbind->ed25519 == NULL) {
rc = ssh_bind_import_keys(sshbind);
@@ -548,15 +514,6 @@ int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd)
return SSH_ERROR;
}
}
-#endif
-#ifdef HAVE_DSA
- if (sshbind->dsa) {
- session->srv.dsa_key = ssh_key_dup(sshbind->dsa);
- if (session->srv.dsa_key == NULL) {
- ssh_set_error_oom(sshbind);
- return SSH_ERROR;
- }
- }
#endif
if (sshbind->rsa) {
session->srv.rsa_key = ssh_key_dup(sshbind->rsa);
diff --git a/src/curve25519.c b/src/curve25519.c
index 851c2a28..a485e52c 100644
--- a/src/curve25519.c
+++ b/src/curve25519.c
@@ -381,7 +381,7 @@ static SSH_PACKET_CALLBACK(ssh_packet_server_curve25519_init){
ssh_string q_s_string = NULL;
ssh_string server_pubkey_blob = NULL;
- /* SSH host keys (rsa,dsa,ecdsa) */
+ /* SSH host keys (rsa, ed25519 and ecdsa) */
ssh_key privkey = NULL;
enum ssh_digest_e digest = SSH_DIGEST_AUTO;
ssh_string sig_blob = NULL;
diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c
index 2ffb8ef3..91c26240 100644
--- a/src/ecdh_crypto.c
+++ b/src/ecdh_crypto.c
@@ -431,7 +431,7 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init)
/* ECDH keys */
ssh_string q_c_string = NULL;
ssh_string q_s_string = NULL;
- /* SSH host keys (rsa,dsa,ecdsa) */
+ /* SSH host keys (rsa, ed25519 and ecdsa) */
ssh_key privkey;
enum ssh_digest_e digest = SSH_DIGEST_AUTO;
ssh_string sig_blob = NULL;
diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c
index 8b0280af..76e24873 100644
--- a/src/ecdh_gcrypt.c
+++ b/src/ecdh_gcrypt.c
@@ -271,7 +271,7 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
ssh_string q_s_string;
gcry_sexp_t param = NULL;
gcry_sexp_t key = NULL;
- /* SSH host keys (rsa,dsa,ecdsa) */
+ /* SSH host keys (rsa, ed25519 and ecdsa) */
ssh_key privkey;
enum ssh_digest_e digest = SSH_DIGEST_AUTO;
ssh_string sig_blob = NULL;
diff --git a/src/kex.c b/src/kex.c
index 240ddf39..a240f757 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -118,14 +118,6 @@
#define EC_PUBLIC_KEY_ALGORITHMS ""
#endif /* HAVE_ECC */
-#ifdef HAVE_DSA
-#define DSA_HOSTKEYS ",ssh-dss"
-#define DSA_PUBLIC_KEY_ALGORITHMS ",ssh-dss-cert-v01@openssh.com"
-#else
-#define DSA_HOSTKEYS ""
-#define DSA_PUBLIC_KEY_ALGORITHMS ""
-#endif /* HAVE_DSA */
-
#ifdef WITH_INSECURE_NONE
#define NONE ",none"
#else
@@ -138,8 +130,7 @@
EC_SK_HOSTKEYS \
"rsa-sha2-512," \
"rsa-sha2-256," \
- "ssh-rsa" \
- DSA_HOSTKEYS
+ "ssh-rsa"
#define DEFAULT_HOSTKEYS "ssh-ed25519," \
EC_HOSTKEYS \
"sk-ssh-ed25519@openssh.com," \
@@ -152,8 +143,7 @@
EC_PUBLIC_KEY_ALGORITHMS \
"rsa-sha2-512-cert-v01@openssh.com," \
"rsa-sha2-256-cert-v01@openssh.com," \
- "ssh-rsa-cert-v01@openssh.com" \
- DSA_PUBLIC_KEY_ALGORITHMS "," \
+ "ssh-rsa-cert-v01@openssh.com," \
HOSTKEYS
#define DEFAULT_PUBLIC_KEY_ALGORITHMS "ssh-ed25519-cert-v01@openssh.com," \
EC_PUBLIC_KEY_ALGORITHMS \
diff --git a/src/known_hosts.c b/src/known_hosts.c
index 84e15572..a1d9a432 100644
--- a/src/known_hosts.c
+++ b/src/known_hosts.c
@@ -70,7 +70,7 @@
* @param[out] found_type A pointer to a string to be set with the found key
* type.
*
- * @returns The found_type type of key (ie "dsa","ssh-rsa"). Don't
+ * @returns The found_type type of key (ie "ssh-rsa"). Don't
* free that value. NULL if no match was found or the file
* was not found.
*/
@@ -152,7 +152,7 @@ static int check_public_key(ssh_session session, char **tokens) {
char *pubkey_64;
int rc;
- /* ssh-dss or ssh-rsa */
+ /* ssh-rsa, ssh-ed25519, .. */
pubkey_64 = tokens[2];
pubkey_buffer = base64_to_bin(pubkey_64);
diff --git a/src/knownhosts.c b/src/knownhosts.c
index b3b963bd..c073b266 100644
--- a/src/knownhosts.c
+++ b/src/knownhosts.c
@@ -482,13 +482,6 @@ static const char *ssh_known_host_sigs_from_hostkey_type(enum ssh_keytypes_e typ
return "ssh-ed25519";
case SSH_KEYTYPE_SK_ED25519:
return "sk-ssh-ed25519@openssh.com";
-#ifdef HAVE_DSA
- case SSH_KEYTYPE_DSS:
- return "ssh-dss";
-#else
- SSH_LOG(SSH_LOG_WARN, "DSS keys are not supported by this build");
- break;
-#endif
#ifdef HAVE_ECC
case SSH_KEYTYPE_ECDSA_P256:
return "ecdsa-sha2-nistp256";
diff --git a/src/legacy.c b/src/legacy.c
index 4c2c0052..72ff7f36 100644
--- a/src/legacy.c
+++ b/src/legacy.c
@@ -84,7 +84,6 @@ int ssh_userauth_pubkey(ssh_session session,
key->type_c = ssh_key_type_to_char(key->type);
key->flags = SSH_KEY_FLAG_PRIVATE|SSH_KEY_FLAG_PUBLIC;
#ifndef HAVE_LIBCRYPTO
- key->dsa = privatekey->dsa_priv;
key->rsa = privatekey->rsa_priv;
#else
key->key = privatekey->key_priv;
@@ -92,7 +91,6 @@ int ssh_userauth_pubkey(ssh_session session,
rc = ssh_userauth_publickey(session, username, key);
#ifndef HAVE_LIBCRYPTO
- key->dsa = NULL;
key->rsa = NULL;
#else
key->key = NULL;
@@ -358,13 +356,6 @@ void publickey_free(ssh_public_key key) {
}
switch(key->type) {
- case SSH_KEYTYPE_DSS:
-#ifdef HAVE_LIBGCRYPT
- gcry_sexp_release(key->dsa_pub);
-#elif defined HAVE_LIBCRYPTO
- EVP_PKEY_free(key->key_pub);
-#endif /* HAVE_LIBGCRYPT */
- break;
case SSH_KEYTYPE_RSA:
#ifdef HAVE_LIBGCRYPT
gcry_sexp_release(key->rsa_pub);
@@ -396,7 +387,6 @@ ssh_public_key publickey_from_privatekey(ssh_private_key prv) {
privkey->type_c = ssh_key_type_to_char(privkey->type);
privkey->flags = SSH_KEY_FLAG_PRIVATE | SSH_KEY_FLAG_PUBLIC;
#ifndef HAVE_LIBCRYPTO
- privkey->dsa = prv->dsa_priv;
privkey->rsa = prv->rsa_priv;
#else
privkey->key = prv->key_priv;
@@ -404,7 +394,6 @@ ssh_public_key publickey_from_privatekey(ssh_private_key prv) {
rc = ssh_pki_export_privkey_to_pubkey(privkey, &pubkey);
#ifndef HAVE_LIBCRYPTO
- privkey->dsa = NULL;
privkey->rsa = NULL;
#else
privkey->key = NULL;
@@ -455,10 +444,8 @@ ssh_private_key privatekey_from_file(ssh_session session,
privkey->type = key->type;
#ifndef HAVE_LIBCRYPTO
- privkey->dsa_priv = key->dsa;
privkey->rsa_priv = key->rsa;
- key->dsa = NULL;
key->rsa = NULL;
#else
privkey->key_priv = key->key;
@@ -483,7 +470,6 @@ void privatekey_free(ssh_private_key prv) {
}
#ifdef HAVE_LIBGCRYPT
- gcry_sexp_release(prv->dsa_priv);
gcry_sexp_release(prv->rsa_priv);
#elif defined HAVE_LIBCRYPTO
EVP_PKEY_free(prv->key_priv);
@@ -552,8 +538,6 @@ ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) {
pubkey->type_c = key->type_c;
#ifndef HAVE_LIBCRYPTO
- pubkey->dsa_pub = key->dsa;
- key->dsa = NULL;
pubkey->rsa_pub = key->rsa;
key->rsa = NULL;
#else
@@ -584,7 +568,6 @@ ssh_string publickey_to_string(ssh_public_key pubkey) {
key->type_c = pubkey->type_c;
#ifndef HAVE_LIBCRYPTO
- key->dsa = pubkey->dsa_pub;
key->rsa = pubkey->rsa_pub;
#else
key->key = pubkey->key_pub;
@@ -596,7 +579,6 @@ ssh_string publickey_to_string(ssh_public_key pubkey) {
}
#ifndef HAVE_LIBCRYPTO
- key->dsa = NULL;
key->rsa = NULL;
#else
key->key = NULL;
diff --git a/src/libcrypto.c b/src/libcrypto.c
index 6a274501..216fc5ef 100644
--- a/src/libcrypto.c
+++ b/src/libcrypto.c
@@ -45,7 +45,6 @@
#include
#include
#if OPENSSL_VERSION_NUMBER < 0x30000000L
-#include
#include
#include
#else
@@ -1566,11 +1565,6 @@ evp_dup_pkey(const char *name, const ssh_key key, int demote, ssh_key new_key)
return SSH_OK;
}
-int evp_dup_dsa_pkey(const ssh_key key, ssh_key new_key, int demote)
-{
- return evp_dup_pkey("DSA", key, demote, new_key);
-}
-
int evp_dup_rsa_pkey(const ssh_key key, ssh_key new_key, int demote)
{
return evp_dup_pkey("RSA", key, demote, new_key);
diff --git a/src/options.c b/src/options.c
index 79699a75..3a19cd42 100644
--- a/src/options.c
+++ b/src/options.c
@@ -419,7 +419,7 @@ int ssh_options_set_algo(ssh_session session,
* - SSH_OPTIONS_HOSTKEYS:
* Set the preferred server host key types (const char *,
* comma-separated list). ex:
- * "ssh-rsa,ssh-dss,ecdh-sha2-nistp256". The list can be
+ * "ssh-rsa,ecdh-sha2-nistp256". The list can be
* prepended by +,-,^ which will append, remove or move to
* the beginning (prioritizing) of the default list
* respectively. Giving an empty list after + and ^ will
@@ -428,7 +428,7 @@ int ssh_options_set_algo(ssh_session session,
* - SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES:
* Set the preferred public key algorithms to be used for
* authentication (const char *, comma-separated list). ex:
- * "ssh-rsa,rsa-sha2-256,ssh-dss,ecdh-sha2-nistp256"
+ * "ssh-rsa,rsa-sha2-256,ecdh-sha2-nistp256"
* The list can be prepended by +,-,^ which will append,
* remove or move to the beginning (prioritizing) of the
* default list respectively. Giving an empty list
@@ -1353,7 +1353,6 @@ int ssh_options_getopt(ssh_session session, int *argcptr, char **argv)
int argc = *argcptr;
int debuglevel = 0;
int usersa = 0;
- int usedss = 0;
int compress = 0;
int cont = 1;
size_t current = 0;
@@ -1367,7 +1366,7 @@ int ssh_options_getopt(ssh_session session, int *argcptr, char **argv)
}
opterr = 0; /* shut up getopt */
- while((opt = getopt(argc, argv, "c:i:Cl:p:vb:rd12")) != -1) {
+ while((opt = getopt(argc, argv, "c:i:Cl:p:vb:r12")) != -1) {
switch(opt) {
case 'l':
user = optarg;
@@ -1381,9 +1380,6 @@ int ssh_options_getopt(ssh_session session, int *argcptr, char **argv)
case 'r':
usersa++;
break;
- case 'd':
- usedss++;
- break;
case 'c':
cipher = optarg;
break;
@@ -1446,11 +1442,6 @@ int ssh_options_getopt(ssh_session session, int *argcptr, char **argv)
optind++;
}
- if (usersa && usedss) {
- ssh_set_error(session, SSH_FATAL, "Either RSA or DSS must be chosen");
- cont = 0;
- }
-
ssh_set_log_level(debuglevel);
optind = saveoptind;
@@ -1742,8 +1733,8 @@ static int ssh_bind_set_algo(ssh_bind sshbind,
*
* - SSH_BIND_OPTIONS_HOSTKEY:
* Set the path to an ssh host key, regardless
- * of type. Only one key from each key type
- * (RSA, DSA, ECDSA) is allowed in an ssh_bind
+ * of type. Only one key from per key type
+ * (RSA, ED25519 and ECDSA) is allowed in an ssh_bind
* at a time, and later calls to this function
* with this option for the same key type will
* override prior calls (const char *).
@@ -1779,10 +1770,6 @@ static int ssh_bind_set_algo(ssh_bind sshbind,
* SSH_BIND_OPTIONS_LOG_VERBOSITY above (const
* char *).
*
- * - SSH_BIND_OPTIONS_DSAKEY:
- * Set the path to the ssh host dsa key, SSHv2
- * only (const char *).
- *
* - SSH_BIND_OPTIONS_RSAKEY:
* Set the path to the ssh host rsa key, SSHv2
* only (const char *).
@@ -1794,6 +1781,9 @@ static int ssh_bind_set_algo(ssh_bind sshbind,
* - SSH_BIND_OPTIONS_BANNER:
* Set the server banner sent to clients (const char *).
*
+ * - SSH_BIND_OPTIONS_DSAKEY:
+ * This is DEPRECATED, please do not use
+ *
* - SSH_BIND_OPTIONS_IMPORT_KEY:
* Set the Private Key for the server directly (ssh_key)
*
@@ -1905,17 +1895,6 @@ int ssh_bind_options_set(ssh_bind sshbind, enum ssh_bind_options_e type,
key_type = ssh_key_type(key);
switch (key_type) {
- case SSH_KEYTYPE_DSS:
-#ifdef HAVE_DSA
- bind_key_loc = &sshbind->dsa;
- bind_key_path_loc = &sshbind->dsakey;
-#else
- ssh_set_error(sshbind,
- SSH_FATAL,
- "DSS key used and libssh compiled "
- "without DSA support");
-#endif
- break;
case SSH_KEYTYPE_ECDSA_P256:
case SSH_KEYTYPE_ECDSA_P384:
case SSH_KEYTYPE_ECDSA_P521:
@@ -1979,16 +1958,6 @@ int ssh_bind_options_set(ssh_bind sshbind, enum ssh_bind_options_e type,
key_type = ssh_key_type(key);
switch (key_type) {
- case SSH_KEYTYPE_DSS:
-#ifdef HAVE_DSA
- bind_key_loc = &sshbind->dsa;
-#else
- ssh_set_error(sshbind,
- SSH_FATAL,
- "DSA key used and libssh compiled "
- "without DSA support");
-#endif
- break;
case SSH_KEYTYPE_ECDSA_P256:
case SSH_KEYTYPE_ECDSA_P384:
case SSH_KEYTYPE_ECDSA_P521:
@@ -2085,12 +2054,6 @@ int ssh_bind_options_set(ssh_bind sshbind, enum ssh_bind_options_e type,
ssh_set_log_level(i & 0xffffU);
}
break;
- case SSH_BIND_OPTIONS_DSAKEY:
- rc = ssh_bind_set_key(sshbind, &sshbind->dsakey, value);
- if (rc < 0) {
- return -1;
- }
- break;
case SSH_BIND_OPTIONS_RSAKEY:
rc = ssh_bind_set_key(sshbind, &sshbind->rsakey, value);
if (rc < 0) {
diff --git a/src/pki.c b/src/pki.c
index a4baef1a..3886514c 100644
--- a/src/pki.c
+++ b/src/pki.c
@@ -77,13 +77,6 @@ enum ssh_keytypes_e pki_privatekey_type_from_string(const char *privkey)
{
char *start = NULL;
-#ifdef HAVE_DSA
- start = strstr(privkey, DSA_HEADER_BEGIN);
- if (start != NULL) {
- return SSH_KEYTYPE_DSS;
- }
-#endif /* HAVE_DSA */
-
start = strstr(privkey, RSA_HEADER_BEGIN);
if (start != NULL) {
return SSH_KEYTYPE_RSA;
@@ -208,9 +201,9 @@ void ssh_key_free (ssh_key key)
/**
* @brief returns the type of a ssh key
* @param[in] key the ssh_key handle
- * @returns one of SSH_KEYTYPE_RSA, SSH_KEYTYPE_DSS,
+ * @returns one of SSH_KEYTYPE_RSA,
* SSH_KEYTYPE_ECDSA_P256, SSH_KEYTYPE_ECDSA_P384,
- * SSH_KEYTYPE_ECDSA_P521, SSH_KEYTYPE_ED25519, SSH_KEYTYPE_DSS_CERT01,
+ * SSH_KEYTYPE_ECDSA_P521, SSH_KEYTYPE_ED25519,
* SSH_KEYTYPE_RSA_CERT01, SSH_KEYTYPE_ECDSA_P256_CERT01,
* SSH_KEYTYPE_ECDSA_P384_CERT01, SSH_KEYTYPE_ECDSA_P521_CERT01, or
* SSH_KEYTYPE_ED25519_CERT01.
@@ -281,8 +274,6 @@ ssh_key_signature_to_char(enum ssh_keytypes_e type,
*/
const char *ssh_key_type_to_char(enum ssh_keytypes_e type) {
switch (type) {
- case SSH_KEYTYPE_DSS:
- return "ssh-dss";
case SSH_KEYTYPE_RSA:
return "ssh-rsa";
case SSH_KEYTYPE_ECDSA:
@@ -295,8 +286,6 @@ const char *ssh_key_type_to_char(enum ssh_keytypes_e type) {
return "ecdsa-sha2-nistp521";
case SSH_KEYTYPE_ED25519:
return "ssh-ed25519";
- case SSH_KEYTYPE_DSS_CERT01:
- return "ssh-dss-cert-v01@openssh.com";
case SSH_KEYTYPE_RSA_CERT01:
return "ssh-rsa-cert-v01@openssh.com";
case SSH_KEYTYPE_ECDSA_P256_CERT01:
@@ -315,7 +304,9 @@ const char *ssh_key_type_to_char(enum ssh_keytypes_e type) {
return "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com";
case SSH_KEYTYPE_SK_ED25519_CERT01:
return "sk-ssh-ed25519-cert-v01@openssh.com";
+ case SSH_KEYTYPE_DSS: /* deprecated */
case SSH_KEYTYPE_RSA1:
+ case SSH_KEYTYPE_DSS_CERT01: /* deprecated */
case SSH_KEYTYPE_UNKNOWN:
return NULL;
}
@@ -333,8 +324,6 @@ enum ssh_digest_e ssh_key_hash_from_name(const char *name)
if (strcmp(name, "ssh-rsa") == 0) {
return SSH_DIGEST_SHA1;
- } else if (strcmp(name, "ssh-dss") == 0) {
- return SSH_DIGEST_SHA1;
} else if (strcmp(name, "rsa-sha2-256") == 0) {
return SSH_DIGEST_SHA256;
} else if (strcmp(name, "rsa-sha2-512") == 0) {
@@ -450,9 +439,6 @@ enum ssh_digest_e ssh_key_type_to_hash(ssh_session session,
enum ssh_keytypes_e type)
{
switch (type) {
- case SSH_KEYTYPE_DSS_CERT01:
- case SSH_KEYTYPE_DSS:
- return SSH_DIGEST_SHA1;
case SSH_KEYTYPE_RSA_CERT01:
/* If we are talking to an old OpenSSH version which does not support
* SHA2 in certificates */
@@ -494,6 +480,8 @@ enum ssh_digest_e ssh_key_type_to_hash(ssh_session session,
case SSH_KEYTYPE_ED25519:
return SSH_DIGEST_AUTO;
case SSH_KEYTYPE_RSA1:
+ case SSH_KEYTYPE_DSS: /* deprecated */
+ case SSH_KEYTYPE_DSS_CERT01: /* deprecated */
case SSH_KEYTYPE_ECDSA:
case SSH_KEYTYPE_UNKNOWN:
default:
@@ -576,12 +564,8 @@ enum ssh_keytypes_e ssh_key_type_from_name(const char *name)
if (strcmp(name, "rsa") == 0) {
return SSH_KEYTYPE_RSA;
- } else if (strcmp(name, "dsa") == 0) {
- return SSH_KEYTYPE_DSS;
} else if (strcmp(name, "ssh-rsa") == 0) {
return SSH_KEYTYPE_RSA;
- } else if (strcmp(name, "ssh-dss") == 0) {
- return SSH_KEYTYPE_DSS;
} else if (strcmp(name, "ssh-ecdsa") == 0
|| strcmp(name, "ecdsa") == 0
|| strcmp(name, "ecdsa-sha2-nistp256") == 0) {
@@ -592,8 +576,6 @@ enum ssh_keytypes_e ssh_key_type_from_name(const char *name)
return SSH_KEYTYPE_ECDSA_P521;
} else if (strcmp(name, "ssh-ed25519") == 0){
return SSH_KEYTYPE_ED25519;
- } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) {
- return SSH_KEYTYPE_DSS_CERT01;
} else if (strcmp(name, "ssh-rsa-cert-v01@openssh.com") == 0) {
return SSH_KEYTYPE_RSA_CERT01;
} else if (strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0) {
@@ -627,8 +609,6 @@ enum ssh_keytypes_e ssh_key_type_from_name(const char *name)
enum ssh_keytypes_e ssh_key_type_plain(enum ssh_keytypes_e type)
{
switch (type) {
- case SSH_KEYTYPE_DSS_CERT01:
- return SSH_KEYTYPE_DSS;
case SSH_KEYTYPE_RSA_CERT01:
return SSH_KEYTYPE_RSA;
case SSH_KEYTYPE_ECDSA_P256_CERT01:
@@ -747,11 +727,6 @@ void ssh_signature_free(ssh_signature sig)
}
switch(sig->type) {
- case SSH_KEYTYPE_DSS:
-#ifdef HAVE_LIBGCRYPT
- gcry_sexp_release(sig->dsa_sig);
-#endif /* HAVE_LIBGCRYPT */
- break;
case SSH_KEYTYPE_RSA:
#ifdef HAVE_LIBGCRYPT
gcry_sexp_release(sig->rsa_sig);
@@ -777,7 +752,8 @@ void ssh_signature_free(ssh_signature sig)
SAFE_FREE(sig->ed25519_sig);
#endif /* HAVE_LIBCRYPTO */
break;
- case SSH_KEYTYPE_DSS_CERT01:
+ case SSH_KEYTYPE_DSS: /* deprecated */
+ case SSH_KEYTYPE_DSS_CERT01: /* deprecated */
case SSH_KEYTYPE_RSA_CERT01:
case SSH_KEYTYPE_ECDSA_P256_CERT01:
case SSH_KEYTYPE_ECDSA_P384_CERT01:
@@ -1115,8 +1091,6 @@ ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key)
pub->type_c = tmp->type_c;
#ifndef HAVE_LIBCRYPTO
- pub->dsa_pub = tmp->dsa;
- tmp->dsa = NULL;
pub->rsa_pub = tmp->rsa;
tmp->rsa = NULL;
#else
@@ -1141,7 +1115,6 @@ ssh_private_key ssh_pki_convert_key_to_privatekey(const ssh_key key)
privkey->type = key->type;
#ifndef HAVE_LIBCRYPTO
- privkey->dsa_priv = key->dsa;
privkey->rsa_priv = key->rsa;
#else
privkey->key_priv = key->key;
@@ -1167,46 +1140,6 @@ int pki_import_privkey_buffer(enum ssh_keytypes_e type,
key->flags = SSH_KEY_FLAG_PRIVATE | SSH_KEY_FLAG_PUBLIC;
switch (type) {
- case SSH_KEYTYPE_DSS:
- {
- ssh_string p = NULL;
- ssh_string q = NULL;
- ssh_string g = NULL;
- ssh_string pubkey = NULL;
- ssh_string privkey = NULL;
-
- rc = ssh_buffer_unpack(buffer, "SSSSS", &p, &q, &g,
- &pubkey, &privkey);
- if (rc != SSH_OK) {
- SSH_LOG(SSH_LOG_TRACE, "Unpack error");
- goto fail;
- }
-
- rc = pki_privkey_build_dss(key, p, q, g, pubkey, privkey);
-#ifdef DEBUG_CRYPTO
- ssh_log_hexdump("p", ssh_string_data(p), ssh_string_len(p));
- ssh_log_hexdump("q", ssh_string_data(q), ssh_string_len(q));
- ssh_log_hexdump("g", ssh_string_data(g), ssh_string_len(g));
- ssh_log_hexdump("pubkey", ssh_string_data(pubkey),
- ssh_string_len(pubkey));
- ssh_log_hexdump("privkey", ssh_string_data(privkey),
- ssh_string_len(privkey));
-#endif /* DEBUG_CRYPTO */
- ssh_string_burn(p);
- SSH_STRING_FREE(p);
- ssh_string_burn(q);
- SSH_STRING_FREE(q);
- ssh_string_burn(g);
- SSH_STRING_FREE(g);
- ssh_string_burn(pubkey);
- SSH_STRING_FREE(pubkey);
- ssh_string_burn(privkey);
- SSH_STRING_FREE(privkey);
- if (rc == SSH_ERROR) {
- goto fail;
- }
- }
- break;
case SSH_KEYTYPE_RSA:
{
ssh_string n = NULL;
@@ -1309,7 +1242,6 @@ int pki_import_privkey_buffer(enum ssh_keytypes_e type,
}
}
break;
- case SSH_KEYTYPE_DSS_CERT01:
case SSH_KEYTYPE_RSA_CERT01:
case SSH_KEYTYPE_ECDSA_P256_CERT01:
case SSH_KEYTYPE_ECDSA_P384_CERT01:
@@ -1351,39 +1283,6 @@ static int pki_import_pubkey_buffer(ssh_buffer buffer,
key->flags = SSH_KEY_FLAG_PUBLIC;
switch (type) {
- case SSH_KEYTYPE_DSS:
- {
- ssh_string p = NULL;
- ssh_string q = NULL;
- ssh_string g = NULL;
- ssh_string pubkey = NULL;
-
- rc = ssh_buffer_unpack(buffer, "SSSS", &p, &q, &g, &pubkey);
- if (rc != SSH_OK) {
- SSH_LOG(SSH_LOG_TRACE, "Unpack error");
- goto fail;
- }
-
- rc = pki_pubkey_build_dss(key, p, q, g, pubkey);
-#ifdef DEBUG_CRYPTO
- ssh_log_hexdump("p", ssh_string_data(p), ssh_string_len(p));
- ssh_log_hexdump("q", ssh_string_data(q), ssh_string_len(q));
- ssh_log_hexdump("g", ssh_string_data(g), ssh_string_len(g));
-#endif /* DEBUG_CRYPTO */
- ssh_string_burn(p);
- SSH_STRING_FREE(p);
- ssh_string_burn(q);
- SSH_STRING_FREE(q);
- ssh_string_burn(g);
- SSH_STRING_FREE(g);
- ssh_string_burn(pubkey);
- SSH_STRING_FREE(pubkey);
- if (rc == SSH_ERROR) {
- SSH_LOG(SSH_LOG_TRACE, "Failed to build DSA public key");
- goto fail;
- }
- }
- break;
case SSH_KEYTYPE_RSA:
{
ssh_string e = NULL;
@@ -1494,7 +1393,6 @@ static int pki_import_pubkey_buffer(ssh_buffer buffer,
}
}
break;
- case SSH_KEYTYPE_DSS_CERT01:
case SSH_KEYTYPE_RSA_CERT01:
case SSH_KEYTYPE_ECDSA_P256_CERT01:
case SSH_KEYTYPE_ECDSA_P384_CERT01:
@@ -1562,9 +1460,6 @@ static int pki_import_cert_buffer(ssh_buffer buffer,
SSH_STRING_FREE(tmp_s);
switch (type) {
- case SSH_KEYTYPE_DSS_CERT01:
- rc = pki_import_pubkey_buffer(buffer, SSH_KEYTYPE_DSS, &key);
- break;
case SSH_KEYTYPE_RSA_CERT01:
rc = pki_import_pubkey_buffer(buffer, SSH_KEYTYPE_RSA, &key);
break;
@@ -1977,7 +1872,6 @@ int ssh_pki_import_cert_file(const char *filename, ssh_key *pkey)
*
* @param[in] parameter Parameter to the creation of key:
* rsa : length of the key in bits (e.g. 1024, 2048, 4096)
- * dsa : length of the key in bits (e.g. 1024, 2048, 3072)
* @param[out] pkey A pointer to store the allocated private key. You need
* to free the memory using ssh_key_free().
*
@@ -2007,11 +1901,6 @@ int ssh_pki_generate(enum ssh_keytypes_e type, int parameter,
if(rc == SSH_ERROR)
goto error;
break;
- case SSH_KEYTYPE_DSS:
- rc = pki_key_generate_dss(key, parameter);
- if(rc == SSH_ERROR)
- goto error;
- break;
#ifdef HAVE_ECC
case SSH_KEYTYPE_ECDSA: /* deprecated */
rc = pki_key_generate_ecdsa(key, parameter);
@@ -2047,7 +1936,6 @@ int ssh_pki_generate(enum ssh_keytypes_e type, int parameter,
goto error;
}
break;
- case SSH_KEYTYPE_DSS_CERT01:
case SSH_KEYTYPE_RSA_CERT01:
case SSH_KEYTYPE_ECDSA_P256_CERT01:
case SSH_KEYTYPE_ECDSA_P384_CERT01:
@@ -2441,17 +2329,6 @@ int pki_key_check_hash_compatible(ssh_key key,
}
switch(key->type) {
- case SSH_KEYTYPE_DSS_CERT01:
- case SSH_KEYTYPE_DSS:
- if (hash_type == SSH_DIGEST_SHA1) {
- if (ssh_fips_mode()) {
- SSH_LOG(SSH_LOG_TRACE, "SHA1 is not allowed in FIPS mode");
- return SSH_ERROR;
- } else {
- return SSH_OK;
- }
- }
- break;
case SSH_KEYTYPE_RSA_CERT01:
case SSH_KEYTYPE_RSA:
if (hash_type == SSH_DIGEST_SHA1) {
@@ -2497,6 +2374,8 @@ int pki_key_check_hash_compatible(ssh_key key,
return SSH_OK;
}
break;
+ case SSH_KEYTYPE_DSS: /* deprecated */
+ case SSH_KEYTYPE_DSS_CERT01: /* deprecated */
case SSH_KEYTYPE_RSA1:
case SSH_KEYTYPE_ECDSA:
case SSH_KEYTYPE_UNKNOWN:
diff --git a/src/pki_crypto.c b/src/pki_crypto.c
index 72fc72dd..59a8648c 100644
--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
@@ -411,97 +411,6 @@ ssh_key pki_key_dup(const ssh_key key, int demote)
}
switch (key->type) {
- case SSH_KEYTYPE_DSS: {
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- const BIGNUM *p = NULL, *q = NULL, *g = NULL,
- *pub_key = NULL, *priv_key = NULL;
- BIGNUM *np, *nq, *ng, *npub_key, *npriv_key;
- DSA *new_dsa = DSA_new();
- const DSA *key_dsa = EVP_PKEY_get0_DSA(key->key);
- if (new_dsa == NULL) {
- goto fail;
- }
-
- /*
- * p = public prime number
- * q = public 160-bit subprime, q | p-1
- * g = public generator of subgroup
- * pub_key = public key y = g^x
- * priv_key = private key x
- */
- DSA_get0_pqg(key_dsa, &p, &q, &g);
- np = BN_dup(p);
- nq = BN_dup(q);
- ng = BN_dup(g);
- if (np == NULL || nq == NULL || ng == NULL) {
- DSA_free(new_dsa);
- BN_free(np);
- BN_free(nq);
- BN_free(ng);
- goto fail;
- }
-
- /* Memory management of np, nq and ng is transferred to DSA object */
- rc = DSA_set0_pqg(new_dsa, np, nq, ng);
- if (rc == 0) {
- DSA_free(new_dsa);
- BN_free(np);
- BN_free(nq);
- BN_free(ng);
- goto fail;
- }
-
- DSA_get0_key(key_dsa, &pub_key, &priv_key);
- npub_key = BN_dup(pub_key);
- if (npub_key == NULL) {
- DSA_free(new_dsa);
- goto fail;
- }
-
- /* Memory management of npubkey is transferred to DSA object */
- rc = DSA_set0_key(new_dsa, npub_key, NULL);
- if (rc == 0) {
- DSA_free(new_dsa);
- goto fail;
- }
-
- if (!demote && (key->flags & SSH_KEY_FLAG_PRIVATE)) {
- npriv_key = BN_dup(priv_key);
- if (npriv_key == NULL) {
- DSA_free(new_dsa);
- goto fail;
- }
-
- /* Memory management of npriv_key is transferred to DSA object */
- rc = DSA_set0_key(new_dsa, NULL, npriv_key);
- if (rc == 0) {
- DSA_free(new_dsa);
- goto fail;
- }
- }
-
- new->key = EVP_PKEY_new();
- if (new->key == NULL) {
- DSA_free(new_dsa);
- goto fail;
- }
-
- rc = EVP_PKEY_assign_DSA(new->key, new_dsa);
- if (rc != 1) {
- EVP_PKEY_free(new->key);
- DSA_free(new_dsa);
- goto fail;
- }
-
- new_dsa = NULL;
-#else
- rc = evp_dup_dsa_pkey(key, new, demote);
- if (rc != SSH_OK) {
- goto fail;
- }
-#endif /* OPENSSL_VERSION_NUMBER */
- break;
- }
case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA1: {
#if OPENSSL_VERSION_NUMBER < 0x30000000L
@@ -805,107 +714,6 @@ int pki_key_generate_rsa(ssh_key key, int parameter){
return SSH_OK;
}
-int pki_key_generate_dss(ssh_key key, int parameter){
- int rc;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- DSA *key_dsa = DSA_new();
- if (key_dsa == NULL) {
- return SSH_ERROR;
- }
- rc = DSA_generate_parameters_ex(key_dsa,
- parameter,
- NULL, /* seed */
- 0, /* seed_len */
- NULL, /* counter_ret */
- NULL, /* h_ret */
- NULL); /* cb */
- if (rc != 1) {
- DSA_free(key_dsa);
- return SSH_ERROR;
- }
- rc = DSA_generate_key(key_dsa);
- if (rc != 1) {
- DSA_free(key_dsa);
- return SSH_ERROR;
- }
-
- key->key = EVP_PKEY_new();
- if (key->key == NULL) {
- DSA_free(key_dsa);
- return SSH_ERROR;
- }
-
- rc = EVP_PKEY_assign_DSA(key->key, key_dsa);
- if (rc != 1) {
- DSA_free(key_dsa);
- EVP_PKEY_free(key->key);
- return SSH_ERROR;
- }
-
- key_dsa = NULL;
-#else
- OSSL_PARAM params[3];
- EVP_PKEY *param_key = NULL;
- EVP_PKEY_CTX *pctx = NULL;
- EVP_PKEY_CTX *gctx = NULL;
- int qbits = parameter < 2048 ? 160 : 256;
-
- key->key = EVP_PKEY_new();
- if (key->key == NULL) {
- return SSH_ERROR;
- }
- pctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
- if (pctx == NULL) {
- return SSH_ERROR;
- }
-
- rc = EVP_PKEY_paramgen_init(pctx);
- if (rc != 1) {
- EVP_PKEY_CTX_free(pctx);
- return SSH_ERROR;
- }
- params[0] = OSSL_PARAM_construct_int("pbits", ¶meter);
- params[1] = OSSL_PARAM_construct_int("qbits", &qbits);
- params[2] = OSSL_PARAM_construct_end();
- rc = EVP_PKEY_CTX_set_params(pctx, params);
- if (rc != 1) {
- EVP_PKEY_CTX_free(pctx);
- return SSH_ERROR;
- }
- /* generating the domain parameters */
- rc = EVP_PKEY_generate(pctx, ¶m_key);
- if (rc != 1) {
- EVP_PKEY_CTX_free(pctx);
- EVP_PKEY_free(param_key);
- return SSH_ERROR;
- }
- EVP_PKEY_CTX_free(pctx);
-
- gctx = EVP_PKEY_CTX_new_from_pkey(NULL, param_key, NULL);
- if (gctx == NULL) {
- EVP_PKEY_free(param_key);
- return SSH_ERROR;
- }
-
- EVP_PKEY_free(param_key);
- rc = EVP_PKEY_keygen_init(gctx);
- if (rc != 1) {
- EVP_PKEY_CTX_free(gctx);
- return SSH_ERROR;
- }
- /* generating the key from the domain parameters */
- rc = EVP_PKEY_generate(gctx, &key->key);
- if (rc != 1) {
- EVP_PKEY_free(key->key);
- key->key = NULL;
- EVP_PKEY_CTX_free(gctx);
- return SSH_ERROR;
- }
- EVP_PKEY_CTX_free(gctx);
-#endif /* OPENSSL_VERSION_NUMBER */
- return SSH_OK;
-}
-
#ifdef HAVE_OPENSSL_ECC
int pki_key_generate_ecdsa(ssh_key key, int parameter)
{
@@ -1033,7 +841,6 @@ int pki_key_compare(const ssh_key k1,
}
#endif /* HAVE_OPENSSL_ECC */
#endif /* OPENSSL_VERSION_NUMBER */
- case SSH_KEYTYPE_DSS:
case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA1:
rc = EVP_PKEY_eq(k1->key, k2->key);
@@ -1068,7 +875,6 @@ ssh_string pki_private_key_to_pem(const ssh_key key,
}
switch (key->type) {
- case SSH_KEYTYPE_DSS:
case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA1:
case SSH_KEYTYPE_ECDSA_P256:
@@ -1101,7 +907,6 @@ ssh_string pki_private_key_to_pem(const ssh_key key,
/* Mark the operation as successful as for the other key types */
rc = 1;
break;
- case SSH_KEYTYPE_DSS_CERT01:
case SSH_KEYTYPE_RSA_CERT01:
case SSH_KEYTYPE_ECDSA_P256_CERT01:
case SSH_KEYTYPE_ECDSA_P384_CERT01:
@@ -1204,9 +1009,6 @@ ssh_key pki_private_key_from_base64(const char *b64_key,
return NULL;
}
switch (EVP_PKEY_base_id(pkey)) {
- case EVP_PKEY_DSA:
- type = SSH_KEYTYPE_DSS;
- break;
case EVP_PKEY_RSA:
type = SSH_KEYTYPE_RSA;
break;
@@ -1307,199 +1109,6 @@ fail:
return NULL;
}
-int pki_privkey_build_dss(ssh_key key,
- ssh_string p,
- ssh_string q,
- ssh_string g,
- ssh_string pubkey,
- ssh_string privkey)
-{
- int rc;
- BIGNUM *bp, *bq, *bg, *bpub_key, *bpriv_key;
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
- if (param_bld == NULL) {
- return SSH_ERROR;
- }
-#else
- DSA *key_dsa = DSA_new();
- if (key_dsa == NULL) {
- return SSH_ERROR;
- }
-#endif /* OPENSSL_VERSION_NUMBER */
-
- bp = ssh_make_string_bn(p);
- bq = ssh_make_string_bn(q);
- bg = ssh_make_string_bn(g);
- bpub_key = ssh_make_string_bn(pubkey);
- bpriv_key = ssh_make_string_bn(privkey);
- if (bp == NULL || bq == NULL ||
- bg == NULL || bpub_key == NULL) {
- rc = SSH_ERROR;
- goto fail;
- }
-
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- /* Memory management of bp, qq and bg is transferred to DSA object */
- rc = DSA_set0_pqg(key_dsa, bp, bq, bg);
- if (rc == 0) {
- goto fail;
- }
-
- /* Memory management of bpub_key and bpriv_key is transferred to DSA object */
- rc = DSA_set0_key(key_dsa, bpub_key, bpriv_key);
- if (rc == 0) {
- goto fail;
- }
-
- key->key = EVP_PKEY_new();
- if (key->key == NULL) {
- goto fail;
- }
-
- rc = EVP_PKEY_assign_DSA(key->key, key_dsa);
- if (rc != 1) {
- goto fail;
- }
-
- return SSH_OK;
-fail:
- EVP_PKEY_free(key->key);
- DSA_free(key_dsa);
- return SSH_ERROR;
-#else
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, bp);
- if (rc != 1) {
- rc = SSH_ERROR;
- goto fail;
- }
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, bq);
- if (rc != 1) {
- rc = SSH_ERROR;
- goto fail;
- }
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, bg);
- if (rc != 1) {
- rc = SSH_ERROR;
- goto fail;
- }
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, bpub_key);
- if (rc != 1) {
- rc = SSH_ERROR;
- goto fail;
- }
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, bpriv_key);
- if (rc != 1) {
- rc = SSH_ERROR;
- goto fail;
- }
-
- rc = evp_build_pkey("DSA", param_bld, &(key->key), EVP_PKEY_KEYPAIR);
-
-fail:
- OSSL_PARAM_BLD_free(param_bld);
- bignum_safe_free(bp);
- bignum_safe_free(bq);
- bignum_safe_free(bg);
- bignum_safe_free(bpub_key);
- bignum_safe_free(bpriv_key);
-
- return rc;
-#endif /* OPENSSL_VERSION_NUMBER */
-}
-
-int pki_pubkey_build_dss(ssh_key key,
- ssh_string p,
- ssh_string q,
- ssh_string g,
- ssh_string pubkey) {
- int rc;
- BIGNUM *bp = NULL, *bq = NULL, *bg = NULL, *bpub_key = NULL;
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
- if (param_bld == NULL) {
- return SSH_ERROR;
- }
-#else
- DSA *key_dsa = DSA_new();
- if (key_dsa == NULL) {
- return SSH_ERROR;
- }
-#endif /* OPENSSL_VERSION_NUMBER */
-
- bp = ssh_make_string_bn(p);
- bq = ssh_make_string_bn(q);
- bg = ssh_make_string_bn(g);
- bpub_key = ssh_make_string_bn(pubkey);
- if (bp == NULL || bq == NULL ||
- bg == NULL || bpub_key == NULL) {
- rc = SSH_ERROR;
- goto fail;
- }
-
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- /* Memory management of bp, bq and bg is transferred to DSA object */
- rc = DSA_set0_pqg(key_dsa, bp, bq, bg);
- if (rc == 0) {
- goto fail;
- }
-
- /* Memory management of npub_key is transferred to DSA object */
- rc = DSA_set0_key(key_dsa, bpub_key, NULL);
- if (rc == 0) {
- goto fail;
- }
-
- key->key = EVP_PKEY_new();
- if (key->key == NULL) {
- goto fail;
- }
-
- rc = EVP_PKEY_assign_DSA(key->key, key_dsa);
- if (rc != 1) {
- goto fail;
- }
-
- return SSH_OK;
-fail:
- EVP_PKEY_free(key->key);
- DSA_free(key_dsa);
- return SSH_ERROR;
-#else
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, bp);
- if (rc != 1) {
- rc = SSH_ERROR;
- goto fail;
- }
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, bq);
- if (rc != 1) {
- rc = SSH_ERROR;
- goto fail;
- }
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, bg);
- if (rc != 1) {
- rc = SSH_ERROR;
- goto fail;
- }
- rc = OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, bpub_key);
- if (rc != 1) {
- rc = SSH_ERROR;
- goto fail;
- }
-
- rc = evp_build_pkey("DSA", param_bld, &(key->key), EVP_PKEY_PUBLIC_KEY);
-
-fail:
- OSSL_PARAM_BLD_free(param_bld);
- bignum_safe_free(bp);
- bignum_safe_free(bq);
- bignum_safe_free(bg);
- bignum_safe_free(bpub_key);
-
- return rc;
-#endif /* OPENSSL_VERSION_NUMBER */
-}
-
int pki_privkey_build_rsa(ssh_key key,
ssh_string n,
ssh_string e,
@@ -1730,110 +1339,6 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
}
switch (key->type) {
- case SSH_KEYTYPE_DSS: {
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- const BIGNUM *bp, *bq, *bg, *bpub_key;
- const DSA *key_dsa = EVP_PKEY_get0_DSA(key->key);
- DSA_get0_pqg(key_dsa, &bp, &bq, &bg);
- DSA_get0_key(key_dsa, &bpub_key, NULL);
-#else
- const OSSL_PARAM *out_param = NULL;
- rc = EVP_PKEY_todata(key->key, EVP_PKEY_PUBLIC_KEY, ¶ms);
- if (rc != 1) {
- goto fail;
- }
- out_param = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_P);
- if (out_param == NULL) {
- SSH_LOG(SSH_LOG_TRACE, "DSA: No param P has been found");
- goto fail;
- }
- rc = OSSL_PARAM_get_BN(out_param, &bp);
- if (rc != 1) {
- goto fail;
- }
- out_param = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_Q);
- if (out_param == NULL) {
- SSH_LOG(SSH_LOG_TRACE, "DSA: No param Q has been found");
- goto fail;
- }
- rc = OSSL_PARAM_get_BN(out_param, &bq);
- if (rc != 1) {
- goto fail;
- }
- out_param = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_G);
- if (out_param == NULL) {
- SSH_LOG(SSH_LOG_TRACE, "DSA: No param G has been found");
- goto fail;
- }
- rc = OSSL_PARAM_get_BN(out_param, &bg);
- if (rc != 1) {
- goto fail;
- }
- out_param = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY);
- if (out_param == NULL) {
- SSH_LOG(SSH_LOG_TRACE, "DSA: No param PUB_KEY has been found");
- goto fail;
- }
- rc = OSSL_PARAM_get_BN(out_param, &bpub_key);
- if (rc != 1) {
- goto fail;
- }
-#endif /* OPENSSL_VERSION_NUMBER */
- p = ssh_make_bignum_string((BIGNUM *)bp);
- if (p == NULL) {
- goto fail;
- }
-
- q = ssh_make_bignum_string((BIGNUM *)bq);
- if (q == NULL) {
- goto fail;
- }
-
- g = ssh_make_bignum_string((BIGNUM *)bg);
- if (g == NULL) {
- goto fail;
- }
-
- n = ssh_make_bignum_string((BIGNUM *)bpub_key);
- if (n == NULL) {
- goto fail;
- }
-
- if (ssh_buffer_add_ssh_string(buffer, p) < 0) {
- goto fail;
- }
- if (ssh_buffer_add_ssh_string(buffer, q) < 0) {
- goto fail;
- }
- if (ssh_buffer_add_ssh_string(buffer, g) < 0) {
- goto fail;
- }
- if (ssh_buffer_add_ssh_string(buffer, n) < 0) {
- goto fail;
- }
-
- ssh_string_burn(p);
- SSH_STRING_FREE(p);
- p = NULL;
- ssh_string_burn(g);
- SSH_STRING_FREE(g);
- g = NULL;
- ssh_string_burn(q);
- SSH_STRING_FREE(q);
- q = NULL;
- ssh_string_burn(n);
- SSH_STRING_FREE(n);
- n = NULL;
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- bignum_safe_free(bp);
- bignum_safe_free(bq);
- bignum_safe_free(bg);
- bignum_safe_free(bpub_key);
- OSSL_PARAM_free(params);
-#endif /* OPENSSL_VERSION_NUMBER */
-
- break;
- }
case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA1: {
#if OPENSSL_VERSION_NUMBER < 0x30000000L
@@ -2057,92 +1562,6 @@ fail:
return NULL;
}
-static ssh_string pki_dsa_signature_to_blob(const ssh_signature sig)
-{
- char buffer[40] = { 0 };
- ssh_string sig_blob = NULL;
- const BIGNUM *pr = NULL, *ps = NULL;
-
- ssh_string r = NULL;
- size_t r_len, r_offset_in, r_offset_out;
-
- ssh_string s = NULL;
- size_t s_len, s_offset_in, s_offset_out;
-
- const unsigned char *raw_sig_data = NULL;
- size_t raw_sig_len;
- int rc;
-
- DSA_SIG *dsa_sig;
-
- if (sig == NULL || sig->raw_sig == NULL) {
- return NULL;
- }
- raw_sig_data = ssh_string_data(sig->raw_sig);
- if (raw_sig_data == NULL) {
- return NULL;
- }
- raw_sig_len = ssh_string_len(sig->raw_sig);
-
- dsa_sig = d2i_DSA_SIG(NULL, &raw_sig_data, raw_sig_len);
- if (dsa_sig == NULL) {
- return NULL;
- }
-
- DSA_SIG_get0(dsa_sig, &pr, &ps);
- if (pr == NULL || ps == NULL) {
- goto error;
- }
-
- r = ssh_make_bignum_string((BIGNUM *)pr);
- if (r == NULL) {
- goto error;
- }
-
- s = ssh_make_bignum_string((BIGNUM *)ps);
- if (s == NULL) {
- goto error;
- }
-
- r_len = ssh_string_len(r);
- r_offset_in = (r_len > 20) ? (r_len - 20) : 0;
- r_offset_out = (r_len < 20) ? (20 - r_len) : 0;
-
- s_len = ssh_string_len(s);
- s_offset_in = (s_len > 20) ? (s_len - 20) : 0;
- s_offset_out = (s_len < 20) ? (20 - s_len) : 0;
-
- memcpy(buffer + r_offset_out,
- ((char *)ssh_string_data(r)) + r_offset_in,
- r_len - r_offset_in);
- memcpy(buffer + 20 + s_offset_out,
- ((char *)ssh_string_data(s)) + s_offset_in,
- s_len - s_offset_in);
-
- DSA_SIG_free(dsa_sig);
- SSH_STRING_FREE(r);
- SSH_STRING_FREE(s);
-
- sig_blob = ssh_string_new(40);
- if (sig_blob == NULL) {
- return NULL;
- }
-
- rc = ssh_string_fill(sig_blob, buffer, 40);
- if (rc < 0) {
- SSH_STRING_FREE(sig_blob);
- return NULL;
- }
-
- return sig_blob;
-
-error:
- DSA_SIG_free(dsa_sig);
- SSH_STRING_FREE(r);
- SSH_STRING_FREE(s);
- return NULL;
-}
-
static ssh_string pki_ecdsa_signature_to_blob(const ssh_signature sig)
{
ssh_string r = NULL;
@@ -2235,9 +1654,6 @@ ssh_string pki_signature_to_blob(const ssh_signature sig)
ssh_string sig_blob = NULL;
switch(sig->type) {
- case SSH_KEYTYPE_DSS:
- sig_blob = pki_dsa_signature_to_blob(sig);
- break;
case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA1:
sig_blob = ssh_string_copy(sig->raw_sig);
@@ -2341,133 +1757,6 @@ errout:
return SSH_ERROR;
}
-static int pki_signature_from_dsa_blob(UNUSED_PARAM(const ssh_key pubkey),
- const ssh_string sig_blob,
- ssh_signature sig)
-{
- DSA_SIG *dsa_sig = NULL;
- BIGNUM *pr = NULL, *ps = NULL;
-
- ssh_string r;
- ssh_string s = NULL;
-
- size_t len;
-
- size_t raw_sig_len = 0;
- unsigned char *raw_sig_data = NULL;
- unsigned char *temp_raw_sig = NULL;
-
- int rc;
-
- len = ssh_string_len(sig_blob);
-
- /* 40 is the dual signature blob len. */
- if (len != 40) {
- SSH_LOG(SSH_LOG_TRACE,
- "Signature has wrong size: %lu",
- (unsigned long)len);
- goto error;
- }
-
-#ifdef DEBUG_CRYPTO
- ssh_log_hexdump("r", ssh_string_data(sig_blob), 20);
- ssh_log_hexdump("s", (unsigned char *)ssh_string_data(sig_blob) + 20, 20);
-#endif /* DEBUG_CRYPTO */
-
- r = ssh_string_new(20);
- if (r == NULL) {
- goto error;
- }
- rc = ssh_string_fill(r, ssh_string_data(sig_blob), 20);
- if (rc < 0) {
- SSH_STRING_FREE(r);
- goto error;
- }
-
- pr = ssh_make_string_bn(r);
- ssh_string_burn(r);
- SSH_STRING_FREE(r);
- if (pr == NULL) {
- goto error;
- }
-
- s = ssh_string_new(20);
- if (s == NULL) {
- goto error;
- }
- rc = ssh_string_fill(s, (char *)ssh_string_data(sig_blob) + 20, 20);
- if (rc < 0) {
- SSH_STRING_FREE(s);
- goto error;
- }
-
- ps = ssh_make_string_bn(s);
- ssh_string_burn(s);
- SSH_STRING_FREE(s);
- if (ps == NULL) {
- goto error;
- }
-
- dsa_sig = DSA_SIG_new();
- if (dsa_sig == NULL) {
- goto error;
- }
-
- /* Memory management of pr and ps is transferred to DSA signature
- * object */
- rc = DSA_SIG_set0(dsa_sig, pr, ps);
- if (rc == 0) {
- goto error;
- }
- ps = NULL;
- pr = NULL;
-
- /* Get the expected size of the buffer */
- rc = i2d_DSA_SIG(dsa_sig, NULL);
- if (rc <= 0) {
- goto error;
- }
- raw_sig_len = rc;
-
- raw_sig_data = (unsigned char *)calloc(1, raw_sig_len);
- if (raw_sig_data == NULL) {
- goto error;
- }
- temp_raw_sig = raw_sig_data;
-
- /* It is necessary to use a temporary pointer as i2d_* "advances" the
- * pointer */
- raw_sig_len = i2d_DSA_SIG(dsa_sig, &temp_raw_sig);
- if (raw_sig_len <= 0) {
- goto error;
- }
-
- sig->raw_sig = ssh_string_new(raw_sig_len);
- if (sig->raw_sig == NULL) {
- explicit_bzero(raw_sig_data, raw_sig_len);
- goto error;
- }
-
- rc = ssh_string_fill(sig->raw_sig, raw_sig_data, raw_sig_len);
- if (rc < 0) {
- explicit_bzero(raw_sig_data, raw_sig_len);
- goto error;
- }
-
- explicit_bzero(raw_sig_data, raw_sig_len);
- SAFE_FREE(raw_sig_data);
- DSA_SIG_free(dsa_sig);
-
- return SSH_OK;
-
-error:
- bignum_safe_free(ps);
- bignum_safe_free(pr);
- SAFE_FREE(raw_sig_data);
- DSA_SIG_free(dsa_sig);
- return SSH_ERROR;
-}
-
static int pki_signature_from_ecdsa_blob(UNUSED_PARAM(const ssh_key pubkey),
const ssh_string sig_blob,
ssh_signature sig)
@@ -2632,12 +1921,6 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey,
sig->hash_type = hash_type;
switch(type) {
- case SSH_KEYTYPE_DSS:
- rc = pki_signature_from_dsa_blob(pubkey, sig_blob, sig);
- if (rc != SSH_OK) {
- goto error;
- }
- break;
case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA1:
rc = pki_signature_from_rsa_blob(pubkey, sig_blob, sig);
@@ -2715,8 +1998,6 @@ static EVP_PKEY *pki_key_to_pkey(ssh_key key)
int rc = 0;
switch (key->type) {
- case SSH_KEYTYPE_DSS:
- case SSH_KEYTYPE_DSS_CERT01:
case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA1:
case SSH_KEYTYPE_RSA_CERT01:
@@ -3017,8 +2298,6 @@ int ssh_key_size(ssh_key key)
EVP_PKEY *pkey = NULL;
switch (key->type) {
- case SSH_KEYTYPE_DSS:
- case SSH_KEYTYPE_DSS_CERT01:
case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA_CERT01:
case SSH_KEYTYPE_RSA1:
@@ -3043,6 +2322,8 @@ int ssh_key_size(ssh_key key)
case SSH_KEYTYPE_SK_ED25519_CERT01:
/* ed25519 keys have fixed size */
return 255;
+ case SSH_KEYTYPE_DSS: /* deprecated */
+ case SSH_KEYTYPE_DSS_CERT01: /* deprecated */
case SSH_KEYTYPE_UNKNOWN:
default:
return SSH_ERROR;
diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c
index b68a1701..a1674900 100644
--- a/src/pki_gcrypt.c
+++ b/src/pki_gcrypt.c
@@ -45,8 +45,6 @@
#define MAXLINESIZE 80
#define RSA_HEADER_BEGIN "-----BEGIN RSA PRIVATE KEY-----"
#define RSA_HEADER_END "-----END RSA PRIVATE KEY-----"
-#define DSA_HEADER_BEGIN "-----BEGIN DSA PRIVATE KEY-----"
-#define DSA_HEADER_END "-----END DSA PRIVATE KEY-----"
#define ECDSA_HEADER_BEGIN "-----BEGIN EC PRIVATE KEY-----"
#define ECDSA_HEADER_END "-----END EC PRIVATE KEY-----"
@@ -288,14 +286,11 @@ void pki_key_clean(ssh_key key)
if (key == NULL)
return;
- if (key->dsa)
- gcry_sexp_release(key->dsa);
if (key->rsa)
gcry_sexp_release(key->rsa);
if (key->ecdsa)
gcry_sexp_release(key->ecdsa);
- key->dsa = NULL;
key->rsa = NULL;
key->ecdsa = NULL;
}
@@ -436,10 +431,6 @@ static ssh_buffer privatekey_string_to_buffer(const char *pkey, int type,
}
switch(type) {
- case SSH_KEYTYPE_DSS:
- header_begin = DSA_HEADER_BEGIN;
- header_end = DSA_HEADER_END;
- break;
case SSH_KEYTYPE_RSA:
header_begin = RSA_HEADER_BEGIN;
header_end = RSA_HEADER_END;
@@ -643,79 +634,6 @@ error:
return rc;
}
-static int b64decode_dsa_privatekey(const char *pkey, gcry_sexp_t *r, ssh_auth_callback cb,
- void *userdata, const char *desc) {
- const unsigned char *data;
- ssh_buffer buffer = NULL;
- ssh_string p = NULL;
- ssh_string q = NULL;
- ssh_string g = NULL;
- ssh_string y = NULL;
- ssh_string x = NULL;
- ssh_string v = NULL;
- int rc = 1;
-
- buffer = privatekey_string_to_buffer(pkey, SSH_KEYTYPE_DSS, cb, userdata, desc);
- if (buffer == NULL) {
- return 0;
- }
-
- if (!asn1_check_sequence(buffer)) {
- SSH_BUFFER_FREE(buffer);
- return 0;
- }
-
- v = asn1_get_int(buffer);
- if (v == NULL) {
- SSH_BUFFER_FREE(buffer);
- return 0;
- }
-
- data = ssh_string_data(v);
- if (ssh_string_len(v) != 1 || data[0] != 0) {
- SSH_STRING_FREE(v);
- SSH_BUFFER_FREE(buffer);
- return 0;
- }
-
- p = asn1_get_int(buffer);
- q = asn1_get_int(buffer);
- g = asn1_get_int(buffer);
- y = asn1_get_int(buffer);
- x = asn1_get_int(buffer);
- SSH_BUFFER_FREE(buffer);
-
- if (p == NULL || q == NULL || g == NULL || y == NULL || x == NULL) {
- rc = 0;
- goto error;
- }
-
- if (gcry_sexp_build(r, NULL,
- "(private-key(dsa(p %b)(q %b)(g %b)(y %b)(x %b)))",
- ssh_string_len(p), ssh_string_data(p),
- ssh_string_len(q), ssh_string_data(q),
- ssh_string_len(g), ssh_string_data(g),
- ssh_string_len(y), ssh_string_data(y),
- ssh_string_len(x), ssh_string_data(x))) {
- rc = 0;
- }
-
-error:
- ssh_string_burn(p);
- SSH_STRING_FREE(p);
- ssh_string_burn(q);
- SSH_STRING_FREE(q);
- ssh_string_burn(g);
- SSH_STRING_FREE(g);
- ssh_string_burn(y);
- SSH_STRING_FREE(y);
- ssh_string_burn(x);
- SSH_STRING_FREE(x);
- SSH_STRING_FREE(v);
-
- return rc;
-}
-
#ifdef HAVE_GCRYPT_ECC
static int pki_key_ecdsa_to_nid(gcry_sexp_t k)
{
@@ -965,7 +883,6 @@ ssh_key pki_private_key_from_base64(const char *b64_key,
ssh_auth_callback auth_fn,
void *auth_data)
{
- gcry_sexp_t dsa = NULL;
gcry_sexp_t rsa = NULL;
gcry_sexp_t ecdsa = NULL;
ssh_key key = NULL;
@@ -979,25 +896,6 @@ ssh_key pki_private_key_from_base64(const char *b64_key,
}
switch (type) {
- case SSH_KEYTYPE_DSS:
- if (passphrase == NULL) {
- if (auth_fn) {
- valid = b64decode_dsa_privatekey(b64_key, &dsa, auth_fn,
- auth_data, "Passphrase for private key:");
- } else {
- valid = b64decode_dsa_privatekey(b64_key, &dsa, NULL, NULL,
- NULL);
- }
- } else {
- valid = b64decode_dsa_privatekey(b64_key, &dsa, NULL, (void *)
- passphrase, NULL);
- }
-
- if (!valid) {
- SSH_LOG(SSH_LOG_TRACE, "Error parsing private key");
- goto fail;
- }
- break;
case SSH_KEYTYPE_RSA:
if (passphrase == NULL) {
if (auth_fn) {
@@ -1074,7 +972,6 @@ ssh_key pki_private_key_from_base64(const char *b64_key,
key->type = type;
key->type_c = ssh_key_type_to_char(type);
key->flags = SSH_KEY_FLAG_PRIVATE | SSH_KEY_FLAG_PUBLIC;
- key->dsa = dsa;
key->rsa = rsa;
key->ecdsa = ecdsa;
#ifdef HAVE_GCRYPT_ECC
@@ -1086,52 +983,12 @@ ssh_key pki_private_key_from_base64(const char *b64_key,
return key;
fail:
ssh_key_free(key);
- gcry_sexp_release(dsa);
gcry_sexp_release(rsa);
gcry_sexp_release(ecdsa);
return NULL;
}
-int pki_privkey_build_dss(ssh_key key,
- ssh_string p,
- ssh_string q,
- ssh_string g,
- ssh_string pubkey,
- ssh_string privkey)
-{
- gcry_sexp_build(&key->dsa, NULL,
- "(private-key(dsa(p %b)(q %b)(g %b)(y %b)(x %b)))",
- ssh_string_len(p), ssh_string_data(p),
- ssh_string_len(q), ssh_string_data(q),
- ssh_string_len(g), ssh_string_data(g),
- ssh_string_len(pubkey), ssh_string_data(pubkey),
- ssh_string_len(privkey), ssh_string_data(privkey));
- if (key->dsa == NULL) {
- return SSH_ERROR;
- }
-
- return SSH_OK;
-}
-
-int pki_pubkey_build_dss(ssh_key key,
- ssh_string p,
- ssh_string q,
- ssh_string g,
- ssh_string pubkey) {
- gcry_sexp_build(&key->dsa, NULL,
- "(public-key(dsa(p %b)(q %b)(g %b)(y %b)))",
- ssh_string_len(p), ssh_string_data(p),
- ssh_string_len(q), ssh_string_data(q),
- ssh_string_len(g), ssh_string_data(g),
- ssh_string_len(pubkey), ssh_string_data(pubkey));
- if (key->dsa == NULL) {
- return SSH_ERROR;
- }
-
- return SSH_OK;
-}
-
int pki_privkey_build_rsa(ssh_key key,
ssh_string n,
ssh_string e,
@@ -1243,32 +1100,6 @@ ssh_key pki_key_dup(const ssh_key key, int demote)
}
switch(key->type) {
- case SSH_KEYTYPE_DSS:
- err = gcry_sexp_extract_param(key->dsa,
- NULL,
- "pqgyx?",
- &p,
- &q,
- &g,
- &y,
- &x,
- NULL);
- if (err != 0) {
- break;
- }
-
- if (!demote && (key->flags & SSH_KEY_FLAG_PRIVATE)) {
- err = gcry_sexp_build(&new->dsa,
- NULL,
- "(private-key(dsa(p %m)(q %m)(g %m)(y %m)(x %m)))",
- p, q, g, y, x);
- } else {
- err = gcry_sexp_build(&new->dsa,
- NULL,
- "(public-key(dsa(p %m)(q %m)(g %m)(y %m)))",
- p, q, g, y);
- }
- break;
case SSH_KEYTYPE_RSA:
err = gcry_sexp_extract_param(key->rsa,
NULL,
@@ -1383,9 +1214,6 @@ static int pki_key_generate(ssh_key key, int parameter, const char *type_s, int
case SSH_KEYTYPE_RSA:
rc = gcry_pk_genkey(&key->rsa, params);
break;
- case SSH_KEYTYPE_DSS:
- rc = gcry_pk_genkey(&key->dsa, params);
- break;
case SSH_KEYTYPE_ECDSA_P256:
case SSH_KEYTYPE_ECDSA_P384:
case SSH_KEYTYPE_ECDSA_P521:
@@ -1403,9 +1231,6 @@ static int pki_key_generate(ssh_key key, int parameter, const char *type_s, int
int pki_key_generate_rsa(ssh_key key, int parameter){
return pki_key_generate(key, parameter, "rsa", SSH_KEYTYPE_RSA);
}
-int pki_key_generate_dss(ssh_key key, int parameter){
- return pki_key_generate(key, parameter, "dsa", SSH_KEYTYPE_DSS);
-}
#ifdef HAVE_GCRYPT_ECC
int pki_key_generate_ecdsa(ssh_key key, int parameter) {
@@ -1472,29 +1297,6 @@ int pki_key_compare(const ssh_key k1,
enum ssh_keycmp_e what)
{
switch (k1->type) {
- case SSH_KEYTYPE_DSS:
- if (_bignum_cmp(k1->dsa, k2->dsa, "p") != 0) {
- return 1;
- }
-
- if (_bignum_cmp(k1->dsa, k2->dsa, "q") != 0) {
- return 1;
- }
-
- if (_bignum_cmp(k1->dsa, k2->dsa, "g") != 0) {
- return 1;
- }
-
- if (_bignum_cmp(k1->dsa, k2->dsa, "y") != 0) {
- return 1;
- }
-
- if (what == SSH_KEY_CMP_PRIVATE) {
- if (_bignum_cmp(k1->dsa, k2->dsa, "x") != 0) {
- return 1;
- }
- }
- break;
case SSH_KEYTYPE_RSA:
if (_bignum_cmp(k1->rsa, k2->rsa, "e") != 0) {
return 1;
@@ -1546,7 +1348,8 @@ int pki_key_compare(const ssh_key k1,
}
break;
#endif
- case SSH_KEYTYPE_DSS_CERT01:
+ case SSH_KEYTYPE_DSS: /* deprecated */
+ case SSH_KEYTYPE_DSS_CERT01: /* deprecated */
case SSH_KEYTYPE_RSA_CERT01:
case SSH_KEYTYPE_ECDSA:
case SSH_KEYTYPE_ECDSA_P256_CERT01:
@@ -1603,66 +1406,6 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
}
switch (key->type) {
- case SSH_KEYTYPE_DSS:
- p = ssh_sexp_extract_mpi(key->dsa,
- "p",
- GCRYMPI_FMT_USG,
- GCRYMPI_FMT_STD);
- if (p == NULL) {
- goto fail;
- }
-
- q = ssh_sexp_extract_mpi(key->dsa,
- "q",
- GCRYMPI_FMT_USG,
- GCRYMPI_FMT_STD);
- if (q == NULL) {
- goto fail;
- }
-
- g = ssh_sexp_extract_mpi(key->dsa,
- "g",
- GCRYMPI_FMT_USG,
- GCRYMPI_FMT_STD);
- if (g == NULL) {
- goto fail;
- }
-
- n = ssh_sexp_extract_mpi(key->dsa,
- "y",
- GCRYMPI_FMT_USG,
- GCRYMPI_FMT_STD);
- if (n == NULL) {
- goto fail;
- }
-
- rc = ssh_buffer_add_ssh_string(buffer, p);
- if (rc < 0) {
- goto fail;
- }
- rc = ssh_buffer_add_ssh_string(buffer, q);
- if (rc < 0) {
- goto fail;
- }
- rc = ssh_buffer_add_ssh_string(buffer, g);
- if (rc < 0) {
- goto fail;
- }
- rc = ssh_buffer_add_ssh_string(buffer, n);
- if (rc < 0) {
- goto fail;
- }
-
- ssh_string_burn(p);
- SSH_STRING_FREE(p);
- ssh_string_burn(g);
- SSH_STRING_FREE(g);
- ssh_string_burn(q);
- SSH_STRING_FREE(q);
- ssh_string_burn(n);
- SSH_STRING_FREE(n);
-
- break;
case SSH_KEYTYPE_RSA:
e = ssh_sexp_extract_mpi(key->rsa,
"e",
@@ -1787,13 +1530,7 @@ fail:
ssh_string pki_signature_to_blob(const ssh_signature sig)
{
- char buffer[40] = { 0 };
-
- const char *r = NULL;
- size_t r_len, r_offset_in, r_offset_out;
-
- const char *s = NULL;
- size_t s_len, s_offset_in, s_offset_out;
+ const char *s = NULL; /* used in RSA */
gcry_sexp_t sexp;
size_t size = 0;
@@ -1801,57 +1538,6 @@ ssh_string pki_signature_to_blob(const ssh_signature sig)
int rc;
switch(sig->type) {
- case SSH_KEYTYPE_DSS:
- sexp = gcry_sexp_find_token(sig->dsa_sig, "r", 0);
- if (sexp == NULL) {
- return NULL;
- }
- r = gcry_sexp_nth_data(sexp, 1, &size);
- /* libgcrypt put 0 when first bit is set */
- if (*r == 0) {
- size--;
- r++;
- }
-
- r_len = size;
- r_offset_in = (r_len > 20) ? (r_len - 20) : 0;
- r_offset_out = (r_len < 20) ? (20 - r_len) : 0;
- memcpy(buffer + r_offset_out,
- r + r_offset_in,
- r_len - r_offset_in);
-
- gcry_sexp_release(sexp);
-
- sexp = gcry_sexp_find_token(sig->dsa_sig, "s", 0);
- if (sexp == NULL) {
- return NULL;
- }
- s = gcry_sexp_nth_data(sexp,1,&size);
- if (*s == 0) {
- size--;
- s++;
- }
-
- s_len = size;
- s_offset_in = (s_len > 20) ? (s_len - 20) : 0;
- s_offset_out = (s_len < 20) ? (20 - s_len) : 0;
- memcpy(buffer + 20 + s_offset_out,
- s + s_offset_in,
- s_len - s_offset_in);
-
- gcry_sexp_release(sexp);
-
- sig_blob = ssh_string_new(40);
- if (sig_blob == NULL) {
- return NULL;
- }
-
- rc = ssh_string_fill(sig_blob, buffer, 40);
- if (rc < 0) {
- SSH_STRING_FREE(sig_blob);
- return NULL;
- }
- break;
case SSH_KEYTYPE_RSA:
sexp = gcry_sexp_find_token(sig->rsa_sig, "s", 0);
if (sexp == NULL) {
@@ -1977,35 +1663,6 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey,
len = ssh_string_len(sig_blob);
switch(type) {
- case SSH_KEYTYPE_DSS:
- /* 40 is the dual signature blob len. */
- if (len != 40) {
- SSH_LOG(SSH_LOG_TRACE,
- "Signature has wrong size: %lu",
- (unsigned long)len);
- ssh_signature_free(sig);
- return NULL;
- }
-
-#ifdef DEBUG_CRYPTO
- SSH_LOG(SSH_LOG_DEBUG,
- "DSA signature len: %lu",
- (unsigned long)len);
- ssh_log_hexdump("DSA signature", ssh_string_data(sig_blob), len);
-#endif
-
- err = gcry_sexp_build(&sig->dsa_sig,
- NULL,
- "(sig-val(dsa(r %b)(s %b)))",
- 20,
- ssh_string_data(sig_blob),
- 20,
- (unsigned char *)ssh_string_data(sig_blob) + 20);
- if (err) {
- ssh_signature_free(sig);
- return NULL;
- }
- break;
case SSH_KEYTYPE_RSA:
rsalen = (gcry_pk_get_nbits(pubkey->rsa) + 7) / 8;
@@ -2141,7 +1798,6 @@ ssh_signature pki_do_sign_hash(const ssh_key privkey,
size_t hlen,
enum ssh_digest_e hash_type)
{
- unsigned char ghash[hlen + 1];
const char *hash_c = NULL;
ssh_signature sig;
gcry_sexp_t sexp;
@@ -2155,28 +1811,6 @@ ssh_signature pki_do_sign_hash(const ssh_key privkey,
sig->type_c = ssh_key_signature_to_char(privkey->type, hash_type);
sig->hash_type = hash_type;
switch (privkey->type) {
- case SSH_KEYTYPE_DSS:
- /* That is to mark the number as positive */
- if(hash[0] >= 0x80) {
- memcpy(ghash + 1, hash, hlen);
- ghash[0] = 0;
- hash = ghash;
- hlen += 1;
- }
-
- err = gcry_sexp_build(&sexp, NULL, "%b", hlen, hash);
- if (err) {
- ssh_signature_free(sig);
- return NULL;
- }
-
- err = gcry_pk_sign(&sig->dsa_sig, sexp, privkey->dsa);
- gcry_sexp_release(sexp);
- if (err) {
- ssh_signature_free(sig);
- return NULL;
- }
- break;
case SSH_KEYTYPE_RSA:
switch (hash_type) {
case SSH_DIGEST_SHA1:
@@ -2409,32 +2043,6 @@ int pki_verify_data_signature(ssh_signature signature,
}
switch(pubkey->type) {
- case SSH_KEYTYPE_DSS:
- case SSH_KEYTYPE_DSS_CERT01:
- /* That is to mark the number as positive */
- if(hash[0] >= 0x80) {
- hash = ghash;
- hlen += 1;
- }
-
- err = gcry_sexp_build(&sexp, NULL, "%b", hlen, hash);
- if (err) {
- SSH_LOG(SSH_LOG_TRACE,
- "DSA hash error: %s", gcry_strerror(err));
- return SSH_ERROR;
- }
- err = gcry_pk_verify(signature->dsa_sig, sexp, pubkey->dsa);
- gcry_sexp_release(sexp);
- if (err) {
- SSH_LOG(SSH_LOG_TRACE, "Invalid DSA signature");
- if (gcry_err_code(err) != GPG_ERR_BAD_SIGNATURE) {
- SSH_LOG(SSH_LOG_TRACE,
- "DSA verify error: %s",
- gcry_strerror(err));
- }
- return SSH_ERROR;
- }
- break;
case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA_CERT01:
err = gcry_sexp_build(&sexp,
@@ -2515,9 +2123,6 @@ int pki_verify_data_signature(ssh_signature signature,
int ssh_key_size(ssh_key key)
{
switch (key->type) {
- case SSH_KEYTYPE_DSS:
- case SSH_KEYTYPE_DSS_CERT01:
- return gcry_pk_get_nbits(key->dsa);
case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA_CERT01:
case SSH_KEYTYPE_RSA1:
@@ -2537,6 +2142,8 @@ int ssh_key_size(ssh_key key)
case SSH_KEYTYPE_SK_ED25519_CERT01:
/* ed25519 keys have fixed size */
return 255;
+ case SSH_KEYTYPE_DSS: /* deprecated */
+ case SSH_KEYTYPE_DSS_CERT01: /* deprecated */
case SSH_KEYTYPE_UNKNOWN:
default:
return SSH_ERROR;
diff --git a/src/pki_mbedcrypto.c b/src/pki_mbedcrypto.c
index 278ba3a2..86717ca7 100644
--- a/src/pki_mbedcrypto.c
+++ b/src/pki_mbedcrypto.c
@@ -1874,36 +1874,6 @@ int pki_key_generate_ecdsa(ssh_key key, int parameter)
return SSH_OK;
}
-int pki_privkey_build_dss(ssh_key key, ssh_string p, ssh_string q, ssh_string g,
- ssh_string pubkey, ssh_string privkey)
-{
- (void) key;
- (void) p;
- (void) q;
- (void) g;
- (void) pubkey;
- (void) privkey;
- return SSH_ERROR;
-}
-
-int pki_pubkey_build_dss(ssh_key key, ssh_string p, ssh_string q, ssh_string g,
- ssh_string pubkey)
-{
- (void) key;
- (void) p;
- (void) q;
- (void) g;
- (void) pubkey;
- return SSH_ERROR;
-}
-
-int pki_key_generate_dss(ssh_key key, int parameter)
-{
- (void) key;
- (void) parameter;
- return SSH_ERROR;
-}
-
int ssh_key_size(ssh_key key)
{
switch (key->type) {
@@ -1928,8 +1898,8 @@ int ssh_key_size(ssh_key key)
case SSH_KEYTYPE_SK_ED25519_CERT01:
/* ed25519 keys have fixed size */
return 255;
- case SSH_KEYTYPE_DSS:
- case SSH_KEYTYPE_DSS_CERT01:
+ case SSH_KEYTYPE_DSS: /* deprecated */
+ case SSH_KEYTYPE_DSS_CERT01: /* deprecated */
case SSH_KEYTYPE_UNKNOWN:
default:
return SSH_ERROR;
diff --git a/src/server.c b/src/server.c
index 9ed2b0c8..2a879967 100644
--- a/src/server.c
+++ b/src/server.c
@@ -112,15 +112,6 @@ int server_set_kex(ssh_session session)
snprintf(hostkeys + len, sizeof(hostkeys) - len,
",%s", session->srv.ecdsa_key->type_c);
}
-#endif
-#ifdef HAVE_DSA
- if (session->srv.dsa_key != NULL) {
- len = strlen(hostkeys);
- keytype = ssh_key_type(session->srv.dsa_key);
-
- snprintf(hostkeys + len, sizeof(hostkeys) - len,
- ",%s", ssh_key_type_to_char(keytype));
- }
#endif
if (session->srv.rsa_key != NULL) {
/* We support also the SHA2 variants */
@@ -282,9 +273,6 @@ ssh_get_key_params(ssh_session session,
int rc;
switch(session->srv.hostkey) {
- case SSH_KEYTYPE_DSS:
- *privkey = session->srv.dsa_key;
- break;
case SSH_KEYTYPE_RSA:
*privkey = session->srv.rsa_key;
break;
diff --git a/src/session.c b/src/session.c
index ee803df3..e70edfe0 100644
--- a/src/session.c
+++ b/src/session.c
@@ -156,17 +156,6 @@ ssh_session ssh_new(void)
goto err;
}
-#ifdef HAVE_DSA
- id = strdup("%d/id_dsa");
- if (id == NULL) {
- goto err;
- }
- rc = ssh_list_append(session->opts.identity_non_exp, id);
- if (rc == SSH_ERROR) {
- goto err;
- }
-#endif
-
/* Explicitly initialize states */
session->session_state = SSH_SESSION_STATE_NONE;
session->pending_call_state = SSH_PENDING_CALL_NONE;
@@ -251,8 +240,6 @@ void ssh_free(ssh_session session)
ssh_agent_free(session->agent);
#endif /* _WIN32 */
- ssh_key_free(session->srv.dsa_key);
- session->srv.dsa_key = NULL;
ssh_key_free(session->srv.rsa_key);
session->srv.rsa_key = NULL;
ssh_key_free(session->srv.ecdsa_key);
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 76c023e9..1eab175c 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -99,7 +99,7 @@ if (SSH_EXECUTABLE)
set(OPENSSH_CIPHERS "aes128-ctr\naes192-ctr\naes256-ctr\narcfour256\narcfour128\naes128-gcm@openssh.com\naes256-gcm@openssh.com\naes128-cbc\n3des-cbc\nblowfish-cbc\ncast128-cbc\naes192-cbc\naes256-cbc\narcfour\nrijndael-cbc@lysator.liu.se\n")
set(OPENSSH_MACS "hmac-md5-etm@openssh.com\nhmac-sha1-etm@openssh.com\numac-64-etm@openssh.com\numac-128-etm@openssh.com\nhmac-sha2-256-etm@openssh.com\nhmac-sha2-512-etm@openssh.com\nhmac-ripemd160-etm@openssh.com\nhmac-sha1-96-etm@openssh.com\nhmac-md5-96-etm@openssh.com\nhmac-md5\nhmac-sha1\numac-64@openssh.com\numac-128@openssh.com\nhmac-sha2-256\nhmac-sha2-512\nhmac-ripemd160\nhmac-ripemd160@openssh.com\nhmac-sha1-96\nhmac-md5-96\n")
set(OPENSSH_KEX "ecdh-sha2-nistp256\necdh-sha2-nistp384\necdh-sha2-nistp521\ndiffie-hellman-group-exchange-sha256\ndiffie-hellman-group-exchange-sha1\ndiffie-hellman-group14-sha1\ndiffie-hellman-group1-sha1\n")
- set(OPENSSH_KEYS "ssh-rsa\nssh-dss\necdsa-sha2-nistp256\n")
+ set(OPENSSH_KEYS "ssh-rsa\necdsa-sha2-nistp256\n")
else()
execute_process(COMMAND ${SSH_EXECUTABLE} -Q cipher OUTPUT_VARIABLE OPENSSH_CIPHERS)
execute_process(COMMAND ${SSH_EXECUTABLE} -Q mac OUTPUT_VARIABLE OPENSSH_MACS)
@@ -126,9 +126,9 @@ if (SSH_EXECUTABLE)
diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521
curve25519-sha256 curve25519-sha256@libssh.org
- ssh-ed25519 ssh-ed25519-cert-v01@openssh.com ssh-rsa ssh-dss
+ ssh-ed25519 ssh-ed25519-cert-v01@openssh.com ssh-rsa
ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521
- ssh-rsa-cert-v01@openssh.com ssh-dss-cert-v01@openssh.com
+ ssh-rsa-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
)
diff --git a/tests/client/torture_hostkey.c b/tests/client/torture_hostkey.c
index 574a8400..88b657b6 100644
--- a/tests/client/torture_hostkey.c
+++ b/tests/client/torture_hostkey.c
@@ -127,30 +127,6 @@ static void torture_hostkey_ed25519(void **state) {
assert_ssh_return_code(session, rc);
}
-#ifdef HAVE_DSA
-static void torture_hostkey_dss(void **state) {
- struct torture_state *s = *state;
- ssh_session session = s->ssh.session;
- char rsa[] = "ssh-dss";
-
- int rc;
-
- if (ssh_fips_mode()) {
- skip();
- }
-
- rc = ssh_options_set(session, SSH_OPTIONS_HOSTKEYS, &rsa);
- assert_ssh_return_code(session, rc);
-
- rc = ssh_connect(session);
- assert_ssh_return_code(session, rc);
- ssh_disconnect(session);
-
- rc = ssh_connect(session);
- assert_ssh_return_code(session, rc);
-}
-#endif /* HAVE_DSA */
-
#ifdef HAVE_ECC
static void torture_hostkey_ecdsa(void **state) {
struct torture_state *s = *state;
@@ -220,10 +196,6 @@ int torture_run_tests(void) {
#ifdef HAVE_ECC
cmocka_unit_test_setup_teardown(torture_hostkey_ecdsa, session_setup,
session_teardown),
-#endif
-#ifdef HAVE_DSA
- cmocka_unit_test_setup_teardown(torture_hostkey_dss, session_setup,
- session_teardown),
#endif
/* the client is able to handle SHA2 extension (if negotiated) */
cmocka_unit_test_setup_teardown(torture_hostkey_rsa_sha256,
diff --git a/tests/keys/ssh_host_dsa_key b/tests/keys/ssh_host_dsa_key
deleted file mode 100644
index 9ee8bd86..00000000
--- a/tests/keys/ssh_host_dsa_key
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN DSA PRIVATE KEY-----
-MIIBuwIBAAKBgQD7vBS+d/eJP6wK2VQw+8AIfgCw9IR50utLRkkrWbfDdiM7V+fp
-tJYKCyqZT9j9ANhqicB2tuqAI6WJBZMaGekxWfI30JxPkHZrrwbdFzlRbjav07lg
-IKqWgcz81iVPmfn5savEoobiSFjJNMmYcizjKZgGmyNUzlJjzF7u5qD08wIVAPFp
-6VKuv8VxNjENciUZCdEDRW/lAoGBAN/BFSBRSP9frsHID6e2NeKHqs8JDUWhCTE9
-/WQKqUUbxO2UU98CfHuf1mNlaSsrOxaBdvTeURcZZc1svhyGr1VG+NbNTDDlzTgA
-UlrzNML61TYcFXQVxgifUy+Tmh8FRGCa6Ko/EsX4ZWLTto5w1u5cPpgzSbLMco9T
-AeeNLgYNAoGAJRuawWN3+NezI7+bBe42Kjg4gVUlpS+8TTlYFbwrM1Esab7gvxHB
-/b2apbk9xIAkkqsnb+EPrXTLUdE2Y7XkEuGLLSTus2UlZKobBGBX/Ioysg5W9Fk/
-2MhI4YssRb2alar8d+gmAHPaT+D+NDd90PBfY3HqcXFEK+eDTWo1JNICFBLdsuoO
-6pObeFSOYbr38kJzZ0xG
------END DSA PRIVATE KEY-----
diff --git a/tests/keys/ssh_host_dsa_key.pub b/tests/keys/ssh_host_dsa_key.pub
deleted file mode 100644
index 5fcb413d..00000000
--- a/tests/keys/ssh_host_dsa_key.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-dss AAAAB3NzaC1kc3MAAACBAPu8FL5394k/rArZVDD7wAh+ALD0hHnS60tGSStZt8N2IztX5+m0lgoLKplP2P0A2GqJwHa26oAjpYkFkxoZ6TFZ8jfQnE+QdmuvBt0XOVFuNq/TuWAgqpaBzPzWJU+Z+fmxq8SihuJIWMk0yZhyLOMpmAabI1TOUmPMXu7moPTzAAAAFQDxaelSrr/FcTYxDXIlGQnRA0Vv5QAAAIEA38EVIFFI/1+uwcgPp7Y14oeqzwkNRaEJMT39ZAqpRRvE7ZRT3wJ8e5/WY2VpKys7FoF29N5RFxllzWy+HIavVUb41s1MMOXNOABSWvM0wvrVNhwVdBXGCJ9TL5OaHwVEYJroqj8SxfhlYtO2jnDW7lw+mDNJssxyj1MB540uBg0AAACAJRuawWN3+NezI7+bBe42Kjg4gVUlpS+8TTlYFbwrM1Esab7gvxHB/b2apbk9xIAkkqsnb+EPrXTLUdE2Y7XkEuGLLSTus2UlZKobBGBX/Ioysg5W9Fk/2MhI4YssRb2alar8d+gmAHPaT+D+NDd90PBfY3HqcXFEK+eDTWo1JNI= asn@magrathea
diff --git a/tests/pkd/pkd_daemon.c b/tests/pkd/pkd_daemon.c
index 70f441b2..a0295457 100644
--- a/tests/pkd/pkd_daemon.c
+++ b/tests/pkd/pkd_daemon.c
@@ -267,10 +267,6 @@ static int pkd_exec_hello(int fd, struct pkd_daemon_args *args)
opts = SSH_BIND_OPTIONS_RSAKEY;
} else if (type == PKD_ED25519) {
opts = SSH_BIND_OPTIONS_HOSTKEY;
-#ifdef HAVE_DSA
- } else if (type == PKD_DSA) {
- opts = SSH_BIND_OPTIONS_DSAKEY;
-#endif
} else if (type == PKD_ECDSA) {
opts = SSH_BIND_OPTIONS_ECDSAKEY;
} else {
diff --git a/tests/pkd/pkd_daemon.h b/tests/pkd/pkd_daemon.h
index 7470f67c..2745f11a 100644
--- a/tests/pkd/pkd_daemon.h
+++ b/tests/pkd/pkd_daemon.h
@@ -12,9 +12,6 @@
enum pkd_hostkey_type_e {
PKD_RSA,
-#ifdef HAVE_DSA
- PKD_DSA,
-#endif
PKD_ED25519,
PKD_ECDSA
};
diff --git a/tests/pkd/pkd_hello.c b/tests/pkd/pkd_hello.c
index fad4a397..1df087ae 100644
--- a/tests/pkd/pkd_hello.c
+++ b/tests/pkd/pkd_hello.c
@@ -183,15 +183,6 @@ static int torture_pkd_setup_ed25519(void **state) {
return 0;
}
-#ifdef HAVE_DSA
-static int torture_pkd_setup_dsa(void **state) {
- setup_dsa_key();
- *state = (void *) torture_pkd_setup(PKD_DSA, LIBSSH_DSA_TESTKEY);
-
- return 0;
-}
-#endif
-
static int torture_pkd_setup_ecdsa_256(void **state) {
setup_ecdsa_keys();
*state = (void *) torture_pkd_setup(PKD_ECDSA, LIBSSH_ECDSA_256_TESTKEY);
@@ -223,16 +214,9 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
f(client, ecdsa_384_default, cmd, setup_ecdsa_384, teardown) \
f(client, ecdsa_521_default, cmd, setup_ecdsa_521, teardown)
-#ifdef HAVE_DSA
-#define PKDTESTS_DEFAULT(f, client, cmd) \
- /* Default passes by server key type. */ \
- PKDTESTS_DEFAULT_FIPS(f, client, cmd) \
- f(client, dsa_default, cmd, setup_dsa, teardown)
-#else
#define PKDTESTS_DEFAULT(f, client, cmd) \
/* Default passes by server key type. */ \
PKDTESTS_DEFAULT_FIPS(f, client, cmd)
-#endif
#define PKDTESTS_DEFAULT_OPENSSHONLY(f, client, cmd) \
/* Default passes by server key type. */ \
@@ -314,44 +298,7 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
f(client, ecdsa_521_diffie_hellman_group14_sha1, kexcmd("diffie-hellman-group14-sha1"), setup_ecdsa_521, teardown) \
f(client, ecdsa_521_diffie_hellman_group1_sha1, kexcmd("diffie-hellman-group1-sha1"), setup_ecdsa_521, teardown)
-#if defined(HAVE_DSA) && defined(WITH_GEX)
- /* GEX_SHA256 with RSA and ECDSA is included in PKDTESTS_KEX_FIPS if available */
-#define PKDTESTS_KEX(f, client, kexcmd) \
- /* Kex algorithms. */ \
- PKDTESTS_KEX_COMMON(f, client, kexcmd) \
- f(client, rsa_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_rsa, teardown) \
- f(client, dsa_curve25519_sha256, kexcmd("curve25519-sha256"), setup_dsa, teardown) \
- f(client, dsa_curve25519_sha256_libssh_org, kexcmd("curve25519-sha256@libssh.org"), setup_dsa, teardown) \
- f(client, dsa_ecdh_sha2_nistp256, kexcmd("ecdh-sha2-nistp256 "), setup_dsa, teardown) \
- f(client, dsa_ecdh_sha2_nistp384, kexcmd("ecdh-sha2-nistp384 "), setup_dsa, teardown) \
- f(client, dsa_ecdh_sha2_nistp521, kexcmd("ecdh-sha2-nistp521 "), setup_dsa, teardown) \
- f(client, dsa_diffie_hellman_group16_sha512, kexcmd("diffie-hellman-group16-sha512"), setup_dsa, teardown) \
- f(client, dsa_diffie_hellman_group18_sha512, kexcmd("diffie-hellman-group18-sha512"), setup_dsa, teardown) \
- f(client, dsa_diffie_hellman_group14_sha1, kexcmd("diffie-hellman-group14-sha1"), setup_dsa, teardown) \
- f(client, dsa_diffie_hellman_group14_sha256, kexcmd("diffie-hellman-group14-sha256"), setup_dsa, teardown) \
- f(client, dsa_diffie_hellman_group1_sha1, kexcmd("diffie-hellman-group1-sha1"), setup_dsa, teardown) \
- f(client, dsa_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256), setup_dsa, teardown) \
- f(client, dsa_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_dsa, teardown) \
- f(client, ecdsa_256_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_ecdsa_256, teardown) \
- f(client, ecdsa_384_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_ecdsa_384, teardown) \
- f(client, ecdsa_521_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_ecdsa_521, teardown)
-
-#elif defined(HAVE_DSA) /* && !defined(WITH_GEX) */
-#define PKDTESTS_KEX(f, client, kexcmd) \
- /* Kex algorithms. */ \
- PKDTESTS_KEX_COMMON(f, client, kexcmd) \
- f(client, dsa_curve25519_sha256, kexcmd("curve25519-sha256"), setup_dsa, teardown) \
- f(client, dsa_curve25519_sha256_libssh_org, kexcmd("curve25519-sha256@libssh.org"), setup_dsa, teardown) \
- f(client, dsa_ecdh_sha2_nistp256, kexcmd("ecdh-sha2-nistp256 "), setup_dsa, teardown) \
- f(client, dsa_ecdh_sha2_nistp384, kexcmd("ecdh-sha2-nistp384 "), setup_dsa, teardown) \
- f(client, dsa_ecdh_sha2_nistp521, kexcmd("ecdh-sha2-nistp521 "), setup_dsa, teardown) \
- f(client, dsa_diffie_hellman_group16_sha512, kexcmd("diffie-hellman-group16-sha512"), setup_dsa, teardown) \
- f(client, dsa_diffie_hellman_group18_sha512, kexcmd("diffie-hellman-group18-sha512"), setup_dsa, teardown) \
- f(client, dsa_diffie_hellman_group14_sha1, kexcmd("diffie-hellman-group14-sha1"), setup_dsa, teardown) \
- f(client, dsa_diffie_hellman_group14_sha256, kexcmd("diffie-hellman-group14-sha256"), setup_dsa, teardown) \
- f(client, dsa_diffie_hellman_group1_sha1, kexcmd("diffie-hellman-group1-sha1"), setup_dsa, teardown)
-
-#elif defined(WITH_GEX) /* && !defined(HAVE_DSA) */
+#if defined(WITH_GEX)
/* GEX_SHA256 is included in PKDTESTS_KEX_FIPS if available */
#define PKDTESTS_KEX(f, client, kexcmd) \
/* Kex algorithms. */ \
@@ -397,7 +344,6 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
f(client, ed25519_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_ed25519, teardown)
#endif
-
#define PKDTESTS_CIPHER_COMMON(f, client, ciphercmd) \
f(client, rsa_aes128_ctr, ciphercmd("aes128-ctr"), setup_rsa, teardown) \
f(client, rsa_aes256_ctr, ciphercmd("aes256-ctr"), setup_rsa, teardown) \
@@ -445,7 +391,6 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
f(client, ecdsa_521_aes128_gcm, ciphercmd(AES128_GCM), setup_ecdsa_521, teardown) \
f(client, ecdsa_521_aes256_gcm, ciphercmd(AES256_GCM), setup_ecdsa_521, teardown)
-#ifdef HAVE_DSA
#define PKDTESTS_CIPHER_OPENSSHONLY(f, client, ciphercmd) \
/* Ciphers. */ \
PKDTESTS_CIPHER_OPENSSHONLY_FIPS(f, client, ciphercmd) \
@@ -455,14 +400,6 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
f(client, rsa_aes256_cbc, ciphercmd("aes256-cbc"), setup_rsa, teardown) \
f(client, rsa_aes192_ctr, ciphercmd("aes192-ctr"), setup_rsa, teardown) \
f(client, rsa_chacha20, ciphercmd(CHACHA20), setup_rsa, teardown) \
- f(client, dsa_3des_cbc, ciphercmd("3des-cbc"), setup_dsa, teardown) \
- f(client, dsa_aes128_cbc, ciphercmd("aes128-cbc"), setup_dsa, teardown) \
- f(client, dsa_aes192_cbc, ciphercmd("aes192-cbc"), setup_dsa, teardown) \
- f(client, dsa_aes256_cbc, ciphercmd("aes256-cbc"), setup_dsa, teardown) \
- f(client, dsa_aes192_ctr, ciphercmd("aes192-ctr"), setup_dsa, teardown) \
- f(client, dsa_chacha20, ciphercmd(CHACHA20), setup_dsa, teardown) \
- f(client, dsa_aes128_gcm, ciphercmd(AES128_GCM), setup_dsa, teardown) \
- f(client, dsa_aes256_gcm, ciphercmd(AES256_GCM), setup_dsa, teardown) \
f(client, ed25519_3des_cbc, ciphercmd("3des-cbc"), setup_ed25519, teardown) \
f(client, ed25519_aes128_cbc, ciphercmd("aes128-cbc"), setup_ed25519, teardown) \
f(client, ed25519_aes128_ctr, ciphercmd("aes128-ctr"), setup_ed25519, teardown) \
@@ -491,43 +428,6 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
f(client, ecdsa_521_aes256_cbc, ciphercmd("aes256-cbc"), setup_ecdsa_521, teardown) \
f(client, ecdsa_521_aes192_ctr, ciphercmd("aes192-ctr"), setup_ecdsa_521, teardown) \
f(client, ecdsa_521_chacha20, ciphercmd(CHACHA20), setup_ecdsa_521, teardown)
-#else
-#define PKDTESTS_CIPHER_OPENSSHONLY(f, client, ciphercmd) \
- /* Ciphers. */ \
- PKDTESTS_CIPHER_OPENSSHONLY_FIPS(f, client, ciphercmd) \
- f(client, rsa_3des_cbc, ciphercmd("3des-cbc"), setup_rsa, teardown) \
- f(client, rsa_aes128_cbc, ciphercmd("aes128-cbc"), setup_rsa, teardown) \
- f(client, rsa_aes192_cbc, ciphercmd("aes192-cbc"), setup_rsa, teardown) \
- f(client, rsa_aes256_cbc, ciphercmd("aes256-cbc"), setup_rsa, teardown) \
- f(client, rsa_aes192_ctr, ciphercmd("aes192-ctr"), setup_rsa, teardown) \
- f(client, rsa_chacha20, ciphercmd(CHACHA20), setup_rsa, teardown) \
- f(client, ed25519_3des_cbc, ciphercmd("3des-cbc"), setup_ed25519, teardown) \
- f(client, ed25519_aes128_cbc, ciphercmd("aes128-cbc"), setup_ed25519, teardown) \
- f(client, ed25519_aes128_ctr, ciphercmd("aes128-ctr"), setup_ed25519, teardown) \
- f(client, ed25519_aes256_cbc, ciphercmd("aes256-cbc"), setup_ed25519, teardown) \
- f(client, ed25519_aes256_ctr, ciphercmd("aes256-ctr"), setup_ed25519, teardown) \
- f(client, ed25519_aes192_cbc, ciphercmd("aes192-cbc"), setup_ed25519, teardown) \
- f(client, ed25519_aes192_ctr, ciphercmd("aes192-ctr"), setup_ed25519, teardown) \
- f(client, ed25519_chacha20, ciphercmd(CHACHA20), setup_ed25519, teardown) \
- f(client, ecdsa_256_3des_cbc, ciphercmd("3des-cbc"), setup_ecdsa_256, teardown) \
- f(client, ecdsa_256_aes128_cbc, ciphercmd("aes128-cbc"), setup_ecdsa_256, teardown) \
- f(client, ecdsa_256_aes192_cbc, ciphercmd("aes192-cbc"), setup_ecdsa_256, teardown) \
- f(client, ecdsa_256_aes256_cbc, ciphercmd("aes256-cbc"), setup_ecdsa_256, teardown) \
- f(client, ecdsa_256_aes192_ctr, ciphercmd("aes192-ctr"), setup_ecdsa_256, teardown) \
- f(client, ecdsa_256_chacha20, ciphercmd(CHACHA20), setup_ecdsa_256, teardown) \
- f(client, ecdsa_384_3des_cbc, ciphercmd("3des-cbc"), setup_ecdsa_384, teardown) \
- f(client, ecdsa_384_aes128_cbc, ciphercmd("aes128-cbc"), setup_ecdsa_384, teardown) \
- f(client, ecdsa_384_aes192_cbc, ciphercmd("aes192-cbc"), setup_ecdsa_384, teardown) \
- f(client, ecdsa_384_aes256_cbc, ciphercmd("aes256-cbc"), setup_ecdsa_384, teardown) \
- f(client, ecdsa_384_aes192_ctr, ciphercmd("aes192-ctr"), setup_ecdsa_384, teardown) \
- f(client, ecdsa_384_chacha20, ciphercmd(CHACHA20), setup_ecdsa_384, teardown) \
- f(client, ecdsa_521_3des_cbc, ciphercmd("3des-cbc"), setup_ecdsa_521, teardown) \
- f(client, ecdsa_521_aes128_cbc, ciphercmd("aes128-cbc"), setup_ecdsa_521, teardown) \
- f(client, ecdsa_521_aes192_cbc, ciphercmd("aes192-cbc"), setup_ecdsa_521, teardown) \
- f(client, ecdsa_521_aes256_cbc, ciphercmd("aes256-cbc"), setup_ecdsa_521, teardown) \
- f(client, ecdsa_521_aes192_ctr, ciphercmd("aes192-ctr"), setup_ecdsa_521, teardown) \
- f(client, ecdsa_521_chacha20, ciphercmd(CHACHA20), setup_ecdsa_521, teardown)
-#endif
#define PKDTESTS_MAC_FIPS(f, client, maccmd) \
@@ -558,25 +458,6 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
f(client, rsa_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_rsa, teardown) \
f(client, rsa_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_rsa, teardown)
-#ifdef HAVE_DSA
-#define PKDTESTS_MAC(f, client, maccmd) \
- /* MACs. */ \
- PKDTESTS_MAC_FIPS(f, client, maccmd) \
- f(client, dsa_hmac_sha1, maccmd("hmac-sha1"), setup_dsa, teardown) \
- f(client, dsa_hmac_sha2_256, maccmd("hmac-sha2-256"), setup_dsa, teardown)
-#define PKDTESTS_MAC_OPENSSHONLY(f, client, maccmd) \
- PKDTESTS_MAC_OPENSSHONLY_FIPS(f, client, maccmd) \
- f(client, dsa_hmac_sha1_etm, maccmd("hmac-sha1-etm@openssh.com"), setup_dsa, teardown) \
- f(client, dsa_hmac_sha2_256_etm, maccmd("hmac-sha2-256-etm@openssh.com"), setup_dsa, teardown) \
- f(client, dsa_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_dsa, teardown) \
- f(client, dsa_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_dsa, teardown) \
- f(client, ed25519_hmac_sha1, maccmd("hmac-sha1"), setup_ed25519, teardown) \
- f(client, ed25519_hmac_sha1_etm, maccmd("hmac-sha1-etm@openssh.com"), setup_ed25519, teardown) \
- f(client, ed25519_hmac_sha2_256, maccmd("hmac-sha2-256"), setup_ed25519, teardown) \
- f(client, ed25519_hmac_sha2_256_etm, maccmd("hmac-sha2-256-etm@openssh.com"), setup_ed25519, teardown) \
- f(client, ed25519_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_ed25519, teardown) \
- f(client, ed25519_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_ed25519, teardown)
-#else
#define PKDTESTS_MAC(f, client, maccmd) \
/* MACs. */ \
PKDTESTS_MAC_FIPS(f, client, maccmd)
@@ -588,7 +469,6 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
f(client, ed25519_hmac_sha2_256_etm, maccmd("hmac-sha2-256-etm@openssh.com"), setup_ed25519, teardown) \
f(client, ed25519_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_ed25519, teardown) \
f(client, ed25519_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_ed25519, teardown)
-#endif
#define PKDTESTS_HOSTKEY_OPENSSHONLY_FIPS(f, client, hkcmd) \
@@ -644,21 +524,6 @@ static void torture_pkd_runtest(const char *testname,
/*
* Actual test functions are emitted here.
*/
-
-#ifdef HAVE_DSA
-#define CLIENT_ID_FILE OPENSSH_DSA_TESTKEY
-PKDTESTS_DEFAULT(emit_keytest, openssh_dsa, OPENSSH_CMD)
-PKDTESTS_DEFAULT(emit_keytest, openssh_cert_dsa, OPENSSH_CERT_CMD)
-PKDTESTS_DEFAULT_OPENSSHONLY(emit_keytest, openssh_dsa, OPENSSH_CMD)
-PKDTESTS_KEX(emit_keytest, openssh_dsa, OPENSSH_KEX_CMD)
-PKDTESTS_KEX_OPENSSHONLY(emit_keytest, openssh_dsa, OPENSSH_KEX_CMD)
-PKDTESTS_CIPHER(emit_keytest, openssh_dsa, OPENSSH_CIPHER_CMD)
-PKDTESTS_CIPHER_OPENSSHONLY(emit_keytest, openssh_dsa, OPENSSH_CIPHER_CMD)
-PKDTESTS_MAC(emit_keytest, openssh_dsa, OPENSSH_MAC_CMD)
-PKDTESTS_MAC_OPENSSHONLY(emit_keytest, openssh_dsa, OPENSSH_MAC_CMD)
-#undef CLIENT_ID_FILE
-#endif
-
#define CLIENT_ID_FILE OPENSSH_RSA_TESTKEY
PKDTESTS_DEFAULT(emit_keytest, openssh_rsa, OPENSSH_CMD)
PKDTESTS_DEFAULT(emit_keytest, openssh_cert_rsa, OPENSSH_CERT_CMD)
@@ -730,17 +595,6 @@ struct {
const struct CMUnitTest test;
} testmap[] = {
/* OpenSSH */
-#ifdef HAVE_DSA
- PKDTESTS_DEFAULT(emit_testmap, openssh_dsa, OPENSSH_CMD)
- PKDTESTS_DEFAULT(emit_testmap, openssh_cert_dsa, OPENSSH_CERT_CMD)
- PKDTESTS_DEFAULT_OPENSSHONLY(emit_testmap, openssh_dsa, OPENSSH_CMD)
- PKDTESTS_KEX(emit_testmap, openssh_dsa, OPENSSH_KEX_CMD)
- PKDTESTS_KEX_OPENSSHONLY(emit_testmap, openssh_dsa, OPENSSH_KEX_CMD)
- PKDTESTS_CIPHER(emit_testmap, openssh_dsa, OPENSSH_CIPHER_CMD)
- PKDTESTS_CIPHER_OPENSSHONLY(emit_testmap, openssh_dsa, OPENSSH_CIPHER_CMD)
- PKDTESTS_MAC(emit_testmap, openssh_dsa, OPENSSH_MAC_CMD)
- PKDTESTS_MAC_OPENSSHONLY(emit_testmap, openssh_dsa, OPENSSH_MAC_CMD)
-#endif
PKDTESTS_DEFAULT(emit_testmap, openssh_rsa, OPENSSH_CMD)
PKDTESTS_DEFAULT(emit_testmap, openssh_cert_rsa, OPENSSH_CERT_CMD)
@@ -795,16 +649,6 @@ static int pkd_run_tests(void) {
int tindex = 0;
const struct CMUnitTest openssh_tests[] = {
-#ifdef HAVE_DSA
- PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_dsa, OPENSSH_CMD)
- PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_cert_dsa, OPENSSH_CERT_CMD)
- PKDTESTS_DEFAULT_OPENSSHONLY(emit_unit_test_comma, openssh_dsa, OPENSSH_CMD)
- PKDTESTS_KEX(emit_unit_test_comma, openssh_dsa, OPENSSH_KEX_CMD)
- PKDTESTS_CIPHER(emit_unit_test_comma, openssh_dsa, OPENSSH_CIPHER_CMD)
- PKDTESTS_CIPHER_OPENSSHONLY(emit_unit_test_comma, openssh_dsa, OPENSSH_CIPHER_CMD)
- PKDTESTS_MAC(emit_unit_test_comma, openssh_dsa, OPENSSH_MAC_CMD)
- PKDTESTS_MAC_OPENSSHONLY(emit_unit_test_comma, openssh_dsa, OPENSSH_MAC_CMD)
-#endif
PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_rsa, OPENSSH_CMD)
PKDTESTS_DEFAULT(emit_unit_test_comma, openssh_cert_rsa, OPENSSH_CERT_CMD)
@@ -948,9 +792,6 @@ static int pkd_run_tests(void) {
cleanup_ecdsa_keys();
if (!ssh_fips_mode()) {
cleanup_ed25519_key();
-#ifdef HAVE_DSA
- cleanup_dsa_key();
-#endif
}
return rc;
diff --git a/tests/pkd/pkd_keyutil.c b/tests/pkd/pkd_keyutil.c
index 533d2788..4e032f17 100644
--- a/tests/pkd/pkd_keyutil.c
+++ b/tests/pkd/pkd_keyutil.c
@@ -40,17 +40,6 @@ void setup_ed25519_key(void) {
assert_int_equal(rc, 0);
}
-#ifdef HAVE_DSA
-void setup_dsa_key(void) {
- int rc = 0;
- if (access(LIBSSH_DSA_TESTKEY, F_OK) != 0) {
- rc = system_checked(OPENSSH_KEYGEN " -t dsa -q -N \"\" -f "
- LIBSSH_DSA_TESTKEY);
- }
- assert_int_equal(rc, 0);
-}
-#endif
-
void setup_ecdsa_keys(void) {
int rc = 0;
@@ -79,12 +68,6 @@ void cleanup_ed25519_key(void) {
cleanup_key(LIBSSH_ED25519_TESTKEY);
}
-#ifdef HAVE_DSA
-void cleanup_dsa_key(void) {
- cleanup_key(LIBSSH_DSA_TESTKEY);
-}
-#endif
-
void cleanup_ecdsa_keys(void) {
cleanup_key(LIBSSH_ECDSA_256_TESTKEY);
cleanup_key(LIBSSH_ECDSA_384_TESTKEY);
@@ -156,19 +139,6 @@ void setup_openssh_client_keys(void) {
assert_int_equal(rc, 0);
if (!ssh_fips_mode()) {
-#ifdef HAVE_DSA
- if (access(OPENSSH_DSA_TESTKEY, F_OK) != 0) {
- rc = system_checked(OPENSSH_KEYGEN " -t dsa -q -N \"\" -f "
- OPENSSH_DSA_TESTKEY);
- }
- assert_int_equal(rc, 0);
-
- if (access(OPENSSH_DSA_TESTKEY "-cert.pub", F_OK) != 0) {
- rc = system_checked(OPENSSH_KEYGEN " -I ident -s " OPENSSH_CA_TESTKEY
- " " OPENSSH_DSA_TESTKEY ".pub 2>/dev/null");
- }
- assert_int_equal(rc, 0);
-#endif
if (access(OPENSSH_ED25519_TESTKEY, F_OK) != 0) {
rc = system_checked(OPENSSH_KEYGEN " -t ed25519 -q -N \"\" -f "
@@ -193,9 +163,6 @@ void cleanup_openssh_client_keys(void) {
cleanup_key(OPENSSH_ECDSA521_TESTKEY);
if (!ssh_fips_mode()) {
cleanup_key(OPENSSH_ED25519_TESTKEY);
-#ifdef HAVE_DSA
- cleanup_key(OPENSSH_DSA_TESTKEY);
-#endif
}
}
diff --git a/tests/pkd/pkd_keyutil.h b/tests/pkd/pkd_keyutil.h
index 7b189040..8e8f50ae 100644
--- a/tests/pkd/pkd_keyutil.h
+++ b/tests/pkd/pkd_keyutil.h
@@ -10,32 +10,20 @@
#include "config.h"
/* Server keys. */
-#ifdef HAVE_DSA
-#define LIBSSH_DSA_TESTKEY "libssh_testkey.id_dsa"
-#endif
#define LIBSSH_RSA_TESTKEY "libssh_testkey.id_rsa"
#define LIBSSH_ED25519_TESTKEY "libssh_testkey.id_ed25519"
#define LIBSSH_ECDSA_256_TESTKEY "libssh_testkey.id_ecdsa256"
#define LIBSSH_ECDSA_384_TESTKEY "libssh_testkey.id_ecdsa384"
#define LIBSSH_ECDSA_521_TESTKEY "libssh_testkey.id_ecdsa521"
-#ifdef HAVE_DSA
-void setup_dsa_key(void);
-#endif
void setup_rsa_key(void);
void setup_ed25519_key(void);
void setup_ecdsa_keys(void);
-#ifdef HAVE_DSA
-void cleanup_dsa_key(void);
-#endif
void cleanup_rsa_key(void);
void cleanup_ed25519_key(void);
void cleanup_ecdsa_keys(void);
/* Client keys. */
-#ifdef HAVE_DSA
-#define OPENSSH_DSA_TESTKEY "openssh_testkey.id_dsa"
-#endif
#define OPENSSH_RSA_TESTKEY "openssh_testkey.id_rsa"
#define OPENSSH_ECDSA256_TESTKEY "openssh_testkey.id_ecdsa256"
#define OPENSSH_ECDSA384_TESTKEY "openssh_testkey.id_ecdsa384"
diff --git a/tests/server/test_server/main.c b/tests/server/test_server/main.c
index b4676b4b..ff67dd9f 100644
--- a/tests/server/test_server/main.c
+++ b/tests/server/test_server/main.c
@@ -45,7 +45,6 @@ struct arguments_st {
char *port;
char *ecdsa_key;
- char *dsa_key;
char *ed25519_key;
char *rsa_key;
char *host_key;
@@ -74,7 +73,6 @@ static void free_arguments(struct arguments_st *arguments)
SAFE_FREE(arguments->port);
SAFE_FREE(arguments->ecdsa_key);
- SAFE_FREE(arguments->dsa_key);
SAFE_FREE(arguments->ed25519_key);
SAFE_FREE(arguments->rsa_key);
SAFE_FREE(arguments->host_key);
@@ -153,8 +151,6 @@ static void print_server_state(struct server_state_st *state)
printf("=================================================\n");
printf("ecdsa_key = %s\n",
state->ecdsa_key? state->ecdsa_key: "NULL");
- printf("dsa_key = %s\n",
- state->dsa_key? state->dsa_key: "NULL");
printf("ed25519_key = %s\n",
state->ed25519_key? state->ed25519_key: "NULL");
printf("rsa_key = %s\n",
@@ -218,13 +214,6 @@ static int init_server_state(struct server_state_st *state,
state->ecdsa_key = NULL;
}
- if (arguments->dsa_key) {
- state->dsa_key = arguments->dsa_key;
- arguments->dsa_key = NULL;
- } else {
- state->dsa_key = NULL;
- }
-
if (arguments->ed25519_key) {
state->ed25519_key = arguments->ed25519_key;
arguments->ed25519_key = NULL;
@@ -363,14 +352,6 @@ static struct argp_option options[] = {
.doc = "Set the ECDSA key.",
.group = 0
},
- {
- .name = "dsakey",
- .key = 'd',
- .arg = "FILE",
- .flags = 0,
- .doc = "Set the DSA key.",
- .group = 0
- },
{
.name = "ed25519key",
.key = 'e',
@@ -486,14 +467,6 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state)
goto end;
}
break;
- case 'd':
- arguments->dsa_key = strdup(arg);
- if (arguments->dsa_key == NULL) {
- fprintf(stderr, "Out of memory\n");
- rc = ENOMEM;
- goto end;
- }
- break;
case 'e':
arguments->ed25519_key = strdup(arg);
if (arguments->ed25519_key == NULL) {
diff --git a/tests/server/test_server/test_server.c b/tests/server/test_server/test_server.c
index 42d21495..649f7888 100644
--- a/tests/server/test_server/test_server.c
+++ b/tests/server/test_server/test_server.c
@@ -46,7 +46,6 @@ void free_server_state(struct server_state_st *state)
SAFE_FREE(state->address);
SAFE_FREE(state->ecdsa_key);
- SAFE_FREE(state->dsa_key);
SAFE_FREE(state->ed25519_key);
SAFE_FREE(state->rsa_key);
SAFE_FREE(state->host_key);
@@ -159,18 +158,6 @@ int run_server(struct server_state_st *state)
goto free_sshbind;
}
- if (state->dsa_key != NULL) {
- rc = ssh_bind_options_set(sshbind,
- SSH_BIND_OPTIONS_DSAKEY,
- state->dsa_key);
- if (rc != 0) {
- fprintf(stderr,
- "Error setting DSA key: %s\n",
- ssh_get_error(sshbind));
- goto free_sshbind;
- }
- }
-
if (state->rsa_key != NULL) {
rc = ssh_bind_options_set(sshbind,
SSH_BIND_OPTIONS_RSAKEY,
diff --git a/tests/server/test_server/test_server.h b/tests/server/test_server/test_server.h
index b53894bb..0854504f 100644
--- a/tests/server/test_server/test_server.h
+++ b/tests/server/test_server/test_server.h
@@ -36,7 +36,6 @@ struct server_state_st {
int port;
char *ecdsa_key;
- char *dsa_key;
char *ed25519_key;
char *rsa_key;
char *host_key;
diff --git a/tests/server/torture_server_config.c b/tests/server/torture_server_config.c
index 5f66f015..0bb11ec0 100644
--- a/tests/server/torture_server_config.c
+++ b/tests/server/torture_server_config.c
@@ -51,9 +51,6 @@ struct test_server_st {
char ecdsa_521_hostkey[1024];
char ecdsa_384_hostkey[1024];
char ecdsa_256_hostkey[1024];
-#ifdef HAVE_DSA
- char dsa_hostkey[1024];
-#endif /* HAVE_DSA */
};
static int setup_files(void **state)
@@ -117,14 +114,6 @@ static int setup_files(void **state)
torture_write_file(tss->ed25519_hostkey,
torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0));
-#ifdef HAVE_DSA
- snprintf(tss->dsa_hostkey,
- sizeof(tss->dsa_hostkey),
- "%s/sshd/ssh_host_dsa_key",
- s->socket_dir);
- torture_write_file(tss->dsa_hostkey,
- torture_get_testkey(SSH_KEYTYPE_DSS, 0));
-#endif /* HAVE_DSA */
}
tss->state = s;
@@ -372,10 +361,6 @@ static size_t setup_hostkey_files(struct test_server_st *tss)
if (!ssh_fips_mode()) {
hostkey_files[4] = tss->ed25519_hostkey;
num_hostkey_files++;
-#ifdef HAVE_DSA
- hostkey_files[5] = tss->dsa_hostkey;
- num_hostkey_files++;
-#endif
}
#endif /* TEST_ALL_CRYPTO_COMBINATIONS */
@@ -670,18 +655,6 @@ static void torture_server_config_hostkey_algorithms(void **state)
rc = try_config_content(state, config_content, false);
assert_int_equal(rc, 0);
-#ifdef HAVE_DSA
- if (!ssh_fips_mode()) {
- /* ssh-dss */
- snprintf(config_content,
- sizeof(config_content),
- "HostKey %s\nHostkeyAlgorithms %s\n",
- tss->dsa_hostkey, "ssh-dss");
-
- rc = try_config_content(state, config_content, false);
- assert_int_equal(rc, 0);
- }
-#endif
}
static void torture_server_config_unknown(void **state)
diff --git a/tests/ssh_ping.c b/tests/ssh_ping.c
index bdb3cea0..01754590 100644
--- a/tests/ssh_ping.c
+++ b/tests/ssh_ping.c
@@ -60,7 +60,7 @@ int main(int argc, char **argv)
goto out;
}
- /* Enable all supported algorithms (including DSA) */
+ /* Enable all supported algorithms */
hostkeys = ssh_kex_get_supported_method(SSH_HOSTKEYS);
rc = ssh_options_set(session, SSH_OPTIONS_HOSTKEYS, hostkeys);
if (rc < 0) {
diff --git a/tests/tests_config.h.cmake b/tests/tests_config.h.cmake
index a8147c44..eca69298 100644
--- a/tests/tests_config.h.cmake
+++ b/tests/tests_config.h.cmake
@@ -52,12 +52,10 @@
#cmakedefine OPENSSH_SSH_ED25519 1
#cmakedefine OPENSSH_SSH_ED25519_CERT_V01_OPENSSH_COM 1
#cmakedefine OPENSSH_SSH_RSA 1
-#cmakedefine OPENSSH_SSH_DSS 1
#cmakedefine OPENSSH_ECDSA_SHA2_NISTP256 1
#cmakedefine OPENSSH_ECDSA_SHA2_NISTP384 1
#cmakedefine OPENSSH_ECDSA_SHA2_NISTP521 1
#cmakedefine OPENSSH_SSH_RSA_CERT_V01_OPENSSH_COM 1
-#cmakedefine OPENSSH_SSH_DSS_CERT_V01_OPENSSH_COM 1
#cmakedefine OPENSSH_ECDSA_SHA2_NISTP256_CERT_V01_OPENSSH_COM 1
#cmakedefine OPENSSH_ECDSA_SHA2_NISTP384_CERT_V01_OPENSSH_COM 1
#cmakedefine OPENSSH_ECDSA_SHA2_NISTP521_CERT_V01_OPENSSH_COM 1
diff --git a/tests/torture.c b/tests/torture.c
index 6b2d5b7b..eee97a15 100644
--- a/tests/torture.c
+++ b/tests/torture.c
@@ -383,11 +383,6 @@ ssh_bind torture_ssh_bind(const char *addr,
}
switch (key_type) {
-#ifdef HAVE_DSA
- case SSH_KEYTYPE_DSS:
- opts = SSH_BIND_OPTIONS_DSAKEY;
- break;
-#endif /* HAVE_DSA */
case SSH_KEYTYPE_RSA:
opts = SSH_BIND_OPTIONS_RSAKEY;
break;
@@ -631,9 +626,6 @@ void torture_setup_create_libssh_config(void **state)
{
struct torture_state *s = *state;
char ed25519_hostkey[1024] = {0};
-#ifdef HAVE_DSA
- char dsa_hostkey[1024];
-#endif /* HAVE_DSA */
char rsa_hostkey[1024];
char ecdsa_hostkey[1024];
char sshd_config[2048];
@@ -647,9 +639,6 @@ void torture_setup_create_libssh_config(void **state)
"%s %s\n"
"%s %s\n"
"%s %s\n"
-#ifdef HAVE_DSA
- "%s %s\n"
-#endif /* HAVE_DSA */
"%s\n"; /* The space for test-specific options */
bool written = false;
int rc;
@@ -686,13 +675,6 @@ void torture_setup_create_libssh_config(void **state)
"%s/sshd/ssh_host_ecdsa_key",
s->socket_dir);
-#ifdef HAVE_DSA
- snprintf(dsa_hostkey,
- sizeof(dsa_hostkey),
- "%s/sshd/ssh_host_dsa_key",
- s->socket_dir);
-#endif /* HAVE_DSA */
-
if (!written) {
torture_write_file(ed25519_hostkey,
torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0));
@@ -700,10 +682,6 @@ void torture_setup_create_libssh_config(void **state)
torture_get_testkey(SSH_KEYTYPE_RSA, 0));
torture_write_file(ecdsa_hostkey,
torture_get_testkey(SSH_KEYTYPE_ECDSA_P521, 0));
-#ifdef HAVE_DSA
- torture_write_file(dsa_hostkey,
- torture_get_testkey(SSH_KEYTYPE_DSS, 0));
-#endif /* HAVE_DSA */
}
additional_config = (s->srv_additional_config != NULL ?
@@ -714,9 +692,6 @@ void torture_setup_create_libssh_config(void **state)
"HostKey", ed25519_hostkey,
"HostKey", rsa_hostkey,
"HostKey", ecdsa_hostkey,
-#ifdef HAVE_DSA
- "HostKey", dsa_hostkey,
-#endif /* HAVE_DSA */
additional_config);
torture_write_file(s->srv_config, sshd_config);
@@ -727,9 +702,6 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
{
struct torture_state *s = *state;
char ed25519_hostkey[1024] = {0};
-#ifdef HAVE_DSA
- char dsa_hostkey[1024];
-#endif /* HAVE_DSA */
char rsa_hostkey[1024];
char ecdsa_hostkey[1024];
char trusted_ca_pubkey[1024];
@@ -748,9 +720,6 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
"Port 22\n"
"ListenAddress 127.0.0.10\n"
"%s %s\n" /* ed25519 HostKey */
-#ifdef HAVE_DSA
- "%s %s\n" /* DSA HostKey */
-#endif /* HAVE_DSA */
"%s %s\n" /* RSA HostKey */
"%s %s\n" /* ECDSA HostKey */
"\n"
@@ -870,13 +839,6 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
"%s/sshd/ssh_host_ed25519_key",
s->socket_dir);
-#ifdef HAVE_DSA
- snprintf(dsa_hostkey,
- sizeof(dsa_hostkey),
- "%s/sshd/ssh_host_dsa_key",
- s->socket_dir);
-#endif /* HAVE_DSA */
-
snprintf(rsa_hostkey,
sizeof(rsa_hostkey),
"%s/sshd/ssh_host_rsa_key",
@@ -895,10 +857,6 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
if (!written) {
torture_write_file(ed25519_hostkey,
torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0));
-#ifdef HAVE_DSA
- torture_write_file(dsa_hostkey,
- torture_get_testkey(SSH_KEYTYPE_DSS, 0));
-#endif /* HAVE_DSA */
torture_write_file(rsa_hostkey,
torture_get_testkey(SSH_KEYTYPE_RSA, 0));
torture_write_file(ecdsa_hostkey,
@@ -935,9 +893,6 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
snprintf(sshd_config, sizeof(sshd_config),
config_string,
"HostKey", ed25519_hostkey,
-#ifdef HAVE_DSA
- "HostKey", dsa_hostkey,
-#endif /* HAVE_DSA */
"HostKey", rsa_hostkey,
"HostKey", ecdsa_hostkey,
trusted_ca_pubkey,
diff --git a/tests/unittests/CMakeLists.txt b/tests/unittests/CMakeLists.txt
index f85da72b..378013d6 100644
--- a/tests/unittests/CMakeLists.txt
+++ b/tests/unittests/CMakeLists.txt
@@ -45,6 +45,7 @@ if (UNIX AND NOT WIN32)
torture_keyfiles
torture_pki
torture_pki_rsa
+ torture_pki_dsa
torture_pki_ed25519
# requires /dev/null
torture_channel
@@ -62,14 +63,6 @@ if (UNIX AND NOT WIN32)
endif()
endif()
-
- if (HAVE_DSA)
- set(LIBSSH_UNIT_TESTS
- ${LIBSSH_UNIT_TESTS}
- torture_pki_dsa
- )
- endif()
-
if (WITH_PKCS11_URI)
set(LIBSSH_UNIT_TESTS
${LIBSSH_UNIT_TESTS}
diff --git a/tests/unittests/torture_bind_config.c b/tests/unittests/torture_bind_config.c
index f8e3d6ba..a2f9be06 100644
--- a/tests/unittests/torture_bind_config.c
+++ b/tests/unittests/torture_bind_config.c
@@ -54,9 +54,6 @@ extern LIBSSH_THREAD int ssh_log_level;
#define MACS "hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com"
#define MACS2 "hmac-sha1"
-#ifdef HAVE_DSA
-#define LIBSSH_DSA_TESTKEY "libssh_testkey.id_dsa"
-#endif
#define LIBSSH_RSA_TESTKEY "libssh_testkey.id_rsa"
#define LIBSSH_ED25519_TESTKEY "libssh_testkey.id_ed25519"
#ifdef HAVE_ECC
@@ -237,10 +234,6 @@ static int setup_config_files(void **state)
torture_write_file(LIBSSH_ECDSA_521_TESTKEY,
torture_get_openssh_testkey(SSH_KEYTYPE_ECDSA_P521, 0));
#endif
-#ifdef HAVE_DSA
- torture_write_file(LIBSSH_DSA_TESTKEY,
- torture_get_openssh_testkey(SSH_KEYTYPE_DSS, 0));
-#endif
torture_write_file(LIBSSH_TEST_BIND_CONFIG_LISTENADDRESS,
LIBSSH_TEST_BIND_CONFIG_LISTENADDRESS_STRING);
diff --git a/tests/unittests/torture_keyfiles.c b/tests/unittests/torture_keyfiles.c
index 2f06e88b..2ce47b72 100644
--- a/tests/unittests/torture_keyfiles.c
+++ b/tests/unittests/torture_keyfiles.c
@@ -7,9 +7,6 @@
#include "legacy.c"
#define LIBSSH_RSA_TESTKEY "libssh_testkey.id_rsa"
-#ifdef HAVE_DSA
-#define LIBSSH_DSA_TESTKEY "libssh_testkey.id_dsa"
-#endif
static int setup_rsa_key(void **state)
{
@@ -29,26 +26,6 @@ static int setup_rsa_key(void **state)
return 0;
}
-#ifdef HAVE_DSA
-static int setup_dsa_key(void **state)
-{
- ssh_session session;
-
- unlink(LIBSSH_DSA_TESTKEY);
- unlink(LIBSSH_DSA_TESTKEY ".pub");
-
- torture_write_file(LIBSSH_DSA_TESTKEY,
- torture_get_testkey(SSH_KEYTYPE_DSS, 0));
- torture_write_file(LIBSSH_DSA_TESTKEY ".pub",
- torture_get_testkey_pub(SSH_KEYTYPE_DSS));
-
- session = ssh_new();
- *state = session;
-
- return 0;
-}
-#endif
-
static int setup_both_keys(void **state) {
int rc;
@@ -56,11 +33,6 @@ static int setup_both_keys(void **state) {
if (rc != 0) {
return rc;
}
-#ifdef HAVE_DSA
- ssh_free(*state);
-
- rc = setup_dsa_key(state);
-#endif
return rc;
}
@@ -74,13 +46,6 @@ static int setup_both_keys_passphrase(void **state)
torture_write_file(LIBSSH_RSA_TESTKEY ".pub",
torture_get_testkey_pub(SSH_KEYTYPE_RSA));
-#ifdef HAVE_DSA
- torture_write_file(LIBSSH_DSA_TESTKEY,
- torture_get_testkey(SSH_KEYTYPE_DSS, 1));
- torture_write_file(LIBSSH_DSA_TESTKEY ".pub",
- torture_get_testkey_pub(SSH_KEYTYPE_DSS));
-#endif
-
session = ssh_new();
*state = session;
@@ -89,10 +54,6 @@ static int setup_both_keys_passphrase(void **state)
static int teardown(void **state)
{
-#ifdef HAVE_DSA
- unlink(LIBSSH_DSA_TESTKEY);
- unlink(LIBSSH_DSA_TESTKEY ".pub");
-#endif
unlink(LIBSSH_RSA_TESTKEY);
unlink(LIBSSH_RSA_TESTKEY ".pub");
@@ -235,15 +196,6 @@ static void torture_privatekey_from_file(void **state) {
key = NULL;
}
-#ifdef HAVE_DSA
- key = privatekey_from_file(session, LIBSSH_DSA_TESTKEY, SSH_KEYTYPE_DSS, NULL);
- assert_non_null(key);
- if (key != NULL) {
- privatekey_free(key);
- key = NULL;
- }
-#endif
-
/* Test the automatic type discovery */
key = privatekey_from_file(session, LIBSSH_RSA_TESTKEY, 0, NULL);
assert_non_null(key);
@@ -252,14 +204,6 @@ static void torture_privatekey_from_file(void **state) {
key = NULL;
}
-#ifdef HAVE_DSA
- key = privatekey_from_file(session, LIBSSH_DSA_TESTKEY, 0, NULL);
- assert_non_null(key);
- if (key != NULL) {
- privatekey_free(key);
- key = NULL;
- }
-#endif
}
/**
@@ -276,15 +220,6 @@ static void torture_privatekey_from_file_passphrase(void **state) {
key = NULL;
}
-#ifdef HAVE_DSA
- key = privatekey_from_file(session, LIBSSH_DSA_TESTKEY, SSH_KEYTYPE_DSS, TORTURE_TESTKEY_PASSWORD);
- assert_non_null(key);
- if (key != NULL) {
- privatekey_free(key);
- key = NULL;
- }
-#endif
-
/* Test the automatic type discovery */
key = privatekey_from_file(session, LIBSSH_RSA_TESTKEY, 0, TORTURE_TESTKEY_PASSWORD);
assert_non_null(key);
@@ -293,14 +228,6 @@ static void torture_privatekey_from_file_passphrase(void **state) {
key = NULL;
}
-#ifdef HAVE_DSA
- key = privatekey_from_file(session, LIBSSH_DSA_TESTKEY, 0, TORTURE_TESTKEY_PASSWORD);
- assert_non_null(key);
- if (key != NULL) {
- privatekey_free(key);
- key = NULL;
- }
-#endif
}
int torture_run_tests(void) {
diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
index ea4ccfb3..79c3787d 100644
--- a/tests/unittests/torture_options.c
+++ b/tests/unittests/torture_options.c
@@ -18,9 +18,6 @@
#include
#define LIBSSH_CUSTOM_BIND_CONFIG_FILE "my_bind_config"
#endif
-#ifdef HAVE_DSA
-#define LIBSSH_DSA_TESTKEY "libssh_testkey.id_dsa"
-#endif
#define LIBSSH_RSA_TESTKEY "libssh_testkey.id_rsa"
#define LIBSSH_ED25519_TESTKEY "libssh_testkey.id_ed25519"
#ifdef HAVE_ECC
@@ -958,8 +955,6 @@ static void torture_options_getopt(void **state)
"-vv", "-v", "-r", "-c", "aes128-ctr",
"-i", "id_rsa", "-C", "-2", "-1", NULL};
int argc = sizeof(argv)/sizeof(char *) - 1;
- const char *argv_invalid[] = {EXECUTABLE_NAME, "-r", "-d", NULL};
-
previous_level = ssh_get_log_level();
/* Test with all the supported options */
@@ -1049,17 +1044,6 @@ static void torture_options_getopt(void **state)
assert_string_equal(argv[4], "hmac-sha1");
assert_string_equal(argv[5], "example.com");
-
- /* Invalid configuration combination -d and -r (for some reason?) */
- argc = 3;
- rc = ssh_options_getopt(session, &argc, (char **)argv_invalid);
- assert_ssh_return_code_equal(session, rc, SSH_ERROR);
- assert_int_equal(argc, 3);
- assert_string_equal(argv_invalid[0], EXECUTABLE_NAME);
- assert_string_equal(argv_invalid[1], "-r");
- assert_string_equal(argv_invalid[2], "-d");
-
-
/* Corner case: only one argument */
argv[1] = "-C";
argv[2] = NULL;
@@ -1541,10 +1525,6 @@ static int ssh_bind_setup_files(void **state)
#ifdef HAVE_ECC
torture_write_file(LIBSSH_ECDSA_521_TESTKEY,
torture_get_openssh_testkey(SSH_KEYTYPE_ECDSA_P521, 0));
-#endif
-#ifdef HAVE_DSA
- torture_write_file(LIBSSH_DSA_TESTKEY,
- torture_get_openssh_testkey(SSH_KEYTYPE_DSS, 0));
#endif
torture_write_file(LIBSSH_CUSTOM_BIND_CONFIG_FILE,
"Port 42\n");
@@ -1627,16 +1607,6 @@ static void torture_bind_options_import_key(void **state)
rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_IMPORT_KEY, key);
assert_int_equal(rc, 0);
-#ifdef HAVE_DSA
- /* set dsa key */
- base64_key = torture_get_testkey(SSH_KEYTYPE_DSS, 0);
- rc = ssh_pki_import_privkey_base64(base64_key, NULL, NULL, NULL, &key);
- assert_int_equal(rc, SSH_OK);
- assert_non_null(key);
-
- rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_IMPORT_KEY, key);
- assert_int_equal(rc, 0);
-#endif
#ifdef HAVE_ECC
/* set ecdsa key */
base64_key = torture_get_testkey(SSH_KEYTYPE_ECDSA_P521, 0);
@@ -1686,15 +1656,6 @@ static void torture_bind_options_hostkey(void **state)
assert_non_null(bind->ecdsakey);
assert_string_equal(bind->ecdsakey, LIBSSH_ECDSA_521_TESTKEY);
#endif
-#ifdef HAVE_DSA
- /* Test DSA key */
- rc = ssh_bind_options_set(bind,
- SSH_BIND_OPTIONS_HOSTKEY,
- LIBSSH_DSA_TESTKEY);
- assert_int_equal(rc, 0);
- assert_non_null(bind->dsakey);
- assert_string_equal(bind->dsakey, LIBSSH_DSA_TESTKEY);
-#endif
}
static void torture_bind_options_bindaddr(void **state)
@@ -1803,28 +1764,6 @@ static void torture_bind_options_log_verbosity_str(void **state)
assert_int_equal(rc, SSH_OK);
}
-#ifdef HAVE_DSA
-static void torture_bind_options_dsakey(void **state)
-{
- struct bind_st *test_state;
- ssh_bind bind;
- int rc;
-
- assert_non_null(state);
- test_state = *((struct bind_st **)state);
- assert_non_null(test_state);
- assert_non_null(test_state->bind);
- bind = test_state->bind;
-
- rc = ssh_bind_options_set(bind,
- SSH_BIND_OPTIONS_DSAKEY,
- LIBSSH_DSA_TESTKEY);
- assert_int_equal(rc, 0);
- assert_non_null(bind->dsakey);
- assert_string_equal(bind->dsakey, LIBSSH_DSA_TESTKEY);
-}
-#endif
-
static void torture_bind_options_rsakey(void **state)
{
struct bind_st *test_state;
@@ -2315,10 +2254,6 @@ int torture_run_tests(void) {
sshbind_setup, sshbind_teardown),
cmocka_unit_test_setup_teardown(torture_bind_options_log_verbosity_str,
sshbind_setup, sshbind_teardown),
-#ifdef HAVE_DSA
- cmocka_unit_test_setup_teardown(torture_bind_options_dsakey,
- sshbind_setup, sshbind_teardown),
-#endif
cmocka_unit_test_setup_teardown(torture_bind_options_rsakey,
sshbind_setup, sshbind_teardown),
#ifdef HAVE_ECC
diff --git a/tests/unittests/torture_pki.c b/tests/unittests/torture_pki.c
index 008f29ad..c610e8a2 100644
--- a/tests/unittests/torture_pki.c
+++ b/tests/unittests/torture_pki.c
@@ -125,15 +125,7 @@ struct key_attrs key_attrs_list[][5] = {
{0, 0, "", 0, 0, "", 0}, /* UNKNOWN, SHA384 */
{0, 0, "", 0, 0, "", 0}, /* UNKNOWN, SHA512 */
},
-#ifdef HAVE_DSA
- {
- {1, 1, "ssh-dss", 1024, 0, "", 0}, /* DSS, AUTO */
- {1, 1, "ssh-dss", 1024, 20, "ssh-dss", 1}, /* DSS, SHA1 */
- {1, 1, "ssh-dss", 1024, 0, "", 0}, /* DSS, SHA256 */
- {1, 1, "ssh-dss", 1024, 0, "", 0}, /* DSS, SHA384 */
- {1, 1, "ssh-dss", 1024, 0, "", 0}, /* DSS, SHA512 */
- },
-#else
+ /* Cannot remove this as it will break the array indexing used */
{
{0, 0, "", 0, 0, "", 0}, /* DSS, AUTO */
{0, 0, "", 0, 0, "", 0}, /* DSS, SHA1 */
@@ -141,7 +133,6 @@ struct key_attrs key_attrs_list[][5] = {
{0, 0, "", 0, 0, "", 0}, /* DSS, SHA384 */
{0, 0, "", 0, 0, "", 0}, /* DSS, SHA512 */
},
-#endif /* HAVE_DSA */
{
{1, 1, "ssh-rsa", 2048, 0, "", 0}, /* RSA, AUTO */
{1, 1, "ssh-rsa", 2048, 20, "ssh-rsa", 1}, /* RSA, SHA1 */
@@ -170,15 +161,6 @@ struct key_attrs key_attrs_list[][5] = {
{1, 1, "ssh-ed25519", 255, 0, "", 0}, /* ED25519, SHA384 */
{1, 1, "ssh-ed25519", 255, 0, "", 0}, /* ED25519, SHA512 */
},
-#ifdef HAVE_DSA
- {
- {0, 1, "", 0, 0, "", 0}, /* DSS CERT, AUTO */
- {0, 1, "", 0, 0, "", 0}, /* DSS CERT, SHA1 */
- {0, 1, "", 0, 0, "", 0}, /* DSS CERT, SHA256 */
- {0, 1, "", 0, 0, "", 0}, /* DSS CERT, SHA384 */
- {0, 1, "", 0, 0, "", 0}, /* DSS CERT, SHA512 */
- },
-#else
{
{0, 0, "", 0, 0, "", 0}, /* DSS CERT, AUTO */
{0, 0, "", 0, 0, "", 0}, /* DSS CERT, SHA1 */
@@ -186,7 +168,6 @@ struct key_attrs key_attrs_list[][5] = {
{0, 0, "", 0, 0, "", 0}, /* DSS CERT, SHA384 */
{0, 0, "", 0, 0, "", 0}, /* DSS CERT, SHA512 */
},
-#endif /* HAVE_DSA */
{
{0, 1, "", 0, 0, "", 0}, /* RSA CERT, AUTO */
{0, 1, "", 0, 0, "", 0}, /* RSA CERT, SHA1 */
@@ -266,7 +247,7 @@ static void torture_pki_verify_mismatch(void **state)
ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
- for (sig_type = SSH_KEYTYPE_DSS;
+ for (sig_type = SSH_KEYTYPE_RSA;
sig_type <= SSH_KEYTYPE_ED25519_CERT01;
sig_type++)
{
@@ -275,8 +256,7 @@ static void torture_pki_verify_mismatch(void **state)
hash++)
{
if (ssh_fips_mode()) {
- if (sig_type == SSH_KEYTYPE_DSS ||
- sig_type == SSH_KEYTYPE_ED25519 ||
+ if (sig_type == SSH_KEYTYPE_ED25519 ||
hash == SSH_DIGEST_SHA1)
{
/* In FIPS mode, skip unsupported algorithms */
@@ -341,13 +321,12 @@ static void torture_pki_verify_mismatch(void **state)
input_length);
assert_true(rc == SSH_OK);
- for (key_type = SSH_KEYTYPE_DSS;
+ for (key_type = SSH_KEYTYPE_RSA;
key_type <= SSH_KEYTYPE_ED25519_CERT01;
key_type++)
{
if (ssh_fips_mode()) {
- if (key_type == SSH_KEYTYPE_DSS ||
- key_type == SSH_KEYTYPE_ED25519)
+ if (key_type == SSH_KEYTYPE_ED25519)
{
/* In FIPS mode, skip unsupported algorithms */
continue;
@@ -428,7 +407,6 @@ static void torture_pki_verify_mismatch(void **state)
key = NULL;
}
}
-
ssh_free(session);
}
diff --git a/tests/unittests/torture_pki_dsa.c b/tests/unittests/torture_pki_dsa.c
index a98f1bb0..dfd59a64 100644
--- a/tests/unittests/torture_pki_dsa.c
+++ b/tests/unittests/torture_pki_dsa.c
@@ -129,10 +129,8 @@ static void torture_pki_dsa_import_pubkey_file(void **state)
/* The key doesn't have the hostname as comment after the key */
rc = ssh_pki_import_pubkey_file(LIBSSH_DSA_TESTKEY ".pub", &pubkey);
- assert_return_code(rc, errno);
- assert_non_null(pubkey);
-
- SSH_KEY_FREE(pubkey);
+ assert_int_equal(rc, SSH_ERROR);
+ assert_null(pubkey);
}
static void torture_pki_dsa_import_pubkey_from_openssh_privkey(void **state)
@@ -144,10 +142,8 @@ static void torture_pki_dsa_import_pubkey_from_openssh_privkey(void **state)
/* The key doesn't have the hostname as comment after the key */
rc = ssh_pki_import_pubkey_file(LIBSSH_DSA_TESTKEY_PASSPHRASE, &pubkey);
- assert_return_code(rc, errno);
- assert_non_null(pubkey);
-
- SSH_KEY_FREE(pubkey);
+ assert_int_equal(rc, SSH_ERROR);
+ assert_null(pubkey);
}
static void torture_pki_dsa_import_privkey_base64(void **state)
@@ -163,102 +159,11 @@ static void torture_pki_dsa_import_privkey_base64(void **state)
NULL,
NULL,
&key);
- assert_true(rc == 0);
-
- SSH_KEY_FREE(key);
+ assert_int_equal(rc, SSH_ERROR);
+ assert_null(key);
}
-static void torture_pki_dsa_import_privkey_base64_comment(void **state)
-{
- int rc, file_str_len;
- ssh_key key = NULL;
- const char *passphrase = torture_get_testkey_passphrase();
- const char *comment_str = "#this is line-comment\n#this is another\n";
- const char *key_str = NULL;
- char *file_str = NULL;
-
- (void) state; /* unused */
-
- key_str = torture_get_testkey(SSH_KEYTYPE_DSS, 0);
- assert_non_null(key_str);
-
- file_str_len = strlen(comment_str) + strlen(key_str) + 1;
- file_str = malloc(file_str_len);
- assert_non_null(file_str);
- rc = snprintf(file_str, file_str_len, "%s%s", comment_str, key_str);
- assert_int_equal(rc, file_str_len - 1);
-
- rc = ssh_pki_import_privkey_base64(file_str,
- passphrase,
- NULL,
- NULL,
- &key);
- assert_true(rc == 0);
-
- free(file_str);
- SSH_KEY_FREE(key);
-}
-
-static void torture_pki_dsa_import_privkey_base64_whitespace(void **state)
-{
- int rc, file_str_len;
- ssh_key key = NULL;
- const char *passphrase = torture_get_testkey_passphrase();
- const char *whitespace_str = " \n\t\t\t\t\t\n\n\n\n\n";
- const char *key_str = NULL;
- char *file_str = NULL;
-
- (void) state; /* unused */
-
- key_str = torture_get_testkey(SSH_KEYTYPE_DSS, 0);
- assert_non_null(key_str);
-
- file_str_len = strlen(whitespace_str) + strlen(key_str) + 1;
- file_str = malloc(file_str_len);
- assert_non_null(file_str);
- rc = snprintf(file_str, file_str_len, "%s%s", whitespace_str, key_str);
- assert_int_equal(rc, file_str_len - 1);
-
- rc = ssh_pki_import_privkey_base64(file_str,
- passphrase,
- NULL,
- NULL,
- &key);
- assert_true(rc == 0);
-
- free(file_str);
- SSH_KEY_FREE(key);
-}
-
-static int test_sign_verify_data(ssh_key key,
- enum ssh_digest_e hash_type,
- const unsigned char *input,
- size_t input_len)
-{
- ssh_signature sig;
- ssh_key pubkey = NULL;
- int rc;
-
- /* Get the public key to verify signature */
- rc = ssh_pki_export_privkey_to_pubkey(key, &pubkey);
- assert_int_equal(rc, SSH_OK);
- assert_non_null(pubkey);
-
- /* Sign the buffer */
- sig = pki_sign_data(key, hash_type, input, input_len);
- assert_non_null(sig);
-
- /* Verify signature */
- rc = pki_verify_data_signature(sig, pubkey, input, input_len);
- assert_int_equal(rc, SSH_OK);
-
- ssh_signature_free(sig);
- SSH_KEY_FREE(pubkey);
-
- return rc;
-}
-
-static void torture_pki_sign_data_dsa(void **state)
+static void torture_pki_generate_dsa(void **state)
{
int rc;
ssh_key key = NULL;
@@ -267,619 +172,20 @@ static void torture_pki_sign_data_dsa(void **state)
/* Setup */
rc = ssh_pki_generate(SSH_KEYTYPE_DSS, 2048, &key);
- assert_int_equal(rc, SSH_OK);
- assert_non_null(key);
-
- /* Test using SHA1 */
- rc = test_sign_verify_data(key, SSH_DIGEST_SHA1, INPUT, sizeof(INPUT));
- assert_int_equal(rc, SSH_OK);
-
- /* Cleanup */
- SSH_KEY_FREE(key);
-}
-
-static void torture_pki_fail_sign_with_incompatible_hash(void **state)
-{
- int rc;
- ssh_key key = NULL;
- ssh_key pubkey = NULL;
- ssh_signature sig, bad_sig;
-
- (void) state;
-
- /* Setup */
- rc = ssh_pki_generate(SSH_KEYTYPE_DSS, 2048, &key);
- assert_int_equal(rc, SSH_OK);
- assert_non_null(key);
-
- /* Get the public key to verify signature */
- rc = ssh_pki_export_privkey_to_pubkey(key, &pubkey);
- assert_int_equal(rc, SSH_OK);
- assert_non_null(pubkey);
-
- /* Sign the buffer */
- sig = pki_sign_data(key, SSH_DIGEST_SHA1, INPUT, sizeof(INPUT));
- assert_non_null(sig);
-
- /* Verify signature */
- rc = pki_verify_data_signature(sig, pubkey, INPUT, sizeof(INPUT));
- assert_int_equal(rc, SSH_OK);
-
- /* Test if signature fails with SSH_DIGEST_AUTO */
- bad_sig = pki_sign_data(key, SSH_DIGEST_AUTO, INPUT, sizeof(INPUT));
- assert_null(bad_sig);
-
- /* Test if verification fails with SSH_DIGEST_AUTO */
- sig->hash_type = SSH_DIGEST_AUTO;
- rc = pki_verify_data_signature(sig, pubkey, INPUT, sizeof(INPUT));
- assert_int_not_equal(rc, SSH_OK);
-
- /* Test if signature fails with SSH_DIGEST_SHA256 */
- bad_sig = pki_sign_data(key, SSH_DIGEST_SHA256, INPUT, sizeof(INPUT));
- assert_null(bad_sig);
-
- /* Test if verification fails with SSH_DIGEST_SHA256 */
- sig->hash_type = SSH_DIGEST_SHA256;
- rc = pki_verify_data_signature(sig, pubkey, INPUT, sizeof(INPUT));
- assert_int_not_equal(rc, SSH_OK);
-
- /* Test if signature fails with SSH_DIGEST_SHA384 */
- bad_sig = pki_sign_data(key, SSH_DIGEST_SHA384, INPUT, sizeof(INPUT));
- assert_null(bad_sig);
-
- /* Test if verification fails with SSH_DIGEST_SHA384 */
- sig->hash_type = SSH_DIGEST_SHA384;
- rc = pki_verify_data_signature(sig, pubkey, INPUT, sizeof(INPUT));
- assert_int_not_equal(rc, SSH_OK);
-
- /* Test if signature fails with SSH_DIGEST_SHA512 */
- bad_sig = pki_sign_data(key, SSH_DIGEST_SHA512, INPUT, sizeof(INPUT));
- assert_null(bad_sig);
-
- /* Test if verification fails with SSH_DIGEST_SHA512 */
- sig->hash_type = SSH_DIGEST_SHA512;
- rc = pki_verify_data_signature(sig, pubkey, INPUT, sizeof(INPUT));
- assert_int_not_equal(rc, SSH_OK);
-
- /* Cleanup */
- ssh_signature_free(sig);
- SSH_KEY_FREE(pubkey);
- SSH_KEY_FREE(key);
-}
-
-#ifdef HAVE_LIBCRYPTO
-static void torture_pki_dsa_write_privkey(void **state)
-{
- ssh_key origkey = NULL;
- ssh_key privkey = NULL;
- int rc;
-
- (void) state; /* unused */
-
- rc = ssh_pki_import_privkey_file(LIBSSH_DSA_TESTKEY,
- NULL,
- NULL,
- NULL,
- &origkey);
- assert_true(rc == 0);
- assert_non_null(origkey);
-
- unlink(LIBSSH_DSA_TESTKEY);
-
- rc = ssh_pki_export_privkey_file(origkey,
- NULL,
- NULL,
- NULL,
- LIBSSH_DSA_TESTKEY);
- assert_true(rc == 0);
-
- rc = ssh_pki_import_privkey_file(LIBSSH_DSA_TESTKEY,
- NULL,
- NULL,
- NULL,
- &privkey);
- assert_true(rc == 0);
- assert_non_null(privkey);
-
- rc = ssh_key_cmp(origkey, privkey, SSH_KEY_CMP_PRIVATE);
- assert_true(rc == 0);
-
- SSH_KEY_FREE(origkey);
- SSH_KEY_FREE(privkey);
-
- /* Test with passphrase */
- rc = ssh_pki_import_privkey_file(LIBSSH_DSA_TESTKEY_PASSPHRASE,
- torture_get_testkey_passphrase(),
- NULL,
- NULL,
- &origkey);
- assert_true(rc == 0);
- assert_non_null(origkey);
-
- unlink(LIBSSH_DSA_TESTKEY_PASSPHRASE);
- rc = ssh_pki_export_privkey_file(origkey,
- torture_get_testkey_passphrase(),
- NULL,
- NULL,
- LIBSSH_DSA_TESTKEY_PASSPHRASE);
- assert_true(rc == 0);
-
- /* Test with invalid passphrase */
- rc = ssh_pki_import_privkey_file(LIBSSH_DSA_TESTKEY_PASSPHRASE,
- "invalid secret",
- NULL,
- NULL,
- &privkey);
- assert_true(rc == SSH_ERROR);
- assert_null(privkey);
-
- rc = ssh_pki_import_privkey_file(LIBSSH_DSA_TESTKEY_PASSPHRASE,
- torture_get_testkey_passphrase(),
- NULL,
- NULL,
- &privkey);
- assert_true(rc == 0);
- assert_non_null(privkey);
-
- rc = ssh_key_cmp(origkey, privkey, SSH_KEY_CMP_PRIVATE);
- assert_true(rc == 0);
-
- SSH_KEY_FREE(origkey);
- SSH_KEY_FREE(privkey);
-}
-#endif
-
-static void torture_pki_dsa_import_privkey_base64_passphrase(void **state)
-{
- int rc;
- ssh_key key = NULL;
- const char *passphrase = torture_get_testkey_passphrase();
-
- (void) state; /* unused */
-
- rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 1),
- passphrase,
- NULL,
- NULL,
- &key);
- assert_return_code(rc, errno);
- assert_non_null(key);
-
- rc = ssh_key_is_private(key);
- assert_true(rc == 1);
-
- SSH_KEY_FREE(key);
-
- /* test if it returns -1 if passphrase is wrong */
- rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 1),
- "wrong passphrase !!",
- NULL,
- NULL,
- &key);
- assert_true(rc == -1);
+ assert_int_equal(rc, SSH_ERROR);
assert_null(key);
-
- /* test if it returns -1 if passphrase is NULL */
- /* libcrypto asks for a passphrase, so skip this test */
-#ifndef HAVE_LIBCRYPTO
- rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 1),
- NULL,
- NULL,
- NULL,
- &key);
- assert_true(rc == -1);
- assert_null(key);
-#endif
-
- rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 1),
- passphrase,
- NULL,
- NULL,
- &key);
- assert_return_code(rc, errno);
- assert_non_null(key);
-
- rc = ssh_key_is_private(key);
- assert_true(rc == 1);
-
- SSH_KEY_FREE(key);
-
- /* test if it returns -1 if passphrase is wrong */
- rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 1),
- "wrong passphrase !!",
- NULL,
- NULL,
- &key);
- assert_true(rc == -1);
- assert_null(key);
-
- /* This free in unnecessary, but the static analyser does not know */
- SSH_KEY_FREE(key);
-
-#ifndef HAVE_LIBCRYPTO
- /* test if it returns -1 if passphrase is NULL */
- /* libcrypto asks for a passphrase, so skip this test */
- rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 1),
- NULL,
- NULL,
- NULL,
- &key);
- assert_true(rc == -1);
- assert_null(key);
-
- /* This free in unnecessary, but the static analyser does not know */
- SSH_KEY_FREE(key);
-#endif /* HAVE_LIBCRYPTO */
-}
-
-static void
-torture_pki_dsa_import_openssh_privkey_base64_passphrase(void **state)
-{
- int rc;
- ssh_key key = NULL;
- const char *passphrase = torture_get_testkey_passphrase();
- const char *keystring = NULL;
-
- (void) state; /* unused */
-
- keystring = torture_get_openssh_testkey(SSH_KEYTYPE_DSS, 1);
- assert_non_null(keystring);
-
- rc = ssh_pki_import_privkey_base64(keystring,
- passphrase,
- NULL,
- NULL,
- &key);
- assert_return_code(rc, errno);
- assert_non_null(key);
-
- rc = ssh_key_is_private(key);
- assert_true(rc == 1);
-
- SSH_KEY_FREE(key);
-
- /* test if it returns -1 if passphrase is wrong */
- rc = ssh_pki_import_privkey_base64(keystring,
- "wrong passphrase !!",
- NULL,
- NULL,
- &key);
- assert_true(rc == -1);
- assert_null(key);
-
- /* test if it returns -1 if passphrase is NULL */
- rc = ssh_pki_import_privkey_base64(keystring,
- NULL,
- NULL,
- NULL,
- &key);
- assert_true(rc == -1);
-
- rc = ssh_pki_import_privkey_base64(keystring,
- passphrase,
- NULL,
- NULL,
- &key);
- assert_return_code(rc, errno);
- assert_non_null(key);
-
- rc = ssh_key_is_private(key);
- assert_true(rc == 1);
-
- SSH_KEY_FREE(key);
-
- /* test if it returns -1 if passphrase is wrong */
- rc = ssh_pki_import_privkey_base64(keystring,
- "wrong passphrase !!",
- NULL,
- NULL,
- &key);
- assert_true(rc == -1);
- assert_null(key);
-
- /* This free is unnecessary, but the static analyser does not know */
- SSH_KEY_FREE(key);
-
- /* test if it returns -1 if passphrase is NULL */
- rc = ssh_pki_import_privkey_base64(keystring,
- NULL,
- NULL,
- NULL,
- &key);
- assert_true(rc == -1);
- assert_null(key);
-
- /* This free is unnecessary, but the static analyser does not know */
- SSH_KEY_FREE(key);
-}
-
-
-static void torture_pki_dsa_publickey_from_privatekey(void **state)
-{
- int rc;
- ssh_key key = NULL;
- ssh_key pubkey = NULL;
- const char *passphrase = NULL;
-
- (void) state; /* unused */
-
- rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 0),
- passphrase,
- NULL,
- NULL,
- &key);
- assert_true(rc == 0);
- assert_non_null(key);
-
- rc = ssh_key_is_private(key);
- assert_true(rc == 1);
-
- rc = ssh_pki_export_privkey_to_pubkey(key, &pubkey);
- assert_true(rc == SSH_OK);
- assert_non_null(pubkey);
-
- SSH_KEY_FREE(key);
- SSH_KEY_FREE(pubkey);
}
static void torture_pki_dsa_import_cert_file(void **state)
{
int rc;
ssh_key cert = NULL;
- enum ssh_keytypes_e type;
(void) state; /* unused */
rc = ssh_pki_import_cert_file(LIBSSH_DSA_TESTKEY "-cert.pub", &cert);
- assert_true(rc == 0);
- assert_non_null(cert);
-
- type = ssh_key_type(cert);
- assert_true(type == SSH_KEYTYPE_DSS_CERT01);
-
- rc = ssh_key_is_public(cert);
- assert_true(rc == 1);
-
- SSH_KEY_FREE(cert);
-}
-
-static void torture_pki_dsa_publickey_base64(void **state)
-{
- enum ssh_keytypes_e type;
- char *b64_key = NULL, *key_buf = NULL, *p = NULL;
- const char *str = NULL;
- ssh_key key = NULL;
- size_t keylen;
- size_t i;
- int rc;
-
- (void) state; /* unused */
-
- key_buf = strdup(torture_get_testkey_pub(SSH_KEYTYPE_DSS));
- assert_non_null(key_buf);
-
- keylen = strlen(key_buf);
-
- str = p = key_buf;
- for (i = 0; i < keylen; i++) {
- if (isspace((int)p[i])) {
- p[i] = '\0';
- break;
- }
-
- }
-
- type = ssh_key_type_from_name(str);
- assert_true(type == SSH_KEYTYPE_DSS);
-
- str = &p[i + 1];
-
- for (; i < keylen; i++) {
- if (isspace((int)p[i])) {
- p[i] = '\0';
- break;
- }
- }
-
- rc = ssh_pki_import_pubkey_base64(str, type, &key);
- assert_true(rc == 0);
- assert_non_null(key);
-
- rc = ssh_pki_export_pubkey_base64(key, &b64_key);
- assert_true(rc == 0);
- assert_non_null(b64_key);
-
- assert_string_equal(str, b64_key);
-
- free(b64_key);
- free(key_buf);
- SSH_KEY_FREE(key);
-}
-
-static void torture_pki_dsa_generate_pubkey_from_privkey(void **state)
-{
- char pubkey_generated[4096] = {0};
- ssh_key privkey = NULL;
- ssh_key pubkey = NULL;
- int len;
- int rc;
-
- (void) state; /* unused */
-
- /* remove the public key, generate it from the private key and write it. */
- unlink(LIBSSH_DSA_TESTKEY ".pub");
-
- rc = ssh_pki_import_privkey_file(LIBSSH_DSA_TESTKEY,
- NULL,
- NULL,
- NULL,
- &privkey);
- assert_true(rc == 0);
- assert_non_null(privkey);
-
- rc = ssh_pki_export_privkey_to_pubkey(privkey, &pubkey);
- assert_true(rc == SSH_OK);
- assert_non_null(pubkey);
-
- rc = ssh_pki_export_pubkey_file(pubkey, LIBSSH_DSA_TESTKEY ".pub");
- assert_true(rc == 0);
-
- rc = torture_read_one_line(LIBSSH_DSA_TESTKEY ".pub",
- pubkey_generated,
- sizeof(pubkey_generated));
- assert_true(rc == 0);
-
- len = torture_pubkey_len(torture_get_testkey_pub(SSH_KEYTYPE_DSS));
- assert_memory_equal(torture_get_testkey_pub(SSH_KEYTYPE_DSS),
- pubkey_generated,
- len);
-
- SSH_KEY_FREE(privkey);
- SSH_KEY_FREE(pubkey);
-}
-
-static void torture_pki_dsa_duplicate_key(void **state)
-{
- int rc;
- char *b64_key = NULL;
- char *b64_key_gen = NULL;
- ssh_key pubkey = NULL;
- ssh_key pubkey_dup = NULL;
- ssh_key privkey = NULL;
- ssh_key privkey_dup = NULL;
-
- (void) state;
-
- rc = ssh_pki_import_pubkey_file(LIBSSH_DSA_TESTKEY ".pub", &pubkey);
- assert_true(rc == 0);
- assert_non_null(pubkey);
-
- rc = ssh_pki_export_pubkey_base64(pubkey, &b64_key);
- assert_true(rc == 0);
- assert_non_null(b64_key);
- rc = ssh_pki_import_privkey_file(LIBSSH_DSA_TESTKEY,
- NULL,
- NULL,
- NULL,
- &privkey);
- assert_true(rc == 0);
- assert_non_null(privkey);
-
- privkey_dup = ssh_key_dup(privkey);
- assert_non_null(privkey_dup);
-
- rc = ssh_pki_export_privkey_to_pubkey(privkey, &pubkey_dup);
- assert_true(rc == SSH_OK);
- assert_non_null(pubkey_dup);
-
- rc = ssh_pki_export_pubkey_base64(pubkey_dup, &b64_key_gen);
- assert_true(rc == 0);
- assert_non_null(b64_key_gen);
-
- assert_string_equal(b64_key, b64_key_gen);
-
- rc = ssh_key_cmp(privkey, privkey_dup, SSH_KEY_CMP_PRIVATE);
- assert_true(rc == 0);
-
- rc = ssh_key_cmp(pubkey, pubkey_dup, SSH_KEY_CMP_PUBLIC);
- assert_true(rc == 0);
-
- SSH_KEY_FREE(pubkey);
- SSH_KEY_FREE(pubkey_dup);
-
- SSH_KEY_FREE(privkey);
- SSH_KEY_FREE(privkey_dup);
- SSH_STRING_FREE_CHAR(b64_key);
- SSH_STRING_FREE_CHAR(b64_key_gen);
-}
-
-static void torture_pki_dsa_generate_key(void **state)
-{
- int rc;
- ssh_key key = NULL, pubkey = NULL;
- ssh_signature sign = NULL;
- ssh_session session=ssh_new();
- (void) state;
-
- rc = ssh_pki_generate(SSH_KEYTYPE_DSS, 1024, &key);
- assert_true(rc == SSH_OK);
- assert_non_null(key);
- rc = ssh_pki_export_privkey_to_pubkey(key, &pubkey);
- assert_int_equal(rc, SSH_OK);
- assert_non_null(pubkey);
- sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA1);
- assert_non_null(sign);
- rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT));
- assert_true(rc == SSH_OK);
- ssh_signature_free(sign);
- SSH_KEY_FREE(key);
- SSH_KEY_FREE(pubkey);
-
- rc = ssh_pki_generate(SSH_KEYTYPE_DSS, 2048, &key);
- assert_true(rc == SSH_OK);
- assert_non_null(key);
- rc = ssh_pki_export_privkey_to_pubkey(key, &pubkey);
- assert_int_equal(rc, SSH_OK);
- assert_non_null(pubkey);
- sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA1);
- assert_non_null(sign);
- rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT));
- assert_true(rc == SSH_OK);
- ssh_signature_free(sign);
- SSH_KEY_FREE(key);
- SSH_KEY_FREE(pubkey);
-
- rc = ssh_pki_generate(SSH_KEYTYPE_DSS, 3072, &key);
- assert_true(rc == SSH_OK);
- assert_non_null(key);
- rc = ssh_pki_export_privkey_to_pubkey(key, &pubkey);
- assert_int_equal(rc, SSH_OK);
- assert_non_null(pubkey);
- sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA1);
- assert_non_null(sign);
- rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT));
- assert_true(rc == SSH_OK);
- ssh_signature_free(sign);
- SSH_KEY_FREE(key);
- SSH_KEY_FREE(pubkey);
-
- ssh_free(session);
-}
-
-static void torture_pki_dsa_cert_verify(void **state)
-{
- int rc;
- ssh_key privkey = NULL, cert = NULL;
- ssh_signature sign = NULL;
- ssh_session session=ssh_new();
- (void) state;
-
- rc = ssh_pki_import_privkey_file(LIBSSH_DSA_TESTKEY,
- NULL,
- NULL,
- NULL,
- &privkey);
- assert_true(rc == 0);
- assert_non_null(privkey);
-
- rc = ssh_pki_import_cert_file(LIBSSH_DSA_TESTKEY "-cert.pub", &cert);
- assert_true(rc == 0);
- assert_non_null(cert);
-
- sign = pki_do_sign(privkey, INPUT, sizeof(INPUT), SSH_DIGEST_SHA1);
- assert_non_null(sign);
- rc = ssh_pki_signature_verify(session, sign, cert, INPUT, sizeof(INPUT));
- assert_true(rc == SSH_OK);
- ssh_signature_free(sign);
- SSH_KEY_FREE(privkey);
- SSH_KEY_FREE(cert);
-
- ssh_free(session);
-}
-
-static void torture_pki_dsa_skip(UNUSED_PARAM(void **state))
-{
- skip();
+ assert_int_equal(rc, SSH_ERROR);
+ assert_null(cert);
}
int torture_run_tests(void)
@@ -895,60 +201,20 @@ int torture_run_tests(void)
cmocka_unit_test_setup_teardown(torture_pki_dsa_import_privkey_base64,
setup_dsa_key,
teardown),
- cmocka_unit_test_setup_teardown(torture_pki_dsa_import_privkey_base64_comment,
- setup_dsa_key,
- teardown),
- cmocka_unit_test_setup_teardown(torture_pki_dsa_import_privkey_base64_whitespace,
- setup_dsa_key,
- teardown),
cmocka_unit_test_setup_teardown(torture_pki_dsa_import_privkey_base64,
setup_openssh_dsa_key,
teardown),
- cmocka_unit_test_setup_teardown(torture_pki_dsa_publickey_from_privatekey,
- setup_dsa_key,
- teardown),
cmocka_unit_test_setup_teardown(torture_pki_dsa_import_cert_file,
setup_dsa_key,
teardown),
-#ifdef HAVE_LIBCRYPTO
- cmocka_unit_test_setup_teardown(torture_pki_dsa_write_privkey,
- setup_dsa_key,
- teardown),
-#endif
- cmocka_unit_test(torture_pki_sign_data_dsa),
- cmocka_unit_test(torture_pki_fail_sign_with_incompatible_hash),
- cmocka_unit_test(torture_pki_dsa_import_privkey_base64_passphrase),
- cmocka_unit_test(torture_pki_dsa_import_openssh_privkey_base64_passphrase),
-
- /* public key */
- cmocka_unit_test_setup_teardown(torture_pki_dsa_publickey_base64,
- setup_dsa_key,
- teardown),
- cmocka_unit_test_setup_teardown(torture_pki_dsa_generate_pubkey_from_privkey,
- setup_dsa_key,
- teardown),
- cmocka_unit_test_setup_teardown(torture_pki_dsa_duplicate_key,
- setup_dsa_key,
- teardown),
- cmocka_unit_test_setup_teardown(torture_pki_dsa_duplicate_key,
- setup_dsa_key,
- teardown),
- cmocka_unit_test(torture_pki_dsa_generate_key),
- cmocka_unit_test_setup_teardown(torture_pki_dsa_cert_verify,
- setup_dsa_key,
- teardown),
- };
- struct CMUnitTest skip_tests[] = {
- cmocka_unit_test(torture_pki_dsa_skip)
+ cmocka_unit_test_setup_teardown(torture_pki_generate_dsa,
+ setup_dsa_key,
+ teardown),
};
ssh_init();
- if (ssh_fips_mode()) {
- rc = cmocka_run_group_tests(skip_tests, NULL, NULL);
- } else {
- torture_filter_tests(tests);
- rc = cmocka_run_group_tests(tests, NULL, NULL);
- }
+ torture_filter_tests(tests);
+ rc = cmocka_run_group_tests(tests, NULL, NULL);
ssh_finalize();
return rc;
}