All modules
CMVP Validated Module · FIPS 140-3 Security Policy

CorSSL

Certificate#4897StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorCorsec Security, Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 20 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date11/20/2026
CaveatInterim validation. When operated in approved mode. When installed, initialized and configured as specified in Section 11 of the Security Policy. No assurance of the minimum strength of generated SSPs (e.g., keys)
VendorCorsec Security, Inc.

Approved Algorithms (63)

AlgorithmACVP Cert
AES-CBCA3254
AES-CCMA3254
AES-CFB1A3254
AES-CFB128A3254
AES-CFB8A3254
AES-CMACA3254
AES-CTRA3254
AES-ECBA3254
AES-GCMA3254
AES-GMACA3254
AES-KWA3254
AES-KWPA3254
AES-OFBA3254
AES-XTS Testing Revision 2.0A3254
Counter DRBGA3254
DSA KeyGen (FIPS186-4)A3254
DSA PQGGen (FIPS186-4)A3254
DSA PQGVer (FIPS186-4)A3254
DSA SigGen (FIPS186-4)A3254
DSA SigVer (FIPS186-4)A3254
ECDSA KeyGen (FIPS186-4)A3254
ECDSA KeyVer (FIPS186-4)A3254
ECDSA SigGen (FIPS186-4)A3254
ECDSA SigVer (FIPS186-4)A3254
HMAC-SHA-1A3254
HMAC-SHA2-224A3254
HMAC-SHA2-256A3254
HMAC-SHA2-384A3254
HMAC-SHA2-512A3254
HMAC-SHA3-224A3254
HMAC-SHA3-256A3254
HMAC-SHA3-384A3254
HMAC-SHA3-512A3254
KAS-ECC-SSC Sp800-56Ar3A3254
KAS-FFC-SSC Sp800-56Ar3A3254
PBKDFA3254
RSA KeyGen (FIPS186-4)A3254
RSA SigGen (FIPS186-4)A3254
RSA SigGen (FIPS186-4)A3254
RSA SigGen (FIPS186-4)A3254
RSA SigVer (FIPS186-4)A3254
RSA SigVer (FIPS186-4)A3254
RSA SigVer (FIPS186-4)A3254
SHA-1A3254
SHA2-224A3254
SHA2-256A3254
SHA2-384A3254
SHA2-512A3254
SHA3-224A3254
SHA3-256A3254
SHA3-384A3254
SHA3-512A3254
SHAKE-128A3254
SHAKE-256A3254
TDES-CBCA3254
TDES-CFB1A3254
TDES-CFB64A3254
TDES-CFB8A3254
TDES-CMACA3254
TDES-ECBA3254
TDES-OFBA3254
TLS v1.2 KDF RFC7627A3254
TLS v1.3 KDFA3253

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for CorSSL
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>Status Output</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>library named: openssl</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C3,C5,C6 clue;
  class I3,I5,I6 infer;
  class R3,R5,R6 risk;
  class E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for CorSSL
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>Status Output</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>HTTPS<br/>library named: openssl</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Corsec Security, Inc. CorSSL™ Software Version: 1.1.1s.005 FIPS Security Level: 1 Document Version: 0.1 Prepared by: Corsec Security, Inc.

12600 Fair Lakes Circle, Suite 210

Fairfax, VA 22033 United States of America Phone: +1 703 267 6050 www.corsec.com

Page 2

Abstract This is a non-proprietary Cryptographic Module Security Policy for CorSSL™ (version: 1.1.1s.005) from Corsec Security, Inc. (Corsec). This Security Policy describes how CorSSL™ meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-3, which details the U.S. and Canadian government requirements for cryptographic modules. More information about the FIPS 140-3 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS) Cryptographic Module Validation Program (CMVP) website at http://csrc.nist.gov/groups/STM/cmvp. This document also describes how to run the module in a secure Approved mode of operation. This policy was prepared as part of the Level 1 FIPS 140-3 validation of the module. CorSSL™ is also referred to in this document as the module. References This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-3 cryptographic module security policy. More information is available on the module from the following sources:

Page 3
Table of Contents
#SectionPage
Page 4
List of Tables
ItemPage
Table 1 – Security Levels5
Table 2 – Tested Operational Environments7
Table 3 – Approved Algorithms8
Table 4 – Non-Approved Algorithms Allowed in the Approved Mode of Operation14
Table 5 – Non-Approved Algorithms Not Allowed in the Approved Mode of Operation14
Table 6 – Ports and Interfaces18
Table 7 – Roles, Service Commands, Input and Output19
Table 8 – Approved Services21
Table 9 – Non-Approved Services23
Table 10 – Keys29
Table 11 – Non-Deterministic Random Number Generation Specification33
Table 12 – CVEs39
Table 13 – Acronyms and Abbreviations41
Figure 1 – GPC Block Diagram16
Figure 2 – Module Block Diagram (with Cryptographic Boundary)17
Page 5
  1. General Corsec Security, Inc. is a privately owned company dedicated to assisting organizations through the security certification and validation process. Over the past 22 years, Corsec has grown significantly, becoming a global leader in product and corporate security, offering critical guidance and expertise to meet important business challenges in product security and third-party certifications and security validations, including FIPS 140-2, FIPS 140-3, Common Criteria, and the DoDIN1 APL2. Corsec’s certification methodology helps open doors to new markets and increase revenue for clients with products ranging from mobile phones to satellites. Corsec’s broad knowledge safeguards against common pitfalls and thwarts delays, translating to a swift and seamless path to certification. Corsec has created the benchmark for providing business leaders with fast, flexible access to industry knowledge on security certifications and validations. CorSSL™ v1.1.1s.005 is a software library providing a C language API 3 for use by other applications requiring cryptographic functionality. CorSSL™ v1.1.1s.005 offers symmetric encryption/decryption, digital signature generation/verification, hashing, cryptographic key generation, random number generation, message authentication, and key establishment functions to secure data-at-rest/data-in-flight and to support industrystandard secure communications protocols (including TLS4 1.2/1.3). Corsec’s CorSSL™ is built upon the OpenSSL 1.1.1 code base, providing engineering teams with a completely compatible cryptographic/protocol engine, allowing quick “drop-in” replacement into any existing OpenSSL 1.1.1based architecture. CorSSL™ (which includes both the libcrypto crypto library and the libssl protocol library) does not modify the OpenSSL interface, maintaining complete compatibility, and eliminating engineering development time to meet FIPS 140-3 requirements. CorSSL™ is validated at the FIPS 140-3 section levels shown in Table
  2. Table 1 – Security Levels ISO/IEC 24579 Section
  3. FIPS 140-3 Section Title Security Level [Number Below]

1 General 1

2 Cryptographic Module Specification 1

3 Cryptographic Module Interfaces 1

4 Roles, Services, and Authentication 1

5 Software/Firmware Security 1

6 Operational Environment 1

7 Physical Security N/A

8 Non-Invasive Security N/A

1 DoDIN – Department of Defense Information Network
2 APL – Approved Product List

API

4 TLS – Transport Layer Security

CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 6

ISO/IEC 24579 Section 6. FIPS 140-3 Section Title Security Level [Number Below]

9 Sensitive Security Parameter Management 1

10 Self-tests 1

11 Life-Cycle Assurance 1

12 Mitigation of Other Attacks N/A

The module has an overall security level of 1. CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 7

2. Cryptographic Module Specification CorSSL™ v1.1.1s.005 is a software module with a multi-chip standalone embodiment. The module is designed to operate within a modifiable operational environment.

2.1 Operational Environments

The module was tested and found to be compliant with FIPS 140-3 requirements on the environments listed in Table 2. Table 2

1 Debian 9 Dell PowerEdge R440 Intel® Xeon Silver 4214R With (AES-NI)

2 Debian 9 Dell PowerEdge R440 Intel® Xeon Silver 4214R Without

The module is designed to utilize the AES-NI5 extended instruction set when available on the host platform’s CPU to accelerate the processing of its AES implementation. There are no vendor-affirmed operational environments claimed. The cryptographic module maintains validation compliance when operating on any general-purpose computer (GPC) provided that the GPC uses any single-user operating system/mode specified on the validation certificate, or another compatible single-user operating system. The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when ported to an operational environment not listed on the validation certificate.

2.2 Algorithm Implementations

The module implements cryptographic algorithms in the following providers:

5 AES-NI – Advanced Encryption Algorithm New Instructions

CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 8

Table 3

6 This table includes vendor-affirmed algorithms that are approved but CAVP testing is not yet available.

7 CBC – Cipher Block Chaining
9 CCM – Counter with Cipher Block Chaining - Message Authentication Code
10 CFB – Cipher Feedback
11 CMAC – Cipher-Based Message Authentication Code
13 ECB – Electronic Code Book
14 GCM – Galois Counter Mode
15 GMAC – Galois Message Authentication Code
16 KW – Key Wrap

KWP

18 OFB – Output Feedback

CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 9

CAVP Cert6 Algorithm and Standard Mode / Method Description / Key Size(s) / Use / Function Key Strength(s) A3254 AES-XTS19,20,21 Testing Revision XTS22,23,24 128, 256 Encryption/Decryption 2.0 NIST SP 800-38E A3254 Counter DRBG25 Counter-based 128, 192, 256-bit AES-CTR Deterministic Random Bit NIST SP 800-90Arev1 Generation A3254 DSA26 KeyGen (FIPS186-4) DSA KeyGen 2048/224, 2048/256, Key Pair Generation FIPS PUB 186-4 3072/256 A3254 DSA PQGGen (FIPS186-4) DSA PQGGen 2048/224, 2048/256, Domain Parameter FIPS PUB 186-4 3072/256 (SHA2-224, Generation SHA2-256, SHA2-384, SHA2-512) A3254 DSA PQGVer (FIPS186-4) DSA PQGVer 1024/160, 2048/224, Domain Parameter FIPS PUB 186-4 2048/256, 3072/256 (SHA- Verification 1, SHA2-224, SHA2-256, SHA2-384, SHA2-512) A3254 DSA SigGen (FIPS186-4) DSA SigGen 2048/224, 2048/256, Digital Signature Generation FIPS PUB 186-4 3072/256 (SHA2-224, SHA2-256, SHA2-384, SHA2-512) A3254 DSA SigVer (FIPS186-4) DSA SigVer 1024/160, 2048/224, Digital Signature Verification FIPS PUB 186-4 2048/256, 3072/256 (SHA1, SHA2-224, SHA2-256, SHA2-384, SHA2-512) A3254 ECDSA27 KeyGen (FIPS186-4) ECDSA KeyGen B-233, B-283, B-409, B-571, Key Pair Generation FIPS PUB 186-4 Secret generation K-233, K-283, K-409, K-571, mode: Testing P-224, P-256, P-384, P-521 candidates A3254 ECDSA KeyVer (FIPS186-4) ECDSA KeyVer B-163, B-233, B-283, B-409, Public Key Validation FIPS PUB 186-4 B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521 (SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512) A3254 ECDSA SigGen (FIPS186-4) ECDSA SigGen B-233, B-283, B-409, B-571, Digital Signature Generation FIPS PUB 186-4 K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 (SHA2-224, SHA2-256, SHA2-384, SHA2-512)

19 XOR – Exclusive OR
20 XEX – XOR Encrypt XOR

XTS

22 XOR – Exclusive OR
23 XEX – XOR Encrypt XOR
24 XTS – XEX-Based Tweaked-Codebook Mode with Ciphertext Stealing
25 DRBG – Deterministic Random Bit Generator

DSA

27 ECDSA – Elliptic Curve Digital Signature Algorithm

CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 10

CAVP Cert6 Algorithm and Standard Mode / Method Description / Key Size(s) / Use / Function Key Strength(s) A3254 ECDSA SigVer (FIPS186-4) ECDSA SigVer B-163, B-233, B-283, B-409, Digital Signature Verification FIPS PUB 186-4 B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521 (SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512) A3254 HMAC SHA-1 SHA-1 MAC: 80-160 Increment 8 Message Authentication FIPS PUB 198-1 Key Length: 8-524288 Increment 8 The module also supports HMAC SHA-1-80. A3254 HMAC SHA2-224 SHA2-224 MAC: 224 Message Authentication FIPS PUB 198-1 Key Length: 8-524288 Increment 8 A3254 HMAC SHA2-256 SHA2-256 MAC: 256 Message Authentication FIPS PUB 198-1 Key Length: 8-524288 Increment 8 A3254 HMAC SHA2-384 SHA2-384 MAC: 384 Message Authentication FIPS PUB 198-1 Key Length: 8-524288 Increment 8 A3254 HMAC SHA2-512 SHA2-512 MAC: 512 Message Authentication FIPS PUB 198-1 Key Length: 8-524288 Increment 8 A3254 HMAC SHA3-224 SHA3-224 MAC: 224 Message Authentication FIPS PUB 198-1 Key Length: 8-524288 Increment 8 A3254 HMAC SHA3-256 SHA3-256 MAC: 256 Message Authentication FIPS PUB 198-1 Key Length: 8-524288 Increment 8 A3254 HMAC SHA3-384 SHA3-384 MAC: 384 Message Authentication FIPS PUB 198-1 Key Length: 8-524288 Increment 8 A3254 HMAC SHA3-512 SHA3-512 MAC: 512 Message Authentication FIPS PUB 198-1 Key Length: 8-524288 Increment 8 A3254 KAS-ECC-SSC28 Sp800-56Ar3 ephemeralUnified B-233, B-283, B-409, B-571, Shared Secret Computation NIST SP 800-56Arev3 K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 A3254 KAS-FFC-SSC29 Sp800-56Ar3 dhEphem 2048/224 (FB), 2048/256 Shared Secret Computation NIST SP 800-56Arev3 (FC) A3254 PBKDF230 Section 5.4, option SHA-1, SHA2-224, SHA2- Password-Based Key NIST SP 800-132 1a 256, SHA2-384, SHA2-512, Derivation SHA3-224, SHA3-256, SHA3-384, SHA3-512

28 KAS-ECC-SSC

KAS-FFC-SSC

30 PBKDF2 – Password-based Key Derivation Function 2

CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 11

CAVP Cert6 Algorithm and Standard Mode / Method Description / Key Size(s) / Use / Function Key Strength(s) A3254 RSA31 KeyGen (FIPS186-4) Key generation 2048, 3072, 4096 Key Pair Generation FIPS PUB 186-4 mode: B.3.3 A3254 RSA32 SigGen (FIPS186-4) X9.31 2048, 3072, 4096 (SHA2- Digital Signature Generation FIPS PUB 186-4 256, SHA2-384, SHA2-512) PKCS#1 v1.5 2048, 3072, 4096 (SHA2- Digital Signature Generation 224, SHA2-256, SHA2-384, SHA2-512) PSS33 2048, 3072, 4096 (SHA2- Digital Signature Generation 224, SHA2-256, SHA2-384, SHA2-512) A3254 RSA34 SigVer (FIPS186-4) X9.31 1024, 2048, 3072, 4096 Digital Signature Verification FIPS PUB 186-4 (SHA-1, SHA2-256, SHA2384, SHA2-512) PKCS#1 v1.5 1024, 2048, 3072, 4096 Digital Signature Verification (SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512) PSS35 1024, 2048, 3072, 4096 Digital Signature Verification (SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512) A3254 SHA-1 SHA-1 Message Length: Message Digest FIPS PUB 180-4 0-65528 Increment 8 A3254 SHA2-224 SHA2-224 Message Length: Message Digest FIPS PUB 180-4 0-65528 Increment 8 A3254 SHA2-256 SHA2-256 Message Length: Message Digest FIPS PUB 180-4 0-65528 Increment 8 A3254 SHA2-384 SHA2-384 Message Length: Message Digest FIPS PUB 180-4 0-65528 Increment 8 A3254 SHA2-512 SHA2-512 Message Length: Message Digest FIPS PUB 180-4 0-65528 Increment 8 A3254 SHA3-224 SHA3-224 Message Length: Message Digest FIPS PUB 202 0-65528 Increment 8 A3254 SHA3-256 SHA3-256 Message Length: Message Digest FIPS PUB 202 0-65528 Increment 8 A3254 SHA3-384 SHA3-384 Message Length: Message Digest FIPS PUB 202 0-65528 Increment 8 A3254 SHA3-512 SHA3-512 Message Length: Message Digest FIPS PUB 202 0-65528 Increment 8 A3254 SHAKE36-128 SHAKE-128 Output Length: 16-1024 Message Digest FIPS PUB 202 Increment 8

31 RSA – Rivest Shamir Adleman
32 RSA – Rivest Shamir Adleman
33 PSS – Probabilistic Signature Scheme
34 RSA – Rivest Shamir Adleman

PSS

36 SHAKE – Secure Hash Algorithm KECCAK

CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 12

CAVP Cert6 Algorithm and Standard Mode / Method Description / Key Size(s) / Use / Function Key Strength(s) A3254 SHAKE-256 SHAKE-256 Output Length: 16-1024 Message Digest FIPS PUB 202 Increment 8 A3254 TDES-CBC CBC 168 Decryption NIST SP 800-67rev2 NIST SP 800-38A A3254 TDES-CFB1 CFB1 168 Decryption NIST SP 800-67rev2 NIST SP 800-38A A3254 TDES-CFB64 CFB64 168 Decryption NIST SP 800-67rev2 NIST SP 800-38A A3254 TDES-CFB8 CFB8 168 Decryption NIST SP 800-67rev2 NIST SP 800-38A A3254 TDES-CMAC CMAC 112, 168 MAC verification NIST SP 800-67rev2 NIST SP 800-38B A3254 TDES-ECB ECB 168 Decryption NIST SP 800-67rev2 NIST SP 800-38A A3254 TDES-OFB OFB 168 Decryption NIST SP 800-67rev2 NIST SP 800-38A A3254 TLS v1.2 KDF RFC 7627 KDF (TLS37 v1.2) SHA2-256, SHA2-384, Key Derivation CVL SHA2-512 NIST SP 800-135rev1 No part of the TLS 1.2 protocol, RFC 7627 other than the KDF, has been tested by the CAVP and CMVP. CorSSL (libssl) A3253 TLS v1.3 KDF KDF (TLS v1.3) SHA2-256, SHA2-384 Key Derivation CVL NIST SP 800-135rev1 No part of the TLS 1.3 protocol, RFC 8446 other than the KDF, has been tested by the CAVP and CMVP. Security Function Implementations (SFIs) KAS-ECC-SSC KAS38 NIST SP 800- B-233, B-283, B-409, B-571, Key Agreement A3254 NIST SP 800-56Arev3 56Arev3. KAS-ECC K-233, K-283, K-409, K-571, NIST SP 800-135rev1 per IG D.F Scenario P-224, P-256, P-384, and PTLS v1.2 KDF RFC 7627 2 path (2) 521 curves providing RFC7627 between 112 and 256 bits A3254 of encryption strength KAS-ECC-SSC KAS NIST SP 800- B-233, B-283, B-409, B-571, Key Agreement A3254 NIST SP 800-56Arev3 56Arev3. KAS-ECC K-233, K-283, K-409, K-571, NIST SP 800-135rev1 per IG D.F Scenario P-224, P-256, P-384, and PTLS v1.3 KDF RFC 8446 2 path (2) 521 curves providing A3253 between 112 and 256 bits of encryption strength TLS

38 KAS – Key Agreement Scheme

CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 13

CAVP Cert6 Algorithm and Standard Mode / Method Description / Key Size(s) / Use / Function Key Strength(s) KAS-FFC-SSC KAS NIST SP 800- 2048-bit key providing 112 Key Agreement A3254 NIST SP 800-56Arev3 56Arev3. KAS-FFC bits of encryption strength NIST SP 800-135rev1 per IG D.F Scenario TLS v1.2 KDF RFC 7627 2 path (2) RFC7627 A3254 KAS-FFC-SSC KAS NIST SP 800- 2048-bit key providing 112 Key Agreement A3254 NIST SP 800-56Arev3 56Arev3. KAS-FFC bits of encryption strength NIST SP 800-135rev1 per IG D.F Scenario TLS v1.3 KDF RFC 8446 2 path (2) A3253 AES-CCM KTS39 NIST SP 800-38C 128, 192, and 256-bit keys Key Wrap/Unwrap40 A3254 NIST SP 800-38C and NIST SP 800- provide between 128 and NIST SP 800-38F 38F. KTS (key 256 bits of encryption wrapping and strength unwrapping) per IG D.G. AES-GCM KTS NIST SP 800-38D 128, 192, and 256-bit keys Key Wrap/Unwrap41 A3254 NIST SP 800-38D and NIST SP 800- provide between 128 and NIST SP 800-38F 38F. KTS (key 256 bits of encryption wrapping and strength unwrapping) per IG D.G. AES-KW KTS NIST SP 800-38F. 128, 192, and 256-bit keys Key Wrap/Unwrap A3254 NIST SP 800-38F KTS (key wrapping provide between 128 and and unwrapping) 256 bits of encryption per IG D.G. strength AES-KWP KTS NIST SP 800-38F. 128, 192, and 256-bit keys Key Wrap/Unwrap A3254 NIST SP 800-38F KTS (key wrapping provide between 128 and and unwrapping) 256 bits of encryption per IG D.G. strength Vendor Affirmed Vendor CKG42 - - Cryptographic Key Generation Affirmed NIST SP 800-133rev2 The vendor affirms the following cryptographic security methods:

39 KTS – Key Transport Scheme

40 Per FIPS 140-3 Implementation Guidance D.G, AES-CCM is Approved for key wrap/unwrap.

Per FIPS 140-3 Implementation Guidance D.G, AES-GCM is Approved for key wrap/unwrap.

42 CKG – Cryptographic Key Generation

CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 14

while having no knowledge of the entropy source and exercising no control over the amount or the quality of the obtained entropy. The calling application and its entropy sources are located within the operational environment inside the module’s physical perimeter but outside the cryptographic boundary. Thus, there is no assurance of the minimum strength of generated SSPs (e.g., keys) The module implements the Non-Approved but allowed algorithms shown in Table 4 below. Table 4

43 OCB – Offset Codebook

CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 15

Algorithm / Function Use / Function DSA (non-compliant with key sizes below the Key Pair Generation; Digital Signature Generation; Digital minimums for Approved mode) Signature Verification ECDH (non-compliant with curves P-192, K-163, B- Key Agreement 163, and non-NIST curves) ECDSA (non-compliant with curves P-192, K-163, B- Key Pair Generation; Digital Signature Generation; Digital 163, and non-NIST curves) Signature Verification EdDSA44 Key Pair Generation; Digital Signature Generation; Digital Signature Verification IDEA Encryption/Decryption KDF Key Derivation Functions for TLS 1.0/1.1; HKDF; X9.42 MD2, MD4, MD5 Message Digest Poly1305 Message Authentication Code RC245, RC4, RC5 Encryption/Decryption RIPEMD Message Digest RMD160 Message Digest RSA (non-compliant with non-approved/untested key Key Pair Generation; Digital Signature Generation; Digital sizes, and functions) Signature Verification; Key Transport SEED Encryption/Decryption SHA-1 (non-compliant) Signature Generation for TLS 1.0/1.1 SM2, SM3 Message Digest SM4 Encryption/Decryption Triple-DES (non-compliant) Encryption; MAC Generation; Key Wrapping Whirlpool Message Digest

2.3 Cryptographic Boundary

As a software cryptographic module, the module has no physical components. The physical perimeter of the cryptographic module is defined by each host platform on which the module is installed. Figure 1 below illustrates a block diagram of a typical GPC and the module’s physical perimeter. EdDSA

45 RC – Rivest Cipher

CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 16

Hardware Network DVD RAM Management Interface HDD Clock SCSI/SATA Generator Controller LEDs/LCD CPU Serial I/O Hub Audio Cache PCI/PCIe Slots USB BIOS Power Graphics PCI/PCIe Interface Controller Slots External Power Supply KEY: BIOS

Page 17

libssl libssl.hmac Calling Application libcrypto libcrypto.hmac KEY: Cryptographic Boundary Physical Perimeter Operating System Data Input Data Output Control Input Control Output CPU Memory Storage Ports Status Output System Calls Host Device Figure 2

2.4 Modes of Operation

The module supports two modes of operation: Approved and Non-Approved. The module operates in the Approved mode when all pre-operational self-tests have completed successfully, and only Approved services are invoked. Table 3 and Table 4 list the Approved and allowed algorithms, while Table 8 provides descriptions of the Approved services. The module alternates on a service-by-service basis between Approved and Non-Approved modes of operation. The module will implicitly switch to the Non-Approved mode upon execution of a Non-Approved service. The module will implicitly switch back to the Approved mode upon execution of an Approved service. Table 5 lists the Non-Approved algorithms implemented by the module, while Table 9 below lists the services that constitute the Non-Approved mode. When following the guidance in section 11.5 of this document, CSPs are not shared between Approved and nonApproved services and modes of operation. CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 18
  1. Cryptographic Module Interfaces FIPS 140-3 defines the following logical interfaces for cryptographic modules: • Data Input • Data Output • Control Input • Control Output • Status Output As a software library, the cryptographic module has no direct access to any of the host platform’s physical ports, as it communicates only to the calling application via its well-defined API. A mapping of the FIPS-defined interfaces and the module’s logical ports and interfaces can be found in Table
  2. Note that the module does not output control information, and thus has no specified control output interface. Table 6 – Ports and Interfaces Physical Port Logical Interface Data That Passes Over Port/Interface Physical data input port(s) of Data Input • Data to be encrypted, decrypted, signed, the tested platforms • API input arguments that provide verified, or hashed input data for processing • Keys to be used in cryptographic services • Random seed material for the module’s DRBG • Keying material to be used as input to key establishment services Physical data output port(s) of Data Output • Data that has been encrypted, the tested platforms • API output arguments that return decrypted, or verified generated or processed data back • Digital signatures to the caller • Hashes • Random values generated by the module’s DRBG • Keys established using module’s key establishment methods Physical control input port(s) of Control Input • API commands invoking cryptographic the tested platforms • API input arguments that are services used to initialize and control the • Modes, key sizes, etc. used with operation of the module cryptographic services Physical status output port(s) Status Output • Status information regarding the module of the tested platforms • API call return values • Status information regarding the invoked service/operation CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.
Page 19

4. Roles, Services, and Authentication The sections below describe the module’s authorized roles, services, and operator authentication methods.

4.1 Authorized Roles

The module supports a Crypto Officer (CO) that authorized operators can assume. The CO role performs cryptographic initialization or management functions and general security services. The module also supports the following role(s):

46 MAC – Message Authentication Code

CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 20

Role Service Input Output User Verify Digital Signature API call parameters, key, Status signature, message User Perform Key Wrap API call parameters, encryption Status, encrypted key key, key User Perform Key Unwrap API call parameters, decryption Status, decrypted key key, key User Compute Shared Secret API call parameters Status, shared secret User Derive Keys via TLS KDF API call parameters, TLS pre- Status, TLS keys master secret User Perform Key Agreement Functions API call parameters Status, symmetric key User Derive Key via PBKDF2 API call parameters, password Status, key

4.2 Authentication Methods

The module does not support authentication methods; operators implicitly assume an authorized role based on the service selected.

4.3 Services

Descriptions of the approved services available to the authorized roles are provided in Table 8 below. This module is a software library that provides cryptographic functionality to calling applications. As such, the security functions provided by the module are considered the module’s security services. Indicators for Approved services (in the case of this module, those security functions with algorithm validation certificates and all required self-tests) are provided via API return value. When invoking a security function, the calling application provides inputs via an internal structure, or “context”. Upon each service invocation, the module will determine if the invoked security function is an Approved service. To access the resulting value, the calling application must pass the finalized context to the indicator API associated with that security function (note the indicator check must be performed prior to any context cleanup is performed). The indicator API will return “1” to indicate the usage of an Approved service. Indicators for services providing Non-Approved security functions (as well as for services not requiring an indicator) will have a value other than “1”, ensuring that the indicators for Approved services are unambiguous. Additional details on the APIs used for the Approved service indicators are provided in Appendix B below. The keys and Sensitive Security Parameters (SSPs) listed in the table indicate the type of access required using the following notation:

Page 21

Table 8

Page 22

Service Description Approved Security Functions Keys and/or SSPs Roles Access Rights to Keys Indicator and/or SSPs Perform Hash Compute a SHA-1 (Cert. A3254) None User N/A API return Operation message digest SHA2-224 (Cert. A3254) value SHA2-256 (Cert. A3254) SHA2-384 (Cert. A3254) SHA2-512 (Cert. A3254) SHA3-224 (Cert. A3254) SHA3-256 (Cert. A3254) SHA3-384 (Cert. A3254) SHA3-512 (Cert. A3254) Generate DSA Generate DSA DSA PQGGen (FIPS186-4) (Cert. A3254) None User N/A API return Domain domain value Parameters parameters Verify DSA Verify DSA DSA PQGVer (FIPS186-4) (Cert. A3254) None User N/A API return Domain domain value Parameters parameters Generate Generate a DSA KeyGen (FIPS186-4) (Cert. A3254) DSA public key User DSA public key

Page 23
Page 24

Service Description Algorithms Accessed Role Indicator Perform Key Pair Generation Perform key pair generation DSA (non-compliant), ECDSA User API return value (Non-Compliant) (non-compliant), EdDSA, RSA (non-compliant) CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 25

5. Software/Firmware Security All software components within the cryptographic boundary are verified using an Approved integrity technique implemented within the cryptographic module itself. The module implements independent HMAC SHA2-256 digest checks to test the integrity of each library file; failure of the integrity test for either library file will cause the module to enter a critical error state. Details regarding the keys used for the integrity checks can be found in Table 10 below. The module’s integrity check is performed automatically at module instantiation (i.e., when the module is loaded into memory for execution) without action from the module operator. The CO can initiate the pre-operational tests on demand by re-instantiating the module or issuing the FIPS_selftest() API command. CorSSL™ is not a standalone application; it is a cryptographic toolkit intended for use in a with a vendor’s solution. The module will be linked to a host application, and the host application will be pre-installed onto a target platform by the vendor or installed onto target platforms by the end-user. The module requires no configuration steps to be performed by application developers or end-users, and no action is required from developers or end-users to initialize the module for operation. The module is designed with a default entry point (DEP) that ensures that the pre-operational tests and conditional CASTs are initiated automatically when the module is loaded. CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 26

6. Operational Environment The CorSSL™ comprises a software cryptographic library that executes in a modifiable operational environment. The cryptographic module has control over its own SSPs. The process and memory management functionality of the host device’s OS prevents unauthorized access to plaintext private and secret keys, intermediate key generation values and other SSPs by external processes during module execution. The module only allows access to SSPs through its well-defined API. The operational environment provides the capability to separate individual application processes from each other by preventing uncontrolled access to CSPs and uncontrolled modifications of SSPs regardless of whether this data is in the process memory or stored on persistent storage within the operational environment. Processes that are spawned by the module are owned by the module and are not owned by external processes/operators. Please refer to section 2.1 of this document for a list/description of the applicable operational environments. CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 27

7. Physical Security The cryptographic module is software module and does not include physical security mechanisms. Therefore, per ISO/IEC 19790:2021 section 7.7.1, requirements for physical security are not applicable. CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 28

8. Non-Invasive Security This section is not applicable. There is currently no approved non-invasive mitigation techniques referenced in ISO/IEC 19790:2021 Annex F. CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 29

9. Sensitive Security Parameter Management

9.1 Keys and Other SSPs

The module supports the keys and other SSPs listed Table 10 below. Table 10

Page 30

Key/SSP Strength Security Function and Generation Import / Export Establishment Storage Zeroisation Use & Name/Type Cert. Number Related Keys (Cert. A3254) AES GCM Key Between 128 AES-GCM - Imported in Derived via Plaintext in Unload Authenticated (CSP) and 256 bits (Cert. A3254) plaintext via API TLS KDF volatile module; Symmetric parameter memory Remove power Encryption, KTS (AES-GCM) Decryption; (Cert. A3254) Never exported Key Transport AES XTS Key 256 bits AES-XTS - Imported in - Plaintext in Unload Symmetric (CSP) (Cert. A3254) plaintext via API volatile module; Encryption, parameter memory Remove power Decryption Never exported AES CMAC Key Between 128 AES-CMAC - Imported in - Plaintext in Unload MAC (CSP) and 256 bits (Cert. A3254) plaintext via API volatile module; Generation, parameter memory Remove power Verification Never exported AES GMAC Key Between 128 AES-GMAC - Imported in - Plaintext in Unload MAC (CSP) and 256 bits (Cert. A3254) plaintext via API volatile module; Generation, parameter memory Remove power Verification Never exported Triple-DES Key 168 bits TDES-CBC - Imported in - Plaintext in Unload Symmetric (CSP) (Cert. A3254) plaintext via API volatile module; Decryption; parameter memory Remove power Key TDES-CFB1 Unwrapping (Cert. A3254) Never exported TDES-CFB64 (Cert. A3254) TDES-CFB8 (Cert. A3254) TDES-ECB (Cert. A3254) TDES-OFB (Cert. A3254) Triple-DES 168 bits TDES-CMAC - Imported in - Plaintext in Unload MAC CMAC Key (Cert. A3254) plaintext via API volatile module; Verification (CSP) parameter memory Remove power Never exported HMAC Key 112 bits HMAC SHA-1 - Imported in Derived via Plaintext in Unload Keyed Hash (CSP) (minimum) (Cert. A3254) plaintext via API TLS KDF volatile module; parameter memory Remove power HMAC SHA2-224 (Cert. A3254) Never exported HMAC SHA2-256 (Cert. A3254) HMAC SHA2-384 (Cert. A3254) HMAC SHA2-512 (Cert. A3254) HMAC SHA3-224 (Cert. A3254) HMAC SHA3-256 (Cert. A3254) HMAC SHA3-384 (Cert. A3254) HMAC SHA3-512 (Cert. A3254) DSA Private Key 112 or 128 DSA SigGen (FIPS186- Generated Imported in - Plaintext in Unload Digital (CSP) bits 4) internally via plaintext via API volatile module; Signature (Cert. A3254) approved DRBG parameter memory Remove power Generation CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 31

Key/SSP Strength Security Function and Generation Import / Export Establishment Storage Zeroisation Use & Name/Type Cert. Number Related Keys Exported in Paired with: plaintext via API DSA Public Key parameter DSA Public Key 112 or 128 DSA SigVer (FIPS186- Generated Imported in - Plaintext in Unload Digital (PSP) bits 4) internally via plaintext via API volatile module; Signature (Cert. A3254) approved DRBG parameter memory Remove power Verification Exported in Paired with: plaintext via API DSA Private parameter Key ECDSA Private Between 112 ECDSA SigGen Generated Imported in - Plaintext in Unload Digital Key and 256 bits (FIPS186-4) internally via plaintext via API volatile module; Signature (CSP) (Cert. A3254) approved DRBG parameter memory Remove power Generation Exported in Paired with: plaintext via API ECDSA Public parameter Key ECDSA Public Between 112 ECDSA SigVer Generated Imported in - Plaintext in Unload Digital Key and 256 bits (FIPS186-4) internally via plaintext via API volatile module; Signature (PSP) (Cert. A3254) approved DRBG parameter memory Remove power Verification Exported in Paired with: plaintext via API ECDSA Private parameter Key RSA Private Key Between 112 RSA SigGen (FIPS186- Generated Imported in - Plaintext in Unload Digital (CSP) and 150 bits 4) internally via plaintext via API volatile module; Signature (Cert. A3254) approved DRBG parameter memory Remove power Generation Exported in Paired with: plaintext via API RSA Public Key parameter RSA Public Key Between 80 RSA SigVer (FIPS186- Generated Imported in - Plaintext in Unload Digital (PSP) and 150 bits 4) internally via plaintext via API volatile module; Signature (Cert. A3254) approved DRBG parameter memory Remove power Verification Exported in Paired with: plaintext via API RSA Private parameter Key DH Private Key 112 bits KAS-SSC-FFC Sp800- Generated Imported in - Plaintext in Unload DH Shared (CSP) 56Ar3 internally via plaintext via API volatile module; Secret (Cert. A3254) approved DRBG parameter memory Remove power Computation Exported in Paired with: plaintext via API DH Public Key parameter DH Public Key 112 bits KAS-SSC-FFC Sp800- Generated Imported in - Plaintext in Unload DH Shared (PSP) 56Ar3 internally via plaintext via API volatile module; Secret (Cert. A3254) approved DRBG parameter memory Remove power Computation Exported in Paired with: plaintext via API DH Public Key parameter ECDH Private Between 112 KAS-SSC-ECC Sp800- Generated Imported in - Plaintext in Unload ECDH Shared Key and 256 bits 56Ar3 internally via plaintext via API volatile module; Secret (CSP) (Cert. A3254) approved DRBG parameter memory Remove power Computation Exported in Paired with: plaintext via API ECDH Public parameter Key ECDH Public Key Between 112 KAS-SSC-ECC Sp800- Generated Imported in - Plaintext in Unload ECDH Shared (PSP) and 256 bits 56Ar3 internally via plaintext via API volatile module; Secret (Cert. A3254) approved DRBG parameter memory Remove power Computation Exported in Paired with: plaintext via API ECDH Private parameter Key Other SSPs Passphrase - PBKDF2 - Imported in - Plaintext in Unload Input to PBKDF (PSP) (Cert. A3254) plaintext via API volatile module; for key parameter memory Remove power derivation CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 32

Key/SSP Strength Security Function and Generation Import / Export Establishment Storage Zeroisation Use & Name/Type Cert. Number Related Keys Never exported AES GCM IV - AES-GCM Generated - - Plaintext in Unload Initialization (CSP) (Cert. A3254) internally in volatile module; vector for AES compliance with memory Remove power GCM the provisions of a peer-to-peer Paired with: industry standard AES GCM Key protocol TLS pre-master - TLS v1.2 KDF - Imported in - Plaintext in Unload Derivation of secret RFC7627) plaintext via API volatile module; the TLS master (CSP) (Cert. A3254) parameter memory Remove power secret TLS v1.3 KDF Never exported (Cert. A3253) TLS master - TLS v1.2 KDF - - Derived Plaintext in Unload Derivation of secret RFC7627) internally via volatile module; the AES key, (CSP) (Cert. A3254) TLS KDF memory Remove power AES-GCM key, and HMAC key TLS v1.3 KDF used for (Cert. A3253) securing TLS connections Derived from: TLS pre-master secret DRBG entropy - Counter DRBG - Imported in - Plaintext in Unload Entropy input (Cert. A3254) plaintext via API volatile module; material for (CSP) parameter47 memory Remove power DRBG Never exported DRBG seed - Counter DRBG Generated - - Plaintext in Unload Seeding (CSP) (Cert. A3254) internally using volatile module; material for nonce along with memory Remove power DRBG DRBG entropy input DRBG ‘V’ value - Counter DRBG Generated - - Plaintext in Unload State values (CSP) (Cert. A3254) internally volatile module; for DRBG memory Remove power DRBG ‘Key’ - Counter DRBG Generated - - Plaintext in Unload State values value (Cert. A3254) internally volatile module; for DRBG (CSP) memory Remove power

9.2 DRBGs

The module implements the following Approved DRBG:

Page 33
9.3 SSP Storage Techniques

There is no mechanism within the module’s cryptographic boundary for the persistent storage of SSPs. The module stores DRBG state values for the lifetime of the DRBG instance. The module uses SSPs passed in on the stack by the calling application and does not store these SSPs beyond the lifetime of the API call.

9.4 SSP Zeroization Methods

Maintenance, including protection and zeroization, of any keys and CSPs that exist outside the module’s cryptographic boundary are the responsibility of the end-user. For the zeroization of keys in volatile memory, module operators can unload the module from memory or reboot/power-cycle the host device.

9.5 RBG Entropy Sources

Table 11 below specifies the module’s entropy sources. Table 11

Page 34

10. Self-Tests Both pre-operational and conditional self-tests are performed by the module. Pre-operational tests are performed between the time the cryptographic module is instantiated and before the module transitions to the operational state. Conditional self-tests are performed by the module during module operation when certain conditions exist. The following sections list the self-tests performed by the module, their expected error status, and the error resolutions.

10.1 Pre-Operational Self-Tests

The module performs the following pre-operational self-test(s):

10.2 Conditional Self-Tests

The module performs the following conditional self-tests:

49 KAT – Known Answer Test

CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 35
10.3 On-Demand Self-Testing

The CO can initiate the pre-operational self-tests and conditional CASTs on demand for periodic testing of the module by re-instantiating the module, rebooting/power-cycling the host device, or issuing the FIPS_selftest() API command.

10.4 Self-Test Failure Handling

The module reaches the critical error state when any self-test fails. Upon test failure, the module immediately terminates the calling application’s API call with a returned error code and sets an internal flag, signaling the error condition. For any subsequent request made by the calling application for cryptographic services, the module will return a failure indicator, thereby disabling all access to its cryptographic functions, sensitive security parameters (SSPs), and data output services while the error condition persists. To recover, the module must be re-instantiated by the calling application. If the pre-operational self-tests complete successfully, then the module can resume normal operations. If the module continues to experience self-test failures after reinitializing, then the module will not be able to resume normal operations, and the CO should contact Corsec Security, Inc. for assistance.

50 PCT – Pairwise Consistency Test

CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 36

11. Life-Cycle Assurance The sections below describe how to ensure the module is operating in its validated configuration, including the following:

11.1 Secure Installation

The module is distributed as a package containing the binaries and HMAC digest files that the Crypto Officer is to install onto a target platform specified in section 2.1 or one where portability is maintained.

11.2 Initialization

This module is designed to support third-party vendor applications, and these applications are the sole consumers of the cryptographic services provided by the module. No end-user action is required to initialize the module for operation; the calling application performs any actions required to initialization the module. The pre-operational integrity test and conditional CASTs are performed automatically via a default entry point (DEP) when the module is loaded for execution, without any specific action from the calling application or the end-user. End-users have no means to short-circuit or bypass these actions. Failure of any of the initialization actions will result in a failure of the module to load for execution.

11.3 Startup

No startup steps are required to be performed by end-users.

11.4 Administrator Guidance

There are no specific management activities required of the CO role to ensure that the module runs securely. If any irregular activity is observed, or if the module is consistently reporting errors, then Corsec Customer Support should be contacted. The following list provides additional guidance for the CO:

Page 37
11.5 Non-Administrator Guidance

The following list provides additional policies for the User role:

Page 38

The module supports acceptable AES GCM cipher suites from section 3.3.1 of NIST SP 800-52rev2. The AES GCM IV generation is performed internally, is compliant with the RFC 5288, and shall only be used for the TLS 1.2 protocol to be compliant with scenario 1 in FIPS 140-3 IG C.H; thus, the module is compliant with NIST SP 800-52rev2.

11.6 Common Vulnerabilities and Exposures

The Common Vulnerabilities and Exposures (CVE) program is a dictionary or glossary of vulnerabilities that have been identified for specific code bases, such as software applications or open libraries. This list allows interested parties to acquire the details of vulnerabilities by referring to a unique identifier known as the CVE ID.

11.6.1 Applicable CVEs

The following table lists the applicable CVEs impacting the module, as well as methods of mitigation. CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 39

Table 12

11.6.2 CVE Mitigation Plan

Post-submission, the module has been continually updated to provide mitigations for the CVEs listed above. These mitigations will be included in a future revalidation of the module. CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 40

12. Mitigation of Other Attacks This section is not applicable. The module does not claim to mitigate any attacks beyond the FIPS 140-3 Level 1 requirements for this validation. CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 41

Appendix A. Acronyms and Abbreviations Table 13 below provides definitions for the acronyms and abbreviations used in this document. Table 13

Page 42

Term Definition GMAC Galois Message Authentication Code GPC General-Purpose Computer HMAC (keyed-) Hash Message Authentication Code KAS Key Agreement Scheme KAT Known Answer Test KTS Key Transport Scheme KW Key Wrap KWP Key Wrap with Padding MD Message Digest NIST National Institute of Standards and Technology OCB Offset Codebook OFB Output Feedback OS Operating System PBKDF Password-Based Key Derivation Function PCT Pairwise Consistency Test PKCS Public Key Cryptography Standard PSS Probabilistic Signature Scheme PUB Publication RC Rivest Cipher RNG Random Number Generator RSA Rivest Shamir Adleman SHA Secure Hash Algorithm SHAKE Secure Hash Algorithm KECCAK SHS Secure Hash Standard SP Special Publication TLS Transport Layer Security XEX XOR Encrypt XOR XTS XEX-Based Tweaked-Codebook Mode with Ciphertext Stealing CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 43

Appendix B. Approved Service Indicators This appendix specifies the APIs that are externally accessible and return the Approved service indicators. Synopsis #include <openssl/service_indicator.h> #include <openssl/ssl.h> int EVP_cipher_get_service_indicator(EVP_CIPHER_CTX *ctx); int DSA_get_service_indicator(DSA * ptr_dsa, DSA_MODES_t mode); int RSA_key_get_service_indicator(RSA * ptr_rsa); int PBKDF_get_service_indicator(); int EVP_Digest_get_service_indicator(EVP_MD_CTX *ctx); int EC_key_get_service_indicator(EC_KEY *ec_key); int CMAC_get_service_indicator(CMAC_CTX *cmac_ctx, CMAC_MODE_t mode); int HMAC_get_service_indicator(HMAC_CTX *ctx); int TLSKDF_get_service_indicator(EVP_PKEY_CTX *tls_ctx); int TLS1_3_kdf_get_service_indicator(EVP_MD *md); int TLS1_3_get_service_indicator(SSL *s); int DRBG_get_service_indicator(RAND_DRBG *drbg); Description These APIs are high-level interfaces that return the Approved service indicator value based on the parameter(s) passed to them.

Page 44
Page 45

//Decrypt ctx = EVP_CIPHER_CTX_new(); EVP_DecryptInit_ex(ctx, cipher, NULL, key, NULL); EVP_CIPHER_CTX_set_key_length(ctx, 24); EVP_DecryptUpdate(ctx, pltmp, &outLen, citmp, 8); // Check the indicator fprintf(stdout,"EVP_des_ede3_ecb (NID %i) decrypt indicator = %i\n", NID, EVP_cipher_get_service_indicator(ctx)); EVP_CIPHER_CTX_cleanup(ctx); EVP_CIPHER_CTX_free(ctx); } CorSSL™ 1.1.1s.005 ©2024 Corsec Security, Inc.

Page 46

Prepared by: Corsec Security, Inc.

12600 Fair Lakes Circle, Suite 210

Fairfax, VA 22033 United States of America Phone: +1 703 267 6050 Email: info@corsec.com http://www.corsec.com