| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 3/10/2030 |
| Caveat | When operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys). |
| Vendor | Broadcom Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A3548 |
| AES-CBC-CS1 | A3548 |
| AES-CBC-CS2 | A3548 |
| AES-CBC-CS3 | A3548 |
| AES-CCM | A3548 |
| AES-CFB1 | A3548 |
| AES-CFB128 | A3548 |
| AES-CFB8 | A3548 |
| AES-CMAC | A3548 |
| AES-CTR | A3548 |
| AES-ECB | A3548 |
| AES-GCM | A3548 |
| AES-GMAC | A3548 |
| AES-KW | A3548 |
| AES-KWP | A3548 |
| AES-OFB | A3548 |
| AES-XTS Testing Revision 2.0 | A3548 |
| Counter DRBG | A3548 |
| DSA KeyGen (FIPS186-4) | A3548 |
| DSA PQGGen (FIPS186-4) | A3548 |
| DSA PQGVer (FIPS186-4) | A3548 |
| DSA SigGen (FIPS186-4) | A3548 |
| DSA SigVer (FIPS186-4) | A3548 |
| ECDSA KeyGen (FIPS186-4) | A3548 |
| ECDSA KeyVer (FIPS186-4) | A3548 |
| ECDSA SigGen (FIPS186-4) | A3548 |
| ECDSA SigVer (FIPS186-4) | A3548 |
| Hash DRBG | A3548 |
| HMAC DRBG | A3548 |
| HMAC-SHA-1 | A3548 |
| HMAC-SHA2-224 | A3548 |
| HMAC-SHA2-256 | A3548 |
| HMAC-SHA2-384 | A3548 |
| HMAC-SHA2-512 | A3548 |
| HMAC-SHA2- 512/224 | A3548 |
| HMAC-SHA2- 512/256 | A3548 |
| HMAC-SHA3-224 | A3548 |
| HMAC-SHA3-256 | A3548 |
| HMAC-SHA3-384 | A3548 |
| HMAC-SHA3-512 | A3548 |
| KAS-ECC CDH- Component SP800-56Ar3 (CVL) | A3548 |
| KAS-ECC-SSC Sp800-56Ar3 | A3548 |
| KAS-FFC-SSC Sp800-56Ar3 | A3548 |
| KAS-IFC-SSC | A3548 |
| KDA HKDF SP800-56Cr2 | A3548 |
| KDA OneStep SP800-56Cr2 | A3548 |
| KDA TwoStep SP800-56Cr2 | A3548 |
| KDF ANS 9.42 (CVL) | A3548 |
| KDF ANS 9.63 (CVL) | A3548 |
| KDF KMAC Sp800-108r1 | A3548 |
| KDF SP800-108 | A3548 |
| KDF SSH (CVL) | A3548 |
| KTS-IFC | A3548 |
| PBKDF | A3548 |
| RSA KeyGen (FIPS186-4) | A3548 |
| RSA SigGen (FIPS186-4) | A3548 |
| RSA Signature Primitive (CVL) | A3548 |
| RSA SigVer (FIPS186-4) | A3548 |
| SHA-1 | A3548 |
| SHA2-224 | A3548 |
| SHA2-256 | A3548 |
| SHA2-384 | A3548 |
| SHA2-512 | A3548 |
| SHA2-512/224 | A3548 |
| SHA2-512/256 | A3548 |
| SHA3-224 | A3548 |
| SHA3-256 | A3548 |
| SHA3-384 | A3548 |
| SHA3-512 | A3548 |
| SHAKE-128 | A3548 |
| SHAKE-256 | A3548 |
| TLS v1.2 KDF RFC7627 (CVL) | A3548 |
| TLS v1.3 KDF (CVL) | A3548 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Cryptographic Module Interfaces | 3 |
| Roles, Services, and Authentication | 4 |
| Software/Firmware Security | 5 |
| Operational Environment | 6 |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
| Mitigation of Other Attacks | 1 |
flowchart LR
%% Deterministic review-risk graph for VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Symmetric Encryption and Decryption<br/>Perform self- tests (All)<br/>Core (all except Teardown) (Show Status, Show…</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IPSEC</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C3,C5,C6 clue;
class I3,I5,I6 infer;
class R3,R5,R6 risk;
class E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Symmetric Encryption and Decryption<br/>Perform self- tests (All)<br/>Core (all except Teardown) (Show Status, Show…</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IPSEC</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C3 clueHigh;
class C5,C6 clueLow;Broadcom Inc. VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider Document Version 1.0 September 2025 Prepared by: www.lightshipsec.com
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider Table of Contents Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider List of Tables List of Figures Figure 1: VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider Block Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic module specification | 1 |
| 3 | 3 | Cryptographic module interfaces | 1 |
| 4 | 4 | Roles, services, and authentication | 1 |
| 5 | 5 | Software/Firmware security | 1 |
| 6 | 6 | Operational environment | 1 |
| 7 | 7 | Physical security | N/A |
| 8 | 8 | Non-invasive security | N/A |
| 9 | 9 | Sensitive security parameter management | 1 |
| 10 | 10 | Self-tests | 1 |
| 11 | 11 | Life-cycle assurance | 3 |
| 12 | 12 | Mitigation of other attacks | 1 |
| Overall Level | Overall Level | 1 |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider
Introduction Federal Information Processing Standards Publication 140-3
The Module meets FIPS 140-3 overall Level 1 requirements, with security levels as follows: Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider Table 1: Security Levels N/A N/A
In accordance with AS02.05, [ISO19790] §7.7 Physical Security is optional and does not apply to the Module. In accordance with current CMVP policy, [ISO19790] §7.8 Non-Invasive Security is not applicable. Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider
Purpose and Use: The Module is a cryptographic software library providing a C-language application program interface (API) for use by applications that require cryptographic functionality and is designated as a software module with a multi-chip standalone embodiment based on the descriptions of [ISO19790] AS02.03. The Module is intended for use by US and Canadian Federal agencies and other markets that require FIPS 140-3 validated cryptographic functionality. The Module’s formal name and version are “VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider” and “3.1.2”, respectively. The Module design corresponds to the Module security rules. Security rules enforced by the Module are described in the appropriate context of this document. Module Type: Software Module Embodiment: MultiChipStand Cryptographic Boundary: Figure 1 depicts the Module operational environment, with the cryptographic boundary highlighted in red inclusive of all Module entry points (API calls). The Module is defined as a Software module per [ISO19790] AS02.03. The cryptographic boundary of the Module is the FIPS Provider, a dynamically loadable library. The Module performs no communication other than with the calling application via APIs that invoke the Module. The pre-operational approved integrity test is performed over all components within the cryptographic boundary. Tested Operational Environment’s Physical Perimeter (TOEPP): The Tested Operational Environment’s Physical Perimeter (TOEPP) is the General Purpose Computer. Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
| Name | Firmware Version | Features | Package | Integrity Test |
|---|---|---|---|---|
| fips.so | 3.1.2 | fips.so for Unix/Linux platforms | fips.so | HMAC-SHA2-256 |
| fips.dll | 3.1.2 | fips.dll for Windows platforms | fips.dll | HMAC-SHA2-256 |
| fips.dylib | 3.1.2 | fips.dylib for Mac platforms | fips.dylib | HMAC-SHA2-256 |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider Figure 1: VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider Block Diagram
Tested Module Identification
| Name | Operating System | Hardware Platform | Software Version | Processor | Paa Pai | Hypervisor |
|---|---|---|---|---|---|---|
| Ubuntu Linux 22.04.1 Server | Ubuntu Linux 22.04.1 Server | Dell Inspiron 7573 | 3.1.2 | Intel i7- 8550U | No | N/A |
| Ubuntu Linux 22.04.1 Server | Ubuntu Linux 22.04.1 Server | Dell Inspiron 7573 | 3.1.2 | Intel i7- 8550U | Yes | N/A |
| Debian 11.5 | Debian 11.5 | Dell Inspiron 7573 | 3.1.2 | Intel i7- 8550U | No | N/A |
| Debian 11.5 | Debian 11.5 | Dell Inspiron 7573 | 3.1.2 | Intel i7- 8550U | Yes | N/A |
| FreeBSD 13.1 | FreeBSD 13.1 | Dell Inspiron 7591 2 in 1 | 3.1.2 | Intel i7- 10510U | No | N/A |
| FreeBSD 13.1 | FreeBSD 13.1 | Dell Inspiron 7591 2 in 1 | 3.1.2 | Intel i7- 10510U | Yes | N/A |
| Windows 10 Pro | Windows 10 Pro | Dell Inspiron 7591 2 in 1 | 3.1.2 | Intel i7- 10510U | No | N/A |
| Windows 10 Pro | Windows 10 Pro | Dell Inspiron 7591 2 in 1 | 3.1.2 | Intel i7- 10510U | Yes | N/A |
| macOS 11.5.2 | macOS 11.5.2 | Apple M1 Mac Mini | 3.1.2 | M1 | No | N/A |
| macOS 11.5.2 | macOS 11.5.2 | Apple M1 Mac Mini | 3.1.2 | M1 | Yes | N/A |
| macOS 11.5.2 | macOS 11.5.2 | Apple i7 Mac Mini | 3.1.2 | Intel i7 | No | N/A |
| macOS 11.5.2 | macOS 11.5.2 | Apple i7 Mac Mini | 3.1.2 | Intel i7 | Yes | N/A |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider Intel i78550U Intel i78550U Intel i78550U Intel i78550U Intel i710510U Intel i710510U Intel i710510U Intel i710510U N/A 3.1.2 N/A 3.1.2 N/A 3.1.2 N/A 3.1.2 N/A 3.1.2 N/A 3.1.2 N/A 3.1.2 N/A 3.1.2 N/A 3.1.2 N/A 3.1.2 N/A 3.1.2 N/A 3.1.2 Table 3: Tested Operational Environments - Software, Firmware, Hybrid Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid: No operational environments are vendor affirmed.
No components are excluded from [FIPS140-3] requirements.
Modes List and Description: Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
| Name | Description | Indicator | Type |
|---|---|---|---|
| Non- Approved mode | The module is in the Approved mode of operation by default. Use of the non-Approved Algorithms Not Allowed in the Approved Mode will place the module in the non-approved mode of operation. | fips=no | Non- Approved |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider NonApproved NonApproved Table 4: Modes List and Description
| Name | CAVP Cert | Properties | Reference |
|---|---|---|---|
| AES-CBC | A3548 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CBC-CS1 | A3548 | Direction - decrypt, encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CBC-CS2 | A3548 | Direction - decrypt, encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CBC-CS3 | A3548 | Direction - decrypt, encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CCM | A3548 | Key Length - 128, 192, 256 | SP 800-38C |
| AES-CFB1 | A3548 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CFB128 | A3548 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CFB8 | A3548 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-CMAC | A3548 | Direction - Generation, Verification Key Length - 128, 192, 256 | SP 800-38B |
| AES-CTR | A3548 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-ECB | A3548 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-GCM | A3548 | Direction - Decrypt, Encrypt IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 | SP 800-38D |
| AES-GMAC | A3548 | Direction - Decrypt, Encrypt IV Generation - External, Internal IV Generation Mode - 8.2.1 Key Length - 128, 192, 256 | SP 800-38D |
| AES-KW | A3548 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38F |
| AES-KWP | A3548 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38F |
| AES-OFB | A3548 | Direction - Decrypt, Encrypt Key Length - 128, 192, 256 | SP 800-38A |
| AES-XTS Testing Revision 2.0 | A3548 | Direction - Decrypt, Encrypt Key Length - 128, 256 | SP 800-38E |
| Counter DRBG | A3548 | Prediction Resistance - Yes Mode - AES-128, AES-192, AES-256 Derivation Function Enabled - No, Yes | SP 800-90A Rev. 1 |
| DSA KeyGen (FIPS186-4) | A3548 | L - 2048, 3072 N - 224, 256 | FIPS 186-4 |
| DSA PQGGen (FIPS186-4) | A3548 | L - 2048, 3072 N - 224, 256 | FIPS 186-4 |
| DSA PQGVer (FIPS186-4) | A3548 | L - 1024, 2048, 3072 N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 | FIPS 186-4 |
| DSA SigGen (FIPS186-4) | A3548 | L - 2048, 3072 N - 224, 256 Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2-512/256 | FIPS 186-4 |
| DSA SigVer (FIPS186-4) | A3548 | L - 1024, 2048, 3072 N - 160, 224, 256 Hash Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 | FIPS 186-4 |
| ECDSA KeyGen (FIPS186-4) | A3548 | Curve - B-233, B-283, B-409, B-571, K-233, K- 283, K-409, K-571, P-224, P-256, P-384, P-521 Secret Generation Mode - Testing Candidates | FIPS 186-4 |
| ECDSA KeyVer (FIPS186-4) | A3548 | Curve - B-163, B-233, B-283, B-409, B-571, K- 163, K-233, K-283, K-409, K-571, P-192, P- 224, P-256, P-384, P-521 | FIPS 186-4 |
| ECDSA SigGen (FIPS186-4) | A3548 | Component - No, Yes Curve - B-233, B-283, B-409, B-571, K-233, K- 283, K-409, K-571, P-224, P-256, P-384, P-521 Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 | FIPS 186-4 |
| ECDSA SigVer (FIPS186-4) | A3548 | Component - No, Yes Curve - B-163, B-233, B-283, B-409, B-571, K- 163, K-233, K-283, K-409, K-571, P-192, P- 224, P-256, P-384, P-521 Hash Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3- 384, SHA3-512 | FIPS 186-4 |
| Hash DRBG | A3548 | Prediction Resistance - Yes Mode - SHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2- 512/256, SHA3-256, SHA3-512 | SP 800-90A Rev. 1 |
| HMAC DRBG | A3548 | Prediction Resistance - Yes Mode - SHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2- 512/256, SHA3-256, SHA3-512 | SP 800-90A Rev. 1 |
| HMAC-SHA-1 | A3548 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-224 | A3548 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-256 | A3548 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-384 | A3548 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA2-512 | A3548 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA2- 512/224 | A3548 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA2- 512/256 | A3548 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-224 | A3548 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-256 | A3548 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-384 | A3548 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| HMAC-SHA3-512 | A3548 | Key Length - Key Length: 8-524288 Increment 8 | FIPS 198-1 |
| KAS-ECC CDH- Component SP800-56Ar3 (CVL) | A3548 | Curve - B-233, B-283, B-409, B-571, K-233, K- 283, K-409, K-571, P-224, P-256, P-384, P-521 | SP 800-56A Rev. 3 |
| KAS-ECC-SSC Sp800-56Ar3 | A3548 | Domain Parameter Generation Methods - B- 233, B-283, B-409, B-571, K-233, K-283, K- 409, K-571, P-224, P-256, P-384, P-521 Scheme - ephemeralUnified - KAS Role - initiator, responder | SP 800-56A Rev. 3 |
| KAS-FFC-SSC Sp800-56Ar3 | A3548 | Domain Parameter Generation Methods - FB, FC, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP- 3072, MODP-4096, MODP-6144, MODP-8192 Scheme - dhEphem - KAS Role - initiator, responder | SP 800-56A Rev. 3 |
| KAS-IFC-SSC | A3548 | Modulo - 2048, 3072, 4096, 6144, 8192 Key Generation Methods - rsakpg1-basic, rsakpg1-crt, rsakpg1-prime-factor, rsakpg2- basic, rsakpg2-crt, rsakpg2-prime-factor Scheme - KAS1 - KAS Role - initiator, responder KAS2 - KAS Role - initiator, responder | SP 800-56A Rev. 3 |
| KDA HKDF SP800-56Cr2 | A3548 | Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: | SP 800-56C Rev. 2 |
| KDA OneStep SP800-56Cr2 | A3548 | Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-8192 Increment 8 | SP 800-56C Rev. 2 |
| KDA TwoStep SP800-56Cr2 | A3548 | MAC Salting Methods - default, random KDF Mode - feedback Derived Key Length - 2048 Shared Secret Length - Shared Secret Length: 224-8192 Increment 8 | SP 800-56C Rev. 2 |
| KDF ANS 9.42 (CVL) | A3548 | KDF Type - DER Hash Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3- 384, SHA3-512 Key Data Length - Key Data Length: 8-4096 Increment 8 | SP 800-135 Rev. 1 |
| KDF ANS 9.63 (CVL) | A3548 | Hash Algorithm - SHA2-224, SHA2-256, SHA2- 384, SHA2-512 Key Data Length - Key Data Length: 128, 4096 | SP 800-135 Rev. 1 |
| KDF KMAC Sp800-108r1 | A3548 | Derived Key Length - Derived Key Length: 112- 4096 Increment 8 | SP 800-108 Rev. 1 |
| KDF SP800-108 | A3548 | KDF Mode - Counter, Feedback Supported Lengths - Supported Lengths: 8, 72, 128, 776, 3456, 4096 | SP 800-108 Rev. 1 |
| KDF SSH (CVL) | A3548 | Cipher - AES-128, AES-192, AES-256 Hash Algorithm - SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512 | SP 800-135 Rev. 1 |
| KMAC-128 | A3548 | Message Length - Message Length: 0-65536 Increment 8 Key Data Length - Key Data Length: 128-1024 Increment 8 | SP 800-185 |
| KMAC-256 | A3548 | Message Length - Message Length: 0-65536 Increment 8 Key Data Length - Key Data Length: 128-1024 Increment 8 | SP 800-185 |
| KTS-IFC | A3548 | Modulo - 2048, 3072, 4096, 6144 Key Generation Methods - rsakpg1-basic, rsakpg1-crt, rsakpg1-prime-factor, rsakpg2- basic, rsakpg2-crt, rsakpg2-prime-factor Scheme - KTS-OAEP-basic - KAS Role - initiator, responder Key Transport Method - Key Length - 1024 | SP 800-56B Rev. 2 |
| PBKDF | A3548 | Iteration Count - Iteration Count: 1-10000 Increment 1 Password Length - Password Length: 8-128 Increment 8 | SP 800-132 |
| RSA KeyGen (FIPS186-4) | A3548 | Key Generation Mode - B.3.3, B.3.6 Modulo - 2048, 3072, 4096 Primality Tests - Table C.2, Table C.3 Private Key Format - Standard | FIPS 186-4 |
| RSA SigGen (FIPS186-4) | A3548 | Signature Type - ANSI X9.31, PKCS 1.5, PKCSPSS Modulo - 2048, 3072, 4096 | FIPS 186-4 |
| RSA Signature Primitive (CVL) | A3548 | Private Key Format - CRT | FIPS 186-4 |
| RSA SigVer (FIPS186-4) | A3548 | Signature Type - ANSI X9.31, PKCS 1.5, PKCSPSS Modulo - 1024, 2048, 3072, 4096 | FIPS 186-4 |
| Safe Primes Key Generation | A3548 | Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 | SP 800-56A Rev. 3 |
| Safe Primes Key Verification | A3548 | Safe Prime Groups - ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP-2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192 | SP 800-56A Rev. 3 |
| SHA-1 | A3548 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 180-4 |
| SHA2-224 | A3548 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 180-4 |
| SHA2-256 | A3548 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 180-4 |
| SHA2-384 | A3548 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 180-4 |
| SHA2-512 | A3548 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 180-4 |
| SHA2-512/224 | A3548 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 180-4 |
| SHA2-512/256 | A3548 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 180-4 |
| SHA3-224 | A3548 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 202 |
| SHA3-256 | A3548 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 202 |
| SHA3-384 | A3548 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 202 |
| SHA3-512 | A3548 | Message Length - Message Length: 0-65536 Increment 8 Large Message Sizes - 1, 2, 4, 8 | FIPS 202 |
| SHAKE-128 | A3548 | Output Length - Output Length: 16-65536 Increment 8 | FIPS 202 |
| SHAKE-256 | A3548 | Output Length - Output Length: 16-65536 Increment 8 | FIPS 202 |
| TLS v1.2 KDF RFC7627 (CVL) | A3548 | Hash Algorithm - SHA2-256, SHA2-384, SHA2- 512 | SP 800-135 Rev. 1 |
| TLS v1.3 KDF (CVL) | A3548 | HMAC Algorithm - SHA2-256, SHA2-384 KDF Running Modes - DHE, PSK, PSK-DHE | SP 800-135 Rev. 1 |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider
Approved Algorithms: Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
| Name | Properties | ||
|---|---|---|---|
| DSA PQGGen [FIPS 186- 4] | Key Size, Key Strength:L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) Mode/Method:PQGGen using SHA3 | OpenSSL Project OpenSSL 3.x FIPS Provider | Vendor affirmed per IG C.C and IG C.B Resolution (bullet point #3) |
| DSA PQGVer [FIPS 186- 4] | Key Size, Key Strength:L = 1024/N = 160 (s < 112) L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) Mode/Method:PQGVer using SHA3 | OpenSSL Project OpenSSL 3.x FIPS Provider | Vendor affirmed per IG C.C and IG C.B Resolution (bullet point #3) |
| DSA SigGen [FIPS 186- 4] | Key Size, Key Strength:L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) Mode/Method:SigGen using SHA3 | OpenSSL Project OpenSSL 3.x FIPS Provider | Vendor affirmed per IG C.C and IG C.B Resolution (bullet point #3) |
| DSA SigVer [FIPS186- 4] | Key Size, Key Strength:L = 1024/N = 160 (s < 112) L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) | OpenSSL Project OpenSSL 3.x FIPS Provider | Vendor affirmed per IG C.C and IG C.B Resolution (bullet point #3) |
| CKG - Section 4 and 5.1 | Key Type :Asymmetric | N/A | NIST SP800-133r2 Section 4: Using the Output of a Random Bit Generator; Section 5.1: Key Pairs for Digital Signature Schemes |
| CKG - Section 4 and 5.2 | Key Type:Asymmetric | N/A | NIST SP800-133r2 Section 4: Using the Output of a Random Bit Generator; Section 5.2: Key Pairs for Key Establishment |
| CKG - Section 4 and Section 6.1 | Key Type:Symmetric | N/A | NIST SP800-133r2 Section 4: Using the Output of a Random Bit Generator; Section 6.1: Direct Generation of Symmetric Keys |
| CKG - Section 6.2 | Key Type:Symmetric | N/A | NIST SP 800-133r2 Section 6.2: Derivation of Symmetric keys |
| CKG - Section 6.3 | Key Type:Symmetric | N/A | NIST SP 800-133rev2, Section 6.3: Symmetric Keys Produced by Combining Multiple Keys and Other Data |
| CKG – Section 4 | Key Type:Symmetric | N/A | NIST SP800-133r2 Section 4: Using the Output of a Random Bit Random bits returned to the calling application |
| AES | AES (Any non-authenticated mode), (Cert.#A3548):Symmetric key unwrapping | OpenSSL Project OpenSSL 3.x FIPS Provider | Per IG D.G Additional Comment 5 |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider Table 5: Approved Algorithms The Module implements the Approved cryptographic functions listed in Table 5. 4] 4] 4] 4] #3) #3) #3) #3) Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider N/A N/A 6.1 N/A N/A N/A N/A Table 6: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: Table 7: Non-Approved, Allowed Algorithms Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
| Name | Description | Approved Functions | Type | Properties |
|---|---|---|---|---|
| Triple-DES | Provides 3-Key ECB and CBC mode, but indicated as fips=no, Encryption, Decryption | |||
| Ed448 | SHAKE256, Ed448 provides 224 bits of security, Digital Signature Generation | |||
| Ed25519 | SHA2-512, Ed25519 provides 128 bits of security, Digital Signature Generation | |||
| X448 | Provides 224 bits of security, Key Agreement | |||
| X25519 | Provides 128 bits of security, Key Agreement | |||
| ECDSA SigVer Component | Provides between 80 and 256 bits for security, Curves: B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P- 224, P-256, P-384, P-521, Digital Signature Verification | |||
| FIPS 186-2 RSA SigGen/SigVer | Provides >= 80 bits of security, RSA signature generation/verification per FIPS 186-2 | |||
| FIPS 186-2 RSA KeyGen | Provides >= 112 bits of security, RSA key generation per FIPS 186-2 | |||
| X942KDF- CONCAT | Usage of X942KDF-CONCAT with PRF SHA-1, SHA2-512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, KECCAK-KMAC128 and KECCAK-KMAC256 | |||
| X963KDF | Usage of X963KDF with PRF SHA-1, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, KECCAK-KMAC128 and KECCAK-KMAC256 | |||
| HKDF | Provides < 112 bits of security, Usage of HKDF with key length less than 112 bits | |||
| OneStep KDF | Usage of OneStep KDF with PRF SHAKE128, SHAKE256 | |||
| HMAC | Provides < 112 bits of security, Usage of HMAC with key length less than 112 bits for MAC generation | |||
| Hash and HMAC DRBG | Usage of Hash and HMAC DRBGs with PRFs SHA2-224, SHA2-384, SHA2-512/224 and SHA2-512/256 | |||
| Symmetric Encryption and Decryption | Symmetric Encryption and Decryption | AES-CBC AES-CBC- CS1 AES-CBC- CS2 AES-CBC- CS3 AES-CCM AES-CFB1 AES-CFB128 AES-CFB8 AES-CMAC | BC-Auth BC-UnAuth | Key Length:128, 192 and 256 bits Key Length (XTS):128 and 256 bits |
| Name | Description | Approved Functions | Type | Properties |
|---|---|---|---|---|
| Triple-DES | Provides 3-Key ECB and CBC mode, but indicated as fips=no, Encryption, Decryption | |||
| Ed448 | SHAKE256, Ed448 provides 224 bits of security, Digital Signature Generation | |||
| Ed25519 | SHA2-512, Ed25519 provides 128 bits of security, Digital Signature Generation | |||
| X448 | Provides 224 bits of security, Key Agreement | |||
| X25519 | Provides 128 bits of security, Key Agreement | |||
| ECDSA SigVer Component | Provides between 80 and 256 bits for security, Curves: B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P- 224, P-256, P-384, P-521, Digital Signature Verification | |||
| FIPS 186-2 RSA SigGen/SigVer | Provides >= 80 bits of security, RSA signature generation/verification per FIPS 186-2 | |||
| FIPS 186-2 RSA KeyGen | Provides >= 112 bits of security, RSA key generation per FIPS 186-2 | |||
| X942KDF- CONCAT | Usage of X942KDF-CONCAT with PRF SHA-1, SHA2-512/224, SHA2- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, KECCAK-KMAC128 and KECCAK-KMAC256 | |||
| X963KDF | Usage of X963KDF with PRF SHA-1, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, KECCAK-KMAC128 and KECCAK-KMAC256 | |||
| HKDF | Provides < 112 bits of security, Usage of HKDF with key length less than 112 bits | |||
| OneStep KDF | Usage of OneStep KDF with PRF SHAKE128, SHAKE256 | |||
| HMAC | Provides < 112 bits of security, Usage of HMAC with key length less than 112 bits for MAC generation | |||
| Hash and HMAC DRBG | Usage of Hash and HMAC DRBGs with PRFs SHA2-224, SHA2-384, SHA2-512/224 and SHA2-512/256 | |||
| Symmetric Encryption and Decryption | Symmetric Encryption and Decryption | AES-CBC AES-CBC- CS1 AES-CBC- CS2 AES-CBC- CS3 AES-CCM AES-CFB1 AES-CFB128 AES-CFB8 AES-CMAC | BC-Auth BC-UnAuth | Key Length:128, 192 and 256 bits Key Length (XTS):128 and 256 bits |
| Message Digest | Message Digest | SHA-1 SHA2-224 SHA2-256 SHA2-384 SHA2-512 SHA2-512/224 SHA3-224 SHA3-256 SHA3-384 SHA3-512 SHAKE-128 SHAKE-256 SHA2-512/256 | SHA | SHA-1 :(s = 160) Large Message Sizes: 1, 2, 4, 8gigabytes SHA2:SHA2-224 (s = 224), SHA2-256 (s = 256), SHA2-384 (s = 384), SHA2-512 (s = 512), SHA2-512/224 (s = 224), SHA2- 512/256 (s = 256). Large Message Sizes: 1, 2, 4, 8gigabytes SHA3:SHA3-224 (s = 224), SHA3-256 (s = 256), SHA3-384 (s = 384), SHA3-512 (s = 512). See Note 1. Large Message Sizes: 1, 2, 4, 8gigabytes SHAKE:SHAKE-128 (s = 128), SHAKE- 256 (s = 256). See Note 1. |
| Keyed Hash | Keyed Hash | HMAC-SHA-1 HMAC-SHA2- 224 HMAC-SHA2- 256 HMAC-SHA2- 384 HMAC-SHA2- 512 HMAC-SHA2- 512/224 HMAC-SHA2- 512/256 HMAC-SHA3- 224 HMAC-SHA3- | BC-Auth MAC | HMAC-SHA-1 [FIPS198-1]:SHA-1 (s = 160) HMAC-SHA2 [FIPS198-1]:SHA2- 224 (s = 224), SHA2- 256 (s = 256), SHA2- 384 (s = 384), SHA2- 512 (s = 512), SHA2- 512/224 (s = 224), SHA2-512/256 (s = 256) HMAC-SHA3 [FIPS198-1]:SHA3- 224 (s = 224), SHA3- 256 (s = 256), SHA3- |
| 384 (s = 384), SHA3- 512 (s = 512) KMAC:KMAC-128 (112 ≤ s ≤ 128), KMAC-256 (112 ≤ s ≤ 256). See Note 8. | 256 HMAC-SHA3- 384 HMAC-SHA3- 512 AES-CMAC KMAC-128 KMAC-256 AES-GMAC | 384 (s = 384), SHA3- 512 (s = 512) KMAC:KMAC-128 (112 ≤ s ≤ 128), KMAC-256 (112 ≤ s ≤ 256). See Note 8. | ||
| RSA Digital Signature Generation and Verification | RSA Digital Signature Generation and Verification | RSA SigGen (FIPS186-4) RSA SigVer (FIPS186-4) | DigSig- SigGen DigSig-SigVer | Signature type: ANSI X9.31 tested with the listed moduli and the following hash algorithms: SHA2- 256, SHA2-384, SHA2-512:k=2048 (s ~= 112), k=3072 (s ~= 128), k=4096 (s ~= 152) Signature type: PKCS 1.5 tested with the listed moduli and the following hash algorithms: SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2- 512/224, SHA2- 512/256:k=2048 (s ~= 112), k=3072 (s ~= 128), k=4096 (s ~= 152) Signature type: PKCSPSS tested with the listed moduli and the following hash algorithms: SHA2- 224, SHA2- 256, SHA2-384, SHA2- 512, SHA2- 512/224, SHA2- 512/256:k=2048 (s ~= 112), k=3072 (s ~= 128), k=4096 (s ~= 152) Signature type: ANSI X9.31 tested with the listed moduli and the following hash algorithms: SHA-1*, |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider The module does not support any Non-Approved Algorithms Allowed in the Approved Mode of Operation Non-Approved, Not Allowed Algorithms: Table 8: Non-Approved, Not Allowed Algorithms Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision. AES-CBCCS1 AES-CBCCS2 AES-CBCCS3
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider [FIPS198-1]:SHA2224 (s = 224), SHA2256 (s = 256), SHA2384 (s = 384), SHA2512 (s = 512), SHA2512/224 (s = 224), Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision. HMAC-SHA2224 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2512 HMAC-SHA3224
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider DigSigSigGen Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision. HMAC-SHA3384 HMAC-SHA3512
| Name | Description | Csps Accessed | Approved Functions | Type |
|---|---|---|---|---|
| ECDSA Signature Generation and Signature Verification | ECDSA Signature Generation and Signature Verification | SigGen (includes SigGen Component) (tested with SHA2- 224, SHA2-256, SHA2-384, SHA2- 512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3- 256, SHA3-384, SHA3-512):B-233, K- 233, P-224 (s ~= 112); B-283, K-283, P-256 (s ~= 128); B- | ECDSA SigGen (FIPS186-4) ECDSA SigVer (FIPS186-4) | DigSig- SigGen DigSig-SigVer |
| DSA Digital Signature Generation and Verification | DSA Digital Signature Generation and Verification | SigGen (tested with SHA2-224, SHA2- 256, SHA2-384, SHA2-512, SHA2- 512/224, SHA2- 512/256); SigGen using SHA3; no ACVP testing is available:L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) SigVer (tested with SHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2-512/224, SHA2-512/256); SigVer using SHA3; no ACVP testing is available:L = 1024/N = 160 (s < 112) L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) | DSA SigGen (FIPS186-4) DSA SigVer (FIPS186-4) DSA SigGen [FIPS 186-4] Key Size, Key Strength: L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) Mode/Method: SigGen using SHA3 DSA SigVer [FIPS186-4] Key Size, Key Strength: L = 1024/N = 160 (s < 112) L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) | DigSig- SigGen DigSig-SigVer |
| RSA Signature Primitive | Signature primitive | Private Key format:CRT Public Exponent Mode:Fixed : k = 2048 | RSA Signature Primitive | DigSig- SigGen |
| Asymmetric Key Pair Generation | Generation of asymmetric key pairs | RSA KeyGen:k=2048 (s ~= 112), k=3072 (s ~= 128), k=4096 (s ~= 152) DSA KeyGen:L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) ECDSA KeyGen: Secret Generation Mode: Testing Candidates:B-233, K- 233, P-224 (s ~= 112); B-283, K-283, P-256 (s ~= 128); B- 409, K-409, P-384 (s ~= 192); B-571, K- 571, P-521 (s ~= 256) Safe Primes Key Generation, Safe Primes Key Verification:ffdhe2048 (s = 112), ffdhe3072 (112 ≤ s ≤ 128), ffdhe4096 (112 ≤ s ≤ 152), ffdhe6144 (112 ≤ s ≤ 176), ffdhe8192 (112 ≤ s ≤ 200), MODP-2048 (s = 112), MODP-3072 (112 ≤ s ≤ 128), MODP-4096 (112 ≤ s ≤ 152), MODP-6144 (112 ≤ s ≤ 176), MODP-8192 (112 ≤ s ≤ 200) ECDSA KeyVer:B- 163, K-163, P-192 (s < 112); B-233, K-233, | RSA KeyGen (FIPS186-4) DSA KeyGen (FIPS186-4) ECDSA KeyGen (FIPS186-4) Safe Primes Key Generation ECDSA KeyVer (FIPS186-4) Safe Primes Key Verification CKG - Section 4 and 5.1 Key Type : Asymmetric CKG - Section 4 and 5.2 Key Type: Asymmetric DSA PQGGen (FIPS186-4) DSA PQGVer (FIPS186-4) DSA PQGGen [FIPS 186-4] Key Size, Key Strength: L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) Mode/Method: PQGGen using SHA3 DSA PQGVer | AsymKeyPair- KeyGen AsymKeyPair- KeyVer |
| P-224 (s ~= 112); B- 283, K-283, P-256 (s ~= 128); B-409, K- 409, P-384 (s ~= 192); B-571, K-571, P-521 (s ~= 256) DSA PQGGen (FIPS186-4), DSA PQGGen [FIPS 186- 4] (VA):L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) DSA PQGVer (FIPS186-4), DSA PQGVer [FIPS 186-4] (VA):L = 1024/N = 160 (s < 112) L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) | P-224 (s ~= 112); B- 283, K-283, P-256 (s ~= 128); B-409, K- 409, P-384 (s ~= 192); B-571, K-571, P-521 (s ~= 256) DSA PQGGen (FIPS186-4), DSA PQGGen [FIPS 186- 4] (VA):L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) DSA PQGVer (FIPS186-4), DSA PQGVer [FIPS 186-4] (VA):L = 1024/N = 160 (s < 112) L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) | [FIPS 186-4] Key Size, Key Strength: L = 1024/N = 160 (s < 112) L = 2048/N = 224 (s = 112), L = 2048/N = 256 (s = 112) L = 3072/N = 256 (s = 128) Mode/Method: PQGVer using SHA3 | ||
| Random Number Generation | Random Number Generation - Hash_DRBG, CTR_DRBG and HMAC_DRBG | Counter DRBG [SP800-90Ar1]:AES- 128 (s = 128), AES- 192 (s = 192), AES- 256 (s = 256) Hash DRBG [SP800- 90Ar1]:SHA-1 (s = 160), SHA2-256 (s = 256), SHA2-512 (s = 512) SHA3-256 (s = 256), SHA3-512 (s = 512) HMAC DRBG [SP800-90Ar1]:SHA- 1 (s = 160), SHA2- 256 (s = 256), SHA2- 512 (s = 512) SHA3- 256 (s = 256), SHA3- 512 (s = 512) | Counter DRBG Hash DRBG HMAC DRBG CKG – Section 4 Key Type: Symmetric | DRBG |
| Key Derivation | Derive Keying Material | KDA HKDF:SHA-1 (s = 160), SHA2-224 (s = 224), SHA2-256 (s = 256), SHA2-384 (s = 384), SHA2-512 (s = 512), SHA2- 512/224 (s = 224), | KDA HKDF SP800-56Cr2 KDA OneStep SP800-56Cr2 KDA TwoStep SP800-56Cr2 KDF ANS 9.42 | KBKDF PBKDF |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider DigSigSigGen Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider DigSigSigGen Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider DigSigSigGen AsymKeyPairKeyGen AsymKeyPairKeyVer Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider [SP800-90Ar1]:SHA1 (s = 160), SHA2256 (s = 256), SHA2512 (s = 512) SHA3256 (s = 256), SHA3512 (s = 512) Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
| Name | Description | Approved Functions |
|---|---|---|
| SHA2-512/256 (s = 256), SHA3-224 (s = 224), SHA3-256 (s = 256), SHA3-384 (s = 384), SHA3-512 (s = 512) KDA OneStep:SHA-1 (s = 160), SHA2-224 (s = 224), SHA2-256 (s = 256), SHA2-384 (s = 384), SHA2-512 (s = 512), SHA2- 512/224 (s = 224), SHA2-512/256 (s = 256), SHA3-224 (s = 224), SHA3-256 (s = 256), SHA3-384 (s = 384), SHA3-512 (s = 512); HMAC-SHA-1 (s = 160), HMAC- SHA2-224 (s = 224), HMAC-SHA2-256 (s = 256), HMAC-SHA2- 384 (s = 384), HMAC-SHA2-512 (s = 512), HMAC-SHA2- 512/224 (s = 224), HMAC-SHA2- 512/256 (s = 256), HMAC-SHA3-224 (s = 224), HMAC-SHA3- 256 (s = 256), HMAC-SHA3-384 (s = 384), HMAC-SHA3- 512 (s = 512); KMAC-128 (112 ≤ s ≤ 128), KMAC-256 (112 ≤ s ≤ 256) KDA TwoStep [SP800- 56Cr2]:HMAC-SHA-1 (s = 160), HMAC- SHA2-224 (s = 224), HMAC-SHA2-256 (s = 256), HMAC-SHA2- 384 (s = 384), HMAC-SHA2-512 (s = 512), HMAC-SHA2- 512/224 (s = 224), HMAC-SHA2- | SHA2-512/256 (s = 256), SHA3-224 (s = 224), SHA3-256 (s = 256), SHA3-384 (s = 384), SHA3-512 (s = 512) KDA OneStep:SHA-1 (s = 160), SHA2-224 (s = 224), SHA2-256 (s = 256), SHA2-384 (s = 384), SHA2-512 (s = 512), SHA2- 512/224 (s = 224), SHA2-512/256 (s = 256), SHA3-224 (s = 224), SHA3-256 (s = 256), SHA3-384 (s = 384), SHA3-512 (s = 512); HMAC-SHA-1 (s = 160), HMAC- SHA2-224 (s = 224), HMAC-SHA2-256 (s = 256), HMAC-SHA2- 384 (s = 384), HMAC-SHA2-512 (s = 512), HMAC-SHA2- 512/224 (s = 224), HMAC-SHA2- 512/256 (s = 256), HMAC-SHA3-224 (s = 224), HMAC-SHA3- 256 (s = 256), HMAC-SHA3-384 (s = 384), HMAC-SHA3- 512 (s = 512); KMAC-128 (112 ≤ s ≤ 128), KMAC-256 (112 ≤ s ≤ 256) KDA TwoStep [SP800- 56Cr2]:HMAC-SHA-1 (s = 160), HMAC- SHA2-224 (s = 224), HMAC-SHA2-256 (s = 256), HMAC-SHA2- 384 (s = 384), HMAC-SHA2-512 (s = 512), HMAC-SHA2- 512/224 (s = 224), HMAC-SHA2- | KDF ANS 9.63 KDF KMAC Sp800-108r1 KDF SP800- 108 KDF SSH PBKDF TLS v1.2 KDF RFC7627 TLS v1.3 KDF CKG - Section 6.2 Key Type: Symmetric |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision. KDF SP800108 6.2
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider KDF [SP800108r1]:CMACAES128 (s = 128), Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
| Name | Description | Approved Functions | Type | Properties |
|---|---|---|---|---|
| KAS-1 | Scheme: EphemeralUnified, KAS Role: Initiator, Responder | SP800-56Ar3 KAS- ECC-SSC per IG D.F Scenario 2 path (1):B-233, K-233, P- 224, B-283, K-283, P- | KAS-SSC | KAS-ECC- SSC Sp800- 56Ar3 |
| KAS-2 | Scheme: dhEphem. KAS Role: Initiator, Responder | SP800-56Ar3 KAS- FFC-SSC IG D.F Scenario 2 path (1):2048, 3072, 4096, 6144, and 8192-bit key providing 112, 128, 152, 176, or 200 bits of encryption strength | KAS-SSC | KAS-FFC- SSC Sp800- 56Ar3 |
| KAS-3 | Scheme: KAS1, KAS2. KAS Role: Initiator, Responder | SP800-56Br2 KAS- IFC-SSC IG D.F Scenario 1 path (1):2048, 3072, 4096, 6144, and 8192-bit key providing 112, 128, 152, 176, or 200 bits of encryption strength | KAS-SSC | KAS-IFC-SSC |
| KTS-1 | Key Transport in compliance with [SP800- 38F] when approved using AES KW or KWP | SP 800-38F KTS (key wrapping) per IG D.G :128, 192, and 256-bit keys providing 128, 192, or 256 bits of encryption strength | KTS-Wrap | AES-KW AES-KWP |
| KTS-2 | Key Transport in compliance with [SP800- 38F] when approved AES (any mode) and approved HMAC, KMAC, GMAC or CMAC are used in combination | SP 800-38F KTS (key wrapping) per IG D.G : 128, 192, and 256-bit keys providing 128, 192, or 256 bits of encryption strength | KTS-Wrap | AES-CBC AES-CFB1 AES-CFB128 AES-CFB8 AES-CTR AES-ECB AES-OFB AES-XTS Testing Revision 2.0 AES-CBC- CS2 AES-CBC- CS3 AES-CCM AES-CMAC AES-GCM AES-GMAC |
| KTS-3 | Key Transport in compliance with [SP800- 38F] when approved using an Authenticated AES mode (AES CCM; AES GCM; AES GMAC; AES CMAC) | SP 800-38F KTS (key wrapping) per IG D.G : 128, 192, and 256-bit keys providing 128, 192, or 256 bits of encryption strength | KTS-Wrap | AES-CCM AES-CMAC AES-GCM AES-GMAC |
| KTS-4 | Key Transport; Scheme: KTS- OAEP-basic (no key confirmation): RSA-OAEP, Key Encapsulation, Key Unencapsulation Key Generation Methods: rsakpg1-basic, rsakpg1-crt, rsakpg1-prime- | SP 800-56Brev2 KTS-IFC (key encapsulation and un-encapsulation) per IG D.G:2048, 3072, 4096, and 6144-bit key providing 112, 128, 152, or 176 bits of encryption strength | KTS-Encap | KTS-IFC |
| KAS ECC CDH Component | KAS-ECC-SSC primitive | Curves:B-233, K-233, P-224 (s ~= 112); B- 283, K-283, P-256 (s ~= 128); B-409, K- 409, P-384 (s ~= 192); B-571, K-571, P-521 (s ~= 256). | KAS-SSC | KAS-ECC CDH- Component SP800-56Ar3 |
| Perform self- tests (All) | All self-tests executed by the module at boot | BC-Auth BC-UnAuth DigSig- SigGen DigSig-SigVer DRBG KAS-SSC KBKDF MAC PBKDF SHA XOF | AES-ECB AES-GCM Hash DRBG Counter DRBG HMAC DRBG DSA SigGen (FIPS186-4) DSA SigVer (FIPS186-4) ECDSA SigGen (FIPS186-4) ECDSA SigVer (FIPS186-4) RSA SigGen (FIPS186-4) RSA SigVer (FIPS186-4) HMAC-SHA2- 256 SHA-1 SHA3-256 SHA2-512 KDF ANS 9.42 KDF ANS 9.63 KAS-ECC- SSC Sp800- 56Ar3 KAS-FFC- SSC Sp800- 56Ar3 KAS-IFC-SSC KDA OneStep SP800-56Cr2 KDA TwoStep SP800-56Cr2 KDF SSH | |
| Cryptographic Key Generation (CKG) | Direct generation of symmetric keys per NIST SP 800- 133r2 | CKG | CKG - Section 4 and Section 6.1 | |
| Software Integrity Test | HMAC-SHA2-256 used to perform the software integrity test | Key size: 256 bits | MAC | HMAC-SHA2- 256 |
| Cryptographic Key Generation (CKG) - AES XTS | AES XTS Key generated to comply with the approved key generation guidelines of NIST SP 800-133rev2, Section 6.3, Symmetric Keys Produced by Combining Multiple Keys and Other Data | Key size:128, 256 bits | CKG | CKG - Section 6.3 |
| KTS-5 | Key Unwrapping using any non- authenticated AES mode | KTS (key unwrapping) per IG D.G:128, 192, and 256-bit keys providing 128, 192, or 256 bits of decryption strength | KTS-Unwrap | AES-CBC AES-CFB1 AES-CFB128 AES-CFB8 AES-CTR AES-ECB AES-OFB AES-CBC- CS1 AES-CBC- CS2 AES-CBC- CS3 |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider (1):B-233, K-233, PResponder Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision. KAS-ECCSSC Sp80056Ar3
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision. KAS-FFCSSC Sp80056Ar3 AES-CBCCS2 AES-CBCCS3
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider HMAC-SHA2224 HMAC-SHA2256 HMAC-SHA2384 HMAC-SHA2512 HMAC-SHA3224 HMAC-SHA3256 HMAC-SHA3384 HMAC-SHA3512 AES-CBCCS1 Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider DigSigSigGen rsakpg2- primefactor CDHComponent Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision. HMAC-SHA2256 KAS-ECCSSC Sp80056Ar3 KAS-FFCSSC Sp80056Ar3
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider KDF SP800108 6.1 HMAC-SHA2256 6.3 AES-CBCCS1 AES-CBCCS2 AES-CBCCS3 Table 9: Security Function Implementations Equivalent strength in bits is given for each key or algorithm type (as some algorithms do not use or produce keys). The term s is used throughout to indicate security strength, following the notation used in the majority Note 1: Preimage resistance strength applies to hash algorithms used in DRBG, KDFs. Described also in [SP800-57P1r5] Table 3. Note 2: Elliptic curve strengths are annotated as approximate (i.e., s ~=) since [SP800-186] Table 1 provides approximate security strengths. Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider Note 3: [SP800-186] (cited in [SP800-140Cr2]) and [FIPS140-3_IG] C.K indicate that the Binary (B-) and Koblitz (K-) curves are deprecated. Note 4: Approved elliptic curves for ECC key agreement are given in [SP800-56Ar3] Table
a. AES-GCM Usage AES GCM IV generation must be compliant to [FIPS140-3_IG] C.H Key/IV Pair Uniqueness Requirements from SP 800-38D Scenario 1(a), tested per option (ii) under C.H TLS/DTLS 1.2 protocol IV generation per RFC7627, Scenario 1(d) SSHv2 per RFC4252, RFC4253 and RFC5647 and Scenario 5 TLS 1.3 per RFC8446. IV constructed in compliance with a protocol shall only be used in the context of the AES-GCM mode encryptions within the protocol. The Module does not implement the TLS and SSH protocols itself, however, it provides the cryptographic functions required for implementing the protocols. AES GCM encryption is used in the context of the SSH and TLS protocol versions 1.2 and 1.3. The module provides the primitives to support the AES GCM ciphersuites from [SP800-52r1] Section 3.3.1. The module’s implementation of AES-GCM is used together with an application that runs outside the module’s cryptographic boundary. The application negotiates the protocol session’s keys and the 32-bit nonce value of the IV. When the IV exhausts the maximum number of possible values for a given session key (2^64 - 1), this results in a failure in encryption and a handshake to establish a new encryption key will be required. It is the responsibility of the user of the module, i.e., the first party, client or server, to encounter this condition, to trigger this handshake in accordance with the TLS/SSH protocol. Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider The Module also supports internal IV generation using the module’s approved DRBG. The IV is at least 96 bits in length per [SP800-38D] Section 8.2.2. Per [FIPS140-3_IG] C.H Scenario 2 and [SP800-38D], the approved DRBG generates outputs such that the (key, IV) pair collision probability is less than 2^-32. In each case, in the event that the Module power is lost and restored the user must ensure that the AES GCM encryption/decryption keys are re-distributed in accordance with IG C.H Scenario 3. The module does not support persistent storage of SSPs. The Module also supports importing of GCM IVs when an IV is not generated within the Module. In the approved mode, an IV must not be imported for encryption from outside the cryptographic boundary of the Module as this will result in a non-conformance. This is in accordance with IG 2.4.A: If the module operator (e.g., calling application) can do things outside of the module’s control/visibility that can take an otherwise approved algorithm and use it in a non-approved way (e.g., use PBKDF and/or AES XTS outside of storage applications), the corresponding module service may still be considered approved (and if so, shall have an approved indicator per AS02.24) and the Security Policy shall clarify how to use the service in an approved manner (per ISO 19790 B.2.2 on Overall security design and the rules of operation). b. PBKDF Usage The lower limit on the supported length of a password/passphrase used in key derivation is 1character. The ASCII system comprises of 94 printable characters (letters, digits, punctuation, and symbols). For a 1-character password/passphrase chosen from 94 printable ASCII characters, the total combinations are: 94^1. Thus, the probability of guessing the correct password/passphrase on a random attempt is: 1/94^1 ~0.010. The module being a software module, does not restrict the usage of a password/string used as the password and input to the PBKDF. The onus is on the calling application to provide a password of an appropriate length based on the intended security strength (and size) of the key to be derived. In accordance with NIST SP 800-132, passwords shorter than 10 characters are usually considered to be weak. There are many other properties that may render a password weak. For example, it is not advisable to use sequences of numbers or sequences of letters as passwords. Easily accessed personal information, such as the user’s name, phone number, and date of birth, should not be used directly as a password. Passphrases frequently consist solely of letters, but they make up for their lack of entropy by being much longer than passwords, typically 20 to 30 characters. Passphrases shorter than 20 characters are usually considered weak. The module complies with NIST SP 800-132 Section 5.4 Option 1 a and IG D.N. The iteration count values used range from 1 to 10000 per NIST SP 800-132 Section 5.2 whereby the iteration count shall be selected as large as possible, as long as the time required to generate the key using the entered password is acceptable for the users. Keys derived from passwords, as shown in SP 800132, may only be used in storage applications. The security strength of the derived key is at least
c. AES-XTS Usage Usage In accordance with [SP800-38E], the XTS-AES algorithm shall only be used for confidentiality on storage devices. The Module complies with [FIPS140-3_IG] C.I by explicitly checking that Key_1 ≠ Key_2 before using the keys in the XTS-AES algorithm to process data with them. The module implements CKG per NIST SP 800-133r2 Section 6.3. d. Legacy Usage Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider The module supports the following implementations for legacy use/support per NIST SP 800131Ar2:
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider The module implements SHA-1 for usage in the following (this can be vetted from the SFI Table 9 in the Security Policy): I. As a PRF in the KDFs X942 KDF-CONCAT, X963 KDF, KDA HKDF, KDA OneStep, KDF, ANS 9.42 [SP800-135r1], KDF SSH [SP800-135r1], PBKDF [SP800-132], II. As a standalone SHA-1 hash function III. As a PRF in HMAC-SHA-1 IV. As the underlying hash function for RSA SigVer, ECDSA SigVer and DSA SigVer for legacy use/support per NIST SP 800-131Ar2 as specified in the Security Policy Section 2.7 d. V. As the underlying hash function in Hash DRBG and HMAC DRBG
The Module relies on the use of a [SP800-90B] compliant entropy source outside the Module boundary. The calling application is responsible for use of an [SP800-90B] compliant entropy source with sufficient entropy based on the required security strength. Entropy is supplied to the Module via callback functions (see Section 2.4 2. c). Minimum Number of Bits of Entropy, depending on the target security strength of generated SSPs are 128, 192 or 256 bits. When using the Counter DRBG implementation without the derivation function enabled, full entropy from the entropy source is required. The following caveat applies to the module: No assurance of the minimum strength of generated SSPs (e.g., keys). N/A for this module. N/A for this module.
The module implements NIST SP 800-90Ar1 DRBGs and supports the following sections per NIST SP 800-133r2 (CKG): Sections 4, 5.1, 5.2, 6.1, 6.2 and 6.3.
Key Agreement Per IG D.F: The module supports Key Agreement Schemes per NIST SP800-56Ar3 and [FIPS140-3_IG] D.F Scenario 2 (path 1) and NIST SP 800-56Br2 and [FIPS140-3_IG] D.F Scenario 1 (path 1). The KAS-1, KAS-2, KAS-3 in the SFI Table 9 have been documented accordingly. The Approved Algorithm list includes the tested components (KAS-ECC-SSC, KAS-FFC-SSC and KAS-IFC-SSC) as individual entries. The Module obtains the [FIPS140-3_IG] D.F required key agreement assurances: [SP800-56Ar3] in accordance with Section 5.6.2. [SP800-56Br2] in accordance with Section 6.4. Per IG C.F Additional Comment 1.e: The elliptic curve used in the key agreement scheme and the associated domain parameters provide more than 112 bits of security as seen in the KAS-1 entry per Table 9. Per IG C.F Additional Comment 2: Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider The KAS-ECC-SSC and KAS-FFC-SSC implementations each support a scheme of the Diffie-Helllman variety. Per IG D.G: The module supports the Key Transport per NIST SP 800-56Br2 (RSA-OAEP) denoted by KTS-4 in the SFI Table 9. The RSA modulus sizes and key generation method have been documented in the table as well. The module can also optionally be used in the context of IETF protocols and provide key transport using any approved AES mode(s) and an approved MAC. The corresponding entries KTS-1, KTS-2, KTS-3 and KTS-5 in the SFI Table 9 have been documented accordingly. All KTS entries have been documented in accordance with Additional Comment 4 in the IG. The module also supports the following untested approved moduli for KTS-4: 6144 < nlen <=16384, where nlen denotes the modulus. Per IG D.A and IG D.B: The strengths of the established key have been documented in accordance with IG D.A Additional Comment 4. and per the Resolution in IG D.B.
The Module conforms to Resolution 3 per [FIPS140-3_IG] D.C References to the Support of Industry Protocols: while it provides [SP800-56Ar3] conformant schemes and API entry points oriented to SSH and TLS usage, the Module does not contain the full implementation of SSH or TLS. The following caveat is required: No parts of the SSH and TLS protocols, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| N/A | N/A | Control Input | API entry point: stack frame including non-sensitive parameters |
| N/A | N/A | Data Input | API call parameters passed by reference or value for cryptographic service input |
| N/A | N/A | Status Output | API return value: enumerated status resulting from call execution |
| N/A | N/A | Data Output | API call parameters passed by reference for cryptographic service output |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider
N/A N/A N/A N/A Table 10: Ports and Interfaces Table 10 defines the Module’s [FIPS140-3] logical interfaces; the Module does not interact with physical ports. The Control Output logical interface is not applicable to the Module and is intentionally omitted from Table 10. Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
| Name | Description | Role Access | Csps Accessed | Approved Functions | Indicator | Type | Input | Output | |
|---|---|---|---|---|---|---|---|---|---|
| Crypto Officer | Crypto Officer | Role | None | ||||||
| Initialize | Module initialization | Crypto Officer - DRBG_E I: G,W,E,Z - DRBG_S tate: G - Software Integrity key: E | Random Number Generatio n | FIPS_O K | Core handle, dispatch in and out, provider context | Initializatio n status (1 = pass, 0 = fail) | |||
| Core (all except Teardown) (Show Status, Show Version) | Show status; Core operations dispatched by FIPS provider: Metadata (Gettable parameters; Get parameters; Get capabilities); Query; Self- test | Crypto Officer | None | FIPS_O K | Provider context, paramete rs types (array), capability , callback pointer and argument s, operation ID | Parameter types (array) with: Name, Version, BuildInfo, Status, SecurityCh ecks; Status return, TLS group capabilities , Null or array of available operations |
| Name | Description | Role Access | Csps Accessed | Approved Functions | Indicator | Type | Input | Output | |
|---|---|---|---|---|---|---|---|---|---|
| Crypto Officer | Crypto Officer | Role | None | ||||||
| Initialize | Module initialization | Crypto Officer - DRBG_E I: G,W,E,Z - DRBG_S tate: G - Software Integrity key: E | Random Number Generatio n | FIPS_O K | Core handle, dispatch in and out, provider context | Initializatio n status (1 = pass, 0 = fail) | |||
| Core (all except Teardown) (Show Status, Show Version) | Show status; Core operations dispatched by FIPS provider: Metadata (Gettable parameters; Get parameters; Get capabilities); Query; Self- test | Crypto Officer | None | FIPS_O K | Provider context, paramete rs types (array), capability , callback pointer and argument s, operation ID | Parameter types (array) with: Name, Version, BuildInfo, Status, SecurityCh ecks; Status return, TLS group capabilities , Null or array of available operations | |||
| Core: Perform self-tests | Run the self- test sequence | Crypto Officer | Perform self-tests (All) Software Integrity Test | FIPS_O K | Provider context | Status (1 = pass, 0 = fail) | |||
| Core: Teardown (Perform zeroisation) | Uninstantiate the module; includes Zeroise | Crypto Officer - DS_SGK : Z - DS_SVK: Z - GKP_Pri vate: Z - GKP_Pu blic: Z - KAS_Priv ate: Z - KAS_Pu blic: Z - KAS_SS: Z - KD_DKM : Z - KH_Key: Z - KTS_KD K: Z - KTS_KE K: Z - KTS_SS: Z - DRBG_E I: Z - | None | FIPS_O K | Provider context | None | |||
| Asymmetric cipher (Key Transport) (Perform approved security functions) | Encapsulate or decapsulate key material on behalf of the calling process (does not establish keys into the module) | Crypto Officer - KTS_KD K: E - KTS_KE K: E - KTS_SS: R | KTS-4 | [KTS- IFC: RSA, 4, (2048, 3072, 4096, 6144, 8192)] | Encapsul ate: Key struct (KTS_KD K); Decapsul ate (KTS_KE K) | Status return; KTS_SS | |||
| Cipher (Encryption/Dec ryption and Key Wrapping) (Perform approved security functions) | Encrypt or decrypt data, including AEAD modes (CCM, GCM) and key wrap (KW, KWP) (CSPs are passed in by the calling process or generated within the module) | Crypto Officer - SC_EDK: E - KH_Key: E | Symmetri c Encryptio n and Decryptio n Keyed Hash KTS-1 KTS-2 KTS-3 Cryptogra phic Key Generatio n (CKG) Cryptogra phic Key Generatio n (CKG) - AES XTS KTS-5 | [AES- ECB: AES- 128- ECB, AES- 192- ECB, AES- 256- ECB]; [AES- CBC: AES- 128- CBC, AES- 192- CBC, AES- 256- CBC]; [AES- CBC- CS: | SC_EDK and KH_Key (for key wrapping ); flags | Status return. Plaintext or ciphertext data, or wrapped key |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider
The Module does not provide an authentication or identification method of its own. The CO role is assumed by meeting the conditions of Section 11 of this document. N/A for this module.
Table 11: Roles The Module supports the mandatory Cryptographic Officer (CO) operational role only (implicitly identified) and does not support a maintenance role or a bypass capability.
r K Query; Selftest K s, Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision. s n I: G,W,E,Z
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider r K K Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision. s :Z Z Z :Z Z K: Z K: Z Z I: Z
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider r s [KTSIFC: K); K) [AESECB: AES128ECB, AES192ECB, AES256ECB]; [AESCBC: AES128CBC, AES192CBC, AES256CBC]; [AESCBCCS: c n Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision. Z K: E K: E R E E
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider r AES128CBCCTS, AES192CBCCTS, AES256CBCCTS]; [AESOFB: AES128OFB, AES192OFB, AES256OFB]; [AESCFB1: AES128CFB1, AES192CFB1, AES256CFB1]; [AESCFB8: AES128CFB8, AES192CFB8, AES256CFB8]; [AESCFB128: AESBroadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision. s
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider r 128CFB, AES192CFB, AES256CFB]; [AESCTR: AES128CTR, AES192CTR, AES256CTR]; [AESCCM: AES128CCM, AES192CCM, AES256CCM]; [AESGCM: AES128GCM, AES192GCM, AES256GCM]; [AESXTS: AES128XTS, AES256Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision. s
| Name | Description | Csps Accessed | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|
| Key derivation (Perform approved security functions) | Derive keying material | Crypto Officer - KAS_SS: W,E - KD_DKM : G,R - KTS_SS: W,E - PBKDF Passwor d: W,E,Z | Key Derivatio n | [PBKDF: PBKDF2 , (SHA- 1, SHA2- 224, SHA2- 256, SHA2- 384, SHA2- 512, SHA2- 512/224, SHA2- 512/256, SHA3- 224, SHA3- 256, SHA3- 384, SHA3- 512)]; [TLS1- PRF, (SHA2- 256, SHA2- 384, SHA2- 512)]; [TLS13- KDF, (SHA2- 256, SHA2- 384)]; | KAS_SS; flags | Status return; KD_DKM |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider r [AESKW, AES128WRAP, AES256WRAP] , (SHA1, SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512)]; [TLS1PRF, (SHA2256, SHA2384, SHA2512)]; [TLS13KDF, (SHA2256, SHA2384)]; s n W,E : G,R W,E d: W,E,Z Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider r [X963KDF, (SHA2224, SHA2256, SHA2384, SHA2512)]; SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512)]; SP 800108r1 (KMAC128, KMAC256)]; SP 800108r1 Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision. s
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider r AES128CBC, AES192CBC, AES256CBC, HMACSHA1, HMACSHA2224, HMACSHA2256, HMACSHA2384, HMACSHA2256, HMACSHA2384, HMACSHA2512, HMACSHA2512/224, HMACSHA2512/256, HMACSHA3224, HMACSHA3256, HMACSHA3384, Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision. s
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider r HMACSHA3512]; F, SHA2224, SHA2256, SHA2384, SHA2512)]; SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512, HMACSHA1, HMACSHA2224, HMACSHA2256, Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision. s
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider r HMACSHA2384, HMACSHA2512, HMACSHA2512/224, HMACSHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512, KMAC128, KMAC256)]; SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision. s
| Name | Description | Csps Accessed | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|
| Key exchange (Perform approved security functions) | Perform key agreement primitives on behalf of the calling process (does not establish keys into the module) | Crypto Officer - KAS_Priv ate: E - KAS_Pu blic: E - KAS_SS: G | KAS-1 KAS-2 KAS-3 KAS ECC CDH Compone nt | [KAS- FFC- SSC: DHX]; [KAS- ECC- SSC: EC] | Key structs (KAS_Pri vate and KAS_Pu blic); flags | Status return; KAS_SS |
| Key management (Perform approved security functions) | Generate asymmetric key pairs | Crypto Officer - GKP_Pri vate: G - GKP_Pu blic: G | Asymmet ric Key Pair Generatio n | [SafePri mes: DHX]; [RSA KeyGen: RSA, (2048, 3072, 4096)]; [ECDSA | ECDSA: curve identifier. DSA/RS A: modulus size | Status return; Key struct (GKP_Priv ate, GKP_Publi c) |
| Message authentication (Perform approved security functions) | Generate or verify data integrity. (CSPs are passed in by the calling process or generated within the module) | Crypto Officer - KH_Key: E | Keyed Hash Cryptogra phic Key Generatio n (CKG) | [HMAC: HMAC- SHA1, HMAC- SHA2- 224, HMAC- SHA2- 256, HMAC- SHA2- 384, HMAC- SHA2- 512, HMAC- SHA2- 512/224, HMAC- SHA2- 512/256, HMAC- SHA3- 224, HMAC- SHA3- 256, HMAC- SHA3- 384, HMAC- SHA3- 512]; [CMAC]; [KMAC: KMAC- 128, KMAC- | KH_Key | Status return; Tag value |
| Message digest (Perform approved security functions) | Generate a message digest | Crypto Officer | Message Digest | [SHA-1, SHA2- 224, SHA2- 256, SHA2- 384, SHA2- 512, SHA2- 512/224, SHA2- 512/256, SHA3- 224, SHA3- 256, SHA3- 384, SHA3- 512, SHAKE- 128, SHAKE- 256] | Message ; flags | Status return; Hash value |
| Random (Perform approved security functions) | Generate random bits using the DRBG | Crypto Officer - DRBG_E I: E - DRBG_S eed: E - DRBG_S tate: E | Random Number Generatio n | [Hash DRBG: HASH- DRBG, (SHA1, SHA2- 256, SHA2- 512)]; [HMAC- DRBG, (SHA1, | DRBG struct (RBG State); DRBG_E I | Status return; Random value |
| Signature (Perform approved security functions) | Generate or verify digital signatures (SSPs are passed in by the calling process) | Crypto Officer - DS_SGK : E - DS_SVK: E | RSA Digital Signature Generatio n and Verificatio n ECDSA Signature Generatio n and Signature Verificatio n DSA Digital Signature Generatio n and Verificatio n RSA Signature Primitive | [RSA SigGen: RSA, (2048, 3072, 4096), (SHA2- 224, SHA2- 256, SHA2- 384, SHA2- 512, SHA2- 512/224, SHA2- 512/256) ]; [RSA SigVer: RSA, (1024, 2048, 3072, 4096), (SHA1, SHA2- 224, SHA2- 256, SHA2- 384, SHA2- | Sign: Key struct (DS_SG K); message ; Verify: signature value; Key struct (DS_SV K); flags; sizes | Status return; Signature value |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider r SHA3512]; SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512]; [KASFFCSSC: [KASECCSSC: s A: c) Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision. G n
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider r HMACSHA1, HMACSHA2224, HMACSHA2256, HMACSHA2384, HMACSHA2512, HMACSHA2512/224, HMACSHA2512/256, HMACSHA3224, HMACSHA3256, HMACSHA3384, HMACSHA3512]; KMAC128, s E Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider r AES128GCM, AES192GCM, AES256GCM] SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256, SHA3224, SHA3256, SHA3384, SHA3512, SHAKE128, SHAKE256] HASHDRBG, SHA2256, SHA2512)]; [HMACDRBG, s I n I: E Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider r SHA2256, SHA2512)]; [CTRDRBG, (AES128CTR, AES192CTR, AES256CTR)] (SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256) SHA2224, SHA2256, SHA2384, s K); n n n :E E Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider r SHA2512/224, SHA2512/256) e m: (SHA2224, SHA2256, SHA2384, SHA2512, SHA3224, SHA3256, SHA3384, SHA3512)]; SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision. s
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider r SHA2512/256) ]; (L= SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256) , =SHA2256, SHA2384, SHA2512, SHA2512/256) Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision. s
| Name | Description | Csps Accessed | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|
| Zeroise (Perform zeroisation) | •The core Teardown operation | Crypto Officer - | None | ZERO_ OK | Memory pointer | Void |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider r (L= (SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256) SHA2224, SHA2256, SHA2384, SHA2512, SHA2512/224, SHA2512/256) ] s Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
| Name | Description | Csps Accessed |
|---|---|---|
| zeroizes all Module scope SSPs •Call stack cleanup is the duty of the application •Restarting the general- purpose computer clears all SSPs in RAM •OPENSSL_cl eanse provides zeroisation of SSPs managed by the caller; See the notes below this table for additional explanation | zeroizes all Module scope SSPs •Call stack cleanup is the duty of the application •Restarting the general- purpose computer clears all SSPs in RAM •OPENSSL_cl eanse provides zeroisation of SSPs managed by the caller; See the notes below this table for additional explanation | DS_SGK : Z - DS_SVK: Z - GKP_Pri vate: Z - GKP_Pu blic: Z - KAS_Priv ate: Z - KAS_Pu blic: Z - KAS_SS: Z - KD_DKM : Z - KH_Key: Z - KTS_KD K: Z - KTS_KE K: Z - KTS_SS: Z - DRBG_E I: Z - DRBG_S eed: Z - DRBG_S tate: Z - SC_EDK: Z - |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider r the generalpurpose Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision. s :Z Z Z :Z Z K: Z K: Z Z I: Z Z
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider r Table 12: Approved Services s Note: The Indicators in Table 12 above follow the format: [Algorithm name: Indicator 1, Indicator 2, etc.] where Indicator 1 is an algorithm identifier and Indicators 2, 3 etc. depending on the algorithm are the specifics i.e. modes/supported curves/SafePrime groups/PRFs, etc.) per algorithm. Each combination of the Indicator 1 along with Indicators 2, 3, etc. in the comma separated list can be observed when the corresponding modes/curves/SafePrimes, PRFs etc. are invoked for a given algorithm in the context of a given service. The service indicators must be requested by the calling applications as by calling the following EVP APIs of the module in the context of each service:
| Name | Description | Roles | Approved Functions |
|---|---|---|---|
| Signature | Generate or verify digital signatures (SSPs are passed in by the calling process) | Crypto Officer | Ed448 Ed25519 FIPS 186-2 RSA SigGen/SigVer |
| Key Exchange | Perform key agreement primitives on behalf of the calling process | Crypto Officer | X448 X25519 |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider
Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
| Name | Description | Roles | Csps Accessed |
|---|---|---|---|
| Cipher (Encryption/Decryption) | Triple-DES | Crypto Officer | Encrypt or decrypt data (CSPs are passed in by the calling process) |
| ECDSA SigVer Component | ECDSA SigVer Component | Crypto Officer | Verify ECDSA digital signatures (SSPs are passed in by the calling process) |
| Key Derivation | X942KDF- CONCAT X963KDF HKDF OneStep KDF | Crypto Officer | Derive keys (key derivation key passed in by the calling process) |
| Keyed Hash | HMAC | Crypto Officer | Generate HMAC using key length less than 112 bits |
| Random | Hash and HMAC DRBG | Crypto Officer | Generate random bits using the non-approved Hash and HMAC DRBGs with PRFs SHA2-224, SHA2-384, SHA2-512/224 and SHA2-512/256 |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider X942KDFCONCAT Table 13: Non-Approved Services
The module does not support loading of any additional software.
The module does not support self-initiated cryptographic output. Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider
The Module uses HMAC-SHA2-256 as the approved integrity technique; the file fipsmodule.cnf contains the integrity reference value. The HMAC key used for the integrity test is considered a non-SSP. The HMAC-SHA2-256 CAST is performed prior to the software integrity test. The Module is provided in an executable form (as fips.so shared object for use in Linux environments, fips.dylib for use in Mac environments and fips.dll for use in Windows environments). The module does not support loading of any additional software.
The operator can initiate the integrity test on demand by calling fips_self_test (invoked using OSSL_PROVIDER_self_test called with the Module’s global handle) or reloading the Module.
In accordance with [ISO19790] Annex B, as the Module is open source, the tools used to build the Module as tested are:
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider
Type of Operational Environment: Modifiable How Requirements are Satisfied: The operational environment for the Module is modifiable as it runs in General Purpose Computers (GPC). The Module conforms to [FIPS140-3_IG] 2.3.C Processor Algorithm Accelerators (PAA) and Processor Algorithm Implementation (PAI). The AES-NI functions are identified by [FIPS140-3_IG] 2.3.C as a known PAA.
Table 3 lists the operational environments on which the Module was tested; no operational environment restrictions are required for operation in the approved mode. All conditions for operation of the Module in the approved mode are given in Section 2. Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider
Physical Security requirements are not applicable for this software Module. N/A for this module. Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider
In accordance with current CMVP policy, Non-Invasive Security is not applicable. Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
| Name | Type | Description |
|---|---|---|
| RAM | Dynamic | Temporary, plaintext storage |
| Stored in the module's configuration file | Static | Persistent, plaintext storage |
| Name | Approved Functions | Type | From | To | Distributio n Type |
|---|---|---|---|---|---|
| CALL STACK (API) INPUT PARAMETER S | Electroni c | Plaintex t | Calling application | Module | Manual |
| CALL STACK (API) OUTPUT PARAMETER S | Electroni c | Plaintex t | Module | Calling application | Manual |
| Stored at manufacture | N/A | Plaintex t | Manufacture r | Stored in the module's configuratio n file | N/A |
| Zeroization Method | Description | Rationale | Operator | |
|---|---|---|---|---|
| Initiation | ||||
| OPENSSL_cleanse | Zeroisation of SSPs managed by the caller | The OPENSSL_cleanse provides zeroisation of SSPs managed by the caller | Module initiated | |
| cleared after use | Temporary copies of CSPs are zeroised within the relevant function for the scope within which they are used | CSPs with a lifetime associated with an OpenSSL object will be zeroized when reinitialized | Module initiated | |
| Teardown | This operation triggers Module uninstantiation | CSPs with a lifetime associated with the Module are zeroised on Module uninstantiation | Operator initiated |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider
S S t c t c r t N/A N/A m Table 15: SSP Input-Output Methods The module is complaint with FIPS 140-3 IG 9.5.A MD/EE (CM Software to/from App via TOEPP Path).
Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
| Name | Type | Description | Strength | Generation | Establishment | Storage | Zeroization | Use | Input | Related SSPs | |
|---|---|---|---|---|---|---|---|---|---|---|---|
| DS_SGK | Private key - CSP | Private key for signature generation | RSA: 2048, 3072 and 4096 bits DSA: 2048 and 3072 bits ECDSA: B- 233, K-233, P-224; B- 283, K-283, P-256; B- 409, K-409, P-384; B- 571, K-571, P-521 - RSA: 112, 128 or 152 DSA: 112 or 128 ECDSA: 112, 128, 192, 521 | RSA Digital Signature Generatio n and Verificatio n ECDSA Signature Generatio n and Signature Verificatio n DSA Digital Signature Generatio n and Verificatio n RSA Signature Primitive | |||||||
| DS_SVK | Public key - PSP | Public key for signature verification | RSA: 1024, 2048, 3072 and 4096 bits DSA: 1024, 2048 and 3072 bits ECDSA: ECDSA: B- 233, K-233, P-224; B- 283, K-283, P-256; B- 409, K-409, P-384; B- 571, K-571, | RSA Digital Signature Generatio n and Verificatio n ECDSA Signature Generatio n and Signature Verificatio n DSA | |||||||
| P-521 - RSA: 80, 112, 128 or 152 DSA: 80, 112 or 128 ECDSA: 112, 128, 192, 256 | P-521 - RSA: 80, 112, 128 or 152 DSA: 80, 112 or 128 ECDSA: 112, 128, 192, 256 | Digital Signature Generatio n and Verificatio n | |||||||||
| GKP_Priva te | Private key - CSP | Key pair (Private: DS_SGK, Public: DS_SVK) generated per caller request; the keypair purpose is unspecified | RSA: 2048, 3072, 4096 bits DSA: 2048 and 3072 bits ECDSA: ECDSA: B- 233, K-233, P-224; B- 283, K-283, P-256; B- 409, K-409, P-384; B- 571, K-571, P-521 - RSA: 112, 128 or 152 DSA: 112 or 128 ECDSA: 112, 128, 192, 256 | Asymmetric Key Pair Generation Random Number Generation | |||||||
| GKP_Publi c | Public key - PSP | Key pair (Private: GPK_Privat e, Public: GPK_Publi c) generated per caller request; the keypair purpose is unspecified | RSA: 2048, 3072, 4096 bits DSA: 2048 and 3072 bits ECDSA: ECDSA: B- 233, K-233, P-224; B- 283, K-283, P-256; B- 409, K-409, P-384; B- 571, K-571, P-521 - RSA: 112, 128 or 152 DSA: 112 or 128 ECDSA: | Asymmetric Key Pair Generation Random Number Generation | |||||||
| KAS_Privat e | Private key - CSP | Key pair component provided by the local participant, used for Diffie- Hellman shared secret generation | FFC: FB, FC, MODP2048, ffdhe2048, MODP3072, ffdhe3072, MODP4096, ffdhe4096, MODP6144, ffdhe6144, MODP8192, ffdhe 8192 ECC: B-233, K-233, P- 224, B-283, K-283, P- 256, B-409, K-409, P- 384, B-571, K-571, P- 521, IFC: k=2048, 3072, 4096, 6144, 8192 bits - FFC: between 112 and 200 ECC: 112, 128, 192, 256 IFC [SP800- 56Br2]: 112, 128 | Asymmetric Key Pair Generation Random Number Generation | KAS-1 KAS-2 KAS-3 | ||||||
| KAS_Publi c | Public key - PSP | Key pair component provided by the local participant, used for Diffie- Hellman shared secret generation | FFC: FB, FC, MODP2048, ffdhe2048, MODP3072, ffdhe3072, MODP4096, ffdhe4096, MODP6144, ffdhe6144, MODP8192, ffdhe 8192 ECC: B-233, K-233, P- 224, B-283, | Asymmetric Key Pair Generation Random Number Generation | KAS-1 KAS-2 KAS-3 | ||||||
| KAS_SS | Shared secret - CSP | Shared secret calculation; z output value is expected to be used by a KDF | FFC: FB, FC, MODP2048, ffdhe2048, MODP3072, ffdhe3072, MODP4096, ffdhe4096, MODP6144, ffdhe6144, MODP8192, ffdhe 8192 ECC: B-233, K-233, P- 224, B-283, K-283, P- 256, B-409, K-409, P- 384, B-571, K-571, P- 521, IFC: k=2048, 3072, 4096, 6144, 8192 bits - FFC: between 112 and 200 ECC: 112, 128, 192, 256 IFC: 112, 128 | KAS-1 KAS-2 KAS-3 | |||||||
| KD_DKM | Derived Keying Material - CSP | Key Derivation derived keying material | HMAC PRF: 160, 224, 256, 384, 512 - HMAC PRF: 160, 224, 256, 384, 512 | Key Derivation | |||||||
| KH_Key | Symmetr ic key - CSP | Keyed Hash key | CMAC: 128, 192, 256 GMAC: 128, 192, 256 HMAC: 160, 256, 512. KMAC: 128, 256 - CMAC: 128, 192, 256 GMAC: 128, 192, 256 HMAC: 160, 256, 512. KMAC: 128, 256 | Random Number Generation Cryptograph ic Key Generation (CKG) | Keyed Hash KTS-2 | ||||||
| KTS_KDK | Private key - CSP | Private (KDK) component of an RSA key pair used for [SP800- 56Br2] RSA key transport | 2048, 3072, 4096 and 6144 bits - 112, 128, 152, 176 | KTS-4 | |||||||
| KTS_KEK | Public key - PSP | Public (KEK) component of an RSA key pair used for [SP800- 56Br2] RSA key transport | 2048, 3072, 4096 and 6144 bits - 112, 128, 152, 176 | KTS-4 | |||||||
| KTS_SS | Shared secret - CSP | The RSA key transport shared secret | 2048, 3072, 4096 and 6144 bits - 112, 128, 152, 176 | KTS-4 | |||||||
| DRBG_EI | Entropy input - CSP | Entropy input from an external source used for DRBG seeding | 128 – 256 bits - 128 – 256 bits | Random Number Generatio n | |||||||
| DRBG_Se ed | DRBG seed - CSP | Seed generated from the entropy input for the DRBG | 128 – 256 bits - 128 – 256 bits | Random Number Generatio n | |||||||
| DRBG_Sta te | DRBG state - CSP | Hash DRBG: V and C. HMAC DRBG: V and Key CTR DRBG: V and Key | Hash DRBG: 160, 224, 256, 384, 512 HMAC DRBG: 160, 224, 256, 384, 512. CTR DRBG: 128, 192, 256 - Hash DRBG: 160, 224, 256, 384, 512 HMAC DRBG: 160, 224, 256, 384, 512. CTR DRBG: 128, 192, 256 | Random Number Generation | Random Number Generatio n | ||||||
| SC_EDK | Symmetr ic key - CSP | AES key used for symmetric encryption and decryption (including use in key wrapping) | AES: 128, 192, 256 AES CCM: 128, 192, 256 AES GCM: 128, 192, 256 AES XTS: 128, 256. - AES: 128, 192, 256 AES CCM: 128, 192, 256 AES | Random Number Generation Cryptograph ic Key Generation (CKG) Cryptograph ic Key Generation (CKG) - AES XTS | Symmetri c Encryptio n and Decryptio n KTS-1 KTS-2 KTS-3 KTS-5 | ||||||
| PBKDF Password | Symmetr ic key - CSP | Input provided to the PBKDF | Recommend ed size is greater than 10 characters for passwords and greater than 20 characters for passphrases - 112 bits or greater | Key Derivatio n | |||||||
| Software Integrity key | 256 bits - Neither | HMAC- SHA2-256 key used to perform the Software Integrity Test | 256 bits - 256 bits | Software Integrity Test | |||||||
| DS_SGK | RAM:Plaint ext | OPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computer | CALL STACK (API) INPUT PARAMETE RS | cleared after use | DS_SVK:Paired With | ||||||
| DS_SVK | RAM:Plaint ext | OPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computer | CALL STACK (API) INPUT PARAMETE RS | cleared after use | DS_SGK:Paired With |
| Zeroization Method | Description | Rationale | Operator Initiation |
|---|---|---|---|
| Restarting the general-purpose computer | RAM (memory) is used for temporary storage of SSPs | Restarting the general- purpose computer clears all SSPs in RAM | Operator initiated |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider Table 16: SSP Zeroization Methods n y Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision. n n n n n
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider n c c) y n Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider n e DiffieHellman c DiffieHellman [SP80056Br2]: 112, y Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider n [SP80056Br2]: 112, y Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider n [SP80056Br2] RSA [SP80056Br2] RSA y Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider n y n c n n n Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
| Name | Type | Description | Strength | Storage | Zeroization | Use | Input | Related SSPs | |
|---|---|---|---|---|---|---|---|---|---|
| PBKDF Password | Symmetr ic key - CSP | Input provided to the PBKDF | Recommend ed size is greater than 10 characters for passwords and greater than 20 characters for passphrases - 112 bits or greater | Key Derivatio n | |||||
| Software Integrity key | 256 bits - Neither | HMAC- SHA2-256 key used to perform the Software Integrity Test | 256 bits - 256 bits | Software Integrity Test | |||||
| DS_SGK | RAM:Plaint ext | OPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computer | CALL STACK (API) INPUT PARAMETE RS | cleared after use | DS_SVK:Paired With | ||||
| DS_SVK | RAM:Plaint ext | OPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computer | CALL STACK (API) INPUT PARAMETE RS | cleared after use | DS_SGK:Paired With | ||||
| GKP_Priv ate | RAM:Plaint ext | OPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computer | CALL STACK (API) OUTPUT PARAMETE RS | cleared after use | GKP_Public:Paired With | ||||
| GKP_Publ ic | RAM:Plaint ext | OPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computer | CALL STACK (API) OUTPUT PARAMETE RS | cleared after use | GKP_Private:Paired With | ||||
| KAS_Priva te | RAM:Plaint ext | OPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computer | CALL STACK (API) INPUT PARAMETE RS | cleared after use | KAS_Public:Paired With | ||||
| KAS_Publi c | RAM:Plaint ext | OPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computer | CALL STACK (API) INPUT PARAMETE RS | cleared after use | KAS_Private:Paired With | ||||
| KAS_SS | RAM:Plaint ext | OPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computer | cleared after use | KAS_Private:Establi shed using KAS_Public:Establis hed using | |||||
| KD_DKM | RAM:Plaint ext | OPENSSL_clea nse cleared after use Teardown Restarting the | CALL STACK (API) OUTPUT PARAMETE RS | cleared after use | |||||
| KH_Key | RAM:Plaint ext | OPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computer | CALL STACK (API) INPUT PARAMETE RS | cleared after use | |||||
| KTS_KDK | RAM:Plaint ext | OPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computer | CALL STACK (API) INPUT PARAMETE RS | cleared after use | KTS_KEK:Paired With | ||||
| KTS_KEK | RAM:Plaint ext | OPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computer | CALL STACK (API) INPUT PARAMETE RS | cleared after use | KTS_KDK:Paired With | ||||
| KTS_SS | RAM:Plaint ext | OPENSSL_clea nse Teardown Restarting the general-purpose computer | CALL STACK (API) INPUT PARAMETE RS CALL STACK (API) OUTPUT PARAMETE RS | cleared after use | |||||
| DRBG_EI | RAM:Plaint ext | OPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computer | CALL STACK (API) INPUT PARAMETE RS | cleared after use | DRBG_Seed:Used to derive | ||||
| DRBG_Se ed | RAM:Plaint ext | OPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computer | cleared after use | DRBG_EI:Derived From | |||||
| DRBG_St ate | RAM:Plaint ext | Teardown Restarting the general-purpose computer | Until power- cycling of the underlyi ng host platform | DRBG_Seed:Derive d From | |||||
| SC_EDK | RAM:Plaint ext | OPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computer | CALL STACK (API) INPUT PARAMETE RS CALL STACK (API) OUTPUT PARAMETE RS | cleared after use | |||||
| PBKDF Password | RAM:Plaint ext | OPENSSL_clea nse cleared after use Teardown Restarting the general-purpose computer | CALL STACK (API) INPUT PARAMETE RS | cleared after use | |||||
| Software Integrity key | Stored in the module's configuratio n file :Plaintext | Teardown | Stored at manufacture | Until teardow n operatio n is perform ed |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider n HMACSHA2-256 y n Table 17: SSP Table 1 n Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider c n Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider n Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider n powercycling n Table 18: SSP Table 2 All SSPs used by the Module are described in this section, arranged for consistency with Table 12; ‘--’ indicates the cell is intentionally empty, not applicable, or not relevant. Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider Keys used for CASTs and the temporary value used in the integrity test are not SSPs; however, the latter is deleted after use as required by AS05.10. Equivalent strength is given for each key or algorithm type (as some algorithms do not use or produce keys). The Module maintains only the DRBG CSPs used for key generation as persistent CSPs; these are used exclusively for approved services. DRBG outputs are used internally to the Module for asymmetric key pair generation and used by calling applications to generate a random value (potentially for use as a symmetric key). The Module:
| Name | Algorithm Or Test | Test Method | Test Type | Details | Indicator | Conditions | |
|---|---|---|---|---|---|---|---|
| HMAC-SHA2- 256 (A3548) | HMAC-SHA2- 256 (A3548) | KAT | SW/FW Integrity | MAC (HMAC- SHA2-256, A3548) | Key Length: 256 bits | Success: All self- tests passed (as expected) | |
| AES-ECB (A3548) | AES-ECB (A3548) | KAT | CAST | Decrypt | Key Length: 128 bits | FIPS_OK | On reloading the module |
| AES-GCM (A3548) | AES-GCM (A3548) | KAT | CAST | Encrypt | Key Length: 256 bits | FIPS_OK | On reloading the module |
| AES-GCM (A3548) | AES-GCM (A3548) | KAT | CAST | Decrypt | Key Length: 256 bits | FIPS_OK | On reloading the module |
| Counter DRBG (A3548) | Counter DRBG (A3548) | KAT | CAST | Generate, Reseed, Instantiate functions | AES CTR (128 bits) with derivation function | FIPS_OK | On reloading the module |
| DSA SigGen (FIPS186- 4) (A3548) | DSA SigGen (FIPS186- 4) (A3548) | KAT | CAST | Sign | Modulus: 2048 bits; Hash: SHA2-384 | FIPS_OK | On reloading the module |
| DSA SigVer (FIPS186- 4) (A3548) | DSA SigVer (FIPS186- 4) (A3548) | KAT | CAST | Verify | Modulus: 2048 bits; Hash: SHA2-384 | FIPS_OK | On reloading the module |
| ECDSA SigGen (FIPS186- 4) (A3548) | ECDSA SigGen (FIPS186- 4) (A3548) | KAT | CAST | Sign | Curve: P- 224; Hash: SHA2-512 | FIPS_OK | On reloading the module |
| ECDSA SigVer (FIPS186- 4) (A3548) | ECDSA SigVer (FIPS186- 4) (A3548) | KAT | CAST | Verify | Curve: P- 224; Hash: SHA2-512 | FIPS_OK | On reloading the module |
| Hash DRBG (A3548) | Hash DRBG (A3548) | KAT | CAST | Generate, Reseed, | PRF: SHA2-256 | FIPS_OK | On reloading the module |
| Name | Algorithm Or Test | Test Method | Test Type | Details | Indicator | Conditions | |
|---|---|---|---|---|---|---|---|
| HMAC-SHA2- 256 (A3548) | HMAC-SHA2- 256 (A3548) | KAT | SW/FW Integrity | MAC (HMAC- SHA2-256, A3548) | Key Length: 256 bits | Success: All self- tests passed (as expected) | |
| AES-ECB (A3548) | AES-ECB (A3548) | KAT | CAST | Decrypt | Key Length: 128 bits | FIPS_OK | On reloading the module |
| AES-GCM (A3548) | AES-GCM (A3548) | KAT | CAST | Encrypt | Key Length: 256 bits | FIPS_OK | On reloading the module |
| AES-GCM (A3548) | AES-GCM (A3548) | KAT | CAST | Decrypt | Key Length: 256 bits | FIPS_OK | On reloading the module |
| Counter DRBG (A3548) | Counter DRBG (A3548) | KAT | CAST | Generate, Reseed, Instantiate functions | AES CTR (128 bits) with derivation function | FIPS_OK | On reloading the module |
| DSA SigGen (FIPS186- 4) (A3548) | DSA SigGen (FIPS186- 4) (A3548) | KAT | CAST | Sign | Modulus: 2048 bits; Hash: SHA2-384 | FIPS_OK | On reloading the module |
| DSA SigVer (FIPS186- 4) (A3548) | DSA SigVer (FIPS186- 4) (A3548) | KAT | CAST | Verify | Modulus: 2048 bits; Hash: SHA2-384 | FIPS_OK | On reloading the module |
| ECDSA SigGen (FIPS186- 4) (A3548) | ECDSA SigGen (FIPS186- 4) (A3548) | KAT | CAST | Sign | Curve: P- 224; Hash: SHA2-512 | FIPS_OK | On reloading the module |
| ECDSA SigVer (FIPS186- 4) (A3548) | ECDSA SigVer (FIPS186- 4) (A3548) | KAT | CAST | Verify | Curve: P- 224; Hash: SHA2-512 | FIPS_OK | On reloading the module |
| Hash DRBG (A3548) | Hash DRBG (A3548) | KAT | CAST | Generate, Reseed, | PRF: SHA2-256 | FIPS_OK | On reloading the module |
| HMAC DRBG (A3548) | HMAC DRBG (A3548) | KAT | CAST | Generate, Reseed, Instantiate functions | PRF: HMAC- SHA-1 | FIPS_OK | On reloading the module |
| HMAC- SHA2-256 (A3548) | HMAC- SHA2-256 (A3548) | KAT | CAST | HMAC tag Generation | PRF: SHA2-256 | FIPS_OK | Performed prior to the software integrity test |
| KAS- ECC-SSC Sp800- 56Ar3 (A3548) | KAS- ECC-SSC Sp800- 56Ar3 (A3548) | KAT | CAST | Key Agreement - Shared Secret Computation | Scheme: Ephemeral Unified, Curve: P- 256 | FIPS_OK | On reloading the module |
| KAS-FFC- SSC Sp800- 56Ar3 (A3548) | KAS-FFC- SSC Sp800- 56Ar3 (A3548) | KAT | CAST | Key Agreement - Shared Secret Computation | Scheme: dhEphem; Modulus: L = 2048 bits, N = 256 bit | FIPS_OK | On reloading the module |
| KAS-IFC- SSC (A3548) | KAS-IFC- SSC (A3548) | KAT | CAST | Key Agreement - Shared Secret Computation | Schemes: Basic, CRT, Modulus: L = 2048 bits | FIPS_OK | On reloading the module |
| KDF SP800- 108 (A3548) | KDF SP800- 108 (A3548) | KAT | CAST | Counter Mode (HMAC- SHA2-256). | Mode: Counter, PRF: HMAC- SHA2-256 | FIPS_OK | On reloading the module |
| KDA OneStep SP800- 56Cr2 (A3548) | KDA OneStep SP800- 56Cr2 (A3548) | KAT | CAST | Key Derivation | Auxiliary Function, H = SHA2- 224 | FIPS_OK | On reloading the module |
| KDA TwoStep SP800- 56Cr2 (A3548) | KDA TwoStep SP800- 56Cr2 (A3548) | KAT | CAST | Key Derivation | Auxiliary Function, H = HMAC- SHA2-256 | FIPS_OK | On reloading the module |
| KTS-IFC (A3548) | KTS-IFC (A3548) | KAT | CAST | Encrypt | Schemes: Basic Modulus: L = 2048 bits | FIPS_OK | On reloading the module |
| KTS-IFC (A3548) | KTS-IFC (A3548) | KAT | CAST | Decrypt | Schemes: Basic, CRT, | FIPS_OK | On reloading the module |
| PBKDF (A3548) | PBKDF (A3548) | KAT | CAST | Key Derivation | Derivation of the Master Key (MK), PRF: SHA2-256 | FIPS_OK | On reloading the module |
| RSA SigGen (FIPS186- 4) (A3548) | RSA SigGen (FIPS186- 4) (A3548) | KAT | CAST | Sign | Scheme: PKCS#1, Modulus: L = 2048, Hash: SHA2-256 | FIPS_OK | On reloading the module |
| RSA SigVer (FIPS186- 4) (A3548) | RSA SigVer (FIPS186- 4) (A3548) | KAT | CAST | Verify | Scheme: PKCS#1, Modulus: L = 2048, Hash: SHA2-256 | FIPS_OK | On reloading the module |
| SHA-1 (A3548) | SHA-1 (A3548) | KAT | CAST | Hash | SHA-1 | FIPS_OK | On reloading the module |
| SHA2-512 (A3548) | SHA2-512 (A3548) | KAT | CAST | Hash | SHA2-512 | FIPS_OK | On reloading the module |
| SHA3-256 (A3548) | SHA3-256 (A3548) | KAT | CAST | Hash | SHA3-256 | FIPS_OK | On reloading the module |
| KDF ANS 9.42 (A3548) | KDF ANS 9.42 (A3548) | KAT | CAST | Key Derivation | PRFs: AES KW (128 bits), SHA-1 | FIPS_OK | On reloading the module |
| KDF ANS 9.63 (A3548) | KDF ANS 9.63 (A3548) | KAT | CAST | Key Derivation | PRF: SHA2-256 | FIPS_OK | On reloading the module |
| KDF SSH (A3548) | KDF SSH (A3548) | KAT | CAST | Key Derivation | PRF: SHA- 1 | FIPS_OK | On reloading the module |
| TLS v1.2 KDF RFC7627 (A3548) | TLS v1.2 KDF RFC7627 (A3548) | KAT | CAST | Key Derivation | PRF: SHA2-256 | FIPS_OK | On reloading the module |
| TLS v1.3 KDF (A3548) | TLS v1.3 KDF (A3548) | KAT | CAST | Key Derivation | PRF: SHA2-256 | FIPS_OK | On reloading the module |
| RSA KeyGen (FIPS186- 4) (A3548) | RSA KeyGen (FIPS186- 4) (A3548) | PCT | PCT | Key Generation | Performed post key generation | FIPS_OK | On generating keys for Key Transport (KTS IFC)/Key Agreement (KAS IFC)/Signature |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider
Table 19: Pre-Operational Self-Tests The module is complaint with FIPS 140-3 IG 10.2.A in that it performs a self-test, a Known Answer Test
(FIPS1864) (A3548) (FIPS1864) (A3548) (FIPS1864) (A3548) (FIPS1864) (A3548) Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider HMACSHA-1 HMACSHA2-256 KASECC-SSC Sp80056Ar3 KAS-FFCSSC Sp80056Ar3 Curve: P256 HMACSHA2-256 H = SHA2224 H= HMACSHA2-256 KAS-IFCSSC SP800108 SP80056Cr2 SP80056Cr2 (HMACSHA2-256). Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider (FIPS1864) (A3548) (FIPS1864) (A3548) (FIPS1864) (A3548) PRF: SHA1 Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method | Details | Indicator | Conditions Generation/Signature Verification | |
|---|---|---|---|---|---|---|---|---|---|
| ECDSA KeyGen (FIPS186- 4) (A3548) | ECDSA KeyGen (FIPS186- 4) (A3548) | PCT | PCT | Key Generation | Performed post key generation | FIPS_OK | On generating keys for Key Agreement (KAS ECC)/Signature Generation/Signature Verification | ||
| DSA KeyGen (FIPS186- 4) (A3548) | DSA KeyGen (FIPS186- 4) (A3548) | PCT | PCT | Key Generation | Performed post key generation | FIPS_OK | On generating keys for Key Agreement (KAS FFC)/Signature Generation/Signature Verification | ||
| ECDSA SigGen (FIPS186- 4) (A3548) | ECDSA SigGen (FIPS186- 4) (A3548) | KAT | CAST | Sign | Curve: K- 233; Hash: SHA2-512 | FIPS_OK | On reloading the module | ||
| ECDSA SigVer (FIPS186- 4) (A3548) | ECDSA SigVer (FIPS186- 4) (A3548) | KAT | CAST | Verify | Curve: K- 233; Hash: SHA2-512 | FIPS_OK | On reloading the module | ||
| HMAC-SHA2- 256 (A3548) | HMAC-SHA2- 256 (A3548) | KAT | SW/FW Integrity | On Demand | Manually by reloading the module or calling the fips_self_test function | ||||
| AES-ECB (A3548) | AES-ECB (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method | Details | Indicator | Conditions Generation/Signature Verification | |
|---|---|---|---|---|---|---|---|---|---|
| ECDSA KeyGen (FIPS186- 4) (A3548) | ECDSA KeyGen (FIPS186- 4) (A3548) | PCT | PCT | Key Generation | Performed post key generation | FIPS_OK | On generating keys for Key Agreement (KAS ECC)/Signature Generation/Signature Verification | ||
| DSA KeyGen (FIPS186- 4) (A3548) | DSA KeyGen (FIPS186- 4) (A3548) | PCT | PCT | Key Generation | Performed post key generation | FIPS_OK | On generating keys for Key Agreement (KAS FFC)/Signature Generation/Signature Verification | ||
| ECDSA SigGen (FIPS186- 4) (A3548) | ECDSA SigGen (FIPS186- 4) (A3548) | KAT | CAST | Sign | Curve: K- 233; Hash: SHA2-512 | FIPS_OK | On reloading the module | ||
| ECDSA SigVer (FIPS186- 4) (A3548) | ECDSA SigVer (FIPS186- 4) (A3548) | KAT | CAST | Verify | Curve: K- 233; Hash: SHA2-512 | FIPS_OK | On reloading the module | ||
| HMAC-SHA2- 256 (A3548) | HMAC-SHA2- 256 (A3548) | KAT | SW/FW Integrity | On Demand | Manually by reloading the module or calling the fips_self_test function | ||||
| AES-ECB (A3548) | AES-ECB (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider (FIPS1864) (A3548) (FIPS1864) (A3548) (FIPS1864) (A3548) (FIPS1864) (A3548) Table 20: Conditional Self-Tests Each time the Module is powered up it tests that the cryptographic algorithms still operate correctly and that sensitive data has not been damaged. On instantiation, the Module performs the pre-operational self-tests and all CASTs listed above. All KATs must complete successfully prior to any other use of cryptography by Table 21: Pre-Operational Periodic Information Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method |
|---|---|---|---|---|---|
| AES-GCM (A3548) | AES-GCM (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| AES-GCM (A3548) | AES-GCM (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| Counter DRBG (A3548) | Counter DRBG (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| DSA SigGen (FIPS186-4) (A3548) | DSA SigGen (FIPS186-4) (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| DSA SigVer (FIPS186-4) (A3548) | DSA SigVer (FIPS186-4) (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| ECDSA SigGen (FIPS186-4) (A3548) | ECDSA SigGen (FIPS186-4) (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| ECDSA SigVer (FIPS186-4) (A3548) | ECDSA SigVer (FIPS186-4) (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| Hash DRBG (A3548) | Hash DRBG (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| HMAC DRBG (A3548) | HMAC DRBG (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| HMAC-SHA2- 256 (A3548) | HMAC-SHA2- 256 (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| KAS-ECC-SSC Sp800-56Ar3 (A3548) | KAS-ECC-SSC Sp800-56Ar3 (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| KAS-FFC-SSC Sp800-56Ar3 (A3548) | KAS-FFC-SSC Sp800-56Ar3 (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| KAS-IFC-SSC (A3548) | KAS-IFC-SSC (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| KDF SP800-108 (A3548) | KDF SP800-108 (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| KDA OneStep SP800-56Cr2 (A3548) | KDA OneStep SP800-56Cr2 (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| KDA TwoStep SP800-56Cr2 (A3548) | KDA TwoStep SP800-56Cr2 (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| KTS-IFC (A3548) | KTS-IFC (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| KTS-IFC (A3548) | KTS-IFC (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| PBKDF (A3548) | PBKDF (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| RSA SigGen (FIPS186-4) (A3548) | RSA SigGen (FIPS186-4) (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| RSA SigVer (FIPS186-4) (A3548) | RSA SigVer (FIPS186-4) (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| SHA-1 (A3548) | SHA-1 (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| SHA2-512 (A3548) | SHA2-512 (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| SHA3-256 (A3548) | SHA3-256 (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| KDF ANS 9.42 (A3548) | KDF ANS 9.42 (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| KDF ANS 9.63 (A3548) | KDF ANS 9.63 (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| KDF SSH (A3548) | KDF SSH (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| TLS v1.2 KDF RFC7627 (A3548) | TLS v1.2 KDF RFC7627 (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| TLS v1.3 KDF (A3548) | TLS v1.3 KDF (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| RSA KeyGen (FIPS186-4) (A3548) | RSA KeyGen (FIPS186-4) (A3548) | PCT | PCT | On Demand | On generation of keys |
| ECDSA KeyGen (FIPS186-4) (A3548) | ECDSA KeyGen (FIPS186-4) (A3548) | PCT | PCT | On Demand | On generation of keys |
| DSA KeyGen (FIPS186-4) (A3548) | DSA KeyGen (FIPS186-4) (A3548) | PCT | PCT | On Demand | On generation of keys |
| ECDSA SigGen (FIPS186-4) (A3548) | ECDSA SigGen (FIPS186-4) (A3548) | KAT | CAST | On Demand | Manually by reloading the module or calling the fips_self_test function |
| ECDSA SigVer (FIPS186-4) (A3548) | ECDSA SigVer (FIPS186-4) (A3548) | KAT | CAST | On Demand | Manually by reloading the module or |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
| Name | Algorithm Or Test | Periodic Method |
|---|---|---|
| Test | Test | Method |
| Name | Description | Role Access | Indicator | |
|---|---|---|---|---|
| ERR OR STA TE | •The error state is persistent and no services are available •All attempts to use the Module’s services result in the return of a non-zero error code, PROV_R_FIPS_MODULE_IN_ ERROR_STATE | If one of the KATs or if the Softwar e Integrit y Test fails, the Module enters the self-test failure error state | PROV_R_FIPS_MODULE_IN_ ERROR_STATE | To recove r from an error state, reload the Modul e into memo ry |
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider Table 22: Conditional Periodic Information
verification) can also be called on demand, fulfilling AS05.11. Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider
The Module is provided to vendors who integrate it into their product, typically in a manufacturing environment, and is not provided directly to US or Canadian Federal agencies. Adherence to the instructions in this document maintains security throughout the distribution, build, installation and configuration processes. An authorized Cryptographic Officer is required to perform these steps on each platform where it is intended to be used. The config file output contains information about the Module (such as the self-test status and the Module checksum) and must not be manually modified without using the openssl fipsinstall command. Crypto Officer Guidance a. Installation and Usage Guidance The Module is installed as part of the OpenSSL 3.1.2 library. The source distribution package is located at https://www.openssl.org/source/openssl-3.1.2.tar.gz. The VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider can be installed on the Tested Configurations listed in Table 3 by performing the following steps:
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider The Installation of the VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider that occurs as a result of Step 1 above ensures that the shared library and the configuration file containing information about the Module (e.g., the Module checksum) is copied to its installed location. To install the configuration file to a non-default location, this can be achieved by running the ‘fipsinstall’ command line application manually: $ openssl fipsinstall -pedantic Please see fipsinstall.html /docs/man3.1/man1/openssl-fipsinstall.html for options supported for the ‘openssl fipsinstall’ command. Note: The software integrity check (per Section 5 of this document) is performed using HMAC-SHA2-256 on the Module file to validate that the Module has not been modified. The integrity value is compared to a value written to the config file during installation. b. CVEs The publication of a CVE does not require immediate re-validation or maintenance in the CMVP process. The module may be updated in the field as needed depending on the severity or consequences of the CVE. The Module will be kept up to date with re-validation and maintenance as required, generally bundling fixes for known CVEs in a next release. The OpenSSL organization maintains a Vulnerabilities page which describes known vulnerabilities and potential resolution. These are reported to the NVD, where they are independently assessed. The OpenSSL group publishes fixes for these vulnerabilities according to their triage process. c. Miscellaneous The module performs run-time checks related to enforcement of security parameters such as the minimum-security strength of keys, valid key sizes, and usage of approved curves. These checks shall not be disabled (by using OPENSSL_NO_FIPS_SECURITYCHECKS or any other method). Validation of domain parameters prior to generating keys using functions provided by the module is the responsibility of the Cryptographic Officer and not enforced by the module itself.
No additional guidance applies for the operation of the module apart from that specified in Sections 2, 3 of this document and other subsections under this section.
No additional guidance applies for the operation of the module apart from that specified in Sections 2, 3 of this document and other subsections under this section.
No additional rules apply for the operation of the module apart from those specified in the remainder of this section and Section 2.4 of this document. Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider
No maintenance requirements apply for operation of the module in the Approved/non-Approved modes as defined above.
Module Sanitization and Destruction Sanitization is defined in [ISO19790] as “... the process of removing sensitive information (e.g. SSPs, user data, etc.) from the module, so that it may either be distributed to other operators or disposed.” The Module itself does not manage persistent SSPs, authentication data or any user data. The Module may be securely sanitized by deletion of the folder in which the Module was located. There are no additional procedures required for secure destruction of the Module. Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.
VMware’s OpenSSL FIPS Provider based on the OpenSSL FIPS Provider
The Module implements mitigations for some types of attacks using the constant-time implementations and blinding. Constant-time implementations protect cryptographic implementations in the Module against timing analysis since such attacks exploit differences in execution time depending on the cryptographic operation, and constant-time implementations ensure that the variations in execution time cannot be traced back to the key, CSP or secret data. Numeric blinding protects the RSA, DSA and ECDSA algorithms from timing attacks. These algorithms are vulnerable to such attacks since attackers can measure the time of signature operations or RSA decryption. To mitigate this, the Module generates a random blinding factor which is provided as an input to the decryption/signature operation and is discarded once the operation has completed and resulted in an output. This makes it difficult for attackers to attempt timing attacks on such operations without the knowledge of the blinding factor, and therefore the execution time cannot be correlated to the RSA/DSA/ECDSA key. Broadcom Inc. 2025 This document may be reproduced and distributed only in its original entirety without revision.