Help Needed: wolfSSL Build Issue with Latest Version and Runtime Error with Dilithium Certificates #8239

Open
SanzidaH opened this issue Nov 29, 2024 · 5 comments
@SanzidaH

Version

6af54d3

Description

I am stuck on the following issues with wolfSSL, and I would greatly appreciate any guidance or suggestions to resolve them.

  1. Runtime Issue with an Older wolfSSL Version: With an earlier version of wolfSSL that successfully installed a few days ago, I face a runtime error when using Dilithium-based certificates (i.e. dilithium2) generated using the liboqs library.

wolfSSL Entering GetAlgoId
Unknown or not compiled in key OID
Decode to key failed
wolfSSL Leaving ProcessBuffer, return -463
wolfSSL error: can't load server cert file, check file and run from wolfSSL home dir

It seems wolfSSL does not recognize the OID for dilithium2.
For configure this is what I run: ./configure --enable-certreq --enable-certgen --enable-certext --enable-keygen --enable-cryptocb --with-liboqs --disable-psk --disable-shared --enable-intelasm --enable-aesni --enable-sp-math-all --enable-sp-asm --enable-experimental --enable-kyber CFLAGS="-Os"

  2. Build Issue with Latest wolfSSL: When building the latest wolfSSL version, I get the following error -

./wolfssl/wolfcrypt/dilithium.h:515:39: error: ‘OQS_SIG_ml_dsa_87_ipd_length_public_key’ undeclared here (not in a function); did you mean ‘OQS_SIG_ml_dsa_87_length_public_key’?
515 | #define DILITHIUM_LEVEL5_PUB_KEY_SIZE OQS_SIG_ml_dsa_87_ipd_length_public_key
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./wolfssl/wolfcrypt/dilithium.h:515:39: note: in definition of macro ‘DILITHIUM_LEVEL5_PUB_KEY_SIZE’
515 | #define DILITHIUM_LEVEL5_PUB_KEY_SIZE OQS_SIG_ml_dsa_87_ipd_length_public_key
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./wolfssl/wolfcrypt/dilithium.h:596:12: note: in expansion of macro ‘DILITHIUM_MAX_PUB_KEY_SIZE’
596 | byte p[DILITHIUM_MAX_PUB_KEY_SIZE];
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
./wolfssl/wolfcrypt/dilithium.h:513:39: error: ‘OQS_SIG_ml_dsa_87_ipd_length_secret_key’ undeclared here (not in a function); did you mean ‘OQS_SIG_ml_dsa_87_length_secret_key’?
513 | #define DILITHIUM_LEVEL5_KEY_SIZE OQS_SIG_ml_dsa_87_ipd_length_secret_key
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./wolfssl/wolfcrypt/dilithium.h:513:39: note: in definition of macro ‘DILITHIUM_LEVEL5_KEY_SIZE’
513 | #define DILITHIUM_LEVEL5_KEY_SIZE OQS_SIG_ml_dsa_87_ipd_length_secret_key
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./wolfssl/wolfcrypt/dilithium.h:597:12: note: in expansion of macro ‘DILITHIUM_MAX_KEY_SIZE’
597 | byte k[DILITHIUM_MAX_KEY_SIZE];
| ^~~~~~~~~~~~~~~~~~~~~~
make[2]: *** [Makefile:7294: wolfcrypt/src/src_libwolfssl_la-sha.lo] Error 1
make[2]: *** Waiting for unfinished jobs....
In file included from ./wolfssl/wolfcrypt/cryptocb.h:83,
from wolfcrypt/src/aes.c:63:
./wolfssl/wolfcrypt/dilithium.h:515:39: error: ‘OQS_SIG_ml_dsa_87_ipd_length_public_key’ undeclared here (not in a function); did you mean ‘OQS_SIG_ml_dsa_87_length_public_key’?
515 | #define DILITHIUM_LEVEL5_PUB_KEY_SIZE OQS_SIG_ml_dsa_87_ipd_length_public_key
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./wolfssl/wolfcrypt/dilithium.h:515:39: note: in definition of macro ‘DILITHIUM_LEVEL5_PUB_KEY_SIZE’
515 | #define DILITHIUM_LEVEL5_PUB_KEY_SIZE OQS_SIG_ml_dsa_87_ipd_length_public_key
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./wolfssl/wolfcrypt/dilithium.h:596:12: note: in expansion of macro ‘DILITHIUM_MAX_PUB_KEY_SIZE’
596 | byte p[DILITHIUM_MAX_PUB_KEY_SIZE];
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
./wolfssl/wolfcrypt/dilithium.h:513:39: error: ‘OQS_SIG_ml_dsa_87_ipd_length_secret_key’ undeclared here (not in a function); did you mean ‘OQS_SIG_ml_dsa_87_length_secret_key’?
513 | #define DILITHIUM_LEVEL5_KEY_SIZE OQS_SIG_ml_dsa_87_ipd_length_secret_key
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./wolfssl/wolfcrypt/dilithium.h:513:39: note: in definition of macro ‘DILITHIUM_LEVEL5_KEY_SIZE’
513 | #define DILITHIUM_LEVEL5_KEY_SIZE OQS_SIG_ml_dsa_87_ipd_length_secret_key
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./wolfssl/wolfcrypt/dilithium.h:597:12: note: in expansion of macro ‘DILITHIUM_MAX_KEY_SIZE’
597 | byte k[DILITHIUM_MAX_KEY_SIZE];
| ^~~~~~~~~~~~~~~~~~~~~~
make[2]: *** [Makefile:7280: wolfcrypt/src/src_libwolfssl_la-aes.lo] Error 1
make[2]: Leaving directory '/home/sanzida-pqc/osp/oqs/wolfssl'
make[1]: *** [Makefile:9027: install-recursive] Error 1
make[1]: Leaving directory '/home/sanzida-pqc/osp/oqs/wolfssl'
make: *** [Makefile:9502: install] Error 2

It seems that some macros, such as OQS_SIG_ml_dsa_87_ipd_length_public_key, are undefined. Is this a compatibility issue between liboqs and wolfSSL, or am I missing some configuration steps?

I will really appreciate any suggestion/guidance to resolve these issues.

@SanzidaH
Author

The second one got resolved as I updated liboqs to 0.10.0. I will really appreciate any suggestion for the first one. Please let me know if any additional info is required.

@anhu self-assigned this Nov 29, 2024
@anhu
Member

anhu commented Nov 29, 2024

Hello @SanzidaH
Thank you for your interest in our post-quantum implementations in wolfSSL! Note that we currently support both MLDSA and Dilithium. This particular snippet from asn.c might be of interest to you:

#ifdef HAVE_DILITHIUM
#ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT
    /* Dilithium Level 2: 1.3.6.1.4.1.2.267.12.4.4 */
    static const byte keyDilithium_Level2Oid[] =
        {43, 6, 1, 4, 1, 2, 130, 11, 12, 4, 4};

    /* Dilithium Level 3: 1.3.6.1.4.1.2.267.12.6.5 */
    static const byte keyDilithium_Level3Oid[] =
        {43, 6, 1, 4, 1, 2, 130, 11, 12, 6, 5};

    /* Dilithium Level 5: 1.3.6.1.4.1.2.267.12.8.7 */
    static const byte keyDilithium_Level5Oid[] =
        {43, 6, 1, 4, 1, 2, 130, 11, 12, 8, 7};
#endif

    /* ML-DSA Level 2: 2.16.840.1.101.3.4.3.17 */
    static const byte keyMlDsa_Level2Oid[] =
        {96, 134, 72, 1, 101, 3, 4, 3, 17};

    /* ML-DSA Level 3: 2.16.840.1.101.3.4.3.18 */
    static const byte keyMlDsa_Level3Oid[] =
        {96, 134, 72, 1, 101, 3, 4, 3, 18};

    /* ML-DSA Level 5: 2.16.840.1.101.3.4.3.19 */
    static const byte keyMlDsa_Level5Oid[] =
        {96, 134, 72, 1, 101, 3, 4, 3, 19};
#endif /* HAVE_DILITHIUM */

Can you please try using --enable-dilithium=fips204-draft and let us know if that helps?

Warm regards, Anthony
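
Added example, not part of the comment above and not wolfSSL code: the byte arrays in the asn.c snippet are the DER content octets of each key OID, so decoding the OID carried by a certificate's key shows whether it falls in the Dilithium draft group (compiled in only under WOLFSSL_DILITHIUM_FIPS204_DRAFT, per the snippet) or the ML-DSA group. The function names and return codes are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Decode DER OID content octets (no tag/length) into dotted text.
 * Returns the text length, or -1 on malformed input or a short buffer. */
int oid_to_dotted(const unsigned char *der, size_t len, char *out, size_t outSz)
{
    unsigned long arc = 0, x;
    size_t i, pos = 0;
    int n;
    if (len == 0 || outSz == 0 || (der[len - 1] & 0x80))
        return -1;                      /* empty, or last arc unterminated */
    for (i = 0; i < len; i++) {
        if ((arc == 0 && der[i] == 0x80) || arc > (~0UL >> 7))
            return -1;                  /* padded arc, or arc would overflow */
        arc = (arc << 7) | (der[i] & 0x7F);
        if (der[i] & 0x80) continue;    /* more base-128 digits follow */
        x = arc < 80 ? arc / 40 : 2;    /* first group packs 40*X + Y */
        n = pos == 0 ? snprintf(out, outSz, "%lu.%lu", x, arc - 40 * x)
                     : snprintf(out + pos, outSz - pos, ".%lu", arc);
        if (n < 0 || (size_t)n >= outSz - pos) return -1;
        pos += (size_t)n;
        arc = 0;
    }
    return (int)pos;
}

/* 1 = Dilithium draft OID, 2 = ML-DSA OID, 0 = neither. OID values are from
 * the asn.c comments quoted above; the return codes are this example's own. */
int classify_pq_sig_oid(const unsigned char *der, size_t len)
{
    static const char *const known[6] = {
        "1.3.6.1.4.1.2.267.12.4.4", "1.3.6.1.4.1.2.267.12.6.5",
        "1.3.6.1.4.1.2.267.12.8.7", "2.16.840.1.101.3.4.3.17",
        "2.16.840.1.101.3.4.3.18",  "2.16.840.1.101.3.4.3.19" };
    char s[64];
    int i;
    if (oid_to_dotted(der, len, s, sizeof s) < 0) return 0;
    for (i = 0; i < 6; i++)
        if (strcmp(s, known[i]) == 0) return i < 3 ? 1 : 2;
    return 0;
}

int main(void)
{
    /* Level 2 draft OID bytes, copied from the snippet above */
    const unsigned char d2[] = {43, 6, 1, 4, 1, 2, 130, 11, 12, 4, 4};
    printf("class=%d\n", classify_pq_sig_oid(d2, sizeof d2));
    return 0;
}
```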

@anhu
Member

anhu commented Nov 29, 2024

Here at wolfSSL we love learning about how the academic community is using our source code. Can you please tell us more about yourself and your project?

  • where are you located?
  • what are the goals of your project?
  • will there be a paper published based on your work on this project?
  • is there a specific institution and/or professor associated with this project?
  • any other relevant information you'd like to share.

If you are hesitant to share this information on a public platform, you can send me email at [email protected].

Warm regards, Anthony

@fj-blanco

fj-blanco commented Dec 19, 2024

I'm encountering similar issues (problem 2). While I can compile wolfSSL v5.7.0-stable with liboqs 0.12.0, this wolfSSL version yields problems with Dilithium 2 and Dilithium 3 certificates in my libcoap application (the problem relates to keyType being set to dilithium_level5_sa_algo in line 7937 of src/ssl.c). This issue doesn't occur with wolfSSL's example server and client. So I cannot use this version for my research. I see this part of the code has changed since v5.7.2-stable so the fix is no longer required, but I don't know which target liboqs version works with this version of wolfSSL.

@dasobral

dasobral commented Jan 17, 2025

Hello all. I am a colleague of @fj-blanco and we are actively working with his wolfSSL implementation into libcoap.

I've encountered and investigated the same issue to the extent I could grasp. These are my findings:

  1. The build error (problem 2) is due to a naming mismatch between wolfSSL and the latest liboqs version. The wolfSSL code is looking for identifiers with 'ipd' in their names (e.g., OQS_SIG_ml_dsa_87_ipd_length_public_key), but current liboqs uses names without 'ipd' (e.g., OQS_SIG_ml_dsa_87_length_public_key). They removed the IPD intermediate values recently (see this note).

  2. Removing 'ipd' from the macro definitions in wolfssl/wolfcrypt/dilithium.h and the '_ipd' ones from wolfcrypt/src/dilithium.c fixes this issue and building finishes normally. So, in principle, this reconciles the latest liboqs, oqs-provider and wolfSSL versions.

  3. The predefined benchmarks with ./wolfcrypt/benchmark/benchmark -pq complete successfully but do not show any Dilithium metric, just ML-DSA. On the other hand, the predefined test with ./build/wolfcrypt/test/testwolfcrypt fails when it reaches Dilithium:

ED448    test passed!
KYBER    test passed!
DILITHIUM test failed!
 error L=42200 code=-790 (unknown error number)
 [fiducial line numbers: 8773 27740 43402 55860]
Exiting main with return code: -1

The failing wolfcrypt test suggests there might be additional considerations needed beyond just updating the macro names, possibly related to test vectors or internal function mappings in the test script. This could be related to the ongoing transition in liboqs where Dilithium implementations are being consolidated under ML-DSA names. What is not entirely clear to me is whether wolfSSL maps only to ML-DSA or whether there is also a way to access the old Dilithium (both are still available through the provider).
