feat(nss/ssl): Add support for composite ML-DSA (MLDSA-Ed25519-SHA512) signature scheme in the SSL stack

eferollo · romen · commit 8b5d6a795b11 · 2025-08-29T16:20:29.000+03:00
Signed-off-by: Francesco Rollo &lt;eferollo@gmail.com&gt;
diff --git a/security/manager/ssl/nsNSSCallbacks.cpp b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -731,6 +731,9 @@ nsCString getSignatureName(uint32_t aSignatureScheme) {
     case ssl_sig_mldsa87:
       signatureName = "ML-DSA-87"_ns;
       break;
+    case ssl_sig_mldsa65_ed25519:
+      signatureName = "MLDSA65-ED25519"_ns;
+      break;
     // All other groups are not enabled in Firefox. See sEnabledSignatureSchemes
     // in nsNSSIOLayer.cpp.
     default:
@@ -1075,6 +1078,9 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
           glean::ssl::auth_mldsa_key_size_full.AccumulateSingleSample(
               NonECCKeySize(channelInfo.authKeyBits)); */
           break;
+        case ssl_auth_mldsa65_ed25519:
+          /* TODO: metrics */
+          break;
         default:
           MOZ_CRASH("impossible auth algorithm");
           break;
diff --git a/security/manager/ssl/nsNSSIOLayer.cpp b/security/manager/ssl/nsNSSIOLayer.cpp
@@ -1301,6 +1301,7 @@ static PRFileDesc* nsSSLIOLayerImportFD(PRFileDesc* fd,
 // Please change getSignatureName in nsNSSCallbacks.cpp when changing the list
 // here. See NOTE at SSL_SignatureSchemePrefSet call site.
 static const SSLSignatureScheme sEnabledSignatureSchemes[] = {
+    ssl_sig_mldsa65_ed25519,
     ssl_sig_mldsa87,
     ssl_sig_mldsa65,
     ssl_sig_mldsa44,
diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c
@@ -191,6 +191,7 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
  * cipher suites just for consistency.
  */
 static const SSLSignatureScheme defaultSignatureSchemes[] = {
+    ssl_sig_mldsa65_ed25519,
     ssl_sig_mldsa87,
     ssl_sig_mldsa65,
     ssl_sig_mldsa44,
@@ -367,6 +368,7 @@ static const CK_MECHANISM_TYPE auth_alg_defs[] = {
     CKM_RSA_PKCS_PSS,      /* ssl_auth_rsa_pss */
     CKM_NSS_HKDF_SHA256,   /* ssl_auth_psk (just check for HKDF) */
     CKM_ML_DSA,            /* ssl_auth_mldsa */
+    CKM_MLDSA65_ED25519,   /* ssl_auth_mldsa65_ed25519 */
     CKM_INVALID_MECHANISM  /* ssl_auth_tls13_any */
 };
 PR_STATIC_ASSERT(PR_ARRAY_SIZE(auth_alg_defs) == ssl_auth_size);
@@ -765,7 +767,8 @@ ssl_HasCert(const sslSocket *ss, PRUint16 maxVersion, SSLAuthType authType)
 {
     PRCList *cursor;
     if (authType == ssl_auth_null || authType == ssl_auth_psk ||
-        authType == ssl_auth_tls13_any || authType == ssl_auth_mldsa) {
+        authType == ssl_auth_tls13_any || authType == ssl_auth_mldsa ||
+        authType == ssl_auth_mldsa65_ed25519) {
         return PR_TRUE;
     }
     for (cursor = PR_NEXT_LINK(&ss->serverCerts);
@@ -1412,6 +1415,9 @@ ssl_VerifySignedHashesWithPubKey(sslSocket *ss, SECKEYPublicKey *key,
             case ssl_sig_mldsa87:
                 encAlg = SEC_OID_MLDSA_87_SIGNATURE;
                 break;
+            case ssl_sig_mldsa65_ed25519:
+                encAlg = SEC_OID_MLDSA65_ED25519_SHA512_SIGNATURE;
+                break;
             default:
                 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
                 goto loser;
@@ -4452,6 +4458,7 @@ ssl_SignatureSchemeToHashType(SSLSignatureScheme scheme)
         case ssl_sig_slhdsa_shake_192f:
         case ssl_sig_slhdsa_shake_256s:
         case ssl_sig_slhdsa_shake_256f:
+        case ssl_sig_mldsa65_ed25519:
             break;
     }
     PORT_Assert(0);
@@ -4462,7 +4469,7 @@ static PRBool
 ssl_SignatureSchemeMatchesSpkiOid(SSLSignatureScheme scheme, SECOidTag spkiOid)
 {
     if (scheme == ssl_sig_mldsa44 || scheme == ssl_sig_mldsa65 ||
-        scheme == ssl_sig_mldsa87) {
+        scheme == ssl_sig_mldsa87 || scheme == ssl_sig_mldsa65_ed25519) {
         return PR_TRUE;
     }
 
@@ -4732,6 +4739,7 @@ ssl_IsSupportedSignatureScheme(SSLSignatureScheme scheme)
         case ssl_sig_mldsa44:
         case ssl_sig_mldsa65:
         case ssl_sig_mldsa87:
+        case ssl_sig_mldsa65_ed25519:
             return PR_TRUE;
             break;
 
@@ -4847,6 +4855,8 @@ ssl_SignatureSchemeToAuthType(SSLSignatureScheme scheme)
         case ssl_sig_mldsa65:
         case ssl_sig_mldsa87:
             return ssl_auth_mldsa;
+        case ssl_sig_mldsa65_ed25519:
+            return ssl_auth_mldsa65_ed25519;
 
         default:
             PORT_Assert(0);
@@ -11777,6 +11787,11 @@ ssl_SetAuthKeyBits(sslSocket *ss, const SECKEYPublicKey *pubKey)
             minKey = ss->sec.authKeyBits;
             break;
 
+        case mldsa65Ed25519Key:
+            /* Assume we only support mldsa keys we like */
+            minKey = ss->sec.authKeyBits;
+            break;
+
         default:
             FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);
             return SECFailure;
diff --git a/security/nss/lib/ssl/sslt.h b/security/nss/lib/ssl/sslt.h
@@ -175,6 +175,12 @@ typedef enum {
     ssl_sig_slhdsa_shake_256s = 0x091b,
     ssl_sig_slhdsa_shake_256f = 0x091c,
 
+    /*
+     * Composite ML-DSA SignatureSchemes as defined in
+     * https://datatracker.ietf.org/doc/draft-reddy-tls-composite-mldsa/04/
+     */
+    ssl_sig_mldsa65_ed25519 = 0x090b,
+
     /* The following value (which can't be used in the protocol), represents
      * the RSA signature using SHA-1 and MD5 that is used in TLS 1.0 and 1.1.
      * This is reported as a signature scheme when TLS 1.0 or 1.1 is used.
@@ -204,7 +210,8 @@ typedef enum {
     ssl_auth_rsa_pss = 8,    /* RSA signing with a PSS key. */
     ssl_auth_psk = 9,
     ssl_auth_mldsa = 10,
-    ssl_auth_tls13_any = 11,
+    ssl_auth_mldsa65_ed25519 = 11,
+    ssl_auth_tls13_any = 12,
     ssl_auth_size /* number of authentication types */
 } SSLAuthType;
 
