| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 7/10/2029 |
| Caveat | No assurance of the minimum strength of generated SSPs (e.g., keys) |
| Vendor | wolfSSL Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A4308 |
| AES-CCM | A4308 |
| AES-CMAC | A4308 |
| AES-CTR | A4308 |
| AES-ECB | A4308 |
| AES-GCM | A4308 |
| AES-GMAC | A4308 |
| AES-OFB | A4308 |
| DSA KeyGen (FIPS186-4) | A4308 |
| ECDSA KeyGen (FIPS186-4) | A4308 |
| ECDSA KeyVer (FIPS186-4) | A4308 |
| ECDSA SigGen (FIPS186-4) | A4308 |
| ECDSA SigVer (FIPS186-4) | A4308 |
| Hash DRBG | A4308 |
| HMAC-SHA-1 | A4308 |
| HMAC-SHA2- 224 | A4308 |
| HMAC-SHA2- 256 | A4308 |
| HMAC-SHA2- 384 | A4308 |
| HMAC-SHA2- 512 | A4308 |
| HMAC-SHA3- 224 | A4308 |
| HMAC-SHA3- 256 | A4308 |
| HMAC-SHA3- 384 | A4308 |
| HMAC-SHA3- 512 | A4308 |
| KAS-ECC-SSC Sp800-56Ar3 | A4308 |
| KAS-FFC-SSC Sp800-56Ar3 | A4308 |
| KDF SSH (CVL) | A4308 |
| KDF TLS (CVL) | A4308 |
| RSA KeyGen (FIPS186-4) | A4308 |
| RSA SigGen (FIPS186-4) | A4308 |
| RSA SigVer (FIPS186-4) | A4308 |
| SHA-1 | A4308 |
| SHA2-224 | A4308 |
| SHA2-256 | A4308 |
| SHA2-384 | A4308 |
| SHA2-512 | A4308 |
| SHA3-224 | A4308 |
| SHA3-256 | A4308 |
| SHA3-384 | A4308 |
| SHA3-512 | A4308 |
| TLS v1.2 KDF RFC7627 (CVL) | A4308 |
| TLS v1.3 KDF (CVL) | A4308 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Cryptographic Module Interfaces | 3 |
| Roles, Services, and Authentication | 4 |
| Software/Firmware Security | 5 |
| Operational Environment | 6 |
| Physical Security | 7 |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
flowchart LR
%% Deterministic review-risk graph for wolfCrypt
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>UnAuth Block Cipher<br/>Self-test<br/>Show Status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>library named: wolfssl</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>linux<br/>kernel<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C3,C5,C6 clue;
class I3,I5,I6 infer;
class R3,R5,R6 risk;
class E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for wolfCrypt
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>UnAuth Block Cipher<br/>Self-test<br/>Show Status</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>library named: wolfssl</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>linux<br/>kernel<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C3 clueHigh;
class C5,C6 clueLow;wolfSSL Inc. wolfCrypt Document Version 1.6
Edmonds, WA 98020 wolfSSL.com +1 425.245.8247 wolfSSL Inc. Public Material
| # | Section | Page |
|---|---|---|
| 1 | – General | 5 |
| 1.1 | Overview | 5 |
| 1.2 | Security Levels | 5 |
| 1.3 | Additional Information | 5 |
| 2 | – Cryptographic Module Specification | 6 |
| 2.1 | Description | 6 |
| 2.2 | Tested and Vendor Affirmed Module Version and Identification | 7 |
| 2.3 | Excluded Components | 10 |
| 2.4 | Modes of Operation | 10 |
| 2.5 | Algorithms | 12 |
| 2.6 | Security Function Implementations | 15 |
| 2.7 | Algorithm Specific Information | 20 |
| 2.8 | RBG and Entropy | 21 |
| 2.9 | Key Generation | 21 |
| 2.10 | Key Establishment | 21 |
| 2.11 | Industry Protocols | 21 |
| 2.12 | Additional Information | 21 |
| 3 | Cryptographic Module Interfaces | 22 |
| 3.1 | Ports and Interfaces | 22 |
| 4 | Roles, Services, and Authentication | 22 |
| 4.1 | Authentication Methods | 22 |
| 4.2 | Roles | 22 |
| 4.3 | Approved Services | 22 |
| 4.4 | Non-Approved Services | 26 |
| 5 | Software/Firmware Security | 26 |
| 5.1 | Integrity Techniques | 26 |
| 5.2 | Initiate on Demand | 26 |
| 5.3 | Open-Source Parameters | 26 |
| 6 | Operational Environment | 26 |
| 6.1 | Operational Environment Type and Requirements | 26 |
| 6.2 | Configuration Settings and Restrictions | 27 |
| 6.3 | Additional Information | 27 |
| 7 | Physical Security | 27 |
| 7.1 | Mechanisms and Actions Required | 27 |
| 7.5 | EFP/EFT Information | 27 |
| 7.6 | Hardness Testing Temperature Ranges | 27 |
| 8 | Non-Invasive Security | 27 |
| 9 | Sensitive Security Parameters Management | 27 |
| 9.1 | Storage Areas | 27 |
| 9.2 | SSP Input-Output Methods | 28 |
| 9.3 | SSP Zeroization Methods | 28 |
| 9.4 | SSPs | 28 |
| 10 | Self-Tests | 34 |
| 10.1 | Pre-Operational Self-Tests | 34 |
| 10.2 | Conditional Self-Tests | 35 |
| 10.3 | Periodic Self-Test Information | 40 |
| 10.4 | Error States | 41 |
| 10.5 | Operator Initiation of Self-Tests | 43 |
| 11 | Life-Cycle Assurance | 43 |
| 11.1 | Installation, Initialization, and Startup Procedures | 43 |
| 11.2 | Administrator Guidance | 45 |
| 11.3 | Non-Administrator Guidance | 45 |
| 11.7 | Additional Information | 45 |
| 12 | Mitigation of Other Attacks | 45 |
wolfSSL Inc. Public Material
| Item | Page |
|---|---|
| Table 1: Security Levels | 5 |
| Table 2: Legend of Terms and references that appear in this document | 6 |
| Table 3: Source Files | 7 |
| Table 4: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets) | 8 |
| Table 5: Tested Operational Environments - Software, Firmware, Hybrid | 10 |
| Table 6: Modes List and Description | 11 |
| Table 7: Approved Algorithms | 14 |
| Table 8: Vendor-Affirmed Algorithms | 15 |
| Table 9: Security Function Implementations | 20 |
| Table 10: Ports and Interfaces | 22 |
| Table 11: Roles | 22 |
| Table 12: Approved Services | 25 |
| Table 13: Storage Areas | 28 |
| Table 14: SSP Input-Output Methods | 28 |
| Table 15: SSP Zeroization Methods | 28 |
| Table 16: SSP Table 1 | 33 |
| Table 17: SSP Table 2 | 34 |
| Table 18: Pre-Operational Self-Tests | 35 |
| Table 19: Conditional Self-Tests | 39 |
| Table 20: Pre-Operational Periodic Information | 40 |
| Table 21: Conditional Periodic Information | 40 |
| Table 22: Periodic Method Descriptions | 41 |
| Table 23: Error States | 42 |
| Figure 1: Module Block Diagram | 7 |
| Figure 2: Code Sample A | 45 |
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic module specification | 1 |
| 3 | 3 | Cryptographic module interfaces | 1 |
| 4 | 4 | Roles, services, and authentication | 1 |
| 5 | 5 | Software/Firmware security | 1 |
| 6 | 6 | Operational environment | 1 |
| 7 | 7 | Physical security | N/A |
| 8 | 8 | Non-invasive security | N/A |
| 9 | 9 | Sensitive security parameter management | 1 |
| 10 | 10 | Self-tests | 1 |
| 11 | 11 | Life-cycle assurance | 1 |
| 12 | 12 | Mitigation of other attacks | N/A |
| Overall Level | Overall Level | 1 |
| Term/Ref | Description | ||
|---|---|---|---|
| [140-3] | FIPS 140-3, Security Requirements for Cryptographic Modules | ||
| [OE] | The “Operating Environment” | ||
| [186-4] | FIPS 186-4, Digital Signature Standard (DSS) | ||
| [90Arev1] | NIST SP 800-90A Rev. 1, Recommendation for Random Number Generation Using Deterministic Random Bit Generators | ||
| [56Arev3] | NIST SP 800-56A Rev. 3, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography | ||
| [56Crev2] | NIST SP 800-56C Rev. 2, Recommendation for Key- Derivation Methods in Key-Establishment Schemes | ||
| [135rev1] | NIST SP 800-135 Rev. 1, Recommendation for Existing Application-Specific Key Derivation Functions |
This document defines the Security Policy for wolfSSL Inc. wolfCrypt cryptographic module, security levels as described in section 1.2 below.
In accordance with AS02.05, [ISO19790] §7.7 Physical Security is optional and does not apply wolfSSL Inc. Public Material
| Term/Ref | Description | ||
|---|---|---|---|
| [140Drev2] | NIST SP 800-140D revision 2, CMVP Approved Sensitive Parameter Generation and Establishment Methods: CMVP Validation Authority Updates to ISO/IEC 24759 | ||
| [UG] | wolfCrypt FIPS 140-3 User Guide (sometimes referred to as the “Cryptographic Officer Guidance Manual” in documentation not produced by this vendor) | ||
| [COGM] | Cryptographic Officer Guidance Manual (Another term for [UG] recognized by some in the Industry. Same meaning as [UG] | ||
| [140-3 IG] | FIPS 140-3, Implementation Guidance | ||
| [131Arev2] | NIST SP 800-131A Rev. 2, Transitioning the Use of Cryptographic Algorithms and Key Lengths | ||
| [56Brev2] | NIST SP 800-56B Rev. 2, Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography |
Table 2: Legend of Terms and references that appear in this document
TOEPP: The platform(s) used for testing are documented in Table 6: Tested Operational Environments - Software, Firmware, Hybrid. If the onboard CPU of a tested platform supported a known PAA [FIPS 140-3 IG 2.3.C] and was desirable for FIPS use, then in accordance with [FIPS 140-3 IG2.3.C] that platform was tested both with and without PAA unless an identical or similar platform had already been tested. When an identical or similar platform was already tested, the new platform was tested only with PAA. This is reflected by the column PAA/PAI in table 6 as marked with a Yes or No entry. The Intel and AMD AESNI (AES New Instructions) are known PAA(s). The Module is a cryptography software library. The Module is a Multi-Chip Stand Alone embodiment. The Module is intended for use by U.S. and Canadian Federal agencies in addition to any other markets that require FIPS 140-3 validated cryptographic functionality. The Module was originally designed with embedded and IoT in mind. As a side effect of this design, it also scales exceptionally well on larger desktop and server systems allowing more connections per box than similar competing solutions. The Module version under validation is Software Version v5.2.1. Module Type: Software Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: wolfSSL Inc. Public Material
| Name | Description | Approved Functions | |
|---|---|---|---|
| aes_asm.s | AES assembler optimizations (Linux) | aes_asm.s | |
| aes_asm.asm | AES assembler optimizations (Windows 10) | ||
| cmac.c | CMAC algorithm | cmac.c | |
| dh.c | Diffie-Hellman | ||
| ecc.c | Elliptic curve cryptography | ecc.c | |
| fips.c | Pre-operational entry point and API wrappers | ||
| fips_test.c | Power on self-tests | fips_test.c | |
| hmac.c | HMAC algorithm | ||
| kdf.c | TLS v1.2, v1.3 and SSH v2 KDFs | kdf.c | |
| random.c | DRBG algorithm | ||
| rsa.c | RSA algorithm | rsa.c | |
| sha.c | SHA algorithm | ||
| sha256.c | SHA-256 algorithm | sha256.c | |
| sha256_asm.s | SHA-256 assembler optimizations (Linux) | ||
| sha512_asm.s | SHA-512 assembler optimizations (Linux) | sha512_asm.s | |
| sha3.c | SHA-3 algorithm | ||
| sha512.c | SHA-512 algorithm | sha512.c | |
| wolfcrypt_first.c | First function and Read Only address marking start | wolfcrypt_first.c | |
| wolfcrypt_last.c | Last function and Read Only address marking end of cryptographic boundary | wolfcrypt_last.c |
Figure 1 depicts the Module operational environment, with the software module cryptographic boundary highlighted in red inclusive of all Module entry points (API calls). The Module is defined as a Software module per AS02.03. No components are excluded from [140-3] requirements. The pre-operational approved integrity test is performed over all components of the cryptographic boundary. Updates to the Module are provided as a complete replacement in accordance with AS04.27
Tested Module Identification
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Features | Package | Integrity Test |
|---|---|---|---|---|---|---|---|---|---|
| wolfssl-5.6.3- commercial-fips- linuxv5.2.1.7z | v5.2.1 | FIPS 140-3 module and SSL/TLS library | wolfssl-5.6.3- commercial-fips- linuxv5.2.1.7z | HMAC-SHA256 | |||||
| Linux 4.4 (Ubuntu 16.04 LTS) | Linux 4.4 (Ubuntu 16.04 LTS) | Intel Ultrabook 2 in 1 | v5.2.1 | Intel Core i5-5300U CPU @2.30GHz x 4 | Yes | ||||
| Linux 4.4 (Ubuntu 16.04 LTS) | Linux 4.4 (Ubuntu 16.04 LTS) | Intel Ultrabook 2 in 1 | v5.2.1 | Intel Core i5-5300U CPU @2.30GHz x 4 | No | ||||
| Android 13 | Android 13 | Samsung Galaxy XCover Pro | v5.2.1 | Exynos 9611 without PAA | No | ||||
| Linux 5.4 | Linux 5.4 | WTM 4100 | v5.2.1 | Broadcom BCM56260B0IFSBG - Saber2 | No | ||||
| RedHat Enterprise Linux Workstation 8.9 | RedHat Enterprise Linux Workstation 8.9 | Precision 5820 Tower | v5.2.1 | Intel® Xeon® W- 2255 @ 3.7GHz | No | ||||
| FreeRTOS v10.4 | FreeRTOS v10.4 | Network Interface Card for Aclara RF | v5.2.1 | Renesas R7FA6E10F | No | ||||
| Linux 5.15 | Linux 5.15 | iSTAR physical access controller | v5.2.1 | Freescale i.MX7 Dual Arm Cortex A-7 | No | ||||
| Linux 4.14 | Linux 4.14 | Ricoh IM C3010 | v5.2.1 | Intel® Atom® E3930 @1.30GHz | No | ||||
| Linux 4.14 | Linux 4.14 | Ricoh IM C4510 | v5.2.1 | Intel® Atom® E3940 @1.60GHz | No | ||||
| NET+OS v7.6 | NET+OS v7.6 | Spectrum Infusion System | v5.2.1 | Digi International NS9210 | No | ||||
| Yocto (kirkstone) 4.0 | Yocto (kirkstone) 4.0 | Novum IQ Infusion Platform | v5.2.1 | NXP i.MX6UL | No | ||||
| MQX 3.4 | MQX 3.4 | FEI-Zyfer Time and Frequency System | v5.2.1 | NXP PowerQUICC II MPC8313e 32bit | No |
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Features | Package | Integrity Test |
|---|---|---|---|---|---|---|---|---|---|
| wolfssl-5.6.3- commercial-fips- linuxv5.2.1.7z | v5.2.1 | FIPS 140-3 module and SSL/TLS library | wolfssl-5.6.3- commercial-fips- linuxv5.2.1.7z | HMAC-SHA256 | |||||
| Linux 4.4 (Ubuntu 16.04 LTS) | Linux 4.4 (Ubuntu 16.04 LTS) | Intel Ultrabook 2 in 1 | v5.2.1 | Intel Core i5-5300U CPU @2.30GHz x 4 | Yes | ||||
| Linux 4.4 (Ubuntu 16.04 LTS) | Linux 4.4 (Ubuntu 16.04 LTS) | Intel Ultrabook 2 in 1 | v5.2.1 | Intel Core i5-5300U CPU @2.30GHz x 4 | No | ||||
| Android 13 | Android 13 | Samsung Galaxy XCover Pro | v5.2.1 | Exynos 9611 without PAA | No | ||||
| Linux 5.4 | Linux 5.4 | WTM 4100 | v5.2.1 | Broadcom BCM56260B0IFSBG - Saber2 | No | ||||
| RedHat Enterprise Linux Workstation 8.9 | RedHat Enterprise Linux Workstation 8.9 | Precision 5820 Tower | v5.2.1 | Intel® Xeon® W- 2255 @ 3.7GHz | No | ||||
| FreeRTOS v10.4 | FreeRTOS v10.4 | Network Interface Card for Aclara RF | v5.2.1 | Renesas R7FA6E10F | No | ||||
| Linux 5.15 | Linux 5.15 | iSTAR physical access controller | v5.2.1 | Freescale i.MX7 Dual Arm Cortex A-7 | No | ||||
| Linux 4.14 | Linux 4.14 | Ricoh IM C3010 | v5.2.1 | Intel® Atom® E3930 @1.30GHz | No | ||||
| Linux 4.14 | Linux 4.14 | Ricoh IM C4510 | v5.2.1 | Intel® Atom® E3940 @1.60GHz | No | ||||
| NET+OS v7.6 | NET+OS v7.6 | Spectrum Infusion System | v5.2.1 | Digi International NS9210 | No | ||||
| Yocto (kirkstone) 4.0 | Yocto (kirkstone) 4.0 | Novum IQ Infusion Platform | v5.2.1 | NXP i.MX6UL | No | ||||
| MQX 3.4 | MQX 3.4 | FEI-Zyfer Time and Frequency System | v5.2.1 | NXP PowerQUICC II MPC8313e 32bit | No | ||||
| CodeOS v1.4 | CodeOS v1.4 | Series CR2700 Code Reader(s) | v5.2.1 | CodeCorp CT8200 (ARM FA626TE) | No | ||||
| OpenRTOS v10.5 | OpenRTOS v10.5 | Teledyne Webb SOM Module | v5.2.1 | STM32L4R5 | No | ||||
| Endace Crypto Firmware 2.1 | Endace Crypto Firmware 2.1 | EndaceProbe 2144 | v5.2.1 | Intel® Xeon® Silver 4316 CPU @2.30GHz | No | ||||
| Endace Crypto Firmware 2.1 | Endace Crypto Firmware 2.1 | EndaceProbe 2144 | v5.2.1 | Intel® Xeon® Silver 4316 CPU @2.30GHz | Yes | ||||
| Endace Crypto Firmware 2.1 | Endace Crypto Firmware 2.1 | EndaceProbe 2184 | v5.2.1 | Intel® Xeon® Gold 6338N CPU @2.20GHz | No | ||||
| Endace Crypto Firmware 2.1 | Endace Crypto Firmware 2.1 | EndaceProbe 2184 | v5.2.1 | Intel® Xeon® Gold 6338N CPU @2.20GHz | Yes | ||||
| Endace Crypto Firmware 2.1 | Endace Crypto Firmware 2.1 | EndaceProbe 94C8 | v5.2.1 | Intel® Xeon® Gold 5418N CPU @1.80GHz | Yes | ||||
| Endace Crypto Firmware 2.1 | Endace Crypto Firmware 2.1 | EndaceProbe 92C8 | v5.2.1 | Intel® Xeon® Gold 6230N CPU @2.30GHz | Yes | ||||
| Anyware Trusted Zero Client Firmware Kernel 6.1 | Anyware Trusted Zero Client Firmware Kernel 6.1 | Anyware Trusted Zero Client | v5.2.1 | AMD Ryzen Embedded R1305G | No | ||||
| Anyware Trusted Zero Client Firmware Kernel 6.1 | Anyware Trusted Zero Client Firmware Kernel 6.1 | Anyware Trusted Zero Client | v5.2.1 | AMD Ryzen Embedded R1305G | Yes | ||||
| Anyware Trusted Zero Client Firmware Kernel 6.1 | Anyware Trusted Zero Client Firmware Kernel 6.1 | HP tz655 Trusted Zero Client | v5.2.1 | AMD Ryzen Embedded R2314 | Yes | ||||
| Fusion Embedded RTOS 5.0 | Fusion Embedded RTOS 5.0 | Classone ® IP Radio Gateway | v5.2.1 | Analog Devices ADSP-BF516 (Blackfin) | No | ||||
| Linux 5.4 | Linux 5.4 | Harman MUSE MU Controller | v5.2.1 | NXP i.MX8M | No | ||||
| Linux 4.9 | Linux 4.9 | Harman N2612S Video encoder/decoder | v5.2.1 | ARM Cortex-A7 | No | ||||
| Linux 5.10 | Linux 5.10 | Harman N4321D audio transcoder | v5.2.1 | NXP i.MX8 | No | ||||
| Red Hat Enterprise Linux Workstation 8.10 | Red Hat Enterprise Linux Workstation 8.10 | Precision 5820 Tower | v5.2.1 | Intel® Xeon® W- 2255 @ 3.7GHz | No | ||||
| Endace Crypto Firmware 2.1 | Endace Crypto Firmware 2.1 | EndaceProbe 2144 | v5.2.1 | Intel® Xeon® Gold 5411N @1.90GHz | Yes | ||||
| Endace Crypto Firmware 2.1 | Endace Crypto Firmware 2.1 | EndaceProbe 2184 | v5.2.1 | Intel® Xeon® Gold 6438N @2.00GHz | Yes | ||||
| Endace Crypto Firmware 2.1 | Endace Crypto Firmware 2.1 | EndaceProbe 92C8 | v5.2.1 | Intel® Xeon® Gold 6148 CPU @2.40GHz | Yes |
wolfssl-5.6.3commercial-fipslinuxv5.2.1.7z Table 4: Tested Module Identification
2.1 2.1 2.1 2.1 2.1 2.1 wolfSSL Inc. Public Material
| Name | Description | Indicator | Type |
|---|---|---|---|
| Approved mode of operation | The Module supports an Approved mode of operation. In this mode all services are available. | FIPS_MODE_NORMAL (1) | Approved |
| Degraded mode of operation | The Module implements a Degraded Mode of operation: when a CAST fails, that CAST is marked as failed and the module will inhibit use of algorithms governed by that CAST | FIPS_MODE_DEGRADED (2) | Approved |
2.1 2.1 2.1 Table 5: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: The Module conforms to [140-3 IG] 2.3.C Processor Algorithm Accelerators (PAA) and Processor Algorithm Implementation (PAI). The Intel Processor AES-NI functions are identified by [140-3 IG] 2.3.C as a known PAA. No vendor affirmed operational environments are claimed for this validation of the module.
N/A the module does not support excluded components. Modes List and Description: wolfSSL Inc. Public Material
(2) Table 6: Modes List and Description Each time the module is power cycled or reloaded all CAST status are initialized to FIPS_CAST_STATE_INIT. Each algorithm invocation includes a check of the algorithms CAST status; if the CAST status is CAST status will be updated to either FIPS_CAST_STATE_SUCCESS (if it passes) or FIPS_CAST_STATE_FAILURE (if it fails). See degraded mode for when a CAST status fails. To check the modules overall status at any time the cryptographic officer may use the Show Status service by calling wolfCrypt_GetMode_fips() this will return either: FIPS_MODE_INIT (0) - Module is currently running its’ pre-operational self-test in another thread (multi-threaded) FIPS_MODE_NORMAL (1) - Module in normal mode of operation without errors To check the CAST state of any algorithm the cryptographic officer may use the Show Status Service by calling wc_GetCastStatus_fips(<algorithm type>) where algorithm type can be any of the following:
| Name | CAVP Cert | Properties | Reference |
|---|---|---|---|
| AES-CBC | A4308 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CCM | A4308 | Key Length - 128, 192, 256 | SP 800-38C |
| AES-CMAC | A4308 | Direction - Generation, Verification Key Length - 128, 192, 256 | SP 800-38B |
| AES-CTR | A4308 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-ECB | A4308 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-GCM | A4308 | Direction - Decrypt, Encrypt IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 192, 256 | SP 800-38D |
| AES-GMAC | A4308 | Direction - Decrypt, Encrypt IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 192, 256 | SP 800-38D |
| AES-OFB | A4308 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| DSA KeyGen (FIPS186-4) | A4308 | L - 2048 N - 256 | FIPS 186-4 |
| ECDSA KeyGen (FIPS186-4) | A4308 | Curve - P-224, P-256, P-384, P-521 Secret Generation Mode - Extra Bits | FIPS 186-4 |
| ECDSA KeyVer (FIPS186-4) | A4308 | Curve - P-192, P-224, P-256, P-384, P-521 | FIPS 186-4 |
| ECDSA SigGen (FIPS186-4) | A4308 | Component - No Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA3-224, SHA3-256, SHA3- 384, SHA3-512 | FIPS 186-4 |
| ECDSA SigVer (FIPS186-4) | A4308 | Component - No Curve - P-192, P-224, P-256, P-384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 | FIPS 186-4 |
| Hash DRBG | A4308 | Prediction Resistance - No Mode - SHA2-256 | SP 800-90A Rev. 1 |
| HMAC-SHA-1 | A4308 | Key Length - Key Length: 112-1024 Increment 8 | FIPS 198-1 |
| HMAC-SHA2- 224 | A4308 | Key Length - Key Length: 112-1024 Increment 8 | FIPS 198-1 |
| HMAC-SHA2- 256 | A4308 | Key Length - Key Length: 112-1024 Increment 8 | FIPS 198-1 |
| HMAC-SHA2- 384 | A4308 | Key Length - Key Length: 112-1024 Increment 8 | FIPS 198-1 |
| HMAC-SHA2- 512 | A4308 | Key Length - Key Length: 112-1024 Increment 8 | FIPS 198-1 |
| HMAC-SHA3- 224 | A4308 | Key Length - Key Length: 112-1024 Increment 8 | FIPS 198-1 |
| HMAC-SHA3- 256 | A4308 | Key Length - Key Length: 112-1024 Increment 8 | FIPS 198-1 |
| HMAC-SHA3- 384 | A4308 | Key Length - Key Length: 112-1024 Increment 8 | FIPS 198-1 |
| HMAC-SHA3- 512 | A4308 | Key Length - Key Length: 112-1024 Increment 8 | FIPS 198-1 |
| KAS-ECC-SSC Sp800-56Ar3 | A4308 | Domain Parameter Generation Methods - P- 256, P-384, P-521 Scheme - ephemeralUnified - KAS Role - initiator, responder | SP 800-56A Rev. 3 |
| KAS-FFC-SSC Sp800-56Ar3 | A4308 | Domain Parameter Generation Methods - ffdhe2048 Scheme - dhEphem - KAS Role - initiator, responder | SP 800-56A Rev. 3 |
| KDF SSH (CVL) | A4308 | Cipher - AES-128, AES-192, AES-256 Hash Algorithm - SHA-1, SHA2-256, SHA2-384, SHA2-512 | SP 800-135 Rev. 1 |
| KDF TLS (CVL) | A4308 | TLS Version - v1.2 Hash Algorithm - SHA2-256, SHA2-384, SHA2- 512 | SP 800-135 Rev. 1 |
| RSA KeyGen (FIPS186-4) | A4308 | Key Generation Mode - B.3.3 Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard | FIPS 186-4 |
| RSA SigGen (FIPS186-4) | A4308 | Signature Type - PKCS 1.5, PKCSPSS Modulo - 2048, 3072, 4096 | FIPS 186-4 |
| RSA SigVer (FIPS186-4) | A4308 | Signature Type - PKCS 1.5, PKCSPSS Modulo - 1024, 2048, 3072, 4096 | FIPS 186-4 |
| SHA-1 | A4308 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 |
| SHA2-224 | A4308 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 |
| SHA2-256 | A4308 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 |
| SHA2-384 | A4308 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 |
| SHA2-512 | A4308 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 180-4 |
| SHA3-224 | A4308 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 202 |
| SHA3-256 | A4308 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 202 |
| SHA3-384 | A4308 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 202 |
| SHA3-512 | A4308 | Message Length - Message Length: 0-65536 Increment 8 | FIPS 202 |
| TLS v1.2 KDF RFC7627 (CVL) | A4308 | Hash Algorithm - SHA2-256, SHA2-384, SHA2- 512 | SP 800-135 Rev. 1 |
| TLS v1.3 KDF (CVL) | A4308 | HMAC Algorithm - SHA2-256, SHA2-384 KDF Running Modes - DHE, PSK, PSK-DHE | SP 800-135 Rev. 1 |
Approved Algorithms: wolfSSL Inc. Public Material
HMAC-SHA2224 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2512 HMAC-SHA3224 HMAC-SHA3256 HMAC-SHA3384 HMAC-SHA3512 wolfSSL Inc. Public Material
| Name | Description | Approved Functions | Type | Properties | ||
|---|---|---|---|---|---|---|
| CKG- 1 | Asymmetric:RSA Asymmetric:ECDSA | wolfCrypt | SP800-133r2 5.1 "Key Pairs for Digital Signature Schemes" | |||
| CKG- 2 | Asymmetric:ECC Asymmetric:FFC | wolfCrypt | SP800-133r2 5.2 "Key Pairs for Key Establishment" | |||
| CKG- 3 | Symmetric:AES Symmetric:HMAC | wolfCrypt | SP800-133r2 6.2 "Derivation of Symmetric Keys" | |||
| DRBG | Deterministic Random Byte Generator | SHA2-256 A4308: Hash DRBG A4308: | DRBG | |||
| Message Authentication | Hash-Based Message Authentication Codes, Generation and Verification | HMAC-SHA-1 A4308: HMAC-SHA2- 224 A4308: HMAC-SHA2- 256 A4308: HMAC-SHA2- 384 A4308: HMAC-SHA2- 512 A4308: HMAC-SHA3- 224 A4308: HMAC-SHA3- | MAC |
Table 7: Approved Algorithms NOTE: Only the algorithms specified in this section are supported by the module in approved mode of operation. No operational use of an algorithm may be performed until the corresponding CAST has passed. Vendor-Affirmed Algorithms: CKG1 wolfSSL Inc. Public Material
| Name | Description | Approved Functions | Type | Properties | ||
|---|---|---|---|---|---|---|
| CKG- 2 | Asymmetric:ECC Asymmetric:FFC | wolfCrypt | SP800-133r2 5.2 "Key Pairs for Key Establishment" | |||
| CKG- 3 | Symmetric:AES Symmetric:HMAC | wolfCrypt | SP800-133r2 6.2 "Derivation of Symmetric Keys" | |||
| DRBG | Deterministic Random Byte Generator | SHA2-256 A4308: Hash DRBG A4308: | DRBG | |||
| Message Authentication | Hash-Based Message Authentication Codes, Generation and Verification | HMAC-SHA-1 A4308: HMAC-SHA2- 224 A4308: HMAC-SHA2- 256 A4308: HMAC-SHA2- 384 A4308: HMAC-SHA2- 512 A4308: HMAC-SHA3- 224 A4308: HMAC-SHA3- | MAC | |||
| Secure Hash | Secure Hash Function | SHA-1 A4308: SHA2-224 A4308: SHA2-256 A4308: SHA2-384 A4308: SHA2-512 A4308: SHA3-224 A4308: SHA3-256 A4308: SHA3-384 A4308: SHA3-512 A4308: | SHA | |||
| TLS 1.3 Key Agreement | KDF: Extract then Expand (56C) | TLS v1.3 KDF A4308: HMAC-SHA2- 256 A4308: HMAC-SHA2- 384 A4308: HMAC-SHA2- 512 A4308: | KAS-56CKDF | |||
| Primitive Key Agreement | DH: Key agreement primitives | KAS-FFC-SSC Sp800-56Ar3 A4308: | KAS-KeyGen | |||
| KDF Derived Key Agreement | KDF: Derive keying material from a shared secret (135); | KDF SSH A4308: KDF TLS A4308: TLS v1.2 KDF RFC7627 A4308: SHA-1 A4308: | KAS-135KDF | |||
| KAS SSC Derived Key Agreement | Derived keying material from a shared secret | KAS-ECC-SSC Sp800-56Ar3 A4308: KAS-FFC-SSC Sp800-56Ar3 A4308: | KAS-SSC | |||
| 133r2 5.1 Asymmetric Key Generation | SP800-133r2 5.1 "Key Pairs for Digital Signature Schemes" | RSA KeyGen (FIPS186-4) A4308: ECDSA KeyGen (FIPS186-4) A4308: Hash DRBG A4308: CKG-1 Vendor Affirmed: | CKG | |||
| 133r2 5.2 Asymmetric Key Generation | SP800-133r2 5.2 "Key Pairs for Key Establishment" | KAS-ECC-SSC Sp800-56Ar3 A4308: KAS-FFC-SSC Sp800-56Ar3 A4308: Hash DRBG A4308: CKG-2 Vendor Affirmed: | CKG | |||
| Symmetric Key Generation | SP800-133r2 6.2 "Derivation of Symmetric Keys" | AES-CBC A4308: AES-CCM A4308: AES-CMAC A4308: AES-CTR A4308: AES-ECB A4308: AES-GCM A4308: AES-GMAC A4308: AES-OFB A4308: HMAC-SHA-1 | CKG | |||
| RSA Asymmetric Key-Pair Generation | Generate an RSA Asymmetric Key Pair | RSA KeyGen (FIPS186-4) A4308: Hash DRBG A4308: | AsymKeyPair- KeyGen | |||
| DSA Asymmetric Key-Pair Generation | Generate a DSA Asymmetric Key Pair, Validate a Public DSA Key and KAS-FFC- SSC Domain Parameter Generation (SP800-56Ar3) | KAS-FFC-SSC Sp800-56Ar3 A4308: DSA KeyGen (FIPS186-4) A4308: Hash DRBG A4308: | AsymKeyPair- KeyGen AsymKeyPair- PubKeyVal AsymKeyPair- DomPar | |||
| ECC Asymmetric Key-Pair Generation | Generate an ECC Asymmetric Key Pair, ECC KeyVer and KAS-ECC-SSC | KAS-ECC-SSC Sp800-56Ar3 A4308: ECDSA KeyGen (FIPS186-4) A4308: | AsymKeyPair- KeyVer AsymKeyPair- KeyGen AsymKeyPair- DomPar |
CKG2 CKG3 Table 8: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. The Module does not implement non-approved algorithms. The services listed in this Security Policy include all cryptographic and non-cryptographic functionality. NOTE: For TLS 1.2 KDF Extended master-secret shall be used in approved mode of operation. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: N/A for this module.
HMAC-SHA2224 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2512 HMAC-SHA3224 wolfSSL Inc. Public Material
HMAC-SHA3384 HMAC-SHA3512 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2512 wolfSSL Inc. Public Material
wolfSSL Inc. Public Material
AsymKeyPairKeyGen AsymKeyPairKeyGen AsymKeyPairPubKeyVal AsymKeyPairDomPar AsymKeyPairKeyVer AsymKeyPairKeyGen AsymKeyPairDomPar HMAC-SHA2224 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2512 HMAC-SHA3224 HMAC-SHA3256 HMAC-SHA3384 HMAC-SHA3512 wolfSSL Inc. Public Material
| Name | Description | Approved Functions | Type | |
|---|---|---|---|---|
| Digital Signature Generation | Digital Signature Generation | RSA SigGen (FIPS186-4) A4308: ECDSA SigGen (FIPS186-4) A4308: SHA2-224 A4308: SHA2-256 A4308: SHA2-384 A4308: SHA2-512 A4308: SHA3-224 A4308: SHA3-256 A4308: SHA3-384 A4308: SHA3-512 A4308: Hash DRBG A4308: | DigSig-SigGen | |
| Digital Signature Verification | Digital Signature Verification | RSA SigVer (FIPS186-4) A4308: ECDSA SigVer (FIPS186-4) A4308: ECDSA KeyVer (FIPS186-4) A4308: SHA-1 A4308: SHA2-224 A4308: SHA2-256 A4308: SHA2-384 A4308: SHA2-512 A4308: SHA3-224 A4308: SHA3-256 | DigSig-SigVer | DigSig- SigVer:1024 (verification only) DigSig- SigVer:SHA-1 (verification only) DigSig- SigVer:P-192 (Signature and Key Verification only) |
DigSigSigVer:1024 DigSigSigVer:SHA-1 DigSigSigVer:P-192 wolfSSL Inc. Public Material
| Name | Description | Approved Functions | Type |
|---|---|---|---|
| Auth Block Cipher | Authenticated Block Ciphers | AES-GMAC A4308: AES-GCM A4308: AES-CMAC A4308: AES-CCM A4308: | BC-Auth |
| UnAuth Block Cipher | Unauthenticated Block Ciphers | AES-CBC A4308: AES-ECB A4308: AES-OFB A4308: AES-CTR A4308: | BC-UnAuth |
Table 9: Security Function Implementations
The conditions for using the Module in the Approved mode of operation are:
performs a check for nonce_explicit rollover, returning an error if that condition is encountered. b. ECDSA and RSA signature generation must be used with a SHA-2 or SHA-3 hash function. c. RSA signature generation and encryption primitives must use RSA keys with k = 2048,
d. The calling process shall adhere to all current [131Arev2] algorithm usage restrictions.
N/A for this module. N/A for this module.
The Module conforms to [140-3 IG] D.C References to the Support of Industry Protocols: while the module provides [56A] conformant schemes and API entry points oriented to TLS and SSH usage, the Module does not contain the full implementation of TLS or SSH. The following statements are required per IG D.C case #2: No parts of the TLS protocol other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. No parts of the SSH protocol other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP.
The Module design corresponds to the Module security rules. Security rules enforced by the Module are described in the appropriate context of this document. wolfSSL Inc. Public Material
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| N/A: Internal (call stack) | N/A: Internal (call stack) | Control Input | API entry point: stack frame including non-sensitive parameters |
| N/A: Internal (call stack) | N/A: Internal (call stack) | Control Output | API call parameters passed by reference for structures allocated by wolfCrypt |
| N/A: Internal (call stack) | N/A: Internal (call stack) | Data Input | API call parameters passed by reference or value for cryptographic service input |
| N/A: Internal (call stack) | N/A: Internal (call stack) | Data Output | API call parameters passed by reference for cryptographic service output |
| N/A: Internal (call stack) | N/A: Internal (call stack) | Status Output | API return value: enumerated status resulting from call execution |
| Name | Description | Role Access | Csps Accessed | Approved Functions | Indicator | Type | Input | Output |
|---|---|---|---|---|---|---|---|---|
| CO | CO | Role | ||||||
| Digital Signature | Generate or verify | CO - DS_SGK: | Digital Signature | Successf ul | Sign: Key Struct | Sign: Status return; |
| Name | Description | Role Access | Csps Accessed | Approved Functions | Indicator | Type | Input | Output |
|---|---|---|---|---|---|---|---|---|
| CO | CO | Role | ||||||
| Digital Signature | Generate or verify | CO - DS_SGK: | Digital Signature | Successf ul | Sign: Key Struct | Sign: Status return; |
Table 10: Ports and Interfaces Table 7 defines the Module’s [140-3] logical interfaces; the Module does not interact with physical ports.
Table 11: Roles The Module supports the Cryptographic Officer (CO) operator role, and does not support multiple concurrent operators, a maintenance role or bypass capability. The cryptographic module does not provide an authentication or identification method of its own. The CO role is implicitly identified by the service requested.
n wolfSSL Inc. Public Material
| Name | Description | Strength | Security Function | Generation | Output | Indicator completi on of the service (status code >= 0) |
|---|---|---|---|---|---|---|
| Generate Key Pair | Generate asymmetric key pairs. | FFC, ECC: curve identifier; RSA: modulus size; | CO - GKP_Privat e: G,R,Z - GKP_Publi c: G,R,Z | ECC Asymmetric Key-Pair Generation DSA Asymmetric Key-Pair Generation RSA Asymmetric Key-Pair Generation 133r2 5.2 Asymmetric Key Generation 133r2 5.1 Asymmetric Key Generation | Status return; Key structure (GKP_Privat e) | Successf ul completi on of the service (status code >= 0) |
| Key Agreeme nt | DH key agreement primitives. | Key structures (KAS_Priva te and KAS_Publi c); flags; | CO - KAS_Privat e: W,E,Z - KAS_Public : W,E,Z - KAS_SSC: G,R,Z | Primitive Key Agreement | Status return; KAS_SSC; | Successf ul completi on of the service (status code >= 0) |
| Key Derivatio n | Derive keying material from a shared secret | KAS_SSC; flags; | CO - KAS_SSC: R,E,Z | TLS 1.3 Key Agreement KDF Derived Key Agreement KAS SSC Derived Key Agreement | Status return; KD_DKM; | Successf ul completi on of the service (status code >= 0) |
| Keyed Hash | Generate or verify message integrity | KH_Key | CO - KH_Key: W,E | Message Authenticati on | Status return; Tag value; | Successf ul completi on of the |
n 0) 0) e) 0) n 0) W,E,Z W,E,Z e: G,R,Z c: G,R,Z e: W,E,Z : W,E,Z G,R,Z R,E,Z W,E wolfSSL Inc. Public Material
| Name | Description | Csps Accessed | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|
| Message Digest | Generate a message digest | CO | Secure Hash | Successf ul completi on of the service (status code >= 0) | Message; flags; | Status return; Hash value; |
| Random | Generate random bits using the DRBG | CO - Seed: W,E,Z - Internal State: G,E - Secret C: G,E - Secret V: G,E - Entropy Input String: W,E,Z | DRBG | Successf ul completi on of the service (status code >= 0) | DRBG structure (Internal State containing secret(s) C and V); Seed | Status return; Random Value; |
| Self-test | Perform the designated self-test. | CO - MOD_INT: G,Z - coreKey: E | Message Authenticati on | Successf ul completi on of the service (status code >= 0) | Flags | Status return |
| Show Status | Provide Module status | CO | Successf ul completi on of the service (status code >= 0) | None | Status return | |
| Symmetri c cipher | Encrypt or Decrypt data, including AEAD modes | CO - SC_EDK: E,W | Auth Block Cipher UnAuth Block Cipher Symmetric | Successf ul completi on of the service (status | SC_EDK; flags; | Status return. Plaintext or ciphertext data; |
n 0) 0) 0) 0) 0) W,E,Z G,E G,E W,E,Z G,Z E E,W wolfSSL Inc. Public Material
| Name | Description | Security Function | Input | Output | Indicator code >= 0) |
|---|---|---|---|---|---|
| Zeroise | FreeRng_fi ps destroys RNG CSPs. All functions zeroise CSPs using function ForceZero (overwriting with zeros) within the function scope after use. Caller stack cleanup is the duty of the application. Restarting the general- purpose computer clears all CSPs in RAM. | CO - DS_SGK: Z - GKP_Privat e: Z - KAS_Privat e: Z - KAS_SSC: Z - KD_DKM: Z - KH_Key: Z - Seed: Z - Internal State: Z - Secret C: Z - Secret V: Z - SC_EDK: Z - Entropy Input String: Z | DRBG struct (RBG State) or other structures containing SSPs | Status return | Successf ul completi on of the service (status code >= 0) |
| Show Version | Provide Module Version | CO | None | Plaintext containing the module version | Successf ul completi on of the service (status code >= 0) |
n generalpurpose Table 12: Approved Services 0) 0)
See the wolfCrypt FIPS 140-3 User Guide [UG] for additional information on the cryptographic services listed in this section. Note that the caller provides the KAS_Private and KAS_Public keys for shared secret computation; the caller’s exchange and assurance of PSPs with the remote participant is outside the scope of the Module. For services Generate Key Pair, Key Agreement and Key Derivation consistent with [140-3 IG] 9.5.A, available only if the private_key_read_enable property is set to TRUE
The Module uses HMAC-SHA2-256 with a 256-bit key (HMAC Cert. #A4308) as the approved integrity technique. Before the integrity technique is executed the module performs an HMACSHA2-256 KAT.
The operator can initiate the integrity test on demand by reloading the Module or by calling the API wolfCrypt_IntegrityTest_fips() at any time after power on. (See Section 10.5 “Operator Initiation of Self-Tests” later in this document for details of proper use of this API in an application).
While the module is not “open source” since it is only shipped under a commercial license, open source practice of source code delivery with a commercial license is standard for the module. As such the module (while not required to do so) will abide by ISO/IEC 19790:2012 B.2.5. Please see details in the wolfCrypt FIPS 140-3 User Guide [UG] for the [OE] listed on the FIPS certificate. Details will include information about compiler, compiler configuration settings and methods to compile the source code into an executable form in a FIPS validated manner. See also section 11.1 Installation, Initialization, and Startup Procedures later in this document.
Type of Operational Environment: Modifiable wolfSSL Inc. Public Material
Any setting that affects the module directly while compiling the executable binary shall not be used. If unsure contact wolfSSL Inc. by sending email to “support at wolfssl dot com”. A wolfSSL engineer will review the setting for impact on the FIPS validated sources and determine if the setting is allowed or disallowed for an approved mode of operation. NOTE: The User Guide [UG] will contain an exact list of allowed settings. CO should refer to the [UG] first before contacting wolfSSL support.
The operational environment for the Module is modifiable. Table 6 lists the operational environments on which the Module was tested. Specification of the security rules, settings or restrictions to the configuration of the operational environment are covered in the [UG]. The configure script provided with the package detects the environment and sets the required flags. There are no specific restrictions to the configuration of the operational environment unless stated in the [UG].
The Module does not implement non-invasive security mechanisms.
wolfSSL Inc. Public Material
| Name | Type | Description | Strength | Use |
|---|---|---|---|---|
| S1 | Dynamic | RAM (Memory) | ||
| DS_SGK | Private - CSP | Digital Signature: Signature Generation using Private Key | RSA: 2048, 3072, 4096; ECDSA: 224, 256, 384, | ECDSA SigGen (FIPS18 6-4) (A4308) RSA SigGen (FIPS18 |
| Name | Type | From | To | ||
|---|---|---|---|---|---|
| IE1 | Plaintext | EXT: Call stack (API) input parameters | INT | Automated | Electronic |
| IE2 | Plaintext | INT: Call stack (API) output parameters | EXT | Automated | Electronic |
| IE3 | Plaintext | EXT: Loaded from external entropy source | INT | Automated | Electronic |
| Name | Type | Description | Strength | Generation | Establishment | Use | Size - Strengt h |
|---|---|---|---|---|---|---|---|
| S1 | Dynamic | RAM (Memory) | |||||
| DS_SGK | Private - CSP | Digital Signature: Signature Generation using Private Key | RSA: 2048, 3072, 4096; ECDSA: 224, 256, 384, | ECDSA SigGen (FIPS18 6-4) (A4308) RSA SigGen (FIPS18 | |||
| 521; - RSA: 112, 128; ECDSA: 112, 128, 192, 256; | 521; - RSA: 112, 128; ECDSA: 112, 128, 192, 256; | 6-4) (A4308) | |||||
| DS_SVK | Public - PSP | Digital Signature Verification using Public Key | RSA: 1024*, 2048, 3072, 4096; ECDSA: 192*, 224, 256, 384, 521; - RSA: 80*, 112, 128; ECDSA: 80*, 112, 128, 192, 256; | ECDSA SigVer (FIPS18 6-4) (A4308) RSA SigVer (FIPS18 6-4) (A4308) | |||
| GKP_Privat e | Private - CSP | Generated Key Pair (Private) | RSA: 2048, 3072, 4096; ECDSA: 224, 256, 384, 521; - RSA: 112, 128; ECDSA: 112, 128, 192, 256; | RSA Asymmetric Key-Pair Generation ECC Asymmetric Key-Pair Generation | ECDSA KeyGen (FIPS18 6-4) (A4308) RSA KeyGen (FIPS18 6-4) (A4308) | ||
| GKP_Publi c | Public - PSP | Generated Key Pair (Public) | RSA: 2048, 3072, 4096; ECDSA: 224, 256, 384, 521; - RSA: 112, 128; ECDSA: 112, 128, 192, 256; | RSA Asymmetric Key-Pair Generation ECC Asymmetric Key-Pair Generation | ECDSA KeyGen (FIPS18 6-4) (A4308) RSA KeyGen (FIPS18 6-4) (A4308) | ||
| KAS_Privat e | Private - CSP | Key pair component provided by the local participant, used for Diffie- Hellman shared secret generation. | FFC: 2048; ECC: 224, 256, 384, 521; - FFC: 112; ECC: 112, 128, 192, 256; | ECC Asymmetric Key-Pair Generation DSA Asymmetric Key-Pair Generation Primitive Key Agreement | KAS- ECC- SSC Sp800- 56Ar3 (A4308) KAS- FFC- SSC Sp800- 56Ar3 (A4308) | ||
| KAS_Publi c | Public - PSP | Key pair component provided by the local participant, used for Diffie- Hellman shared secret generation. | FFC: 2048; ECC: 224, 256, 384, 521; - FFC: 112; ECC: 112, 128, 192, 256; | ECC Asymmetric Key-Pair Generation DSA Asymmetric Key-Pair Generation Primitive Key Agreement | KAS- ECC- SSC Sp800- 56Ar3 (A4308) KAS- FFC- SSC Sp800- 56Ar3 (A4308) | ||
| KAS_SSC | Shared Secret - CSP | Shared secret calculation; z output value is expected to be used by a KDF | FFC: 2048; ECC: 224, 256, 384, 521; - FFC: 112; ECC: 112, 128, 192, 256; | ECC Asymmetri c Key-Pair Generation DSA Asymmetri c Key-Pair Generation KAS SSC Derived Key Agreement | KAS- ECC- SSC Sp800- 56Ar3 (A4308) KAS- FFC- SSC Sp800- 56Ar3 (A4308) KDF SSH (A4308) KDF TLS (A4308) | ||
| KD_DKM | Derived Key Material - CSP | Key Derivation derived keying material | TLS KDF v1.2 RFC 7627: 1024; TLS KDF v1.3: 256, 384; KDF SSH: 256, 384, 512 - 256-bit | TLS 1.3 Key Agreement KDF Derived Key Agreement | KDF SSH (A4308) TLS v1.2 KDF RFC762 7 (A4308) TLS v1.3 KDF (A4308) | ||
| KH_Key | Symmetric Key - CSP | Keyed Hash key | CMAC: 128, 192, 256; GMAC: 128, 192, 256; HMAC: 160, 256, 512; - CMAC: 128, | AES- CMAC (A4308) AES- GMAC (A4308) HMAC- SHA-1 (A4308) HMAC- SHA2- 224 (A4308) HMAC- | |||
| 192, 256; GMAC: 128, 192, 256; HMAC: 128, 256; | 192, 256; GMAC: 128, 192, 256; HMAC: 128, 256; | SHA2- 256 (A4308) HMAC- SHA2- 384 (A4308) HMAC- SHA2- 512 (A4308) HMAC- SHA3- 224 (A4308) HMAC- SHA3- 256 (A4308) HMAC- SHA3- 384 (A4308) HMAC- SHA3- 512 (A4308) | |||||
| Entropy Input String | Entropy - CSP | Entropy input bit string loaded from the external entropy source | 256-bit - 256-bit | Hash DRBG (A4308) | |||
| Seed | Entropy - CSP | DRBG Seed_materi al consisting of entropy input string (256-bit) concatenate d with the nonce (128- bit) | 384-bit - 256-bit | DRBG | Hash DRBG (A4308) | ||
| Secret C | Entropy - CSP | Hash DRBG Internal | 440-bits - 256-bit | DRBG | Hash DRBG (A4308) | ||
| Secret V | Entropy - CSP | Hash DRBG Internal State Secret V | 440-bits - 256-bit | DRBG | Hash DRBG (A4308) | ||
| Internal State | Entropy - CSP | Hash DRBG Internal State (SHA- 256) with secret values V and C. V is 440- bits, C is 440-bits. | 880-bit - 256-bit | DRBG | Hash DRBG (A4308) | ||
| SC_EDK | Symmetric Key - CSP | AES key used for symmetric encryption (including AES authenticate d encryption). Modes: CBC, CCM, CTR, ECB, GCM, OFB | 128, 192 or 256 bits - 128, 192 or 256 bits | AES- CBC (A4308) AES- CCM (A4308) AES- CTR (A4308) AES- ECB (A4308) AES- GCM (A4308) AES- OFB (A4308) | |||
| MOD_INT | Message Authenticati on - CSP | Module Integrity Value Computed at Run Time | 32- bytes - 256-bit | Message Authenticati on | HMAC- SHA2- 256 (A4308) | ||
| coreKey | Message Authenticati on - CSP | HMAC key for in-core integrity check self- test | 32- bytes - 256-bit | HMAC- SHA2- 256 (A4308) | |||
| DS_SGK | While in use | IE1 | Z1 | S1:Plaintext | |||
| DS_SVK | While in use | IE1 | Z1 | S1:Plaintext | |||
| GKP_Private | While in use | IE2 | Z1 | GKP_Public:Paired With | S1:Plaintext | ||
| GKP_Public | While in use | IE2 | Z1 | GKP_Private:Paired With | S1:Plaintext | ||
| KAS_Private | While in use | IE1 | Z1 | S1:Plaintext | |||
| KAS_Public | While in use | IE2 | Z1 | S1:Plaintext | |||
| KAS_SSC | While in use | Z1 | KAS_Public:Derived From KAS_Private:Derived From | S1:Plaintext | |||
| KD_DKM | While in use | Z1 | S1:Plaintext | ||||
| KH_Key | While in use | IE1 | Z1 | S1:Plaintext | |||
| Entropy Input String | While in use | IE3 | Z1 | S1:Plaintext | |||
| Seed | While in use | Z1 | S1:Plaintext | ||||
| Secret C | While in use | Z1 | Seed:Derived From | S1:Plaintext | |||
| Secret V | While in use | Z1 | Seed:Derived From | S1:Plaintext | |||
| Internal State | While in use | Z1 | S1:Plaintext | ||||
| SC_EDK | While in use | IE1 | Z1 | S1:Plaintext | |||
| MOD_INT | While in use | Z1 | S1:Plaintext | ||||
| coreKey | While in use | Z2 | S1:Plaintext |
| Zeroization | Description | Rationale | Operator | ||
|---|---|---|---|---|---|
| Method | Initiation | ||||
| Z1 | cleared immediately after use | Module does not store SSPs persistently | Zeroise | ||
| Z2 | Per ISO/IEC 19790:2012 section 7.9.7, parameters used solely for self-test purposes in 7.10 need not meet zeroisation requirements | FIPS 140-3 IG 9.7.B |
Table 14: SSP Input-Output Methods
9.7.B Table 15: SSP Zeroization Methods The module supports an implicit Zeroisation indicator. The implicit indicator is a successful completion of the service call. h 6-4) wolfSSL Inc. Public Material
e h 6-4) 6-4) 6-4) 6-4) 6-4) wolfSSL Inc. Public Material
c e DiffieHellman c DiffieHellman h 6-4) 6-4) KASECCSSC Sp80056Ar3 KASFFCSSC Sp80056Ar3 KASECCSSC Sp80056Ar3 KASFFCSSC Sp80056Ar3 wolfSSL Inc. Public Material
h KASECCSSC Sp80056Ar3 KASFFCSSC Sp80056Ar3 AESCMAC AESGMAC HMACSHA-1 HMACSHA2224 wolfSSL Inc. Public Material
nonce (128bit) h SHA2256 HMACSHA2384 HMACSHA2512 HMACSHA3224 HMACSHA3256 HMACSHA3384 HMACSHA3512 wolfSSL Inc. Public Material
C V C. V is 440bits, C is d check selftest h AESCBC AESCCM AESCTR AESECB AESGCM AESOFB HMACSHA2256 HMACSHA2256 Table 16: SSP Table 1 wolfSSL Inc. Public Material
Table 17: SSP Table 2 * Per SP800-131Ar2 Section 3, Table 2, key sizes (1024-bit for RSA and 192-bit for ECC) are available for legacy use verification requirements when inter-oping with legacy systems. These key sizes shall not be used for signing operations.
wolfSSL Inc. Public Material
| Name | Algorithm Or Test | Test Method | Test Type | Details | Test Properties | Indicator | Conditio ns |
|---|---|---|---|---|---|---|---|
| HMAC- SHA2-256 | HMAC- SHA2-256 | KAT | SW/FW Integrity | MAC | hash type: SHA256, key length: 32-bytes. Please note this is the module integrity test | FIPS_MODE_NORMAL or FIPS_MODE_FAILED | |
| AES- CBC | AES- CBC | KAT | CAS T | Encrypt | key length: 32-bytes | FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LURE | Before first use of algorithm( s) AES- ECB, AES- CBC, AES- CTR, AES- OFB, AES- GCM, AES- GMAC, AES- CCM or AES- CMAC |
| AES- CBC | AES- CBC | KAT | CAS T | Decrypt | key length: 32-bytes | FIPS_CAST_STATE_SU CCESS or | Before first use of |
| Name | Algorithm Or Test | Test Method | Test Type | Details | Test Properties | Indicator | Conditio ns |
|---|---|---|---|---|---|---|---|
| HMAC- SHA2-256 | HMAC- SHA2-256 | KAT | SW/FW Integrity | MAC | hash type: SHA256, key length: 32-bytes. Please note this is the module integrity test | FIPS_MODE_NORMAL or FIPS_MODE_FAILED | |
| AES- CBC | AES- CBC | KAT | CAS T | Encrypt | key length: 32-bytes | FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LURE | Before first use of algorithm( s) AES- ECB, AES- CBC, AES- CTR, AES- OFB, AES- GCM, AES- GMAC, AES- CCM or AES- CMAC |
| AES- CBC | AES- CBC | KAT | CAS T | Decrypt | key length: 32-bytes | FIPS_CAST_STATE_SU CCESS or | Before first use of |
| FIPS_CAST_STATE_FAI LURE | FIPS_CAST_STATE_FAI LURE | algorithm( s) AES- ECB, AES- CBC, AES- CTR, AES- OFB, AES- GCM, AES- GMAC, AES- CCM or AES- CMAC | |||||
| AES- GCM | AES- GCM | KAT | CAS T | Decrypt | key length: 32-bytes | FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LURE | Before first use of algorithm( s) AES- GCM or AES- GMAC |
| AES- GCM | AES- GCM | KAT | CAS T | Encrypt | key length: 32-bytes | FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LURE | Before first use of algorithm( s) AES- GCM or AES- GMAC |
| HMAC- SHA1 | HMAC- SHA1 | KAT | CAS T | MAC | hash type: SHA1; key length: 20- bytes | FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LURE | Before first use of algorithm( s) SHA1 or HMAC- SHA1 |
| HMAC- SHA2- 256 | HMAC- SHA2- 256 | KAT | CAS T | MAC | hash type: SHA256; key length: 20-bytes | FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LURE | Before first use of algorithm( s) SHA224, SHA256, |
| HMAC- SHA2- 512 | HMAC- SHA2- 512 | KAT | CAS T | MAC | hash type: SHA2-512, key length: 20-bytes | FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LURE | Before first use of algorithm( s) SHA384, SHA512, HMAC- SHA384 or HMAC- SHA512 |
| HMAC- SHA3- 256 | HMAC- SHA3- 256 | KAT | CAS T | MAC | hash type: SHA3-256, key length: 64-bytes | FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LURE | Before first use of algorithm( s) SHA3- 224, SHA3- 256, SHA3- 384 or SHA3- 512, HMAC- SHA3- 224, HMAC- SHA3- 256, HMAC- SHA3- 384 or HMAC- SHA3- 512 |
| RSA- PKCSv 1.5 | RSA- PKCSv 1.5 | KAT | CAS T | Sign | hash type: SHA256; key length: 2048-bits | FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LURE | Before first use of algorithm( s) RSA (PKCSv1. 5) or RSA (PSS) |
| RSA- PKCSv 1.5 | RSA- PKCSv 1.5 | KAT | CAS T | Verify | hash type: SHA256, key length: 2048-bits | FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LURE | Before first use of algorithm( s) RSA (PKCSv1. 5) or RSA (PSS) |
| ECC Diffie- Hellman | ECC Diffie- Hellman | KAT | CAS T | Computatio n Shared Secret Z | hashType: SHA2-256; curve: P-256 | FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LURE | Before first use of algorithm( s) ECC for shared secret generatio n |
| FFC Diffie- Hellman | FFC Diffie- Hellman | KAT | CAS T | Computatio n Shared Secret Z | hashType: SHA2-256; keySize: 2048-bit; | FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LURE | Before first use of algorithm( s) FFC for shared secret generatio n |
| ECDSA | ECDSA | KAT | CAS T | Sign | curve: P256; hashType: SHA2-256 | FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LURE | Before first use of algorithm( s) ECDSA |
| ECDSA | ECDSA | KAT | CAS T | Verify | curve: P256; hashType: SHA2-256 | FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LURE | Before first use of algorithm( s) ECDSA |
| TLSv1. 2 KDF | TLSv1. 2 KDF | KAT | CAS T | Derive Keying Material | HMAC- SHA2-256 | FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LURE | Before first use of TLSv1.2 KDF |
| TLSv1. 3 KDF | TLSv1. 3 KDF | KAT | CAS T | Derive Keying Material | HMAC- SHA2-256 | FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LURE | Before first use of TLSv1.3 KDF |
| KDF SSH | KDF SSH | KAT | CAS T | Derive Keying Material | hashType: SHA2-256 | FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LURE | Before first use of KDF SSH |
| RSA- PCT | RSA- PCT | PCT | PCT | Sign/Verify | key size: 2048,3072,4 096 | Service is successful or an error code RSA_KEY_PAIR_E | Invoked automatic ally during generate key pair service |
| ECC- PCT | ECC- PCT | PCT | PCT | Sign/Verify | curve size: 224, 256, 384, 521 | Service is successful or an error code ECC_PCT_E | Invoked automatic ally during generate key pair service |
| DH- PCT | DH- PCT | PCT | PCT | Modulus Exponentia tion | key size: 2048, 3072, 4096 | Service is successful or an error code MP_CMP_E | Invoked automatic ally during generate key pair service |
| DRBG | DRBG | KAT | CAS T | Health-Test with sub- elements: Instantiate, Generate, Reseed | DRBG mode: SHA2-256 | FIPS_CAST_STATE_SU CCESS or FIPS_CAST_STATE_FAI LURE | Before first use of algorithm( s) DBRG or Immediat ely upon registerin g an external entropy source with the module |
HMACSHA2-256 Table 18: Pre-Operational Self-Tests Each time the Module is powered on or loaded (equivalent to a power on) the integrity of the module is tested per ISO/IEC 19790:2012 Section 7.10.2.2. The very first step of the preoperational self-test (POST) is to force every Conditional Algorithm Self-Test to be in the FIPS_CAST_STATE_INIT mode meaning the CAST for a given algorithm has not run since power on and the CAST must run and pass prior to operational use of the algorithm. The integrity test uses HMAC-SHA2-256 to ensure the modules integrity therefore per AS 10.20 HMAC CAST is triggered prior to the integrity check. The HMAC CAST uses a known answer test per ISO/IEC 19790-2012 Section 7.10.3.2. The POST executes outside user control as the module is powering on or being loaded.
AESCBC AESCBC e T T s) AESECB, AESCBC, AESCTR, AESOFB, AESGCM, AESGMAC, AESCCM or AESCMAC wolfSSL Inc. Public Material
e AESGCM T AESGCM T HMACSHA1 length: 20bytes T HMACSHA2256 T s) AESECB, AESCBC, AESCTR, AESOFB, AESGCM, AESGMAC, AESCCM or AESCMAC s) AESGCM or AESGMAC s) AESGCM or AESGMAC or HMACSHA1 s) wolfSSL Inc. Public Material
e HMACSHA2512 T HMACSHA3256 T RSAPKCSv 1.5 T HMACSHA224 or HMACSHA256 s) HMACSHA384 or HMACSHA512 s) SHA3224, SHA3256, SHA3384 or SHA3512, HMACSHA3224, HMACSHA3256, HMACSHA3384 or HMACSHA3512 wolfSSL Inc. Public Material
RSAPKCSv 1.5 e T T DiffieHellman T T T HMACSHA2-256 T HMACSHA2-256 T n n DiffieHellman wolfSSL Inc. Public Material
e T RSAPCT ECCPCT DHPCT T with subelements: Table 19: Conditional Self-Tests Once the module is powered on and has passed the POST, calls to any cryptographic algorithm will trigger the CAST on first operational use of the algorithm. The POST and CASTS are available on demand after power on and can be executed by the cryptographic officer (CO) at any time. The CO may optionally invoke any CAST ahead of algorithm use at a more convenient time rather than letting it run automatically on first use. Regardless of the CAST running manually or automatically, once it has passed the CO may manually re-run any CAST at any time in a periodic fashion, a CAST will no longer run automatically after it has passed the first time. wolfSSL Inc. Public Material
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method |
|---|---|---|---|---|---|
| HMAC-SHA2- 256 | HMAC-SHA2- 256 | KAT | SW/FW Integrity | P2 | Automatic or Manually |
| AES-CBC | AES-CBC | KAT | CAST | P1 | Manually |
| AES-CBC | AES-CBC | KAT | CAST | P1 | Manually |
| AES-GCM | AES-GCM | KAT | CAST | P1 | Manually |
| AES-GCM | AES-GCM | KAT | CAST | P1 | Manually |
| HMAC-SHA1 | HMAC-SHA1 | KAT | CAST | P1 | Manually |
| HMAC-SHA2- 256 | HMAC-SHA2- 256 | KAT | CAST | P2 | Automatic or Manually |
| HMAC-SHA2- 512 | HMAC-SHA2- 512 | KAT | CAST | P1 | Manually |
| HMAC-SHA3- 256 | HMAC-SHA3- 256 | KAT | CAST | P1 | Manually |
| RSA-PKCSv1.5 | RSA-PKCSv1.5 | KAT | CAST | P1 | Manually |
| RSA-PKCSv1.5 | RSA-PKCSv1.5 | KAT | CAST | P1 | Manually |
| ECC Diffie- Hellman | ECC Diffie- Hellman | KAT | CAST | P1 | Manually |
| FFC Diffie- Hellman | FFC Diffie- Hellman | KAT | CAST | P1 | Manually |
| ECDSA | ECDSA | KAT | CAST | P1 | Manually |
| ECDSA | ECDSA | KAT | CAST | P1 | Manually |
| TLSv1.2 KDF | TLSv1.2 KDF | KAT | CAST | P1 | Manually |
| TLSv1.3 KDF | TLSv1.3 KDF | KAT | CAST | P1 | Manually |
| KDF SSH | KDF SSH | KAT | CAST | P1 | Manually |
| RSA-PCT | RSA-PCT | PCT | PCT | P3 | Automatic |
| ECC-PCT | ECC-PCT | PCT | PCT | P3 | Automatic |
| DH-PCT | DH-PCT | PCT | PCT | P3 | Automatic |
| DRBG | DRBG | KAT | CAST | P4 | Automatic or Manually |
| Name | Description | Role Access | Indicator | |
|---|---|---|---|---|
| P1 | Periodic method 1: Automatically by the module when algorithm is first invoked. CO may opt to invoke prior to first algorithm use to avoid delay at time of first operational use of an algorithm or at a later time manually. | |||
| P2 | Periodic method 2: Automatically by the module during power on. CO may opt to invoke manually thereafter. | |||
| P3 | Periodic method 3: Automatically during key generation service | |||
| P4 | Automatically by the module upon first operational use of the DRBG algorithm. When an external entropy source is registered with the module by application level entropy callback function it is considered the first operational use of the DRBG. Does a periodic reseed every 1 million invocations, during the reseed the DRBG health test will be automatically executed. | |||
| FIPS_MODE_FAILED | Module has failed its software integrity check | HMAC- SHA2- 256 CAST Failure Module Integrity Check Failure | fipsModeId set to FIPS_MODE_FAILED (3) | Power Cycle |
| FIPS_CAST_STATE_F AILURE | One or more algorithm(s) are no longer usable and the module mode is set to FIPS_MODE_DEG RADED (2) | AES- CBC AES- GCM HMAC- SHA1 HMAC- SHA2- 256 HMAC- SHA2- 512 HMAC- SHA3- 256 RSA- PKCSv1 .5 DRBG ECC Diffie- Hellman | One or more algorithms CAST status values set to FIPS_CAST_STATE_F AILURE (3) | Power Cycle |
HMAC-SHA2256 HMAC-SHA2256 HMAC-SHA2512 HMAC-SHA3256 ECC DiffieHellman FFC DiffieHellman Table 20: Pre-Operational Periodic Information Table 21: Conditional Periodic Information wolfSSL Inc. Public Material
| Name | Description | Role Access | Indicator | |
|---|---|---|---|---|
| P3 | Periodic method 3: Automatically during key generation service | |||
| P4 | Automatically by the module upon first operational use of the DRBG algorithm. When an external entropy source is registered with the module by application level entropy callback function it is considered the first operational use of the DRBG. Does a periodic reseed every 1 million invocations, during the reseed the DRBG health test will be automatically executed. | |||
| FIPS_MODE_FAILED | Module has failed its software integrity check | HMAC- SHA2- 256 CAST Failure Module Integrity Check Failure | fipsModeId set to FIPS_MODE_FAILED (3) | Power Cycle |
| FIPS_CAST_STATE_F AILURE | One or more algorithm(s) are no longer usable and the module mode is set to FIPS_MODE_DEG RADED (2) | AES- CBC AES- GCM HMAC- SHA1 HMAC- SHA2- 256 HMAC- SHA2- 512 HMAC- SHA3- 256 RSA- PKCSv1 .5 DRBG ECC Diffie- Hellman | One or more algorithms CAST status values set to FIPS_CAST_STATE_F AILURE (3) | Power Cycle |
| FIPS_MODE_DEGRA DED | One or more of the CASTS have failed anytime following a successful power on and integrity check. Upon entering this mode the module will automatically run all CASTS prior to the operational use of any cryptographic algorithm. | Any CAST Failure | fipsModeId set to FIPS_MODE_DEGRA DED (2) | Power Cycle |
| RSA_KEY_PAIR_E | RSA Pairwise Consistency Test Failure | RSA- PCT | RSA_KEY_PAIR_E (- 262) | Manual self- test service call or power cycle |
| ECC_PCT_E | ECC Pairwise Consistency Test Failure | ECC- PCT | ECC_PCT_E (-286) | Manual self- test service call or power cycle |
| MP_CMP_E | DH Pairwise Consistency Test Failure | DH-PCT | MP_CMP_E (-120) | Manual self- test service call or power cycle |
Table 22: Periodic Method Descriptions
HMACSHA2256 AESCBC AESGCM HMACSHA1 HMACSHA2256 HMACSHA2512 HMACSHA3256 RSAPKCSv1 .5 DiffieHellman d (3) wolfSSL Inc. Public Material
DiffieHellman RSAConsistency Test ECCPCT Table 23: Error States d selftest selftest selftest wolfSSL Inc. Public Material
For calling applications the following is required:
wolfSSL Inc. Public Material
The CO shall use the provided wolfCrypt FIPS 140-3 User Guide hereafter referred to as [UG]. A common name for this document is also the Cryptographic Officer Guidance Manual [COGM]. [UG] and [COGM] are one and the same for this module and include all administrative guidance. The [UG] will have a section specific to each Operational Environment [OE] that appears on the modules FIPS certificate and/or in Table 6: Tested Operational Environments - Software, Firmware, Hybrid. The instructions provided in the [UG] shall be followed or the module will never have been properly initialized and built and therefore non-compliant. To create the compliant module, as per this Security Policy, the configuration steps shall be followed.
printf("message = %s\n", wc_GetErrorString(err)); printf("hash = %s\n", hash); if (err == IN_CORE_FIPS_E) { printf("In core integrity hash check failure," "copy above hash\n"); printf("into verifyCore[] in fips_test.c and rebuild\n"); } } Figure 2: Code Sample A If using a FIPS callback the CO will register the FIPS callback by passing the function pointer of the FIPS callback function to the following API like so: wolfCrypt_SetCb_fips(myFipsCb); Prior to operational use of the module the CO shall register an entropy callback to load entropy into the module from an external entropy source. A portable callback is available but must be registered by the application on startup since the entropy source is external to the module. To register the portable callback provided with the module the application will call “ret = wc_SetSeed_Cb(wc_GenerateSeed);” where “ret” is an integer to capture the status return of the call and should be checked against the value 0 for success or < 0 for failure. A successful register of any entropy callback function is considered the first operational use of the module outside of pre-operational tests and the DBRG CAST will run during registration of the callback. When working with a private key the application must programmatically unlock access to private key material with the API: wolfCrypt_SetPrivateKeyReadEnable_fips(true/false, key-type).
The CO shall use the provided wolfCrypt FIPS 140-3 User Guide [UG].
The Module supports the Cryptographic Officer (CO) operator role and does not support nonadministrators or non-administrative roles.
Please defer to wolfCrypt FIPS 140-3 User Guide [UG].
The module does not claim mitigation of other attacks. wolfSSL Inc. Public Material