Help Needed: wolfSSL Build Issue with Latest Version and Runtime Error with Dilithium Certificates

[SanzidaH]

Version

6af54d3

Description

I am stuck on the following issues with wolfSSL, and I would greatly appreciate any guidance or suggestions to resolve them.

1. Runtime Issue with an Older wolfSSL Version: With an earlier version of wolfSSL that successfully installed few days ago, I face a runtime error when using Dilithium-based certificates (i.e. dilithium2) generated using liboqs library.

wolfSSL Entering GetAlgoId
Unknown or not compiled in key OID
Decode to key failed
wolfSSL Leaving ProcessBuffer, return -463
wolfSSL error: can't load server cert file, check file and run from wolfSSL home dir

It seems wolfSSL does not recognize the OID for dilithium2.
For configure this is what I run: ./configure --enable-certreq --enable-certgen --enable-certext --enable-keygen --enable-cryptocb --with-liboqs --disable-psk --disable-shared --enable-intelasm --enable-aesni --enable-sp-math-all --enable-sp-asm --enable-experimental --enable-kyber CFLAGS="-Os"

2. Build Issue with Latest wolfSSL: When building the latest wolfSSL version, I get the following error -

./wolfssl/wolfcrypt/dilithium.h:515:39: error: ‘OQS_SIG_ml_dsa_87_ipd_length_public_key’ undeclared here (not in a function); did you mean ‘OQS_SIG_ml_dsa_87_length_public_key’?
515 | #define DILITHIUM_LEVEL5_PUB_KEY_SIZE OQS_SIG_ml_dsa_87_ipd_length_public_key
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./wolfssl/wolfcrypt/dilithium.h:515:39: note: in definition of macro ‘DILITHIUM_LEVEL5_PUB_KEY_SIZE’
515 | #define DILITHIUM_LEVEL5_PUB_KEY_SIZE OQS_SIG_ml_dsa_87_ipd_length_public_key
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./wolfssl/wolfcrypt/dilithium.h:596:12: note: in expansion of macro ‘DILITHIUM_MAX_PUB_KEY_SIZE’
596 | byte p[DILITHIUM_MAX_PUB_KEY_SIZE];
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
./wolfssl/wolfcrypt/dilithium.h:513:39: error: ‘OQS_SIG_ml_dsa_87_ipd_length_secret_key’ undeclared here (not in a function); did you mean ‘OQS_SIG_ml_dsa_87_length_secret_key’?
513 | #define DILITHIUM_LEVEL5_KEY_SIZE OQS_SIG_ml_dsa_87_ipd_length_secret_key
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./wolfssl/wolfcrypt/dilithium.h:513:39: note: in definition of macro ‘DILITHIUM_LEVEL5_KEY_SIZE’
513 | #define DILITHIUM_LEVEL5_KEY_SIZE OQS_SIG_ml_dsa_87_ipd_length_secret_key
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./wolfssl/wolfcrypt/dilithium.h:597:12: note: in expansion of macro ‘DILITHIUM_MAX_KEY_SIZE’
597 | byte k[DILITHIUM_MAX_KEY_SIZE];
| ^~~~~~~~~~~~~~~~~~~~~~
make[2]: *** [Makefile:7294: wolfcrypt/src/src_libwolfssl_la-sha.lo] Error 1
make[2]: *** Waiting for unfinished jobs....
In file included from ./wolfssl/wolfcrypt/cryptocb.h:83,
from wolfcrypt/src/aes.c:63:
./wolfssl/wolfcrypt/dilithium.h:515:39: error: ‘OQS_SIG_ml_dsa_87_ipd_length_public_key’ undeclared here (not in a function); did you mean ‘OQS_SIG_ml_dsa_87_length_public_key’?
515 | #define DILITHIUM_LEVEL5_PUB_KEY_SIZE OQS_SIG_ml_dsa_87_ipd_length_public_key
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./wolfssl/wolfcrypt/dilithium.h:515:39: note: in definition of macro ‘DILITHIUM_LEVEL5_PUB_KEY_SIZE’
515 | #define DILITHIUM_LEVEL5_PUB_KEY_SIZE OQS_SIG_ml_dsa_87_ipd_length_public_key
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./wolfssl/wolfcrypt/dilithium.h:596:12: note: in expansion of macro ‘DILITHIUM_MAX_PUB_KEY_SIZE’
596 | byte p[DILITHIUM_MAX_PUB_KEY_SIZE];
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
./wolfssl/wolfcrypt/dilithium.h:513:39: error: ‘OQS_SIG_ml_dsa_87_ipd_length_secret_key’ undeclared here (not in a function); did you mean ‘OQS_SIG_ml_dsa_87_length_secret_key’?
513 | #define DILITHIUM_LEVEL5_KEY_SIZE OQS_SIG_ml_dsa_87_ipd_length_secret_key
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./wolfssl/wolfcrypt/dilithium.h:513:39: note: in definition of macro ‘DILITHIUM_LEVEL5_KEY_SIZE’
513 | #define DILITHIUM_LEVEL5_KEY_SIZE OQS_SIG_ml_dsa_87_ipd_length_secret_key
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./wolfssl/wolfcrypt/dilithium.h:597:12: note: in expansion of macro ‘DILITHIUM_MAX_KEY_SIZE’
597 | byte k[DILITHIUM_MAX_KEY_SIZE];
| ^~~~~~~~~~~~~~~~~~~~~~
make[2]: *** [Makefile:7280: wolfcrypt/src/src_libwolfssl_la-aes.lo] Error 1
make[2]: Leaving directory '/home/sanzida-pqc/osp/oqs/wolfssl'
make[1]: *** [Makefile:9027: install-recursive] Error 1
make[1]: Leaving directory '/home/sanzida-pqc/osp/oqs/wolfssl'
make: *** [Makefile:9502: install] Error 2

It seems that some macros, such as OQS_SIG_ml_dsa_87_ipd_length_public_key, are undefined. Is this a compatibility issue between liboqs and wolfSSL, or am I missing some configuration steps?

I will really appreciate any suggestion/guidance to resolve these issues.

[SanzidaH]

Second one got resolved as I updated liboqs to 0.10.0. I will really appreciate any suggestion for first one. Please let me know if any additional info is required.

[anhu]

Hello @SanzidaH
Thank you for your interest in our post-quantum implementations in wolfSSL! Note that we currently support both MLDSA and Dilithium. This particular snippet from asn.c might be of interest to you:

#ifdef HAVE_DILITHIUM
#ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT
    /* Dilithium Level 2: 1.3.6.1.4.1.2.267.12.4.4 */
    static const byte keyDilithium_Level2Oid[] =
        {43, 6, 1, 4, 1, 2, 130, 11, 12, 4, 4};

    /* Dilithium Level 3: 1.3.6.1.4.1.2.267.12.6.5 */
    static const byte keyDilithium_Level3Oid[] =
        {43, 6, 1, 4, 1, 2, 130, 11, 12, 6, 5};

    /* Dilithium Level 5: 1.3.6.1.4.1.2.267.12.8.7 */
    static const byte keyDilithium_Level5Oid[] =
        {43, 6, 1, 4, 1, 2, 130, 11, 12, 8, 7};
#endif

    /* ML-DSA Level 2: 2.16.840.1.101.3.4.3.17 */
    static const byte keyMlDsa_Level2Oid[] =
        {96, 134, 72, 1, 101, 3, 4, 3, 17};

    /* ML-DSA Level 3: 2.16.840.1.101.3.4.3.18 */
    static const byte keyMlDsa_Level3Oid[] =
        {96, 134, 72, 1, 101, 3, 4, 3, 18};

    /* ML-DSA Level 5: 2.16.840.1.101.3.4.3.19 */
    static const byte keyMlDsa_Level5Oid[] =
        {96, 134, 72, 1, 101, 3, 4, 3, 19};
#endif /* HAVE_DILITHIUM */

can you please try using --enable-dilithium=fips204-draft and let us know if that helps?

Warm regards, Anthony

[anhu]

Here at wolfSSL we love learning about how the academic community is using our source code. Can you please tells more about yourself and your project?

• where are you located?
• what are the goals of your project?
• will there be a paper published based on your work on this project?
• is there a specific institution and/or professor associated to this project?
• any other relevant information you'd like to share.

If you are hesitant to share this information on a public platform, you can send me email at [email protected].

Warm regards, Anthony

[fj-blanco]

I'm encountering similar issues (problem 2). While I can compile wolfSSL v5.7.0-stable with liboqs 0.12.0, this wolfSSL version yields problems with Dilithium 2 and Dilithium 3 certificates in my libcoap application (the problem relates to keyType being set to dilithium_level5_sa_algo in line 7937 of src/ssl.c). This issue doesn't occur with wolfSSL's example server and client. So I cannot use this version for my research. I see this part of the code has changed since v5.7.2-stable so the fix is no longer required, but I don't know which target liboqs version works with this version of wolfSSL.