feat: add wolfssl git submodule; update for new wolfSSL API

- Add wolfssl-src/wolfssl as a git submodule (github.com/wolfSSL/wolfssl
  @ 0c9b639) so vendored builds work out-of-the-box after
  `git submodule update --init`, with no WOLFSSL_SRC required
- Add submodule fallback (step 3) in resolve_source_dir; skip empty
  WOLFSSL_SRC so callers can unset it without triggering a panic
- Add include = [...] to wolfssl-src/Cargo.toml so cargo publish
  captures the submodule tree
- Add WOLFSSL_TLS13 to user_settings.h (required by wolfcrypt-tls)
- Update wolfcrypt-wrapper Dilithium calls to new wolfSSL API:
  wc_dilithium_{sign,verify}_msg → wc_dilithium_{sign,verify}_ctx_msg
  (upstream added context-string params per FIPS 204 final)
- Point .cargo/config.toml at wolfssl-repo-install / wolfssl-repo

Author: MarkAtwood

.cargo/config.toml

@@ -19,11 +19,11 @@ rustflags = ["-C", "link-arg=-Tmemory.x", "-C", "link-arg=-Tlink.x"]
 # Use the local wolfssl build that has HAVE_DILITHIUM and WOLF_CRYPTO_CB enabled.
 # Built from ~/wolfssl with -DWOLFSSL_CRYPTOCB=yes -DWOLFSSL_DILITHIUM=yes.
 # Overrides the system pkg-config installation at /usr/local (which lacks these flags).
-WOLFSSL_DIR = "/home/mark/wolfssl-install"
+WOLFSSL_DIR = "/home/mark/wolfssl-rs/wolfssl-repo-install"
 # wolfSSL source tree for the vendored build (cryptocb-only / riscv-bare-metal features).
 # When those features are active, wolfcrypt-sys bypasses WOLFSSL_DIR and compiles
 # wolfSSL from source via wolfssl-src using this path.
-WOLFSSL_SRC = "/home/mark/wolfssl"
+WOLFSSL_SRC = "/home/mark/wolfssl-rs/wolfssl-repo"
 # riscv32 C cross-compiler via zig cc.
 # Used by the cc crate when compiling wolfssl-src for the riscv32imc-unknown-none-elf target.
 CC_riscv32imc_unknown_none_elf = { value = ".cargo/riscv32-cc", relative = true }
@@ -35,4 +35,4 @@ CC_riscv32imc_unknown_none_elf = { value = ".cargo/riscv32-cc", relative = true
 # cache entry for /usr/local/lib wins.
 # --disable-new-dtags is required: modern binutils defaults to DT_RUNPATH which loses
 # to the ldconfig cache, while DT_RPATH takes priority before everything.
-rustflags = ["-C", "link-arg=-Wl,--disable-new-dtags,-rpath,/home/mark/wolfssl-install/lib"]
+rustflags = ["-C", "link-arg=-Wl,--disable-new-dtags,-rpath,/home/mark/wolfssl-rs/wolfssl-repo-install/lib"]

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "wolfssl-src/wolfssl"]
+	path = wolfssl-src/wolfssl
+	url = https://github.com/wolfSSL/wolfssl.git

wolfcrypt-wrapper/src/dilithium.rs

@@ -867,7 +867,8 @@ impl Dilithium {
         let msg_len = msg.len() as u32;
         let mut sig_len = sig.len() as u32;
         let rc = unsafe {
-            sys::wc_dilithium_sign_msg(
+            sys::wc_dilithium_sign_ctx_msg(
+                core::ptr::null(), 0,
                 msg.as_ptr(), msg_len,
                 sig.as_mut_ptr(), &mut sig_len,
                 &mut self.ws_key,
@@ -1038,7 +1039,8 @@ impl Dilithium {
         let msg_len = msg.len() as u32;
         let mut sig_len = sig.len() as u32;
         let rc = unsafe {
-            sys::wc_dilithium_sign_msg_with_seed(
+            sys::wc_dilithium_sign_ctx_msg_with_seed(
+                core::ptr::null(), 0,
                 msg.as_ptr(), msg_len,
                 sig.as_mut_ptr(), &mut sig_len,
                 &mut self.ws_key,
@@ -1184,8 +1186,9 @@ impl Dilithium {
         let msg_len = msg.len() as u32;
         let mut res = 0i32;
         let rc = unsafe {
-            sys::wc_dilithium_verify_msg(
+            sys::wc_dilithium_verify_ctx_msg(
                 sig.as_ptr(), sig_len,
+                core::ptr::null(), 0,
                 msg.as_ptr(), msg_len,
                 &mut res,
                 &mut self.ws_key,

wolfssl-src/Cargo.toml

@@ -10,6 +10,15 @@ repository = "https://github.com/wolfSSL/wolfssl-rs"
 readme = "README.md"
 keywords = ["wolfcrypt", "wolfssl", "fips", "cryptography"]
 categories = ["cryptography"]
+include = [
+    "src/**",
+    "patches/**",
+    "wolfssl/**",
+    "user_settings*.h",
+    "riscv_bare_metal_helpers.c",
+    "README.md",
+    "Cargo.toml",
+]
 
 [features]
 default = []

wolfssl-src/src/lib.rs

@@ -16,7 +16,8 @@
 //! The builder discovers wolfSSL sources in order:
 //! 1. `source_dir()` programmatic override
 //! 2. `WOLFSSL_SRC` environment variable
-//! 3. `pkg-config` (looks for a `wolfssl` package whose prefix contains source files)
+//! 3. Bundled submodule at `wolfssl-src/wolfssl/` (present after `git submodule update --init`)
+//! 4. `pkg-config` (looks for a `wolfssl` package whose prefix contains source files)
 
 use std::collections::HashSet;
 use std::env;
@@ -52,7 +53,7 @@ impl Build {
     }
 
     /// Set the path to the wolfSSL source tree.
-    /// If not set, defaults to `WOLFSSL_SRC` env var, then `pkg-config`.
+    /// If not set, defaults to `WOLFSSL_SRC` env var, then the bundled submodule, then `pkg-config`.
     pub fn source_dir(&mut self, dir: PathBuf) -> &mut Self {
         self.source_dir = Some(dir);
         self
@@ -227,23 +228,31 @@ impl Build {
 
         // 2. WOLFSSL_SRC env var
         if let Ok(dir) = env::var("WOLFSSL_SRC") {
-            let path = PathBuf::from(&dir);
-            if !path.exists() {
-                panic!("WOLFSSL_SRC={dir} does not exist");
+            if !dir.is_empty() {
+                let path = PathBuf::from(&dir);
+                if !path.exists() {
+                    panic!("WOLFSSL_SRC={dir} does not exist");
+                }
+                return path;
             }
-            return path;
         }
 
-        // 3. pkg-config
+        // 3. Bundled submodule (wolfssl-src/wolfssl/ inside this crate)
+        let bundled = PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("wolfssl");
+        if bundled.join("wolfcrypt/src").exists() {
+            return bundled;
+        }
+
+        // 4. pkg-config
         if let Some(dir) = Self::find_via_pkg_config() {
             return dir;
         }
 
         panic!(
             "wolfSSL source not found. Either:\n  \
+             - Run: git submodule update --init\n  \
              - Set WOLFSSL_SRC to the path of your wolfssl checkout\n  \
-             - Install wolfssl-dev so that pkg-config can find it\n  \
-             - Clone it: git clone https://github.com/wolfSSL/wolfssl.git"
+             - Install wolfssl-dev so that pkg-config can find it"
         );
     }
 

wolfssl-src/user_settings.h

@@ -109,6 +109,9 @@
  * instead of RSA_BUFFER_E. Required for Wycheproof OAEP zero-length test vectors. */
 #define WOLFSSL_RSA_DECRYPT_TO_0_LEN
 
+/* TLS 1.3 */
+#define WOLFSSL_TLS13
+
 /* TLS extensions and SNI — required by OPENSSL_ALL for struct layout
  * in ssl.c even though we don't compile the TLS protocol files. */
 #define HAVE_TLS_EXTENSIONS