Add dashes to ssh-mldsa-* algorithms (#180) (#183)

dstebila · maxgoedjen · web-flow · commit 3eca538ea253 · 2025-09-14T14:54:32.000-04:00
* Add dashes to ssh-mldsa-* algorithms * Fix a few more * Just a few more * Revert "Just a few more" This reverts commit 58c23ab. * Update templates and regen. --------- Signed-off-by: Max Goedjen <max.goedjen@gmail.com> Co-authored-by: Max Goedjen <max.goedjen@gmail.com>
diff --git a/README.md b/README.md
@@ -66,7 +66,7 @@ The following quantum-safe algorithms from liboqs are supported (assuming they h
 - **FrodoKEM**: `frodokem-640-aes-sha256`\*, `frodokem-976-aes-sha384`\*, `frodokem-1344-aes-sha512`\*, `frodokem-640-shake-sha256`\*, `frodokem-976-shake-sha384`\*, `frodokem-1344-shake-sha512`\*
 - **HQC**: `hqc-128-sha256`, `hqc-192-sha384`, `hqc-256-sha512`†
 - **Kyber**: `kyber-512-sha256`\*, `kyber-768-sha384`\*, `kyber-1024-sha512`\*
-- **ML-KEM**: `mlkem512-sha256`\*, `mlkem768-sha256`\*, `mlkem1024-sha384`\*
+- **ML-KEM**: `ml-kem-512-sha256`\*, `ml-kem-768-sha256`\*, `ml-kem-1024-sha384`\*
 - **NTRU-Prime**: `ntruprime-sntrup761-sha512`\*
 <!--- OQS_TEMPLATE_FRAGMENT_LIST_ALL_KEXS_END -->
 
diff --git a/oqs-template/generate.yml b/oqs-template/generate.yml
@@ -537,6 +537,7 @@ sigs:
   -
     family: 'ML-DSA'
     name: 'ml_dsa_44'
+    pretty_name: 'mldsa-44'
     enable: true
     level: 1
     mix_with:
@@ -549,6 +550,7 @@ sigs:
   -
     family: 'ML-DSA'
     name: 'ml_dsa_65'
+    pretty_name: 'mldsa-65'
     enable: true
     level: 3
     mix_with:
@@ -558,6 +560,7 @@ sigs:
   -
     family: 'ML-DSA'
     name: 'ml_dsa_87'
+    pretty_name: 'mldsa-87'
     enable: true
     level: 5
     mix_with:
diff --git a/oqs-template/oqs-test/try_connection.py/list_all_sigs.fragment b/oqs-template/oqs-test/try_connection.py/list_all_sigs.fragment
@@ -1,7 +1,7 @@
 {%- for sig in config['sigs'] %}
-    "ssh-{{ sig['name']|replace('_','') }}",
+    "ssh-{{ sig.get('pretty_name', sig['name']|replace('_','')) }}",
     {%- for alg in sig['mix_with'] %}
-    "ssh-{{ alg['name']|replace('_','-') }}-{{ sig['name']|replace('_','') }}",
+    "ssh-{{ alg['name']|replace('_','-') }}-{{ sig.get('pretty_name', sig['name']|replace('_','')) }}",
     {%- endfor -%}
 {%- endfor %}
 
diff --git a/oqs-template/regress/keygen-comment.sh/exclude_oqs_algs.fragment b/oqs-template/regress/keygen-comment.sh/exclude_oqs_algs.fragment
@@ -1,4 +1,4 @@
 {%- for sig in config['sigs'] %}
-		*{{ sig['name']|replace('_','') }}*) test -z "$oldfmt" || continue ;;
+		*{{ sig.get('pretty_name', sig['name']|replace('_','')) }}*) test -z "$oldfmt" || continue ;;
 {%- endfor %}
 
diff --git a/oqs-template/ssh-keygen.c/define_key_types.fragment b/oqs-template/ssh-keygen.c/define_key_types.fragment
@@ -1,16 +1,16 @@
 {%- for sig in config['sigs'] %}
-		{ "{{ sig['name']|replace('_','') }}", "{{ sig['name']|upper }}", _PATH_HOST_{{ sig['name']|upper }}_KEY_FILE },
+		{ "{{ sig.get('pretty_name', sig['name']|replace('_','')) }}", "{{ sig['name']|upper }}", _PATH_HOST_{{ sig['name']|upper }}_KEY_FILE },
 {%- endfor %}
 #ifdef WITH_OPENSSL
 {%- for sig in config['sigs'] %}
     {%- for alg in sig['mix_with'] if alg['rsa'] %}
-		{ "{{ alg['name'] }}_{{ sig['name']|replace('_','') }}", "{{ alg['name']|upper }}_{{ sig['name']|upper }}", _PATH_HOST_{{ alg['name']|upper }}_{{ sig['name']|upper }}_KEY_FILE },
+		{ "{{ alg['name'] }}_{{ sig.get('pretty_name', sig['name']|replace('_','')) }}", "{{ alg['name']|upper }}_{{ sig['name']|upper }}", _PATH_HOST_{{ alg['name']|upper }}_{{ sig['name']|upper }}_KEY_FILE },
     {%- endfor %}
 {%- endfor %}
 #ifdef OPENSSL_HAS_ECC
 {%- for sig in config['sigs'] %}
     {%- for alg in sig['mix_with'] if not alg['rsa'] %}
-		{ "{{ alg['name'] }}_{{ sig['name']|replace('_','') }}", "{{ alg['name']|upper }}_{{ sig['name']|upper }}", _PATH_HOST_{{ alg['name']|upper }}_{{ sig['name']|upper }}_KEY_FILE },
+		{ "{{ alg['name'] }}_{{ sig.get('pretty_name', sig['name']|replace('_','')) }}", "{{ alg['name']|upper }}_{{ sig['name']|upper }}", _PATH_HOST_{{ alg['name']|upper }}_{{ sig['name']|upper }}_KEY_FILE },
     {%- endfor %}
 {%- endfor %}
 #endif /* OPENSSL_HAS_ECC */
diff --git a/oqs-template/ssh-keyscan.c/add_proposal_server_host_key_algs.fragment b/oqs-template/ssh-keyscan.c/add_proposal_server_host_key_algs.fragment
@@ -1,21 +1,21 @@
 {%- for sig in config['sigs'] %}
 	case KT_{{ sig['name']|upper }}:
-	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-{{ sig['name']|replace('_','') }}";
+	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-{{ sig.get('pretty_name', sig['name']|replace('_','')) }}";
 	  break;
 {%- endfor %}
 #ifdef WITH_OPENSSL
 {%- for sig in config['sigs'] %}
     {%- for alg in sig['mix_with'] if alg['rsa'] %}
 	case KT_{{ alg['name']|upper }}_{{ sig['name']|upper }}:
-	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-{{ alg['name'] }}-{{ sig['name']|replace('_','') }}";
+	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-{{ alg['name'] }}-{{ sig.get('pretty_name', sig['name']|replace('_','')) }}";
 	  break;
     {%- endfor %}
 {%- endfor %}
 #ifdef OPENSSL_HAS_ECC
 {%- for sig in config['sigs'] %}
     {%- for alg in sig['mix_with'] if not alg['rsa'] %}
 	case KT_{{ alg['name']|upper }}_{{ sig['name']|upper }}:
-	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-{{ alg['name']|replace('_','-') }}-{{ sig['name']|replace('_','') }}";
+	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-{{ alg['name']|replace('_','-') }}-{{ sig.get('pretty_name', sig['name']|replace('_','')) }}";
 	  break;
     {%- endfor %}
 {%- endfor %}
diff --git a/oqs-template/ssh-oqs.c/define_sig_functions.fragment b/oqs-template/ssh-oqs.c/define_sig_functions.fragment
@@ -1,5 +1,6 @@
 {%- for sig in config['sigs'] %}
 {%- set symbol_base_name = sig['name']|replace('_','') %}
+{%- set symbol_base_pretty_name = sig.get('pretty_name', sig['name']|replace('_','')) %}
 /*---------------------------------------------------
  * {{ sig['name']|upper }} METHODS
  *---------------------------------------------------
@@ -29,7 +30,7 @@ int ssh_{{ symbol_base_name }}_sign(struct sshkey *key,
     if (sig == NULL) {
         return SSH_ERR_ALLOC_FAIL;
     }
-    int r = oqs_sign(sig, "{{ symbol_base_name }}", key, sigp, lenp, data, datalen, compat);
+    int r = oqs_sign(sig, "{{ symbol_base_pretty_name }}", key, sigp, lenp, data, datalen, compat);
     OQS_SIG_free(sig);
     return r;
 }
@@ -47,7 +48,7 @@ int ssh_{{ symbol_base_name }}_verify(const struct sshkey *key,
     if (sig == NULL) {
         return SSH_ERR_ALLOC_FAIL;
     }
-    int r = oqs_verify(sig, "{{ symbol_base_name }}", key, signature, signaturelen, data, datalen, compat);
+    int r = oqs_verify(sig, "{{ symbol_base_pretty_name }}", key, signature, signaturelen, data, datalen, compat);
     OQS_SIG_free(sig);
     return r;
 }
@@ -68,8 +69,8 @@ static const struct sshkey_impl_funcs sshkey_{{ symbol_base_name }}_funcs = {
 };
 
 const struct sshkey_impl sshkey_{{ symbol_base_name }}_impl = {
-  /* .name = */ "ssh-{{ symbol_base_name }}",
-  /* .shortname = */ "{{ symbol_base_name|upper }}",
+  /* .name = */ "ssh-{{ symbol_base_pretty_name }}",
+  /* .shortname = */ "{{ symbol_base_pretty_name|upper }}",
   /* .sigalg = */ NULL,
   /* .type = */ KEY_{{ sig['name']|upper }},
   /* .nid = */ 0,
@@ -84,6 +85,7 @@ const struct sshkey_impl sshkey_{{ symbol_base_name }}_impl = {
 {%- for sig in config['sigs'] %}
 {%- for alg in sig['mix_with'] if alg['rsa'] %}
 {%- set symbol_base_name = alg['name']|replace('_','') + '_' + sig['name']|replace('_','') %}
+{%- set symbol_base_pretty_name = alg['name']|replace('_','') + '_' + sig.get('pretty_name', sig['name']|replace('_','')) %}
 static const struct sshkey_impl_funcs sshkey_{{ symbol_base_name }}_funcs = {
   /* .size = */ ssh_generic_size,
   /* .alloc = */ ssh_generic_alloc,
@@ -100,8 +102,8 @@ static const struct sshkey_impl_funcs sshkey_{{ symbol_base_name }}_funcs = {
 };
 
 const struct sshkey_impl sshkey_{{ symbol_base_name }}_impl = {
-  /* .name = */ "ssh-{{ alg['name']|replace('_','') + '-' + sig['name']|replace('_','') }}",
-  /* .shortname = */ "{{ symbol_base_name|upper }}",
+  /* .name = */ "ssh-{{ alg['name']|replace('_','') + '-' + sig.get('pretty_name', sig['name']|replace('_','')) }}",
+  /* .shortname = */ "{{ symbol_base_pretty_name|upper }}",
   /* .sigalg = */ NULL,
   /* .type = */ KEY_{{ alg['name']|upper }}_{{ sig['name']|upper }},
   /* .nid = */ 0,
@@ -132,8 +134,8 @@ static const struct sshkey_impl_funcs sshkey_{{ symbol_base_name }}_funcs = {
 };
 
 const struct sshkey_impl sshkey_{{ symbol_base_name }}_impl = {
-  /* .name = */ "ssh-{{ alg['name']|replace('_','-') + '-' + sig['name']|replace('_','') }}",
-  /* .shortname = */ "{{ alg['name']|upper + '_' + sig['name']|replace('_','')|upper }}",
+  /* .name = */ "ssh-{{ alg['name']|replace('_','-') + '-' + sig.get('pretty_name', sig['name']|replace('_','')) }}",
+  /* .shortname = */ "{{ alg['name']|upper + '_' + sig.get('pretty_name', sig['name']|replace('_',''))|upper }}",
   /* .sigalg = */ NULL,
   /* .type = */ KEY_{{ alg['name']|upper }}_{{ sig['name']|upper }},
   /* .nid = */ {{ alg['openssl_nid'] }},
diff --git a/oqs-template/ssh-rsa.c/list_l1_rsa_hybrids.fragment b/oqs-template/ssh-rsa.c/list_l1_rsa_hybrids.fragment
@@ -1,7 +1,7 @@
 {%- for sig in config['sigs'] if sig['level'] == 1 %}
     {%- set outer_loop_last = loop.last -%}
     {%- for alg in sig['mix_with'] if alg['rsa'] %}
-	    strcmp(ident, "ssh-{{ alg['name'] }}-{{ sig['name']|replace('_','') }}") == 0 {%- if outer_loop_last and loop.last -%}){%- else %} || {%- endif -%}
+	    strcmp(ident, "ssh-{{ alg['name'] }}-{{ sig.get('pretty_name', sig['name']|replace('_','')) }}") == 0 {%- if outer_loop_last and loop.last -%}){%- else %} || {%- endif -%}
     {%- endfor %}
 {%- endfor %}
 
diff --git a/oqs-test/try_connection.py b/oqs-test/try_connection.py
@@ -88,13 +88,13 @@
     "ssh-ecdsa-nistp256-sphincssha2128fsimple",
     "ssh-sphincssha2256fsimple",
     "ssh-ecdsa-nistp521-sphincssha2256fsimple",
-    "ssh-mldsa44",
-    "ssh-rsa3072-mldsa44",
-    "ssh-ecdsa-nistp256-mldsa44",
-    "ssh-mldsa65",
-    "ssh-ecdsa-nistp384-mldsa65",
-    "ssh-mldsa87",
-    "ssh-ecdsa-nistp521-mldsa87",
+    "ssh-mldsa-44",
+    "ssh-rsa3072-mldsa-44",
+    "ssh-ecdsa-nistp256-mldsa-44",
+    "ssh-mldsa-65",
+    "ssh-ecdsa-nistp384-mldsa-65",
+    "ssh-mldsa-87",
+    "ssh-ecdsa-nistp521-mldsa-87",
     "ssh-mayo2",
     "ssh-rsa3072-mayo2",
     "ssh-ecdsa-nistp256-mayo2",
diff --git a/regress/keygen-comment.sh b/regress/keygen-comment.sh
@@ -35,9 +35,9 @@ for fmt in '' RFC4716 PKCS8 PEM; do
 		*falcon1024*) test -z "$oldfmt" || continue ;;
 		*sphincssha2128fsimple*) test -z "$oldfmt" || continue ;;
 		*sphincssha2256fsimple*) test -z "$oldfmt" || continue ;;
-		*mldsa44*) test -z "$oldfmt" || continue ;;
-		*mldsa65*) test -z "$oldfmt" || continue ;;
-		*mldsa87*) test -z "$oldfmt" || continue ;;
+		*mldsa-44*) test -z "$oldfmt" || continue ;;
+		*mldsa-65*) test -z "$oldfmt" || continue ;;
+		*mldsa-87*) test -z "$oldfmt" || continue ;;
 		*mayo2*) test -z "$oldfmt" || continue ;;
 		*mayo3*) test -z "$oldfmt" || continue ;;
 		*mayo5*) test -z "$oldfmt" || continue ;;
diff --git a/ssh-keygen.c b/ssh-keygen.c
@@ -1221,25 +1221,25 @@ do_gen_all_hostkeys(struct passwd *pw)
 		{ "falcon1024", "FALCON_1024", _PATH_HOST_FALCON_1024_KEY_FILE },
 		{ "sphincssha2128fsimple", "SPHINCS_SHA2_128F_SIMPLE", _PATH_HOST_SPHINCS_SHA2_128F_SIMPLE_KEY_FILE },
 		{ "sphincssha2256fsimple", "SPHINCS_SHA2_256F_SIMPLE", _PATH_HOST_SPHINCS_SHA2_256F_SIMPLE_KEY_FILE },
-		{ "mldsa44", "ML_DSA_44", _PATH_HOST_ML_DSA_44_KEY_FILE },
-		{ "mldsa65", "ML_DSA_65", _PATH_HOST_ML_DSA_65_KEY_FILE },
-		{ "mldsa87", "ML_DSA_87", _PATH_HOST_ML_DSA_87_KEY_FILE },
+		{ "mldsa-44", "ML_DSA_44", _PATH_HOST_ML_DSA_44_KEY_FILE },
+		{ "mldsa-65", "ML_DSA_65", _PATH_HOST_ML_DSA_65_KEY_FILE },
+		{ "mldsa-87", "ML_DSA_87", _PATH_HOST_ML_DSA_87_KEY_FILE },
 		{ "mayo2", "MAYO_2", _PATH_HOST_MAYO_2_KEY_FILE },
 		{ "mayo3", "MAYO_3", _PATH_HOST_MAYO_3_KEY_FILE },
 		{ "mayo5", "MAYO_5", _PATH_HOST_MAYO_5_KEY_FILE },
 #ifdef WITH_OPENSSL
 		{ "rsa3072_falcon512", "RSA3072_FALCON_512", _PATH_HOST_RSA3072_FALCON_512_KEY_FILE },
 		{ "rsa3072_sphincssha2128fsimple", "RSA3072_SPHINCS_SHA2_128F_SIMPLE", _PATH_HOST_RSA3072_SPHINCS_SHA2_128F_SIMPLE_KEY_FILE },
-		{ "rsa3072_mldsa44", "RSA3072_ML_DSA_44", _PATH_HOST_RSA3072_ML_DSA_44_KEY_FILE },
+		{ "rsa3072_mldsa-44", "RSA3072_ML_DSA_44", _PATH_HOST_RSA3072_ML_DSA_44_KEY_FILE },
 		{ "rsa3072_mayo2", "RSA3072_MAYO_2", _PATH_HOST_RSA3072_MAYO_2_KEY_FILE },
 #ifdef OPENSSL_HAS_ECC
 		{ "ecdsa_nistp256_falcon512", "ECDSA_NISTP256_FALCON_512", _PATH_HOST_ECDSA_NISTP256_FALCON_512_KEY_FILE },
 		{ "ecdsa_nistp521_falcon1024", "ECDSA_NISTP521_FALCON_1024", _PATH_HOST_ECDSA_NISTP521_FALCON_1024_KEY_FILE },
 		{ "ecdsa_nistp256_sphincssha2128fsimple", "ECDSA_NISTP256_SPHINCS_SHA2_128F_SIMPLE", _PATH_HOST_ECDSA_NISTP256_SPHINCS_SHA2_128F_SIMPLE_KEY_FILE },
 		{ "ecdsa_nistp521_sphincssha2256fsimple", "ECDSA_NISTP521_SPHINCS_SHA2_256F_SIMPLE", _PATH_HOST_ECDSA_NISTP521_SPHINCS_SHA2_256F_SIMPLE_KEY_FILE },
-		{ "ecdsa_nistp256_mldsa44", "ECDSA_NISTP256_ML_DSA_44", _PATH_HOST_ECDSA_NISTP256_ML_DSA_44_KEY_FILE },
-		{ "ecdsa_nistp384_mldsa65", "ECDSA_NISTP384_ML_DSA_65", _PATH_HOST_ECDSA_NISTP384_ML_DSA_65_KEY_FILE },
-		{ "ecdsa_nistp521_mldsa87", "ECDSA_NISTP521_ML_DSA_87", _PATH_HOST_ECDSA_NISTP521_ML_DSA_87_KEY_FILE },
+		{ "ecdsa_nistp256_mldsa-44", "ECDSA_NISTP256_ML_DSA_44", _PATH_HOST_ECDSA_NISTP256_ML_DSA_44_KEY_FILE },
+		{ "ecdsa_nistp384_mldsa-65", "ECDSA_NISTP384_ML_DSA_65", _PATH_HOST_ECDSA_NISTP384_ML_DSA_65_KEY_FILE },
+		{ "ecdsa_nistp521_mldsa-87", "ECDSA_NISTP521_ML_DSA_87", _PATH_HOST_ECDSA_NISTP521_ML_DSA_87_KEY_FILE },
 		{ "ecdsa_nistp256_mayo2", "ECDSA_NISTP256_MAYO_2", _PATH_HOST_ECDSA_NISTP256_MAYO_2_KEY_FILE },
 		{ "ecdsa_nistp384_mayo3", "ECDSA_NISTP384_MAYO_3", _PATH_HOST_ECDSA_NISTP384_MAYO_3_KEY_FILE },
 		{ "ecdsa_nistp521_mayo5", "ECDSA_NISTP521_MAYO_5", _PATH_HOST_ECDSA_NISTP521_MAYO_5_KEY_FILE },
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
@@ -346,13 +346,13 @@ keygrab_ssh2(con *c)
 	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-sphincssha2256fsimple";
 	  break;
 	case KT_ML_DSA_44:
-	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-mldsa44";
+	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-mldsa-44";
 	  break;
 	case KT_ML_DSA_65:
-	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-mldsa65";
+	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-mldsa-65";
 	  break;
 	case KT_ML_DSA_87:
-	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-mldsa87";
+	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-mldsa-87";
 	  break;
 	case KT_MAYO_2:
 	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-mayo2";
@@ -371,7 +371,7 @@ keygrab_ssh2(con *c)
 	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-rsa3072-sphincssha2128fsimple";
 	  break;
 	case KT_RSA3072_ML_DSA_44:
-	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-rsa3072-mldsa44";
+	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-rsa3072-mldsa-44";
 	  break;
 	case KT_RSA3072_MAYO_2:
 	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-rsa3072-mayo2";
@@ -390,13 +390,13 @@ keygrab_ssh2(con *c)
 	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-ecdsa-nistp521-sphincssha2256fsimple";
 	  break;
 	case KT_ECDSA_NISTP256_ML_DSA_44:
-	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-ecdsa-nistp256-mldsa44";
+	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-ecdsa-nistp256-mldsa-44";
 	  break;
 	case KT_ECDSA_NISTP384_ML_DSA_65:
-	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-ecdsa-nistp384-mldsa65";
+	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-ecdsa-nistp384-mldsa-65";
 	  break;
 	case KT_ECDSA_NISTP521_ML_DSA_87:
-	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-ecdsa-nistp521-mldsa87";
+	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-ecdsa-nistp521-mldsa-87";
 	  break;
 	case KT_ECDSA_NISTP256_MAYO_2:
 	  myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "ssh-ecdsa-nistp256-mayo2";
diff --git a/ssh-oqs.c b/ssh-oqs.c
diff --git a/ssh-rsa.c b/ssh-rsa.c
