All modules
CMVP Validated Module · FIPS 140-3 Security Policy

wolfCrypt

Certificate#4718StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorwolfSSL Inc.
Medium review priority  ·  exposes network crypto parser/protocol  ·  wolfSSL upstream has published 86 CVEs since this module's initial validation  ·  last validated 6 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date7/10/2029
CaveatNo assurance of the minimum strength of generated SSPs (e.g., keys)
VendorwolfSSL Inc.

Approved Algorithms (41)

AlgorithmACVP Cert
AES-CBCA4308
AES-CCMA4308
AES-CMACA4308
AES-CTRA4308
AES-ECBA4308
AES-GCMA4308
AES-GMACA4308
AES-OFBA4308
DSA KeyGen (FIPS186-4)A4308
ECDSA KeyGen (FIPS186-4)A4308
ECDSA KeyVer (FIPS186-4)A4308
ECDSA SigGen (FIPS186-4)A4308
ECDSA SigVer (FIPS186-4)A4308
Hash DRBGA4308
HMAC-SHA-1A4308
HMAC-SHA2- 224A4308
HMAC-SHA2- 256A4308
HMAC-SHA2- 384A4308
HMAC-SHA2- 512A4308
HMAC-SHA3- 224A4308
HMAC-SHA3- 256A4308
HMAC-SHA3- 384A4308
HMAC-SHA3- 512A4308
KAS-ECC-SSC Sp800-56Ar3A4308
KAS-FFC-SSC Sp800-56Ar3A4308
KDF SSH (CVL)A4308
KDF TLS (CVL)A4308
RSA KeyGen (FIPS186-4)A4308
RSA SigGen (FIPS186-4)A4308
RSA SigVer (FIPS186-4)A4308
SHA-1A4308
SHA2-224A4308
SHA2-256A4308
SHA2-384A4308
SHA2-512A4308
SHA3-224A4308
SHA3-256A4308
SHA3-384A4308
SHA3-512A4308
TLS v1.2 KDF RFC7627 (CVL)A4308
TLS v1.3 KDF (CVL)A4308

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Physical Security7
Self-Tests1
Life-Cycle Assurance1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for wolfCrypt
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>UnAuth Block Cipher<br/>Self-test<br/>Show Status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>library named: wolfssl</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>linux<br/>kernel<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C3,C5,C6 clue;
  class I3,I5,I6 infer;
  class R3,R5,R6 risk;
  class E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for wolfCrypt
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>UnAuth Block Cipher<br/>Self-test<br/>Show Status</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>library named: wolfssl</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>linux<br/>kernel<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C3 clueHigh;
  class C5,C6 clueLow;

Security Policy, page by page

Page 1

wolfSSL Inc. wolfCrypt Document Version 1.6

5 Dec 2025
10016 Edmonds Way, Suite C-300

Edmonds, WA 98020 wolfSSL.com +1 425.245.8247 wolfSSL Inc. Public Material

Page 2
Table of Contents
#SectionPage
1– General5
1.1Overview5
1.2Security Levels5
1.3Additional Information5
2– Cryptographic Module Specification6
2.1Description6
2.2Tested and Vendor Affirmed Module Version and Identification7
2.3Excluded Components10
2.4Modes of Operation10
2.5Algorithms12
2.6Security Function Implementations15
2.7Algorithm Specific Information20
2.8RBG and Entropy21
2.9Key Generation21
2.10Key Establishment21
2.11Industry Protocols21
2.12Additional Information21
3Cryptographic Module Interfaces22
3.1Ports and Interfaces22
4Roles, Services, and Authentication22
4.1Authentication Methods22
4.2Roles22
4.3Approved Services22
4.4Non-Approved Services26
5Software/Firmware Security26
5.1Integrity Techniques26
5.2Initiate on Demand26
5.3Open-Source Parameters26
6Operational Environment26
6.1Operational Environment Type and Requirements26
6.2Configuration Settings and Restrictions27
6.3Additional Information27
7Physical Security27
7.1Mechanisms and Actions Required27
7.5EFP/EFT Information27
7.6Hardness Testing Temperature Ranges27
8Non-Invasive Security27
9Sensitive Security Parameters Management27
9.1Storage Areas27
9.2SSP Input-Output Methods28
9.3SSP Zeroization Methods28
9.4SSPs28
10Self-Tests34
10.1Pre-Operational Self-Tests34
10.2Conditional Self-Tests35
10.3Periodic Self-Test Information40
10.4Error States41
10.5Operator Initiation of Self-Tests43
11Life-Cycle Assurance43
11.1Installation, Initialization, and Startup Procedures43
11.2Administrator Guidance45
11.3Non-Administrator Guidance45
11.7Additional Information45
12Mitigation of Other Attacks45
Page 3

wolfSSL Inc. Public Material

Page 4
List of Tables
ItemPage
Table 1: Security Levels5
Table 2: Legend of Terms and references that appear in this document6
Table 3: Source Files7
Table 4: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)8
Table 5: Tested Operational Environments - Software, Firmware, Hybrid10
Table 6: Modes List and Description11
Table 7: Approved Algorithms14
Table 8: Vendor-Affirmed Algorithms15
Table 9: Security Function Implementations20
Table 10: Ports and Interfaces22
Table 11: Roles22
Table 12: Approved Services25
Table 13: Storage Areas28
Table 14: SSP Input-Output Methods28
Table 15: SSP Zeroization Methods28
Table 16: SSP Table 133
Table 17: SSP Table 234
Table 18: Pre-Operational Self-Tests35
Table 19: Conditional Self-Tests39
Table 20: Pre-Operational Periodic Information40
Table 21: Conditional Periodic Information40
Table 22: Periodic Method Descriptions41
Table 23: Error States42
Figure 1: Module Block Diagram7
Figure 2: Code Sample A45
Page 5
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication1
55Software/Firmware security1
66Operational environment1
77Physical securityN/A
88Non-invasive securityN/A
99Sensitive security parameter management1
1010Self-tests1
1111Life-cycle assurance1
1212Mitigation of other attacksN/A
Overall LevelOverall Level1
Term/RefDescription
[140-3]FIPS 140-3, Security Requirements for Cryptographic Modules
[OE]The “Operating Environment”
[186-4]FIPS 186-4, Digital Signature Standard (DSS)
[90Arev1]NIST SP 800-90A Rev. 1, Recommendation for Random Number Generation Using Deterministic Random Bit Generators
[56Arev3]NIST SP 800-56A Rev. 3, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography
[56Crev2]NIST SP 800-56C Rev. 2, Recommendation for Key- Derivation Methods in Key-Establishment Schemes
[135rev1]NIST SP 800-135 Rev. 1, Recommendation for Existing Application-Specific Key Derivation Functions
1.1 Overview

This document defines the Security Policy for wolfSSL Inc. wolfCrypt cryptographic module, security levels as described in section 1.2 below.

1.2 Security Levels
1.3 Additional Information

In accordance with AS02.05, [ISO19790] §7.7 Physical Security is optional and does not apply wolfSSL Inc. Public Material

Page 6
Term/RefDescription
[140Drev2]NIST SP 800-140D revision 2, CMVP Approved Sensitive Parameter Generation and Establishment Methods: CMVP Validation Authority Updates to ISO/IEC 24759
[UG]wolfCrypt FIPS 140-3 User Guide (sometimes referred to as the “Cryptographic Officer Guidance Manual” in documentation not produced by this vendor)
[COGM]Cryptographic Officer Guidance Manual (Another term for [UG] recognized by some in the Industry. Same meaning as [UG]
[140-3 IG]FIPS 140-3, Implementation Guidance
[131Arev2]NIST SP 800-131A Rev. 2, Transitioning the Use of Cryptographic Algorithms and Key Lengths
[56Brev2]NIST SP 800-56B Rev. 2, Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography

Table 2: Legend of Terms and references that appear in this document

2 – Cryptographic Module Specification

TOEPP: The platform(s) used for testing are documented in Table 6: Tested Operational Environments - Software, Firmware, Hybrid. If the onboard CPU of a tested platform supported a known PAA [FIPS 140-3 IG 2.3.C] and was desirable for FIPS use, then in accordance with [FIPS 140-3 IG2.3.C] that platform was tested both with and without PAA unless an identical or similar platform had already been tested. When an identical or similar platform was already tested, the new platform was tested only with PAA. This is reflected by the column PAA/PAI in table 6 as marked with a Yes or No entry. The Intel and AMD AESNI (AES New Instructions) are known PAA(s). The Module is a cryptography software library. The Module is a Multi-Chip Stand Alone embodiment. The Module is intended for use by U.S. and Canadian Federal agencies in addition to any other markets that require FIPS 140-3 validated cryptographic functionality. The Module was originally designed with embedded and IoT in mind. As a side effect of this design, it also scales exceptionally well on larger desktop and server systems allowing more connections per box than similar competing solutions. The Module version under validation is Software Version v5.2.1. Module Type: Software Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: wolfSSL Inc. Public Material

Page 7
Service
NameDescriptionApproved Functions
aes_asm.sAES assembler optimizations (Linux)aes_asm.s
aes_asm.asmAES assembler optimizations (Windows 10)
cmac.cCMAC algorithmcmac.c
dh.cDiffie-Hellman
ecc.cElliptic curve cryptographyecc.c
fips.cPre-operational entry point and API wrappers
fips_test.cPower on self-testsfips_test.c
hmac.cHMAC algorithm
kdf.cTLS v1.2, v1.3 and SSH v2 KDFskdf.c
random.cDRBG algorithm
rsa.cRSA algorithmrsa.c
sha.cSHA algorithm
sha256.cSHA-256 algorithmsha256.c
sha256_asm.sSHA-256 assembler optimizations (Linux)
sha512_asm.sSHA-512 assembler optimizations (Linux)sha512_asm.s
sha3.cSHA-3 algorithm
sha512.cSHA-512 algorithmsha512.c
wolfcrypt_first.cFirst function and Read Only address marking startwolfcrypt_first.c
wolfcrypt_last.cLast function and Read Only address marking end of cryptographic boundarywolfcrypt_last.c

Figure 1 depicts the Module operational environment, with the software module cryptographic boundary highlighted in red inclusive of all Module entry points (API calls). The Module is defined as a Software module per AS02.03. No components are excluded from [140-3] requirements. The pre-operational approved integrity test is performed over all components of the cryptographic boundary. Updates to the Module are provided as a complete replacement in accordance with AS04.27

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 8
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiFeaturesPackageIntegrity Test
wolfssl-5.6.3- commercial-fips- linuxv5.2.1.7zv5.2.1FIPS 140-3 module and SSL/TLS librarywolfssl-5.6.3- commercial-fips- linuxv5.2.1.7zHMAC-SHA256
Linux 4.4 (Ubuntu 16.04 LTS)Linux 4.4 (Ubuntu 16.04 LTS)Intel Ultrabook 2 in 1v5.2.1Intel Core i5-5300U CPU @2.30GHz x 4Yes
Linux 4.4 (Ubuntu 16.04 LTS)Linux 4.4 (Ubuntu 16.04 LTS)Intel Ultrabook 2 in 1v5.2.1Intel Core i5-5300U CPU @2.30GHz x 4No
Android 13Android 13Samsung Galaxy XCover Prov5.2.1Exynos 9611 without PAANo
Linux 5.4Linux 5.4WTM 4100v5.2.1Broadcom BCM56260B0IFSBG - Saber2No
RedHat Enterprise Linux Workstation 8.9RedHat Enterprise Linux Workstation 8.9Precision 5820 Towerv5.2.1Intel® Xeon® W- 2255 @ 3.7GHzNo
FreeRTOS v10.4FreeRTOS v10.4Network Interface Card for Aclara RFv5.2.1Renesas R7FA6E10FNo
Linux 5.15Linux 5.15iSTAR physical access controllerv5.2.1Freescale i.MX7 Dual Arm Cortex A-7No
Linux 4.14Linux 4.14Ricoh IM C3010v5.2.1Intel® Atom® E3930 @1.30GHzNo
Linux 4.14Linux 4.14Ricoh IM C4510v5.2.1Intel® Atom® E3940 @1.60GHzNo
NET+OS v7.6NET+OS v7.6Spectrum Infusion Systemv5.2.1Digi International NS9210No
Yocto (kirkstone) 4.0Yocto (kirkstone) 4.0Novum IQ Infusion Platformv5.2.1NXP i.MX6ULNo
MQX 3.4MQX 3.4FEI-Zyfer Time and Frequency Systemv5.2.1NXP PowerQUICC II MPC8313e 32bitNo
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiFeaturesPackageIntegrity Test
wolfssl-5.6.3- commercial-fips- linuxv5.2.1.7zv5.2.1FIPS 140-3 module and SSL/TLS librarywolfssl-5.6.3- commercial-fips- linuxv5.2.1.7zHMAC-SHA256
Linux 4.4 (Ubuntu 16.04 LTS)Linux 4.4 (Ubuntu 16.04 LTS)Intel Ultrabook 2 in 1v5.2.1Intel Core i5-5300U CPU @2.30GHz x 4Yes
Linux 4.4 (Ubuntu 16.04 LTS)Linux 4.4 (Ubuntu 16.04 LTS)Intel Ultrabook 2 in 1v5.2.1Intel Core i5-5300U CPU @2.30GHz x 4No
Android 13Android 13Samsung Galaxy XCover Prov5.2.1Exynos 9611 without PAANo
Linux 5.4Linux 5.4WTM 4100v5.2.1Broadcom BCM56260B0IFSBG - Saber2No
RedHat Enterprise Linux Workstation 8.9RedHat Enterprise Linux Workstation 8.9Precision 5820 Towerv5.2.1Intel® Xeon® W- 2255 @ 3.7GHzNo
FreeRTOS v10.4FreeRTOS v10.4Network Interface Card for Aclara RFv5.2.1Renesas R7FA6E10FNo
Linux 5.15Linux 5.15iSTAR physical access controllerv5.2.1Freescale i.MX7 Dual Arm Cortex A-7No
Linux 4.14Linux 4.14Ricoh IM C3010v5.2.1Intel® Atom® E3930 @1.30GHzNo
Linux 4.14Linux 4.14Ricoh IM C4510v5.2.1Intel® Atom® E3940 @1.60GHzNo
NET+OS v7.6NET+OS v7.6Spectrum Infusion Systemv5.2.1Digi International NS9210No
Yocto (kirkstone) 4.0Yocto (kirkstone) 4.0Novum IQ Infusion Platformv5.2.1NXP i.MX6ULNo
MQX 3.4MQX 3.4FEI-Zyfer Time and Frequency Systemv5.2.1NXP PowerQUICC II MPC8313e 32bitNo
CodeOS v1.4CodeOS v1.4Series CR2700 Code Reader(s)v5.2.1CodeCorp CT8200 (ARM FA626TE)No
OpenRTOS v10.5OpenRTOS v10.5Teledyne Webb SOM Modulev5.2.1STM32L4R5No
Endace Crypto Firmware 2.1Endace Crypto Firmware 2.1EndaceProbe 2144v5.2.1Intel® Xeon® Silver 4316 CPU @2.30GHzNo
Endace Crypto Firmware 2.1Endace Crypto Firmware 2.1EndaceProbe 2144v5.2.1Intel® Xeon® Silver 4316 CPU @2.30GHzYes
Endace Crypto Firmware 2.1Endace Crypto Firmware 2.1EndaceProbe 2184v5.2.1Intel® Xeon® Gold 6338N CPU @2.20GHzNo
Endace Crypto Firmware 2.1Endace Crypto Firmware 2.1EndaceProbe 2184v5.2.1Intel® Xeon® Gold 6338N CPU @2.20GHzYes
Endace Crypto Firmware 2.1Endace Crypto Firmware 2.1EndaceProbe 94C8v5.2.1Intel® Xeon® Gold 5418N CPU @1.80GHzYes
Endace Crypto Firmware 2.1Endace Crypto Firmware 2.1EndaceProbe 92C8v5.2.1Intel® Xeon® Gold 6230N CPU @2.30GHzYes
Anyware Trusted Zero Client Firmware Kernel 6.1Anyware Trusted Zero Client Firmware Kernel 6.1Anyware Trusted Zero Clientv5.2.1AMD Ryzen Embedded R1305GNo
Anyware Trusted Zero Client Firmware Kernel 6.1Anyware Trusted Zero Client Firmware Kernel 6.1Anyware Trusted Zero Clientv5.2.1AMD Ryzen Embedded R1305GYes
Anyware Trusted Zero Client Firmware Kernel 6.1Anyware Trusted Zero Client Firmware Kernel 6.1HP tz655 Trusted Zero Clientv5.2.1AMD Ryzen Embedded R2314Yes
Fusion Embedded RTOS 5.0Fusion Embedded RTOS 5.0Classone ® IP Radio Gatewayv5.2.1Analog Devices ADSP-BF516 (Blackfin)No
Linux 5.4Linux 5.4Harman MUSE MU Controllerv5.2.1NXP i.MX8MNo
Linux 4.9Linux 4.9Harman N2612S Video encoder/decoderv5.2.1ARM Cortex-A7No
Linux 5.10Linux 5.10Harman N4321D audio transcoderv5.2.1NXP i.MX8No
Red Hat Enterprise Linux Workstation 8.10Red Hat Enterprise Linux Workstation 8.10Precision 5820 Towerv5.2.1Intel® Xeon® W- 2255 @ 3.7GHzNo
Endace Crypto Firmware 2.1Endace Crypto Firmware 2.1EndaceProbe 2144v5.2.1Intel® Xeon® Gold 5411N @1.90GHzYes
Endace Crypto Firmware 2.1Endace Crypto Firmware 2.1EndaceProbe 2184v5.2.1Intel® Xeon® Gold 6438N @2.00GHzYes
Endace Crypto Firmware 2.1Endace Crypto Firmware 2.1EndaceProbe 92C8v5.2.1Intel® Xeon® Gold 6148 CPU @2.40GHzYes

wolfssl-5.6.3commercial-fipslinuxv5.2.1.7z Table 4: Tested Module Identification

Page 9

2.1 2.1 2.1 2.1 2.1 2.1 wolfSSL Inc. Public Material

Page 10
Service
NameDescriptionIndicatorType
Approved mode of operationThe Module supports an Approved mode of operation. In this mode all services are available.FIPS_MODE_NORMAL (1)Approved
Degraded mode of operationThe Module implements a Degraded Mode of operation: when a CAST fails, that CAST is marked as failed and the module will inhibit use of algorithms governed by that CASTFIPS_MODE_DEGRADED (2)Approved

2.1 2.1 2.1 Table 5: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: The Module conforms to [140-3 IG] 2.3.C Processor Algorithm Accelerators (PAA) and Processor Algorithm Implementation (PAI). The Intel Processor AES-NI functions are identified by [140-3 IG] 2.3.C as a known PAA. No vendor affirmed operational environments are claimed for this validation of the module.

2.3 Excluded Components

N/A the module does not support excluded components. Modes List and Description: wolfSSL Inc. Public Material

Page 11

(2) Table 6: Modes List and Description Each time the module is power cycled or reloaded all CAST status are initialized to FIPS_CAST_STATE_INIT. Each algorithm invocation includes a check of the algorithms CAST status; if the CAST status is CAST status will be updated to either FIPS_CAST_STATE_SUCCESS (if it passes) or FIPS_CAST_STATE_FAILURE (if it fails). See degraded mode for when a CAST status fails. To check the modules overall status at any time the cryptographic officer may use the Show Status service by calling wolfCrypt_GetMode_fips() this will return either: FIPS_MODE_INIT (0) - Module is currently running its’ pre-operational self-test in another thread (multi-threaded) FIPS_MODE_NORMAL (1) - Module in normal mode of operation without errors To check the CAST state of any algorithm the cryptographic officer may use the Show Status Service by calling wc_GetCastStatus_fips(<algorithm type>) where algorithm type can be any of the following:

Page 12
Approved algorithm
NameCAVP CertPropertiesReference
AES-CBCA4308Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-CCMA4308Key Length - 128, 192, 256SP 800-38C
AES-CMACA4308Direction - Generation, Verification Key Length - 128, 192, 256SP 800-38B
AES-CTRA4308Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-ECBA4308Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
AES-GCMA4308Direction - Decrypt, Encrypt IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 192, 256SP 800-38D
AES-GMACA4308Direction - Decrypt, Encrypt IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 192, 256SP 800-38D
AES-OFBA4308Direction - Decrypt, Encrypt Key Length - 128, 192, 256SP 800-38A
DSA KeyGen (FIPS186-4)A4308L - 2048 N - 256FIPS 186-4
ECDSA KeyGen (FIPS186-4)A4308Curve - P-224, P-256, P-384, P-521 Secret Generation Mode - Extra BitsFIPS 186-4
ECDSA KeyVer (FIPS186-4)A4308Curve - P-192, P-224, P-256, P-384, P-521FIPS 186-4
ECDSA SigGen (FIPS186-4)A4308Component - No Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA3-224, SHA3-256, SHA3- 384, SHA3-512FIPS 186-4
ECDSA SigVer (FIPS186-4)A4308Component - No Curve - P-192, P-224, P-256, P-384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512FIPS 186-4
Hash DRBGA4308Prediction Resistance - No Mode - SHA2-256SP 800-90A Rev. 1
HMAC-SHA-1A4308Key Length - Key Length: 112-1024 Increment 8FIPS 198-1
HMAC-SHA2- 224A4308Key Length - Key Length: 112-1024 Increment 8FIPS 198-1
HMAC-SHA2- 256A4308Key Length - Key Length: 112-1024 Increment 8FIPS 198-1
HMAC-SHA2- 384A4308Key Length - Key Length: 112-1024 Increment 8FIPS 198-1
HMAC-SHA2- 512A4308Key Length - Key Length: 112-1024 Increment 8FIPS 198-1
HMAC-SHA3- 224A4308Key Length - Key Length: 112-1024 Increment 8FIPS 198-1
HMAC-SHA3- 256A4308Key Length - Key Length: 112-1024 Increment 8FIPS 198-1
HMAC-SHA3- 384A4308Key Length - Key Length: 112-1024 Increment 8FIPS 198-1
HMAC-SHA3- 512A4308Key Length - Key Length: 112-1024 Increment 8FIPS 198-1
KAS-ECC-SSC Sp800-56Ar3A4308Domain Parameter Generation Methods - P- 256, P-384, P-521 Scheme - ephemeralUnified - KAS Role - initiator, responderSP 800-56A Rev. 3
KAS-FFC-SSC Sp800-56Ar3A4308Domain Parameter Generation Methods - ffdhe2048 Scheme - dhEphem - KAS Role - initiator, responderSP 800-56A Rev. 3
KDF SSH (CVL)A4308Cipher - AES-128, AES-192, AES-256 Hash Algorithm - SHA-1, SHA2-256, SHA2-384, SHA2-512SP 800-135 Rev. 1
KDF TLS (CVL)A4308TLS Version - v1.2 Hash Algorithm - SHA2-256, SHA2-384, SHA2- 512SP 800-135 Rev. 1
RSA KeyGen (FIPS186-4)A4308Key Generation Mode - B.3.3 Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - StandardFIPS 186-4
RSA SigGen (FIPS186-4)A4308Signature Type - PKCS 1.5, PKCSPSS Modulo - 2048, 3072, 4096FIPS 186-4
RSA SigVer (FIPS186-4)A4308Signature Type - PKCS 1.5, PKCSPSS Modulo - 1024, 2048, 3072, 4096FIPS 186-4
SHA-1A4308Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-224A4308Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-256A4308Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-384A4308Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA2-512A4308Message Length - Message Length: 0-65536 Increment 8FIPS 180-4
SHA3-224A4308Message Length - Message Length: 0-65536 Increment 8FIPS 202
SHA3-256A4308Message Length - Message Length: 0-65536 Increment 8FIPS 202
SHA3-384A4308Message Length - Message Length: 0-65536 Increment 8FIPS 202
SHA3-512A4308Message Length - Message Length: 0-65536 Increment 8FIPS 202
TLS v1.2 KDF RFC7627 (CVL)A4308Hash Algorithm - SHA2-256, SHA2-384, SHA2- 512SP 800-135 Rev. 1
TLS v1.3 KDF (CVL)A4308HMAC Algorithm - SHA2-256, SHA2-384 KDF Running Modes - DHE, PSK, PSK-DHESP 800-135 Rev. 1
2.5 Algorithms

Approved Algorithms: wolfSSL Inc. Public Material

Page 13

HMAC-SHA2224 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2512 HMAC-SHA3224 HMAC-SHA3256 HMAC-SHA3384 HMAC-SHA3512 wolfSSL Inc. Public Material

Page 14
Service
NameDescriptionApproved FunctionsTypeProperties
CKG- 1Asymmetric:RSA Asymmetric:ECDSAwolfCryptSP800-133r2 5.1 "Key Pairs for Digital Signature Schemes"
CKG- 2Asymmetric:ECC Asymmetric:FFCwolfCryptSP800-133r2 5.2 "Key Pairs for Key Establishment"
CKG- 3Symmetric:AES Symmetric:HMACwolfCryptSP800-133r2 6.2 "Derivation of Symmetric Keys"
DRBGDeterministic Random Byte GeneratorSHA2-256 A4308: Hash DRBG A4308:DRBG
Message AuthenticationHash-Based Message Authentication Codes, Generation and VerificationHMAC-SHA-1 A4308: HMAC-SHA2- 224 A4308: HMAC-SHA2- 256 A4308: HMAC-SHA2- 384 A4308: HMAC-SHA2- 512 A4308: HMAC-SHA3- 224 A4308: HMAC-SHA3-MAC

Table 7: Approved Algorithms NOTE: Only the algorithms specified in this section are supported by the module in approved mode of operation. No operational use of an algorithm may be performed until the corresponding CAST has passed. Vendor-Affirmed Algorithms: CKG1 wolfSSL Inc. Public Material

Page 15
Service
NameDescriptionApproved FunctionsTypeProperties
CKG- 2Asymmetric:ECC Asymmetric:FFCwolfCryptSP800-133r2 5.2 "Key Pairs for Key Establishment"
CKG- 3Symmetric:AES Symmetric:HMACwolfCryptSP800-133r2 6.2 "Derivation of Symmetric Keys"
DRBGDeterministic Random Byte GeneratorSHA2-256 A4308: Hash DRBG A4308:DRBG
Message AuthenticationHash-Based Message Authentication Codes, Generation and VerificationHMAC-SHA-1 A4308: HMAC-SHA2- 224 A4308: HMAC-SHA2- 256 A4308: HMAC-SHA2- 384 A4308: HMAC-SHA2- 512 A4308: HMAC-SHA3- 224 A4308: HMAC-SHA3-MAC
Secure HashSecure Hash FunctionSHA-1 A4308: SHA2-224 A4308: SHA2-256 A4308: SHA2-384 A4308: SHA2-512 A4308: SHA3-224 A4308: SHA3-256 A4308: SHA3-384 A4308: SHA3-512 A4308:SHA
TLS 1.3 Key AgreementKDF: Extract then Expand (56C)TLS v1.3 KDF A4308: HMAC-SHA2- 256 A4308: HMAC-SHA2- 384 A4308: HMAC-SHA2- 512 A4308:KAS-56CKDF
Primitive Key AgreementDH: Key agreement primitivesKAS-FFC-SSC Sp800-56Ar3 A4308:KAS-KeyGen
KDF Derived Key AgreementKDF: Derive keying material from a shared secret (135);KDF SSH A4308: KDF TLS A4308: TLS v1.2 KDF RFC7627 A4308: SHA-1 A4308:KAS-135KDF
KAS SSC Derived Key AgreementDerived keying material from a shared secretKAS-ECC-SSC Sp800-56Ar3 A4308: KAS-FFC-SSC Sp800-56Ar3 A4308:KAS-SSC
133r2 5.1 Asymmetric Key GenerationSP800-133r2 5.1 "Key Pairs for Digital Signature Schemes"RSA KeyGen (FIPS186-4) A4308: ECDSA KeyGen (FIPS186-4) A4308: Hash DRBG A4308: CKG-1 Vendor Affirmed:CKG
133r2 5.2 Asymmetric Key GenerationSP800-133r2 5.2 "Key Pairs for Key Establishment"KAS-ECC-SSC Sp800-56Ar3 A4308: KAS-FFC-SSC Sp800-56Ar3 A4308: Hash DRBG A4308: CKG-2 Vendor Affirmed:CKG
Symmetric Key GenerationSP800-133r2 6.2 "Derivation of Symmetric Keys"AES-CBC A4308: AES-CCM A4308: AES-CMAC A4308: AES-CTR A4308: AES-ECB A4308: AES-GCM A4308: AES-GMAC A4308: AES-OFB A4308: HMAC-SHA-1CKG
RSA Asymmetric Key-Pair GenerationGenerate an RSA Asymmetric Key PairRSA KeyGen (FIPS186-4) A4308: Hash DRBG A4308:AsymKeyPair- KeyGen
DSA Asymmetric Key-Pair GenerationGenerate a DSA Asymmetric Key Pair, Validate a Public DSA Key and KAS-FFC- SSC Domain Parameter Generation (SP800-56Ar3)KAS-FFC-SSC Sp800-56Ar3 A4308: DSA KeyGen (FIPS186-4) A4308: Hash DRBG A4308:AsymKeyPair- KeyGen AsymKeyPair- PubKeyVal AsymKeyPair- DomPar
ECC Asymmetric Key-Pair GenerationGenerate an ECC Asymmetric Key Pair, ECC KeyVer and KAS-ECC-SSCKAS-ECC-SSC Sp800-56Ar3 A4308: ECDSA KeyGen (FIPS186-4) A4308:AsymKeyPair- KeyVer AsymKeyPair- KeyGen AsymKeyPair- DomPar

CKG2 CKG3 Table 8: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. The Module does not implement non-approved algorithms. The services listed in this Security Policy include all cryptographic and non-cryptographic functionality. NOTE: For TLS 1.2 KDF Extended master-secret shall be used in approved mode of operation. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: N/A for this module.

2.6 Security Function Implementations

HMAC-SHA2224 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2512 HMAC-SHA3224 wolfSSL Inc. Public Material

Page 16

HMAC-SHA3384 HMAC-SHA3512 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2512 wolfSSL Inc. Public Material

Page 17

wolfSSL Inc. Public Material

Page 18

AsymKeyPairKeyGen AsymKeyPairKeyGen AsymKeyPairPubKeyVal AsymKeyPairDomPar AsymKeyPairKeyVer AsymKeyPairKeyGen AsymKeyPairDomPar HMAC-SHA2224 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2512 HMAC-SHA3224 HMAC-SHA3256 HMAC-SHA3384 HMAC-SHA3512 wolfSSL Inc. Public Material

Page 19
Service
NameDescriptionApproved FunctionsType
Digital Signature GenerationDigital Signature GenerationRSA SigGen (FIPS186-4) A4308: ECDSA SigGen (FIPS186-4) A4308: SHA2-224 A4308: SHA2-256 A4308: SHA2-384 A4308: SHA2-512 A4308: SHA3-224 A4308: SHA3-256 A4308: SHA3-384 A4308: SHA3-512 A4308: Hash DRBG A4308:DigSig-SigGen
Digital Signature VerificationDigital Signature VerificationRSA SigVer (FIPS186-4) A4308: ECDSA SigVer (FIPS186-4) A4308: ECDSA KeyVer (FIPS186-4) A4308: SHA-1 A4308: SHA2-224 A4308: SHA2-256 A4308: SHA2-384 A4308: SHA2-512 A4308: SHA3-224 A4308: SHA3-256DigSig-SigVerDigSig- SigVer:1024 (verification only) DigSig- SigVer:SHA-1 (verification only) DigSig- SigVer:P-192 (Signature and Key Verification only)

DigSigSigVer:1024 DigSigSigVer:SHA-1 DigSigSigVer:P-192 wolfSSL Inc. Public Material

Page 20
Service
NameDescriptionApproved FunctionsType
Auth Block CipherAuthenticated Block CiphersAES-GMAC A4308: AES-GCM A4308: AES-CMAC A4308: AES-CCM A4308:BC-Auth
UnAuth Block CipherUnauthenticated Block CiphersAES-CBC A4308: AES-ECB A4308: AES-OFB A4308: AES-CTR A4308:BC-UnAuth

Table 9: Security Function Implementations

2.7 Algorithm Specific Information

The conditions for using the Module in the Approved mode of operation are:

  1. The Module is a cryptographic library and it is intended to be used with a calling application. The calling application is responsible for the usage of the primitives in the correct sequence including the IVs and sessions.
  2. The keys used by the Module for cryptographic purposes are determined by the calling application. The calling application is required to provide keys in accordance with [140Drev2].
  3. With the Module installed and configured in accordance with [UG] instructions, only the algorithms listed in the table in Section 2.5 are available. The module is in the Approved mode if the following conditions for algorithm use are met. NOTE: All conditions and restrictions below are met when the executable binary is built in accordance with the UG instructions. Applications that would be at risk of violating any restriction in this section will fail to build and link successfully against the compliant module binary executable. a. Adherence to [140-3 IG] C.H Key/IV Pair Uniqueness Requirements from SP 800-38D. The Module supports both internal IV generation (for use with the [56Arev3] compliant KAS API entry points) and external IV generation (for TLS KAS usage). For internal IV generation, the Module complies with C.H 2, users MUST specify an IV length of GCM_NONCE_MID_SZ or greater for internal IV generation otherwise specifying any length less than 96-bits is rejected by the module. For internal IV generation, C.H requires the calling application to use the modules internal approved DRBG to generate the random IV For external IV generation, the Module complies with C.H 1 (a), tested per option (ii) under C.H TLS protocol IV generation. The module wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision).
Page 21

performs a check for nonce_explicit rollover, returning an error if that condition is encountered. b. ECDSA and RSA signature generation must be used with a SHA-2 or SHA-3 hash function. c. RSA signature generation and encryption primitives must use RSA keys with k = 2048,

3072 or 4096 bits or greater.

d. The calling process shall adhere to all current [131Arev2] algorithm usage restrictions.

  1. Manual key entry is not supported.
  2. Data output is inhibited during self-tests, zeroization, and error states.
  3. RSA Decrypt Primitive (RSADP) with k=2048-bit is the only CAVP testable aspect of [56Brev2]. The module implements the RSA primitive operations only, there are no claims of key transport. The module implements ‘RSA Encrypt Primitive’ (RSAEP) and RSADP. The vendor affirms conformance to [56Brev2] for RSAEP and RSADP with other key sizes since no CAVP test is available for key sizes other than 2048-bit.
2.8 RBG and Entropy

N/A for this module. N/A for this module.

2.9 Key Generation
2.10 Key Establishment
2.11 Industry Protocols

The Module conforms to [140-3 IG] D.C References to the Support of Industry Protocols: while the module provides [56A] conformant schemes and API entry points oriented to TLS and SSH usage, the Module does not contain the full implementation of TLS or SSH. The following statements are required per IG D.C case #2: No parts of the TLS protocol other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. No parts of the SSH protocol other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP.

2.12 Additional Information

The Module design corresponds to the Module security rules. Security rules enforced by the Module are described in the appropriate context of this document. wolfSSL Inc. Public Material

Page 22
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/A: Internal (call stack)N/A: Internal (call stack)Control InputAPI entry point: stack frame including non-sensitive parameters
N/A: Internal (call stack)N/A: Internal (call stack)Control OutputAPI call parameters passed by reference for structures allocated by wolfCrypt
N/A: Internal (call stack)N/A: Internal (call stack)Data InputAPI call parameters passed by reference or value for cryptographic service input
N/A: Internal (call stack)N/A: Internal (call stack)Data OutputAPI call parameters passed by reference for cryptographic service output
N/A: Internal (call stack)N/A: Internal (call stack)Status OutputAPI return value: enumerated status resulting from call execution
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
COCORole
Digital SignatureGenerate or verifyCO - DS_SGK:Digital SignatureSuccessf ulSign: Key StructSign: Status return;
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
COCORole
Digital SignatureGenerate or verifyCO - DS_SGK:Digital SignatureSuccessf ulSign: Key StructSign: Status return;
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Table 10: Ports and Interfaces Table 7 defines the Module’s [140-3] logical interfaces; the Module does not interact with physical ports.

4 Roles, Services, and Authentication
4.2 Roles

Table 11: Roles The Module supports the Cryptographic Officer (CO) operator role, and does not support multiple concurrent operators, a maintenance role or bypass capability. The cryptographic module does not provide an authentication or identification method of its own. The CO role is implicitly identified by the service requested.

4.3 Approved Services

n wolfSSL Inc. Public Material

Page 23
Sensitive security parameter
NameDescriptionStrengthSecurity FunctionGenerationOutputIndicator completi on of the service (status code >= 0)
Generate Key PairGenerate asymmetric key pairs.FFC, ECC: curve identifier; RSA: modulus size;CO - GKP_Privat e: G,R,Z - GKP_Publi c: G,R,ZECC Asymmetric Key-Pair Generation DSA Asymmetric Key-Pair Generation RSA Asymmetric Key-Pair Generation 133r2 5.2 Asymmetric Key Generation 133r2 5.1 Asymmetric Key GenerationStatus return; Key structure (GKP_Privat e)Successf ul completi on of the service (status code >= 0)
Key Agreeme ntDH key agreement primitives.Key structures (KAS_Priva te and KAS_Publi c); flags;CO - KAS_Privat e: W,E,Z - KAS_Public : W,E,Z - KAS_SSC: G,R,ZPrimitive Key AgreementStatus return; KAS_SSC;Successf ul completi on of the service (status code >= 0)
Key Derivatio nDerive keying material from a shared secretKAS_SSC; flags;CO - KAS_SSC: R,E,ZTLS 1.3 Key Agreement KDF Derived Key Agreement KAS SSC Derived Key AgreementStatus return; KD_DKM;Successf ul completi on of the service (status code >= 0)
Keyed HashGenerate or verify message integrityKH_KeyCO - KH_Key: W,EMessage Authenticati onStatus return; Tag value;Successf ul completi on of the

n 0) 0) e) 0) n 0) W,E,Z W,E,Z e: G,R,Z c: G,R,Z e: W,E,Z : W,E,Z G,R,Z R,E,Z W,E wolfSSL Inc. Public Material

Page 24
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
Message DigestGenerate a message digestCOSecure HashSuccessf ul completi on of the service (status code >= 0)Message; flags;Status return; Hash value;
RandomGenerate random bits using the DRBGCO - Seed: W,E,Z - Internal State: G,E - Secret C: G,E - Secret V: G,E - Entropy Input String: W,E,ZDRBGSuccessf ul completi on of the service (status code >= 0)DRBG structure (Internal State containing secret(s) C and V); SeedStatus return; Random Value;
Self-testPerform the designated self-test.CO - MOD_INT: G,Z - coreKey: EMessage Authenticati onSuccessf ul completi on of the service (status code >= 0)FlagsStatus return
Show StatusProvide Module statusCOSuccessf ul completi on of the service (status code >= 0)NoneStatus return
Symmetri c cipherEncrypt or Decrypt data, including AEAD modesCO - SC_EDK: E,WAuth Block Cipher UnAuth Block Cipher SymmetricSuccessf ul completi on of the service (statusSC_EDK; flags;Status return. Plaintext or ciphertext data;

n 0) 0) 0) 0) 0) W,E,Z G,E G,E W,E,Z G,Z E E,W wolfSSL Inc. Public Material

Page 25
Sensitive security parameter
NameDescriptionSecurity FunctionInputOutputIndicator code >= 0)
ZeroiseFreeRng_fi ps destroys RNG CSPs. All functions zeroise CSPs using function ForceZero (overwriting with zeros) within the function scope after use. Caller stack cleanup is the duty of the application. Restarting the general- purpose computer clears all CSPs in RAM.CO - DS_SGK: Z - GKP_Privat e: Z - KAS_Privat e: Z - KAS_SSC: Z - KD_DKM: Z - KH_Key: Z - Seed: Z - Internal State: Z - Secret C: Z - Secret V: Z - SC_EDK: Z - Entropy Input String: ZDRBG struct (RBG State) or other structures containing SSPsStatus returnSuccessf ul completi on of the service (status code >= 0)
Show VersionProvide Module VersionCONonePlaintext containing the module versionSuccessf ul completi on of the service (status code >= 0)

n generalpurpose Table 12: Approved Services 0) 0)

  1. Z e: Z e: Z Z Z Z Z Z Z All services implemented by the Module are listed in Table
  2. The calling application may use the Show status service (wolfCrypt_GetStatus_fips call) to determine the status of the Module. A return code of FIPS_MODE_NORMAL means the Module is in a state without errors; Please see Section 2.4 for more information. In addition, as per [140-3 IG] 2.4.C the module supports an implicit indicator via the successful completion of a service, module does not support nonapproved services. wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision).
Page 26

See the wolfCrypt FIPS 140-3 User Guide [UG] for additional information on the cryptographic services listed in this section. Note that the caller provides the KAS_Private and KAS_Public keys for shared secret computation; the caller’s exchange and assurance of PSPs with the remote participant is outside the scope of the Module. For services Generate Key Pair, Key Agreement and Key Derivation consistent with [140-3 IG] 9.5.A, available only if the private_key_read_enable property is set to TRUE

4.4 Non-Approved Services
5 Software/Firmware Security
5.1 Integrity Techniques

The Module uses HMAC-SHA2-256 with a 256-bit key (HMAC Cert. #A4308) as the approved integrity technique. Before the integrity technique is executed the module performs an HMACSHA2-256 KAT.

5.2 Initiate on Demand

The operator can initiate the integrity test on demand by reloading the Module or by calling the API wolfCrypt_IntegrityTest_fips() at any time after power on. (See Section 10.5 “Operator Initiation of Self-Tests” later in this document for details of proper use of this API in an application).

5.3 Open-Source Parameters

While the module is not “open source” since it is only shipped under a commercial license, open source practice of source code delivery with a commercial license is standard for the module. As such the module (while not required to do so) will abide by ISO/IEC 19790:2012 B.2.5. Please see details in the wolfCrypt FIPS 140-3 User Guide [UG] for the [OE] listed on the FIPS certificate. Details will include information about compiler, compiler configuration settings and methods to compile the source code into an executable form in a FIPS validated manner. See also section 11.1 Installation, Initialization, and Startup Procedures later in this document.

6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable wolfSSL Inc. Public Material

Page 27
6.2 Configuration Settings and Restrictions

Any setting that affects the module directly while compiling the executable binary shall not be used. If unsure contact wolfSSL Inc. by sending email to “support at wolfssl dot com”. A wolfSSL engineer will review the setting for impact on the FIPS validated sources and determine if the setting is allowed or disallowed for an approved mode of operation. NOTE: The User Guide [UG] will contain an exact list of allowed settings. CO should refer to the [UG] first before contacting wolfSSL support.

6.3 Additional Information

The operational environment for the Module is modifiable. Table 6 lists the operational environments on which the Module was tested. Specification of the security rules, settings or restrictions to the configuration of the operational environment are covered in the [UG]. The configure script provided with the package detects the environment and sets the required flags. There are no specific restrictions to the configuration of the operational environment unless stated in the [UG].

7 Physical Security
7.1 Mechanisms and Actions Required
7.5 EFP/EFT Information
7.6 Hardness Testing Temperature Ranges
8 Non-Invasive Security

The Module does not implement non-invasive security mechanisms.

9 Sensitive Security Parameters Management
9.1 Storage Areas

wolfSSL Inc. Public Material

Page 28
Sensitive security parameter
NameTypeDescriptionStrengthUse
S1DynamicRAM (Memory)
DS_SGKPrivate - CSPDigital Signature: Signature Generation using Private KeyRSA: 2048, 3072, 4096; ECDSA: 224, 256, 384,ECDSA SigGen (FIPS18 6-4) (A4308) RSA SigGen (FIPS18
Service
NameTypeFromTo
IE1PlaintextEXT: Call stack (API) input parametersINTAutomatedElectronic
IE2PlaintextINT: Call stack (API) output parametersEXTAutomatedElectronic
IE3PlaintextEXT: Loaded from external entropy sourceINTAutomatedElectronic
Sensitive security parameter
NameTypeDescriptionStrengthGenerationEstablishmentUseSize - Strengt h
S1DynamicRAM (Memory)
DS_SGKPrivate - CSPDigital Signature: Signature Generation using Private KeyRSA: 2048, 3072, 4096; ECDSA: 224, 256, 384,ECDSA SigGen (FIPS18 6-4) (A4308) RSA SigGen (FIPS18
521; - RSA: 112, 128; ECDSA: 112, 128, 192, 256;521; - RSA: 112, 128; ECDSA: 112, 128, 192, 256;6-4) (A4308)
DS_SVKPublic - PSPDigital Signature Verification using Public KeyRSA: 1024*, 2048, 3072, 4096; ECDSA: 192*, 224, 256, 384, 521; - RSA: 80*, 112, 128; ECDSA: 80*, 112, 128, 192, 256;ECDSA SigVer (FIPS18 6-4) (A4308) RSA SigVer (FIPS18 6-4) (A4308)
GKP_Privat ePrivate - CSPGenerated Key Pair (Private)RSA: 2048, 3072, 4096; ECDSA: 224, 256, 384, 521; - RSA: 112, 128; ECDSA: 112, 128, 192, 256;RSA Asymmetric Key-Pair Generation ECC Asymmetric Key-Pair GenerationECDSA KeyGen (FIPS18 6-4) (A4308) RSA KeyGen (FIPS18 6-4) (A4308)
GKP_Publi cPublic - PSPGenerated Key Pair (Public)RSA: 2048, 3072, 4096; ECDSA: 224, 256, 384, 521; - RSA: 112, 128; ECDSA: 112, 128, 192, 256;RSA Asymmetric Key-Pair Generation ECC Asymmetric Key-Pair GenerationECDSA KeyGen (FIPS18 6-4) (A4308) RSA KeyGen (FIPS18 6-4) (A4308)
KAS_Privat ePrivate - CSPKey pair component provided by the local participant, used for Diffie- Hellman shared secret generation.FFC: 2048; ECC: 224, 256, 384, 521; - FFC: 112; ECC: 112, 128, 192, 256;ECC Asymmetric Key-Pair Generation DSA Asymmetric Key-Pair Generation Primitive Key AgreementKAS- ECC- SSC Sp800- 56Ar3 (A4308) KAS- FFC- SSC Sp800- 56Ar3 (A4308)
KAS_Publi cPublic - PSPKey pair component provided by the local participant, used for Diffie- Hellman shared secret generation.FFC: 2048; ECC: 224, 256, 384, 521; - FFC: 112; ECC: 112, 128, 192, 256;ECC Asymmetric Key-Pair Generation DSA Asymmetric Key-Pair Generation Primitive Key AgreementKAS- ECC- SSC Sp800- 56Ar3 (A4308) KAS- FFC- SSC Sp800- 56Ar3 (A4308)
KAS_SSCShared Secret - CSPShared secret calculation; z output value is expected to be used by a KDFFFC: 2048; ECC: 224, 256, 384, 521; - FFC: 112; ECC: 112, 128, 192, 256;ECC Asymmetri c Key-Pair Generation DSA Asymmetri c Key-Pair Generation KAS SSC Derived Key AgreementKAS- ECC- SSC Sp800- 56Ar3 (A4308) KAS- FFC- SSC Sp800- 56Ar3 (A4308) KDF SSH (A4308) KDF TLS (A4308)
KD_DKMDerived Key Material - CSPKey Derivation derived keying materialTLS KDF v1.2 RFC 7627: 1024; TLS KDF v1.3: 256, 384; KDF SSH: 256, 384, 512 - 256-bitTLS 1.3 Key Agreement KDF Derived Key AgreementKDF SSH (A4308) TLS v1.2 KDF RFC762 7 (A4308) TLS v1.3 KDF (A4308)
KH_KeySymmetric Key - CSPKeyed Hash keyCMAC: 128, 192, 256; GMAC: 128, 192, 256; HMAC: 160, 256, 512; - CMAC: 128,AES- CMAC (A4308) AES- GMAC (A4308) HMAC- SHA-1 (A4308) HMAC- SHA2- 224 (A4308) HMAC-
192, 256; GMAC: 128, 192, 256; HMAC: 128, 256;192, 256; GMAC: 128, 192, 256; HMAC: 128, 256;SHA2- 256 (A4308) HMAC- SHA2- 384 (A4308) HMAC- SHA2- 512 (A4308) HMAC- SHA3- 224 (A4308) HMAC- SHA3- 256 (A4308) HMAC- SHA3- 384 (A4308) HMAC- SHA3- 512 (A4308)
Entropy Input StringEntropy - CSPEntropy input bit string loaded from the external entropy source256-bit - 256-bitHash DRBG (A4308)
SeedEntropy - CSPDRBG Seed_materi al consisting of entropy input string (256-bit) concatenate d with the nonce (128- bit)384-bit - 256-bitDRBGHash DRBG (A4308)
Secret CEntropy - CSPHash DRBG Internal440-bits - 256-bitDRBGHash DRBG (A4308)
Secret VEntropy - CSPHash DRBG Internal State Secret V440-bits - 256-bitDRBGHash DRBG (A4308)
Internal StateEntropy - CSPHash DRBG Internal State (SHA- 256) with secret values V and C. V is 440- bits, C is 440-bits.880-bit - 256-bitDRBGHash DRBG (A4308)
SC_EDKSymmetric Key - CSPAES key used for symmetric encryption (including AES authenticate d encryption). Modes: CBC, CCM, CTR, ECB, GCM, OFB128, 192 or 256 bits - 128, 192 or 256 bitsAES- CBC (A4308) AES- CCM (A4308) AES- CTR (A4308) AES- ECB (A4308) AES- GCM (A4308) AES- OFB (A4308)
MOD_INTMessage Authenticati on - CSPModule Integrity Value Computed at Run Time32- bytes - 256-bitMessage Authenticati onHMAC- SHA2- 256 (A4308)
coreKeyMessage Authenticati on - CSPHMAC key for in-core integrity check self- test32- bytes - 256-bitHMAC- SHA2- 256 (A4308)
DS_SGKWhile in useIE1Z1S1:Plaintext
DS_SVKWhile in useIE1Z1S1:Plaintext
GKP_PrivateWhile in useIE2Z1GKP_Public:Paired WithS1:Plaintext
GKP_PublicWhile in useIE2Z1GKP_Private:Paired WithS1:Plaintext
KAS_PrivateWhile in useIE1Z1S1:Plaintext
KAS_PublicWhile in useIE2Z1S1:Plaintext
KAS_SSCWhile in useZ1KAS_Public:Derived From KAS_Private:Derived FromS1:Plaintext
KD_DKMWhile in useZ1S1:Plaintext
KH_KeyWhile in useIE1Z1S1:Plaintext
Entropy Input StringWhile in useIE3Z1S1:Plaintext
SeedWhile in useZ1S1:Plaintext
Secret CWhile in useZ1Seed:Derived FromS1:Plaintext
Secret VWhile in useZ1Seed:Derived FromS1:Plaintext
Internal StateWhile in useZ1S1:Plaintext
SC_EDKWhile in useIE1Z1S1:Plaintext
MOD_INTWhile in useZ1S1:Plaintext
coreKeyWhile in useZ2S1:Plaintext
ZeroizationDescriptionRationaleOperator
MethodInitiation
Z1cleared immediately after useModule does not store SSPs persistentlyZeroise
Z2Per ISO/IEC 19790:2012 section 7.9.7, parameters used solely for self-test purposes in 7.10 need not meet zeroisation requirementsFIPS 140-3 IG 9.7.B
9.2 SSP Input-Output Methods

Table 14: SSP Input-Output Methods

9.3 SSP Zeroization Methods

9.7.B Table 15: SSP Zeroization Methods The module supports an implicit Zeroisation indicator. The implicit indicator is a successful completion of the service call. h 6-4) wolfSSL Inc. Public Material

Page 29

e h 6-4) 6-4) 6-4) 6-4) 6-4) wolfSSL Inc. Public Material

Page 30

c e DiffieHellman c DiffieHellman h 6-4) 6-4) KASECCSSC Sp80056Ar3 KASFFCSSC Sp80056Ar3 KASECCSSC Sp80056Ar3 KASFFCSSC Sp80056Ar3 wolfSSL Inc. Public Material

Page 31

h KASECCSSC Sp80056Ar3 KASFFCSSC Sp80056Ar3 AESCMAC AESGMAC HMACSHA-1 HMACSHA2224 wolfSSL Inc. Public Material

Page 32

nonce (128bit) h SHA2256 HMACSHA2384 HMACSHA2512 HMACSHA3224 HMACSHA3256 HMACSHA3384 HMACSHA3512 wolfSSL Inc. Public Material

Page 33

C V C. V is 440bits, C is d check selftest h AESCBC AESCCM AESCTR AESECB AESGCM AESOFB HMACSHA2256 HMACSHA2256 Table 16: SSP Table 1 wolfSSL Inc. Public Material

Page 34

Table 17: SSP Table 2 * Per SP800-131Ar2 Section 3, Table 2, key sizes (1024-bit for RSA and 192-bit for ECC) are available for legacy use verification requirements when inter-oping with legacy systems. These key sizes shall not be used for signing operations.

10 Self-Tests
10.1 Pre-Operational Self-Tests

wolfSSL Inc. Public Material

Page 35
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsTest PropertiesIndicatorConditio ns
HMAC- SHA2-256HMAC- SHA2-256KATSW/FW IntegrityMAChash type: SHA256, key length: 32-bytes. Please note this is the module integrity testFIPS_MODE_NORMAL or FIPS_MODE_FAILED
AES- CBCAES- CBCKATCAS TEncryptkey length: 32-bytesFIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LUREBefore first use of algorithm( s) AES- ECB, AES- CBC, AES- CTR, AES- OFB, AES- GCM, AES- GMAC, AES- CCM or AES- CMAC
AES- CBCAES- CBCKATCAS TDecryptkey length: 32-bytesFIPS_CAST_STATE_SU CCESS orBefore first use of
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsTest PropertiesIndicatorConditio ns
HMAC- SHA2-256HMAC- SHA2-256KATSW/FW IntegrityMAChash type: SHA256, key length: 32-bytes. Please note this is the module integrity testFIPS_MODE_NORMAL or FIPS_MODE_FAILED
AES- CBCAES- CBCKATCAS TEncryptkey length: 32-bytesFIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LUREBefore first use of algorithm( s) AES- ECB, AES- CBC, AES- CTR, AES- OFB, AES- GCM, AES- GMAC, AES- CCM or AES- CMAC
AES- CBCAES- CBCKATCAS TDecryptkey length: 32-bytesFIPS_CAST_STATE_SU CCESS orBefore first use of
FIPS_CAST_STATE_FAI LUREFIPS_CAST_STATE_FAI LUREalgorithm( s) AES- ECB, AES- CBC, AES- CTR, AES- OFB, AES- GCM, AES- GMAC, AES- CCM or AES- CMAC
AES- GCMAES- GCMKATCAS TDecryptkey length: 32-bytesFIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LUREBefore first use of algorithm( s) AES- GCM or AES- GMAC
AES- GCMAES- GCMKATCAS TEncryptkey length: 32-bytesFIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LUREBefore first use of algorithm( s) AES- GCM or AES- GMAC
HMAC- SHA1HMAC- SHA1KATCAS TMAChash type: SHA1; key length: 20- bytesFIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LUREBefore first use of algorithm( s) SHA1 or HMAC- SHA1
HMAC- SHA2- 256HMAC- SHA2- 256KATCAS TMAChash type: SHA256; key length: 20-bytesFIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LUREBefore first use of algorithm( s) SHA224, SHA256,
HMAC- SHA2- 512HMAC- SHA2- 512KATCAS TMAChash type: SHA2-512, key length: 20-bytesFIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LUREBefore first use of algorithm( s) SHA384, SHA512, HMAC- SHA384 or HMAC- SHA512
HMAC- SHA3- 256HMAC- SHA3- 256KATCAS TMAChash type: SHA3-256, key length: 64-bytesFIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LUREBefore first use of algorithm( s) SHA3- 224, SHA3- 256, SHA3- 384 or SHA3- 512, HMAC- SHA3- 224, HMAC- SHA3- 256, HMAC- SHA3- 384 or HMAC- SHA3- 512
RSA- PKCSv 1.5RSA- PKCSv 1.5KATCAS TSignhash type: SHA256; key length: 2048-bitsFIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LUREBefore first use of algorithm( s) RSA (PKCSv1. 5) or RSA (PSS)
RSA- PKCSv 1.5RSA- PKCSv 1.5KATCAS TVerifyhash type: SHA256, key length: 2048-bitsFIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LUREBefore first use of algorithm( s) RSA (PKCSv1. 5) or RSA (PSS)
ECC Diffie- HellmanECC Diffie- HellmanKATCAS TComputatio n Shared Secret ZhashType: SHA2-256; curve: P-256FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LUREBefore first use of algorithm( s) ECC for shared secret generatio n
FFC Diffie- HellmanFFC Diffie- HellmanKATCAS TComputatio n Shared Secret ZhashType: SHA2-256; keySize: 2048-bit;FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LUREBefore first use of algorithm( s) FFC for shared secret generatio n
ECDSAECDSAKATCAS TSigncurve: P256; hashType: SHA2-256FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LUREBefore first use of algorithm( s) ECDSA
ECDSAECDSAKATCAS TVerifycurve: P256; hashType: SHA2-256FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LUREBefore first use of algorithm( s) ECDSA
TLSv1. 2 KDFTLSv1. 2 KDFKATCAS TDerive Keying MaterialHMAC- SHA2-256FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LUREBefore first use of TLSv1.2 KDF
TLSv1. 3 KDFTLSv1. 3 KDFKATCAS TDerive Keying MaterialHMAC- SHA2-256FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LUREBefore first use of TLSv1.3 KDF
KDF SSHKDF SSHKATCAS TDerive Keying MaterialhashType: SHA2-256FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LUREBefore first use of KDF SSH
RSA- PCTRSA- PCTPCTPCTSign/Verifykey size: 2048,3072,4 096Service is successful or an error code RSA_KEY_PAIR_EInvoked automatic ally during generate key pair service
ECC- PCTECC- PCTPCTPCTSign/Verifycurve size: 224, 256, 384, 521Service is successful or an error code ECC_PCT_EInvoked automatic ally during generate key pair service
DH- PCTDH- PCTPCTPCTModulus Exponentia tionkey size: 2048, 3072, 4096Service is successful or an error code MP_CMP_EInvoked automatic ally during generate key pair service
DRBGDRBGKATCAS THealth-Test with sub- elements: Instantiate, Generate, ReseedDRBG mode: SHA2-256FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LUREBefore first use of algorithm( s) DBRG or Immediat ely upon registerin g an external entropy source with the module

HMACSHA2-256 Table 18: Pre-Operational Self-Tests Each time the Module is powered on or loaded (equivalent to a power on) the integrity of the module is tested per ISO/IEC 19790:2012 Section 7.10.2.2. The very first step of the preoperational self-test (POST) is to force every Conditional Algorithm Self-Test to be in the FIPS_CAST_STATE_INIT mode meaning the CAST for a given algorithm has not run since power on and the CAST must run and pass prior to operational use of the algorithm. The integrity test uses HMAC-SHA2-256 to ensure the modules integrity therefore per AS 10.20 HMAC CAST is triggered prior to the integrity check. The HMAC CAST uses a known answer test per ISO/IEC 19790-2012 Section 7.10.3.2. The POST executes outside user control as the module is powering on or being loaded.

10.2 Conditional Self-Tests

AESCBC AESCBC e T T s) AESECB, AESCBC, AESCTR, AESOFB, AESGCM, AESGMAC, AESCCM or AESCMAC wolfSSL Inc. Public Material

Page 36

e AESGCM T AESGCM T HMACSHA1 length: 20bytes T HMACSHA2256 T s) AESECB, AESCBC, AESCTR, AESOFB, AESGCM, AESGMAC, AESCCM or AESCMAC s) AESGCM or AESGMAC s) AESGCM or AESGMAC or HMACSHA1 s) wolfSSL Inc. Public Material

Page 37

e HMACSHA2512 T HMACSHA3256 T RSAPKCSv 1.5 T HMACSHA224 or HMACSHA256 s) HMACSHA384 or HMACSHA512 s) SHA3224, SHA3256, SHA3384 or SHA3512, HMACSHA3224, HMACSHA3256, HMACSHA3384 or HMACSHA3512 wolfSSL Inc. Public Material

Page 38

RSAPKCSv 1.5 e T T DiffieHellman T T T HMACSHA2-256 T HMACSHA2-256 T n n DiffieHellman wolfSSL Inc. Public Material

Page 39

e T RSAPCT ECCPCT DHPCT T with subelements: Table 19: Conditional Self-Tests Once the module is powered on and has passed the POST, calls to any cryptographic algorithm will trigger the CAST on first operational use of the algorithm. The POST and CASTS are available on demand after power on and can be executed by the cryptographic officer (CO) at any time. The CO may optionally invoke any CAST ahead of algorithm use at a more convenient time rather than letting it run automatically on first use. Regardless of the CAST running manually or automatically, once it has passed the CO may manually re-run any CAST at any time in a periodic fashion, a CAST will no longer run automatically after it has passed the first time. wolfSSL Inc. Public Material

Page 40
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic Method
HMAC-SHA2- 256HMAC-SHA2- 256KATSW/FW IntegrityP2Automatic or Manually
AES-CBCAES-CBCKATCASTP1Manually
AES-CBCAES-CBCKATCASTP1Manually
AES-GCMAES-GCMKATCASTP1Manually
AES-GCMAES-GCMKATCASTP1Manually
HMAC-SHA1HMAC-SHA1KATCASTP1Manually
HMAC-SHA2- 256HMAC-SHA2- 256KATCASTP2Automatic or Manually
HMAC-SHA2- 512HMAC-SHA2- 512KATCASTP1Manually
HMAC-SHA3- 256HMAC-SHA3- 256KATCASTP1Manually
RSA-PKCSv1.5RSA-PKCSv1.5KATCASTP1Manually
RSA-PKCSv1.5RSA-PKCSv1.5KATCASTP1Manually
ECC Diffie- HellmanECC Diffie- HellmanKATCASTP1Manually
FFC Diffie- HellmanFFC Diffie- HellmanKATCASTP1Manually
ECDSAECDSAKATCASTP1Manually
ECDSAECDSAKATCASTP1Manually
TLSv1.2 KDFTLSv1.2 KDFKATCASTP1Manually
TLSv1.3 KDFTLSv1.3 KDFKATCASTP1Manually
KDF SSHKDF SSHKATCASTP1Manually
RSA-PCTRSA-PCTPCTPCTP3Automatic
ECC-PCTECC-PCTPCTPCTP3Automatic
DH-PCTDH-PCTPCTPCTP3Automatic
DRBGDRBGKATCASTP4Automatic or Manually
Service
NameDescriptionRole AccessIndicator
P1Periodic method 1: Automatically by the module when algorithm is first invoked. CO may opt to invoke prior to first algorithm use to avoid delay at time of first operational use of an algorithm or at a later time manually.
P2Periodic method 2: Automatically by the module during power on. CO may opt to invoke manually thereafter.
P3Periodic method 3: Automatically during key generation service
P4Automatically by the module upon first operational use of the DRBG algorithm. When an external entropy source is registered with the module by application level entropy callback function it is considered the first operational use of the DRBG. Does a periodic reseed every 1 million invocations, during the reseed the DRBG health test will be automatically executed.
FIPS_MODE_FAILEDModule has failed its software integrity checkHMAC- SHA2- 256 CAST Failure Module Integrity Check FailurefipsModeId set to FIPS_MODE_FAILED (3)Power Cycle
FIPS_CAST_STATE_F AILUREOne or more algorithm(s) are no longer usable and the module mode is set to FIPS_MODE_DEG RADED (2)AES- CBC AES- GCM HMAC- SHA1 HMAC- SHA2- 256 HMAC- SHA2- 512 HMAC- SHA3- 256 RSA- PKCSv1 .5 DRBG ECC Diffie- HellmanOne or more algorithms CAST status values set to FIPS_CAST_STATE_F AILURE (3)Power Cycle
10.3 Periodic Self-Test Information

HMAC-SHA2256 HMAC-SHA2256 HMAC-SHA2512 HMAC-SHA3256 ECC DiffieHellman FFC DiffieHellman Table 20: Pre-Operational Periodic Information Table 21: Conditional Periodic Information wolfSSL Inc. Public Material

Page 41
Service
NameDescriptionRole AccessIndicator
P3Periodic method 3: Automatically during key generation service
P4Automatically by the module upon first operational use of the DRBG algorithm. When an external entropy source is registered with the module by application level entropy callback function it is considered the first operational use of the DRBG. Does a periodic reseed every 1 million invocations, during the reseed the DRBG health test will be automatically executed.
FIPS_MODE_FAILEDModule has failed its software integrity checkHMAC- SHA2- 256 CAST Failure Module Integrity Check FailurefipsModeId set to FIPS_MODE_FAILED (3)Power Cycle
FIPS_CAST_STATE_F AILUREOne or more algorithm(s) are no longer usable and the module mode is set to FIPS_MODE_DEG RADED (2)AES- CBC AES- GCM HMAC- SHA1 HMAC- SHA2- 256 HMAC- SHA2- 512 HMAC- SHA3- 256 RSA- PKCSv1 .5 DRBG ECC Diffie- HellmanOne or more algorithms CAST status values set to FIPS_CAST_STATE_F AILURE (3)Power Cycle
FIPS_MODE_DEGRA DEDOne or more of the CASTS have failed anytime following a successful power on and integrity check. Upon entering this mode the module will automatically run all CASTS prior to the operational use of any cryptographic algorithm.Any CAST FailurefipsModeId set to FIPS_MODE_DEGRA DED (2)Power Cycle
RSA_KEY_PAIR_ERSA Pairwise Consistency Test FailureRSA- PCTRSA_KEY_PAIR_E (- 262)Manual self- test service call or power cycle
ECC_PCT_EECC Pairwise Consistency Test FailureECC- PCTECC_PCT_E (-286)Manual self- test service call or power cycle
MP_CMP_EDH Pairwise Consistency Test FailureDH-PCTMP_CMP_E (-120)Manual self- test service call or power cycle

Table 22: Periodic Method Descriptions

10.4 Error States

HMACSHA2256 AESCBC AESGCM HMACSHA1 HMACSHA2256 HMACSHA2512 HMACSHA3256 RSAPKCSv1 .5 DiffieHellman d (3) wolfSSL Inc. Public Material

Page 42

DiffieHellman RSAConsistency Test ECCPCT Table 23: Error States d selftest selftest selftest wolfSSL Inc. Public Material

Page 43
10.5 Operator Initiation of Self-Tests

For calling applications the following is required:

  1. Include the library configuration header wolfssl/options.h (or user_settings.h via wolfssl/wolfcrypt/settings.h) first.
  2. After including the library configuration header, include wolfssl/wolfcrypt/fips_test.h then use the API specified below to execute a given self-test. CO may initiate all CAST self-tests in one-shot. The API wc_RunAllCast_fips() is provided as a public API to applications using the module that have included the headers above in proper order. CO may initiate CAST self-tests individually using the API wc_RunCast_fips(algorithm type) with any of the below “algorithm type” inputs: • • • • • • • • • • • • • • FIPS_CAST_AES_CBC FIPS_CAST_AES_GCM FIPS_CAST_HMAC_SHA1 FIPS_CAST_HMAC_SHA2_256 FIPS_CAST_HMAC_SHA2_512 FIPS_CAST_HMAC_SHA3_256 FIPS_CAST_DRBG FIPS_CAST_RSA_SIGN_PKCS1v15 FIPS_CAST_ECC_PRIMITIVE_Z FIPS_CAST_DH_PRIMITIVE_Z FIPS_CAST_ECDSA FIPS_CAST_KDF_TLS12 FIPS_CAST_KDF_TLS13 FIPS_CAST_KDF_SSH CO may re-run the POST at any time after power on using the public API wolfCrypt_IntegrityTest_fips(). This function always returns a value of zero regardless if the integrity check passed or failed so the CO shall then check the status of the module using the API wolfCrypt_GetStatus_fips(). The return value of the GetStatus API shall then be checked against the status indicators below: • • • FIPS_MODE_INIT status indicator value is
  3. This indicator means then integrity test has not completed and is likely running in another thread (multi-threaded) FIPS_MODE_NORMAL status indicator value is
  4. This indicator means the integrity test passed and the module is in a state without errors FIPS_MODE_FAILED status indicator value is
  5. This indicator means the integrity test failed and the module is unusable. The CO shall power cycle or reloaded (equivalent to power cycle) to restore the module.
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

wolfSSL Inc. Public Material

Page 44

The CO shall use the provided wolfCrypt FIPS 140-3 User Guide hereafter referred to as [UG]. A common name for this document is also the Cryptographic Officer Guidance Manual [COGM]. [UG] and [COGM] are one and the same for this module and include all administrative guidance. The [UG] will have a section specific to each Operational Environment [OE] that appears on the modules FIPS certificate and/or in Table 6: Tested Operational Environments - Software, Firmware, Hybrid. The instructions provided in the [UG] shall be followed or the module will never have been properly initialized and built and therefore non-compliant. To create the compliant module, as per this Security Policy, the configuration steps shall be followed.

Page 45

printf("message = %s\n", wc_GetErrorString(err)); printf("hash = %s\n", hash); if (err == IN_CORE_FIPS_E) { printf("In core integrity hash check failure," "copy above hash\n"); printf("into verifyCore[] in fips_test.c and rebuild\n"); } } Figure 2: Code Sample A If using a FIPS callback the CO will register the FIPS callback by passing the function pointer of the FIPS callback function to the following API like so: wolfCrypt_SetCb_fips(myFipsCb); Prior to operational use of the module the CO shall register an entropy callback to load entropy into the module from an external entropy source. A portable callback is available but must be registered by the application on startup since the entropy source is external to the module. To register the portable callback provided with the module the application will call “ret = wc_SetSeed_Cb(wc_GenerateSeed);” where “ret” is an integer to capture the status return of the call and should be checked against the value 0 for success or < 0 for failure. A successful register of any entropy callback function is considered the first operational use of the module outside of pre-operational tests and the DBRG CAST will run during registration of the callback. When working with a private key the application must programmatically unlock access to private key material with the API: wolfCrypt_SetPrivateKeyReadEnable_fips(true/false, key-type).

11.2 Administrator Guidance

The CO shall use the provided wolfCrypt FIPS 140-3 User Guide [UG].

11.3 Non-Administrator Guidance

The Module supports the Cryptographic Officer (CO) operator role and does not support nonadministrators or non-administrative roles.

11.7 Additional Information

Please defer to wolfCrypt FIPS 140-3 User Guide [UG].

12 Mitigation of Other Attacks

The module does not claim mitigation of other attacks. wolfSSL Inc. Public Material