Expose TLS signature algorithm and per-connection sigalg preferences #513
Open
lukevalenta wants to merge 2 commits into
Conversation
e5516cc to 015e6cc
bwesterb approved these changes, Jun 24, 2026
cjpatton requested changes, Jun 24, 2026
cjpatton reviewed, Jun 24, 2026
015e6cc to 7f0bf94
cjpatton reviewed, Jun 24, 2026
Comment on lines +745 to +752

```rust
pub const ML_DSA_44: SslSignatureAlgorithm =
    SslSignatureAlgorithm(ffi::SSL_SIGN_ML_DSA_44 as _);

pub const ML_DSA_65: SslSignatureAlgorithm =
    SslSignatureAlgorithm(ffi::SSL_SIGN_ML_DSA_65 as _);

pub const ML_DSA_87: SslSignatureAlgorithm =
    SslSignatureAlgorithm(ffi::SSL_SIGN_ML_DSA_87 as _);
```
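Review bot: all three constants (lines +745 to +752) are built from `ffi::SSL_SIGN_ML_DSA_44`, `ffi::SSL_SIGN_ML_DSA_65` and `ffi::SSL_SIGN_ML_DSA_87`, so a consumer linking an older BoringSSL that does not define those symbols gets a compile error rather than a missing feature; hard-coding the registered code points in the newtype (as the author proposes below and the final PR description adopts) keeps the crate building everywhere and can be swapped back to `ffi::` once consumers have caught up. A smaller point: `as _` lets the integer cast be inferred from the newtype's field and would silently truncate if the ffi constant were wider than that field, so an explicit target type is easier to audit.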
Collaborator:
This creates some friction for downstream users who want a newer version of boring but are stuck on an older version of BoringSSL (e.g., because they have their own patch set they would need to rebase); for them it will fail to compile.
Contributor, Author:
What about hard-coding the code points instead of pulling them from BoringSSL? Then, once we think consumers are all on recent-enough BoringSSL versions, we could again pull them via ffi.
cjpatton reviewed, Jun 24, 2026
Add Rust bindings for identifying the signature algorithm negotiated
during a TLS handshake, including the post-quantum ML-DSA signature
family. These are useful for inspecting which signature scheme each
side of a handshake used to authenticate itself.

SslSignatureAlgorithm:
- ML_DSA_44 / ML_DSA_65 / ML_DSA_87 constants
- name() wraps SSL_get_signature_algorithm_name (TLS 1.3 form)
- Display formats as the algorithm name or 'unknown (0xNNNN)'

SslRef:
- peer_signature_algorithm() wraps SSL_get_peer_signature_algorithm,
  returning None when BoringSSL reports the zero sentinel
  (pre-handshake, session resumption, or protocol errors). When
  called on a server-side SslRef during mTLS it surfaces the
  client-cert signature scheme.
- signature_algorithm_used() wraps SSL_get_signature_algorithm_used,
  returning the local side's signature scheme. BoringSSL only retains
  this during the handshake; the doc comment directs callers to a
  HANDSHAKE_DONE info callback for post-handshake observation.

Tests: cover default and forced handshakes, mTLS observation of peer
and local signature schemes from both server and client sides, and the
post-handshake None contract for signature_algorithm_used.
Add `SslRef::set_verify_algorithm_prefs`, the per-connection counterpart to the existing `SslContextBuilder::set_verify_algorithm_prefs`. This controls the schemes advertised in the `signature_algorithms` extension on the wire (ClientHello on a client, CertificateRequest on a server doing mutual TLS). Useful for varying which sigalgs a given handshake will accept from the peer without restating the full ctx.

The doc comment on `set_sigalgs_list` is updated to point at `set_verify_algorithm_prefs` as the modern alternative; the BoringSSL header recommends the `_prefs` accessor over the OpenSSL-compatible helper because it does not round-trip through string parsing.

Tests: cover per-connection verify prefs accepting a satisfiable scheme and rejecting a scheme the peer's cert cannot satisfy.
7f0bf94 to 1755b06
cjpatton approved these changes, Jun 24, 2026
Add bindings for inspecting the signature algorithm (incl. ML-DSA) negotiated on a TLS connection, and for setting the accepted signature algorithms per-connection.

"Expose peer signature algorithm and post-quantum sig constants" is net-new functionality to surface the negotiated signature algorithm. The ML-DSA constants use hardcoded IANA codepoints (rather than `ffi::SSL_SIGN_ML_DSA_*`) so the crate continues to compile against older BoringSSL versions. This has planned usage in a downstream consumer.

"Expose per-connection verify algorithm preferences" adds `SslRef::set_verify_algorithm_prefs`, the per-connection counterpart to the existing `SslContextBuilder::set_verify_algorithm_prefs`. This has planned usage in a downstream consumer.

Closes #511.
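The two commit messages above describe four pieces of behaviour: ML-DSA constants carried as hard-coded code points instead of `ffi::` symbols, a `Display` that falls back to `unknown (0xNNNN)`, a `None` for BoringSSL's zero sentinel from `peer_signature_algorithm()`, and a per-connection preference list that is what goes into the `signature_algorithms` extension on the wire. The block below is an added example, not code from the boring crate or from this PR, and it does not link BoringSSL: it models those pieces in plain Rust so the reader can see the extension body the preference list produces and why a peer whose certificate key supports none of the advertised schemes is rejected. The type and function names mirror the PR's naming but are this example's own; the ML-DSA code points 0x0904/0x0905/0x0906 are the IANA SignatureScheme registrations the description refers to, and the two classical schemes and the name table are assumptions added for illustration.

```rust
use std::fmt;

// Example newtype modelled on the PR's `SslSignatureAlgorithm`; not the crate's code.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct SslSignatureAlgorithm(pub u16);

impl SslSignatureAlgorithm {
    // Hard-coded IANA SignatureScheme code points (assumed values, as registered for ML-DSA),
    // so nothing here depends on the linked BoringSSL exporting SSL_SIGN_ML_DSA_*.
    pub const ML_DSA_44: SslSignatureAlgorithm = SslSignatureAlgorithm(0x0904);
    pub const ML_DSA_65: SslSignatureAlgorithm = SslSignatureAlgorithm(0x0905);
    pub const ML_DSA_87: SslSignatureAlgorithm = SslSignatureAlgorithm(0x0906);
    // Classical schemes, included only so the example can show a mixed preference list.
    pub const ECDSA_SECP256R1_SHA256: SslSignatureAlgorithm = SslSignatureAlgorithm(0x0403);
    pub const RSA_PSS_RSAE_SHA256: SslSignatureAlgorithm = SslSignatureAlgorithm(0x0804);

    /// TLS 1.3-style name, or None for a code point this (illustrative) table does not
    /// know; stands in for SSL_get_signature_algorithm_name returning NULL.
    pub fn name(&self) -> Option<&'static str> {
        match self.0 {
            0x0403 => Some("ecdsa_secp256r1_sha256"),
            0x0804 => Some("rsa_pss_rsae_sha256"),
            0x0904 => Some("mldsa44"),
            0x0905 => Some("mldsa65"),
            0x0906 => Some("mldsa87"),
            _ => None,
        }
    }
}

impl fmt::Display for SslSignatureAlgorithm {
    // Name when known, otherwise the `unknown (0xNNNN)` form the commit message describes.
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self.name() {
            Some(n) => f.write_str(n),
            None => write!(f, "unknown (0x{:04x})", self.0),
        }
    }
}

/// Zero-sentinel contract: BoringSSL reports 0 before the handshake, on resumption
/// or after a protocol error, and the binding maps that to None.
pub fn peer_signature_algorithm(raw: u16) -> Option<SslSignatureAlgorithm> {
    if raw == 0 { None } else { Some(SslSignatureAlgorithm(raw)) }
}

/// Encode a preference list as the body of the signature_algorithms extension:
/// a 2-byte length followed by 2-byte SignatureScheme code points (RFC 8446 4.2.3).
pub fn encode_signature_algorithms(prefs: &[SslSignatureAlgorithm]) -> Vec<u8> {
    let mut out = Vec::with_capacity(2 + 2 * prefs.len());
    out.extend_from_slice(&((2 * prefs.len()) as u16).to_be_bytes());
    for alg in prefs {
        out.extend_from_slice(&alg.0.to_be_bytes());
    }
    out
}

/// Decode an extension body back into a list, rejecting truncated, odd or empty lists.
pub fn decode_signature_algorithms(body: &[u8]) -> Result<Vec<SslSignatureAlgorithm>, &'static str> {
    if body.len() < 2 {
        return Err("truncated length prefix");
    }
    let len = u16::from_be_bytes([body[0], body[1]]) as usize;
    let list = &body[2..];
    if len != list.len() || len % 2 != 0 || len == 0 {
        return Err("bad signature_algorithms length");
    }
    Ok(list
        .chunks_exact(2)
        .map(|c| SslSignatureAlgorithm(u16::from_be_bytes([c[0], c[1]])))
        .collect())
}

/// What the certificate holder does with the peer's list: the first advertised scheme
/// its key can produce, or None, which is the "scheme the peer's cert cannot satisfy"
/// case that makes the handshake fail.
pub fn select_scheme(
    advertised: &[SslSignatureAlgorithm],
    local_key_supports: &[SslSignatureAlgorithm],
) -> Option<SslSignatureAlgorithm> {
    advertised.iter().copied().find(|a| local_key_supports.contains(a))
}

fn main() {
    // Constructed preference list: accept ML-DSA-65 or P-256 ECDSA from the peer.
    let prefs = [SslSignatureAlgorithm::ML_DSA_65, SslSignatureAlgorithm::ECDSA_SECP256R1_SHA256];
    let wire = encode_signature_algorithms(&prefs);
    let parsed = decode_signature_algorithms(&wire).expect("well-formed body");
    let names: Vec<String> = parsed.iter().map(|a| a.to_string()).collect();
    println!("wire {:02x?} advertises {}", wire, names.join(", "));
    // A peer whose certificate key is RSA cannot satisfy that list.
    let rsa_only = [SslSignatureAlgorithm::RSA_PSS_RSAE_SHA256];
    println!("rsa-only peer selects {:?}", select_scheme(&parsed, &rsa_only));
    println!("unregistered code point displays as {}", SslSignatureAlgorithm(0x0b0b));
}
```

The wire encoding is the part worth checking against a packet capture: the body for the list above is `00 04 09 05 04 03`, and a peer that only holds an RSA key has nothing in it to pick, which is exactly the rejection the per-connection prefs test exercises.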