NIST standardized the pre-standardization Dilithium signature scheme as ML-DSA in FIPS 204. Migrate the provider's user-visible surface to canonical spellings, with a temporary shim that preserves source-level backward compatibility for existing consumers.

Renames
-------
* File: wolfcrypt/src/dilithium.c -> wolfcrypt/src/wc_mldsa.c
* New canonical header: wolfssl/wolfcrypt/wc_mldsa.h
* Types: dilithium_key -> MlDsaKey, wc_dilithium_params -> MlDsaParams
* Functions: wc_dilithium_* / wc_Dilithium_* -> wc_MlDsaKey_*
* Build gates: HAVE_DILITHIUM -> WOLFSSL_HAVE_MLDSA, WOLFSSL_DILITHIUM_* / WC_DILITHIUM_* -> WOLFSSL_MLDSA_* / WC_MLDSA_*
* Configure flag: --enable-mldsa (legacy --enable-dilithium still works)
* CMake option: WOLFSSL_MLDSA (legacy WOLFSSL_DILITHIUM emits a DEPRECATION message)

Backward compatibility
----------------------
wolfssl/wolfcrypt/dilithium.h is now a temporary compatibility shim:
* Forward-translates legacy build gates to canonical (the two sub-gates read by certs_test.h are translated in settings.h so the auto-generated header is reachable without including dilithium.h; the remainder lives in dilithium.h itself).
* Reverse-translates canonical gates back to legacy so unmigrated consumer code keying off HAVE_DILITHIUM / WOLFSSL_DILITHIUM_* keeps compiling.
* Provides macro / static-inline aliases for the legacy type and function names so source-level callers compile unchanged. Sets WC_DILITHIUMKEY_TYPE_DEFINED to suppress strict-C99 typedef redefinition in asn_public.h.

Two opt-outs are honored: WOLFSSL_NO_DILITHIUM_LEGACY_GATES disables build-gate translation; WOLFSSL_NO_DILITHIUM_LEGACY_NAMES disables the symbol aliases. Both are temporary and the shim will be removed in a future release.

doc/dilithium-to-mldsa-migration.md describes the migration path for downstream consumers.

ABI note
--------
The library now exports wc_MlDsaKey_* instead of wc_dilithium_*. Pre-built binaries that linked against the legacy symbols need to recompile against the shim header (which resolves to the new symbols at compile time) or migrate to the canonical names directly. Source code keeps building unchanged.

Other changes
-------------
* wolfssl/wolfcrypt/memory.h: drop ML-DSA sub-gate branching for static memory pool sizing; WOLFSSL_HAVE_MLDSA builds now pick the larger LARGEST_MEM_BUCKET / WOLFMEM_BUCKETS / WOLFMEM_DIST unconditionally. Override these macros for small-mem builds.
* gencertbuf.pl + wolfssl/certs_test.h: outer guards migrated to the canonical WOLFSSL_HAVE_MLDSA spelling.
* tests/api/test_mldsa.c: adds compile-time API surface validators (canonical wc_MlDsaKey_* surface plus legacy alias surface) so signature drift produces a build error during make check.
* IDE files (Xcode, INTIME-RTOS, WIN10, VS2022, CSharp wrapper), Zephyr CMakeLists.txt, and autotools include.am updated for the rename.
* DYNAMIC_TYPE_DILITHIUM and ML_DSA_PCT_E retained as internal symbols; scheduled to be renamed alongside the eventual shim removal.
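The gate translation, name aliasing and compile-time surface validation described in the commit message above, condensed into one file as an added sketch (not wolfSSL's code). The struct body and the `wc_MlDsaKey_DemoSetLevel` / `wc_dilithium_demo_set_level` pair are hypothetical stand-ins; the gate and opt-out macro names are the ones the message lists.

```c
/* Build system sets only the canonical gate (as --enable-mldsa would). */
#define WOLFSSL_HAVE_MLDSA

/* Stand-in for the canonical header: simplified type, hypothetical function. */
typedef struct MlDsaKey { int level; } MlDsaKey;
static int wc_MlDsaKey_DemoSetLevel(MlDsaKey* key, int level)
{
    if (!key || level <= 0)
        return -1;
    key->level = level;
    return 0;
}

/* Stand-in for the shim header: gate translation, then name aliases. */
#ifndef WOLFSSL_NO_DILITHIUM_LEGACY_GATES
    #if defined(HAVE_DILITHIUM) && !defined(WOLFSSL_HAVE_MLDSA)
        #define WOLFSSL_HAVE_MLDSA   /* forward: legacy -> canonical */
    #endif
    #if defined(WOLFSSL_HAVE_MLDSA) && !defined(HAVE_DILITHIUM)
        #define HAVE_DILITHIUM       /* reverse: canonical -> legacy */
    #endif
#endif
#ifndef WOLFSSL_NO_DILITHIUM_LEGACY_NAMES
    #define dilithium_key MlDsaKey
    #define wc_dilithium_demo_set_level wc_MlDsaKey_DemoSetLevel
#endif

/* Surface validators: signature drift or a missing alias breaks the build. */
typedef int (*demo_set_level_fn)(MlDsaKey*, int);
static const demo_set_level_fn canonical_surface = wc_MlDsaKey_DemoSetLevel;
static const demo_set_level_fn legacy_surface = wc_dilithium_demo_set_level;

/* The legacy name is only a compile-time alias: both point at one symbol. */
int legacy_alias_is_canonical(void)
{
    return legacy_surface == canonical_surface;
}

/* Unmigrated consumer code, written against the legacy gate and names. */
int legacy_consumer(int level)
{
#ifdef HAVE_DILITHIUM
    dilithium_key key;
    return wc_dilithium_demo_set_level(&key, level) == 0 ? key.level : -1;
#else
    (void)level;
    return -2;   /* legacy gate not visible: feature compiled out */
#endif
}
```

Defining `WOLFSSL_NO_DILITHIUM_LEGACY_NAMES` at the top of this sketch makes the legacy validator and the consumer fail to compile. Defining `WOLFSSL_NO_DILITHIUM_LEGACY_GATES` instead leaves `HAVE_DILITHIUM` undefined, so the consumer's feature block is compiled out.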
wolfSSL and wolfCrypt Xcode Projects for OS X and iOS
This directory contains the following files:
- wolfssl.xcworkspace -- workspace with library and testsuite client
- wolfssl_testsuite.xcodeproj -- project to run the testsuite.
- wolfssl.xcodeproj -- project to build OS X and iOS libraries for wolfSSL and/or wolfCrypt
- wolfssl-FIPS.xcodeproj -- project to build wolfSSL and wolfCrypt-FIPS if available
- user_settings.h -- custom library settings, which are shared across projects

The library will output as `libwolfssl_osx.a` or `libwolfssl_ios.a` depending on the target. It will also copy the wolfSSL/wolfCrypt (and the CyaSSL/CtaoCrypt compatibility) headers into an `include` directory located in `Build/Products/Debug` or `Build/Products/Release`.

For the library and testsuite to link properly, the build location needs to be configured as relative to the workspace.
- File -> Workspace Settings (or Xcode -> Preferences -> Locations -> Locations)
- Derived Data -> Advanced
- Custom -> Relative to Workspace
- Products -> Build/Products
These Xcode projects define the WOLFSSL_USER_SETTINGS preprocessor macro
to enable the user_settings.h file for setting macros across
multiple projects.
If needed, the Xcode preprocessor macros can be modified with these steps:
- Click on the Project in "Project Navigator".
- Click on the "Build Settings" tab.
- Scroll down to the "Apple LLVM 6.0 - Preprocessing" section.
- Open the disclosure for "Preprocessor Macros" and use the "+" and "-" buttons to modify. Remember to do this for both Debug and Release.
wolfSSL
This project should build wolfSSL and wolfCrypt using the default settings.
wolfSSL-FIPS
To use the FIPS version, one must have the FIPS sources. The project won't build without them. Please contact info@wolfssl.com for more information about wolfCrypt with FIPS.
By default, this builds the wolfSSL and wolfCrypt with FIPS library. The default configuration enables the settings required for FIPS. Others may be turned on. The project also ensures the FIPS related objects are linked in the proper order.
Building libwolfssl.a
There are several build options. You can make a simulator build or a device build. Both are debug builds.
You can also make an archive for a device. That is a release build.
Known issues:
When building for older i386 architectures and using tfm.c, specific CFLAGS are required to expose the necessary registers for inline assembly in tfm.c. An example script, "build-for-i386.sh", has been provided; it targets the watchos by default. If using SDK iphonesimulator10.1 or older, you can change the SDK variable in that script; however, newer versions of the SDK no longer support i386 for iPhones.
Installing libwolfssl.a
Simply drag the file libwolfssl_XXX_.a and the directory include and drop them into
your project file list pane where it makes sense for you. Allow Xcode to copy the
files over to the project directory. This should automatically add the library
to the list of libraries to link against.
Click on your project target, then the "Build Phases" tab. On the targets list click your target. Click the disclosure triangle on the section "Link Binary With Libraries" and verify libwolfssl.a is in the list. If not, click the "+", and on the "Choose frameworks and libraries to add:" dialog, click the button "Add other..." then find the file libwolfssl.a.
Click on the "Build Settings" tab. Scroll down to the section "Search Paths". Add the path to the include directory to the list "Header Search Paths".
When using FIPS
When using the FIPS version, the following preprocessor macros need to be defined:
- IPHONE
- HAVE_FIPS
- HAVE_HASHDRBG
- HAVE_AESGCM
- WOLFSSL_SHA512
- WOLFSSL_SHA384
- NO_MD4
- NO_DSA
- NO_PWDBASED
The approved FIPS source files are from the CyaSSL project tag v3.4.8.fips. The files fips.c and fips_test.c, and the wolfCAVP test app are from the FIPS project tag v3.4.8a. The wolfSSL/wolfCrypt files are from tag v3.4.8.
Using the FIPS library
The FIPS library contains a self-check verify hash. Normally, on the desktop or server build, the library is built as a dynamic library. The library looks the same to every application that builds against it, and can be verified. For static libraries, when linking into your application, the addresses are all fixed, and the verify checksum becomes unusable. iOS does not allow dynamic libraries like this, so static builds are required. This creates a problem. Every time the application is changed, the FIPS checksum will change, because the FIPS library's position in the executable may change.
You need to add something to your application that will output the verifyCore value to be used. The verifyCore in fips_test.c will need to be updated with this value, the library rebuilt, and relinked into your application. The application should not be changed during this process or the verifyCore check will fail again.