ML_KEM IDs backward compat

Allow backward compatibilitly of Hybrid ML_KEM codepoints in TLS with
version before wolfSSL 5.8.0.
When WOLFSSL_ML_KEM_USE_OLD_IDS is defined, it will accept the old
codepoints for P256 with ML-KEM-512, P384 with ML-KEM-768, P521 with
ML-KEM-10124. (Others combinations were not know pre 5.8.0.)
Both old client with new server and new client with new server work with
old codepoints.

Author: SparkiDev

.wolfssl_known_macro_extras

@@ -724,6 +724,7 @@ WOLFSSL_MLKEM_MAKEKEY_SMALL_MEM
 WOLFSSL_MLKEM_NO_LARGE_CODE
 WOLFSSL_MLKEM_NO_MALLOC
 WOLFSSL_MLKEM_NTT_UNROLL
+WOLFSSL_ML_KEM_USE_OLD_IDS
 WOLFSSL_MONT_RED_CT
 WOLFSSL_MP_COND_COPY
 WOLFSSL_MP_INVMOD_CONSTANT_TIME

src/internal.c

@@ -35344,6 +35344,11 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
             case WOLFSSL_P521_ML_KEM_1024:
             case WOLFSSL_X25519_ML_KEM_512:
             case WOLFSSL_X448_ML_KEM_768:
+#ifdef WOLFSSL_ML_KEM_USE_OLD_IDS
+            case WOLFSSL_P256_ML_KEM_512_OLD:
+            case WOLFSSL_P384_ML_KEM_768_OLD:
+            case WOLFSSL_P521_ML_KEM_1024_OLD:
+#endif
         #endif
         #ifdef WOLFSSL_MLKEM_KYBER
             case WOLFSSL_P256_KYBER_LEVEL3:

src/ssl.c

@@ -15591,6 +15591,10 @@ const char* wolfSSL_get_curve_name(WOLFSSL* ssl)
             return "ML_KEM_512";
         case WOLFSSL_P256_ML_KEM_512:
             return "P256_ML_KEM_512";
+#ifdef WOLFSSL_ML_KEM_USE_OLD_IDS
+        case WOLFSSL_P256_ML_KEM_512_OLD:
+            return "P256_ML_KEM_512_OLD";
+#endif
         #ifdef HAVE_CURVE25519
         case WOLFSSL_X25519_ML_KEM_512:
             return "X25519_ML_KEM_512";
@@ -15601,6 +15605,10 @@ const char* wolfSSL_get_curve_name(WOLFSSL* ssl)
             return "ML_KEM_768";
         case WOLFSSL_P384_ML_KEM_768:
             return "P384_ML_KEM_768";
+#ifdef WOLFSSL_ML_KEM_USE_OLD_IDS
+        case WOLFSSL_P384_ML_KEM_768_OLD:
+            return "P384_ML_KEM_768_OLD";
+#endif
         case WOLFSSL_P256_ML_KEM_768:
             return "P256_ML_KEM_768";
         #ifdef HAVE_CURVE25519
@@ -15617,6 +15625,10 @@ const char* wolfSSL_get_curve_name(WOLFSSL* ssl)
             return "ML_KEM_1024";
         case WOLFSSL_P521_ML_KEM_1024:
             return "P521_ML_KEM_1024";
+#ifdef WOLFSSL_ML_KEM_USE_OLD_IDS
+        case WOLFSSL_P521_ML_KEM_1024_OLD:
+            return "P521_ML_KEM_1024_OLD";
+#endif
         case WOLFSSL_P384_ML_KEM_1024:
             return "P384_ML_KEM_1024";
     #endif

src/tls.c

@@ -4600,8 +4600,14 @@ static int TLSX_IsGroupSupported(int namedGroup)
             case WOLFSSL_ML_KEM_1024:
             case WOLFSSL_P521_ML_KEM_1024:
             case WOLFSSL_P384_ML_KEM_1024:
+                break;
         #endif
+#ifdef WOLFSSL_ML_KEM_USE_OLD_IDS
+            case WOLFSSL_P256_ML_KEM_512_OLD:
+            case WOLFSSL_P384_ML_KEM_768_OLD:
+            case WOLFSSL_P521_ML_KEM_1024_OLD:
                 break;
+#endif
     #elif defined(HAVE_LIBOQS)
         case WOLFSSL_ML_KEM_512:
         case WOLFSSL_ML_KEM_768:
@@ -4619,6 +4625,7 @@ static int TLSX_IsGroupSupported(int namedGroup)
             }
             break;
         }
+
         case WOLFSSL_P256_ML_KEM_512:
         case WOLFSSL_P384_ML_KEM_768:
         case WOLFSSL_P256_ML_KEM_768:
@@ -5866,6 +5873,23 @@ int TLSX_UseSupportedCurve(TLSX** extensions, word16 name, void* heap)
                                                                           heap);
         if (ret != 0)
             return ret;
+#ifdef WOLFSSL_ML_KEM_USE_OLD_IDS
+        if (name == WOLFSSL_P256_ML_KEM_512) {
+            ret = TLSX_SupportedCurve_Append((SupportedCurve*)extension->data,
+                WOLFSSL_P256_ML_KEM_512_OLD, heap);
+        }
+        else if (name == WOLFSSL_P384_ML_KEM_768) {
+            ret = TLSX_SupportedCurve_Append((SupportedCurve*)extension->data,
+                WOLFSSL_P384_ML_KEM_768_OLD, heap);
+        }
+        else if (name == WOLFSSL_P521_ML_KEM_1024) {
+            ret = TLSX_SupportedCurve_Append((SupportedCurve*)extension->data,
+                WOLFSSL_P521_ML_KEM_1024_OLD, heap);
+        }
+        if (ret != 0) {
+            return ret;
+        }
+#endif
     }
 
     return WOLFSSL_SUCCESS;
@@ -8436,6 +8460,11 @@ static const PqcHybridMapping pqc_hybrid_mapping[] = {
     {WOLFSSL_P256_ML_KEM_768, WOLFSSL_ECC_SECP256R1, WOLFSSL_ML_KEM_768, 0},
     {WOLFSSL_P521_ML_KEM_1024, WOLFSSL_ECC_SECP521R1, WOLFSSL_ML_KEM_1024, 0},
     {WOLFSSL_P384_ML_KEM_1024, WOLFSSL_ECC_SECP384R1, WOLFSSL_ML_KEM_1024, 0},
+#ifdef WOLFSSL_ML_KEM_USE_OLD_IDS
+    {WOLFSSL_P256_ML_KEM_512_OLD, WOLFSSL_ECC_SECP256R1, WOLFSSL_ML_KEM_512, 0},
+    {WOLFSSL_P384_ML_KEM_768_OLD, WOLFSSL_ECC_SECP384R1, WOLFSSL_ML_KEM_768, 0},
+    {WOLFSSL_P521_ML_KEM_1024_OLD, WOLFSSL_ECC_SECP521R1, WOLFSSL_ML_KEM_1024, 0},
+#endif
 #ifdef HAVE_CURVE25519
     {WOLFSSL_X25519_ML_KEM_512, WOLFSSL_ECC_X25519, WOLFSSL_ML_KEM_512, 1},
     {WOLFSSL_X25519_ML_KEM_768, WOLFSSL_ECC_X25519, WOLFSSL_ML_KEM_768, 1},
@@ -10541,6 +10570,18 @@ int TLSX_KeyShare_Use(const WOLFSSL* ssl, word16 group, word16 len, byte* data,
     /* Try to find the key share entry with this group. */
     keyShareEntry = (KeyShareEntry*)extension->data;
     while (keyShareEntry != NULL) {
+#ifdef WOLFSSL_ML_KEM_USE_OLD_IDS
+        if ((group == WOLFSSL_P256_ML_KEM_512_OLD &&
+                keyShareEntry->group == WOLFSSL_P256_ML_KEM_512) ||
+            (group == WOLFSSL_P384_ML_KEM_768_OLD &&
+                keyShareEntry->group == WOLFSSL_P384_ML_KEM_768) ||
+            (group == WOLFSSL_P521_ML_KEM_1024_OLD &&
+                keyShareEntry->group == WOLFSSL_P521_ML_KEM_1024)) {
+            keyShareEntry->group = group;
+            break;
+        }
+        else
+#endif
         if (keyShareEntry->group == group)
             break;
         keyShareEntry = keyShareEntry->next;
@@ -10778,9 +10819,20 @@ static int TLSX_KeyShare_GroupRank(const WOLFSSL* ssl, int group)
           return WOLFSSL_FATAL_ERROR;
 #endif
 
-    for (i = 0; i < numGroups; i++)
+    for (i = 0; i < numGroups; i++) {
+#ifdef WOLFSSL_ML_KEM_USE_OLD_IDS
+        if ((group == WOLFSSL_P256_ML_KEM_512_OLD &&
+             groups[i] == WOLFSSL_P256_ML_KEM_512) ||
+            (group == WOLFSSL_P384_ML_KEM_768_OLD &&
+             groups[i] == WOLFSSL_P384_ML_KEM_768) ||
+            (group == WOLFSSL_P521_ML_KEM_1024_OLD &&
+             groups[i] == WOLFSSL_P521_ML_KEM_1024)) {
+            return i;
+        }
+#endif
         if (groups[i] == (word16)group)
             return i;
+    }
 
     return WOLFSSL_FATAL_ERROR;
 }

wolfssl/ssl.h

@@ -4617,6 +4617,11 @@ enum {
      * https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/
      *      oqs-kem-info.md
      */
+#ifdef WOLFSSL_ML_KEM_USE_OLD_IDS
+    WOLFSSL_P256_ML_KEM_512_OLD   = 12103,
+    WOLFSSL_P384_ML_KEM_768_OLD   = 12104,
+    WOLFSSL_P521_ML_KEM_1024_OLD  = 12105,
+#endif
     WOLFSSL_P256_ML_KEM_512       = 12107,
     WOLFSSL_P384_ML_KEM_768       = 12108,
     WOLFSSL_P521_ML_KEM_1024      = 12109,