All modules
CMVP Validated Module · FIPS 140-3 Security Policy

WTM 4000 module

Certificate#5107StandardFIPS 140-3Level1TypeSoftwareEmbodimentMultiChipStandStatusActiveVendorAviat Networks
Low review priority  ·  no TCB surface named  ·  last validated 7 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMultiChipStand
StatusActive
Sunset date7/10/2029
CaveatNo assurance of the minimum strength of generated SSPs (e.g., keys)
VendorAviat Networks

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for WTM 4000 module
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>Show Status<br/>UnAuth</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>library named: wolfssl</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C3,C5,C6 clue;
  class I3,I5,I6 infer;
  class R3,R5,R6 risk;
  class E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for WTM 4000 module
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>Show Status<br/>UnAuth</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>library named: wolfssl</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Aviat Networks WTM 4000 module Document Version 1.0

23 May 2025

AVIAT NETWORKS 200C Parker Drive, Suite 100A Austin, TX 78728 aviatnetworks.com +1 (512) 265-3680 © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 2
Table of Contents
#SectionPage
Page 3

© 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 4
List of Tables
ItemPage
Table 1: This Document History4
Table 2: Security Levels5
Table 3: Legend of Terms and references that appear in this document6
Table 4: Source Files7
Table 5: Tested Module Identification – Software, Firmware, Hybrid (Executable Code Sets)8
Table 6: Tested Operational Environments - Software, Firmware, Hybrid8
Table 7: Modes List and Description9
Table 8: Approved Algorithms12
Table 9: Vendor-Affirmed Algorithms13
Table 10: Security Function Implementations20
Table 11: Ports and Interfaces21
Table 12: Roles22
Table 13: Approved Services25
Table 14: Storage Areas27
Table 15: SSP Input-Output Methods27
Table 16: SSP Zeroization Methods28
Table 17: SSP Table 133
Table 18: SSP Table 233
Table 19: Pre-Operational Self-Tests34
Table 20: Conditional Self-Tests39
Table 21: Pre-Operational Periodic Information39
Table 22: Conditional Periodic Information40
Table 23: Periodic Method Descriptions40
Table 24: Error States42
Figure 1: Module Block Diagram7
Figure 2: Code Sample A44
Page 5
1 – General
1.1 Overview

This document defines the Security Policy for AVIAT NETWORKS WTM 4000 module, hereafter denoted the Module. The Module meets FIPS 140-3 overall Level 1 requirements, with security levels as described in section 1.2 below.

1.2 Security Levels

Section Title Security Level

1 General 1
2 Cryptographic module specification 1
3 Cryptographic module interfaces 1
4 Roles, services, and authentication 1
5 Software/Firmware security 1
6 Operational environment 1
7 Physical security N/A
8 Non-invasive security N/A
9 Sensitive security parameter management 1
10 Self-tests 1
11 Life-cycle assurance 1
12 Mitigation of other attacks N/A

Overall Level 1 Table 2: Security Levels

1.3 Additional Information

In accordance with AS02.05, [ISO19790] §7.7 Physical Security is optional and does not apply to the Module. Term/Ref Description [140-3] FIPS 140-3, Security Requirements for Cryptographic Modules [OE] The “Operating Environment” [186-4] FIPS 186-4, Digital Signature Standard (DSS) [90Arev1] NIST SP 800-90A Rev. 1, Recommendation for Random Number Generation Using Deterministic Random Bit Generators [56Arev3] NIST SP 800-56A Rev. 3, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography [56Crev2] NIST SP 800-56C Rev. 2, Recommendation for KeyDerivation Methods in Key-Establishment Schemes [135rev1] NIST SP 800-135 Rev. 1, Recommendation for Existing Application-Specific Key Derivation Functions © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 6

Term/Ref Description [140Drev2] NIST SP 800-140D revision 2, CMVP Approved Sensitive Parameter Generation and Establishment Methods: CMVP Validation Authority Updates to ISO/IEC 24759 [UG] AVIAT NETWORKS FIPS 140-3 User Guide (sometimes referred to as the “Cryptographic Officer Guidance Manual” in documentation not produced by this vendor) [COGM] Cryptographic Officer Guidance Manual (Another term for [UG] recognized by some in the Industry. Same meaning as [UG] [140-3 IG] FIPS 140-3, Implementation Guidance [131Arev2] NIST SP 800-131A Rev. 2, Transitioning the Use of Cryptographic Algorithms and Key Lengths [56Brev2] NIST SP 800-56B Rev. 2, Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography Table 3: Legend of Terms and references that appear in this document

2 – Cryptographic Module Specification
2.1 Description

TOEPP: The platform(s) used for testing are documented in Table 6: Tested Operational Environments - Software, Firmware, Hybrid. If the onboard CPU of a tested platform supported a known PAA [FIPS 140-3 IG 2.3.C] and was desirable for FIPS use, then in accordance with [FIPS 140-3 IG2.3.C] that platform was tested both with and without PAA unless an identical or similar platform had already been tested. When an identical or similar platform was already tested, the new platform was tested only with PAA. This is reflected by the column PAA/PAI in table 6 as marked with a Yes or No entry. The Intel and AMD AESNI (AES New Instructions) are known PAA(s). Purpose and Use: The Module is a cryptography software library. The Module is a Multi-Chip Stand Alone embodiment. The Module is intended for use by U.S. and Canadian Federal agencies in addition to any other markets that require FIPS 140-3 validated cryptographic functionality. The Module was originally designed with embedded and IoT in mind. As a side effect of this design, it also scales exceptionally well on larger desktop and server systems allowing more connections per box than similar competing solutions. The Module version under validation is Software Version v5.2.1. Module Type: Software Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 7

Figure 1 depicts the Module operational environment, with the software module cryptographic boundary highlighted in red inclusive of all Module entry points (API calls). The Module is defined as a Software module per AS02.03. No components are excluded from [140-3] requirements. The pre-operational approved integrity test is performed over all components of the cryptographic boundary. Updates to the Module are provided as a complete replacement in accordance with AS04.27

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 8

Package or File Software/ Firmware Features Integrity Test Name Version wolfssl-5.6.3- v5.2.1 FIPS 140-3 module HMAC-SHA256 commercial-fips- and SSL/TLS library linuxv5.2.1.7z Table 5: Tested Module Identification

4100 BCM56260B0IFSBG -

Saber2 Table 6: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: N/A for this module. The Module conforms to [140-3 IG] 2.3.C Processor Algorithm Accelerators (PAA) and Processor Algorithm Implementation (PAI). The Intel Processor AES-NI functions are identified by [140-3 IG] 2.3.C as a known PAA. No vendor affirmed operational environments are claimed for this validation of the module.

2.3 Excluded Components

N/A the module does not support excluded components.

2.4 Modes of Operation

Modes List and Description: Mode Name Description Type Status Indicator Approved The Module supports an Approved Approved FIPS_MODE_NORMAL (1) mode of mode of operation. In this mode all operation services are available. Degraded The Module implements a Degraded Approved FIPS_MODE_DEGRADED mode of Mode of operation: when a CAST (2) operation fails, that CAST is marked as failed and the module will inhibit use of algorithms governed by that CAST © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 9

Table 7: Modes List and Description Mode Change Instructions and Status: Each time the module is power cycled or reloaded all CAST status are initialized to FIPS_CAST_STATE_INIT. Each algorithm invocation includes a check of the algorithms CAST status; if the CAST status is FIPS_CAST_STATE_INIT the module will automatically run the CAST and that algorithms CAST status will be updated to either FIPS_CAST_STATE_SUCCESS (if it passes) or FIPS_CAST_STATE_FAILURE (if it fails). See degraded mode for when a CAST status fails. To check the modules overall status at any time the cryptographic officer may use the Show Status service by calling wolfCrypt_GetMode_fips() this will return either: FIPS_MODE_INIT (0) - Module is currently running its’ pre-operational self-test in another thread (multi-threaded) FIPS_MODE_NORMAL (1) - Module in normal mode of operation without errors FIPS_MODE_DEGRADED (2) - Module in degraded mode of operation with some errors FIPS_MODE_FAILED (3) - Module failed the integrity check and is not usable To check the CAST state of any algorithm the cryptographic officer may use the Show Status Service by calling wc_GetCastStatus_fips(<algorithm type>) where algorithm type can be any of the following:

Page 10

Degraded Mode Description: The Module implements a degraded mode of operation: when a CAST fails, the module enters an error state. The algorithm CAST status is set to FIPS_CAST_STATE_FAILED and the module runs all CASTS prior to the first operational use of any algorithm, regardless of the CAST having passed previously. Before exiting the error state, the module status (reported in the Show Status service) is set to FIPS_MODE_DEGRADED. Upon exiting the error state, the module enters the degraded mode of operation. This sequence of events is in accordance with AS02.26. The algorithm that failed its’ CAST initially triggering the error state will no longer be available for use in degraded mode of operation and any algorithms that depend on that algorithm will also be unavailable for use. See Table 16: Conditional Self-Tests in section 10.2, column Conditions to see if a CAST failure will affect use of another algorithm. To recover from degraded mode of operation CO shall power cycle or reload the module (equivalent to a power cycle).

2.5 Algorithms

Approved Algorithms: Algorithm CAVP Properties Reference Cert AES-CBC A4308 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-CCM A4308 Key Length - 128, 192, 256 SP 800-38C AES-CMAC A4308 Direction - Generation, Verification SP 800-38B Key Length - 128, 192, 256 AES-CTR A4308 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-ECB A4308 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 AES-GCM A4308 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 192, 256 AES-GMAC A4308 Direction - Decrypt, Encrypt SP 800-38D IV Generation - External, Internal IV Generation Mode - 8.2.1, 8.2.2 Key Length - 128, 192, 256 AES-OFB A4308 Direction - Decrypt, Encrypt SP 800-38A Key Length - 128, 192, 256 DSA KeyGen A4308 L - 2048 FIPS 186-4 (FIPS186-4) N - 256 ECDSA KeyGen A4308 Curve - P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Extra Bits ECDSA KeyVer A4308 Curve - P-192, P-224, P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 11

Algorithm CAVP Properties Reference Cert ECDSA SigGen A4308 Component - No FIPS 186-4 (FIPS186-4) Curve - P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2384, SHA2-512, SHA3-224, SHA3-256, SHA3384, SHA3-512 ECDSA SigVer A4308 Component - No FIPS 186-4 (FIPS186-4) Curve - P-192, P-224, P-256, P-384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512 Hash DRBG A4308 Prediction Resistance - No SP 800-90A Mode - SHA2-256 Rev. 1 HMAC-SHA-1 A4308 Key Length - Key Length: 112-1024 Increment FIPS 198-1 HMAC-SHA2- A4308 Key Length - Key Length: 112-1024 Increment FIPS 198-1

224 8

HMAC-SHA2- A4308 Key Length - Key Length: 112-1024 Increment FIPS 198-1

256 8

HMAC-SHA2- A4308 Key Length - Key Length: 112-1024 Increment FIPS 198-1

384 8

HMAC-SHA2- A4308 Key Length - Key Length: 112-1024 Increment FIPS 198-1

512 8

HMAC-SHA3- A4308 Key Length - Key Length: 112-1024 Increment FIPS 198-1

224 8

HMAC-SHA3- A4308 Key Length - Key Length: 112-1024 Increment FIPS 198-1

256 8

HMAC-SHA3- A4308 Key Length - Key Length: 112-1024 Increment FIPS 198-1

384 8

HMAC-SHA3- A4308 Key Length - Key Length: 112-1024 Increment FIPS 198-1

512 8

KAS-ECC-SSC A4308 Domain Parameter Generation Methods - P- SP 800-56A Sp800-56Ar3 256, P-384, P-521 Rev. 3 Scheme ephemeralUnified KAS Role - initiator, responder KAS-FFC-SSC A4308 Domain Parameter Generation Methods - SP 800-56A Sp800-56Ar3 ffdhe2048 Rev. 3 Scheme dhEphem KAS Role - initiator, responder KDF SSH (CVL) A4308 Cipher - AES-128, AES-192, AES-256 SP 800-135 Hash Algorithm - SHA-1, SHA2-256, SHA2-384, Rev. 1 SHA2-512 KDF TLS (CVL) A4308 TLS Version - v1.2 SP 800-135 Hash Algorithm - SHA2-256, SHA2-384, SHA2- Rev. 1 © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 12

Algorithm CAVP Properties Reference Cert RSA KeyGen A4308 Key Generation Mode - B.3.3 FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 Primality Tests - Table C.2 Private Key Format - Standard RSA SigGen A4308 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 2048, 3072, 4096 RSA SigVer A4308 Signature Type - PKCS 1.5, PKCSPSS FIPS 186-4 (FIPS186-4) Modulo - 1024, 2048, 3072, 4096 SHA-1 A4308 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-224 A4308 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-256 A4308 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-384 A4308 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA2-512 A4308 Message Length - Message Length: 0-65536 FIPS 180-4 Increment 8 SHA3-224 A4308 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 SHA3-256 A4308 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 SHA3-384 A4308 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 SHA3-512 A4308 Message Length - Message Length: 0-65536 FIPS 202 Increment 8 TLS v1.2 KDF A4308 Hash Algorithm - SHA2-256, SHA2-384, SHA2- SP 800-135 RFC7627 (CVL) 512 Rev. 1 TLS v1.3 KDF A4308 HMAC Algorithm - SHA2-256, SHA2-384 SP 800-135 (CVL) KDF Running Modes - DHE, PSK, PSK-DHE Rev. 1 Table 8: Approved Algorithms NOTE: Only the algorithms specified in this section are supported by the module in approved mode of operation. No operational use of an algorithm may be performed until the corresponding CAST has passed. Vendor-Affirmed Algorithms: Name Properties Implementation Reference CKG- Asymmetric:RSA Linux 4.4 (Ubuntu 16.04 LTS) with an SP800-133r2 5.1

1 Asymmetric:ECDSA Intel Core i5-5300U CPU @2.30GHz x "Key Pairs for Digital

4 with PAA; Linux 4.4 (Ubuntu 16.04 Signature Schemes"

© 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 13

Name Properties Implementation Reference LTS) with an Intel Core i5-5300U CPU @2.30GHz x 4 without PAA CKG- Asymmetric:ECC Linux 4.4 (Ubuntu 16.04 LTS) with an SP800-133r2 5.2

2 Asymmetric:FFC Intel Core i5-5300U CPU @2.30GHz x "Key Pairs for Key

4 with PAA; Linux 4.4 (Ubuntu 16.04 Establishment"

LTS) with an Intel Core i5-5300U CPU @2.30GHz x 4 without PAA CKG- Symmetric:AES Linux 4.4 (Ubuntu 16.04 LTS) with an SP800-133r2 6.2

3 Symmetric:HMAC Intel Core i5-5300U CPU @2.30GHz x "Derivation of

4 with PAA; Linux 4.4 (Ubuntu 16.04 Symmetric Keys"

LTS) with an Intel Core i5-5300U CPU @2.30GHz x 4 without PAA Table 9: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. The Module does not implement non-approved algorithms. The services listed in this Security Policy include all cryptographic and non-cryptographic functionality. NOTE: For TLS 1.2 KDF Extended master-secret shall be used in approved mode of operation. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: N/A for this module.

2.6 Security Function Implementations

Name Type Description Properties Algorithms DRBG DRBG Deterministic SHA2-256: Random Byte (A4308) Generator A4308: Hash DRBG: (A4308) A4308: Message MAC Hash-Based HMAC-SHA-1: Authentication Message (A4308) Authentication A4308: Codes, HMAC-SHA2Generation and 224: (A4308) Verification A4308: HMAC-SHA2© 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 14

Name Type Description Properties Algorithms 256: (A4308) A4308: HMAC-SHA2384: (A4308) A4308: HMAC-SHA2512: (A4308) A4308: HMAC-SHA3224: (A4308) A4308: HMAC-SHA3256: (A4308) A4308: HMAC-SHA3384: (A4308) A4308: HMAC-SHA3512: (A4308) A4308: Secure Hash SHA Secure Hash SHA-1: (A4308) Function A4308: SHA2-224: (A4308) A4308: SHA2-256: (A4308) A4308: SHA2-384: (A4308) A4308: SHA2-512: (A4308) A4308: SHA3-224: (A4308) A4308: SHA3-256: (A4308) A4308: SHA3-384: (A4308) A4308: SHA3-512: (A4308) A4308: TLS 1.3 Key KAS-56CKDF KDF: Extract TLS v1.3 KDF: Agreement then Expand (A4308) (56C) A4308: © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 15

Name Type Description Properties Algorithms HMAC-SHA2256: (A4308) A4308: HMAC-SHA2384: (A4308) A4308: HMAC-SHA2512: (A4308) A4308: Primitive Key KAS-KeyGen DH: Key KAS-FFC-SSC Agreement agreement Sp800-56Ar3: primitives (A4308) A4308: KDF Derived KAS-135KDF KDF: Derive KDF SSH: Key Agreement keying material (A4308) from a shared A4308: secret (135); KDF TLS: (A4308) A4308: TLS v1.2 KDF RFC7627: (A4308) A4308: SHA-1: (A4308) A4308: SHA2-256: (A4308) A4308: SHA2-384: (A4308) A4308: SHA2-512: (A4308) A4308: KAS SSC KAS-SSC Derived keying KAS-ECC-SSC Derived Key material from a Sp800-56Ar3: Agreement shared secret (A4308) A4308: KAS-FFC-SSC Sp800-56Ar3: (A4308) A4308: 133r2 5.1 CKG SP800-133r2 RSA KeyGen Asymmetric Key 5.1 "Key Pairs (FIPS186-4): Generation for Digital (A4308) Signature A4308: Schemes" ECDSA KeyGen (FIPS186-4): (A4308) © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 16

Name Type Description Properties Algorithms A4308: Hash DRBG: (A4308) A4308: CKG-1: () 133r2 5.2 CKG SP800-133r2 KAS-ECC-SSC Asymmetric Key 5.2 "Key Pairs Sp800-56Ar3: Generation for Key (A4308) Establishment" A4308: KAS-FFC-SSC Sp800-56Ar3: (A4308) A4308: Hash DRBG: (A4308) A4308: CKG-2: () Symmetric Key CKG SP800-133r2 AES-CBC: Generation 6.2 "Derivation (A4308) of Symmetric A4308: Keys" AES-CCM: (A4308) A4308: AES-CMAC: (A4308) A4308: AES-CTR: (A4308) A4308: AES-ECB: (A4308) A4308: AES-GCM: (A4308) A4308: AES-GMAC: (A4308) A4308: AES-OFB: (A4308) A4308: HMAC-SHA-1: (A4308) A4308: HMAC-SHA2224: (A4308) A4308: HMAC-SHA2256: (A4308) © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 17

Name Type Description Properties Algorithms A4308: HMAC-SHA2384: (A4308) A4308: HMAC-SHA2512: (A4308) A4308: HMAC-SHA3224: (A4308) A4308: HMAC-SHA3256: (A4308) A4308: HMAC-SHA3384: (A4308) A4308: HMAC-SHA3512: (A4308) A4308: Hash DRBG: (A4308) A4308: CKG-3: () RSA AsymKeyPair- Generate an RSA KeyGen Asymmetric KeyGen RSA (FIPS186-4): Key-Pair Asymmetric Key (A4308) Generation Pair A4308: Hash DRBG: (A4308) A4308: DSA AsymKeyPair- Generate a DSA KAS-FFC-SSC Asymmetric KeyGen Asymmetric Key Sp800-56Ar3: Key-Pair AsymKeyPair- Pair, Validate a (A4308) Generation PubKeyVal Public DSA Key A4308: AsymKeyPair- and KAS-FFC- DSA KeyGen DomPar SSC Domain (FIPS186-4): Parameter (A4308) Generation A4308: (SP800-56Ar3) Hash DRBG: (A4308) A4308: ECC AsymKeyPair- Generate an KAS-ECC-SSC Asymmetric KeyVer ECC Sp800-56Ar3: Key-Pair AsymKeyPair- Asymmetric Key (A4308) Generation KeyGen Pair, ECC A4308: AsymKeyPair- KeyVer and ECDSA KeyGen DomPar KAS-ECC-SSC (FIPS186-4): Domain (A4308) Parameter A4308: © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 18

Name Type Description Properties Algorithms Generation Hash DRBG: (SP800-56Ar3) (A4308) A4308: Digital Signature DigSig-SigGen Digital Signature RSA SigGen Generation Generation (FIPS186-4): (A4308) A4308: ECDSA SigGen (FIPS186-4): (A4308) A4308: SHA2-224: (A4308) A4308: SHA2-256: (A4308) A4308: SHA2-384: (A4308) A4308: SHA2-512: (A4308) A4308: SHA3-224: (A4308) A4308: SHA3-256: (A4308) A4308: SHA3-384: (A4308) A4308: SHA3-512: (A4308) A4308: Hash DRBG: (A4308) A4308: Digital Signature DigSig-SigVer Digital Signature DigSig- RSA SigVer Verification Verification SigVer:1024 (FIPS186-4): (verification (A4308) only) A4308: DigSig- ECDSA SigVer SigVer:SHA-1 (FIPS186-4): (verification (A4308) only) A4308: DigSig- ECDSA KeyVer SigVer:P-192 (FIPS186-4): (Signature and (A4308) © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 19

Name Type Description Properties Algorithms Key Verification A4308: only) SHA-1: (A4308) A4308: SHA2-224: (A4308) A4308: SHA2-256: (A4308) A4308: SHA2-384: (A4308) A4308: SHA2-512: (A4308) A4308: SHA3-224: (A4308) A4308: SHA3-256: (A4308) A4308: SHA3-384: (A4308) A4308: SHA3-512: (A4308) A4308: Auth Block BC-Auth Authenticated AES-GMAC: Cipher Block Ciphers (A4308) A4308: AES-GCM: (A4308) A4308: AES-CMAC: (A4308) A4308: AES-CCM: (A4308) A4308: UnAuth Block BC-UnAuth Unauthenticated AES-CBC: Cipher Block Ciphers (A4308) A4308: AES-ECB: (A4308) A4308: AES-OFB: (A4308) A4308: AES-CTR: © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 20

Name Type Description Properties Algorithms (A4308) A4308: Table 10: Security Function Implementations

2.7 Algorithm Specific Information

The conditions for using the Module in the Approved mode of operation are:

  1. The Module is a cryptographic library and it is intended to be used with a calling application. The calling application is responsible for the usage of the primitives in the correct sequence including the IVs and sessions.
  2. The keys used by the Module for cryptographic purposes are determined by the calling application. The calling application is required to provide keys in accordance with [140Drev2].
  3. With the Module installed and configured in accordance with [UG] instructions, only the algorithms listed in the table in Section 2.5 are available. The module is in the Approved mode if the following conditions for algorithm use are met. NOTE: All conditions and restrictions below are met when the executable binary is built in accordance with the UG instructions. Applications that would be at risk of violating any restriction in this section will fail to build and link successfully against the compliant module binary executable. a. Adherence to [140-3 IG] C.H Key/IV Pair Uniqueness Requirements from SP 800-38D. The Module supports both internal IV generation (for use with the [56Arev3] compliant KAS API entry points) and external IV generation (for TLS KAS usage). For internal IV generation, the Module complies with C.H 2, users MUST specify an IV length of GCM_NONCE_MID_SZ or greater for internal IV generation otherwise specifying any length less than 96-bits is rejected by the module. For internal IV generation, C.H requires the calling application to use the modules internal approved DRBG to generate the random IV For external IV generation, the Module complies with C.H 1 (a), tested per option (ii) under C.H TLS protocol IV generation. The module performs a check for nonce_explicit rollover, returning an error if that condition is encountered. b. ECDSA and RSA signature generation must be used with a SHA-2 or SHA-3 hash function. c. RSA signature generation and encryption primitives must use RSA keys with k = 2048,
3072 or 4096 bits or greater.

d. The calling process shall adhere to all current [131Arev2] algorithm usage restrictions.

  1. Manual key entry is not supported.
  2. Data output is inhibited during self-tests, zeroization, and error states.
  3. RSA Decrypt Primitive (RSADP) with k=2048-bit is the only CAVP testable aspect of [56Brev2]. The module implements the RSA primitive operations only, there are no claims of key transport. The module implements ‘RSA Encrypt Primitive’ (RSAEP) and RSADP. The vendor affirms conformance to [56Brev2] for RSAEP and RSADP with other key sizes since no CAVP test is available for key sizes other than 2048-bit.
2.8 RBG and Entropy

© 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 21

N/A for this module. N/A for this module.

2.9 Key Generation
2.10 Key Establishment
2.11 Industry Protocols

The Module conforms to [140-3 IG] D.C References to the Support of Industry Protocols: while the module provides [56A] conformant schemes and API entry points oriented to TLS and SSH usage, the Module does not contain the full implementation of TLS or SSH. The following statements are required per IG D.C case #2: No parts of the TLS protocol other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. No parts of the SSH protocol other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP.

2.12 Additional Information

The Module design corresponds to the Module security rules. Security rules enforced by the Module are described in the appropriate context of this document.

3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

Physical Port Logical Data That Passes Interface(s) N/A: Internal (call Control Input API entry point: stack frame including non-sensitive stack) parameters N/A: Internal (call Control API call parameters passed by reference for structures stack) Output allocated by wolfCrypt N/A: Internal (call Data Input API call parameters passed by reference or value for stack) cryptographic service input N/A: Internal (call Data Output API call parameters passed by reference for stack) cryptographic service output N/A: Internal (call Status API return value: enumerated status resulting from call stack) Output execution Table 11: Ports and Interfaces © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 22

Table 7 defines the Module’s [140-3] logical interfaces; the Module does not interact with physical ports.

4 Roles, Services, and Authentication
4.1 Authentication Methods
4.2 Roles

Name Type Operator Type Authentication Methods CO Role CO Table 12: Roles The Module supports the Cryptographic Officer (CO) operator role, and does not support multiple concurrent operators, a maintenance role or bypass capability. The cryptographic module does not provide an authentication or identification method of its own. The CO role is implicitly identified by the service requested.

4.3 Approved Services

Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access Digital Generate Successf Sign: Key Sign: Status Digital CO Signature or verify ul Struct return; Signature - DS_SGK: digital completi (DS_SGK); Signature Generation W,E,Z signatures. on of the message; value. Digital - DS_SVK: service Verify: Verify: Signature W,E,Z (status signature Status Verification code >= value; return; 0) flags; sizes. Generate Generate Successf FFC, ECC: Status ECC CO Key Pair asymmetric ul curve return; Key Asymmetric key pairs. completi identifier; structure Key-Pair GKP_Privat on of the RSA: (GKP_Privat Generation e: G,R,Z service modulous e) DSA (status size; Asymmetric GKP_Publi code >= Key-Pair c: G,R,Z 0) Generation RSA Asymmetric Key-Pair Generation 133r2 5.2 © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 23

Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access Asymmetric Key Generation 133r2 5.1 Asymmetric Key Generation Key DH key Successf Key Status Primitive CO Agreeme agreement ul structures return; Key nt primitives. completi (KAS_Priva KAS_SSC; Agreement KAS_Privat on of the te and e: W,E,Z service KAS_Publi (status c); flags; KAS_Public code >= : W,E,Z

  1. KAS_SSC: G,R,Z Key Derive Successf KAS_SSC; Status TLS 1.3 Key CO Derivatio keying ul flags; return; Agreement n material completi KD_DKM; KDF KAS_SSC: from a on of the Derived Key R,E,Z shared service Agreement secret (status KAS SSC code >= Derived Key
  2. Agreement Keyed Generate Successf KH_Key Status Message CO Hash or verify ul return; Tag Authenticati - KH_Key: message completi value; on W,E integrity on of the Auth Block service Cipher (status code >=
  3. Message Generate a Successf Message; Status Secure CO Digest message ul flags; return; Hash Hash digest completi value; on of the service (status code >=
  4. Random Generate Successf DRBG Status DRBG CO random bits ul structure return; - Seed: using the completi (Internal Random W,E,Z DRBG on of the State Value; - Internal service containing State: G,E (status secret(s) C - Secret C: G,E © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material – May be reproduced only in its original entirety (without revision).
Page 24

Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access code >= and V); - Secret V:

  1. Seed G,E - Entropy Input String: W,E,Z Self-test Perform the Successf Flags Status Message CO designated ul return Authenticati self-test. completi on MOD_INT: on of the G,Z service - coreKey: (status E code >=
  2. Show Provide Successf None Status CO Status Module ul return status completi on of the service (status code >=
  3. Symmetri Encrypt or Successf SC_EDK; Status Auth Block CO c cipher Decrypt ul flags; return. Cipher - SC_EDK: data, completi Plaintext or UnAuth E,W including on of the ciphertext Block AEAD service data; Cipher modes (status Symmetric (CCM, code >= Key GCM)
  4. Generation Zeroise FreeRng_fi Successf DRBG Status CO ps destroys ul struct (RBG return - DS_SGK: RNG completi State) or Z CSPs. All on of the other functions service structures GKP_Privat zeroise (status containing e: Z CSPs using code >= SSPs function
  5. KAS_Privat ForceZero e: Z (overwriting with zeros) KAS_SSC: within the Z function - KD_DKM: scope after Z use. Caller - KH_Key: stack Z cleanup is - Seed: Z the duty of - Internal © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material – May be reproduced only in its original entirety (without revision).
Page 25

Name Descriptio Indicator Inputs Outputs Security SSP n Functions Access the State: Z application. - Secret C: Restarting Z the - Secret V: general- Z purpose - SC_EDK: computer Z clears all - Entropy CSPs in Input RAM. String: Z Show Provide Successf None Plaintext CO Version Module ul containing Version completi the module on of the version service (status code >=

  1. Table 13: Approved Services All services implemented by the Module are listed in Table
  2. The calling application may use the Show status service (wolfCrypt_GetStatus_fips call) to determine the status of the Module. A return code of FIPS_MODE_NORMAL means the Module is in a state without errors; Please see Section 2.4 for more information. In addition, as per [140-3 IG] 2.4.C the module supports an implicit indicator via the successful completion of a service, module does not support nonapproved services. See the AVIAT NETWORKS FIPS 140-3 User Guide [UG] for additional information on the cryptographic services listed in this section. Note that the caller provides the KAS_Private and KAS_Public keys for shared secret computation; the caller’s exchange and assurance of PSPs with the remote participant is outside the scope of the Module. For services Generate Key Pair, Key Agreement and Key Derivation consistent with [140-3 IG] 9.5.A, available only if the private_key_read_enable property is set to TRUE
4.4 Non-Approved Services
5 Software/Firmware Security
5.1 Integrity Techniques

© 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 26

The Module uses HMAC-SHA2-256 with a 256-bit key (HMAC Cert. #A4308) as the approved integrity technique. Before the integrity technique is executed the module performs an HMACSHA2-256 KAT.

5.2 Initiate on Demand

The operator can initiate the integrity test on demand by reloading the Module or by calling the API wolfCrypt_IntegrityTest_fips() at any time after power on. (See Section 10.5 “Operator Initiation of Self-Tests” later in this document for details of proper use of this API in an application).

5.3 Open-Source Parameters

While the module is not “open source” since it is only shipped under a commercial license, open source practice of source code delivery with a commercial license is standard for the module. As such the module (while not required to do so) will abide by ISO/IEC 19790:2012 B.2.5. Please see details in the AVIAT NETWORKS FIPS 140-3 User Guide [UG] for the [OE] listed on the FIPS certificate. Details will include information about compiler, compiler configuration settings and methods to compile the source code into an executable form in a FIPS validated manner. See also section 11.1 Installation, Initialization, and Startup Procedures later in this document.

6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable

6.2 Configuration Settings and Restrictions

Any setting that affects the module directly while compiling the executable binary shall not be used. If unsure contact AVIAT NETWORKS by sending email to “TACAM at aviatnet dot com”. An AVIAT engineer will review the setting for impact on the FIPS validated sources and determine if the setting is allowed or disallowed for an approved mode of operation. NOTE: The User Guide [UG] will contain an exact list of allowed settings. CO should refer to the [UG] first before contacting AVIAT support.

6.3 Additional Information

The operational environment for the Module is modifiable. Table 6 lists the operational environments on which the Module was tested. Specification of the security rules, settings or restrictions to the configuration of the operational environment are covered in the [UG]. The configure script provided with the package detects the environment and sets the required flags. © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 27

There are no specific restrictions to the configuration of the operational environment unless stated in the [UG].

7 Physical Security
7.1 Mechanisms and Actions Required
7.5 EFP/EFT Information
7.6 Hardness Testing Temperature Ranges
8 Non-Invasive Security

The Module does not implement non-invasive security mechanisms.

9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Description Persistence Area Type Name S1 RAM (Memory) Dynamic Table 14: Storage Areas

9.2 SSP Input-Output Methods

Name From To Format Distribution Entry SFI or Type Type Type Algorithm IE1 EXT: Call stack (API) input INT Plaintext Automated Electronic parameters IE2 INT: Call stack (API) output EXT Plaintext Automated Electronic parameters IE3 EXT: Loaded from external INT Plaintext Automated Electronic entropy source Table 15: SSP Input-Output Methods

9.3 SSP Zeroization Methods

© 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 28

Zeroization Description Rationale Operator Method Initiation Z1 cleared immediately after use Module does not Zeroise store SSPs persistently Z2 Per ISO/IEC 19790:2012 section 7.9.7, FIPS 140-3 IG parameters used solely for self-test purposes 9.7.B in 7.10 need not meet zeroisation requirements Table 16: SSP Zeroization Methods The module supports an implicit Zeroisation indicator. The implicit indicator is a successful completion of the service call.

9.4 SSPs

Name Description Size - Type - Generated Establishe Used By Strengt Category By d By h DS_SGK Digital RSA: Private - RSA Signature: 2048, CSP SigGen Signature 3072, (FIPS18 Generation 4096; 6-4) using Private ECDSA: ECDSA Key 224, SigGen 256, (FIPS18 384, 6-4) 521; RSA: 112, 128; ECDSA: 112, 128, 192, 256; DS_SVK Digital RSA: Public - PSP RSA Signature 1024*, SigVer Verification 2048, (FIPS18 using Public 3072, 6-4) Key 4096; ECDSA ECDSA: SigVer 192*, (FIPS18 224, 6-4) 256, 384, 521; RSA: © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 29

Name Description Size - Type - Generated Establishe Used By Strengt Category By d By h 80*, 112, 128; ECDSA: 80*, 112, 128, 192, 256; GKP_Privat Generated RSA: Private - RSA RSA e Key Pair 2048, CSP Asymmetric KeyGen (Private) 3072, Key-Pair (FIPS18 4096; Generation 6-4) ECDSA: ECC ECDSA 224, Asymmetric KeyGen 256, Key-Pair (FIPS18 384, Generation 6-4) 521; RSA: 112, 128; ECDSA: 112, 128, 192, 256; GKP_Publi Generated RSA: Public - PSP RSA RSA c Key Pair 2048, Asymmetric KeyGen (Public) 3072, Key-Pair (FIPS18 4096; Generation 6-4) ECDSA: ECC ECDSA 224, Asymmetric KeyGen 256, Key-Pair (FIPS18 384, Generation 6-4) 521; RSA: 112, 128; ECDSA: 112, 128, 192, 256; KAS_Privat Key pair FFC: Private - ECC KASe component 2048; CSP Asymmetric FFCprovided by ECC: Key-Pair SSC the local 224, Generation Sp800© 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 30

Name Description Size - Type - Generated Establishe Used By Strengt Category By d By h participant, 256, DSA 56Ar3 used for 384, Asymmetric KASDiffie- 521; - Key-Pair ECCHellman FFC: Generation SSC shared 112; Primitive Sp800secret ECC: Key 56Ar3 generation. 112, Agreement 128, 192, 256; KAS_Publi Key pair FFC: Public - PSP ECC KASc component 2048; Asymmetric ECCprovided by ECC: Key-Pair SSC the local 224, Generation Sp800participant, 256, DSA 56Ar3 used for 384, Asymmetric KASDiffie- 521; - Key-Pair FFCHellman FFC: Generation SSC shared 112; Primitive Sp800secret ECC: Key 56Ar3 generation. 112, Agreement 128, 192, 256; KAS_SSC Shared FFC: Shared ECC KASsecret 2048; Secret - Asymmetri FFCcalculation; z ECC: CSP c Key-Pair SSC output value 224, Generation Sp800is expected 256, DSA 56Ar3 to be used 384, Asymmetri KASby a KDF 521; - c Key-Pair ECCFFC: Generation SSC 112; KAS SSC Sp800ECC: Derived 56Ar3 112, Key KDF TLS 128, Agreement KDF 192, SSH 256; KD_DKM Key TLS Derived Key TLS 1.3 TLS v1.2 Derivation KDF Material - Key KDF derived v1.2 CSP Agreement RFC762 keying RFC KDF 7 material 7627: Derived TLS v1.3 1024; Key KDF TLS Agreement KDF KDF SSH v1.3: © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 31

Name Description Size - Type - Generated Establishe Used By Strengt Category By d By h 256, 384; KDF SSH: 256, 384,

512 -

256-bit KH_Key Keyed Hash CMAC: Symmetric AESkey 128, Key - CSP CMAC 192, AES256; GMAC GMAC: HMAC128, SHA3192, 512 256; HMACHMAC: SHA3160, 384 256, HMAC512; - SHA3CMAC: 256 128, HMAC192, SHA3256; 224 GMAC: HMAC128, SHA2192, 512 256; HMACHMAC: SHA2128, 384 256; HMACSHA2HMACSHA2HMACSHA-1 Entropy Entropy 256-bit - Entropy - Hash Input String input bit 256-bit CSP DRBG string loaded from the external entropy source Seed DRBG 384-bit - Entropy - DRBG Hash Seed_materi 256-bit CSP DRBG © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 32

Name Description Size - Type - Generated Establishe Used By Strengt Category By d By h al consisting of entropy input string (256-bit) concatenate d with the nonce (128bit) Secret C Hash DRBG 440-bits Entropy - DRBG Hash Internal - 256-bit CSP DRBG State Secret C Secret V Hash DRBG 440-bits Entropy - DRBG Hash Internal - 256-bit CSP DRBG State Secret V Internal Hash DRBG 880-bit - Entropy - DRBG Hash State Internal 256-bit CSP DRBG State (SHA256) with secret values V and C. V is 440bits, C is 440-bits. SC_EDK AES key 128, Symmetric AESused for 192 or Key - CSP CBC symmetric 256 bits AESencryption - 128, CCM (including 192 or AESAES 256 bits CTR authenticate AESd ECB encryption). AESModes: GCM CBC, CCM, AESCTR, ECB, OFB GCM, OFB MOD_INT Module 32- Message Message HMACIntegrity bytes - Authenticati Authenticati SHA2Value 256-bit on - CSP on 256 Computed at Run Time coreKey HMAC key 32- Message HMACfor in-core bytes - Authenticati SHA2integrity 256-bit on - CSP 256 © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 33

Name Description Size - Type - Generated Establishe Used By Strengt Category By d By h check selftest Table 17: SSP Table 1 Name Input - Storage Storage Zeroization Related SSPs Output Duration DS_SGK IE1 S1:Plaintext While in Z1 use DS_SVK IE1 S1:Plaintext While in Z1 use GKP_Private IE2 S1:Plaintext While in Z1 GKP_Public:Paired use With GKP_Public IE2 S1:Plaintext While in Z1 GKP_Private:Paired use With KAS_Private IE1 S1:Plaintext While in Z1 use KAS_Public IE2 S1:Plaintext While in Z1 use KAS_SSC S1:Plaintext While in Z1 KAS_Public:Derived use From KAS_Private:Derived From KD_DKM S1:Plaintext While in Z1 use KH_Key IE1 S1:Plaintext While in Z1 use Entropy Input IE3 S1:Plaintext While in Z1 String use Seed S1:Plaintext While in Z1 use Secret C S1:Plaintext While in Z1 Seed:Derived From use Secret V S1:Plaintext While in Z1 Seed:Derived From use Internal State S1:Plaintext While in Z1 use SC_EDK IE1 S1:Plaintext While in Z1 use MOD_INT S1:Plaintext While in Z1 use coreKey S1:Plaintext While in Z2 use Table 18: SSP Table 2 © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 34

* Per SP800-131Ar2 Section 3, Table 2, key sizes (1024-bit for RSA and 192-bit for ECC) are available for legacy use verification requirements when inter-oping with legacy systems. These key sizes shall not be used for signing operations.

10 Self-Tests
10.1 Pre-Operational Self-Tests

Algorithm Test Properties Test Test Indicator Details or Test Method Type HMAC- hash type: KAT SW/FW FIPS_MODE_NORMAL or MAC SHA2-256 SHA256, key Integrity FIPS_MODE_FAILED length: 32-bytes. Please note this is the module integrity test Table 19: Pre-Operational Self-Tests Each time the Module is powered on or loaded (equivalent to a power on) the integrity of the module is tested per ISO/IEC 19790:2012 Section 7.10.2.2. The very first step of the preoperational self-test (POST) is to force every Conditional Algorithm Self-Test to be in the FIPS_CAST_STATE_INIT mode meaning the CAST for a given algorithm has not run since power on and the CAST must run and pass prior to operational use of the algorithm. The integrity test uses HMAC-SHA2-256 to ensure the modules integrity therefore per AS 10.20 HMAC CAST is triggered prior to the integrity check. The HMAC CAST uses a known answer test per ISO/IEC 19790-2012 Section 7.10.3.2. The POST executes outside user control as the module is powering on or being loaded.

10.2 Conditional Self-Tests

Algorit Test Test Test Indicator Details Conditio hm or Properties Meth Typ ns Test od e AES- key length: KAT CAS FIPS_CAST_STATE_SU Encrypt Before CBC 32-bytes T CCESS or first use FIPS_CAST_STATE_FAI of LURE algorithm( s) AESECB, AESCBC, AESCTR, AESOFB, AESGCM, AES© 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 35

Algorit Test Test Test Indicator Details Conditio hm or Properties Meth Typ ns Test od e GMAC, AESCCM or AESCMAC AES- key length: KAT CAS FIPS_CAST_STATE_SU Decrypt Before CBC 32-bytes T CCESS or first use FIPS_CAST_STATE_FAI of LURE algorithm( s) AESECB, AESCBC, AESCTR, AESOFB, AESGCM, AESGMAC, AESCCM or AESCMAC AES- key length: KAT CAS FIPS_CAST_STATE_SU Decrypt Before GCM 32-bytes T CCESS or first use FIPS_CAST_STATE_FAI of LURE algorithm( s) AESGCM or AESGMAC AES- key length: KAT CAS FIPS_CAST_STATE_SU Encrypt Before GCM 32-bytes T CCESS or first use FIPS_CAST_STATE_FAI of LURE algorithm( s) AESGCM or AESGMAC HMAC- hash type: KAT CAS FIPS_CAST_STATE_SU MAC Before SHA1 SHA1; key T CCESS or first use length: 20- FIPS_CAST_STATE_FAI of bytes LURE algorithm( s) SHA1 © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 36

Algorit Test Test Test Indicator Details Conditio hm or Properties Meth Typ ns Test od e or HMACSHA1 HMAC- hash type: KAT CAS FIPS_CAST_STATE_SU MAC Before SHA2- SHA256; T CCESS or first use

256 key length: FIPS_CAST_STATE_FAI of

20-bytes LURE algorithm( s) SHA224, SHA256, HMACSHA224 or HMACSHA256 HMAC- hash type: KAT CAS FIPS_CAST_STATE_SU MAC Before SHA2- SHA2-512, T CCESS or first use

512 key length: FIPS_CAST_STATE_FAI of

20-bytes LURE algorithm( s) SHA384, SHA512, HMACSHA384 or HMACSHA512 HMAC- hash type: KAT CAS FIPS_CAST_STATE_SU MAC Before SHA3- SHA3-256, T CCESS or first use

256 key length: FIPS_CAST_STATE_FAI of

64-bytes LURE algorithm( s) SHA3224, SHA3256, SHA3-

384 or

SHA3512, HMACSHA3224, HMACSHA3256, HMACSHA3-

384 or

HMAC© 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 37

Algorit Test Test Test Indicator Details Conditio hm or Properties Meth Typ ns Test od e SHA3RSA- hash type: KAT CAS FIPS_CAST_STATE_SU Sign Before PKCSv SHA256; T CCESS or first use

1.5 key length: FIPS_CAST_STATE_FAI of

2048-bits LURE algorithm( s) RSA (PKCSv1. 5) or RSA (PSS) RSA- hash type: KAT CAS FIPS_CAST_STATE_SU Verify Before PKCSv SHA256, T CCESS or first use

1.5 key length: FIPS_CAST_STATE_FAI of

2048-bits LURE algorithm( s) RSA (PKCSv1. 5) or RSA (PSS) ECC hashType: KAT CAS FIPS_CAST_STATE_SU Computatio Before Diffie- SHA2-256; T CCESS or n Shared first use Hellman curve: P-256 FIPS_CAST_STATE_FAI Secret Z of LURE algorithm( s) ECC for shared secret generatio n FFC hashType: KAT CAS FIPS_CAST_STATE_SU Computatio Before Diffie- SHA2-256; T CCESS or n Shared first use Hellman keySize: FIPS_CAST_STATE_FAI Secret Z of 2048-bit; LURE algorithm( s) FFC for shared secret generatio n ECDSA curve: P256; KAT CAS FIPS_CAST_STATE_SU Sign Before hashType: T CCESS or first use SHA2-256 FIPS_CAST_STATE_FAI of LURE algorithm( s) ECDSA ECDSA curve: P256; KAT CAS FIPS_CAST_STATE_SU Verify Before hashType: T CCESS or first use SHA2-256 FIPS_CAST_STATE_FAI of LURE algorithm( s) ECDSA © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 38

Algorit Test Test Test Indicator Details Conditio hm or Properties Meth Typ ns Test od e TLSv1. HMAC- KAT CAS FIPS_CAST_STATE_SU Derive Before

2 KDF SHA2-256 T CCESS or Keying first use

FIPS_CAST_STATE_FAI Material of LURE TLSv1.2 KDF TLSv1. HMAC- KAT CAS FIPS_CAST_STATE_SU Derive Before

3 KDF SHA2-256 T CCESS or Keying first use

FIPS_CAST_STATE_FAI Material of LURE TLSv1.3 KDF KDF hashType: KAT CAS FIPS_CAST_STATE_SU Derive Before SSH SHA2-256 T CCESS or Keying first use FIPS_CAST_STATE_FAI Material of KDF LURE SSH RSA- key size: PCT PCT Service is successful or Sign/Verify Invoked PCT 2048,3072,4 an error code automatic

096 RSA_KEY_PAIR_E ally during

generate key pair service ECC- curve size: PCT PCT Service is successful or Sign/Verify Invoked PCT 224, 256, an error code automatic 384, 521 ECC_PCT_E ally during generate key pair service DH- key size: PCT PCT Service is successful or Modulus Invoked PCT 2048, 3072, an error code Exponentia automatic

4096 MP_CMP_E tion ally during

generate key pair service DRBG DRBG KAT CAS FIPS_CAST_STATE_SU Health-Test Before mode: T CCESS or with sub- first use SHA2-256 FIPS_CAST_STATE_FAI elements: of LURE Instantiate, algorithm( Generate, s) DBRG Reseed or Immediat ely upon registerin g an external entropy source © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 39

Algorit Test Test Test Indicator Details Conditio hm or Properties Meth Typ ns Test od e with the module Table 20: Conditional Self-Tests Once the module is powered on and has passed the POST, calls to any cryptographic algorithm will trigger the CAST on first operational use of the algorithm. The POST and CASTS are available on demand after power on and can be executed by the cryptographic officer (CO) at any time. The CO may optionally invoke any CAST ahead of algorithm use at a more convenient time rather than letting it run automatically on first use. Regardless of the CAST running manually or automatically, once it has passed the CO may manually re-run any CAST at any time in a periodic fashion, a CAST will no longer run automatically after it has passed the first time.

10.3 Periodic Self-Test Information

Algorithm or Test Method Test Type Period Periodic Test Method HMAC-SHA2- KAT SW/FW Integrity P2 Automatic or

256 Manually

Table 21: Pre-Operational Periodic Information Algorithm or Test Method Test Type Period Periodic Test Method AES-CBC KAT CAST P1 Manually AES-CBC KAT CAST P1 Manually AES-GCM KAT CAST P1 Manually AES-GCM KAT CAST P1 Manually HMAC-SHA1 KAT CAST P1 Manually HMAC-SHA2- KAT CAST P2 Automatic or

256 Manually

HMAC-SHA2- KAT CAST P1 Manually HMAC-SHA3- KAT CAST P1 Manually RSA-PKCSv1.5 KAT CAST P1 Manually RSA-PKCSv1.5 KAT CAST P1 Manually ECC Diffie- KAT CAST P1 Manually Hellman FFC Diffie- KAT CAST P1 Manually Hellman ECDSA KAT CAST P1 Manually ECDSA KAT CAST P1 Manually TLSv1.2 KDF KAT CAST P1 Manually TLSv1.3 KDF KAT CAST P1 Manually © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 40

Algorithm or Test Method Test Type Period Periodic Test Method KDF SSH KAT CAST P1 Manually RSA-PCT PCT PCT P3 Automatic ECC-PCT PCT PCT P3 Automatic DH-PCT PCT PCT P3 Automatic DRBG KAT CAST P4 Automatic or Manually Table 22: Conditional Periodic Information Name Description P1 Periodic method 1: Automatically by the module when algorithm is first invoked. CO may opt to invoke prior to first algorithm use to avoid delay at time of first operational use of an algorithm or at a later time manually. P2 Periodic method 2: Automatically by the module during power on. CO may opt to invoke manually thereafter. P3 Periodic method 3: Automatically during key generation service P4 Automatically by the module upon first operational use of the DRBG algorithm. When an external entropy source is registered with the module by application level entropy callback function it is considered the first operational use of the DRBG. Does a periodic reseed every 1 million invocations, during the reseed the DRBG health test will be automatically executed. Table 23: Periodic Method Descriptions

10.4 Error States

Name Description Conditi Recov Indicator ons ery Metho d FIPS_MODE_FAILED Module has failed HMAC- Power fipsModeId set to its software integrity SHA2- Cycle FIPS_MODE_FAILED check 256 (3) CAST Failure Module Integrity Check Failure FIPS_CAST_STATE_F One or more AES- Power One or more algorithms AILURE algorithm(s) are no CBC Cycle CAST status values set longer usable and AES- to the module mode is GCM © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 41

Name Description Conditi Recov Indicator ons ery Metho d set to HMAC- FIPS_CAST_STATE_F FIPS_MODE_DEG SHA1 AILURE (3) RADED (2) HMACSHA2HMACSHA2HMACSHA3RSAPKCSv1 .5 DRBG ECC DiffieHellman FFC DiffieHellman ECDSA TLSv1.2 KDF TLSv1.3 KDF KDF SSH FIPS_MODE_DEGRA One or more of the Any Power fipsModeId set to DED CASTS have failed CAST Cycle FIPS_MODE_DEGRA anytime following a Failure DED (2) successful power on and integrity check. Upon entering this mode the module will automatically run all CASTS prior to the operational use of any cryptographic algorithm. RSA_KEY_PAIR_E RSA Pairwise RSA- Manual RSA_KEY_PAIR_E (Consistency Test PCT self- 262) Failure test service call or © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material

Page 42

Name Description Conditi Recov Indicator ons ery Metho d power cycle ECC_PCT_E ECC Pairwise ECC- Manual ECC_PCT_E (-286) Consistency Test PCT selfFailure test service call or power cycle MP_CMP_E DH Pairwise DH-PCT Manual MP_CMP_E (-120) Consistency Test selfFailure test service call or power cycle Table 24: Error States

10.5 Operator Initiation of Self-Tests

For calling applications the following is required:

  1. Include the library configuration header wolfssl/options.h (or user_settings.h via wolfssl/wolfcrypt/settings.h) first.
  2. After including the library configuration header, include wolfssl/wolfcrypt/fips_test.h then use the API specified below to execute a given self-test. CO may initiate all CAST self-tests in one-shot. The API wc_RunAllCast_fips() is provided as a public API to applications using the module that have included the headers above in proper order. CO may initiate CAST self-tests individually using the API wc_RunCast_fips(algorithm type) with any of the below “algorithm type” inputs: • FIPS_CAST_AES_CBC • FIPS_CAST_AES_GCM • FIPS_CAST_HMAC_SHA1 • FIPS_CAST_HMAC_SHA2_256 • FIPS_CAST_HMAC_SHA2_512 • FIPS_CAST_HMAC_SHA3_256 • FIPS_CAST_DRBG • FIPS_CAST_RSA_SIGN_PKCS1v15 • FIPS_CAST_ECC_CDH • FIPS_CAST_ECC_PRIMITIVE_Z • FIPS_CAST_DH_PRIMITIVE_Z © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material – May be reproduced only in its original entirety (without revision).
Page 43

• FIPS_CAST_ECDSA • FIPS_CAST_KDF_TLS12 • FIPS_CAST_KDF_TLS13 • FIPS_CAST_KDF_SSH CO may re-run the POST at any time after power on using the public API wolfCrypt_IntegrityTest_fips(). This function always returns a value of zero regardless if the integrity check passed or failed so the CO shall then check the status of the module using the API wolfCrypt_GetStatus_fips(). The return value of the GetStatus API shall then be checked against the status indicators below: • FIPS_MODE_INIT status indicator value is

  1. This indicator means then integrity test has not completed and is likely running in another thread (multi-threaded) • FIPS_MODE_NORMAL status indicator value is
  2. This indicator means the integrity test passed and the module is in a state without errors • FIPS_MODE_FAILED status indicator value is
  3. This indicator means the integrity test failed and the module is unusable. The CO shall power cycle or reloaded (equivalent to power cycle) to restore the module.
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

The CO shall use the provided AVIAT NETWORKS FIPS 140-3 User Guide hereafter referred to as [UG]. A common name for this document is also the Cryptographic Officer Guidance Manual [COGM]. [UG] and [COGM] are one and the same for this module and include all administrative guidance. The [UG] will have a section specific to each Operational Environment [OE] that appears on the modules FIPS certificate and/or in Table 6: Tested Operational Environments - Software, Firmware, Hybrid. The instructions provided in the [UG] shall be followed or the module will never have been properly initialized and built and therefore noncompliant. To create the compliant module, as per this Security Policy, the configuration steps shall be followed.

Page 44

code into an executable format” even though the module is not claiming “open source”. The following initialization instructions apply to all use-cases for the module generically by a consuming application. [OE] specific details will be covered in the [UG].

Page 45
11.2 Administrator Guidance

The CO shall use the provided AVIAT NETWORKS FIPS 140-3 User Guide [UG].

11.3 Non-Administrator Guidance

The Module supports the Cryptographic Officer (CO) operator role and does not support nonadministrators or non-administrative roles.

11.7 Additional Information

Please defer to AVIAT NETWORKS FIPS 140-3 User Guide [UG].

12 Mitigation of Other Attacks

The module does not claim mitigation of other attacks. © 2025 AVIAT NETWORKS AVIAT NETWORKS Public Material