wolfProvider is designed for customers who want FIPS-validated cryptography but are already invested in using OpenSSL. The provider delivers drop-in replacements for cryptographic algorithms used by OpenSSL, leveraging the wolfCrypt engine underneath, which is FIPS 140-3 certified.

New Cryptographic Features
This release introduces several important cryptographic capabilities:

• KBKDF (Key-Based Key Derivation Function): Implementation of NIST SP 800-108 key derivation for secure key generation from existing key material.

• KRB5KDF (Kerberos 5 Key Derivation Function): Support for Kerberos cryptographic operations, enabling enterprise authentication scenarios.

• AES-CTS (Ciphertext Stealing): Additional AES cipher mode for applications requiring specific padding behavior.

• RSA No-Padding Operations: Raw RSA encrypt/decrypt operations for applications with custom padding schemes.

Replace-Default Provider Mode
A groundbreaking feature in this release is the ability to replace OpenSSL’s default provider entirely with wolfProvider. This mode makes wolfProvider the primary cryptographic implementation system-wide, allowing existing OpenSSL applications to transparently use wolfSSL’s FIPS-validated cryptography without any code modifications. This feature includes comprehensive testing to ensure the default swap works as expected across various scenarios.

Enhanced Testing and Quality Assurance
wolfProvider 1.1.0 significantly expands our integration testing with real-world open-source applications. We’ve added automated CI/CD workflows for over 40 popular applications, ensuring wolfProvider works seamlessly with:

Network Infrastructure: gRPC, OpenSSH, libssh2, OpenSC/PKCS11, OpenLDAP, IPMItool, Stunnel, socat, SSSD, net-snmp, liboauth2, tnftp, systemd, X11VNC, sscep, TPM2 tools, libcryptsetup, libtss2, KRB5, bind9, hostap
Development Tools: Python3 NTP, libeac, xmlsec, Qt5 Network, rsync, libwebsockets, tcpdump, cjose, iperf, libfido2, ppp, pam-pkcs11, kmod, libnice

This extensive testing demonstrates wolfProvider’s production-readiness and compatibility with the broader OpenSSL ecosystem.

Command-Line Integration
New command-line integration tests validate wolfProvider’s compatibility with OpenSSL command-line tools for AES, RSA, RSA-PSS, Hash, and ECC operations. This ensures that scripts and automation tools using OpenSSL commands work correctly with wolfProvider.

Debian Package Support
This release includes comprehensive Debian packaging support, making deployment on Debian-based systems straightforward. The packaging includes proper dependency management and integration with the system OpenSSL configurations.

Bug Fixes and Stability Improvements
wolfProvider 1.1.0 includes over 100 bug fixes addressing issues across all cryptographic operations:
AES Improvements: Fixed AES-GCM streaming bugs, authentication tag handling, IV management, and CBC consecutive call handling.
RSA Enhancements: Resolved RSA PSS decoding issues, key import edge cases, keygen retry logic, certificate display formatting, and parameter handling.
ECC Fixes: Corrected public key validation, parameter handling, private key operations, signing restrictions, and encoding issues.
DH Corrections: Fixed FIPS build compatibility, parameter handling, private key operations, and decoder registrations.
General Stability: Improved locking around signature operations, NULL reinit handling, core libctx management, and OpenSSL patching detection.

Looking Forward
wolfProvider 1.1.0 represents a major step forward in providing FIPS-validated cryptography to the OpenSSL ecosystem. The extensive integration testing, new cryptographic features, and replace-default mode make this release suitable for production deployment in enterprise environments requiring FIPS compliance.

Refer to the README.md found in the release for usage instructions. We also maintain a ChangeLog.md for a complete list of changes in each release.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now