All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Oracle Linux 9 libgcrypt Cryptographic Module

Certificate#4993StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorOracle Corporation
Low review priority  ·  no TCB surface named  ·  libgcrypt upstream has published 2 CVEs since this module's initial validation  ·  last validated 8 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date3/27/2030
CaveatWhen operated in approved mode. When installed, initialized and configured as specified in Section 11.1 of the Security Policy. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs.
VendorOracle Corporation

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Oracle Linux 9 libgcrypt Cryptographic Module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Recovery<br/>Update</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Status Output</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Oracle Linux 9 libgcrypt Cryptographic Module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Recovery<br/>Update</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Status Output</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>HTTPS<br/>no library/version identified</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Oracle Corporation Oracle Linux 9 libgcrypt Cryptographic Module Software Version: 1.10.0-3957adb8de08b15a Prepared by: atsec information security corporation

4516 Seton Center Parkway, Suite 250

Austin, TX 78759 www.atsec.com Document Version 1.4. ©Oracle Corporation

Page 2

Title: Oracle Linux 9 libgcrypt Cryptographic Module Security Policy Date: October 1st, 2025 Contributing Authors: Oracle Linux Engineering Security Evaluations

2300 Oracle Way

Austin, TX 78741 U.S.A. Worldwide Inquiries: Phone: +1.650.506.7000 Fax: +1.650.506.7200 www.oracle.com hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. Oracle specifically disclaim any liability with respect to this document and no contractual obligations are formed either Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Oracle Linux 9 libgcrypt Cryptographic Module Security Policy i

Page 3
Table of Contents
#SectionPage
Page 4

Oracle Linux 9 libgcrypt Cryptographic Module Security Policy iii

Page 5
List of Tables
ItemPage
Table 1: Security Levels1
Table 2: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)3
Table 3: Tested Operational Environments - Software, Firmware, Hybrid3
Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid4
Table 5: Modes List and Description4
Table 6: Approved Algorithms19
Table 7: Vendor-Affirmed Algorithms20
Table 8: Non-Approved, Not Allowed Algorithms20
Table 9: Security Function Implementations25
Table 10: Entropy Certificates25
Table 11: Ports and Interfaces27
Table 12: Roles28
Table 13: Approved Services31
Table 14: Non-Approved Services32
Table 15: Storage Areas38
Table 16: SSP Input-Output Methods38
Table 17: SSP Zeroization Methods39
Table 18: SSP Table 140
Table 19: SSP Table 242
Table 20: Pre-Operational Self-Tests43
Table 21: Conditional Self-Tests61
Table 22: Pre-Operational Periodic Information61
Table 23: Conditional Periodic Information65
Table 24: Error States65
Page 6
List of Figures
ItemPage
Figure 1: Block Diagram2
Page 7
1 General
1.1 Overview

This document is the non-proprietary FIPS 140-3 Security Policy for version 1.10.0-3957adb8de08b15a of the Oracle Linux 9 libgcrypt Cryptographic Module. It contains the security rules under which the module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 1 module. including this notice. Other documentation is proprietary to their authors.

1.1.1 How This Security Policy was Prepared

In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing.

1.2 Security Levels

Section Title Security Level

1 General 1
2 Cryptographic module specification 1
3 Cryptographic module interfaces 1
4 Roles, services, and authentication 1
5 Software/Firmware security 1
6 Operational environment 1
7 Physical security N/A
8 Non-invasive security N/A
9 Sensitive security parameter management 1
10 Self-tests 1
11 Life-cycle assurance 1
12 Mitigation of other attacks 1

Overall Level 1 Table 1: Security Levels Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 8
2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The Oracle Linux 9 libgcrypt Cryptographic Module (hereafter referred to as “the module”) is a Software multi-chip standalone cryptographic module. The module is a software library implementing general purpose cryptographic algorithms. The module provides cryptographic services to applications running in the user space of the underlying operating system through an application program interface (API). Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: Figure 1 shows the cryptographic boundary of the module in orange, its interfaces with the operational environment and the flow of information between the module and operator (depicted through the arrows). The software component of the cryptographic module is listed in the Tested Module Identification

Page 9
2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 10

Operating Hardware Platform System Oracle Linux 9 Nvidia Bluefield-3 (ARM v8.x) SmartNIC Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when so ported if the specific operational environment is not listed on the validation certificate.

2.3 Excluded Components

There are no components within the cryptographic boundary excluded from the FIPS 140-3 requirements.

2.4 Modes of Operation

Modes List and Description: Mode Name Description Type Status Indicator Approved Automatically entered whenever an Approved Equivalent to the indicator of the mode approved service is requested requested service as defined in section 4.3 Non-approved Automatically entered whenever a Non- Equivalent to the indicator of the mode non-approved service is requested Approved requested service as defined in section 4.4 Table 5: Modes List and Description Mode Change Instructions and Status: After passing all pre-operational self-test and cryptographic algorithm self-tests (CASTs) executed on start-up, the module automatically transitions to the approved mode. No operator intervention is required to reach this point. The module automatically switches between the approved and nonapproved modes.

2.5 Algorithms

Approved Algorithms: Algorithm CAVP Properties Reference Cert AES-CBC A4773 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A4774 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A4776 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CBC A4777 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 11

Algorithm CAVP Properties Reference Cert AES-CCM A4773 Key Length - 128, 192, 256 SP 800-38C Tag Length - 112, 128, 32, 48, 64, 80, 96 IV Length - IV Length: 56, 64, 72, 80, 88, 96, 104 Payload Length - Payload Length: 0-256 Increment 8 AAD Length - AAD Length: 0, 256, 65536 AES-CCM A4774 Key Length - 128, 192, 256 SP 800-38C Tag Length - 112, 128, 32, 48, 64, 80, 96 IV Length - IV Length: 56, 64, 72, 80, 88, 96, 104 Payload Length - Payload Length: 0-256 Increment 8 AAD Length - AAD Length: 0-524288 Increment 8, AAD Length: 0, 256, 65536 AES-CCM A4776 Key Length - 128, 192, 256 SP 800-38C Tag Length - 112, 128, 32, 48, 64, 80, 96 IV Length - IV Length: 56, 64, 72, 80, 88, 96, 104 Payload Length - Payload Length: 0-256 Increment 8 AAD Length - AAD Length: 0, 256, 65536 AES-CCM A4777 Key Length - 128, 192, 256 SP 800-38C Tag Length - 112, 128, 32, 48, 64, 80, 96 IV Length - IV Length: 56, 64, 72, 80, 88, 96, 104 Payload Length - Payload Length: 0-256 Increment 8 AAD Length - AAD Length: 0, 256, 65536 AES-CFB128 A4773 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A4774 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A4776 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB128 A4777 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A4773 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A4774 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A4776 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CFB8 A4777 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CMAC A4773 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 MAC Length - MAC Length: 128 Message Length - Message Length: 8-524288 Increment 8 AES-CMAC A4774 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 MAC Length - MAC Length: 128 Message Length - Message Length: 8-524288 Increment 8 AES-CMAC A4776 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 MAC Length - MAC Length: 128 Message Length - Message Length: 8-524288 Increment 8 Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 12

Algorithm CAVP Properties Reference Cert AES-CMAC A4777 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 MAC Length - MAC Length: 128 Message Length - Message Length: 8-524288 Increment 8 AES-CTR A4773 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 Payload Length - Payload Length: 8-128 Increment 8 Supports Counter larger than maximum value - No Incremental Counter - Yes Counter Tests Performed - Yes AES-CTR A4774 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 Payload Length - Payload Length: 8-128 Increment 8 Supports Counter larger than maximum value - No Incremental Counter - Yes Counter Tests Performed - Yes AES-CTR A4776 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 Payload Length - Payload Length: 8-128 Increment 8 Supports Counter larger than maximum value - No Incremental Counter - Yes Counter Tests Performed - Yes AES-CTR A4777 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 Payload Length - Payload Length: 8-128 Increment 8 Supports Counter larger than maximum value - No Incremental Counter - Yes Counter Tests Performed - Yes AES-ECB A4773 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A4774 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A4776 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A4777 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-KW A4773 Direction - Decrypt, Encrypt SP 800-38F Cipher - Cipher Key Length - 128, 192, 256 Payload Length - Payload Length: 128-4096 Increment 128 AES-KW A4774 Direction - Decrypt, Encrypt SP 800-38F Cipher - Cipher Key Length - 128, 192, 256 Payload Length - Payload Length: 128-4096 Increment 128 AES-KW A4776 Direction - Decrypt, Encrypt SP 800-38F Cipher - Cipher Key Length - 128, 192, 256 Payload Length - Payload Length: 128-4096 Increment 128 AES-KW A4777 Direction - Decrypt, Encrypt SP 800-38F Cipher - Cipher Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 13

Algorithm CAVP Properties Reference Cert Key Length - 128, 192, 256 Payload Length - Payload Length: 128-4096 Increment 128 AES-OFB A4773 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-OFB A4774 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-OFB A4776 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-OFB A4777 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-XTS Testing A4773 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 Payload Length - Payload Length: 128-65536 Increment 128 Tweak Mode - Hex Data Unit Length Matches Payload Length - Yes AES-XTS Testing A4774 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 Payload Length - Payload Length: 128-65536 Increment 128, Payload Length: 128-65536 Increment 8 Tweak Mode - Hex Data Unit Length Matches Payload Length - Yes AES-XTS Testing A4776 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 Payload Length - Payload Length: 128-65536 Increment 128 Tweak Mode - Hex Data Unit Length Matches Payload Length - Yes AES-XTS Testing A4777 Direction - Decrypt, Encrypt SP 800-38E Revision 2.0 Key Length - 128, 256 Payload Length - Payload Length: 128-65536 Increment 128 Tweak Mode - Hex Data Unit Length Matches Payload Length - Yes Counter DRBG A4773 Prediction Resistance - No, Yes SP 800-90A Supports Reseed - No Rev. 1 Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - Yes Additional Input - Additional Input: 0 Entropy Input - Entropy Input: 128, Entropy Input: 192, Entropy Input: 256 Nonce - Nonce: 128, Nonce: 64 Personalization String Length - Personalization String Length: 0 Returned Bits - 1024, 512 Counter DRBG A4774 Prediction Resistance - No, Yes SP 800-90A Supports Reseed - No Rev. 1 Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - Yes Additional Input - Additional Input: 0 Entropy Input - Entropy Input: 128, Entropy Input: 192, Entropy Input: 256 Nonce - Nonce: 128, Nonce: 64 Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 14

Algorithm CAVP Properties Reference Cert Personalization String Length - Personalization String Length: 0 Returned Bits - 1024, 512 Counter DRBG A4776 Prediction Resistance - No, Yes SP 800-90A Supports Reseed - No Rev. 1 Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - Yes Additional Input - Additional Input: 0 Entropy Input - Entropy Input: 128, Entropy Input: 192, Entropy Input: 256 Nonce - Nonce: 128, Nonce: 64 Personalization String Length - Personalization String Length: 0 Returned Bits - 1024, 512 Counter DRBG A4777 Prediction Resistance - No, Yes SP 800-90A Supports Reseed - No Rev. 1 Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - Yes Additional Input - Additional Input: 0 Entropy Input - Entropy Input: 128, Entropy Input: 192, Entropy Input: 256 Nonce - Nonce: 128, Nonce: 64 Personalization String Length - Personalization String Length: 0 Returned Bits - 1024, 512 ECDSA KeyGen A4773 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyGen A4774 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyGen A4776 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyGen A4777 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyGen A4778 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Testing Candidates ECDSA KeyVer A4773 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA KeyVer A4774 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA KeyVer A4776 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA KeyVer A4777 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA KeyVer A4778 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) ECDSA SigGen A4773 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 ECDSA SigGen A4774 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 15

Algorithm CAVP Properties Reference Cert SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 ECDSA SigGen A4776 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 ECDSA SigGen A4777 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 ECDSA SigGen A4778 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 ECDSA SigVer A4773 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 ECDSA SigVer A4774 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 ECDSA SigVer A4776 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 ECDSA SigVer A4777 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 ECDSA SigVer A4778 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 Hash DRBG A4773 Prediction Resistance - No, Yes SP 800-90A Supports Reseed - No Rev. 1 Mode - SHA-1, SHA2-256, SHA2-512 Entropy Input - Entropy Input: 160, Entropy Input: 256 Nonce - Nonce: 160, Nonce: 256 Personalization String Length - Personalization String Length: 0, 160, Personalization String Length: 0, 256 Additional Input - Additional Input: 0, 160, Additional Input: 0, Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 16

Algorithm CAVP Properties Reference Cert Returned Bits - 320, 512, 768 Hash DRBG A4774 Prediction Resistance - No, Yes SP 800-90A Supports Reseed - No Rev. 1 Mode - SHA-1, SHA2-256, SHA2-512 Entropy Input - Entropy Input: 160, Entropy Input: 256 Nonce - Nonce: 160, Nonce: 256 Personalization String Length - Personalization String Length: 0, 160, Personalization String Length: 0, 256 Additional Input - Additional Input: 0, 160, Additional Input: 0, Returned Bits - 320, 512, 768 Hash DRBG A4776 Prediction Resistance - No, Yes SP 800-90A Supports Reseed - No Rev. 1 Mode - SHA-1, SHA2-256, SHA2-512 Entropy Input - Entropy Input: 160, Entropy Input: 256 Nonce - Nonce: 160, Nonce: 256 Personalization String Length - Personalization String Length: 0, 160, Personalization String Length: 0, 256 Additional Input - Additional Input: 0, 160, Additional Input: 0, Returned Bits - 320, 512, 768 Hash DRBG A4777 Prediction Resistance - No, Yes SP 800-90A Supports Reseed - No Rev. 1 Mode - SHA-1, SHA2-256, SHA2-512 Entropy Input - Entropy Input: 160, Entropy Input: 256 Nonce - Nonce: 160, Nonce: 256 Personalization String Length - Personalization String Length: 0, 160, Personalization String Length: 0, 256 Additional Input - Additional Input: 0, 160, Additional Input: 0, Returned Bits - 320, 512, 768 Hash DRBG A4778 Prediction Resistance - No, Yes SP 800-90A Supports Reseed - No Rev. 1 Mode - SHA-1, SHA2-256, SHA2-512 Entropy Input - Entropy Input: 160, Entropy Input: 256 Nonce - Nonce: 160, Nonce: 256 Personalization String Length - Personalization String Length: 0, 160, Personalization String Length: 0, 256 Additional Input - Additional Input: 0, 160, Additional Input: 0, Returned Bits - 320, 512, 768 HMAC DRBG A4773 Prediction Resistance - No, Yes SP 800-90A Supports Reseed - No Rev. 1 Mode - SHA-1, SHA2-256, SHA2-512 Entropy Input - Entropy Input: 160, Entropy Input: 256 Nonce - Nonce: 160, Nonce: 256 Personalization String Length - Personalization String Length: 0, 160, Personalization String Length: 0, 256 Additional Input - Additional Input: 0, 160, Additional Input: 0, Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 17

Algorithm CAVP Properties Reference Cert Returned Bits - 320, 512, 768 HMAC DRBG A4774 Prediction Resistance - No, Yes SP 800-90A Supports Reseed - No Rev. 1 Mode - SHA-1, SHA2-256, SHA2-512 Entropy Input - Entropy Input: 160, Entropy Input: 256 Nonce - Nonce: 160, Nonce: 256 Personalization String Length - Personalization String Length: 0, 160, Personalization String Length: 0, 256 Additional Input - Additional Input: 0, 160, Additional Input: 0, Returned Bits - 320, 512, 768 HMAC DRBG A4776 Prediction Resistance - No, Yes SP 800-90A Supports Reseed - No Rev. 1 Mode - SHA-1, SHA2-256, SHA2-512 Entropy Input - Entropy Input: 160, Entropy Input: 256 Nonce - Nonce: 160, Nonce: 256 Personalization String Length - Personalization String Length: 0, 160, Personalization String Length: 0, 256 Additional Input - Additional Input: 0, 160, Additional Input: 0, Returned Bits - 320, 512, 768 HMAC DRBG A4777 Prediction Resistance - No, Yes SP 800-90A Supports Reseed - No Rev. 1 Mode - SHA-1, SHA2-256, SHA2-512 Entropy Input - Entropy Input: 160, Entropy Input: 256 Nonce - Nonce: 160, Nonce: 256 Personalization String Length - Personalization String Length: 0, 160, Personalization String Length: 0, 256 Additional Input - Additional Input: 0, 160, Additional Input: 0, Returned Bits - 320, 512, 768 HMAC DRBG A4778 Prediction Resistance - No, Yes SP 800-90A Supports Reseed - No Rev. 1 Mode - SHA-1, SHA2-256, SHA2-512 Entropy Input - Entropy Input: 160, Entropy Input: 256 Nonce - Nonce: 160, Nonce: 256 Personalization String Length - Personalization String Length: 0, 160, Personalization String Length: 0, 256 Additional Input - Additional Input: 0, 160, Additional Input: 0, Returned Bits - 320, 512, 768 HMAC-SHA-1 A4772 MAC - MAC: 160 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA-1 A4773 MAC - MAC: 160 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA-1 A4774 MAC - MAC: 160 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA-1 A4775 MAC - MAC: 160 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 18

Algorithm CAVP Properties Reference Cert HMAC-SHA-1 A4776 MAC - MAC: 160 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA-1 A4777 MAC - MAC: 160 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA-1 A4778 MAC - MAC: 160 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2-224 A4773 MAC - MAC: 224 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2-224 A4774 MAC - MAC: 224 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2-224 A4776 MAC - MAC: 224 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2-224 A4777 MAC - MAC: 224 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2-224 A4778 MAC - MAC: 224 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2-256 A4773 MAC - MAC: 256 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2-256 A4774 MAC - MAC: 256 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2-256 A4776 MAC - MAC: 256 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2-256 A4777 MAC - MAC: 256 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2-256 A4778 MAC - MAC: 256 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2-384 A4773 MAC - MAC: 384 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2-384 A4774 MAC - MAC: 384 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2-384 A4776 MAC - MAC: 384 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2-384 A4777 MAC - MAC: 384 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2-384 A4778 MAC - MAC: 384 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2-512 A4773 MAC - MAC: 512 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2-512 A4774 MAC - MAC: 512 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2-512 A4776 MAC - MAC: 512 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2-512 A4777 MAC - MAC: 512 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2-512 A4778 MAC - MAC: 512 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2- A4773 MAC - MAC: 224 FIPS 198-1 512/224 Key Length - Key Length: 112-524288 Increment 8 Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 19

Algorithm CAVP Properties Reference Cert HMAC-SHA2- A4774 MAC - MAC: 224 FIPS 198-1 512/224 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2- A4776 MAC - MAC: 224 FIPS 198-1 512/224 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2- A4777 MAC - MAC: 224 FIPS 198-1 512/224 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2- A4778 MAC - MAC: 224 FIPS 198-1 512/224 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2- A4773 MAC - MAC: 256 FIPS 198-1 512/256 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2- A4774 MAC - MAC: 256 FIPS 198-1 512/256 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2- A4776 MAC - MAC: 256 FIPS 198-1 512/256 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2- A4777 MAC - MAC: 256 FIPS 198-1 512/256 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA2- A4778 MAC - MAC: 256 FIPS 198-1 512/256 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA3-224 A4773 MAC - MAC: 224 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA3-224 A4774 MAC - MAC: 224 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA3-224 A4778 MAC - MAC: 224 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA3-256 A4773 MAC - MAC: 256 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA3-256 A4774 MAC - MAC: 256 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA3-256 A4778 MAC - MAC: 256 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA3-384 A4773 MAC - MAC: 384 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA3-384 A4774 MAC - MAC: 384 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA3-384 A4778 MAC - MAC: 384 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA3-512 A4773 MAC - MAC: 512 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA3-512 A4774 MAC - MAC: 512 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 HMAC-SHA3-512 A4778 MAC - MAC: 512 FIPS 198-1 Key Length - Key Length: 112-524288 Increment 8 PBKDF A4773 Iteration Count - Iteration Count: 1000-10000000 Increment 1 SP 800-132 HMAC Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 Password Length - Password Length: 8-128 Increment 1 Salt Length - Salt Length: 128-4096 Increment 8 Key Data Length - Key Data Length: 128-4096 Increment 8 Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 20

Algorithm CAVP Properties Reference Cert PBKDF A4774 Iteration Count - Iteration Count: 1000-10000000 Increment 1 SP 800-132 HMAC Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 Password Length - Password Length: 8-128 Increment 1 Salt Length - Salt Length: 128-4096 Increment 8 Key Data Length - Key Data Length: 128-4096 Increment 8 PBKDF A4776 Iteration Count - Iteration Count: 1000-10000000 Increment 1 SP 800-132 HMAC Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 Password Length - Password Length: 8-128 Increment 1 Salt Length - Salt Length: 128-4096 Increment 8 Key Data Length - Key Data Length: 128-4096 Increment 8 PBKDF A4777 Iteration Count - Iteration Count: 1000-10000000 Increment 1 SP 800-132 HMAC Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 Password Length - Password Length: 8-128 Increment 1 Salt Length - Salt Length: 128-4096 Increment 8 Key Data Length - Key Data Length: 128-4096 Increment 8 PBKDF A4778 Iteration Count - Iteration Count: 1000-10000000 Increment 1 SP 800-132 HMAC Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 Password Length - Password Length: 8-128 Increment 1 Salt Length - Salt Length: 128-4096 Increment 8 Key Data Length - Key Data Length: 128-4096 Increment 8 RSA KeyGen A4773 Key Generation Mode - B.3.3 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Info Generated By Server - No Public Exponent Mode - Random Private Key Format - Standard RSA KeyGen A4774 Key Generation Mode - B.3.3 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Info Generated By Server - No Public Exponent Mode - Random Private Key Format - Standard RSA KeyGen A4776 Key Generation Mode - B.3.3 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Info Generated By Server - No Public Exponent Mode - Random Private Key Format - Standard RSA KeyGen A4777 Key Generation Mode - B.3.3 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Info Generated By Server - No Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 21

Algorithm CAVP Properties Reference Cert Public Exponent Mode - Random Private Key Format - Standard RSA KeyGen A4778 Key Generation Mode - B.3.3 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Info Generated By Server - No Public Exponent Mode - Random Private Key Format - Standard RSA SigGen A4773 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Hash Pair Hash Algorithm - SHA2-224 RSA SigGen A4774 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Hash Pair Hash Algorithm - SHA2-224 RSA SigGen A4776 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Hash Pair Hash Algorithm - SHA2-224 RSA SigGen A4777 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Hash Pair Hash Algorithm - SHA2-224 RSA SigGen A4778 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Hash Pair Hash Algorithm - SHA2-224 RSA SigVer A4773 Public Exponent Mode - Fixed FIPS 186-4 (FIPS186-2) Fixed Public Exponent - 010001 Signature Type - PKCS 1.5, PKCSPSS Modulo - 1024, 1536 Hash Pair Hash Algorithm - SHA2-224 Salt Length - 28 RSA SigVer A4774 Public Exponent Mode - Fixed FIPS 186-4 (FIPS186-2) Fixed Public Exponent - 010001 Signature Type - PKCS 1.5, PKCSPSS Modulo - 1024, 1536 Hash Pair Hash Algorithm - SHA2-224 Salt Length - 28 RSA SigVer A4776 Public Exponent Mode - Fixed FIPS 186-4 (FIPS186-2) Fixed Public Exponent - 010001 Signature Type - PKCS 1.5, PKCSPSS Modulo - 1024, 1536 Hash Pair Hash Algorithm - SHA2-224 Salt Length - 28 Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 22

Algorithm CAVP Properties Reference Cert RSA SigVer A4777 Public Exponent Mode - Fixed FIPS 186-4 (FIPS186-2) Fixed Public Exponent - 010001 Signature Type - PKCS 1.5, PKCSPSS Modulo - 1024, 1536 Hash Pair Hash Algorithm - SHA2-224 Salt Length - 28 RSA SigVer A4778 Public Exponent Mode - Fixed FIPS 186-4 (FIPS186-2) Fixed Public Exponent - 010001 Signature Type - PKCS 1.5, PKCSPSS Modulo - 1024, 1536 Hash Pair Hash Algorithm - SHA2-224 Salt Length - 28 RSA SigVer A4773 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Hash Pair Hash Algorithm - SHA2-224 Salt Length - 28 Public Exponent Mode - Fixed Fixed Public Exponent - 010001 RSA SigVer A4774 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Hash Pair Hash Algorithm - SHA2-224 Salt Length - 28 Public Exponent Mode - Fixed Fixed Public Exponent - 010001 RSA SigVer A4776 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Hash Pair Hash Algorithm - SHA2-224 Salt Length - 28 Public Exponent Mode - Fixed Fixed Public Exponent - 010001 RSA SigVer A4777 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Hash Pair Hash Algorithm - SHA2-224 Salt Length - 28 Public Exponent Mode - Fixed Fixed Public Exponent - 010001 RSA SigVer A4778 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Hash Pair Hash Algorithm - SHA2-224 Salt Length - 28 Public Exponent Mode - Fixed Fixed Public Exponent - 010001 Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 23

Algorithm CAVP Properties Reference Cert SHA-1 A4772 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA-1 A4773 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA-1 A4774 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA-1 A4775 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA-1 A4776 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA-1 A4777 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA-1 A4778 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A4773 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A4774 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A4776 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A4777 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-224 A4778 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A4773 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A4774 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A4776 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A4777 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-256 A4778 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A4773 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A4774 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A4776 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A4777 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-384 A4778 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A4773 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A4774 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 24

Algorithm CAVP Properties Reference Cert SHA2-512 A4776 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A4777 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512 A4778 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/224 A4773 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/224 A4774 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/224 A4776 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/224 A4777 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/224 A4778 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/256 A4773 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/256 A4774 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/256 A4776 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/256 A4777 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA2-512/256 A4778 Message Length - Message Length: 0-65536 Increment 8 FIPS 180-4 Large Message Sizes - 1, 2, 4, 8 SHA3-224 A4773 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-224 A4774 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-224 A4778 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-256 A4773 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-256 A4774 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-256 A4778 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-384 A4773 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-384 A4774 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-384 A4778 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-512 A4773 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHA3-512 A4774 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 25

Algorithm CAVP Properties Reference Cert SHA3-512 A4778 Message Length - Message Length: 0-65536 Increment 8 FIPS 202 Large Message Sizes - 1, 2, 4, 8 SHAKE-128 A4773 Supports Bit-Oriented Messages - No FIPS 202 Supports Empty Message - Yes Supports Bit-Oriented Output - No Output Length - Output Length: 16-65536 Increment 8 SHAKE-128 A4774 Supports Bit-Oriented Messages - No FIPS 202 Supports Empty Message - Yes Supports Bit-Oriented Output - No Output Length - Output Length: 16-65536 Increment 8 SHAKE-128 A4778 Supports Bit-Oriented Messages - No FIPS 202 Supports Empty Message - Yes Supports Bit-Oriented Output - No Output Length - Output Length: 16-65536 Increment 8 SHAKE-256 A4773 Supports Bit-Oriented Messages - No FIPS 202 Supports Empty Message - Yes Supports Bit-Oriented Output - No Output Length - Output Length: 16-65536 Increment 8 SHAKE-256 A4774 Supports Bit-Oriented Messages - No FIPS 202 Supports Empty Message - Yes Supports Bit-Oriented Output - No Output Length - Output Length: 16-65536 Increment 8 SHAKE-256 A4778 Supports Bit-Oriented Messages - No FIPS 202 Supports Empty Message - Yes Supports Bit-Oriented Output - No Output Length - Output Length: 16-65536 Increment 8 Table 6: Approved Algorithms Vendor-Affirmed Algorithms: Name Properties Implementation Reference CKG RSA:2048, 3072, 4096 (112, 128, Oracle Linux 9 libgcrypt Cryptographic FIPS 186-4, SP 800-

149 bits) Module (Full Acceleration) 133rev2 Section 5.1

ECDSA:P-224, P-256, P-384, P-512 (112, 128, 192, 256 bits) CKG RSA:2048, 3072, 4096 (112, 128, Oracle Linux 9 libgcrypt Cryptographic FIPS 186-4, SP 800-

149 bits) Module (No Acceleration) 133rev2 Section 5.1

ECDSA:P-224, P-256, P-384, P-512 (112, 128, 192, 256 bits) CKG RSA:2048, 3072, 4096 (112, 128, Oracle Linux 9 libgcrypt Cryptographic FIPS 186-4, SP 800-

149 bits) Module (AESNI AVX) 133rev2 Section 5.1

ECDSA:P-224, P-256, P-384. P-521 (112, 128, 192, 256 bits) CKG RSA:2048, 3072, 4096 (112, 128, Oracle Linux 9 libgcrypt Cryptographic FIPS 186-4, SP 800-

149 bits) Module (SHLD) 133rev2 Section 5.1

ECDSA:P-224, P-256, P-384, P-521 (112, 128, 192, 256 bits) CKG RSA:2048, 3072, 4096 (112, 128, Oracle Linux 9 libgcrypt Cryptographic FIPS 186-4, SP 800-

149 bits) Module (SSSE3) 133rev2 Section 5.1

Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 26

Name Properties Implementation Reference ECDSA:P-224, P-256, P-384, P-521 (112, 128, 192, 256 bits) Table 7: Vendor-Affirmed Algorithms Non-Approved, Not Allowed Algorithms: Name Use and Function MD5 Message digest ECDH noncompliant with SP 800-56Arev3 Shared secret computation assurances AES GCM noncompliant with IG C.H. Authenticated symmetric encryption, Authenticated symmetric decryption AES GCM-SIV Authenticated symmetric encryption, Authenticated symmetric decryption AES OCB Authenticated symmetric encryption, Authenticated symmetric decryption AES-EAX Authenticated symmetric encryption, Authenticated symmetric decryption RSA Signature generation primitive; Signature verification primitive; Encryption primitive; Decryption primitive RSA with non-approved flags that are not Key generation; Signature generation; Signature verification listed in Appendix A ECDSA Signature generation primitives, Signature verification primitives ECDSA with non-approved flags that are Key generation; Key verification; Signature generation; Signature not listed in Appendix A verification Table 8: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

Name Type Description Properties Algorithms Key wrapping using KTS-Wrap Key wrapping using Key:128, 192, 256-bit AES-CCM: (A4773, AES CCM AES CCM keys with 128, 192, A4774, A4776,

256 bits of key A4777)

strength, respectively Key unwrapping KTS-Wrap Key unwrapping Key:128, 192, 256-bit AES-CCM: (A4773, using AES CCM using AES CCM keys with 128, 192, A4774, A4776,

256 bits of key A4777)

strength, respectively Key wrapping using KTS-Wrap Key wrapping using Key:128, 192, 256-bit AES-KW: (A4773, AES KW AES KW keys with 128, 192, A4774, A4776,

256 bits of key A4777)

strength, respectively Key unwrapping KTS-Wrap Key unwrapping Key:128, 192, 256-bit AES-KW: (A4773, using AES KW using AES KW keys with 128, 192, A4774, A4776,

256 bits of key A4777)

strength, respectively Encryption with BC-UnAuth Encryption using Keys:128, 192, 256-bit AES-CBC: (A4773, AES AES keys with 128, 192, A4774, A4776,

256 bits of key A4777)

strength, respectively AES-CFB128: (A4773, A4774, Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 27

Name Type Description Properties Algorithms A4776, A4777) AES-CFB8: (A4773, A4774, A4776, A4777) AES-CTR: (A4773, A4774, A4776, A4777) AES-ECB: (A4773, A4774, A4776, A4777) AES-OFB: (A4773, A4774, A4776, A4777) AES-XTS Testing Revision 2.0: (A4773, A4774, A4776, A4777) Authenticated BC-Auth Authenticated Keys:128, 192, 256-bit AES-CCM: (A4773, encryption with encryption using keys with 128, 192, A4774, A4776, AES AES 256 bits of key A4777) strength, respectively AES-KW: (A4773, A4774, A4776, A4777) Decryption with BC-UnAuth Decryption using Keys:128, 192, 256-bit AES-CBC: (A4773, AES AES keys with 128, 192, A4774, A4776,

256 bits of key A4777)

strength, respectively AES-CFB128: (A4773, A4774, A4776, A4777) AES-CFB8: (A4773, A4774, A4776, A4777) AES-CTR: (A4773, A4774, A4776, A4777) AES-ECB: (A4773, A4774, A4776, A4777) AES-OFB: (A4773, A4774, A4776, A4777) AES-XTS Testing Revision 2.0: (A4773, A4774, A4776, A4777) Authenticated BC-Auth Authenticated Keys:128, 192, 256-bit AES-CCM: (A4773, decryption with decryption using keys with 128, 192, A4774, A4776, AES AES 256 bits of key A4777) strength, respectively AES-KW: (A4773, A4774, A4776, A4777) Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 28

Name Type Description Properties Algorithms Key Pair CKG Key pair generation Mode:B.3.3 Random RSA KeyGen Generation with for RSA Probable Primes (FIPS186-4): RSA Modulus:2048, 3072, (A4773, A4774,

4096 bits (112, 128, A4776, A4777,
149 bits) A4778)

Key Pair CKG Key pair generation Mode:B.4.2 Testing ECDSA KeyGen Generation with for ECDSA Candidates (FIPS186-4): ECDSA Curves:P-224, P-256, (A4773, A4774, P-384, P-521 (112, A4776, A4777, 128, 192, 256 bits) A4778) Public Key AsymKeyPair- Verify public key Curves:P-224, P-256, ECDSA KeyVer Verification with KeyVer for ECDSA P-384, P-521 (112, (FIPS186-4): ECDSA 128, 192, 256 bits) (A4773, A4774, A4776, A4777, A4778) Signature DigSig-SigGen Digital signature Padding:PKCS#1 v1.5, RSA SigGen Generation with generation using PSS (FIPS186-4): RSA RSA Keys:2048, 3072, 4096 (A4773, A4774, bits (112, 128, 149 A4776, A4777, bits) A4778) Hashes:SHA-224, SHA256, SHA-384, SHA512, SHA-512/224, SHA-512/256 Signature DigSig-SigVer Digital signature Padding:PKCS#1 v1.5, RSA SigVer Verification with verification using PSS (FIPS186-4): RSA RSA Keys:1024, 1536, (A4773, A4774, 2048, 3072, 4096 bits A4776, A4777, (80, 96, 112, 128, 149 A4778) bits) RSA SigVer Hashes:SHA-224, SHA- (FIPS186-2): 256, SHA-384, SHA- (A4773, A4774, 512, SHA-512/224, A4776, A4777, SHA-512/256 A4778) Signature DigSig-SigGen Digital signature Curves:P-224, P-256, ECDSA SigGen Generation with generation using P-384, P-521 (112, (FIPS186-4): ECDSA ECDSA 128, 192, 256 bits) (A4773, A4774, Hashes:SHA-224, SHA- A4776, A4777, 256, SHA-384, SHA- A4778) 512, SHA-512/224, SHA-512/256, SHA3224, SHA3-256, SHA3384, SHA3-512 Signature DigSig-SigVer Digital signature Curves:P-224, P-256, ECDSA SigVer Verification with verification using P-384, P-521 (112, (FIPS186-4): ECDSA ECDSA 128, 192, 256 bits) (A4773, A4774, Hashes:SHA-224, SHA- A4776, A4777, 256, SHA-384, SHA- A4778) 512, SHA-512/224, SHA-512/256, SHA3Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 29

Name Type Description Properties Algorithms 224, SHA3-256, SHA3384, SHA3-512 Hashes SHA Compute a SHA-1: (A4772, message digest A4773, A4774, using Secure Hash A4775, A4776, Algorithms A4777, A4778) SHA2-224: (A4773, A4774, A4776, A4777, A4778) SHA2-256: (A4773, A4774, A4776, A4777, A4778) SHA2-384: (A4773, A4774, A4776, A4777, A4778) SHA2-512: (A4773, A4774, A4776, A4777, A4778) SHA2-512/224: (A4773, A4774, A4776, A4777, A4778) SHA2-512/256: (A4773, A4774, A4776, A4777, A4778) SHA3-224: (A4773, A4774, A4778) SHA3-256: (A4773, A4774, A4778) SHA3-384: (A4773, A4774, A4778) SHA3-512: (A4773, A4774, A4778) Extendable Output XOF Compute message SHAKE-128: Function digest from XOFs (A4773, A4774, A4778) SHAKE-256: (A4773, A4774, A4778) Message MAC Compute MAC tags Keys:112-256 bits AES-CMAC: (A4773, Authentication using AES-based A4774, A4776, Code CMAC or HMAC A4777) HMAC-SHA-1: (A4772, A4773, A4774, A4775, A4776, A4777, A4778) HMAC-SHA2-224: (A4773, A4774, A4776, A4777, Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 30

Name Type Description Properties Algorithms A4778) HMAC-SHA2-256: (A4773, A4774, A4776, A4777, A4778) HMAC-SHA2-384: (A4773, A4774, A4776, A4777, A4778) HMAC-SHA2-512: (A4773, A4774, A4776, A4777, A4778) HMAC-SHA2512/224: (A4773, A4774, A4776, A4777, A4778) HMAC-SHA2512/256: (A4773, A4774, A4776, A4777, A4778) HMAC-SHA3-224: (A4773, A4774, A4778) HMAC-SHA3-256: (A4773, A4774, A4778) HMAC-SHA3-384: (A4773, A4774, A4778) HMAC-SHA3-512: (A4773, A4774, A4778) Random Number DRBG Random number Compliance:Compliant Counter DRBG: Generation with generation using with SP800-90Arev1 (A4773, A4774, DRBG DRBG A4776, A4777) Hash DRBG: (A4773, A4774, A4776, A4777, A4778) HMAC DRBG: (A4773, A4774, A4776, A4777, A4778) Key Derivation with PBKDF Key derivation Derived keys:112-256 PBKDF: (A4773, PBKDF using PBKDF bits A4774, A4776, HMAC modes:SHA-1, A4777, A4778) SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2512/256, SHA3-224, Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 31

Name Type Description Properties Algorithms SHA3-256, SHA3-384, SHA3-512 Table 9: Security Function Implementations

2.7 Algorithm Specific Information
2.7.1 AES XTS

The length of a single data unit encrypted or decrypted with AES XTS shall not exceed 220 AES blocks, that is 16MB, of data per XTS instance. An XTS instance is defined in Section 4 of SP 800-38E. To meet the requirement stated in IG C.I, the module implements a check to ensure that the two AES keys used in AES XTS mode are not identical. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit.

2.7.2 Key Derivation using SP 800-132 PBKDF

The module provides password-based key derivation (PBKDF), compliant with SP 800-132. The module supports option 1a from Section 5.4 of SP 800-132, in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance with SP 800-132 and FIPS 140-3 IG D.N, the following requirements shall be met.

2.8 RBG and Entropy

Cert Vendor Name Number E99 Oracle Corporation Table 10: Entropy Certificates N/A for this module. Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 32

The module provides an SP 800-90Arev1-compliant Deterministic Random Bit Generator (DRBG) for creation of key components of asymmetric keys, and random number generation. This entropy source is located within the module’s physical perimeter, but outside of the module’s cryptographic boundary. The module obtains 384 bits to seed the DRBG, and 256 bits to reseed it. The seeding (and automatic reseeding) of the DRBG is done with getrandom(). The DRBG supports the Hash_DRBG, HMAC_DRBG, and CTR_DRBG mechanisms. The DRBG is initialized during module initialization; the module loads by default the DRBG and using the HMAC_DRBG mechanism with SHA-256 and without prediction resistance. A different DRBG mechanism can be chosen by invoking the gcry_control(GCRYCTL_DRBG_REINIT) function. The module performs the DRBG health tests as defined in Section 11.3 of SP 800-90Arev1.

2.9 Key Generation

The module provides an SP 800-90Arev1-compliant DRBG for the creation of the key components of asymmetric keys, and random number generation. The Cryptographic Key Generation (CKG) methods implemented in the module for Approved Services in the approved mode are compliant with Section 5.1 of SP 800-133rev2. For generating RSA and ECDSA keys, the module implements asymmetric key generation services compliant with FIPS 186-4. A seed (i.e. the random value) used in asymmetric key generation is directly obtained from the SP 800-90Arev1 DRBG. Additionally, according to section 6.2 of SP 800-133rev2, the module implements the PBKDF2 key derivation method compliant with option 1a of SP 800-132. This implementation shall only be used to derive keys for use in storage applications.

2.10 Key Establishment

As permitted by IG D.G, the module provides key transport either by using an approved authenticated encryption mode or by a combination of any approved symmetric encryption mode and an approved authentication method. The SSP transport methods are specified in the Security Function Implementations table.

2.11 Industry Protocols

The module does not support any industry protocols listed within the publication of SP 800-135rev1. Therefore, this section is not applicable. Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 33
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Physical Logical Data That Passes Port Interface(s) N/A Data Input API input parameters for data N/A Data Output API output parameters for data N/A Control Input API function calls, API input parameters for control input N/A Status Output API return codes, API output parameters for status output Table 11: Ports and Interfaces The logical interfaces are the APIs through which the applications request services. These logical interfaces are logically separated from each other by the API design. The module does not implement a control output interface. Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 34
4 Roles, Services, and Authentication
4.2 Roles

Name Type Operator Type Authentication Methods Crypto Officer Role CO None Table 12: Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module. The module does not support multiple concurrent operators.

4.3 Approved Services

Name Descripti Indicator Inputs Outputs Security SSP Access on Functions Symmetric Perform gcry_control() returns AES key, Cipherte Encryption Crypto encryption AES 0 Plaintext xt with AES Officer encryptio - AES key: n W,E Symmetric Perform gcry_control() returns AES key, Plaintext Decryption Crypto decryption AES 0 Ciphertext with AES Officer decryptio - AES key: n W,E Authentica Authentic gcry_control() returns AES key, Cipherte Authentica Crypto ted ate and 0 Plaintext, IV xt, MAC ted Officer symmetric encrypt a tag encryption - AES key: encryption plaintext with AES W,E using AES Authentica Authentic gcry_control() returns AES key, Plaintext Authentica Crypto ted ate and 0 Ciphertext, MAC ted Officer symmetric decrypt a tag decryption - AES key: decryption plaintext with AES W,E using AES RSA Key Generate gcry_control() returns Key size RSA Key Pair Crypto generation RSA key 0 public Generation Officer pairs key, RSA with RSA - RSA public private key: G,R key - RSA private key: G,R ECDSA Key Generate gcry_control() returns Key size ECDSA Key Pair Crypto generation ECDSA 0 public Generation Officer key pairs key, with ECDSA - ECDSA ECDSA public key: private G,R key - ECDSA private key: G,R RSA Digital RSA gcry_control() returns RSA private key, Signatur Signature Crypto signature signature 0 Message, Hash e Generation Officer generation generatio algorithm with RSA - RSA private n key: W,E Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 35

Name Descripti Indicator Inputs Outputs Security SSP Access on Functions ECDSA ECDSA gcry_control() returns ECDSA private Signatur Signature Crypto Digital signature 0 Key, Message, e Generation Officer signature generatio Hash algorithm with ECDSA - ECDSA generation n private key: W,E RSA Digital RSA gcry_control() returns Signature, Hash Signatur Signature Crypto signature signature 0 algorithm, RSA e Verification Officer verification verificatio public key verificati with RSA - RSA public n on result key: W,E ECDSA ECDSA gcry_control() returns Signature, Hash Signatur Signature Crypto Digital signature 0 algorithm, ECDSA e Verification Officer signature verificatio public key verificati with ECDSA - ECDSA verification n on result public key: W,E Public key Verify gcry_mpi_ec_curve_p ECDSA public Return Public Key Crypto verification ECDSA oint() returns 0 key, ECDSA codes/lo Verification Officer public key private key g with ECDSA - ECDSA message public key: s W,E Random Generate gcry_randomize(), Size Random Random Crypto number random gcry_random_bytes(), number Number Officer generation bitstrings gcry_random_bytes_s Generation - Entropy ecure() returns 0 with DRBG input: W,E - DRBG seed: G,E - DRBG internal state: (V value, C value): G,W,E - DRBG internal state: (V value, key): G,W,E Message Compute gcry_control() returns Message Message Hashes Crypto digest SHA 0 digest Extendable Officer hashes Output Function Message Compute gcry_control() returns Message, Key MAC tag Message Crypto authenticat HMAC or 0 Authentica Officer ion code AES- tion Code - HMAC key: (MAC) based W,E CMAC - AES key: W,E Key Perform gcry_control() returns Key wrapping Wrappe Key Crypto wrapping AES- 0 key, key to be d key wrapping Officer based key wrapped using AES - AES key: wrapping CCM W,E Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 36

Name Descripti Indicator Inputs Outputs Security SSP Access on Functions Key wrapping using AES KW Key Perform gcry_control() returns Wrapped key, Unwrap Key Crypto unwrappin AES- 0 key unwrapping ped key unwrappin Officer g based key key g using AES - AES key: unwrappi CCM W,E ng Key unwrappin g using AES KW Key Perform gcry_control() returns Password/passph Derived Key Crypto derivation key 0 rase; Derived key key Derivation Officer derivatio with PBKDF - Password n or passphrase: W,E - Derived key: G,R Show Show N/A None Current None Crypto status module status of Officer status the module Zeroization Zeroize N/A N/A N/A None Crypto SSPs Officer - AES key: Z - HMAC key: Z - Password or passphrase: Z - Derived key: Z - Entropy input: Z - DRBG internal state: (V value, key): Z - DRBG internal state: (V value, C value): Z - DRBG seed: Z - ECDSA public key: Z Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 37

Name Descripti Indicator Inputs Outputs Security SSP Access on Functions - ECDSA private key: Z - RSA public key: Z - RSA private key: Z Self-tests Perform N/A Booting the N/A None Unauthentic self-tests module ated Show Show N/A N/A Display None Unauthentic module module module ated name and name and name version version and version Table 13: Approved Services For all approved services, GPG_ERR_NO_ERROR (i.e., “0”) return code indicates the service is approved. In case the above-mentioned controls are used in conjunction, the operator is responsible to check that all the called functions return GPG_ERR_NO_ERROR (i.e., “0”). For all non-approved services, a "nonzero" return code indicates the service is not approved. The table above lists the approved services. For each service, the table lists the associated cryptographic algorithm(s), the role to perform the service, the cryptographic keys or CSPs involved, and their access type(s). The following convention is used to specify access rights to SSPs: • Generate (G): The module generates or derives the SSP. • Read (R): The SSP is read from the module (e.g. the SSP is output). • Write (W): The SSP is updated, imported, or written to the module. • Execute (E): The module uses the SSP in performing a cryptographic operation. • Zeroize (Z): The module zeroizes the SSP. • N/A: the calling application does not access any CSP or key during its operation. The details of the approved cryptographic algorithms including the CAVP certificate numbers can be found in Section 2.5. In order to check whether it utilizes an approved security function or not, the operator is responsible to invoke the gcry_control() API along with dedicated controls in the form of API input parameters. The module implements the following controls depending on the requested service:

  1. GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER - For symmetric algorithms and the related modes.
  2. GCRYCTL_FIPS_SERVICE_INDICATOR_KDF - For KDF operations.
  3. GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS - For asymmetric operations. 1
  4. GCRYCTL_FIPS_SERVICE_INDICATOR_MD - For digest operations.
  5. GCRYCTL_FIPS_SERVICE_INDICATOR_MAC - For MAC operations. The list of public key flags allowed in approved mode of operation is described in Section 4.4. Oracle Linux 9 libgcrypt Cryptographic Module Security Policy
Page 38

In addition to that, for the below-mentioned services, the approved service indicator corresponds to the GPG_ERR_NO_ERROR returned from listed functions in the indicator column below. They don’t use gcry_control() API:

  1. Random number generation service: gcry_randomize(), gcry_random_bytes(), gcry_random_bytes_secure().
  2. Public key validation service: gcry_mpi_ec_curve_point().
4.4 Non-Approved Services

Name Description Algorithms Role Authenticated symmetric AES encryption using non-approved AES GCM noncompliant with CO encryption AES modes IG C.H. AES GCM-SIV AES OCB AES-EAX Authenticated symmetric AES decryption using non-approved AES GCM noncompliant with CO decryption AES modes IG C.H. AES GCM-SIV AES OCB AES-EAX Message digest using non- Message digest MD5 CO approved algorithms Shared secret computation ECDH Shared secret computation ECDH noncompliant with SP CO 800-56Arev3 assurances Key generation Generate RSA/ECDSA key pairs with RSA with non-approved flags CO public key flags not listed in Appendix A that are not listed in Appendix A ECDSA with non-approved flags that are not listed in Appendix A Digital signature generation RSA/ECDSA signature generation with RSA with non-approved flags CO public key flags not listed in Appendix A that are not listed in Appendix A ECDSA with non-approved flags that are not listed in Appendix A Digital signature verification RSA/ECDSA signature verification with RSA with non-approved flags CO public key flags not listed in Appendix A that are not listed in Appendix A ECDSA with non-approved flags that are not listed in Appendix A Asymmetric encryption and RSA encryption and decryption RSA CO decryption primitives primitives Signature RSA/ECDSA signature RSA CO generation/verification generation/verification primitives ECDSA primitives Table 14: Non-Approved Services The table above lists the non-approved services. The details of the non-approved cryptographic algorithms available in non-approved mode can be found in Section 2.5. For the services listed above, Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 39

the module implements an additional service indicator in the form of a control named GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION. The operator is responsible to invoke the gcry_control() API along with the following input parameters: GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION control; the name of the API 2 representing the service. The list of APIs is supported by the module can be found in the documentation included in the optional libgcryptdevel package. Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 40
5 Software/Firmware Security
5.1 Integrity Techniques

The integrity of the module is verified by comparing a HMAC SHA-256 values calculated at run time with the HMAC SHA-256 value embedded within the module binary. If the HMAC values do not match, the test fails, and the module enters the Error state.

5.2 Initiate on Demand

The integrity test is performed as part of the pre-operational self-test, which is executed when the module is initialized. In addition, the module provides the Self-Test service to perform self-tests on demand which includes the pre-operational test (i.e., integrity test) and cryptographic algorithm self-tests (CASTs). This service can be invoked relying on the gcry_control(GCRYCTL_SELFTEST) API function call or by powering-off and reloading the module. During the execution of the on-demand self-tests, services are not available, and data output or input is not possible. In order to verify whether the self-tests have succeeded and the module is in the Operational state, the calling application may invoke the gcry_control(GCRYTCL_OPERATIONAL_P) API. The function will return TRUE if the module is in the Operational state and FALSE if the module is in the Error state. Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 41
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied: The module shall be installed as stated in Section 11. If properly installed, the operating system provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data, and uncontrolled access to the data of other processes is prevented.

6.2 Configuration Settings and Restrictions

The module shall be installed as stated in Section 11.1. Instrumentation tools like the ptrace system call, gdb and strace, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a nonvalidated operational environment. Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 42
7 Physical Security

The module is comprised of software only, and therefore this section is not applicable. Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 43
8 Non-Invasive Security

This module does not implement any non-invasive security mechanism, and therefore this section is not applicable. Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 44
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Description Persistence Area Type Name RAM Temporary storage for SSPs used by the module as part of service execution Dynamic Table 15: Storage Areas The module does not perform persistent storage of SSPs. The SSPs are temporarily stored in the RAM in plaintext form. SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls.

9.2 SSP Input-Output Methods

Name From To Format Distribution Entry SFI or Type Type Type Algorithm API input Operating calling Cryptographic Plaintext Manual Electronic parameters application (TOEPP) module API output Cryptographic Operator calling Plaintext Manual Electronic parameters module application (TOEPP) Table 16: SSP Input-Output Methods The module does not support manual SSP input or intermediate SSP generation output. The SSPs are provided to the module via API input parameters in plaintext form and output via API output parameters in plaintext form within the physical perimeter of the operational environment. This is allowed by FIPS 140-3 IG 9.5.A, according to the “CM Software to/from App via TOEPP Path” entry in the table above.

9.3 SSP Zeroization Methods

Zeroization Description Rationale Operator Initiation Method Free cipher Zeroizes the Memory occupied by By calling the appropriate zeroization functions: AES handle SSPs SSPs is overwritten key: gcry_cipher_close gcry_free() HMAC key: contained with zeroes, which gcry_mac_close, gcry_free Key-derivation key: within the renders the SSP gcry_free Derived key: gcry_free RSA keys: provided values irretrievable. gcry_mpi_release, gcry_sexp_release, gcry_free EC cipher handle The completion of a keys: gcry_mpi_release, gcry_free, zeroization routine gcry_mpi_point_release, gcry_sexp_release, will indicate that a gcry_ctx_release Entropy input: zeroization procedure gcry_ctrl(GCRYCTL_TERM_SECMEM) Internal state: succeeded. gcry_ctrl(GCRYCTL_TERM_SECMEM) Remove De-allocates Volatile memory used By unloading the module power from the volatile by the module is the module memory used overwritten within to store SSPs nanoseconds when power is removed. Module power off indicates that the Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 45

Zeroization Description Rationale Operator Initiation Method zeroization procedure succeeded. Table 17: SSP Zeroization Methods All data output is inhibited during zeroization.

9.4 SSPs

Name Description Size - Strength Type - Generated Established Used By Category By By AES key AES key used XTS: 256, 512 Symmetric key Key wrapping for bits; Other - CSP using AES CCM encryption, modes: 128, Key wrapping decryption, 192, 256 bits - using AES KW and XTS: 128, 256 Key computing bits; Other unwrapping MAC tags modes: 128, using AES CCM 192, 256 bits Key unwrapping using AES KW Encryption with AES Decryption with AES HMAC key HMAC key 112-256 bits - Authentication Message 112-256 bits key - CSP Authentication Code Password PBKDF2 At least 8 Password or Key Derivation or password or characters - N/A passphrase - with PBKDF passphrase passphrase CSP Derived PBKDF2 112-256 bits - Symmetric key Key Key Derivation key derived key 112-256 bits - CSP Derivation with PBKDF with PBKDF Entropy Obtained 128-448 bits Entropy input - Random input from the (128-256 bits) - CSP Number entropy 256 bits Generation source, used with DRBG to seed the DRBGs DRBG Internal state CTR_DRBG: 256, Internal state - Random Random internal of CTR_DRBG 320, 384 bits; CSP Number Number state: (V and HMAC_DRBG: Generation Generation value, key) HMAC_DRBG 320, 512, 1024 with DRBG with DRBG bits CTR_DRBG: 128, 192, 256 bits; HMAC_DRBG: 128, 256 bits Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 46

Name Description Size - Strength Type - Generated Established Used By Category By By DRBG Internal state 880, 1776 bits - Internal state - Random Random internal of 128, 256 bits CSP Number Number state: (V Hash_DRBG Generation Generation value, C with DRBG with DRBG value) DRBG seed DRBG seed CTR_DRBG: 256, Seed - CSP Random Random derived from 320, 384 bits; Number Number entropy input Hash_DRBG: Generation Generation 440, 888 bits; with DRBG with DRBG HMAC_DRBG: 440, 888 bits CTR_DRBG: 128, 192, 256 bits; Hash_DRBG: 128, 256 bits; HMAC_DRBG: 128, 256 bits ECDSA Public key P-224, P-256, P- Public key - Key Pair Key Pair public key used for 384, P-521 - PSP Generation Generation ECDSA 112, 128, 192, with ECDSA with ECDSA signature 256 bits Public Key verification Verification with ECDSA Signature Verification with ECDSA ECDSA Private key P-224, P-256, P- Private key - Key Pair Key Pair private key used for 384, P-521 - CSP Generation Generation ECDSA 112, 128, 192, with ECDSA with ECDSA signature 256 bits Public Key generation Verification with ECDSA Signature Generation with ECDSA RSA public Public key 1024, 1536, Public key - Key Pair Key Pair key used for RSA 2048, 3072, PSP Generation Generation signature 4096 bits - 80, with RSA with RSA verification 96, 112, 128, Signature

140 bits Verification

with RSA RSA private Private key 2048, 3072, Private key - Key Pair Key Pair key used for RSA 4096 bits - 112, CSP Generation Generation signature 128, 140 bits with RSA with RSA generation Signature Generation with RSA Table 18: SSP Table 1 Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 47

Name Input - Storage Storage Zeroization Related SSPs Output Duration AES key API input RAM:Plaintext From service Free cipher parameters invoked to handle service Remove completed power from the module HMAC key API input RAM:Plaintext From service Free cipher parameters invoked to handle service Remove completed power from the module Password or API output RAM:Plaintext From service Free cipher Derived key:Generates passphrase parameters invoked to handle service Remove completed power from the module Derived key API input RAM:Plaintext From service Free cipher Password or parameters invoked to handle passphrase:Derived service Remove From completed power from the module Entropy input RAM:Plaintext From service Free cipher DRBG internal state: (V invoked to handle value, key):Generates service Remove DRBG internal state: (V completed power from value, C the module value):Generates DRBG seed:Generates DRBG internal RAM:Plaintext From service Free cipher Entropy input:Derived state: (V value, invoked to handle From key) service Remove DRBG seed:Derived completed power from From the module DRBG internal RAM:Plaintext From service Free cipher Entropy input:Derived state: (V value, invoked to handle From C value) service Remove DRBG seed:Derived completed power from From the module DRBG seed RAM:Plaintext Free cipher Entropy input:Derived handle From Remove DRBG internal state: (V power from value, key):Generates the module DRBG internal state: (V value, C value):Generates ECDSA public API input RAM:Plaintext From service Free cipher DRBG internal state: (V key parameters invoked to handle value, key):Derived API output service Remove From parameters completed power from ECDSA private the module key:Paired With ECDSA private API input RAM:Plaintext From service Free cipher DRBG internal state: (V key parameters invoked to handle value, key):Derived Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 48

Name Input - Storage Storage Zeroization Related SSPs Output Duration API output service Remove From parameters completed power from ECDSA public key:Paired the module With RSA public key API input RAM:Plaintext From service Free cipher DRBG internal state: (V parameters invoked to handle value, key):Derived API output service Remove From parameters completed power from RSA private key:Paired the module With RSA private key API input RAM:Plaintext From service Free cipher RSA public key:Paired parameters invoked to handle With API output service Remove DRBG internal state: (V parameters completed power from value, key):Derived the module From Table 19: SSP Table 2

9.5 Transitions

The SHA-1 algorithm, as implemented by the module, will be non-approved for all purposes starting January 1, 2031. The RSA and ECDSA algorithms as implemented by the module conforms to FIPS 186-4, which has been superseded by FIPS 186-5. The transition started on July 25, 2023, and ended on February 4, 2024. FIPS 186-4 has been withdrawn since February 3, 2024. Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 49
10 Self-Tests
10.1 Pre-Operational Self-Tests

Algorithm or Test Test Method Test Type Indicator Details Test Properties HMAC-SHA2- Key size: Message SW/FW The module becomes Integrity test for

256 (A4773) 376-bit key Authentication Integrity

operational and the libgcrypt.so.20.4.0 services are available for use Table 20: Pre-Operational Self-Tests The pre-operational software integrity test is performed automatically when the module is powered on before the module transitions into the Operational state. While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the tests are successfully completed. The module transitions to the Operational state only after the pre-operational self-test passes successfully.

10.2 Conditional Self-Tests

Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type AES-ECB AES ECB mode with 128, KAT CAST The module Encryption, Module (A4773) 192, 256-bit keys, becomes Decryption initialization or encryption, and operational on demand decryption (separately and the through API tested) services are function call available for use AES-ECB AES ECB mode with 128, KAT CAST The module Encryption, Module (A4774) 192, 256-bit keys, becomes Decryption initialization or encryption, and operational on demand decryption (separately and the through API tested) services are function call available for use AES-ECB AES ECB mode with 128, KAT CAST The module Encryption, Module (A4776) 192, 256-bit keys, becomes Decryption initialization or encryption, and operational on demand decryption (separately and the through API tested) services are function call available for use AES-ECB AES ECB mode with 128, KAT CAST The module Encryption, Module (A4777) 192, 256-bit keys, becomes Decryption initialization or encryption, and operational on demand decryption (separately and the through API tested) services are function call available for use Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 50

Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type AES-CMAC AES CMAC with 128-bit KAT CAST The module Message Module (A4773) key, MAC generation becomes Authentication initialization or operational on demand and the through API services are function call available for use AES-CMAC AES CMAC with 128-bit KAT CAST The module Message Module (A4774) key, MAC generation becomes Authentication initialization or operational on demand and the through API services are function call available for use AES-CMAC AES CMAC with 128-bit KAT CAST The module Message Module (A4776) key, MAC generation becomes Authentication initialization or operational on demand and the through API services are function call available for use AES-CMAC AES CMAC with 128-bit KAT CAST The module Message Module (A4777) key, MAC generation becomes Authentication initialization or operational on demand and the through API services are function call available for use Counter CTR_DRBG with AES with KAT CAST The module Generate, Module DRBG 128-bit key with DF, with becomes Reseed initialization or (A4773) and without PR operational on demand and the through API services are function call available for use Counter CTR_DRBG with AES with KAT CAST The module Generate, Module DRBG 128-bit key with DF, with becomes Reseed initialization or (A4774) and without PR operational on demand and the through API services are function call available for use Counter CTR_DRBG with AES with KAT CAST The module Generate, Module DRBG 128-bit key with DF, with becomes Reseed initialization or (A4776) and without PR operational on demand and the through API services are function call available for use Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 51

Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type Counter CTR_DRBG with AES with KAT CAST The module Generate, Module DRBG 128-bit key with DF, with becomes Reseed initialization or (A4777) and without PR operational on demand and the through API services are function call available for use Hash DRBG SHA-1 without PR KAT CAST The module Generate, Module (A4773) becomes Reseed initialization or operational on demand and the through API services are function call available for use Hash DRBG SHA-1 without PR KAT CAST The module Generate, Module (A4774) becomes Reseed initialization or operational on demand and the through API services are function call available for use Hash DRBG SHA-1 without PR KAT CAST The module Generate, Module (A4776) becomes Reseed initialization or operational on demand and the through API services are function call available for use Hash DRBG SHA-1 without PR KAT CAST The module Generate, Module (A4777) becomes Reseed initialization or operational on demand and the through API services are function call available for use Hash DRBG SHA-1 without PR KAT CAST The module Generate, Module (A4778) becomes Reseed initialization or operational on demand and the through API services are function call available for use Hash DRBG SHA-256 with and KAT CAST The module Generate, Module (A4773) without PR becomes Reseed initialization or operational on demand and the through API services are function call available for use Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 52

Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type Hash DRBG SHA-256 with and KAT CAST The module Generate, Module (A4774) without PR becomes Reseed initialization or operational on demand and the through API services are function call available for use Hash DRBG SHA-256 with and KAT CAST The module Generate, Module (A4776) without PR becomes Reseed initialization or operational on demand and the through API services are function call available for use Hash DRBG SHA-256 with and KAT CAST The module Generate, Module (A4777) without PR becomes Reseed initialization or operational on demand and the through API services are function call available for use Hash DRBG SHA-256 with and KAT CAST The module Generate, Module (A4778) without PR becomes Reseed initialization or operational on demand and the through API services are function call available for use HMAC SHA-256 with and KAT CAST The module Generate, Module DRBG without PR becomes Reseed initialization or (A4773) operational on demand and the through API services are function call available for use HMAC SHA-256 with and KAT CAST The module Generate, Module DRBG without PR becomes Reseed initialization or (A4774) operational on demand and the through API services are function call available for use HMAC SHA-256 with and KAT CAST The module Generate, Module DRBG without PR becomes Reseed initialization or (A4776) operational on demand and the through API services are function call available for use Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 53

Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type HMAC SHA-256 with and KAT CAST The module Generate, Module DRBG without PR becomes Reseed initialization or (A4777) operational on demand and the through API services are function call available for use HMAC SHA-256 with and KAT CAST The module Generate, Module DRBG without PR becomes Reseed initialization or (A4778) operational on demand and the through API services are function call available for use ECDSA P-256 with SHA-256 KAT CAST The module Signature Module SigGen becomes generation initialization or (FIPS186-4) operational on demand (A4773) and the through API services are function call available for use ECDSA P-256 with SHA-256 KAT CAST The module Signature Module SigGen becomes generation initialization or (FIPS186-4) operational on demand (A4774) and the through API services are function call available for use ECDSA P-256 with SHA-256 KAT CAST The module Signature Module SigGen becomes generation initialization or (FIPS186-4) operational on demand (A4776) and the through API services are function call available for use ECDSA P-256 with SHA-256 KAT CAST The module Signature Module SigGen becomes generation initialization or (FIPS186-4) operational on demand (A4777) and the through API services are function call available for use ECDSA P-256 with SHA-256 KAT CAST The module Signature Module SigGen becomes generation initialization or (FIPS186-4) operational on demand (A4778) and the through API services are function call available for use Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 54

Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type ECDSA P-256 with SHA-256 KAT CAST The module Signature Module SigVer becomes verification initialization or (FIPS186-4) operational on demand (A4773) and the through API services are function call available for use ECDSA P-256 with SHA-256 KAT CAST The module Signature Module SigVer becomes verification initialization or (FIPS186-4) operational on demand (A4774s) and the through API services are function call available for use ECDSA P-256 with SHA-256 KAT CAST The module Signature Module SigVer becomes verification initialization or (FIPS186-4) operational on demand (A4776) and the through API services are function call available for use ECDSA P-256 with SHA-256 KAT CAST The module Signature Module SigVer becomes verification initialization or (FIPS186-4) operational on demand (A4777) and the through API services are function call available for use ECDSA P-256 with SHA-256 KAT CAST The module Signature Module SigVer becomes verification initialization or (FIPS186-4) operational on demand (A4778) and the through API services are function call available for use HMAC- HMAC-SHA-1 KAT CAST The module Message Module SHA-1 becomes authentication initialization or (A4772) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA-1 KAT CAST The module Message Module SHA-1 becomes authentication initialization or (A4773) operational on demand and the through API services are function call available for use Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 55

Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type HMAC- HMAC-SHA-1 KAT CAST The module Message Module SHA-1 becomes authentication initialization or (A4774) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA-1 KAT CAST The module Message Module SHA-1 becomes authentication initialization or (A4776) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA-1 KAT CAST The module Message Module SHA-1 becomes authentication initialization or (A4777) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA-1 KAT CAST The module Message Module SHA-1 becomes authentication initialization or (A4778) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA-224 KAT CAST The module Message Module SHA2-224 becomes authentication initialization or (A4773) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA-224 KAT CAST The module Message Module SHA2-224 becomes authentication initialization or (A4774) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA-224 KAT CAST The module Message Module SHA2-224 becomes authentication initialization or (A4776) operational on demand and the through API services are function call available for use Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 56

Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type HMAC- HMAC-SHA-224 KAT CAST The module Message Module SHA2-224 becomes authentication initialization or (A4777) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA-224 KAT CAST The module Message Module SHA2-224 becomes authentication initialization or (A4778) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA-256 KAT CAST The module Message Module SHA2-256 becomes authentication initialization or (A4773) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA-256 KAT CAST The module Message Module SHA2-256 becomes authentication initialization or (A4774) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA-256 KAT CAST The module Message Module SHA2-256 becomes authentication initialization or (A4776) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA-256 KAT CAST The module Message Module SHA2-256 becomes authentication initialization or (A4777) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA-256 KAT CAST The module Message Module SHA2-256 becomes authentication initialization or (A4778) operational on demand and the through API services are function call available for use Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 57

Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type HMAC- HMAC-SHA-384 KAT CAST The module Message Module SHA2-384 becomes authentication initialization or (A4773) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA-384 KAT CAST The module Message Module SHA2-384 becomes authentication initialization or (A4774) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA-384 KAT CAST The module Message Module SHA2-384 becomes authentication initialization or (A4776) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA-384 KAT CAST The module Message Module SHA2-384 becomes authentication initialization or (A4777) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA-384 KAT CAST The module Message Module SHA2-384 becomes authentication initialization or (A4778) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA-512 KAT CAST The module Message Module SHA2-512 becomes authentication initialization or (A4773) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA-512 KAT CAST The module Message Module SHA2-512 becomes authentication initialization or (A4774) operational on demand and the through API services are function call available for use Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 58

Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type HMAC- HMAC-SHA-512 KAT CAST The module Message Module SHA2-512 becomes authentication initialization or (A4776) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA-512 KAT CAST The module Message Module SHA2-512 becomes authentication initialization or (A4777) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA-512 KAT CAST The module Message Module SHA2-512 becomes authentication initialization or (A4778) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA3-224 KAT CAST The module Message Module SHA3-224 becomes authentication initialization or (A4773) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA3-224 KAT CAST The module Message Module SHA3-224 becomes authentication initialization or (A4774) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA3-224 KAT CAST The module Message Module SHA3-224 becomes authentication initialization or (A4773) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA3-256 KAT CAST The module Message Module SHA3-256 becomes authentication initialization or (A4773) operational on demand and the through API services are function call available for use Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 59

Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type HMAC- HMAC-SHA3-256 KAT CAST The module Message Module SHA3-256 becomes authentication initialization or (A4774) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA3-256 KAT CAST The module Message Module SHA3-256 becomes authentication initialization or (A4778) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA3-384 KAT CAST The module Message Module SHA3-384 becomes authentication initialization or (A4773) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA3-384 KAT CAST The module Message Module SHA3-384 becomes authentication initialization or (A4774) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA3-384 KAT CAST The module Message Module SHA3-384 becomes authentication initialization or (A4778) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA3-512 KAT CAST The module Message Module SHA3-512 becomes authentication initialization or (A4773) operational on demand and the through API services are function call available for use HMAC- HMAC-SHA3-512 KAT CAST The module Message Module SHA3-512 becomes authentication initialization or (A4774) operational on demand and the through API services are function call available for use Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 60

Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type HMAC- HMAC-SHA3-512 KAT CAST The module Message Module SHA3-512 becomes authentication initialization or (A4778) operational on demand and the through API services are function call available for use RSA SigGen PKCS #1 v1.5 with 2048- KAT CAST The module Signature Module (FIPS186-4) bit key and SHA-256 becomes generation initialization or (A4773) operational on demand and the through API services are function call available for use RSA SigGen PKCS #1 v1.5 with 2048- KAT CAST The module Signature Module (FIPS186-4) bit key and SHA-256 becomes generation initialization or (A4774) operational on demand and the through API services are function call available for use RSA SigGen PKCS #1 v1.5 with 2048- KAT CAST The module Signature Module (FIPS186-4) bit key and SHA-256 becomes generation initialization or (A4776) operational on demand and the through API services are function call available for use RSA SigGen PKCS #1 v1.5 with 2048- KAT CAST The module Signature Module (FIPS186-4) bit key and SHA-256 becomes generation initialization or (A4777) operational on demand and the through API services are function call available for use RSA SigGen PKCS #1 v1.5 with 2048- KAT CAST The module Signature Module (FIPS186-4) bit key and SHA-256 becomes generation initialization or (A4778) operational on demand and the through API services are function call available for use RSA SigVer PKCS #1 v1.5 with 2048- KAT CAST The module Signature Module (FIPS186-4) bit key and SHA-256 becomes verification initialization or (A4773) operational on demand and the through API services are function call available for use Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 61

Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type RSA SigVer PKCS #1 v1.5 with 2048- KAT CAST The module Signature Module (FIPS186-4) bit key and SHA-256 becomes verification initialization or (A4774) operational on demand and the through API services are function call available for use RSA SigVer PKCS #1 v1.5 with 2048- KAT CAST The module Signature Module (FIPS186-4) bit key and SHA-256 becomes verification initialization or (A4776) operational on demand and the through API services are function call available for use RSA SigVer PKCS #1 v1.5 with 2048- KAT CAST The module Signature Module (FIPS186-4) bit key and SHA-256 becomes verification initialization or (A4777) operational on demand and the through API services are function call available for use RSA SigVer PKCS #1 v1.5 with 2048- KAT CAST The module Signature Module (FIPS186-4) bit key and SHA-256 becomes verification initialization or (A4778) operational on demand and the through API services are function call available for use SHA-1 SHA-1 KAT CAST The module Message digest Module (A4772) becomes initialization or operational on demand and the through API services are function call available for use SHA-1 SHA-1 KAT CAST The module Message digest Module (A4773) becomes initialization or operational on demand and the through API services are function call available for use SHA-1 SHA-1 KAT CAST The module Message digest Module (A4774) becomes initialization or operational on demand and the through API services are function call available for use Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 62

Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type SHA-1 SHA-1 KAT CAST The module Message digest Module (A4775) becomes initialization or operational on demand and the through API services are function call available for use SHA-1 SHA-1 KAT CAST The module Message digest Module (A4776) becomes initialization or operational on demand and the through API services are function call available for use SHA-1 SHA-1 KAT CAST The module Message digest Module (A4777) becomes initialization or operational on demand and the through API services are function call available for use SHA-1 SHA-1 KAT CAST The module Message digest Module (A4778) becomes initialization or operational on demand and the through API services are function call available for use SHA2-224 SHA-224 KAT CAST The module Message digest Module (A4773) becomes initialization or operational on demand and the through API services are function call available for use SHA2-224 SHA-224 KAT CAST The module Message digest Module (A4774) becomes initialization or operational on demand and the through API services are function call available for use SHA2-224 SHA-224 KAT CAST The module Message digest Module (A4776) becomes initialization or operational on demand and the through API services are function call available for use Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 63

Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type SHA2-224 SHA-224 KAT CAST The module Message digest Module (A4777) becomes initialization or operational on demand and the through API services are function call available for use SHA2-224 SHA-224 KAT CAST The module Message digest Module (A4778) becomes initialization or operational on demand and the through API services are function call available for use SHA2-256 SHA-256 KAT CAST The module Message digest Module (A4773) becomes initialization or operational on demand and the through API services are function call available for use SHA2-256 SHA-256 KAT CAST The module Message digest Module (A4774) becomes initialization or operational on demand and the through API services are function call available for use SHA2-256 SHA-256 KAT CAST The module Message digest Module (A4776) becomes initialization or operational on demand and the through API services are function call available for use SHA2-256 SHA-256 KAT CAST The module Message digest Module (A4777) becomes initialization or operational on demand and the through API services are function call available for use SHA2-256 SHA-256 KAT CAST The module Message digest Module (A4778) becomes initialization or operational on demand and the through API services are function call available for use Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 64

Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type SHA2-384 SHA-384 KAT CAST The module Message digest Module (A4773) becomes initialization or operational on demand and the through API services are function call available for use SHA2-384 SHA-384 KAT CAST The module Message digest Module (A4774) becomes initialization or operational on demand and the through API services are function call available for use SHA2-384 SHA-384 KAT CAST The module Message digest Module (A4776) becomes initialization or operational on demand and the through API services are function call available for use SHA2-384 SHA-384 KAT CAST The module Message digest Module (A4777) becomes initialization or operational on demand and the through API services are function call available for use SHA2-384 SHA-384 KAT CAST The module Message digest Module (A4778) becomes initialization or operational on demand and the through API services are function call available for use SHA2-512 SHA-512 KAT CAST The module Message digest Module (A4773) becomes initialization or operational on demand and the through API services are function call available for use SHA2-512 SHA-512 KAT CAST The module Message digest Module (A4774) becomes initialization or operational on demand and the through API services are function call available for use Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 65

Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type SHA2-512 SHA-512 KAT CAST The module Message digest Module (A4776) becomes initialization or operational on demand and the through API services are function call available for use SHA2-512 SHA-512 KAT CAST The module Message digest Module (A4778) becomes initialization or operational on demand and the through API services are function call available for use PBKDF SHA-1 password length KAT CAST The module Key derivation Module (A4773) 24 characters, master becomes initialization or key length of 200 bits, operational on demand iteration count of 4096, and the through API and salt length of 288 services are function call bits; SHA-256 password available for length 24 characters, use master key length of 320 bits, iteration count of 4096, and salt length of

288 bits

PBKDF SHA-1 password length KAT CAST The module Key derivation Module (A4774) 24 characters, master becomes initialization or key length of 200 bits, operational on demand iteration count of 4096, and the through API and salt length of 288 services are function call bits; SHA-256 password available for length 24 characters, use master key length of 320 bits, iteration count of 4096, and salt length of

288 bits

PBKDF SHA-1 password length KAT CAST The module Key derivation Module (A4776) 24 characters, master becomes initialization or key length of 200 bits, operational on demand iteration count of 4096, and the through API and salt length of 288 services are function call bits; SHA-256 password available for length 24 characters, use master key length of 320 bits, iteration count of 4096, and salt length of

288 bits

PBKDF SHA-1 password length KAT CAST The module Key derivation Module (A4777) 24 characters, master becomes initialization or key length of 200 bits, operational on demand Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 66

Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type iteration count of 4096, and the through API and salt length of 288 services are function call bits; SHA-256 password available for length 24 characters, use master key length of 320 bits, iteration count of 4096, and salt length of

288 bits

PBKDF SHA-1 password length KAT CAST The module Key derivation Module (A4778) 24 characters, master becomes initialization or key length of 200 bits, operational on demand iteration count of 4096, and the through API and salt length of 288 services are function call bits; SHA-256 password available for length 24 characters, use master key length of 320 bits, iteration count of 4096, and salt length of

288 bits

ECDSA Signature generation and PCT PCT Successful key Key generation EC key pair KeyGen verification with SHA-256 generation generation (FIPS186-4) (A4773) ECDSA Signature generation and PCT PCT Successful key Key generation EC key pair KeyGen verification with SHA-256 generation generation (FIPS186-4) (A4774) ECDSA Signature generation and PCT PCT Successful key Key generation EC key pair KeyGen verification with SHA-256 generation generation (FIPS186-4) (A4776) ECDSA Signature generation and PCT PCT Successful key Key generation EC key pair KeyGen verification with SHA-256 generation generation (FIPS186-4) (A4777) ECDSA Signature generation and PCT PCT Successful key Key generation EC key pair KeyGen verification with SHA-256 generation generation (FIPS186-4) (A4778) RSA Signature generation of PCT PCT Successful key Key generation RSA key pair KeyGen verification with SHA-256 generation generation (FIPS186-4) (A4773) RSA Signature generation of PCT PCT Successful key Key generation RSA key pair KeyGen verification with SHA-256 generation generation (FIPS186-4) (A4774) RSA Signature generation of PCT PCT Successful key Key generation RSA key pair KeyGen verification with SHA-256 generation generation Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 67

Algorithm Test Properties Test Test Indicator Details Conditions or Test Method Type (FIPS186-4) (A4776) RSA Signature generation of PCT PCT Successful key Key generation RSA key pair KeyGen verification with SHA-256 generation generation (FIPS186-4) (A4777) RSA Signature generation of PCT PCT Successful key Key generation RSA key pair KeyGen verification with SHA-256 generation generation (FIPS186-4) (A4778) Table 21: Conditional Self-Tests The module performs self-tests on all approved cryptographic algorithms as part of the approved services supported in the approved mode of operation, using the tests shown in table above. Services are not available, and data output (via the data output interface) is inhibited during the self-tests. If any of these tests fails, the module transitions to the Error state.

10.3 Periodic Self-Test Information

Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-256 Message SW/FW Integrity Whenever module Upon every power (A4773) Authentication is powered on on Table 22: Pre-Operational Periodic Information Algorithm or Test Test Method Test Type Period Periodic Method AES-ECB (A4773) KAT CAST On demand Manually AES-ECB (A4774) KAT CAST On demand Manually AES-ECB (A4776) KAT CAST On demand Manually AES-ECB (A4777) KAT CAST On demand Manually AES-CMAC (A4773) KAT CAST On demand Manually AES-CMAC (A4774) KAT CAST On demand Manually AES-CMAC (A4776) KAT CAST On demand Manually AES-CMAC (A4777) KAT CAST On demand Manually Counter DRBG KAT CAST On demand Manually (A4773) Counter DRBG KAT CAST On demand Manually (A4774) Counter DRBG KAT CAST On demand Manually (A4776) Counter DRBG KAT CAST On demand Manually (A4777) Hash DRBG (A4773) KAT CAST On demand Manually Hash DRBG (A4774) KAT CAST On demand Manually Hash DRBG (A4776) KAT CAST On demand Manually Hash DRBG (A4777) KAT CAST On demand Manually Hash DRBG (A4778) KAT CAST On demand Manually Hash DRBG (A4773) KAT CAST On demand Manually Hash DRBG (A4774) KAT CAST On demand Manually Hash DRBG (A4776) KAT CAST On demand Manually Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 68

Algorithm or Test Test Method Test Type Period Periodic Method Hash DRBG (A4777) KAT CAST On demand Manually Hash DRBG (A4778) KAT CAST On demand Manually HMAC DRBG KAT CAST On demand Manually (A4773) HMAC DRBG KAT CAST On demand Manually (A4774) HMAC DRBG KAT CAST On demand Manually (A4776) HMAC DRBG KAT CAST On demand Manually (A4777) HMAC DRBG KAT CAST On demand Manually (A4778) ECDSA SigGen KAT CAST On demand Manually (FIPS186-4) (A4773) ECDSA SigGen KAT CAST On demand Manually (FIPS186-4) (A4774) ECDSA SigGen KAT CAST On demand Manually (FIPS186-4) (A4776) ECDSA SigGen KAT CAST On demand Manually (FIPS186-4) (A4777) ECDSA SigGen KAT CAST On demand Manually (FIPS186-4) (A4778) ECDSA SigVer KAT CAST On demand Manually (FIPS186-4) (A4773) ECDSA SigVer KAT CAST On demand Manually (FIPS186-4) (A4774s) ECDSA SigVer KAT CAST On demand Manually (FIPS186-4) (A4776) ECDSA SigVer KAT CAST On demand Manually (FIPS186-4) (A4777) ECDSA SigVer KAT CAST On demand Manually (FIPS186-4) (A4778) HMAC-SHA-1 KAT CAST On demand Manually (A4772) HMAC-SHA-1 KAT CAST On demand Manually (A4773) HMAC-SHA-1 KAT CAST On demand Manually (A4774) HMAC-SHA-1 KAT CAST On demand Manually (A4776) HMAC-SHA-1 KAT CAST On demand Manually (A4777) HMAC-SHA-1 KAT CAST On demand Manually (A4778) HMAC-SHA2-224 KAT CAST On demand Manually (A4773) HMAC-SHA2-224 KAT CAST On demand Manually (A4774) Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 69

Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA2-224 KAT CAST On demand Manually (A4776) HMAC-SHA2-224 KAT CAST On demand Manually (A4777) HMAC-SHA2-224 KAT CAST On demand Manually (A4778) HMAC-SHA2-256 KAT CAST On demand Manually (A4773) HMAC-SHA2-256 KAT CAST On demand Manually (A4774) HMAC-SHA2-256 KAT CAST On demand Manually (A4776) HMAC-SHA2-256 KAT CAST On demand Manually (A4777) HMAC-SHA2-256 KAT CAST On demand Manually (A4778) HMAC-SHA2-384 KAT CAST On demand Manually (A4773) HMAC-SHA2-384 KAT CAST On demand Manually (A4774) HMAC-SHA2-384 KAT CAST On demand Manually (A4776) HMAC-SHA2-384 KAT CAST On demand Manually (A4777) HMAC-SHA2-384 KAT CAST On demand Manually (A4778) HMAC-SHA2-512 KAT CAST On demand Manually (A4773) HMAC-SHA2-512 KAT CAST On demand Manually (A4774) HMAC-SHA2-512 KAT CAST On demand Manually (A4776) HMAC-SHA2-512 KAT CAST On demand Manually (A4777) HMAC-SHA2-512 KAT CAST On demand Manually (A4778) HMAC-SHA3-224 KAT CAST On demand Manually (A4773) HMAC-SHA3-224 KAT CAST On demand Manually (A4774) HMAC-SHA3-224 KAT CAST On demand Manually (A4773) HMAC-SHA3-256 KAT CAST On demand Manually (A4773) HMAC-SHA3-256 KAT CAST On demand Manually (A4774) HMAC-SHA3-256 KAT CAST On demand Manually (A4778) HMAC-SHA3-384 KAT CAST On demand Manually (A4773) Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 70

Algorithm or Test Test Method Test Type Period Periodic Method HMAC-SHA3-384 KAT CAST On demand Manually (A4774) HMAC-SHA3-384 KAT CAST On demand Manually (A4778) HMAC-SHA3-512 KAT CAST On demand Manually (A4773) HMAC-SHA3-512 KAT CAST On demand Manually (A4774) HMAC-SHA3-512 KAT CAST On demand Manually (A4778) RSA SigGen KAT CAST On demand Manually (FIPS186-4) (A4773) RSA SigGen KAT CAST On demand Manually (FIPS186-4) (A4774) RSA SigGen KAT CAST On demand Manually (FIPS186-4) (A4776) RSA SigGen KAT CAST On demand Manually (FIPS186-4) (A4777) RSA SigGen KAT CAST On demand Manually (FIPS186-4) (A4778) RSA SigVer KAT CAST On demand Manually (FIPS186-4) (A4773) RSA SigVer KAT CAST On demand Manually (FIPS186-4) (A4774) RSA SigVer KAT CAST On demand Manually (FIPS186-4) (A4776) RSA SigVer KAT CAST On demand Manually (FIPS186-4) (A4777) RSA SigVer KAT CAST On demand Manually (FIPS186-4) (A4778) SHA-1 (A4772) KAT CAST On demand Manually SHA-1 (A4773) KAT CAST On demand Manually SHA-1 (A4774) KAT CAST On demand Manually SHA-1 (A4775) KAT CAST On demand Manually SHA-1 (A4776) KAT CAST On demand Manually SHA-1 (A4777) KAT CAST On demand Manually SHA-1 (A4778) KAT CAST On demand Manually SHA2-224 (A4773) KAT CAST On demand Manually SHA2-224 (A4774) KAT CAST On demand Manually SHA2-224 (A4776) KAT CAST On demand Manually SHA2-224 (A4777) KAT CAST On demand Manually SHA2-224 (A4778) KAT CAST On demand Manually SHA2-256 (A4773) KAT CAST On demand Manually SHA2-256 (A4774) KAT CAST On demand Manually SHA2-256 (A4776) KAT CAST On demand Manually SHA2-256 (A4777) KAT CAST On demand Manually SHA2-256 (A4778) KAT CAST On demand Manually SHA2-384 (A4773) KAT CAST On demand Manually SHA2-384 (A4774) KAT CAST On demand Manually SHA2-384 (A4776) KAT CAST On demand Manually Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 71

Algorithm or Test Test Method Test Type Period Periodic Method SHA2-384 (A4777) KAT CAST On demand Manually SHA2-384 (A4778) KAT CAST On demand Manually SHA2-512 (A4773) KAT CAST On demand Manually SHA2-512 (A4774) KAT CAST On demand Manually SHA2-512 (A4776) KAT CAST On demand Manually SHA2-512 (A4778) KAT CAST On demand Manually PBKDF (A4773) KAT CAST On demand Manually PBKDF (A4774) KAT CAST On demand Manually PBKDF (A4776) KAT CAST On demand Manually PBKDF (A4777) KAT CAST On demand Manually PBKDF (A4778) KAT CAST On demand Manually ECDSA KeyGen PCT PCT Upon generation of Upon generation of (FIPS186-4) (A4773) an ECDSA key pair an ECDSA key pair ECDSA KeyGen PCT PCT Upon generation of Upon generation of (FIPS186-4) (A4774) an ECDSA key pair an ECDSA key pair ECDSA KeyGen PCT PCT Upon generation of Upon generation of (FIPS186-4) (A4776) an ECDSA key pair an ECDSA key pair ECDSA KeyGen PCT PCT Upon generation of Upon generation of (FIPS186-4) (A4777) an ECDSA key pair an ECDSA key pair ECDSA KeyGen PCT PCT Upon generation of Upon generation of (FIPS186-4) (A4778) an ECDSA key pair an ECDSA key pair RSA KeyGen PCT PCT Upon generation of Upon generation of (FIPS186-4) (A4773) an RSA key pair an RSA key pair RSA KeyGen PCT PCT Upon generation of Upon generation of (FIPS186-4) (A4774) an RSA key pair an RSA key pair RSA KeyGen PCT PCT Upon generation of Upon generation of (FIPS186-4) (A4776) an RSA key pair an RSA key pair RSA KeyGen PCT PCT Upon generation of Upon generation of (FIPS186-4) (A4777) an RSA key pair an RSA key pair RSA KeyGen PCT PCT Upon generation of Upon generation of (FIPS186-4) (A4778) an RSA key pair an RSA key pair Table 23: Conditional Periodic Information

10.4 Error States

Name Description Conditions Recovery Indicator Method Error The module immediately Software integrity test failure Restarting Module will not State stops functioning due to a CAST failure the module load; Module stops self-test failure; PCT failure PCT failure functioning for PCT failure Fatal The module immediately Random numbers are Restarting Module is aborted Error enters a non-recoverable requested in the error state the module and is not available State error state and automatically or cipher operations are for use transits to shutdown requested on a deallocated handle Table 24: Error States The table above shows the error codes and the corresponding condition. When the module fails any preoperational self-test or conditional test, the module returns an error code to indicate the error and will Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 72

enter the Error state. Any further cryptographic operation is inhibited. The calling application can obtain the module state by calling the gcry_control(GCRYCTL_OPERATIONAL_P) API function. The function returns FALSE if the module is in the Error state and TRUE if the module is in the Operational state. In the Error state, all data output is inhibited, no cryptographic operation is allowed, and the module accepts no more inputs or requests (as the module is no longer running). Recovery from the Error state includes restarting (i.e., powering off and powering on) of the module or running self-tests. Recovery from the Fatal Error state can only be done by restarting the module.

10.5 Operator Initiation of Self-Tests

The software integrity tests, cryptographic algorithm self-tests, and entropy source start-up tests can be invoked on demand by unloading and subsequently re-initializing the module. The pair-wise consistency tests can be invoked on demand by requesting the key pair generation service. Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 73
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The module is distributed as part of the Oracle Linux 9 (OL9) RPM package in the form of libgcrypt1.10.0-10.0.1.el9_2_fips RPM package that is located in the “Oracle Linux 9 Security Validation (Update 3)” yum repository (ol9_u3_security_validation). The operational environment needs to be set up in the FIPS validated configuration by installing the module as follows:

11.2 Administrator Guidance

The binaries of the module are contained in the RPM packages for delivery. The Crypto Officer shall follow Section 11.1 to configure the operational environment and install the module to be operated as a FIPS 140-3 validated module. The following RPM packages contain the FIPS validated module:

11.3 Non-Administrator Guidance

There is no non-administrator guidance.

11.4 End of Life

As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. Then, if desired, the libgcrypt-1.10.010.0.1.el9_2_fips RPM packages can be uninstalled from the Oracle Linux 9 system. Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 74
12 Mitigation of Other Attacks
12.1 Attack List

The module implements blinding against RSA Timing Attacks. RSA is vulnerable to timing attacks. In a setup where attackers can measure the time of RSA decryption or signature operations, blinding must be used to protect the RSA operation from that attack.

12.2 Mitigation Effectiveness

By default, the module uses the following blinding technique: instead of using the RSA decryption directly, a blinded value y = x re mod n is decrypted and the unblinded value x' = y' r−1 mod n returned. The blinding value r is a random value with the size of the modulus n. Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 75

Appendix A. Approved Public Key Flags Listed below are the approved public key flags for an input s-expression: curve d data e ecdsa flags sig-val genkey hash n nbits pkcs1 private-key value pss public-key q r raw rsa salt-length rsa-use-e s Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 76

Appendix B. Glossary and Abbreviations AES Advanced Encryption Standard AES-NI Advanced Encryption Standard New Instructions API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCM Counter with Cipher Block Chaining-Message Authentication Code CFB Cipher Feedback CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm FIPS Federal Information Processing Standards GCM Galois Counter Mode HMAC Keyed-Hash Message Authentication Code KAT Known Answer Test MAC Message Authentication Code NIST National Institute of Science and Technology PAA Processor Algorithm Acceleration PBKDF2 Password-based Key Derivation Function v2 PKCS Public-Key Cryptography Standards RSA Rivest, Shamir, Adleman SHA Secure Hash Algorithm SSP Sensitive Security Parameter XTS XEX-based Tweaked-codebook mode with cipher text Stealing Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 77

Appendix C. References FIPS 140-3 FIPS PUB 140-3 - Security Requirements For Cryptographic Modules March 2019 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-igannouncements FIPS 180-4 Secure Hash Standard (SHS) March 2012 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf FIPS 186-4 Digital Signature Standard (DSS) July 2013 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf FIPS 186-5 Digital Signature Standard (DSS) February 2023 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf FIPS 197 Advanced Encryption Standard November 2001 https://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS 198-1 The Keyed Hash Message Authentication Code (HMAC) July 2008 https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf SP 800-38A Recommendation for Block Cipher Modes of Operation Methods and Techniques December 2001 https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf SP 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication May 2005 https://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping December 2012 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf SP 800-56Ar3 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography April 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf SP 800-108r1 NIST Special Publication 800-108 - Recommendation for Key Derivation Using Pseudorandom Functions August 2022 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf Oracle Linux 9 libgcrypt Cryptographic Module Security Policy

Page 78

SP 800-132 Recommendation for Password-Based Key Derivation - Part 1: Storage Applications December 2010 https://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf SP 800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf SP 800-135r1 Recommendation for Existing Application-Specific Key Derivation Functions December 2011 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-135r1.pdf Oracle Linux 9 libgcrypt Cryptographic Module Security Policy