All modules
CMVP Validated Module · FIPS 140-3 Security Policy

SUSE Linux Enterprise GnuTLS Cryptographic Module

Certificate#4742StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorSUSE, LLC
Medium review priority  ·  exposes network crypto parser/protocol  ·  GnuTLS upstream has published 9 CVEs since this module's initial validation  ·  last validated 24 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date7/25/2029
CaveatInterim validation. When operated in approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy
VendorSUSE, LLC

Approved Algorithms (95)

AlgorithmACVP Cert
AES-CBCA2984
AES-CBCA2985
AES-CBCA2986
AES-CBCA2987
AES-CBCA2992
AES-CBCA2996
AES-CBCA2997
AES-CBCA3004
AES-CBCA3007
AES-CCMA2984
AES-CCMA2996
AES-CCMA3004
AES-CCMA3007
AES-CFB8A2989
AES-CFB8A2990
AES-CFB8A2995
AES-CMACA2984
AES-CMACA2987
AES-CMACA2992
AES-CMACA2996
AES-CMACA3004
AES-GCMA2984
AES-GCMA2985
AES-GCMA2986
AES-GCMA2987
AES-GCMA2992
AES-GCMA2996
AES-GCMA2997
AES-GCMA3004
AES-GCMA3007
AES-GMACA2992
AES-XTS Testing Revision 2.0A2993
Counter DRBGA2992
ECDSA KeyGen (FIPS186-4)A2992
ECDSA KeyVer (FIPS186-4)A2992
ECDSA SigGen (FIPS186-4)A2992
ECDSA SigVer (FIPS186-4)A2992
HMAC-SHA-1A2987
HMAC-SHA-1A2992
HMAC-SHA-1A2998
HMAC-SHA-1A3007
HMAC-SHA2-224A2987
HMAC-SHA2-224A2992
HMAC-SHA2-224A2998
HMAC-SHA2-224A3007
HMAC-SHA2-256A2987
HMAC-SHA2-256A2992
HMAC-SHA2-256A2998
HMAC-SHA2-256A3007
HMAC-SHA2-384A2987
HMAC-SHA2-384A2992
HMAC-SHA2-384A2998
HMAC-SHA2-384A3007
HMAC-SHA2-512A2987
HMAC-SHA2-512A2992
HMAC-SHA2-512A2998
HMAC-SHA2-512A3007
KAS-ECC-SSC Sp800-56Ar3A2992
KAS-FFC-SSC Sp800-56Ar3A2992
KDA HKDF Sp800-56Cr1A2991
KDF TLSA2992
PBKDFA2992
RSA KeyGen (FIPS186-4)A2992
RSA SigGen (FIPS186-4)A2992
RSA SigVer (FIPS186-4)A2992
Safe Primes Key GenerationA2992
SHA-1A2987
SHA-1A2992
SHA-1A2998
SHA-1A3007
SHA2-224A2987
SHA2-224A2992
SHA2-224A2998
SHA2-224A3007
SHA2-256A2987
SHA2-256A2992
SHA2-256A2998
SHA2-256A3007
SHA2-384A2987
SHA2-384A2992
SHA2-384A2998
SHA2-384A3007
SHA2-512A2987
SHA2-512A2992
SHA2-512A2998
SHA2-512A3007
SHA3-224A2988
SHA3-224A2994
SHA3-256A2988
SHA3-256A2994
SHA3-384A2988
SHA3-384A2994
SHA3-512A2988
SHA3-512A2994
TLS v1.2 KDF RFC7627A2992

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification1
Cryptographic Module Interfaces1
Roles, Services, and Authentication1
Software/Firmware Security1
Operational Environment1
Physical SecurityN/A
Sensitive Security Parameter Management1
Self-Tests1
Mitigation of Other AttacksN/A

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for SUSE Linux Enterprise GnuTLS Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Self-tests<br/>Show status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for SUSE Linux Enterprise GnuTLS Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Self-tests<br/>Show status</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

SUSE Linux Enterprise GnuTLS Cryptographic Module version 1.1 Version 1.2 Last update: 2024-07-25 Prepared by: atsec information security corporation

4516 Seton Center Parkway, Suite 250

Austin, TX 78759 www.atsec.com © 2024 SUSE, LLC / atsec information security.

Page 2

SUSE Linux Enterprise GnuTLS Cryptographic Module

1 Table of Contents

2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security 2.9 4.1 4.1.1 5.1 5.2 5.3 6.1 6.2 6.3 9.1 9.2 9.3 9.4 9.5 9.6 10.1 © 2024 SUSE, LLC / atsec information security.

2 of 55
Page 3

SUSE Linux Enterprise GnuTLS Cryptographic Module 10.2 10.2.1 10.2.2 10.2.3 10.3 11.1 11.1.1 11.1.2 11.1.3 11.1.4 11.2 11.2.1 11.2.2 11.2.3 11.2.4 11.2.5 © 2024 SUSE, LLC / atsec information security.

3 of 55
Page 4
Security level
NameISO SectionRequirementLevel
Section 6. [NumberSection 6. [Number
Below]Below]
11General1
22Cryptographic Module Specification1
33Cryptographic Module Interfaces1
44Roles, Services, and Authentication1
55Software/Firmware Security1
66Operational Environment1
77Physical SecurityN/A
88Non-invasive SecurityN/A
99Sensitive Security Parameter Management1
1010Self-tests1
1111Life-cycle Assurance1
1212Mitigation of Other AttacksN/A
OverallOverall1

SUSE Linux Enterprise GnuTLS Cryptographic Module This document is the non-proprietary FIPS 140-3 Security Policy for version 1.1 of the SUSE Linux Enterprise GnuTLS Cryptographic Module. It has a one-to-one mapping to the [SP 800-140B] starting with section B.2.1 named “General” that maps to section 1 in this document and ending with section B.2.12 named “Mitigation of other attacks” that maps to section 12 in this document. and including this notice. Other documentation is proprietary to their authors. In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing. Table 1 describes the individual security areas of FIPS 140-3, as well as the security levels of those individual areas. N/A N/A N/A Table 1 - Security Levels © 2024 SUSE, LLC / atsec information security.

4 of 55
Page 5

SUSE Linux Enterprise GnuTLS Cryptographic Module

2 Cryptographic Module Specification

2.1 Module Embodiment The SUSE Linux Enterprise GnuTLS Cryptographic Module (hereafter referred to as “the module”) is a Software multi-chip standalone cryptographic module. 2.2 Module Design, Components, Versions The software block diagram below shows the cryptographic boundary of the module, and its interfaces with the operational environment. Figure 1 - Cryptographic Boundary © 2024 SUSE, LLC / atsec information security.

5 of 55
Page 6
Module configuration
NameOperating SystemHardware PlatformProcessorPaa Pai#
1SUSE Linux Enterprise Server 15 SP4Supermicro Super Server SYS-6019P- WTRIntel® Xeon® Silver 4215RWith and without AES-NI (PAA)1
2SUSE Linux Enterprise Server 15 SP4GIGABYTE R181-Z90-00AMD EPYCÔ 7371With and without AES-NI (PAA)2
3SUSE Linux Enterprise Server 15 SP4GIGABYTE G242-P32-QZARM Ampere® Altra® Q80-30With and without Crypto Extensions (PAA)3
4SUSE Linux Enterprise Server 15 SP4IBM z/15z15With and without CPACF (PAI)4
5SUSE Linux Enterprise Server 15 SP4 on PowerVM (VIOS 3.1.4.00)IBM Power E1080 (9080- HEX)Power10With and without ISA (PAA)5
1SUSE Linux Enterprise Server 15SP4IBM LinuxONE III LT1z15With and without CPACF (PAI)1
2SUSE Linux Enterprise Micro 5.3Supermicro Super Server SYS-6019P- WTRIntel® Xeon® Silver 4215RWith and without AES-NI (PAA)2
3SUSE Linux Enterprise Micro 5.3GIGABYTE R181-Z90-00AMD EPYCÔ 7371With and without AES-NI (PAA)3
4SUSE Linux Enterprise Micro 5.3GIGABYTE G242-P32-QZARM Ampere® Altra® Q80- 30With and without Cryptography Extensions (PAA)4
5SUSE Linux Enterprise Micro 5.3IBM z/15z15With and without CPACF (PAI)5
6SUSE Linux Enterprise Micro 5.3IBM LinuxONE III LT1z15With and without CPACF (PAI)6
7SUSE Linux Enterprise Server for SAP 15SP4Supermicro Super Server SYS-6019P- WTRIntel® Xeon® Silver 4215RWith and without AES-NI (PAA)7
8SUSE Linux Enterprise Server for SAP 15SP4GIGABYTE R181-Z90-00AMD EPYCÔ 7371With and without AES-NI (PAA)8
9SUSE Linux Enterprise Server for SAP 15SP4IBM Power E1080 (9080- HEX)Power10With and without ISA (PAA)9
10SUSE Linux Enterprise Base Container Image 15SP4Supermicro Super Server SYS-6019P- WTRIntel® Xeon® Silver 4215RWith and without AES-NI (PAA)10
11SUSE Linux Enterprise Base Container Image 15SP4GIGABYTE R181-Z90-00AMD EPYCÔ 7371With and without AES-NI (PAA)11
12SUSE Linux Enterprise Base Container Image 15SP4GIGABYTE G242-P32-QZARM Ampere® Altra® Q80- 30With and without Cryptography Extensions (PAA)12
13SUSE Linux Enterprise Base Container Image 15SP4IBM z/15z15With and without CPACF (PAI)13
14SUSE Linux Enterprise Base Container Image 15SP4IBM LinuxONE III LT1z15With and without CPACF (PAI)14
15SUSE Linux Enterprise Base Container Image 15SP4IBM Power E1080 (9080- HEX)Power10With and without ISA (PAA)15
16SUSE Linux Enterprise Desktop 15SP4Supermicro Super Server SYS-6019P- WTRIntel® Xeon® Silver 4215RWith and without AES-NI (PAA)16
17SUSE Linux Enterprise Desktop 15SP4GIGABYTE R181-Z90-00AMD EPYCÔ 7371With and without AES-NI (PAA)17
18SUSE Linux Enterprise Real Time 15SP4Supermicro Super Server SYS-6019P- WTRIntel® Xeon® Silver 4215RWith and without AES-NI (PAA)18
19SUSE Linux Enterprise Real Time 15SP4GIGABYTE R181-Z90-00AMD EPYCÔ 7371With and without AES-NI (PAA)19
ComponentsDescription
/usr/lib64/libgnutls.so.30Provides the API for the calling applications to request cryptographic services, and implements the TLS protocol, DRBG, RSA Key Generation, Diffie-Hellman and EC Diffie- Hellman.
/usr/lib64/libnettle.so.8Provides the cryptographic algorithm implementations, including AES, SHA, HMAC, RSA Digital Signature and ECDSA.
/usr/lib64/libhogweed.so.6Provides primitives used by libgnutls and libnettle to support the asymmetric cryptographic operations.
/usr/lib64/libgmp.so.10Provides big number arithmetic operations to support the asymmetric cryptographic operations.
/usr/lib64/.libgnutls.so.30.hmacThe .hmac files contain the HMAC-SHA2-256 values of their associated library for integrity check during the power-up.
/usr/lib64/.libnettle.so.8.hmac
/usr/lib64/.libhogweed.so.6.hmac
/usr/lib64/.libgmp.so.10.hmac

Table 2 lists the software components of the cryptographic module, which defines its cryptographic boundary. Table 2

6 of 55
Page 7

SUSE Linux Enterprise GnuTLS Cryptographic Module # E1080 (9080HEX) Table 3 - Tested Operational Environments 2.5 Vendor-Affirmed Operational Environments In addition to the platforms listed in Table 3, SUSE, LLC has also tested the module on the platforms in Table 4, and claims vendor affirmation on them. Note: the CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate. # 5.3 5.3 5.3 Altra® Q8030 5.3 5.3 E1080 (9080HEX) SYS-6019PWTR SYS-6019PWTR © 2024 SUSE, LLC / atsec information security.

7 of 55
Page 8

SUSE Linux Enterprise GnuTLS Cryptographic Module Altra® Q8030 E1080 (9080HEX) # SYS-6019PWTR SYS-6019PWTR SYS-6019PWTR Table 4 - Vendor-Affirmed Operational Environments 2.6 Approved Algorithms Table 5 lists all security functions of the module, including specific key strengths employed for approved services, and implemented modes of operation. The module supports RSA modulus sizes which are not tested by CAVP in compliance with FIPS 140-3 IG C.F. © 2024 SUSE, LLC / atsec information security.

8 of 55
Page 9
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
AESA2984, A2985,CBC128, 192, 256-bitSymmetric encryption;
FIPS197,A2986, A2987,keys with 128-256Symmetric decryption
SP800-38AA2992, A2996,bits of key strength
AESA2984, A2996,CCM128, 256-bit keysSymmetric encryption;
SP800-38CA3004, A3007with 128 or 256Symmetric decryption;
bits of key strengthbits of key strengthAuthenticated symmetric
AESA2989, A2990,CFB8128, 192, 256-bitSymmetric encryption;
FIPS197,A2995keys with 128-256Symmetric decryption
SP800-38Abits of key strength
AESA2984, A2987,CMAC128, 256-bit keysMessage authentication
SP800-38BA2992, A2996,with 128 or 256code (MAC)
A3004A3004bits of key strength
AESA2984, A2985,GCM128, 256-bit keysSymmetric encryption and
SP800-38DA2986, A2987,with 128 or 256decryption in the context
A2992, A2996,A2992, A2996,bits of key strengthof the Transport Layer
A2997, A3004,A2997, A3004,Security (TLS) network
A3007A3007protocol
AESA2992GMAC128, 256-bit keysMessage authentication
SP800-38Dwith 128 or 256code (MAC)
AESA2993XTS128, 256-bit keysSymmetric encryption (for
SP800-38Ewith 128 or 256data storage);
bits of key strengthbits of key strengthSymmetric decryption (for
CKGVendor AffirmedKey pairRSA: 2048, 3072,Key pair generation
SP800-generation4096-bit keys with
133rev2(FIPS-186-4,112, 128, 149 bits
SP800-56Arev3,SP800-56Arev3,of key strength
SP800-90Arev1);SP800-90Arev1);ECDH/ECDSA: P-
DRBGA2992CTR_DRBG:AES 256-bit keyRandom number
SP800-AES-256 withoutwith 256 bits ofgeneration
90Arev1DF, without PRkey strength
ECDSAA2992ECDSA KeyGenP-256, P-384,Key pair generation
FIPS186-4(B.4.2 TestingP-521 elliptic
Candidates)Candidates)curves with 128-
ECDSA KeyVerECDSA KeyVerP-256, P-384,Public key verification
ECDSA SigGenECDSA SigGenP-256, P-384, P-Digital signature
(SHA2-224,(SHA2-224,521 elliptic curvesgeneration
SHA2-256, SHA2-SHA2-256, SHA2-with 128-256 bits
384, SHA2-512)384, SHA2-512)of key strength
ECDSA SigVerECDSA SigVerP-256, P-384, P-Digital signature
(SHA2-224,(SHA2-224,521 elliptic curvesverification
SHA2-256, SHA2-SHA2-256, SHA2-with 128-256 bits
384, SHA2-512)384, SHA2-512)of key strength
HMACA2987, A2992,SHA-1, SHA2-112-524288 bitsMessage authentication
FIPS198-1A2998, A3007224, SHA2-256,with 112-256 bitscode (MAC)
SHA2-384, SHA2-SHA2-384, SHA2-of security strength
KAS-ECC-SSCA2992ECCP-256, P-384, P-EC Diffie-Hellman shared
SP800-Ephemeral521 elliptic curvessecret computation;
56Arev3Unified Schemekeys with 128-256Transport Layer Security
bits of key strengthbits of key strength(TLS) network protocol
KAS-FFC-SSCA2992Safe Prime2048, 3072, 4096,Diffie-Hellman shared
SP800-Groups:6144, 8192-bitsecret computation;
56Arev3ffdhe2048,keys with 112-200Transport Layer Security
ffdhe3072,ffdhe3072,bits of key strength(TLS) network protocol
KDA HKDFA2991HMAC-SHA2-224,HKDF derived keyHKDF key derivation Transport Layer Security (TLS) network protocol
SP800-56Cr1HMAC-SHA2-256,with 112 to 256
HMAC-SHA2-384,HMAC-SHA2-384,bits of key strength
KDF TLSA2992SHA-1TLS Derived keyTLS key derivation
v1.0/1.1with 112 to 256
SP800-bits of key strength
TLS v1.2 KDFA2992SHA2-256,TLS Derived keyTLS key derivation
SP800-SHA2-384with 112 to 256
135rev1bits of key strength
AES CCMA2984, A2996,KTS per IG D.G128, 256-bit keysKey wrapping; Key unwrapping
SP800-38CA3004, A3007with 128 or 256
AES GCMA2984, A2985,KTS per IG D.G128, 256-bit keys
SP800-38DA2986, A2987,with 128 or 256
A2992, A2996,A2992, A2996,bits of key strength
AES CBC andAESKTS per IG D.G128, 256-bit keys
HMACA2984, A2985,with 128 or 256
SP800-38A,A2986, A2987,bits of key strength
FIPS198-1A2992, A2996,
PBKDFA2992HMAC-SHA-1,8-128 charactersPassword-based key derivation
SP800-132HMAC-SHA2-224,with password
HMAC-SHA2-256,HMAC-SHA2-256,strength between
HMAC-SHA2-384,HMAC-SHA2-384,108 and 10128
RSAA2992RSA KeyGen2048-15360 bitsKey pair generation
FIPS186-4(B.3.2 Randomkeys with 112-256
Provable Primes)Provable Primes)bits of security
RSA SigGenRSA SigGen2048-15360 bitsDigital signature generation
(PKCS#1v1.5:(PKCS#1v1.5:keys with 112-256
SHA2-224, SHA2-SHA2-224, SHA2-bits of security
256, SHA2-384,256, SHA2-384,strength
RSA SigGenRSA SigGen2048-15360 bits
(PSS: SHA2-256,(PSS: SHA2-256,keys with 112-256
SHA2-384, SHA2-SHA2-384, SHA2-bits of security
512)512)strength
RSA SigVerRSA SigVer2048-15360 bitsDigital signature verification
(PKCS#1v1.5:(PKCS#1v1.5:keys with 112-256
SHA2-224, SHA2-SHA2-224, SHA2-bits of security
256, SHA2-384,256, SHA2-384,strength
RSA SigVer (PSS:RSA SigVer (PSS:2048-15360 bits
SHA2-256, SHA2-SHA2-256, SHA2-keys with 112-256
384, SHA2-512)384, SHA2-512)bits of security
Safe PrimesA2992Safe Prime2048, 3072, 4096,Key pair generation
SP800-ffdhe3072,bits of key strength
56Arev3ffdhe4096,
SHA-3A2988, A2994SHA3-224, SHA3-N/AMessage digest
FIPS202256, SHA3-384,
SHAA2987, A2992,SHA-1, SHA2-N/AMessage digest
FIPS180-4A2998, A3007224,

SUSE Linux Enterprise GnuTLS Cryptographic Module SP800133rev2 © 2024 SUSE, LLC / atsec information security.

9 of 55
Page 10

SUSE Linux Enterprise GnuTLS Cryptographic Module SP80090Arev1 SP800Ephemeral SP80056Arev3 © 2024 SUSE, LLC / atsec information security.

10 of 55
Page 11

SUSE Linux Enterprise GnuTLS Cryptographic Module SP800135rev1 (CVL) SP800135rev1 © 2024 SUSE, LLC / atsec information security.

11 of 55
Page 12

SUSE Linux Enterprise GnuTLS Cryptographic Module SP80056Arev3 C.C SHA-1, SHA2N/A Table 5 - Approved Algorithms © 2024 SUSE, LLC / atsec information security.

12 of 55
Page 13
Approved algorithm
NameUse FunctionUse/Function
MD5Only allowed as the PRF in TLSv1.0 and v1.1 per IG 2.4.AMessage digest used in TLS v1.0/1.1 KDF only
AES GCM when not used in the context of the TLS protocol.Symmetric encryption; Symmetric decryption
BlowfishSymmetric encryption; Symmetric decryption
CamelliaSymmetric encryption; Symmetric decryption
CASTSymmetric encryption; Symmetric decryption
ChaCha20Symmetric encryption; Symmetric decryption
Chacha20 and Poly1305Authenticated encryption; Authenticated decryption
CMAC with Triple-DESMessage authentication code (MAC)
DESSymmetric encryption; Symmetric decryption
Diffie-Hellman with keys generated with domain parameters other than safe primesKey agreement; Diffie-Hellman shared secret computation
Approved algorithm
NameUse FunctionUse/Function
MD5Only allowed as the PRF in TLSv1.0 and v1.1 per IG 2.4.AMessage digest used in TLS v1.0/1.1 KDF only
AES GCM when not used in the context of the TLS protocol.Symmetric encryption; Symmetric decryption
BlowfishSymmetric encryption; Symmetric decryption
CamelliaSymmetric encryption; Symmetric decryption
CASTSymmetric encryption; Symmetric decryption
ChaCha20Symmetric encryption; Symmetric decryption
Chacha20 and Poly1305Authenticated encryption; Authenticated decryption
CMAC with Triple-DESMessage authentication code (MAC)
DESSymmetric encryption; Symmetric decryption
Diffie-Hellman with keys generated with domain parameters other than safe primesKey agreement; Diffie-Hellman shared secret computation
DSAKey pair generation; Domain parameter generation; Digital signature generation; Digital signature verification
ECDSA with curves not listed in Table 5.Key pair generation; Public key verification; Digital signature generation; Digital signature verification
EC Diffie-Hellman with curves not listed in Table 5Key agreement; EC Diffie-Hellman shared secret computation
GMACMessage authentication code (MAC)
GOSTSymmetric encryption; Symmetric decryption; Message digest
HMAC with keys smaller than 112-bitMessage authentication code (MAC)
HMAC with GOSTMessage authentication code (MAC)
MD2, MD4, MD5Message digest; Message authentication code (MAC)
Non-supported cipher suites (not listed in Appendix A)Transport Layer Security (TLS) Network Protocol
PBKDF with non-approved message digest algorithmsPassword-based key derivation
RC2, RC4Symmetric encryption; Symmetric decryption
RMD160Message digest; Message authentication code (MAC)
RSA with keys smaller than 2048 bits or greater than 4096 bitsKey pair generation; Digital signature generation
RSA with keys smaller than 1024 bits or greater than 4096 bitsDigital signature verification
RSA encryption and decryption with any key sizesKey encapsulation; Key un-encapsulation
Salsa20Symmetric encryption; Symmetric decryption
SEEDSymmetric encryption; Symmetric decryption
SerpentSymmetric encryption; Symmetric decryption
SHA-1Digital signature generation
SRPKey agreement
STREEBOGMessage digest; Message authentication code (MAC)
Triple-DESSymmetric encryption; Symmetric decryption
TwofishSymmetric encryption; Symmetric decryption
UMACMessage authentication code (MAC)
YarrowRandom number generation

SUSE Linux Enterprise GnuTLS Cryptographic Module 2.7 Non-Approved Algorithms Allowed in the Approved Mode of Operation The module does not implement non-approved algorithms that are allowed in the approved mode of operation. 2.8 Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed Table 6 lists the non-approved algorithms that are allowed in the approved mode of operation with no security claimed. These algorithms are used by the approved services listed in Table 10. Table 6 - Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed 2.9 Non-Approved Algorithms Not Allowed in the Approved Mode of Operation Table 7 lists non-approved algorithms that are not allowed in the approved mode of operation. These algorithms are used by the non-approved services listed in Table 11.

1 These algorithms do not claim any security and are not used to meet FIPS 140-3 requirements. Therefore, SSPs do not

map to these algorithms. © 2024 SUSE, LLC / atsec information security.

13 of 55
Page 14

SUSE Linux Enterprise GnuTLS Cryptographic Module © 2024 SUSE, LLC / atsec information security.

14 of 55
Page 15

SUSE Linux Enterprise GnuTLS Cryptographic Module Table 7 - Non-Approved Not Allowed in the Approved Mode of Operation © 2024 SUSE, LLC / atsec information security.

15 of 55
Page 16
Ports and interfaces
NamePhysical PortLogical Interface
Data InputAPI input parameters, kernel I/O network or files on filesystem, TLS protocol input messages.Data Input
Data OutputAPI output parameters, kernel I/O network or files on filesystem, TLS protocol output messages.Data Output
Control InputAPI function calls, API input parameters for control.Control Input
Status OutputAPI return codes, API output parameters for status output.Status Output

SUSE Linux Enterprise GnuTLS Cryptographic Module

3 Cryptographic Module Ports and Interfaces

As a software-only module, the module does not have physical ports. The operator can only interact with the module through the API provided by the module. Thus, the physical ports are interpreted to be the physical ports of the hardware platform on which the module runs. The following table shows the logical interfaces implemented in the module. All data output via data output interface is inhibited when the module is performing preoperational test conditional cryptographic algorithms self-tests or zeroization or when the module enters error state. Table 8 - Ports and Interfaces

2 The control output interface is omitted on purpose because the module does not implement it.

© 2024 SUSE, LLC / atsec information security.

16 of 55
Page 17
Service
NameRolesInputOutput
Authenticated symmetric encryptionCrypto Officer (CO)Key, Plaintext, IVCiphertext, MAC tag
Authenticated symmetric decryptionKey, Ciphertext, MAC tagPlaintext
Key pair generationRSA key size, Diffie-Hellman Safe Prime or Elliptic CurveKey pair
Diffie-Hellman shared secret computationPrivate key, public key from peerShared secret
Digital signature generationMessage, private key, hash algorithmDigital signature
Digital signature verificationSignature, message, public key, hash algorithmVerification result
Domain parameter generationDomain parameters inputGenerated domain parameters
EC Diffie-Hellman shared secret computationPrivate key, public key from peerShared secret
HKDF key derivationShared secretHKDF derived key
TLS key derivationTLS Pre-master secretDerived key
Key agreementKey pairShared secret
Key encapsulationKey to be encapsulated, Key encapsulating keyEncapsulated key
Key un-encapsulationEncapsulated key, Key encapsulating keyUnencapsulated key
Key unwrappingWrapped key, Key unwrapping keyUnwrapped key
Key wrappingKey to be wrapped, Key wrapping keyWrapped key
Message authentication code (MAC)Message, HMAC key or AES keyMessage authentication code
Message digestMessageDigest of the message
Password-based key derivationPassword or passphrase, salt, iteration countPBKDF Derived key
Public key verificationKey pairPass/fail
Random number generationNumber of bitsRandom number
Self-testsModule reset or API callResult of self-test (pass/fail)
Symmetric decryptionKey, CiphertextPlaintext
Symmetric encryptionKey, PlaintextCiphertext
Show module name and versionNoneName and version information
Show statusN/AReturn codes and/or log messages
Transport Layer Security (TLS) network protocolCipher-suites, Digital Certificate, Public and Private Keys, Application DataReturn codes and/or log messages, Application data

SUSE Linux Enterprise GnuTLS Cryptographic Module

4 Roles, services, and authentication

4.1 Services The module supports the Crypto Officer role only. This sole role is implicitly assumed by the operator of the module when performing a service. The module does not support authentication. © 2024 SUSE, LLC / atsec information security.

17 of 55
Page 18

SUSE Linux Enterprise GnuTLS Cryptographic Module N/A N/A Table 9 - Roles, Service Commands, Input and Output The module provides services to the users that assume one of the available roles. All services are shown in Table 10 and Table 11. 4.1.1 Approved Services Table 10 lists the approved services. For each service, the table lists the associated cryptographic algorithm(s), the role to perform the service, the cryptographic keys or SSPs involved, and their access type(s). The following convention is used to specify access rights to an SSP:

18 of 55
Page 19
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
Symmetric encryptionPerform AES encryptionCOAES keyAES-CBC AES-CCM AES-CFB8 AES-CMAC AES-GMAC AES-XTSW, EGNUTLS_FIPS140_OP_ APPROVED
Symmetric decryptionPerform AES decryptionAES keyAES-CBC AES-CCM AES-CFB8 AES-CMAC AES-GMAC AES-XTSW, EGNUTLS_FIPS140_OP_ APPROVED
Authenticated symmetric encryptionEncrypt a plaintextAES keyAES-CCMW, EGNUTLS_FIPS140_OP_ APPROVED
Authenticated symmetric decryptionDecrypt a ciphertextAES keyAES-CCMW, EGNUTLS_FIPS140_OP_ APPROVED
Key wrappingKey wrapping (as part of the cipher suites in the TLS protocol)AES keyAES-CCM AES-GCMW, EGNUTLS_FIPS140_OP_ APPROVED
AES-CBC, HMACAES keyAES-CBC, HMACW, E
HMAC keyHMAC keyW, E
Key unwrappingKey unwrapping (as part of the cipher suites in the TLS protocol)AES keyAES-CCM AES-GCMW, EGNUTLS_FIPS140_OP_ APPROVED
AES-CBC, HMACAES keyAES-CBC, HMACW, E
HMAC keyHMAC keyW, E
Key pair generationGenerate RSA, DH, ECDH and ECDSA key pairsModule- generated Diffie-Hellman public keyCKG DRBG Safe primes key pair generation RSA ECDSAG, E, RGNUTLS_FIPS140_OP_ APPROVED
Module- generated Diffie-Hellman private keyModule- generated Diffie-Hellman private keyG, E, R
Module- generated RSA public keyModule- generated RSA public keyG, E, R
Module- generated RSA private keyModule- generated RSA private keyG, E, R
Module- generated ECDSA public keyModule- generated ECDSA public keyG, E, R
Module- generated ECDSA private keyModule- generated ECDSA private keyG, E, R
Module- generated EC Diffie-Hellman private keyModule- generated EC Diffie-Hellman private keyG, E, R
Module- generated EC Diffie-Hellman public keyModule- generated EC Diffie-Hellman public keyG, E, R
Digital signature generationGenerate RSA and ECDSA signatureRSA private keySHA, RSA ECDSAW, EGNUTLS_FIPS140_OP_ APPROVED
Digital signature verificationVerify RSA, and ECDSA signatureRSA public keySHA RSA ECDSAW, EGNUTLS_FIPS140_OP_ APPROVED
Public key verificationVerify ECDSA public keyECDSA public keyECDSAW, EGNUTLS_FIPS140_OP_ APPROVED
Random number generationGenerate random bitstringsEntropy inputDRBG, Non- Physical Entropy SourceW, EGNUTLS_FIPS140_OP_ APPROVED
DRBG internal state: V value, keyDRBG internal state: V value, keyG, EGNUTLS_FIPS140_OP_ APPROVED
DRBG seedDRBG seedE, G
Message digestCompute SHA hashesNoneSHAN/AGNUTLS_FIPS140_OP_ APPROVED
Message authentication code (MAC)Compute HMACHMAC keyHMACW, EGNUTLS_FIPS140_OP_ APPROVED
Compute AES- based CMACCompute AES- based CMACAES keyAES-CMACW, E
Compute AES- based GMACCompute AES- based GMACAES keyAES-GMACW, E
Diffie-Hellman shared secret computationPerform shared secret computationDiffie-Hellman public keyKAS-FFC-SSCW, EGNUTLS_FIPS140_OP_ APPROVED
Diffie-Hellman private keyDiffie-Hellman private keyW, E
Diffie-Hellman shared secretDiffie-Hellman shared secretG, R
EC Diffie- Hellman shared secret computationPerform shared secret computationEC Diffie- Hellman public keyKAS-ECC-SSCW, EGNUTLS_FIPS140_OP_ APPROVED
EC Diffie- Hellman private keyEC Diffie- Hellman private keyW, E
EC Diffie- Hellman shared secretEC Diffie- Hellman shared secretG, R
HKDF key derivationPerform key derivation using HKDF (in the context of TLS 1.3)Diffie-Hellman shared SecretKDA HKDFW, EGNUTLS_FIPS140_OP_ APPROVED
EC Diffie- Hellman shared secretEC Diffie- Hellman shared secretW, E
HKDF derived keyHKDF derived keyG, R
Password-based key derivationPerform password-based key derivationPassword or passphrasePBKDFW, EGNUTLS_FIPS140_OP_ APPROVED
PBKDF derived keyPBKDF derived keyG, R
TLS KDF key derivationPerform key derivation using TLS 1.0/1.1, 1.2 KDFTLS Pre-master secretTLS KDF v1.0/1.1 TLS KDF v1.2 RFC7627W, EGNUTLS_FIPS140_OP_ APPROVED
TLS Master secretTLS Master secretW, E, G
TLS Derived keyTLS Derived keyG, R
Transport Layer Security (TLS) network protocolEstablish TLS sessionCORSA public key, RSA private key ECDSA public key, ECDSA private keySupported cipher suites in FIPS-validated configuration (see Appendix A for the complete list of valid cipher suites)W, EGNUTLS_FIPS140_OP_ APPROVED
Diffie-Hellman public key, EC Diffie- Hellman public keyDiffie-Hellman public key, EC Diffie- Hellman public keyW, E, G, R
TLS pre-master secret, TLS Master secret, TLS Derived key, HKDF derived key, Diffie-Hellman private key, EC Diffie- Hellman private keyTLS pre-master secret, TLS Master secret, TLS Derived key, HKDF derived key, Diffie-Hellman private key, EC Diffie- Hellman private keyE, G
Show statusShow module statusCONoneN/AN/AImplicit (always approved)
Self-testsPerform self- testsNoneAES, Diffie- Hellman, EC Diffie-Hellman, ECDSA, DRBG, HMAC, RSA, SHS, HKDF KDA, TLSv1.2 KDF (RFC7627)N/AImplicit (always approved)
Show module name and versionShow module name and versionNoneN/AN/AImplicit (always approved)

SUSE Linux Enterprise GnuTLS Cryptographic Module W, E W, E W, E W, E W, E W, E W, E W, E W, E W, E Modulegenerated G, E, R Modulegenerated G, E, R Modulegenerated RSA G, E, R Modulegenerated RSA G, E, R © 2024 SUSE, LLC / atsec information security.

19 of 55
Page 20

SUSE Linux Enterprise GnuTLS Cryptographic Module Modulegenerated G, E, R Modulegenerated G, E, R Modulegenerated EC G, E, R Modulegenerated EC G, E, R W, E W, E W, E W, E G, E E, G N/A W, E W, E W, E W, E W, E G, R © 2024 SUSE, LLC / atsec information security.

20 of 55
Page 21

SUSE Linux Enterprise GnuTLS Cryptographic Module W, E EC DiffieHellman W, E G, R W, E W, E G, R W, E G, R W, E W, E, G G, R 1.3) W, E W, E, G, R © 2024 SUSE, LLC / atsec information security.

21 of 55
Page 22

SUSE Linux Enterprise GnuTLS Cryptographic Module EC DiffieHellman E, G N/A N/A N/A Z Perform selftests AES, DiffieNone N/A N/A N/A Table 10 - Approved Services Table 11 lists the non-approved services. The details of the non-approved cryptographic algorithms available in non-Approved mode can be found in Table 7. © 2024 SUSE, LLC / atsec information security.

22 of 55
Page 23
Service
NameDescriptionRolesApproved Functions
Symmetric encryptionCompute the cipher for encryptionCOAES GCM when not used in the context of the TLS protocol. Blowfish Camellia CAST ChaCha20 DES GOST RC2, RC4 Salsa20 SEED Serpent Triple-DES Twofish
Symmetric decryptionCompute the cipher for decryptionAES GCM when not used in the context of the TLS protocol. Blowfish Camellia CAST ChaCha20 DES GOST RC2, RC4 Salsa20 SEED Serpent Triple-DES Twofish
Key pair generationGenerate RSA, DSA, and ECDSA key pairsDSA ECDSA with curves not listed in Table 5 RSA with keys smaller than 2048 bits or greater than 4096 bits
Digital signature generationSign RSA, DSA, and ECDSA signaturesDSA ECDSA with curves not listed in Table 5 RSA with keys smaller than 2048 bits or greater than 4096 bits SHA-1
Digital signature verificationVerify RSA, DSA, and ECDSA signaturesDSA ECDSA with curves not listed in Table 5 RSA with keys smaller than 1024 bits or greater than 4096 bits.
Domain parameter generationGenerate domain parameterDSA
Message digestCompute message digestGOST MD2, MD4, MD5 RMD160 STREEBOG
Message authentication code (MAC)Compute message authentication codeCMAC with Triple-DES GMAC HMAC with keys smaller than 112-bit HMAC with GOST MD2, MD4, MD5 RMD160 STREEBOG UMAC
Key encapsulationPerform RSA key encapsulationRSA encryption and decryption with any key sizes
Key un- encapsulationPerform RSA key un- encapsulationRSA encryption and decryption with any key sizes
Diffie-Hellman shared secret computationShared secret computation using DHDiffie-Hellman with keys generated with domain parameters other than safe primes
EC Diffie-Hellman shared secret computationShared secret computation using ECDHEC Diffie-Hellman with curves not listed in Table 5
Key agreementPerform key agreementDiffie-Hellman with keys generated with domain parameters other than safe primes EC Diffie-Hellman with curves not listed in Table 5 SRP
Password-based key derivationPerform key derivation using PBKDFPBKDF with non-approved message digest algorithms
Public key verificationVerify ECDSA public keyECDSA with curves not listed in Table 5.
Transport Layer Security (TLS) Network ProtocolEstablish non-supported TLS channelNon-supported cipher suites (see Appendix A for the complete list of valid cipher suites)

SUSE Linux Enterprise GnuTLS Cryptographic Module © 2024 SUSE, LLC / atsec information security.

23 of 55
Page 24

SUSE Linux Enterprise GnuTLS Cryptographic Module Key unencapsulation © 2024 SUSE, LLC / atsec information security.

24 of 55
Page 25

SUSE Linux Enterprise GnuTLS Cryptographic Module

5 Software/Firmware security

5.1 Integrity Techniques The integrity of the module is verified by comparing an HMAC-SHA2-256 value calculated at run time with the HMAC value stored in the .hmac file that was computed at build time for each software component of the module listed in section 2. If the HMAC values do not match, the test fails, and the module enters the error state. 5.2 On-Demand Integrity Test The module provides the Self-Test service to perform self-tests on demand which includes the preoperational test (i.e., integrity test) and the cryptographic algorithm self-tests (CASTs). The SelfTests service can be called on demand by invoking the gnutls_fips140_run_self_tests() function which will perform integrity tests and the cryptographic algorithms self-tests. Additionally, the SelfTest service can be invoked by powering-off and reloading the module. During the execution of the on-demand self-tests, services are not available, and no data output is possible. 5.3 Executable Code The module consists of executable code in the form of libgnutls, libnettle, libhogweed, and libgmp shared libraries as stated in the Table 2. © 2024 SUSE, LLC / atsec information security.

25 of 55
Page 26

SUSE Linux Enterprise GnuTLS Cryptographic Module

6 Operational Environment

6.1 Applicability This module operates in a modifiable operational environment per the FIPS 140-3 level 1 specifications. The SUSE Linux Enterprise Server operating system is used as the basis of other products. Compliance is maintained for SUSE products whenever the binary is found unchanged per the vendor affirmation from SUSE based on the allowance FIPS 140-3 management manual section 7.9.1 bullet 1 a i). Note: The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when supported if the specific operational environment is not listed on the validation certificate. 6.2 Policy The module does not support concurrent operators. Instrumentation tools like the ptrace system call, gdb and strace utilities, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-tested operational environment. 6.3 Requirements The module shall be installed as stated in section 11. The operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented. © 2024 SUSE, LLC / atsec information security.

26 of 55
Page 27

SUSE Linux Enterprise GnuTLS Cryptographic Module

7 Physical Security

The module is comprised of software only, and therefore this section is not applicable. © 2024 SUSE, LLC / atsec information security.

27 of 55
Page 28

SUSE Linux Enterprise GnuTLS Cryptographic Module

8 Non-invasive Security

This module does not implement any non-invasive security mechanism, and therefore this section is not applicable. © 2024 SUSE, LLC / atsec information security.

28 of 55
Page 29
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageZeroizationUseImport Export
AES keyAES-XTS: 128, 256 Other modes: 128, 192, 256AES-CBC, AES-CCM, AES-CFB8, AES-CMAC, AES-GCM, AES-GMAC, AES-XTS A2984, A2985, A2986, A2987, A2989, A2990, A2992, A2993, A2995, A2996, A2997, A3004, A3007N/AN/ARAMgnutls_cipher_ deinit() gnutls_aead_ci pher_deinit()Use: Symmetric encryption; Symmetric decryption; Authenticated symmetric encryption; Authenticated symmetric decryption; Message authentication code (MAC); Key wrapping; Key unwrapping; Related SSPs: N/AMD/EE Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: None
HMAC key112-256HMAC A2987, A2992, A2998, A3007N/AN/ARAMgnutls_hmac_d einit()Use: Message Authentication Code (MAC); Key wrapping; Key unwrapping; Related SSPs: N/AMD/EE Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: None
Module- generated RSA public key112 to 256RSA CTR_DRBG A2992Generated using the FIPS 186-4 key generation method; the random value used in key generation is obtained from the SP800- 90Arev1 DRBG.N/ARAMgnutls_privkey _deinit() gnutls_x509_p rivkey_deinit() gnutls_rsa_par ams_deinit()Use: Key pair generation Related SSPs: DRBG internal state: V value, key; Module- generated RSA private keyMD/EE Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Import: None
Module- generated RSA private key112 to 256RSA CTR_DRBG A2992Generated using the FIPS 186-4 key generation method; the random value used in key generation is obtained fromN/ARAMgnutls_privkey _deinit() gnutls_x509_p rivkey_deinit() gnutls_rsa_par ams_deinit()Use: Key pair generation Related SSPs: DRBG internal state: V value, key; Module- generated RSA public keyMD/EE Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format.
the SP800- 90Arev1 DRBG.the SP800- 90Arev1 DRBG.Import: None
RSA private key112-256RSA A2992N/AN/ARAMgnutls_privkey _deinit() gnutls_x509_p rivkey_deinit() gnutls_rsa_par ams_deinit()Use: Digital signature generation; Transport Layer Security (TLS) network protocol Related SSPs: RSA public keyMD/EE Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: None
RSA public key112-256RSA A2992N/AN/ARAMgnutls_privkey _deinit() gnutls_x509_p rivkey_deinit() gnutls_rsa_par ams_deinit()Use: Digital signature verification; Transport Layer Security (TLS) network protocol Related SSPs: RSA private keyMD/EE Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: None
Module- generated ECDSA private key128, 192, 256ECDSA CTR_DRBG A2992Generated using the FIPS 186-4 key generation method; the random value used in key generation is obtained from the SP800- 90Arev1 DRBG.N/ARAMgnutls_pk_par ams_clear()Use: Key pair generation Related SSPs: DRBG internal state: V value, key; Module- generated ECDSA public keyMD/EE Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Import: None
Module- generated ECDSA public key128, 192, 256ECDSA CTR_DRBG A2992Generated using the FIPS 186-4 key generation method; the random value used in key generation is obtained from the SP800- 90Arev1 DRBGN/ARAMgnutls_pk_par ams_clear()Use: Key pair generation Related SSPs: DRBG internal state: V value, key; Module- generated ECDSA private keyMD/EE Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Import: None
ECDSA public key128, 192, 256ECDSA A2992N/AN/ARAMgnutls_pk_par ams_clear()Use: Digital signature verification; Public key verification; Transport Layer Security (TLS) network protocol Related SSPs: ECDSA private keyMD/EE Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: None
ECDSA private key128, 192, 256ECDSA A2992N/AN/ARAMgnutls_pk_par ams_clear()Use: Digital signature generation; Transport Layer Security (TLS) network protocol; Public key verification; Related SSPs: ECDSA public keyMD/EE Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: None
Module- generated Diffie- Hellman public key112 to 200KAS-FFC-SSC CTR_DRBG A2992Generated using the SP 800-56Arev3 Safe Primes key generation method; random values are obtained from the SP800- 90Arev1 DRBG.N/ARAMgnutls_dh_par ams_deinit() gnutls_pk_par ams_clear()Use: Key pair generation; Transport Layer Security (TLS) network protocol Related SSPs: Module- generated Diffie-Hellman private key; DRBG internal state: V value, key; TLS pre- master secretMD/EE Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Import: None
Module- generated Diffie- Hellman private key112 to 200KAS-FFC-SSC CTR_DRBG A2992Generated using the SP 800-56Arev3 Safe Primes key generation method; random values are obtained from the SP800- 90Arev1 DRBG.N/ARAMgnutls_dh_par ams_deinit() gnutls_pk_par ams_clear()Use: Key pair generation; Transport Layer Security (TLS) network protocol Related SSPs: Module- generated Diffie-Hellman public key; DRBG internal state: V value, key; TLS pre- master secretMD/EE Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Import: None
Diffie- Hellman public key112 to 200KAS-FFC-SSC A2992N/ARAMgnutls_dh_par ams_deinit() gnutls_pk_par ams_clear()Use: Diffie- Hellman shared secret computation; Transport Layer Security (TLS) network protocol Related keys: Diffie- Hellman private key; Diffie-Hellman shared secretMD/EE Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: None
Diffie- Hellman private key112 to 200KAS-FFC-SSC A2992N/ARAMgnutls_dh_par ams_deinit() gnutls_pk_par ams_clear()Use: Diffie- Hellman shared secret computation;MD/EE
Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: NoneTransport Layer Security (TLS) network protocol Related keys: Diffie- Hellman public key; Diffie- Hellman shared secretImport: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: None
Module- generated EC Diffie- Hellman private key128, 192, 256KAS-ECC-SSC CTR_DRBG A2992Generated internally by the module using the ECDSA key generation method compliant with [FIPS186-4] and [SP800- 56Arev3]; the random value used in key generation is obtained from the SP800- 90Arev1 DRBGN/ARAMgnutls_pk_par ams_clear()Use: Key pair generation; Transport Layer Security (TLS) network protocol Related keys: Module- generated EC Diffie-Hellman public key; DRBG internal state: V value, key; TLS pre- master secretMD/EE Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Import: None
Module- generated EC Diffie- Hellman public key128, 192, 256KAS-ECC-SSC CTR_DRBG A2992Generated internally by the module using the ECDSA key generation method compliant with [FIPS186-4] and [SP800- 56Arev3]; the random value used in key generation is obtained from the SP800- 90Arev1 DRBGN/ARAMgnutls_pk_par ams_clear()Use: Key pair generation; Transport Layer Security (TLS) network protocol Related keys: Module- generated EC Diffie-Hellman private key; DRBG internal state: V value, key; TLS pre- master secretMD/EE Export: CM to TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Import: None
EC Diffie- Hellman private key128, 192, 256KAS-ECC-SSC A2992N/AN/ARAMgnutls_pk_par ams_clear()Use: EC Diffie- Hellman shared secret computation; Related keys: EC Diffie-Hellman shared secret; EC Diffie- Hellman public keyMD/EE Import: CM from TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: None
EC Diffie- Hellman public key128, 192, 256KAS-ECC-SSC A2992N/AN/ARAMgnutls_pk_par ams_clear()Use: EC Diffie- Hellman shared secret computation; Related keys: ECMD/EE Import: CM from TOEPP Path.
Passed to the module via API parameters in plaintext (P) format. Export: NoneDiffie-Hellman private key; EC Diffie-Hellman shared secretPassed to the module via API parameters in plaintext (P) format. Export: None
Diffie- Hellman shared secret112 to 200KAS-FFC-SSC A2992N/AGenerate d during the Diffie- Hellman key agreeme nt and shared secret computat ion per SP800- 56Arev3.RAMzeroize_key()Use: Diffie- Hellman shared secret computation; HKDF key derivation Related keys: Diffie- Hellman public key, Diffie- Hellman private key;MD/EE Import: CM to/from TOEPP Path. Passed to/from the module via API parameters in plaintext (P) format Export: CM from TOEPP Path. Passed from the module via API parameters in plaintext (P) format.
EC Diffie- Hellman shared secret112 to 256KAS-ECC-SSC A2992N/AGenerate d during the EC Diffie- Hellman key agreeme nt and shared secret computat ion per SP800- 56Arev3.RAMzeroize key()Use: EC Diffie- Hellman shared secret computation; HKDF key derivation Related keys: EC Diffie-Hellman public key; EC Diffie-Hellman private key;MD/EE Import: CM to/from TOEPP Path. Passed to/from the module via API parameters in plaintext (P) format. Export: CM from TOEPP Path. Passed from the module via API parameters in plaintext (P) format.
PBKDF password or passphrasePassword strength 1020 - 10128PBKDF A2992N/A (key material is entered via API parameters)N/ARAMInternal PBKDF state is zeroized automatically when function returns.Use: Password- based key derivation Related keys: PBKDF derived keyMD/EE Import: CM to TOEPP Path. Passed to the module via API parameters in plaintext (P) format. Export: None
PBKDF derived key112-256 bitsPBKDF A2992Derived during the PBKDFN/ARAMzeroize_key()Use: Password- based key derivation Related keys: PBKDF password or passphraseMD/EE Export: CM from TOEPP Path. Passed from the module via API parameters in plaintext (P) format.
Entropy input IG D.L compliant192 to 384 bitsDRBG A2992 ESV E28, E29N/AN/ARAMgnutls_global_ deinit()Use: Random number generation Related keys: DRBG seedImport: None Export: None it remains within the cryptographic boundary.
DRBG seed IG D.L compliant192 to 384 bitsCTR_DRBG A2992 ESV E28, E29Generated from the entropy input as defined in SP800- 90Arev1N/ARAMgnutls_global_ deinit()Use: Random number generation Related SSPs: Entropy input; DRBG internal state: V value, keyImport: None Export: None it remains within the cryptographic boundary.
DRBG internal state: V value, key IG D.L compliant128 to 256 bitsCTR_DRBG A2992Generated from the DRBG seed as defined in SP800-90Arev1N/ARAMgnutls_global_ deinit()Use: Random number generation Related keys: DRBG seed, Module- generated ECDSA public key, Module- generated ECDSA private key, Module- generated RSA public key, Module- generated RSA private key, Module- generated Diffie-Hellman public key, Module- generated Diffie-Hellman private key, Module- generated EC Diffie-Hellman public key, Module- generated EC Diffie-Hellman private keyImport: None Export: None
TLS pre- master secretDH 112 to 200 ECDH 112 to 256 bitsKDF TLS, TLS v1.2 KDF RFC7627 A2992N/AGenerate d during the EC Diffie- Hellman / Diffie- Hellman key agreeme nt and shared secret computatRAMgnutls_deinit()Use: Transport Layer Security (TLS) network protocol; TLS key derivation Related keys: TLS master secretMD/EE Export: None Import: CM to TOEPP Path. Passed to the module via API parameters in plaintext (P) format.
TLS master secret112 to 256 bitsKDF TLS, TLS v1.2 KDF RFC7627 A2992Derived from TLS pre-master secret using TLS KDF per SP800-135rev1 (TLSv1.0/1.1) TLS v1.2 KDF RFC7627N/ARAMgnutls_deinit()Use: Transport Layer Security (TLS) network protocol; TLS key derivation Related keys: TLS pre- master secret, TLS Derived keyMD/EE Export: None Import: None
TLS Derived key112 to 256 bitsKDF TLS, TLS v1.2 KDF RFC7627 A2992Derived from TLS master secret during the TLS KDF per SP800-135rev1 (TLSv1.0/1.1) TLS v1.2 KDF RFC7627N/ARAMgnutls_deinit()Use: Transport Layer Security (TLS) network protocol; TLS key derivation Related keys: TLS pre- master secret; TLS master secretMD/EE Export: CM from TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Import: None
HKDF derived key112 to 256 bitsKDA HKDF A2991Derived (as part of TLSv1.3) with KDA HKDFN/ARAMgnutls_deinit()Use: Transport Layer Security (TLS) network protocol; HKDF key derivation Related keys: EC Diffie- Hellman shared secret; Diffie-Hellman shared secretMD/EE Export: CM from TOEPP Path. Passed from the module via API parameters in plaintext (P) format. Import: None

SUSE Linux Enterprise GnuTLS Cryptographic Module

9 Sensitive Security Parameter Management

Table 12 summarizes the SSPs that are used by the cryptographic services implemented in the Modulegenerated e N/A N/A N/A N/A N/A Modulegenerated RSA Module112 to Modulegenerated RSA N/A

3 see Table 5 for the certificate number of each algorithm listed in this column.

© 2024 SUSE, LLC / atsec information security.

29 of 55
Page 30

SUSE Linux Enterprise GnuTLS Cryptographic Module e N/A N/A N/A N/A Modulegenerated N/A Modulegenerated Modulegenerated N/A Modulegenerated N/A N/A © 2024 SUSE, LLC / atsec information security.

30 of 55
Page 31

SUSE Linux Enterprise GnuTLS Cryptographic Module N/A e N/A Modulegenerated DiffieHellman N/A SSPs: Modulegenerated Modulegenerated DiffieHellman N/A SSPs: Modulegenerated DiffieHellman N/A Use: DiffieHellman keys: DiffieHellman DiffieHellman N/A Use: DiffieHellman © 2024 SUSE, LLC / atsec information security.

31 of 55
Page 32

SUSE Linux Enterprise GnuTLS Cryptographic Module e key; DiffieHellman Modulegenerated EC DiffieHellman N/A [SP800Import: None Modulegenerated EC DiffieHellman N/A [SP800Import: None EC DiffieHellman N/A N/A EC DiffieHellman N/A N/A © 2024 SUSE, LLC / atsec information security.

32 of 55
Page 33

SUSE Linux Enterprise GnuTLS Cryptographic Module e DiffieHellman N/A Use: DiffieHellman key, DiffieHellman EC DiffieHellman N/A N/A N/A Passwordzeroized N/A Passwordbased key © 2024 SUSE, LLC / atsec information security.

33 of 55
Page 34

SUSE Linux Enterprise GnuTLS Cryptographic Module e N/A N/A N/A in SP800the N/A seed, Modulegenerated key, Modulegenerated Modulegenerated RSA Modulegenerated Modulegenerated Modulegenerated EC Modulegenerated EC N/A DiffieHellman / DiffieHellman TLS premaster © 2024 SUSE, LLC / atsec information security.

34 of 55
Page 35

SUSE Linux Enterprise GnuTLS Cryptographic Module e SP80056Arev3. N/A N/A EC DiffieHellman N/A Table 12 - SSPs 9.1 The module employs a Deterministic Random Bit Generator (DRBG) based on [SP800-90Arev1] for the creation of seeds for asymmetric keys, random numbers for security functions (e.g. ECDSA signature generation), and server and client random numbers for the TLS protocol. In addition, the module provides a Random Number Generation service to calling applications. The DRBG supports the CTR_DRBG with AES-256, without derivation function and without prediction resistance. The module uses an SP800-90B-compliant entropy source specified in Table 13. This entropy source is located within the physical perimeter, but outside of the cryptographic boundary of the module. The module obtains 384 bits to seed the DRBG, and 256 bits to reseed it, © 2024 SUSE, LLC / atsec information security.

35 of 55
Page 36
Non-Physical Entropy Source ESV E28, E29256 bits of entropy in the 256-bit outputUserspace Standalone CPU Time Jitter RNG version 3.4.0 entropy source (using SHA-3 as the vetted conditioning component) is located within the physical perimeter of the operational environment but outside the module cryptographic boundary.

SUSE Linux Enterprise GnuTLS Cryptographic Module Table 13 - Non-Deterministic Random Number Generation Specification 9.2 SSP Generation In accordance with FIPS 140-3 IG D.H, the cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys according to section 4, 5.1 and 5.2 of [SP800-133rev2] by obtaining a random bit string directly from an approved [SP800-90Arev1] DRBG and that can support the required security strength requested by the caller (without any V, as described in Additional Comments 2 of IG D.H).

36 of 55
Page 37

SUSE Linux Enterprise GnuTLS Cryptographic Module For Diffie-Hellman, the module supports the use of safe primes from RFC7919 for domain parameters and key generation, which are used in the TLS key agreement implemented by the module.

37 of 55
Page 38

SUSE Linux Enterprise GnuTLS Cryptographic Module 9.4 SSP Entry and Output The module does not support manual SSP entry or intermediate SSP generation output. The SSPs are provided to the module via API input parameters in plaintext form and output via API output parameters in plaintext form within the physical perimeter of the operational environment. This is allowed by [FIPS140-3_IG] IG 9.5.A, according to the “CM Software to/from App via TOEPP Path” entry on the Key Establishment Table. 9.5 SSP Storage All SSPs not generated by the module are provided by the calling application. The module does not perform persistent storage of SSPs. The SSPs are temporarily stored in the RAM in plaintext form. SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls. 9.6 SSP Zeroization The memory occupied by SSPs is allocated by regular memory allocation operating system calls. The application that is acting as the CO is responsible for calling the appropriate zeroization functions provided in the module's API and listed in Table 12. Calling the gnutls_global_deinit() will zeroize the SSPs stored in the TLS protocol internal state and also invoke the corresponding API functions listed in Table 12 to zeroize SSPs. The zeroization functions overwrite the memory occupied by SSPs with “zeros” and deallocate the memory with the regular memory deallocation operating system call. The completion of a zeroization routine(s) will indicate that a zeroization procedure succeeded. © 2024 SUSE, LLC / atsec information security.

38 of 55
Page 39
AlgorithmTest
AESKAT AES CBC mode with 128, 256-bit keys, encryption and decryption (separately tested); KAT AES GCM mode with 256-bit key, encryption and decryption (separately tested); KAT AES XTS mode with 256-bit keys, encryption and decryption (separately tested); KAT AES CFB8 mode with 256-bit keys, encryption and decryption (separately tested); KAT AES CMAC mode with 256-bit keys, encryption and decryption (separately tested);
Diffie-HellmanPrimitive “Z” Computation KAT with 3072-bit key using ffdhe3072 safe- prime.
DRBGKAT CTR_DRBG with AES with 256-bit keys without DF, without PR Health tests according to section 11.3 of [SP800-90Arev1]
EC Diffie-HellmanPrimitive “Z” Computation KAT with P-256 curve
ECDSAKAT ECDSA with P-256 using SHA-256, P-384 using SHA-384, and P-521 using SHA-512, signature generation and verification (separately tested)
HKDF KDAKAT with HMAC-SHA2-256
HMACKAT HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2-384, HMAC- SHA2-512

SUSE Linux Enterprise GnuTLS Cryptographic Module Self-tests The module performs the pre-operational self-test and CASTs automatically when the module is loaded into memory. The pre-operational self-test ensure that the module is not corrupted, and the CASTs ensure that the cryptographic algorithms work as expected. While the module is executing the self-tests, services are not available, and input and output are inhibited. The module is not available for use by the calling application until the pre-operational tests and CASTs are completed successfully. After the pre-operational test and the CASTs succeed, the module becomes operational. If any of the pre-operational test or any of the CASTs fail an error message is returned, and the module transitions to the error state.

10.1 Pre-Operational Tests

The module performs the integrity test using HMAC-SHA2-256. The details of integrity test are provided in 5.1.

10.2 Conditional Tests
10.2.1 Cryptographic algorithm tests

Table 14 specifies all the CASTs. The CASTs are performed in the form of the Known Answer Tests (KATs) and are run prior to performing the integrity test. A KAT includes the comparison of a calculated output with an expected known answer, hard coded as part of the test vectors used in the test. If the values do not match, the KAT fails. © 2024 SUSE, LLC / atsec information security.

39 of 55
Page 40
Approved algorithm
NameUse Function
TestAlgorithm
PCT using SHA2-256, signature generation and verification.ECDSA key generation
PCT using SHA2-256, signature generation and verification.RSA key generation
PCT according to section 5.6.2.1.4 of [SP800-56Arev3]Diffie-Hellman key generation
Covered by ECDSA PCT as allowed by IG 10.3.A additional comment 1EC Diffie-Hellman key generation
AlgorithmTest
PBKDF2 KDFKAT with HMAC-SHA2-256
RSAKAT RSA with 2048-bit key using SHA2-256, signature generation and verification (separately tested);
SHA-3KAT SHA3-224, SHA3-256, SHA3-384, SHA3-512
TLSv1.2 KDF (RFC7627)KAT with SHA2-256

SUSE Linux Enterprise GnuTLS Cryptographic Module Table 14 - Conditional Cryptographic Algorithms Self-Tests

10.2.2 Pairwise Consistency Test

The module performs the Pair-wise Consistency Tests (PCT) shown in the following table. If at least one of the tests fails, the module returns an error code and enters the Error state. When the module is in the Error state, no data is output, and cryptographic operations are not allowed. Table 15 - Pairwise Consistency Test

10.2.3 Periodic/On-Demand Self-Test

The module provides the Self-Test service to perform self-tests on demand which includes the preoperational test (i.e., integrity test) and the cryptographic algorithm self-tests (CASTs). The SelfTests service can be called on demand by invoking the gnutls_fips140_run_self_tests() function which will perform integrity tests and the cryptographic algorithms self-tests. Additionally, the SelfTest service can be invoked by powering-off and reloading the module. During the execution of the on-demand self-tests, services are not available, and no data output is possible.

10.3 Error States

When the module fails any pre-operational self-test or conditional test, the module will return an error code to indicate the error and enters error state. Any further cryptographic operations and the data output via the data output interface are inhibited. The calling application can obtain the module state by calling the gnutls_fips140_get_operation_state() API function. The function returns GNUTLS_FIPS140_OP_ERROR if the module is in the Error state. The following table shows the error codes and the corresponding condition: © 2024 SUSE, LLC / atsec information security.

40 of 55
Page 41
ErrorCause of ErrorStatus Indicator
State
Error StateWhen the integrity tests or KATs fail at power-up.GNUTLS_E_SELF_TEST_ERROR (-400)
When the KAT of DRBG fails during pre- operational testsGNUTLS_E_RANDOM_FAILED (-206)
When the newly generated RSA, ECDSA, Diffie-Hellman or EC Diffie-Hellman key pair fails the PCTGNUTLS_E_PK_GENERATION_ERROR (-403)
When the module is in error state and caller requests cryptographic operationsGNUTLS_E_LIB_IN_ERROR_STATE (-402)

SUSE Linux Enterprise GnuTLS Cryptographic Module Table 16 - Error States Self-test errors transition the module into an error state that keeps the module operational but prevents any cryptographic related operations. The module must be restarted and perform the per-operational self-test and the CASTs to recover from these errors. If failures persist, the module must be re-installed. A completed list of the error codes can be found in Appendix C “Error Codes and Descriptions” in the gnutls.pdf provided with the module's code. © 2024 SUSE, LLC / atsec information security.

41 of 55
Page 42

SUSE Linux Enterprise GnuTLS Cryptographic Module

11 Life-cycle assurance

The following sections describe the Delivery and Operation and Crypto Officer Guidance of the module.

11.1 Delivery and Operation
11.1.1 Module Installation

The Crypto Officer can install the RPM packages containing the module as listed in Table 18 using the zypper tool. The integrity of the RPM package is automatically verified during the installation, and the Crypto Officer shall not install the RPM package if there is any integrity error.

11.1.2 Operating Environment Configuration

The operating environment needs to be configured to support FIPS, so the following steps shall be performed with the root privilege:

  1. Install the dracut-fips RPM package: # zypper install dracut-fips
  2. Recreate the INITRAMFS image: # dracut -f
  3. After regenerating the initrd, the Crypto Officer has to append the following parameter in the /etc/default/grub configuration file in the GRUB_CMDLINE_LINUX_DEFAULT line: fips=1
  4. After editing the configuration file, please run the following command to change the setting in the boot loader: # grub2-mkconfig -o /boot/grub2/grub.cfg If /boot or /boot/efi resides on a separate partition, the kernel parameter boot=<partition of /boot or /boot/efi> must be supplied. The partition can be identified with the command "df /boot" or "df /boot/efi" respectively. For example: # df /boot Filesystem 1K-blocks Used Available Use% /dev/sda1 233191 30454 190296 14% Mounted on /boot The partition of /boot is located on /dev/sda1 in this example. Therefore, the following string needs to be appended in the aforementioned grub file: "boot=/dev/sda1"
  5. Reboot to apply these settings. Now, the operating environment is configured to support FIPS operation. The Crypto Officer should check the existence of the file /proc/sys/crypto/fips_enabled, and verify it contains a numeric value “1”. If the file does not exist or does not contain “1”, the operating environment is not configured to support FIPS and the module will not operate as a FIPS-validated module properly.
11.1.3 Module Installation for Vendor Affirmed Platforms

Table 17 includes the information on module installation process for the vendor affirmed platforms that are listed in Table 4. © 2024 SUSE, LLC / atsec information security.

42 of 55
Page 43
Module configuration
NameProcessorPackage
Intel 64-bitIntel 64-bitlibgnutls30-3.7.3-150400.4.35.1.x86_64.rpm libnettle8-3.7.3-150400.2.21.x86_64.rpm libhogweed6-3.7.3-150400.2.21.x86_64.rpm libgmp10-6.1.2-4.9.1.x86_64.rpm
AMD 64-bitAMD 64-bitlibgnutls30-3.7.3-150400.4.35.1.x86_64.rpm
libnettle8-3.7.3-150400.2.21.x86_64.rpm libhogweed6-3.7.3-150400.2.21.x86_64.rpm libgmp10-6.1.2-4.9.1.x86_64.rpmlibnettle8-3.7.3-150400.2.21.x86_64.rpm libhogweed6-3.7.3-150400.2.21.x86_64.rpm libgmp10-6.1.2-4.9.1.x86_64.rpm
IBM z15IBM z15libgnutls30-3.7.3-150400.4.35.1.s390x.rpm libnettle8-3.7.3-150400.2.21.s390x.rpm libhogweed6-3.7.3-150400.2.21.s390x.rpm libgmp10-6.1.2-4.9.1.s390x.rpm
ARMv8 64-bitARMv8 64-bitlibgnutls30-3.7.3-150400.4.35.1.aarch64.rpm libnettle8-3.7.3-150400.2.21.aarch64.rpm libhogweed6-3.7.3-150400.2.21.aarch64.rpm libgmp10-6.1.2-4.9.1.aarch64.rpm
IBM Power10 64-bitIBM Power10 64-bitlibgnutls30-3.7.3-150400.4.35.1.ppc64le.rpm libnettle8-3.7.3-150400.2.21.ppc64le.rpm libhogweed6-3.7.3-150400.2.21.ppc64le.rpm libgmp10-6.1.2-4.9.1.ppc64le.rpm
ProductLink
SUSE Linux Enterprise Micro 5.3https://documentation.suse.com/sle-micro/5.3/single-html/SLE-Micro- security/#sec-fips-slemicro-install
SUSE Linux Enterprise Server for SAP 15SP4https://documentation.suse.com/sles/15-SP4/html/SLES-all/book- security.html
SUSE Linux Enterprise Base Container Image 15SP4https://documentation.suse.com/smart/linux/html/concept- bci/index.html
SUSE Linux Enterprise Desktop 15SP4https://documentation.suse.com/sled/15-SP4/html/SLED-all/book- security.html
SUSE Linux Enterprise Real Time 15SP4https://documentation.suse.com/sle-rt/15-SP4/

SUSE Linux Enterprise GnuTLS Cryptographic Module Table 17 - Installation for Vendor Affirmed Platforms Note: Per section 7.9 in the FIPS 140-3 Management Manual [FIPS140-3_MM], the Cryptographic Module Validation Program (CMVP) makes no statement as to the correct operation of the module or the security strengths of the generated keys when this module is ported and executed in an operational environment not listed on the validation certificate.

11.1.4 End of Life Procedure

For secure sanitization of the cryptographic module, the module needs first to be powered off, which will zeroize all keys and CSPs in volatile memory. Then, for actual deprecation, the module shall be upgraded to a newer version that is FIPS 140-3 validated. The module does not possess persistent storage of SSPs, so further sanitization steps are not needed.

11.2 Crypto Officer Guidance

The binaries of the module are contained in the RPM packages for delivery. The Crypto Officer shall follow section 11.1.1 and 11.1.2 to configure the operational environment and install the module to be operated as a FIPS 140-3 validated module. Table 16 lists the RPM packages that contain the FIPS validated module. The "Show module name and version" service returns the value “GnuTLS version 3.7.3-150400.4.35.1”, which matches the version included in the RPM package filenames, and map to version 1.1 of the cryptogtaphic module. © 2024 SUSE, LLC / atsec information security.

43 of 55
Page 44

SUSE Linux Enterprise GnuTLS Cryptographic Module Table 18 - RPM packages

11.2.1 TLS

The TLS protocol implementation provides both server and client sides. In order to operate in the approved mode, digital certificates used for server and client authentication shall comply with the restrictions of key size and message digest algorithms imposed by [SP800-131Arev2]. In addition, as required also by [SP800-131Arev2], Diffie-Hellman with keys smaller than 2048 bits must not be used. The TLS protocol lacks the support to negotiate the used Diffie-Hellman key sizes. To ensure full support for all TLS protocol versions, the TLS client implementation of the module accepts DiffieHellman key sizes smaller than 2048 bits offered by the TLS server. For complying with the requirement to not allow Diffie-Hellman key sizes smaller than 2048 bits, the Crypto Officer must ensure that:

11.2.2 AES XTS

The AES algorithm in XTS mode can be only used for the cryptographic protection of data on storage devices, as specified in [SP800-38E]. The length of a single data unit encrypted with the XTS-AES shall not exceed 2²⁰ AES blocks, that is 16MB of data. The module implements a check that ensures, before performing any cryptographic operation, that the two AES keys used in AES XTS mode are not identical (in compliance with IG C.I). Note: AES-XTS shall be used with 128 and 256-bit keys only. AES-XTS with 192-bit keys is not an Approved service. © 2024 SUSE, LLC / atsec information security.

44 of 55
Page 45

SUSE Linux Enterprise GnuTLS Cryptographic Module

11.2.3 AES GCM IV

The module implements AES GCM for being used in the TLS v1.2 and v1.3 protocols. AES GCM IV generation is in compliance with [FIPS140-3_IG] IG C.H for both protocols as follows:

11.2.4 Restrictions on environment variables and API functions

The module cannot use the following environment variables:

11.2.5 Key derivation using SP800-132 PBKDF

The module provides password-based key derivation (PBKDF), compliant with SP800-132 and IG D.N. The module supports option 1a from section 5.4 of [SP800-132], in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance with [SP800-132], the following requirements shall be met.

45 of 55
Page 46

SUSE Linux Enterprise GnuTLS Cryptographic Module

46 of 55
Page 47

SUSE Linux Enterprise GnuTLS Cryptographic Module

12 Mitigation of other attacks

The module does not offer mitigation of other attacks. © 2024 SUSE, LLC / atsec information security.

47 of 55
Page 48
Approved algorithm
NameReferenceID
TLS_DH_RSA_WITH_AES_128_CBC_SHARFC3268{ 0x00, 0x31 }
TLS_DHE_RSA_WITH_AES_128_CBC_SHARFC3268{ 0x00, 0x33 }
TLS_DH_RSA_WITH_AES_256_CBC_SHARFC3268{ 0x00, 0x37 }
TLS_DHE_RSA_WITH_AES_256_CBC_SHARFC3268{ 0x00, 0x39 }
TLS_DH_RSA_WITH_AES_128_CBC_SHA256RFC5246{ 0x00,0x3F }
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256RFC5246{ 0x00,0x67 }
TLS_DH_RSA_WITH_AES_256_CBC_SHA256RFC5246{ 0x00,0x69 }
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256RFC5246{ 0x00,0x6B }
TLS_PSK_WITH_AES_128_CBC_SHARFC4279{ 0x00, 0x8C }
TLS_PSK_WITH_AES_256_CBC_SHARFC4279{ 0x00, 0x8D }
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256RFC5288{ 0x00, 0x9E }
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384RFC5288{ 0x00, 0x9F }
TLS_DH_RSA_WITH_AES_128_GCM_SHA256RFC5288{ 0x00, 0xA0 }
TLS_DH_RSA_WITH_AES_256_GCM_SHA384RFC5288{ 0x00, 0xA1 }
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHARFC4492{ 0xC0, 0x04 }
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHARFC4492{ 0xC0, 0x05 }
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHARFC4492{ 0xC0, 0x09 }
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHARFC4492{ 0xC0, 0x0A }
TLS_ECDH_RSA_WITH_AES_128_CBC_SHARFC4492{ 0xC0, 0x0E }
TLS_ECDH_RSA_WITH_AES_256_CBC_SHARFC4492{ 0xC0, 0x0F }
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHARFC4492{ 0xC0, 0x13 }
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHARFC4492{ 0xC0, 0x14 }
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256RFC5289{ 0xC0, 0x23 }
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384RFC5289{ 0xC0, 0x24 }
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256RFC5289{ 0xC0, 0x25 }
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384RFC5289{ 0xC0, 0x26 }
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256RFC5289{ 0xC0, 0x27 }
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384RFC5289{ 0xC0, 0x28 }
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256RFC5289{ 0xC0, 0x29 }
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384RFC5289{ 0xC0, 0x2A }
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256RFC5289{ 0xC0, 0x2B }
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384RFC5289{ 0xC0, 0x2C }
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256RFC5289{ 0xC0, 0x2D }
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384RFC5289{ 0xC0, 0x2E }
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256RFC5289{ 0xC0, 0x2F }
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384RFC5289{ 0xC0, 0x30 }
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256RFC5289{ 0xC0, 0x31 }
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384RFC5289{ 0xC0, 0x32 }
TLS_DHE_RSA_WITH_AES_128_CCMRFC6655{ 0xC0, 0x9E }
TLS_DHE_RSA_WITH_AES_256_CCMRFC6655{ 0xC0, 0x9F }
TLS_DHE_RSA_WITH_AES_128_CCM_8RFC6655{ 0xC0, 0xA2 }
TLS_DHE_RSA_WITH_AES_256_CCM_8RFC6655{ 0xC0, 0xA3 }
TLS_AES_128_GCM_SHA256RFC8446{ 0x13, 0x01 }
TLS_AES_256_GCM_SHA384RFC8446{ 0x13, 0x02 }
TLS_AES_128_CCM_SHA256RFC8446{ 0x13, 0x04 }
TLS_AES_128_CCM_8_SHA256RFC8446{ 0x13, 0x05 }

SUSE Linux Enterprise GnuTLS Cryptographic Module Appendix A. The module supports the following cipher suites for the TLS protocol version 1.0, 1.1, 1.2 and 1.3, compliant with section 3.3.1 of [SP800-52rev2]. Each cipher suite defines the key exchange algorithm, the bulk encryption algorithm (including the symmetric key size) and the MAC algorithm. © 2024 SUSE, LLC / atsec information security.

48 of 55
Page 49

SUSE Linux Enterprise GnuTLS Cryptographic Module Table 19 - TLS Cipher Suites © 2024 SUSE, LLC / atsec information security.

49 of 55
Page 50

SUSE Linux Enterprise GnuTLS Cryptographic Module Appendix B. Glossary and Abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CPACF Central Processor Assist for Cryptographic Function CSP Critical Security Parameter CTR Counter Mode DES Data Encryption Standard DF Derivation Function DSA Digital Signature Algorithm DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptography FFC Finite Field Cryptography FIPS Federal Information Processing Standards Publication FSM Finite State Model GCM Galois Counter Mode HMAC Hash Message Authentication Code KAS Key Agreement Schema KAT Known Answer Test MAC Message Authentication Code NIST National Institute of Science and Technology OFB Output Feedback O/S Operating System PAA Processor Algorithm Acceleration PAI Processor Algorithm Implementation PR Prediction Resistance PSS Probabilistic Signature Scheme RNG Random Number Generator RSA Rivest, Shamir, Addleman SHA Secure Hash Algorithm © 2024 SUSE, LLC / atsec information security.

50 of 55
Page 51

SUSE Linux Enterprise GnuTLS Cryptographic Module SHS Secure Hash Standard SSH Secure Shell SSP Sensitive Security Parameter TDES Triple-DES XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2024 SUSE, LLC / atsec information security.

51 of 55
Page 52

SUSE Linux Enterprise GnuTLS Cryptographic Module Appendix C. References FIPS140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS140-3_IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program March 2024 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS%20140-3%20IG.pdf FIPS140-3_MM FIPS 140-3 Cryptographic Module Validation Program Management Manual April 2024 https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS-140-3CMVP%20Management%20Manual.pdf FIPS180-4 Secure Hash Standard (SHS) August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS186-4 Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS197 Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 https://www.ietf.org/rfc/rfc3447.txt RFC3394 Advanced Encryption Standard (AES) Key Wrap Algorithm September 2002 https://www.ietf.org/rfc/rfc3394.txt © 2024 SUSE, LLC / atsec information security.

52 of 55
Page 53

SUSE Linux Enterprise GnuTLS Cryptographic Module SP800-38A NIST Special Publication 800-38A - Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038a.pdf SP800-38B NIST Special Publication 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf SP800-38C NIST Special Publication 800-38C - Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality May 2004 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038c.pdf SP800-38D NIST Special Publication 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC November 2007 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038d.pdf SP800-38E NIST Special Publication 800-38E - Recommendation for Block Cipher Modes of Operation: The XTS AES Mode for Confidentiality on Storage Devices January 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication80038e.pdfhttps://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-80038E.pdf SP800-38F NIST Special Publication 800-38F - Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP800-38G NIST Special Publication 800-38G - Recommendation for Block Cipher Modes of Operation: Methods for Format - Preserving Encryption March 2016 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf SP800-52rev2 NIST Special Publication 800-52 Revision 2 - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations August 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf © 2024 SUSE, LLC / atsec information security.

53 of 55
Page 54

SUSE Linux Enterprise GnuTLS Cryptographic Module SP800-56Arev3 NIST Special Publication 800-56A Revision 3 - Recommendation for Pair Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf SP800-56Crev2 NIST Special Publication 800-56C Revision 2 - Recommendation for Key Derivation through Extraction-then-Expansion August 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf SP800-57rev5 NIST Special Publication 800-57 Part 1 Revision 5 Recommendation for Key Management Part 1: General May 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80057pt1r5.pdf SP800-90Arev1 NIST Special Publication 800-90A Revision 1 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP800-90B NIST Special Publication 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP800-108rev1 NIST Special Publication 800-108 Revision 1 - Recommendation for Key Derivation Using Pseudorandom Functions (Revised) August 2022 https://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf SP800-131Arev2 NIST Special Publication 800-131 Revision 2 - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800131Ar2.pdf SP800-132 NIST Special Publication 800-132 - Recommendation for PasswordBased Key Derivation - Part 1: Storage Applications December 2010 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800132.pdf SP800-133rev2 NIST Special Publication 800-133 Revision 2 - Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf © 2024 SUSE, LLC / atsec information security.

54 of 55
Page 55

SUSE Linux Enterprise GnuTLS Cryptographic Module SP800-135rev1 NIST Special Publication 800-135 Revision 1 - Recommendation for Existing Application-Specific Key Derivation Functions December 2011 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800135r1.pdf SP800-140B NIST Special Publication 800-140B - CMVP Security Policy Requirements March 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140B.pdf RFC7627 Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension September 2015 https://www.rfc-editor.org/rfc/rfc7627.txt RFC5288 AES Galois Counter Mode (GCM) Cipher Suites for TLS August 2008 https://www.rfc-editor.org/rfc/rfc5288.txt RFC8446 The Transport Layer Security (TLS) Protocol Version 1.3 August 2018 https://www.rfc-editor.org/rfc/rfc8446.txt © 2024 SUSE, LLC / atsec information security.

55 of 55

Referenced URLs