All modules
CMVP Validated Module · FIPS 140-3 Security Policy

wolfCrypt

Certificate#5041StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorwolfSSL Inc.
Medium review priority  ·  no TCB surface named  ·  wolfSSL upstream has published 79 CVEs since this module's initial validation  ·  last validated 12 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date7/17/2030
CaveatWhen operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g. keys).
VendorwolfSSL Inc.

Approved Algorithms (42)

AlgorithmACVP Cert
AES-CBCA2461
AES-CCMA2461
AES-CMACA2461
AES-CTRA2461
AES-ECBA2461
AES-GCMA2461
AES-GMACA2461
AES-OFBA2461
DSA KeyGen (FIPS186-4)A2461
ECDSA KeyGen (FIPS186-4)A2461
ECDSA KeyVer (FIPS186-4)A2461
ECDSA SigGen (FIPS186-4)A2461
ECDSA SigVer (FIPS186-4)A2461
Hash DRBGA2461
HMAC-SHA-1A2461
HMAC-SHA2-224A2461
HMAC-SHA2-256A2461
HMAC-SHA2-384A2461
HMAC-SHA2-512A2461
HMAC-SHA3-224A2461
HMAC-SHA3-256A2461
HMAC-SHA3-384A2461
HMAC-SHA3-512A2461
KAS-ECC-SSC Sp800-56Ar3A2461
KAS-FFC-SSC Sp800-56Ar3A2461
KDF SSHA2461
KDF TLSA2461
RSA Decryption PrimitiveA2461
RSA KeyGen (FIPS186-4)A2461
RSA SigGen (FIPS186-4)A2461
RSA SigVer (FIPS186-4)A2461
SHA-1A2461
SHA2-224A2461
SHA2-256A2461
SHA2-384A2461
SHA2-512A2461
SHA3-224A2461
SHA3-256A2461
SHA3-384A2461
SHA3-512A2461
TLS v1.2 KDF RFC7627A2461
TLS v1.3 KDFA2461

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for wolfCrypt
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Show Status<br/>Self-test</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>DTLS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for wolfCrypt
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Show Status<br/>Self-test</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>DTLS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

wolfCrypt Document Version 1.0 July 9, 2025 wolfSSL Inc.

10016 Edmonds Way

Suite C-300 Edmonds, WA 98020 wolfssl.com +1 425-245-8247 wolfSSL Inc. Public Material

Page 2

FIPS 140-3 Security Policy wolfCrypt Table of Contents wolfSSL Inc. Public Material

Page 3

FIPS 140-3 Security Policy wolfCrypt List of Tables List of Figures wolfSSL Inc. Public Material

Page 4

FIPS 140-3 Security Policy wolfCrypt

1 General

This document defines the Security Policy for the wolfCrypt cryptographic module by wolfSSL Inc., hereafter denoted the Module. The Module meets FIPS 140-3 overall Level 1 requirements, with security levels as described below.

1.1 Cryptographic Boundary

The Module is a cryptography software library, defined as a software module per AS02.03 with a multi-chip standalone embodiment. The Module is intended for use by U.S. and Canadian Federal agencies in addition to other markets that require FIPS 140-3 validated cryptographic functionality. The Module version under validation is Software Version v5.2.0.1. The package/file name is wolfssl-5.7.2-commercial-fips-linuxv5.2.0.1.7z. Table 1

1 General 1
2 Cryptographic Module Specification 1
3 Cryptographic Module Interfaces 1
4 Roles, Services, and Authentication 1
5 Software/Firmware Security 1
6 Operational Environment 1
7 Physical Security N/A
8 Non-Invasive Security N/A
9 Sensitive Security Parameter Management 1
10 Self-Tests 1
11 Life-Cycle Assurance 1
12 Mitigation of Other Attacks N/A

In accordance with AS02.05, [ISO19790] §7.7 Physical Security is optional and does not apply to the Module. In accordance with current CMVP policy, Non-Invasive Security is not applicable. The Module does not implement attack mitigations outside the scope of [FIPS140-3].

2 Cryptographic Module Specification

The Module conforms to [FIPS140-3_IG] §D.C References to the Support of Industry Protocols: while it provides [SP800-56Ar3] conformant schemes and API entry points oriented to TLS and SSH usage, the Module does not contain the full implementation of TLS or SSH. The following caveat is required: No parts of the TLS and SSH protocols, other than the approved cryptographic algorithms and KDFs, have been tested byt the CAVP or CMVP. The Module design corresponds to the Module security rules. Security rules enforced by the Module are described in the appropriate context of this document. wolfSSL Inc. Public Material

Page 5

FIPS 140-3 Security Policy wolfCrypt

2.1 Cryptographic Boundary

Figure 1 depicts the Module operational environment with the cryptographic boundary highlighted in red inclusive of all Module entry points (API calls). The physical perimeter of the module is the general purpose computer on which the software module resides. No components are excluded from [FIPS140-3] requirements. The pre-operational approved integrity test is performed over all components of the cryptographic boundary. Figure 1

Page 6

FIPS 140-3 Security Policy wolfCrypt

2.2 Modes of Operation, Security Rules, and Guidance

The Module supports an Approved mode of operation and a non-Approved mode of operation. Approved algorithms are listed in Table

  1. Non-Approved algorithms are listed in Table
  2. The Module is a cryptographic library providing primitives used by a calling application. The conditions for using the Module in the Approved mode of operation are:
  3. The Module is a cryptographic library, and it is intended to be used with a calling application. The calling application is responsible for the usage of the primitives in the correct sequence.
  4. The keys used by the Module for cryptographic purposes are determined by the calling application. The calling application is required to provide keys in accordance with [SP800-140Dr2], and to destroy the key structures via the corresponding Free calls after use.
  5. With the Module installed and configured in accordance with [UG] instructions and Section 11 of this document, only the algorithms listed in Table 3 (Approved algorithms) and Table 4 (non-Approved algorithms) are available. The Approved mode of operation is invoked by calling the services listed in Table 7 below. The module operates in the non-Approved mode when the service in Table 8 is invoked. The Module is in the Approved mode if the following conditions for algorithm use are met: a. Adherence to [FIPS140-3_IG] §C.H Key/IV Pair Uniqueness Requirements from SP 800-38D. The Module supports both internal IV generation (for use with the [SP800-56Ar3] compliant KAS API entry points) and external IV generation (for TLS KAS usage). For internal IV generation, the Module complies with C.H scenario 2: users MUST specify an IV length of GCM_NONCE_MID_SZ or greater for internal IV generation (specifying any length less than 96 bits means the Module is no longer in an approved mode of operation). For internal IV generation, C.H requires the calling application to use the Module’s internal approved DRBG to generate the random IV. For external IV generation, the Module complies with C.H scenario 1(a), tested per option (ii) under C.H TLS/DTLS 1.2 protocol IV generation. The Module performs a check for nonce_explicit rollover, returning an error if that condition is encountered. The module is compatible with TLS/DTLS 1.2 protocol and provides the primitives to support the AES-GCM ciphersuites from [SP800-52r2] Section 3.3.1. If the module’s power is lost and then restored, the key used for the AES GCM encryption/decryption shall be re-distributed. This condition is not enforced by the module but is met implicitly. The module does not retain any state across reset or power-cycles: AES-GCM key/IVs are not stored in non-volatile persistent memory (i.e., disk), hence no reconnection can occur without a fresh key establishment operation and the associated SSPs. b. ECDSA and RSA signature generation must be used with a SHA-2 or SHA-3 hash function. c. RSA signature generation and encryption primitives must use RSA keys with k = 2048, 3072 or

4096 bits or greater. If RSA uses keys with k < 2048, the module enters the non-Approved mode.

d. The calling process shall adhere to all current [SP800-131Ar2] algorithm usage restrictions. 4. Manual key entry is not supported. wolfSSL Inc. Public Material

Page 7

FIPS 140-3 Security Policy wolfCrypt

  1. The module does not support a non-compliant state. Once the module is compiled per the build instructions defined in the wolfCrypt FIPS 140-3 User Guide, it is not possible for the module to be in a non-compliant state.
  2. Data output and control output are inhibited during self-tests, zeroisation, and error states. The Module obtains the [FIPS140-3_IG] §D.F required key agreement assurances in accordance with [SP80056Ar3] Section 5.6.2. The module complies to [FIPS140-3_IG] §D.F Scenario 2, path 1.
2.3 Degraded Mode Operation

The Module implements a degraded mode of operation: when a CAST fails, the Module enters an error state. The algorithm CAST status is set to FIPS_CAST_STATE_FAILED and the Module runs all CASTs prior to the first operational use of any algorithm, regardless of the CAST having passed previously. Before exiting the error state, the Module status (reported in the Show Status service) is set to FIPS_MODE_DEGRADED. Upon exiting the error state, the Module enters the degraded mode of operation. The sequence of events is in accordance with AS02.26. The algorithm that failed its CAST, initially triggering the error state, will no longer be available for use in the degraded mode of operation and any algorithms that depend on that algorithm will also be unavailable for use. To recover from the degraded mode operation, the CO shall power cycle or reload the Module (equivalent to a power cycle).

2.4 Operational Environment

The TOEPP is the General Purpose Computer on which the module is running on. Operational testing was performed for the following modifiable Operational Environments (with no restrictions on operational environments configuration): Table 2

1 Linux 4.4 (Ubuntu 16.04 LTS) Intel Ultrabook 2 in 1 Intel® Core™ i5-5300U CPU @2.30GHz x 4 PAA

2 Linux 4.4 (Ubuntu 16.04 LTS) Intel Ultrabook 2 in 1 Intel® Core™ i5-5300U CPU @2.30GHz x 4 None

3 Windows 10 Intel Ultrabook 2 in 1 Intel® Core™ i5-5300U CPU @2.30GHz x 4 PAA

4 Windows 10 Intel Ultrabook 2 in 1 Intel® Core™ i5-5300U CPU @2.30GHz x 4 None

A unique set of object files was compiled for each operating environment listed above, with a total of four (4) sets. The Module conforms to [FIPS140-3_IG] §2.3.C Processor Algorithm Accelerators (PAA) and Processor Algorithm Implementation (PAI). The Intel Processor AES-NI functions are identified by [FIPS140-3_IG] §2.3.C as a known PAA. No vendor affirmed operational environments are claimed for this validation of the Module. wolfSSL Inc. Public Material

Page 8

FIPS 140-3 Security Policy wolfCrypt

2.5 Approved and Allowed Cryptographic Functionality

The Module implements the Approved and allowed cryptographic functions listed in the table below. Equivalent strength in bits is given for each key or algorithm type (as some algorithms do not use or produce keys). The term s is used throughout to indicate security strength, following the notation used in the majority of the sources (refer to the notes below Table 3). This table is referenced by Table 9 (SSPs). Table 3

Page 9

FIPS 140-3 Security Policy wolfCrypt CAVP Algorithm and Mode/Method Description/Key Size(s)/ Use/Function Cert Standard Key Strength(s) A2461 HMAC-SHA-1 Generate HMAC-SHA-1 MAC, SHA-1 (s = 160) Generation, verification, [FIPS198-1] with SHA-1 mode message authentication A2461 HMAC-SHA2 Generate HMAC-SHA2 MAC SHA2-224 (s = 224), Generation, verification, [FIPS198-1] with the listed SHA2 modes SHA2-256 (s = 256), message authentication SHA2-384 (s = 384), SHA2-512 (s = 512) A2461 HMAC-SHA3 Generate HMAC-SHA3 MAC SHA3-224 (s = 224), Generation, verification, [FIPS198-1] with the listed SHA3 modes SHA3-256 (s = 256), message authentication SHA3-384 (s = 384), SHA3-512 (s = 512) A2461 KAS-ECC-SSC Scheme: ephemeralUnified P-256 (s ~= 128), Shared secret [SP800-56Ar3] KAS Role: Initiator, responder P-384 (s ~= 192), computation P-521 (s ~= 256) See Note 2 and Note 3 A2461 KAS-FFC-SSC Scheme: dhEphem ffdhe2048 (s = 112), Shared secret [SP800-56Ar3] KAS Role: Initiator, responder ffdhe3072 (112 ≤ s ≤ 128), computation ffdhe4096 (112 ≤ s ≤ 152), ffdhe6144 (112 ≤ s ≤ 176), ffdhe8192 (112 ≤ s ≤ 200) See Note 5 CVL KDF SSH Derivation of key blocks for the AES-128 (s = 128), Key derivation for use A2461 [SP800-135r1] listed AES cipher key types and AES-192 (s = 192), with the SSH v2 protocol hash algorithms AES-256 (s = 256); SHA-1 (s = 160), SHA2-256 (s = 256), SHA2-384 (s = 384), SHA2-512 (s = 512) CVL KDF TLS TLS key derivation using the SHA2-256 (s = 256), Key derivation for use A2461 [SP800-135r1] listed hash algorithms SHA2-384 (s = 384), with the TLS v1.2 protocol SHA2-512 (s = 512) CVL RSA Decryption RSA primitive operations only k = 2048 (s ~= 112) Key transport primitive A2461 Primitive (no claims of key transport) See Note 6 RSADP [SP800-56Br2] Vendor RSA Encryption RSA primitive operations only k=2048 (s ~= 112), Key transport primitive Affirmed Primitive (no claims of key transport) k=3072 (s ~= 128), RSAEP [SP800-56Br2] k=4096 (s ~= 152) See Note 6 A2461 RSA KeyGen Key generation mode: B.3.3 k=2048 (s ~= 112), Key generation [FIPS186-4] Primality tests per Table C.2, k=3072 (s ~= 128), with listed moduli k=4096 (s ~= 152) See Note 4, Note 6, and Note 10 A2461 RSA SigGen Signature types: PKCS 1.5 and k=2048 (s ~= 112), Signature generation [FIPS186-4] PKCSPSS tested with the listed k=3072 (s ~= 128), moduli and the following hash k=4096 (s ~= 152) algorithms: SHA2-224, See Note 4, Note 6, and Note 10 SHA2-256, SHA2-384, SHA2-512 wolfSSL Inc. Public Material

Page 10

FIPS 140-3 Security Policy wolfCrypt CAVP Algorithm and Mode/Method Description/Key Size(s)/ Use/Function Cert Standard Key Strength(s) Signature types: PKCS 1.5 and PKCSPSS with the listed moduli and the following hash algorithms: SHA3-224, SHA3-256, SHA3-384, SHA3-512 (no ACVP testing is currently available, See Note

  1. A2461 RSA SigVer Signature types: PKCS 1.5 and k=1024 (s ≤ 112), Signature verification [FIPS186-4] PKCSPSS tested with the listed k=2048 (s ~= 112), (verification with SHA-1 moduli and the following hash k=3072 (s ~= 128), and modulus length algorithms: SHA-1, SHA2-224, k=4096 (s ~= 152) k=1024 is for legacy use SHA2-256, SHA2-384, See Note 4 and Note 6 only) SHA2-512 Signature types: PKCS 1.5 and PKCSPSS with the listed moduli and the following hash algorithms: SHA3-224, SHA3-256, SHA3-384, SHA3-512 (no ACVP testing is currently available, See Note
  2. A2461 SHA-1 SHA-1 mode listed at right SHA-1 (s = 160) Message digest [FIPS180-4] See Note 1 generation A2461 SHA2 SHA2 modes listed at right SHA2-224 (s = 224), Message digest [FIPS180-4] SHA2-256 (s = 256), generation SHA2-384 (s = 384), SHA2-512 (s = 512) See Note 1 A2461 SHA3 SHA3 modes listed at right SHA3-224 (s = 224), Message digest [FIPS202] See Note 9 SHA3-256 (s = 256), generation SHA3-384 (s = 384), SHA3-512 (s = 512) See Note 1 CVL TLS v1.2 KDF TLS [RFC7627] key derivation SHA2-256 (s = 256), Key derivation for use A2461 [RFC7627] with Extended Master Secret SHA2-384 (s = 384), with the TLS v1.2 protocol (EMS) support, using the listed SHA2-512 (s = 512) hash algorithms CVL TLS v1.3 KDF KDF running modes: DHE, PSK, HMAC-SHA2-256 (s = 256), Key derivation for use A2461 [RFC8446] PSK-DHE, using the listed HMAC-SHA2-384 (s = 384) with the TLS v1.3 protocol HMAC algorithms Note 1: Preimage resistance strength applies to hash algorithms used in DRBG, KDFs. Described also in [SP800-57P1r5] Table
  3. Note 2: Elliptic curve strengths are annotated as approximate (i.e., s ~=) since [SP800-186] Table 1 provides approximate security strengths. Note 3: Approved elliptic curves for ECC key agreement are given in [SP800-56Ar3] Table
  4. Note 4: In Digital Signature applications, security strength is primarily associated with the asymmetric key pair specification. The hash function used must have equivalent strength equal to or greater than the security strength of the associated key pair. Note 5: Approved key types for FFC key agreement are given in [SP800-56Ar3] Tables 25,
  5. The group notation of Table 26 is used for consistency with CAVP algorithm listings and ACVP capability registration. wolfSSL Inc. Public Material – May be reproduced in its original entirety without revision.
Page 11

FIPS 140-3 Security Policy wolfCrypt Note 6: Estimated security strengths of common RSA moduli are given in [SP800-56Br2] Table

  1. IFC key types approved for Digital Signature Generation and Verification are given also in [SP800-57P1r5] Table
  2. Equivalent strengths are annotated as approximate (i.e., s ~=) since [SP800-56Br2] Table 4 provides approximate security strengths. Note 7: Security strength for L=2048/N=256 is determined in accordance with [FIPS140-3_IG] D.B Strength of SSP Establishment Methods as y = min(x, N/2), where x is 112 and therefore y = min(112, 128) = 112. Note 8: The Module is compliant with [FIPS140-3_IG] C.F. extending prime generation and signature generation techniques to the RSA modulus sizes not listed in [FIPS186-4]. With regards to primality testing the Module tests p and q (no auxiliary primes) with 8 rounds of MR Test Only regardless of p and q size. 8 Rounds is three more rounds than the minimum required when p and q are 1024-bits respectively and double the rounds required when p and q are 1536-bits (or greater) respectively. The minimum requirements come from in [FIPS186-5] Table B.1 as related to using a prime generation method that does not rely on the use of auxiliary primes. The Module does more than the minimum required rounds in all cases of p and q size. Note 9: SHA3 was CAVP tested as standalone functions. SHA3 has not been CAVP tested with ECDSA or RSA as no CAVP testing is currently available. This meets the use and testing requirements in [FIPS140-3_IG] C.C. Note 10: The Module cannot generate signatures in the Approved mode using a 1024-bit key and cannot generate 1024-bit keys. The Module can verify signatures signed with a 1024-bit key. Reference sources for the strengths provided in Table 3 are as follows: • AES (AES-128, AES-192, AES-256): [SP800-57P1r5] Table 2. • ECC (P-192, P-224, P-256, P-384, P-521): [SP800-186] Table 1. • FFC (L=1024/N=160, L=2048/N=224, L=2048/N=256, L=3072/N=256): [SP800-57P1r5] Table 2. • FFC (ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192): [SP800-56Ar3] Table 26. • IFC (k=1024, k=2048, k=3072, k=4096): [SP800-56Br2] Table 4. • SHA-1, SHA2 (SHA2-224, SHA2-256, SHA2-384, SHA2-512): [SP800-107] Table 1. • SHA3 (SHA3-224, SHA3-256, SHA3-384, SHA3-512): [SP800-57P1r5] Table
  3. Table 4 - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation Algorithm/Function Use/Function RSA SigGen using 1024 bit keys RSA Signature Generation The Module does not implement the following: • Non-Approved Algorithms Allowed in the Approved Mode of Operation. • Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed.
3 Cryptographic Module Interfaces

Table 5 defines the Module’s [FIPS140-3] logical interfaces; the Module does not interact with physical ports. Table 5

4 Roles, Services, and Authentication

The Module supports the Cryptographic Officer (CO) operator role, and does not support multiple concurrent operators, a maintenance role or bypass capability. wolfSSL Inc. Public Material

Page 12

FIPS 140-3 Security Policy wolfCrypt The Module does not provide an authentication or identification method of its own. The CO role is implicitly identified by the service requested. The cryptographic module does not support loading software from an external source.

4.1 Approved Services

All services implemented by the Module are listed in Table 6. The calling application may use the Show status service (wolfCrypt_GetStatus_fips call) to determine the status of the Module. A return code of FIPS_MODE_NORMAL means the Module is in a state without errors; the return code FIPS_MODE_DEGRADED means a CAST has failed

Page 13

FIPS 140-3 Security Policy wolfCrypt Table 7

Page 14

FIPS 140-3 Security Policy wolfCrypt Service Description Approved Security Keys and/or SSPs Roles Access Indicator Functions Rights to Keys and/or SSPs Symmetric Encrypt or decrypt AES-CBC, AES-CCM, SC_EDK/AES CO E,W f cipher data, including AEAD AES-CTR, AES-ECB, modes (CCM, GCM) AES-GCM, AES-OFB Zeroise wc_FreeRng_fips() -- Entropy Input CO Z f destroys RNG CSPs RBG_State Z All functions zeroise DS_SGK/ECC Z CSPs using function DS_SGK/IFC Z ForceZero() GKP_Private/ECC Z (overwriting with GKP_Private/IFC Z zeroes) within the KAS_Private/ECC Z function scope after KAS_Private/FFC Z use KAS_SS/ECC Z KAS_SS/FFC Z Caller stack cleanup KH_Key/AES-CMAC Z is the duty of the KH_Key/AES-GMAC Z application KH_Key/HMAC Z GPC restart/power- RBG_Seed Z cycle clears all CSPs SC_EDK/AES in RAM Note that the caller provides the KAS_Private and KAS_Public keys for shared secret computation; the caller’s exchange and assurance of SSPs with the remote participant is outside the scope of the Module. † Consistent with [FIPS140-3_IG] §9.5.A, available only if the private_key_read_enable property is set to TRUE. ‡ Not claiming key transport, but the RSADP and RSAEP are available for interoperation with peers using the TLS protocol stack without an approved cryptography implementation. wolfSSL Inc. Public Material

Page 15

FIPS 140-3 Security Policy wolfCrypt Table 8

5 Software/Firmware Security
5.1 Integrity Techniques

The Module uses HMAC-SHA2-256 with a 256-bit key (HMAC Cert. #A2461) as the approved integrity technique. The object files from section 2 are linked into the library. The code section is delimited by two functions that do not perform any actions; they are used only for their addresses. The constant data section is delimited by two constant arrays of unused data; they are only used for their addresses. The code is first added to the hash, then the constant data is added to the hash. The verify hash stored in the code is excluded from the HMAC-SHA2-256 calculation. The calculated HMAC is compared to the HMAC stored in the constant data section. Before the integrity technique is executed, the Module performs an HMAC-SHA2-256 KAT.

5.2 Initiate on Demand

The operator can initiate the integrity test on demand by reloading the Module.

5.3 Open-Source Parameters

While the Module is not “open-source” since it is only shipped under a commercial license, the open-source practice of source code delivery with a commercial license is standard for the Module. While not required to do so, the Module will abide by [ISO19790] §B.2.5. Please see details in the wolfCrypt FIPS 140-3 User Guide [UG] for the OEs listed on the validation certificate. Details will include information about compiler, compiler configuration settings and methods to compile the source code into an executable form in an approved mode of operation. See also §11.1 below.

6 Operational Environment

Table 2 lists the operational environments on which the Module was tested. The module runs on a modifiable operating environment. The operational environment that is designed to accept functional changes that may contain non-controlled software. For Linux builds, the configure script provided with the package detects the environment and sets the required flags. On Windows, a header file is provided to set the required flags.

7 Physical Security

N/A. The Module does not implement physical security.

8 Non-Invasive Security

N/A. The Module does not implement non-invasive security mechanisms. wolfSSL Inc. Public Material

Page 16

FIPS 140-3 Security Policy wolfCrypt

9 Sensitive Security Parameter Management

All Sensitive Security Parameters (SSPs) used by the Module are described in this section, arranged for consistency with Table 7. The text ‘--’ indicates the table cell contents are intentionally not present. Table 9

256 DS_SVK/ECC

DS_SVK/ECC <112, 112, ECDSA SigVer #A2461 -- IE1 -- S1 Z1 SigVer (public) key, related to 128, 192, 256 DS_SGK/ECC; key type with security strength <112 bits (P-192) used only for legacy signature verification DS_SGK/IFC 112, 128, 152 RSA SigGen #A2461 -- IE1 -- S1 Z1 SigGen (private) key, related to DS_SVK/IFC DS_SVK/IFC <112, 112, RSA SigVer #A2461 -- IE1 -- S1 Z1 SigVer (public) key, related to 128, 152 DS_SGK/IFC; key type with security strength <112 bits (k=1024) used only for legacy signature verification GKP_Private/ECC 112, 128, 192, ECDSA KeyGen #A2461, G2 IE2 -- S1 Z1 General ECDSA (private) key, related to

256 ECDSA KeyVer #A2461 GKP_Public/ECC

GKP_Public/ECC <112, 112, ECDSA KeyGen #A2461, G2 IE2 -- S1 Z1 General ECDSA (public) key, related to 128, 192, 256 ECDSA KeyVer #A2461 GKP_Private/ECC; key type with security strength <112 bits (P-192) used only for legacy public key validation (KeyVer) GKP_Private/FFC 112 DSA KeyGen #A2461 G3 IE2 -- S1 Z1 General DSA (private) key, related to GKP_Public/FFC GKP_Public/FFC 112 DSA KeyGen #A2461 G3 IE2 -- S1 Z1 General DSA (public) key, related to GKP_Private/FFC GKP_Private/IFC 112, 128, 152 RSA KeyGen #A2461 G1 IE2 -- S1 Z1 General RSA (private) key, related to GKP_Public/IFC GKP_Public/IFC 112, 128, 152 RSA KeyGen #A2461 G1 IE2 -- S1 Z1 General RSA (public) key, related to GKP_Private/IFC KAS_Private/ECC 128, 192, 256 KAS-ECC-SSC #A2461 -- IE1 -- S1 Z1 Key pair component used for shared secret generation KAS_Public/ECC 128, 192, 256 KAS-ECC-SSC #A2461 -- IE1 -- S1 Z1 Peer key pair component used for shared secret generation KAS_Private/FFC 112 ≤ s ≤ 200 KAS-FFC-SSC #A2461 -- IE1 -- S1 Z1 Key pair component used for shared secret generation KAS_Public/FFC 112 ≤ s ≤ 200 KAS-FFC-SSC #A2461 -- IE1 -- S1 Z1 Peer key pair component used for shared secret generation KAS_SS/ECC 128, 192, 256 KAS-ECC-SSC #A2461 -- -- E2 S1 Z1 Shared secret calculation z output value (for KDF) KAS_SS/FFC 112 ≤ s ≤ 200 KAS-FFC-SSC #A2461 -- -- E1 S1 Z1 Shared secret calculation z output value (for KDF) Strength is provided in bits. Please refer to Table 3 and the notes below it for the strength provenance (traceability to applicable standards and special publications). wolfSSL Inc. Public Material

Page 17

FIPS 140-3 Security Policy wolfCrypt Generation Import/Export Establishment Zeroisation Key/SSP Security Function and Cert Strength1 Use & Related Keys Name/Type Number Storage KD_DKM 160, 128, 192, KDF SSH #A2461, -- -- E3 S1 Z1 Key Derivation derived keying material2 256, 384, 512 KDF TLS #A2461, TLS v1.2 KDF RFC7627 #A2461, TLS v1.3 KDF #A2461 KH_Key/ 128, 192, 256 AES-CMAC #A2461 -- IE1 -- S1 Z1 Keyed Hash key AES-CMAC KH_Key/ 128, 192, 256 AES-GMAC #A2461 -- IE1 -- S1 Z1 Keyed Hash key AES-GMAC KH_Key/HMAC 112 to 1024 in HMAC SHA-1 -- IE1 -- S1 Z1 Keyed Hash key 8-bit HMAC SHA2-224 increments HMAC SHA2-256 HMAC SHA2-384 HMAC SHA2-512 HMAC SHA3-224 HMAC SHA3-256 HMAC SHA3-384 HMAC SHA3-512 #A2461 KTS_KDK/IFC 112, 128, 152 RSA Decryption Primitive -- IE1 -- S1 Z1 RSA key de-encapsulation Key (for KDF) #A2461 KTS_KEK/IFC 112, 128, 152 RSA Encryption Primitive -- IE1 -- S1 Z1 RSA key encapsulation Key (for KDF) KTS_SS/IFC 112, 128, 152 RSA Decryption Primitive -- IE1 -- S1 Z1 RSA key transport shared secret (for #A2461, RSA Encryption KDF) Primitive Entropy Input 112 External source (see Table -- IE1 -- S1 Z1, Entropy input string 9) Z2 RBG_Seed 112 Hash DRBG #A2461 G4 -- -- S1 Z1, DRBG seed used for DRBG instantiate Z2 and reseed RBG_State 256 Hash DRBG #A2461 G5 -- E4 S1 Z1, Hash DRBG (SHA2-256) state: V (440) Z2 and C (440) SC_EDK/AES 128, 192, 256 AES-CBC #A2461, -- IE1 -- S1 Z1 AES key used for symmetric encryption AES-CCM #A2461, and decryption (including AES AES-CTR #A2461, authenticated encryption and AES-ECB #A2461, decryption) AES-GCM #A2461, AES-OFB #A2461 Legend Generation Establishment Storage G1: [FIPS186-4] RSA keypair generation, E1: [SP800-56Ar3] §5.7.1.1 FFC DH S1: RAM in plaintext [SP800-133r2] Section 5 compliant E2: [SP800-56Ar3] §5.7.1.1 ECC CDH G2: [FIPS186-4] ECDSA keypair generation E3: [SP800-56Cr2] Extract-then-expand Zeroisation [SP800-133r2] Section 5 compliant KDF Z1: Cleared after use via Free, or as part of G3: [FIPS186-4] DSA keypair generation, E4: [SP800-90Ar1] Hash_df; Instantiate; function cleanup before return. [SP800-133r2] Section 5 compliant. Generate; Reseed Z2: the internal RBG is zeroized upon G4: [SP800-90B] DRBG seed material, module shutdown. [SP800-133r2] Section 4 compliant The separation into specific keys is done outside the scope of the module but must be conformant to [SP800-56Cr2]. wolfSSL Inc. Public Material

Page 18

FIPS 140-3 Security Policy wolfCrypt G5: [SP800-90Ar1] DRBG state Import/Export (instantiation or update); [SP800-133r2] IE1: Call stack (API) input parameters Section 4 compliant. (electronic entry) IE2: Call stack (API) output parameters (electronic entry) The Module:

10 Self-Tests
10.1 Pre-Operational and Conditional Self-Tests

Each time the Module is powered up, it tests that the cryptographic algorithms still operate correctly, and that sensitive data has not been damaged. The pre-operational self-tests are available on demand by reloading the Module. On instantiation, the Module performs the pre-operational self-tests described below. All cryptographic functions include a check of a self-test flag; a self-test will be invoked if it has not yet been performed. All KATs must complete successfully prior to any other use of cryptography by the Module. The error state is persistent, and no services are available. All attempts to use the Module’s services result in the return of a non-zero error code, FIPS_NOT_ALLOWED_E (-197). To recover from an error state, reload the Module into memory. The module error state is called “Err”. Once the Module is powered on and has passed the pre-operational self-tests, calls to any cryptographic algorithm will trigger the CAST on first operational use of the algorithm. The CASTs are available on demand after power-on and can be executed by the Cryptographic Officer (CO) at any time. The CO may optionally invoke any CAST ahead of algorithm use at a more convenient time rather than letting it run automatically on first use. Regardless of the CAST running manually or automatically, once it has passed, the CO may manually re-run any CAST at any time in a periodic fashion. A CAST will no longer run automatically after it has passed the first time. wolfSSL Inc. Public Material

Page 19

FIPS 140-3 Security Policy wolfCrypt wolfSSL Inc. highly recommends a periodic power cycle or reload of the Module (once in a 24-hour period) as a best security practice. If a periodic power cycle is not possible, a periodic call to the function wc_RunAllCast_fips() is recommended as an alternative (at least once in a 24-hour period). See §10.2 below for details on proper use of the API from a calling application. Pre-Operational Self-Tests

Page 20

FIPS 140-3 Security Policy wolfCrypt

10.2 Operator Initiation of Self-Tests

For calling applications, the following is required:

  1. Include the library configuration header <wolfssl/options.h> (or user_settings.h via wolfssl/wolfcrypt/settings.h) first.
  2. After including the library configuration header, include <wolfssl/wolfcrypt/fips_test.h>, then use the API specified below to execute a given self-test. The CO may initiate all CASTs at once. The API wc_RunAllCast_fips() is provided as a public API to applications using the Module that have included the headers above in the proper order. The CO may initiate CASTs individually using the API wc_RunCast_fips(algorithm type) with any of the below algorithm type inputs: • FIPS_CAST_AES_CBC • FIPS_CAST_AES_GCM • FIPS_CAST_HMAC_SHA1 • FIPS_CAST_HMAC_SHA2_256 • FIPS_CAST_HMAC_SHA2_512 • FIPS_CAST_HMAC_SHA3_256 • FIPS_CAST_DRBG • FIPS_CAST_RSA_SIGN_PKCS1v15 • FIPS_CAST_ECC_CDH • FIPS_CAST_ECC_PRIMITIVE_Z • FIPS_CAST_DH_PRIMITIVE_Z • FIPS_CAST_ECDSA • FIPS_CAST_KDF_TLS12 • FIPS_CAST_KDF_TLS13 • FIPS_CAST_KDF_SSH The CO may re-run the pre-operational self-tests at any time after power-on using the public API wolfCrypt_IntegrityTest_fips(). This function always returns a value of zero regardless if the integrity check passed or failed, so the CO shall then check the status of the Module using the API wolfCrypt_GetStatus_fips(). The return value of the wolfCrypt_GetStatus_fips() API shall then be checked against the status indicators below: • FIPS_MODE_INIT status indicator value is
  3. This indicator means the integrity test has not completed and is likely running in another thread (multi-threaded). • FIPS_MODE_NORMAL status indicator value is
  4. This indicator means the integrity test passed and the Module is in a state without errors. • FIPS_MODE_FAILED status indicator value is
  5. This indicator means the integrity test failed and the Module is unusable. The CO shall power cycle or reload (equivalent to power cycle) to restore the Module. wolfSSL Inc. Public Material – May be reproduced in its original entirety without revision.
Page 21

FIPS 140-3 Security Policy wolfCrypt

11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The CO shall use the provided FIPS 140-3 User Guide, hereafter referred to as [UG]. A common name for this document is also the Cryptographic Officer Guidance Manual (COGM). [UG] and COGM are one and the same for this Module. The [UG] has a section specific to each Operational Environment (OE), also referred to as the “Tested Configuration”, that appears on the Module’s certificate and in the above Table 2

Page 22

FIPS 140-3 Security Policy wolfCrypt

11.1.1 Linux Installation

Operation of wolfCrypt in the FIPS 140-3 Approved Mode requires the wolfCrypt library version 5.2.0.1. To verify the fingerprint of the package, calculate the SHA2-256 sum using a FIPS 140-2 or FIPS 140-3 validated cryptographic module. The following command serves as an example: $ shasum -a 256 wolfssl-5.2.0.1-commercial-fips-linuxv5.7z 746341ac6d88b0d6de02277af5b86275361ed106c9ec07559aa57508e218b3f5 Compare the sum to the sum provided with the package. If the sums do not match stop using the Module and contact wolfSSL. To unpack the bundle: $ 7za x wolfssl-5.7.2-commercial-fips-linuxv5.2.0.1.7z 7-Zip... Extracting archive: wolfssl-5.7.2-commercial-fips-linuxv5.2.0.1.7z ... Enter password (will not be echoed): When prompted, enter the password. The password is provided in the distribution email. To build and install wolfCrypt in Approved mode: $ ./configure --enable-fips=v5 $ ./wolfcrypt/test/testwolfcrypt $ sudo make install If you have not received the library with FIPS 140-3 support the ./configure step will fail. Please contact wolfSSL. The enable and disable options required for running in the Approved Mode are automatically set by the FIPS enable option. Any encryption algorithms that are not enabled by the configuration must not be enabled separately. Options affecting wolfSSL usage are still allowed. make check will verify the build and that the library is operating correctly. If make check fails this probably means the In Core Integrity check has failed, which is expected. To verify this do: $ ./wolfcrypt/test/testwolfcrypt wolfSSL Inc. Public Material

Page 23

FIPS 140-3 Security Policy wolfCrypt ... in my Fips callback, ok = 0, err = 203 message = In Core Integrity check FIPS error hash = 622B4F8714276FF8845DD49DD3AA27FF68A8226C50D5651D320D914A5660B3F5 In core integrity hash check failure, copy above hash into verifyCore[] in fips_test.c and rebuild Copy the value given for the hash in the output, and replace the value of verifyCore[] in ./wolfcrypt/src/fips_test.c with this new value. After updating verifyCore[], recompile the wolfSSL library by running make check again. The In Core Integrity checksum will vary with compiler versions, runtime library versions, target hardware, and build type.

11.1.2 Windows 10 Installation

Operation of wolfCrypt in the FIPS 140-3 Approved Mode requires the wolfCrypt library version 5.2.0.1. To verify the fingerprint of the package, calculate the SHA2-256 sum using a FIPS 140-2 or FIPS 140-3 validated cryptographic module. The following command serves as an example: % shasum –a 256 wolfssl-5.7.2-commercial-fips-linuxv5.2.0.1.7z 02da35d0a4d6b8e777236fe30da7a6ff93834fb16939ea16da663773f1b34cf0 And compare the sum to the sum provided with the package. If for some reason the sums do not match stop using the Module and contact wolfSSL. A GUI-based 7-zip extraction may be used. To unpack the bundle from a command shell: % 7za x wolfssl-5.7.2-commercial-fips-linuxv5.2.0.1.7z 7-Zip... Extracting archive: wolfssl-5.7.2-commercial-fips-linuxv5.2.0.1.7z ... Enter password (will not be echoed): When prompted, enter the password. The password is provided in the distribution email. To build and install wolfCrypt for use in a FIPS 140-3 approved mode:

  1. In Visual Studio open IDE\WIN10\wolfssl-fips.sln.
  2. Select the Release DLL and x64 as the build type and target.
  3. Build the solution
  4. The library should be in the directory IDE\WIN10\DLL Release\x64 as a pair of files: wolfssl-fips.lib is the linking library and wolfssl-fips.dll is the shared library proper, it can be added to your project.
  5. In your application project, add a preprocessor macro for HAVE_FIPS. This will ensure the compiler is loading all the correct settings from the user_settings.h header file in the library.
  6. Build the solution.
  7. Run the code from the DLL Release\x64 directory, the default check failure should be output in the shell. The enable and disable options required for Approved mode are automatically set in the user settings file mentioned in step 5 above. Any encryption algorithms that are not enabled by the Approved mode must not be enabled separately. Options affecting wolfSSL usage are still allowed. The first run should indicate the In Core Integrity check has failed: in my Fips callback, ok = 0, err = -203 message = In Core Integrity check FIPS error hash = 622B4F8714276FF8845DD49DD3AA27FF68A8226C50D5651D320D914A5660B3F5 In core integrity hash check failure, copy above hash into verifyCore[] in fips_test.c and rebuild wolfSSL Inc. Public Material – May be reproduced in its original entirety without revision.
Page 24

FIPS 140-3 Security Policy wolfCrypt The In Core Integrity checksum will vary with compiler versions, runtime library versions, target hardware, and build type.

11.1.3 Linux Secure Startup

The library uses an allocator method to initialize itself after loading, without programmer interaction. The library will perform its own self-test in a thread safe manner.

11.1.4 Windows 10 Secure Startup

The library uses the DllMain() function to initialize itself after loading, without programmer interaction. The library will perform its own self-test in a thread safe manner.

11.2 Administrator Guidance

The CO shall use the provided [UG].

11.3 Non-Administrator Guidance

The Module supports the Cryptographic Officer (CO) operator role and does not support non-administrators.

12 Mitigation of Other Attacks

N/A. The Module does not claim mitigation of other attacks. wolfSSL Inc. Public Material

Page 25

FIPS 140-3 Security Policy wolfCrypt References

Page 26

FIPS 140-3 Security Policy wolfCrypt

Page 27

FIPS 140-3 Security Policy wolfCrypt Acronyms and Definitions

Page 28

FIPS 140-3 Security Policy wolfCrypt