Align Falcon TLS 1.3 SignatureAlgorithm codepoints with oqs-provider

claude · claude · commit cbd4cf35310d · 2026-04-22T09:11:02.000Z
Move Falcon-512 from 0xFEAE to 0xFED7 and Falcon-1024 from 0xFEB1 to
0xFEDA, the codepoints oqs-provider registers and that any future
Falcon-capable library will almost certainly inherit. This removes the
need to set OQS_CODEPOINT_FALCON512 / OQS_CODEPOINT_FALCON1024 on the
oqs-provider side for wolfSSL &lt;-&gt; openssl TLS interop.

Hybrid codepoints shift in lockstep:
 * HYBRID_P256_FALCON_LEVEL1_SA_MINOR    0xAF -&gt; 0xD8
 * HYBRID_RSA3072_FALCON_LEVEL1_SA_MINOR 0xB0 -&gt; 0xD9
 * HYBRID_P521_FALCON_LEVEL5_SA_MINOR    0xB2 -&gt; 0xDB

All four Falcon 1.3 handshake combinations (wolfSSL &lt;-&gt; openssl
s_server/s_client, levels 1 and 5) now succeed out of the box with no
environment overrides.

Breaking change note: existing wolfSSL &lt;-&gt; wolfSSL Falcon-authenticated
handshakes that negotiated the old 0xFEAE / 0xFEB1 codepoints will stop
working. Consistent with the OID migration in the same PR, we're
committing to matching the ecosystem rather than preserving prior
wolfSSL wire values. All of these codepoints live under the
experimental 0xFExx range and will change once FN-DSA gets an official
IANA allocation.
diff --git a/src/tls13.c b/src/tls13.c
@@ -8426,9 +8426,10 @@ static WC_INLINE void EncodeSigAlg(const WOLFSSL * ssl, byte hashAlgo,
 #define HYBRID_RSA3072_DILITHIUM_LEVEL2_SA_MINOR 0xA2
 #define HYBRID_P384_DILITHIUM_LEVEL3_SA_MINOR    0xA4
 #define HYBRID_P521_DILITHIUM_LEVEL5_SA_MINOR    0xA6
-#define HYBRID_P256_FALCON_LEVEL1_SA_MINOR       0xAF
-#define HYBRID_RSA3072_FALCON_LEVEL1_SA_MINOR    0xB0
-#define HYBRID_P521_FALCON_LEVEL5_SA_MINOR       0xB2
+/* Falcon hybrid codepoints aligned with oqs-provider. */
+#define HYBRID_P256_FALCON_LEVEL1_SA_MINOR       0xD8
+#define HYBRID_RSA3072_FALCON_LEVEL1_SA_MINOR    0xD9
+#define HYBRID_P521_FALCON_LEVEL5_SA_MINOR       0xDB
 
 /* Custom defined ones for PQC first */
 #define HYBRID_DILITHIUM_LEVEL2_P256_SA_MINOR    0xD1
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
@@ -1765,11 +1765,14 @@ enum Misc {
     FALCON_SA_MAJOR     = 0xFE,/* Most significant byte used with falcon sig algs */
     DILITHIUM_SA_MAJOR  = 0x09,/* Most significant byte used with dilithium sig algs */
 
-    /* These values for falcon match what OQS has defined. */
+    /* Falcon TLS SignatureAlgorithm codepoints; aligned with the values
+     * oqs-provider registers (0xFED7 and 0xFEDA). All Falcon-related TLS
+     * codepoints live under the experimental 0xFExx range reserved for
+     * OQS until FN-DSA gets an official IANA allocation. */
     FALCON_LEVEL1_SA_MAJOR = 0xFE,
-    FALCON_LEVEL1_SA_MINOR = 0xAE,
+    FALCON_LEVEL1_SA_MINOR = 0xD7,
     FALCON_LEVEL5_SA_MAJOR = 0xFE,
-    FALCON_LEVEL5_SA_MINOR = 0xB1,
+    FALCON_LEVEL5_SA_MINOR = 0xDA,
 
     /* these values for MLDSA (Dilithium) correspond to what is proposed in the
      * IETF. */
