@randombit
Owner

No description provided.

We now always return something here since DER is only used for ECDSA
@randombit
Owner Author

ASIO tests are failing, which is somewhat unexpected. I'll look at this tomorrow.

Comment on lines +164 to +168
if(std::find(cert_signature_schemes.begin(),
cert_signature_schemes.end(),
i.certs[0].subject_public_key_algo()) == cert_signature_schemes.end()) {
continue;
}
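
Review bot: The std::find call tests `i.certs[0].subject_public_key_algo()` for exact equality against the entries of `cert_signature_schemes`, so the `continue` skips every certificate whose key algorithm identifier is not identical to one of the offered signature scheme identifiers; if those two kinds of identifier differ in form, no certificate can ever be selected. Consider comparing only the key algorithm part of each scheme, and add a test that covers certificate selection with a non-empty `cert_signature_schemes`. Separately, `i.certs[0]` is indexed with no emptiness check visible in these lines; confirm that an earlier line guarantees `i.certs` is non-empty.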
Collaborator

This is the reason that the ASIO tests fail to perform a successful handshake. The algorithm identifiers of the signature scheme involve the padding (e.g. "RSA/PKCS1v15(SHA-256)") but the subject public key's algorithm identifier is just that, e.g. "RSA", without the padding.

The ASIO integration tests happen to use an RSA certificate that doesn't pass this check. So the server fails to find a suitable certificate and raises a handshake failure.

@KaganCanSit
Contributor

KaganCanSit commented Jun 16, 2025

Hi @randombit,

I tried to develop a solution by addressing @reneme's comment explaining the reason for the ASIO test failures. I made the following changes.

Changes:
KaganCanSit@0f0afcf

#include <algorithm>

Botan::OID cert_oid = i.certs[0].subject_public_key_algo().oid();
bool compatible = 
	std::ranges::any_of(cert_signature_schemes, [&cert_oid](const Botan::AlgorithmIdentifier& scheme) {
		return scheme.oid() == cert_oid || (scheme.parameters_are_null_or_empty() &&
		  scheme.oid().to_formatted_string().starts_with(cert_oid.to_formatted_string()));
	});

if(!compatible) {
	continue;
}

Then I performed the following steps.

Compilation:

ninja clean && ./configure.py --without-documentation --with-boost --cc=clang --compiler-cache=ccache --build-targets=static,cli,tests --build-tool=ninja && ninja

Test-1:

./botan-test --test-threads=4 --run-long-tests

Test-2:

python3 src/scripts/test_cli.py ./botan cli_tls_socket_tests

Since I am not fully familiar with the functions here, I made improvements by checking the calls I could make. First, I compared the string components, but then I thought OID could be faster. I may have made mistakes, but it can save you time and help you merge this PR's content.

If you find it appropriate, I can create a PR, or you can include it via cherry-pick.
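
The identifier mismatch discussed in this thread, as an added example that is not part of the PR or of Botan's code: it shows how exact equality, a string-prefix comparison and a comparison on the key-algorithm part behave on the same offered schemes. It assumes identifiers can be modelled as plain strings in the form quoted above; the function names and the `ALGX`/`ALG` sample values are made up for illustration.

```cpp
#include <algorithm>
#include <string>
#include <vector>

// Assumption: identifiers are modelled as plain strings in the form quoted in
// the thread ("RSA/PKCS1v15(SHA-256)" for a scheme, "RSA" for a key). The PR
// itself compares Botan::AlgorithmIdentifier objects. All function names here
// are hypothetical.
using Schemes = std::vector<std::string>;

// Exact equality between a key identifier and the offered scheme identifiers,
// the shape of the reviewed check.
bool exact_match(const Schemes& schemes, const std::string& key_algo) {
   return std::find(schemes.begin(), schemes.end(), key_algo) != schemes.end();
}

// Key-algorithm part of a scheme string: everything before the first '/'.
std::string key_part(const std::string& scheme) {
   return scheme.substr(0, scheme.find('/'));
}

// Prefix comparison: accepts any key name that merely begins a scheme string.
bool prefix_match(const Schemes& schemes, const std::string& key_algo) {
   return std::any_of(schemes.begin(), schemes.end(), [&](const std::string& s) {
      return s.compare(0, key_algo.size(), key_algo) == 0;
   });
}

// Family comparison: the key algorithm must equal the scheme's key part.
bool family_match(const Schemes& schemes, const std::string& key_algo) {
   return std::any_of(schemes.begin(), schemes.end(),
                      [&](const std::string& s) { return key_part(s) == key_algo; });
}

// Constructed sample input; "ALGX/PAD(HASH)" is a made-up placeholder scheme.
const Schemes offered = {"RSA/PKCS1v15(SHA-256)", "ALGX/PAD(HASH)"};

int main() {
   // An "RSA" key fails exact_match but passes family_match; the made-up key
   // name "ALG" passes prefix_match only.
   const bool ok = !exact_match(offered, "RSA") && family_match(offered, "RSA") &&
                   prefix_match(offered, "ALG") && !family_match(offered, "ALG");
   return ok ? 0 : 1;
}
```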
