Remove last traces of DSA and NSEC3DSA algorithm, but restore the algnumber -> name mapping

bin/dnssec/dnssec-keyfromlabel.c

@@ -64,8 +64,8 @@ usage(void) {
 	fprintf(stderr, "    name: owner of the key\n");
 	fprintf(stderr, "Other options:\n");
 	fprintf(stderr, "    -a algorithm: \n"
-			"        RSA | RSAMD5 | DH | DSA | RSASHA1 |\n"
-			"        NSEC3DSA | NSEC3RSASHA1 |\n"
+			"        RSA | RSAMD5 | DH | RSASHA1 |\n"
+			"        NSEC3RSASHA1 |\n"
 			"        RSASHA256 | RSASHA512 |\n"
 			"        ECDSAP256SHA256 | ECDSAP384SHA384\n");
 	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
@@ -402,13 +402,9 @@ main(int argc, char **argv) {
 
 		if (use_nsec3) {
 			switch (alg) {
-			case DST_ALG_DSA:
-				alg = DST_ALG_NSEC3DSA;
-				break;
 			case DST_ALG_RSASHA1:
 				alg = DST_ALG_NSEC3RSASHA1;
 				break;
-			case DST_ALG_NSEC3DSA:
 			case DST_ALG_NSEC3RSASHA1:
 			case DST_ALG_RSASHA256:
 			case DST_ALG_RSASHA512:

bin/dnssec/dnssec-keyfromlabel.docbook

@@ -106,7 +106,7 @@
 	  <para>
 	    Selects the cryptographic algorithm.  The value of
 	    <option>algorithm</option> must be one of RSAMD5, RSASHA1,
-	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
+	    NSEC3RSASHA1, RSASHA256, RSASHA512,
 	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
 	  </para>
 	  <para>
@@ -119,9 +119,9 @@
 	  <para>
 	    These values are case insensitive. In some cases, abbreviations
 	    are supported, such as ECDSA256 for ECDSAP256SHA256 and
-	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
+	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
 	    along with the <option>-3</option> option, then NSEC3RSASHA1
-	    or NSEC3DSA will be used instead.
+	    will be used instead.
 	  </para>
 	  <para>
 	    As of BIND 9.12.0, this option is mandatory except when using

bin/dnssec/dnssec-keygen.c

@@ -79,8 +79,8 @@ usage(void) {
 	fprintf(stderr, "Options:\n");
 	fprintf(stderr, "    -K <directory>: write keys into directory\n");
 	fprintf(stderr, "    -a <algorithm>:\n");
-	fprintf(stderr, "        RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"
-				" | NSEC3DSA |\n");
+	fprintf(stderr, "        RSA | RSAMD5 | RSASHA1 | NSEC3RSASHA1"
+				" |\n");
 	fprintf(stderr, "        RSASHA256 | RSASHA512 |\n");
 	fprintf(stderr, "        ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
 	fprintf(stderr, "        ED25519 | ED448 | DH\n");
@@ -92,9 +92,6 @@ usage(void) {
 	fprintf(stderr, "        RSASHA256:\t[1024..%d]\n", MAX_RSA);
 	fprintf(stderr, "        RSASHA512:\t[1024..%d]\n", MAX_RSA);
 	fprintf(stderr, "        DH:\t\t[128..4096]\n");
-	fprintf(stderr, "        DSA:\t\t[512..1024] and divisible by 64\n");
-	fprintf(stderr, "        NSEC3DSA:\t[512..1024] and divisible "
-				"by 64\n");
 	fprintf(stderr, "        ECCGOST:\tignored\n");
 	fprintf(stderr, "        ECDSAP256SHA256:\tignored\n");
 	fprintf(stderr, "        ECDSAP384SHA384:\tignored\n");
@@ -161,11 +158,6 @@ usage(void) {
 	exit (-1);
 }
 
-static bool
-dsa_size_ok(int size) {
-	return (size >= 512 && size <= 1024 && size % 64 == 0);
-}
-
 static void
 progress(int p)
 {
@@ -542,13 +534,9 @@ main(int argc, char **argv) {
 
 		if (use_nsec3) {
 			switch (alg) {
-			case DST_ALG_DSA:
-				alg = DST_ALG_NSEC3DSA;
-				break;
 			case DST_ALG_RSASHA1:
 				alg = DST_ALG_NSEC3RSASHA1;
 				break;
-			case DST_ALG_NSEC3DSA:
 			case DST_ALG_NSEC3RSASHA1:
 			case DST_ALG_RSASHA256:
 			case DST_ALG_RSASHA512:
@@ -728,11 +716,6 @@ main(int argc, char **argv) {
 		if (size != 0 && (size < 128 || size > 4096))
 			fatal("DH key size %d out of range", size);
 		break;
-	case DNS_KEYALG_DSA:
-	case DNS_KEYALG_NSEC3DSA:
-		if (size != 0 && !dsa_size_ok(size))
-			fatal("invalid DSS key size: %d", size);
-		break;
 	case DST_ALG_ECCGOST:
 		size = 256;
 		break;
@@ -815,8 +798,6 @@ main(int argc, char **argv) {
 		param = generator;
 		break;
 
-	case DNS_KEYALG_DSA:
-	case DNS_KEYALG_NSEC3DSA:
 	case DST_ALG_ECCGOST:
 	case DST_ALG_ECDSA256:
 	case DST_ALG_ECDSA384:

bin/dnssec/dnssec-keygen.docbook

@@ -123,7 +123,7 @@
 	  <para>
 	    Selects the cryptographic algorithm.  For DNSSEC keys, the value
 	    of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
-	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
+	    NSEC3RSASHA1, RSASHA256, RSASHA512,
 	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.  For
 	    TKEY, the value must be DH (Diffie Hellman); specifying
 	    his value will automatically set the <option>-T KEY</option>
@@ -132,9 +132,9 @@
 	  <para>
 	    These values are case insensitive. In some cases, abbreviations
 	    are supported, such as ECDSA256 for ECDSAP256SHA256 and
-	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
+	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
 	    along with the <option>-3</option> option, then NSEC3RSASHA1
-	    or NSEC3DSA will be used instead.
+	    will be used instead.
 	  </para>
 	  <para>
 	    This parameter <emphasis>must</emphasis> be specified except

bin/pkcs11/pkcs11-keygen.c

@@ -78,11 +78,10 @@
 static CK_BBOOL truevalue = TRUE;
 static CK_BBOOL falsevalue = FALSE;
 
-/* Key class: RSA, ECC, ECX, DSA, or unknown */
+/* Key class: RSA, ECC, ECX, or unknown */
 typedef enum {
 	key_unknown,
 	key_rsa,
-	key_dsa,
 	key_ecc,
 	key_ecx
 } key_class_t;
@@ -150,45 +149,6 @@ static CK_ATTRIBUTE ecc_template[] = {
 	{CKA_ID, NULL_PTR, 0}
 };
 
-/*
- * Public key template for DSA keys
- */
-#define DSA_LABEL 0
-#define DSA_VERIFY 1
-#define DSA_TOKEN 2
-#define DSA_PRIVATE 3
-#define DSA_PRIME 4
-#define DSA_SUBPRIME 5
-#define DSA_BASE 6
-#define DSA_ID 7
-#define DSA_ATTRS 8
-static CK_ATTRIBUTE dsa_template[] = {
-	{CKA_LABEL, NULL_PTR, 0},
-	{CKA_VERIFY, &truevalue, sizeof(truevalue)},
-	{CKA_TOKEN, &truevalue, sizeof(truevalue)},
-	{CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
-	{CKA_PRIME, NULL_PTR, 0},
-	{CKA_SUBPRIME, NULL_PTR, 0},
-	{CKA_BASE, NULL_PTR, 0},
-	{CKA_ID, NULL_PTR, 0}
-};
-#define DSA_PARAM_PRIME 0
-#define DSA_PARAM_SUBPRIME 1
-#define DSA_PARAM_BASE 2
-#define DSA_PARAM_ATTRS 3
-static CK_ATTRIBUTE dsa_param_template[] = {
-	{CKA_PRIME, NULL_PTR, 0},
-	{CKA_SUBPRIME, NULL_PTR, 0},
-	{CKA_BASE, NULL_PTR, 0},
-};
-#define DSA_DOMAIN_PRIMEBITS 0
-#define DSA_DOMAIN_PRIVATE 1
-#define DSA_DOMAIN_ATTRS 2
-static CK_ATTRIBUTE dsa_domain_template[] = {
-	{CKA_PRIME_BITS, NULL_PTR, 0},
-	{CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
-};
-
 /*
  * Convert from text to key class.  Accepts the names of DNSSEC
  * signing algorithms, so e.g., ECDSAP256SHA256 maps to ECC and
@@ -202,9 +162,6 @@ keyclass_fromtext(const char *name) {
 	if (strncasecmp(name, "rsa", 3) == 0 ||
 	    strncasecmp(name, "nsec3rsa", 8) == 0)
 		return (key_rsa);
-	else if (strncasecmp(name, "dsa", 3) == 0 ||
-		 strncasecmp(name, "nsec3dsa", 8) == 0)
-		return (key_dsa);
 	else if (strncasecmp(name, "ecc", 3) == 0 ||
 		 strncasecmp(name, "ecdsa", 5) == 0)
 		return (key_ecc);
@@ -242,7 +199,7 @@ main(int argc, char *argv[]) {
 	pk11_context_t pctx;
 	int error = 0;
 	int c, errflg = 0;
-	int hide = 1, special = 0, quiet = 0;
+	int hide = 1, quiet = 0;
 	int idlen = 0, id_offset = 0;
 	unsigned int i;
 	unsigned long id = 0;
@@ -415,30 +372,6 @@ main(int argc, char *argv[]) {
 
 #endif
 		break;
-	case key_dsa:
-		op_type = OP_DSA;
-		if (bits == 0)
-			usage();
-
-		dpmech.mechanism = CKM_DSA_PARAMETER_GEN;
-		dpmech.pParameter = NULL;
-		dpmech.ulParameterLen = 0;
-		mech.mechanism = CKM_DSA_KEY_PAIR_GEN;
-		mech.pParameter = NULL;
-		mech.ulParameterLen = 0;
-
-		public_template = dsa_template;
-		public_attrcnt = DSA_ATTRS;
-		id_offset = DSA_ID;
-
-		domain_template = dsa_domain_template;
-		domain_attrcnt = DSA_DOMAIN_ATTRS;
-		param_template = dsa_param_template;
-		param_attrcnt = DSA_PARAM_ATTRS;
-
-		domain_template[DSA_DOMAIN_PRIMEBITS].pValue = &bits;
-		domain_template[DSA_DOMAIN_PRIMEBITS].ulValueLen = sizeof(bits);
-		break;
 	case key_unknown:
 		usage();
 	}
@@ -546,7 +479,7 @@ main(int argc, char *argv[]) {
 		fprintf(stderr,
 			"C_GetAttributeValue0: Error = 0x%.8lX\n", rv);
 		error = 1;
-		goto exit_domain;
+		goto exit_search;
 	}
 
 	/* Allocate space for parameter attributes */
@@ -559,39 +492,10 @@ main(int argc, char *argv[]) {
 		if (param_template[i].pValue == NULL) {
 			fprintf(stderr, "malloc failed\n");
 			error = 1;
-			goto exit_params;
+			goto exit_search;
 		}
 	}
 
-	rv = pkcs_C_GetAttributeValue(hSession, domainparams,
-				 dsa_param_template, DSA_PARAM_ATTRS);
-
-	if (rv != CKR_OK) {
-		fprintf(stderr,
-			"C_GetAttributeValue1: Error = 0x%.8lX\n", rv);
-		error = 1;
-		goto exit_params;
-	}
-
-	switch (keyclass) {
-	case key_dsa:
-		public_template[DSA_PRIME].pValue =
-			param_template[DSA_PARAM_PRIME].pValue;
-		public_template[DSA_PRIME].ulValueLen =
-			param_template[DSA_PARAM_PRIME].ulValueLen;
-		public_template[DSA_SUBPRIME].pValue =
-			param_template[DSA_PARAM_SUBPRIME].pValue;
-		public_template[DSA_SUBPRIME].ulValueLen =
-			param_template[DSA_PARAM_SUBPRIME].ulValueLen;
-		public_template[DSA_BASE].pValue =
-			param_template[DSA_PARAM_BASE].pValue;
-		public_template[DSA_BASE].ulValueLen =
-			param_template[DSA_PARAM_BASE].ulValueLen;
-		break;
-	default:
-		break;
-	}
-
  generate_keys:
 	/* Generate Key pair for signing/verifying */
 	rv = pkcs_C_GenerateKeyPair(hSession, &mech,
@@ -605,27 +509,6 @@ main(int argc, char *argv[]) {
 	 } else if (!quiet)
 		printf("Key pair generation complete.\n");
 
- exit_params:
-	/* Free parameter attributes */
-	if (keyclass == key_dsa) {
-		for (i = 0; i < param_attrcnt; i++) {
-			if (param_template[i].pValue != NULL) {
-				free(param_template[i].pValue);
-			}
-		}
-	}
-
- exit_domain:
-	/* Destroy domain parameters */
-	if (keyclass == key_dsa) {
-		rv = pkcs_C_DestroyObject(hSession, domainparams);
-		if (rv != CKR_OK) {
-			fprintf(stderr,
-				"C_DestroyObject: Error = 0x%.8lX\n", rv);
-			error = 1;
-		}
-	}
-
  exit_search:
 	rv = pkcs_C_FindObjectsFinal(hSession);
 	if (rv != CKR_OK) {

bin/tests/optional/dst_test.c

@@ -254,11 +254,9 @@ main(void) {
 	result = dns_name_fromtext(name, &b, NULL, 0, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (1);
-	io(name, 23616, DST_ALG_DSA, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC, mctx);
 	io(name, 54622, DST_ALG_RSAMD5, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC,
 	   mctx);
 
-	io(name, 49667, DST_ALG_DSA, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC, mctx);
 	io(name, 2, DST_ALG_RSAMD5, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC, mctx);
 
 	isc_buffer_constinit(&b, "dh.", 3);
@@ -270,7 +268,6 @@ main(void) {
 
 	generate(DST_ALG_RSAMD5, mctx);
 	generate(DST_ALG_DH, mctx);
-	generate(DST_ALG_DSA, mctx);
 	generate(DST_ALG_HMACMD5, mctx);
 
 	dst_lib_destroy();

config.h.in

@@ -99,9 +99,6 @@
 /* Define to 1 to enable dnstap support */
 #undef HAVE_DNSTAP
 
-/* Define to 1 if you have the `DSA_get0_pqg' function. */
-#undef HAVE_DSA_GET0_PQG
-
 /* Define to 1 if you have the `ECDSA_sign' function. */
 #undef HAVE_ECDSA_SIGN
 

config.h.win32

@@ -111,15 +111,6 @@
 /* Define if you have h_errno */
 #define HAVE_H_ERRNO
 
-/* Define if you have RSA_generate_key(). */
-#define HAVE_RSA_GENERATE_KEY
-
-/* Define if you have DSA_generate_parameters(). */
-#define HAVE_DSA_GENERATE_PARAMETERS
-
-/* Define if you have DH_generate_parameters(). */
-#define HAVE_DH_GENERATE_PARAMETERS
-
 /* Define if you have getpassphrase in the C library. */
 #define HAVE_GETPASSPHRASE
 
@@ -289,9 +280,6 @@ typedef __int64 off_t;
 /* Define if your OpenSSL version supports DH functions. */
 @HAVE_DH_GET0_KEY@
 
-/* Define if your OpenSSL version supports DSA functions. */
-@HAVE_DSA_GET0_PQG@
-
 /* Define if your OpenSSL version supports ECDSA functions. */
 @HAVE_ECDSA_SIG_GET0@
 

configure

@@ -15787,7 +15787,7 @@ done
 #
 # Check for OpenSSL 1.1.x/LibreSSL functions
 #
-for ac_func in DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg
+for ac_func in DH_get0_key ECDSA_SIG_get0 RSA_set0_key
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"

configure.ac

@@ -857,7 +857,7 @@ AC_CHECK_FUNCS([EVP_aes_128_ecb EVP_aes_192_ecb EVP_aes_256_ecb], [:],
 #
 # Check for OpenSSL 1.1.x/LibreSSL functions
 #
-AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg])
+AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 RSA_set0_key])
 
 #
 # Check whether FIPS mode is available and whether we should enable it

lib/dns/dst_parse.h

@@ -63,13 +63,6 @@
 #define TAG_DH_PRIVATE		((DST_ALG_DH << TAG_SHIFT) + 2)
 #define TAG_DH_PUBLIC		((DST_ALG_DH << TAG_SHIFT) + 3)
 
-#define DSA_NTAGS		5
-#define TAG_DSA_PRIME		((DST_ALG_DSA << TAG_SHIFT) + 0)
-#define TAG_DSA_SUBPRIME	((DST_ALG_DSA << TAG_SHIFT) + 1)
-#define TAG_DSA_BASE		((DST_ALG_DSA << TAG_SHIFT) + 2)
-#define TAG_DSA_PRIVATE		((DST_ALG_DSA << TAG_SHIFT) + 3)
-#define TAG_DSA_PUBLIC		((DST_ALG_DSA << TAG_SHIFT) + 4)
-
 #define ECDSA_NTAGS		4
 #define TAG_ECDSA_PRIVATEKEY	((DST_ALG_ECDSA256 << TAG_SHIFT) + 0)
 #define TAG_ECDSA_ENGINE	((DST_ALG_ECDSA256 << TAG_SHIFT) + 1)

lib/dns/include/dns/keyvalues.h

@@ -90,12 +90,6 @@
 #define DNS_SIG_RSAMINSIZE	((DNS_SIG_RSAMINBITS+7)/8)
 #define DNS_SIG_RSAMAXSIZE	((DNS_SIG_RSAMAXBITS+7)/8)
 
-#define DNS_SIG_DSASIGSIZE	41
-#define DNS_SIG_DSAMINBITS	512
-#define DNS_SIG_DSAMAXBITS	1024
-#define DNS_SIG_DSAMINBYTES	213
-#define DNS_SIG_DSAMAXBYTES	405
-
 #define DNS_SIG_ECDSA256SIZE	64
 #define DNS_SIG_ECDSA384SIZE	96
 

lib/dns/nsec.c

@@ -274,8 +274,7 @@ dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version,
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
 		if (dnskey.algorithm == DST_ALG_RSAMD5 ||
-		    dnskey.algorithm == DST_ALG_RSASHA1 ||
-		    dnskey.algorithm == DST_ALG_DSA)
+		    dnskey.algorithm == DST_ALG_RSASHA1)
 			break;
 	}
 	dns_rdataset_disassociate(&rdataset);

lib/dns/rcode.c

@@ -108,7 +108,9 @@
 	{ DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \
 	{ DNS_KEYALG_RSAMD5, "RSA", 0 }, \
 	{ DNS_KEYALG_DH, "DH", 0 }, \
+	{ DNS_KEYALG_DSA, "DSA", 0 }, \
 	{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
+	{ DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, \
 	{ DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
 	{ DNS_KEYALG_RSASHA256, "RSASHA256", 0 }, \
 	{ DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \

lib/dns/zone.c

@@ -17861,8 +17861,7 @@ dnskey_sane(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 			continue;
 
 		alg = tuple->rdata.data[3];
-		if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
-		    alg == DST_ALG_DSA) {
+		if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1) {
 			nseconly = true;
 			break;
 		}

lib/isc/include/pk11/pk11.h

@@ -58,7 +58,6 @@ typedef struct pk11_object pk11_object_t;
 typedef enum {
 	OP_ANY = 0,
 	OP_RSA = 1,
-	OP_DSA = 2,
 	OP_DH = 3,
 	OP_ECDSA = 4,
 	OP_EDDSA = 5,

lib/ns/update.c

@@ -1960,8 +1960,7 @@ check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 		if (tuple->rdata.type == dns_rdatatype_dnskey) {
 			uint8_t alg;
 			alg = tuple->rdata.data[3];
-			if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
-			    alg == DST_ALG_DSA) {
+			if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1) {
 				nseconly = true;
 				break;
 			}

win32utils/Configure

@@ -203,7 +203,6 @@ my @substdefh = ("AES_CC",
                  "HAVE_OPENSSL_ED25519",
                  "HAVE_OPENSSL_ED448",
 		 "HAVE_DH_GET0_KEY",
-		 "HAVE_DSA_GET0_PQG",
 		 "HAVE_ECDSA_SIG_GET0",
 		 "HAVE_RSA_SET0_KEY",
 		 "USE_BACKTRACE",
@@ -1483,7 +1482,7 @@ int main() {
         }
         printf("\n\nFound   OPENSSL_VERSION_NUMBER %#010x\n",
                OPENSSL_VERSION_NUMBER);
-        printf("This version has no built-in support for DH/DSA/ECDSA/RSA functions.\n\n");
+        printf("This version has no built-in support for DH/ECDSA/RSA functions.\n\n");
         return (1);
 }
 EOF
@@ -1495,7 +1494,6 @@ EOF
         `.\\testosslfunc.exe`;
         if ($? == 0) {
             $configdefh{"HAVE_DH_GET0_KEY"} = 1;
-            $configdefh{"HAVE_DSA_GET0_PQG"} = 1;
             $configdefh{"HAVE_ECDSA_SIG_GET0"} = 1;
             $configdefh{"HAVE_RSA_SET0_KEY"} = 1;
         }