wolfProvider is a library that can be used as a Provider in OpenSSL.
wolfProvider supports all release versions of OpenSSL 3.x.
wolfProvider can be configured to replace OpenSSL's default provider, making wolfSSL's cryptographic implementations the default for all OpenSSL operations. This ensures applications use wolfSSL crypto without code changes. See the Integration Guide for details.
Information on how to configure, build, and test wolfProvider can be found here:
- wolfProvider FIPS Integration Guide - FIPS baseline and production builds
- wolfProvider Integration Guide - General integration and replace-default mode
- MD5
- SHA-1
- SHA-2: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256
- SHA-3: SHA3-224, SHA3-256, SHA3-384, SHA3-512
- SHAKE-256
- AES (128, 192, 256-bit keys)
- ECB, CBC, CTR, CFB, CTS
- GCM, CCM (AEAD)
- Key Wrap
- 3DES-CBC
- HMAC
- CMAC
- GMAC
- HKDF
- PBKDF2
- PKCS12 KDF
- TLS 1.3 KDF
- TLS1 PRF
- KBKDF
- KRB5 KDF
- SSHKDF
- CTR-DRBG
- Hash-DRBG
- Signing, Verification (PKCS#1 v1.5, PSS)
- Encryption, Decryption
- Key generation
- Key exchange
- Key generation
- ECDSA (signing, verification)
- ECDH (key exchange)
- Key generation
- Curves: P-192, P-224, P-256, P-384, P-521
- X25519, X448 (key exchange)
- Ed25519, Ed448 (signatures)
PQC is opt-in and requires wolfSSL master/v5.9.2-stable+ and OpenSSL 3.6+.
- With the script: ./scripts/build-wolfprovider.sh --enable-pqc (or --enable-mlkem / --enable-mldsa for one only)
- Building wolfProvider directly: ./configure --enable-pqc (or --enable-mlkem / --enable-mldsa); build wolfSSL with the matching --enable-mlkem / --enable-mldsa and link against OpenSSL 3.6+
Without an enable flag no PQC code is compiled, regardless of what wolfSSL enables.
- ML-KEM (FIPS 203): ML-KEM-512, ML-KEM-768, ML-KEM-1024 (key encapsulation)
- ML-DSA (FIPS 204): ML-DSA-44, ML-DSA-65, ML-DSA-87 (signatures, pure mode with empty context per FIPS 204 sec 5.2)
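
A post-build check for the PQC flags above, as an added example that is not part of the wolfProvider documentation: it reads `openssl list` output and reports whether each ML-KEM / ML-DSA parameter set is served by wolfProvider, by another provider, or not at all. The provider name `libwolfprov` and the sample listing are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not wolfProvider code): which provider serves each PQC algorithm?
# Assumption: wolfProvider is listed as "libwolfprov"; override with WOLFPROV_NAME.
WOLFPROV_NAME="${WOLFPROV_NAME:-libwolfprov}"

# Constructed sample in the "{ names } @ provider" layout of `openssl list`:
# a build where only ML-KEM was enabled in wolfProvider.
sample_listing() {
cat <<'EOF'
  { 2.16.840.1.101.3.4.4.1, id-alg-ml-kem-512, ML-KEM-512, MLKEM512 } @ libwolfprov
  { 2.16.840.1.101.3.4.4.2, id-alg-ml-kem-768, ML-KEM-768, MLKEM768 } @ libwolfprov
  { 2.16.840.1.101.3.4.4.3, id-alg-ml-kem-1024, ML-KEM-1024, MLKEM1024 } @ libwolfprov
  { 2.16.840.1.101.3.4.3.17, id-ml-dsa-44, ML-DSA-44, MLDSA44 } @ default
  { 2.16.840.1.101.3.4.3.18, id-ml-dsa-65, ML-DSA-65, MLDSA65 } @ default
EOF
}

# Reads a listing on stdin; prints OK / OTHER / MISSING per algorithm.
# Returns non-zero if any algorithm is not served by wolfProvider.
audit_pqc() {
    awk -v prov="$WOLFPROV_NAME" '
    BEGIN {
        n = split("ML-KEM-512 ML-KEM-768 ML-KEM-1024 ML-DSA-44 ML-DSA-65 ML-DSA-87", want, " ")
    }
    / @ / {
        at = index($0, " @ ")
        names = substr($0, 1, at - 1)        # alias list, possibly in braces
        owner = substr($0, at + 3)           # provider name after the "@"
        gsub(/[{} \t]/, "", names)
        gsub(/[ \t\r]/, "", owner)
        m = split(names, alias, ",")
        for (i = 1; i <= m; i++)
            for (j = 1; j <= n; j++)
                if (alias[i] == want[j]) served[want[j]] = served[want[j]] " " owner
    }
    END {
        bad = 0
        for (j = 1; j <= n; j++) {
            a = want[j]
            if (!(a in served))                          { print "MISSING " a; bad = 1 }
            else if (index(served[a] " ", " " prov " ")) { print "OK " a }
            else                                         { print "OTHER " a served[a]; bad = 1 }
        }
        exit bad
    }'
}

# Real build: openssl list -kem-algorithms -signature-algorithms | audit_pqc
sample_listing | audit_pqc || echo "PQC not fully served by $WOLFPROV_NAME"
```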