Teach SSL_trace() about ML-DSA

Ensure the ML-DSA based sigalgs are recognised by SSL_trace() Also ensure the test_ssl_trace test passes correctly. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26654)
2025-04-12 20:30:52 +08:00 · 2025-02-06 13:48:52 +00:00 · 2025-02-06 13:48:52 +00:00 · a0fc1ff348
commit a0fc1ff348
parent 36f10925ff
4 changed files with 27 additions and 12 deletions
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@ -600,7 +600,15 @@ static const ssl_trace_tbl ssl_sigalg_tbl[] = {
    {TLSEXT_SIGALG_gostr34102001_gostr3411, TLSEXT_SIGALG_gostr34102001_gostr3411_name},
    {TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256, TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256_name},
    {TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384, TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384_name},
-    {TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512, TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512_name}
+    {TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512, TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512_name},
+    /*
+     * Well known groups that we happen to know about, but only come from
+     * provider capability declarations (hence no macros for the
+     * codepoints/names)
+     */
+    {0x0904, "mldsa44"},
+    {0x0905, "mldsa65"},
+    {0x0906, "mldsa87"}
 };

 static const ssl_trace_tbl ssl_ctype_tbl[] = {
--- a/test/quicapitest.c
+++ b/test/quicapitest.c
@ -36,7 +36,8 @@ static int is_fips = 0;
 /* The ssltrace test assumes some options are switched on/off */
 #if !defined(OPENSSL_NO_SSL_TRACE) \
    && defined(OPENSSL_NO_BROTLI) && defined(OPENSSL_NO_ZSTD) \
-    && !defined(OPENSSL_NO_ECX) && !defined(OPENSSL_NO_DH)
+    && !defined(OPENSSL_NO_ECX) && !defined(OPENSSL_NO_DH) \
+    && !defined(OPENSSL_NO_ML_DSA)
 # define DO_SSL_TRACE_TEST
 #endif

--- a/test/recipes/75-test_quicapi_data/ssltraceref-zlib.txt
+++ b/test/recipes/75-test_quicapi_data/ssltraceref-zlib.txt
@ -2,8 +2,8 @@ Sent TLS Record
 Header:
  Version = TLS 1.0 (0x301)
  Content Type = Handshake (22)
-  Length = 263
-    ClientHello, Length=259
+  Length = 269
+    ClientHello, Length=265
      client_version=0x303 (TLS 1.2)
      Random:
        gmt_unix_time=0x????????
@ -13,7 +13,7 @@ Header:
        {0x13, 0x01} TLS_AES_128_GCM_SHA256
      compression_methods (len=1)
        No Compression (0x00)
-      extensions, length = 216
+      extensions, length = 222
        extension_type=UNKNOWN(57), length=49
          0000 - 0c 00 0f 00 01 04 80 00-75 30 03 02 44 b0 0e   ........u0..D..
          000f - 01 02 04 04 80 0c 00 00-05 04 80 08 00 00 06   ...............
@ -39,7 +39,7 @@ Header:
          ossltest
        extension_type=encrypt_then_mac(22), length=0
        extension_type=extended_master_secret(23), length=0
-        extension_type=signature_algorithms(13), length=36
+        extension_type=signature_algorithms(13), length=42
          ecdsa_secp256r1_sha256 (0x0403)
          ecdsa_secp384r1_sha384 (0x0503)
          ecdsa_secp521r1_sha512 (0x0603)
@ -57,6 +57,9 @@ Header:
          rsa_pkcs1_sha256 (0x0401)
          rsa_pkcs1_sha384 (0x0501)
          rsa_pkcs1_sha512 (0x0601)
+          mldsa44 (0x0904)
+          mldsa65 (0x0905)
+          mldsa87 (0x0906)
        extension_type=supported_versions(43), length=3
          TLS 1.3 (772)
        extension_type=psk_key_exchange_modes(45), length=2
@ -69,7 +72,7 @@ Header:

 Sent Frame: Crypto
    Offset: 0
-    Len: 263
+    Len: 269
 Sent Frame: Padding
 Sent Packet
  Packet Type: Initial
--- a/test/recipes/75-test_quicapi_data/ssltraceref.txt
+++ b/test/recipes/75-test_quicapi_data/ssltraceref.txt
@ -2,8 +2,8 @@ Sent TLS Record
 Header:
  Version = TLS 1.0 (0x301)
  Content Type = Handshake (22)
-  Length = 256
-    ClientHello, Length=252
+  Length = 262
+    ClientHello, Length=258
      client_version=0x303 (TLS 1.2)
      Random:
        gmt_unix_time=0x????????
@ -13,7 +13,7 @@ Header:
        {0x13, 0x01} TLS_AES_128_GCM_SHA256
      compression_methods (len=1)
        No Compression (0x00)
-      extensions, length = 209
+      extensions, length = 215
        extension_type=UNKNOWN(57), length=49
          0000 - 0c 00 0f 00 01 04 80 00-75 30 03 02 44 b0 0e   ........u0..D..
          000f - 01 02 04 04 80 0c 00 00-05 04 80 08 00 00 06   ...............
@ -39,7 +39,7 @@ Header:
          ossltest
        extension_type=encrypt_then_mac(22), length=0
        extension_type=extended_master_secret(23), length=0
-        extension_type=signature_algorithms(13), length=36
+        extension_type=signature_algorithms(13), length=42
          ecdsa_secp256r1_sha256 (0x0403)
          ecdsa_secp384r1_sha384 (0x0503)
          ecdsa_secp521r1_sha512 (0x0603)
@ -57,6 +57,9 @@ Header:
          rsa_pkcs1_sha256 (0x0401)
          rsa_pkcs1_sha384 (0x0501)
          rsa_pkcs1_sha512 (0x0601)
+          mldsa44 (0x0904)
+          mldsa65 (0x0905)
+          mldsa87 (0x0906)
        extension_type=supported_versions(43), length=3
          TLS 1.3 (772)
        extension_type=psk_key_exchange_modes(45), length=2
@ -67,7 +70,7 @@ Header:

 Sent Frame: Crypto
    Offset: 0
-    Len: 256
+    Len: 262
 Sent Frame: Padding
 Sent Packet
  Packet Type: Initial