Copyright © wolfSSL Inc., 2024 Page 1 of 23 wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision). wolfCrypt Versions 4.0, 4.0.1, 4.1.0, 4.2.0, 4.3.0, 4.3.2, 4.3.2a, 4.3.2b, 4.3.2c 4.3.4, 4.4.1, 4.4.1a, 4.4.2, 4.5.2, 4.5.4, 4.5.4a, 4.5.4b, 4.6.1, 4.6.2 FIPS 140-2 Non-Proprietary Security Policy Document Version 3.57 February 12, 2024 Prepared for: Prepared by: wolfSSL Inc. 10016 Edmonds Way Suite C-300 Edmonds, WA 98020 wolfSSL.com +1 425.245.8247 KeyPair Consulting Inc. 846 Higuera Street Suite 2 San Luis Obispo, CA 93401 keypair.us +1 805.316.5024 Copyright © wolfSSL Inc., 2024 Page 2 of 23 wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision). Table of Contents 1 Introduction..........................................................................................................................3 2 Operational Environment .....................................................................................................4 3 Cryptographic Boundary and Logical Interfaces....................................................................8 4 Approved and Allowed Cryptographic Functionality.............................................................9 5 Modes of Operation, Security Rules and Guidance.............................................................15 6 Critical Security Parameters................................................................................................17 7 Roles, Services, and Authentication....................................................................................18 8 Self-tests .............................................................................................................................20 9 References, Definitions and Source Files ............................................................................21 List of Tables Table 1 - Security Level of Security Requirements........................................................................................3 Table 2 – Tested Operating Environments ...................................................................................................4 Table 3 – Ports and Interfaces ...................................................................................................................... 8 Table 4 – Approved Cryptographic Functions...............................................................................................9 Table 5 – Allowed Functions ....................................................................................................................... 15 Table 6 - Critical Security Parameters (CSPs)..............................................................................................17 Table 7 - Public Keys.................................................................................................................................... 17 Table 8 – Authorized Services available in FIPS mode................................................................................18 Table 9 – CSP and Public Key Access Rights within Services.......................................................................19 Table 10 - Power-on Self-tests.................................................................................................................... 20 Table 11 - Conditional Self-tests .................................................................................................................20 Table 12 – References................................................................................................................................. 21 Table 13 - Acronyms and Definitions..........................................................................................................22 Table 14 - Source Files ................................................................................................................................ 23 Copyright © wolfSSL Inc., 2024 Page 3 of 23 wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision). 1 Introduction This document defines the Security Policy for the wolfSSL Inc. wolfCrypt (Software Versions 4.0, 4.0.1, 4.1.0, 4.2.0, 4.3.0, 4.3.2, 4.3.2a, 4.3.2b, 4.3.2c, 4.3.4, 4.4.1, 4.4.1a, 4.4.2, 4.5.2, 4.5.4, 4.5.4a, 4.5.4b, 4.6.1, and 4.6.2) module, hereafter denoted the Module. The Module is a cryptography software library, designated as a multi-chip standalone embodiment in [140] terminology. The Module is intended for use by US and Canadian Federal agencies and other markets that require FIPS 140-2 validated cryptographic functionality. The Module meets FIPS 140-2 overall Level 1 requirements, with security levels as follows: Table 1 - Security Level of Security Requirements Security Requirement Security Level Cryptographic Module Specification 1 Cryptographic Module Ports and Interfaces 1 Roles, Services, and Authentication 1 Finite State Model 1 Physical Security N/A Operational Environment 1 Cryptographic Key Management 1 EMI/EMC 1 Self-Tests 1 Design Assurance 1 Mitigation of Other Attacks N/A The Module does not implement attack mitigations outside the scope of [140], hence [140] Section 4.11 Mitigation of Other Attacks is not applicable per [140IG] G.3 Partial Validations and Not Applicable Areas of FIPS 140-2. [140] Section 4.5 Physical Security is not applicable, as permitted by [140IG] 1.16, Software Module and [140IG] G.3. The Module conforms to [140IG] D.8 Key Agreement Methods Scenario X1.1: while it provides [56A] conformant schemes and API entry points oriented to TLS and KDF usage, the Module does not provide a full implementation of KDF’s listed in SP800-135rev1 or of TLS. The TLS protocol and KDF’s that are outside the module boundary have not been reviewed or tested by the CAVP and CMVP. The Module design corresponds to the Module security rules. Security rules enforced by the Module are described in the appropriate context of this document. Copyright © wolfSSL Inc., 2024 Page 4 of 23 wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision). 2 Operational Environment Operational testing was performed for the following Operating Environments: Table 2 – Tested Operating Environments Operating System Processor Platform Version Tested 1 Linux 4.4 (Ubuntu 16.04 LTS) Intel® Core™ i5-5300U CPU @ 2.30GHz x 4 with AES-NI Intel Ultrabook 2 in 1 4.0 2 Linux 4.4 (Ubuntu 16.04 LTS) Intel® Core™ i5-5300U CPU @ 2.30GHz x 4 without AES-NI Intel Ultrabook 2 in 1 4.0 3 Windows 10 (64-bit) Intel® Core™ i5-5300U CPU @ 2.30GHz x 4 with AES-NI Intel Ultrabook 2 in 1 4.0 4 Windows 10 (64-bit) Intel® Core™ i5-5300U CPU @ 2.30GHz x 4 without AES-NI Intel Ultrabook 2 in 1 4.0 5 OpenRTOS v10.1.1 STMicroelectronics STM32L4x STMicroelectronics STM32L4R9I-DISCO (Discovery Kit) 4.0.1 6 HP Imaging & Printing Linux 4.9 ARM Cortex-A72 with PAA HP PN 3PZ95-60002 4.1.0 7 HP Imaging & Printing Linux 4.9 ARM Cortex-A72 without PAA HP PN 3PZ95-60002 4.1.0 8 Windows 10 Enterprise Intel® Core™ i7-7820 @ 2.9GHz x 4 with AES- NI Radar FCL Package Utility 4.2.0 9 Windows 10 Enterprise Intel® Core™ i7-7820 @ 2.9GHz x 4 without AES-NI Radar FCL Package Utility 4.2.0 10 Linux socfpga Cyclone V Armv7 rev 0, Cortex A-9 SEL 2700 Series 24-Port Ethernet Switch 4.3.0 11 Fusion Embedded RTOS 5.0 Analog Devices ADSP-BF516 (BlackFin) Classone® IP Radio Gateway 4.3.4 12 Linux 4.12 Yocto Standard Freescale i.MX6 DualLite ARMv7 Cortex-A9 x2 with PAA Metasys® SNC/SNE Series Network Control Engine 4.4.1 13 Linux 4.12 Yocto Standard Freescale i.MX6 DualLite ARMv7 Cortex-A9 x2 without PAA Metasys® SNC/SNE Series Network Control Engine 4.4.1 14 Nucleus 3.0 version 2013.08.1 Freescale Vybrid VF500 XL200 Radio 4.4.2 15 CodeOS v1.4 CodeCorp CT8200 (ARM FA626TE) Series CR2700 Code Reader(s) 4.5.2 16 Linux 4.14 ARMv8 Cortex A53 with PAA SEL-2742S 4.5.4 17 Linux 4.14 ARMv8 Cortex A53 without PAA SEL-2742S 4.5.4 18 Windows CE 6.0 ARM Cortex A8 HP LaserJet Enterprise 4.6.2 19 CMSIS-RTOS2 v2.1.3 Silicon Labs EFM32G (Gecko) Alto™ 4.6.1 Copyright © wolfSSL Inc., 2024 Page 5 of 23 wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision). 20 QNX 6.6 ARM® Cortex®-A9 Zebra ZT610 4.3.2 21 QNX 7.0 ARM® Cortex®-A7 (x2) Zebra ZT421 4.3.2 22 QNX 6.5 ARM9® Zebra ZQ630 4.5.2 23 QNX 7.0 ARM® Cortex®-A7 Zebra ZD621 4.3.2 24 SUSE Linux Enterprise Server on VMWare ESXi 6.7.0 Intel® Xeon® E-2234 with PAA Dell PowerEdge T340 4.3.2 25 SUSE Linux Enterprise Server on VMWare ESXi 6.7.0 Intel® Xeon® E-2234 without PAA Dell PowerEdge T340 4.3.2 26 Linux 4.14 ARM Cortex A9 (x2) with PAA Lenovo XClarity Controller 4.4.1a 27 Linux 4.14 ARM Cortex A9 (x2) without PAA Lenovo XClarity Controller 4.4.1a 28 Windows Server 2016 Standard Intel® Xeon® E5-2603 with PAA Dell PowerEdge R430 4.3.2 29 Windows Server 2016 Standard Intel® Xeon® E5-2603 without PAA Dell PowerEdge R430 4.3.2 30 Swoop Kernel 1.5 Xilinx Zynq Ultrascale+ XCZU9EG™ ARM® Cortex®-A53 Skipper 4.5.4 31 Windows 10 Pro Intel® Core™ i7-7600 with PAA Lenovo Thinkpad T470 4.3.2 32 Windows 10 Pro Intel® Core™ i7-7600 without PAA Lenovo Thinkpad T470 4.3.2 33 Windows Server 2019 Intel® Xeon® Silver 4116 with PAA HPE ProLiant DL360 4.3.2 34 Windows Server 2019 Intel® Xeon® Silver 4116 without PAA HPE ProLiant DL360 4.3.2 35 Android 11 Qualcomm Snapdragon 865 SoC with PAA Samsung Galaxy S20 5G 4.5.4 36 Android 11 Qualcomm Snapdragon 865 SoC without PAA Samsung Galaxy S20 5G 4.5.4 37 Net+OS v7.6 Digi International NS9210 Sigma IV Infusion Pump 4.5.2 38 Linux 5.4 Intel Xeon® E-2244G with PAA Dell PowerEdge R340 Rack Server 4.3.2 39 Linux 5.4 Intel Xeon® E-2244G without PAA Dell PowerEdge R340 Rack Server 4.3.2 40 Linux 5.4 Freescale i.MX7 Dual Arm Cortex A-7 with PAA iSTAR physical access controller 4.4.1a 41 Linux 5.4 Freescale i.MX7 Dual Arm Cortex A-7 without PAA iSTAR physical access controller 4.4.1a 42 Linux 4.12 Intel® Core™ i3 – 7101 with PAA HP PageWide XL 4.3.2 43 Linux 4.12 Intel® Core™ i3 – 7101 without PAA HP PageWide XL 4.3.2 44 Linux 4.9 Freescale i.MX7 Dual ARM Cortex-A7 with PAA ZOLL Communications Module 4.4.1a 45 Linux 4.9 Freescale i.MX7 Dual ARM Cortex-A7 without PAA ZOLL Communications Module 4.4.1a Copyright © wolfSSL Inc., 2024 Page 6 of 23 wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision). 46 NetBSD Rev 6.0.1 Intel® Atom® E3930 RICOH IM C2500 4.3.2 47 NetBSD Rev 6.0.1 Intel® Atom® E3940 RICOH IM C6000 4.3.2 48 Android 6.0 (Linux 4.1) Freescale i.MX6 Quad/DualLite with PAA RICOH IM C6000 4.4.1a 49 Android 6.0 (Linux 4.1) Freescale i.MX6 Quad/DualLite without PAA RICOH IM C6000 4.4.1a 50 iOS 14 Apple A14 Bionic with PAA iPhone 12 4.5.4a 51 iOS 14 Apple A14 Bionic without PAA iPhone 12 4.5.4a 52 Android 8.1 (Linux 4.4) Qualcomm Snapdragon 835 (APQ8098 / MSM8998) with PAA EchoNous Kosmos® Bridge 4.5.4a 53 Android 8.1 (Linux 4.4) Qualcomm Snapdragon 835 (APQ8098 / MSM8998) without PAA EchoNous Kosmos® Bridge 4.5.4a 54 CentOS 7.9 on host VMware ESXi 6.7 Intel® Xeon™ X5650 with PAA HP ProLiant DL360 4.3.2 55 CentOS 7.9 on host VMware ESXi 6.7 Intel® Xeon™ X5650 without PAA HP ProLiant DL360 4.3.2 56 Linux 3.10 (CentOS 7) Intel® Atom™ CPU D525 @ 1.80GHz with PAA Beckman Coulter PROService RAP BOX 4.3.2 57 Linux 3.10 (CentOS 7) Intel® Atom™ CPU D525 @ 1.80GHz without PAA Beckman Coulter PROService RAP BOX 4.3.2 58 Yocto (dunfell) 3.1 AMD GX-412TC SoC with PAA LinkGuard 4.3.2 59 Yocto (dunfell) 3.1 AMD GX-412TC SoC without PAA LinkGuard 4.3.2 60 Linux 5.4 Intel® Xeon® Gold 5218 CPU @ 2.30GHz LiveAction LiveNX Appliance 4.3.2 61 Windows 10 Pro Intel® Core™ i7-1255U @ 1.70 Ghz Dell Precision 3570 4.3.2 62 Debian GNU/Linux 8 (jessie) Intel® Atom™ C2558 @ 2.40GHz ufiSpace Cloud and Data Center Switch S7810-54QS 4.3.2a 63 FreeBSD 10.3 on VMWare ESXi 7.0 Intel® Xeon® Silver 4210 @ 2.20GHz Supermicro X11DPH-i 4.3.2a 64 Linux 5.15 on VMWare ESXi 7.0 Intel® Xeon® Silver 4210 @ 2.20GHz Supermicro X11DPH-i 4.3.2a 65 Debian GNU/Linux 8 (jessie) Broadcom BCM5634 Corning 1LAN-SDDP- 24POE 4.3.2a 66 Linux IPHO00550F22 4.1 Broadcom BCM6858 Corning 1LAN-SDAN-7691 4.3.2a 67 Linux IPHO00559B23 3.4 Broadcom BCM6838 Corning 1LAN-SDAN-7290 4.3.2a 68 macOS Monterey 12.5 Intel® Core™ i7-8569U @ 2.80Ghz with PAA Macbook Pro 4.3.2a 69 Windows 11 Enterprise Intel® Core™ i7-10610U @ 1.80Ghz with PAA Dell Latitude 7410 4.3.2a 70 macOS Monterey 12.5 Apple M1 Max with PAA Macbook Pro 4.5.4a 71 VxWorks 7 SR0630 Intel® Core™ i7-5850EQ @ 2.70GHz F-16 WASP 4.3.2a 72 macOS Monterey 12.5 Apple M1 with PAA Macbook Air 4.5.4b Copyright © wolfSSL Inc., 2024 Page 7 of 23 wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision). 73 macOS Monterey 12.5 Apple M1 without PAA Macbook Air 4.5.4b 74 Vortec Scheduler StarCore SC3850 DSP Core Avaya MP160 4.3.2b 75 VxWorks 7.0 NXP T1024 G450 Media Gateway 4.3.2b 76 VxWorks 6.9 NXP MPC8560 G430 Media Gateway 4.3.2b 77 Endace-Crypto- Firmware-1.0 Intel® Xeon® Silver 4316 CPU @2.30GHz with PAA EndaceProbe 2144 4.3.2a 78 VxWorks 6.9 TNETV1050 Sectéra vIPer™ Phone 4.3.2a 79 Janteq Zynq Linux 4.19 Xilinx Zynq Ultrascale+ with PAA Bronte3 4.5.4b 80 Janteq Zynq Linux 5.4 Xilinx Zynq-7000 SoC with PAA AviTr3 4.4.1a 81 Janteq S5L Linux 4.9 Ambarella S5L SoC with PAA Maximo 4.5.4b 82 VxWorks 5.5 Marvell Poncat2 Sheeva™ ML6416E 4.3.2c 83 Janteq iMX8QM Linux 5.4 i.MX8 Quad Max SoC with PAA FLIP2 4.5.4b 84 Endace Crypto Firmware 1.0 Intel® Xeon® Gold 6338N CPU @2.20GHz with PAA EndaceProbe 2184 4.3.2a 85 Endace Crypto Firmware 1.0 Intel® Xeon® Gold 6230N CPU @2.30GHz with PAA EndaceProbe 92C8 4.3.2a 86 Endace Crypto Firmware 1.0 Intel® Xeon® Gold 5418N CPU @1.80GHz with PAA EndaceProbe 94C8 4.3.2a 87 Android 13.0 Qualcomm Snapdragon 8 SoC with PAA Samsung Galaxy S22 4.5.4a The Module conforms to [140IG] 6.1 Single Operator Mode and Concurrent Operators. The tested environments place user processes into segregated spaces. A process is logically removed from all other processes by the hardware and Operating System. Since the Module exists inside the process space of the application this environment implicitly satisfies the requirement for a single user mode. The Module conforms to [140IG] 1.21 Processor Algorithm Accelerators (PAA) and Processor Algorithm Implementation (PAI). The Intel Processor AES-NI functions are identified by [140IG] 1.21 as a known PAA. The Module is also supported on the following platform(s) for which operational testing was not performed: • The module version 4.1.0 is also supported with HP Imaging & Printing Linux 4.9 on an ARM Cortex-A53 running on HP Printing & Imaging Devices. • The module version 4.6.2 is also supported with Windows CE 6.0 on an ARM Cortex A8 running on HP FutureSmart LaserJets and PageWide Enterprise & Managed devices. Note: The CMVP makes no claim as to the correct operation of the Module on this operational environment. Copyright © wolfSSL Inc., 2024 Page 8 of 23 wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision). 3 Cryptographic Boundary and Logical Interfaces Figure 1 depicts the Module operational environment, with the logical boundary highlighted in red inclusive of all Module entry points (API calls), conformant with [140IG] 14.3 Logical Diagram for Software, Firmware and Hybrid Modules. Figure 1 – Module Block Diagram The Module conforms to [140IG] 1.16 Software Module: • The physical cryptographic boundary is the general-purpose computer which wholly contains the Module and operating system. • The logical cryptographic boundary is the set of object files corresponding to the source code files listed in Table 14. • All components are defined per AS01.08; no components are excluded from [140] requirements. • The Module does not map any interfaces to physical ports. Table 3 defines the Module’s [140] logical interfaces. • The power-up approved integrity test is performed over all components of the logical boundary. • Updates to the Module are provided as a complete replacement in accordance with [140IG] 9.7 Software/Firmware Load Test. Table 3 – Ports and Interfaces Description Logical Interface Type API entry point Control in API function parameters Data in API return value Status out API function parameters Data out Copyright © wolfSSL Inc., 2024 Page 9 of 23 wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision). 4 Approved and Allowed Cryptographic Functionality The Module implements the FIPS Approved and allowed cryptographic functions listed in Table 4 below. VA in the Cert column indicates Vendor Affirmed. Strength citations use [57P1] notation. Table 4 – Approved Cryptographic Functions Cert Algorithm Mode Key Lengths, Curves or Moduli (in bits) Use 5446, C663, C1051, C1438, C1568, C1727, C1746, A894, A902, A949, A1103, A1180, A1261, A1565, A2119, A2790, A3234, A3412 and A4369 AES [197] CBC [38A] Key sizes: 128, 192, 256 Encryption, Decryption CTR [38A] Key sizes: 128, 192, 256 Encryption, Decryption CCM [38C] Key sizes: 128, 192, 256 Tag len: 32*, 48*, 64, 80*, 96*, 112*, 128 Authenticated Encryption, Authenticated Decryption, Message Authentication CMAC [38C] Key sizes: 128, 192, 256 Generation, Verification ECB [38A] Key sizes: 128, 192, 256 Encryption, Decryption GMAC Key sizes: 128, 192, 256 Message Authentication GCM [38D] Key sizes: 128, 192, 256 Tag len: 96, 104, 112, 120, 128 Authenticated Encryption, Authenticated Decryption, Message Authentication 2131, C663, C1051, C1438, C1568, C1727, C1746, A894, A902, A949, A1103, A1180, A1261, A1565, A2119, A2790, A3234, A3412 and A4369 DRBG [90A] Hash_DRBG SHA-256 Random Bit Generation, no prediction resistance Copyright © wolfSSL Inc., 2024 Page 10 of 23 wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision). Cert Algorithm Mode Key Lengths, Curves or Moduli (in bits) Use 1401, C663, C1051, C1438, C1568, C1727, C1746, A894, A902, A949, A1103, A1180, A1261, A1565, A2119, A2790, A3234, A3412 and A4369 DSA [186] L = 2048 N = 256 FFC Key Generation for KAS 1451, C663, C1051, C1438, C1568, C1727, C1746, A894, and A902, ECDSA [186] P-192 (Signature and Key Verification only), P-224, P-256, P-384, P-521 SHA- 1**, SHA-224, SHA-256, SHA-384, and SHA-512 SHA3-224†, SHA3-256†, SHA3-384†, and SHA3- 512† ECC Key Generation, Public Key Validation, Signature Generation, Signature Verification A949, A1103, A1180, A1261, A1565, A2119, A2790, A3234, A3412 and A4369 ECDSA [186] P-192 (Signature and Key Verification only), P-224, P-256, P-384, P-521 SHA- 1**, SHA-224, SHA-256, SHA-384, and SHA-512 SHA3-224, SHA3-256, SHA3-384, and SHA3-512 ECC Key Generation, Public Key Validation, Signature Generation, Signature Verification Copyright © wolfSSL Inc., 2024 Page 11 of 23 wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision). Cert Algorithm Mode Key Lengths, Curves or Moduli (in bits) Use 3604, C663, C1051, C1438, C1568, C1727, C1746, A894, A902, A949, A1103, A1180, A1261, A1565, A2119, A2790, A3234, A3412 and A4369 HMAC [198] SHA-1, SHA-224, SHA- 256, SHA-384, and SHA-512 SHA3-224, SHA3-256, SHA3-384, and SHA3-512 Generation, Verification, Message Authentication 1891, C663, C1051, C1438, C1568, C1727, C1746, A894, A902, A949, A1103, A1180, A1261, A1565, A2119, A2790, A3234, A3412 and A4369 CVL (KAS) [56A] FFC FC L = 2048 N = 256 Key Agreement primitives ECC P-256, P-384, P-521 ECC CDH P-256, P-384, P-521 Copyright © wolfSSL Inc., 2024 Page 12 of 23 wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision). Cert Algorithm Mode Key Lengths, Curves or Moduli (in bits) Use 1892, C663, C1051, C1438, C1568, C1727, C1746, A894, A902, A949, A1103, A1180, A1261, A1565, A2119, A2790, A3234, A3412 and A4369 CVL (RSADP) [56B] *** k = 2048 Key transport primitive RSADP A894, A902, A949, A1103, A1180, A1261, A1565, A2119, A2420, A2421, A2422, A2423, A2460 A2465, A2790, A3234, A3412 and A4369 (KAS-SSC) [56Ar3] FFC-SSC FC L = 2048 N = 256, s= 112 Key Agreement Scheme; Key establishment methodology provides between 112 and 256 bits of encryption strength ECC-SSC P-256, P-384, P-521; ephemeralUnified N = 256, 384, 512 s = 128, 192, 256 Copyright © wolfSSL Inc., 2024 Page 13 of 23 wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision). Cert Algorithm Mode Key Lengths, Curves or Moduli (in bits) Use 2922, C663, C1051, C1438, C1568, C1727, and C1746 RSA [186] PKCS v1.5 and PSS 1024 (verification only), 2048, 3072, 4096‡ SHA-1 (verification only) SHA-224, SHA-256, SHA-384, and SHA-512 SHA3-224†, SHA3-256†, SHA3-384†, and SHA3- 512† Key Generation, Signature Generation, Signature Verification A894, A902, A949, A1103, A1180, A1261, A1565, A2119, A2790, A3234, A3412 and A4369 RSA [186] PKCS v1.5 and PSS 1024 (verification only), 2048, 3072, 4096 SHA-1 (verification only) SHA-224, SHA-256, SHA-384, and SHA-512 SHA3-224†, SHA3-256†, SHA3-384†, and SHA3- 512† Key Generation, Signature Generation, Signature Verification 45, C663, C1051, C1438, C1568, C1727, C1746, A894, A902, A949, A1103, A1180, A1261, A1565, A2119, A2790, A3234, A3412 and A4369 SHA-3 [202] SHA3-224, SHA3-256, SHA3-384, SHA3-512 Message Digest Generation Copyright © wolfSSL Inc., 2024 Page 14 of 23 wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision). Cert Algorithm Mode Key Lengths, Curves or Moduli (in bits) Use 4365, C663, C1051, C1438, C1568, C1727, C1746, A894, A902, A949, A1103, A1180, A1261, A1565, A2119, A2790, A3234, A3412 and A4369 SHS [180] SHA-1, SHA-224, SHA- 256, SHA-384, SHA-512 Message Digest Generation 2736, C663, C1051, C1438, C1568, C1727, C1746, A894, A902, A949, A1103, A1180, A1261, A1565, A2119, A2790, A3234, A3412 and A4369 Triple-DES [67] TCBC [38A] Key size: 192 Encryption, Decryption * Was only tested on CAVP certificates A849, A902, and A949. Copyright © wolfSSL Inc., 2024 Page 15 of 23 wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision). ** CAVP testing permits testing with SHA-1; see Section 5, item 3.c below for conditions. † Vendor-affirmed when used with SHA-3 (CAVP testing does not offer testing with SHA-3 variants). ‡ Vendor affirmed when used with k=4096 for key generation and signature verification; the module supports k=4096 for all operations, but CAVP testing of k = 4096 is only available for signature generation. At the time of certification, this was compliant for FIPS 186-2, but is no longer approved. *** RSADP with k=2048 is the only CAVP testable aspect of [56B] key transport and is listed in the Component Validation List (CVL). The vendor affirms conformance to [56B] for RSAEP and RSADP with other key sizes, since no CAVP test is available. As defined in [90A] Table 2, the SHA-256 Hash_DRBG requires 256 bits of entropy. For the Intel operational environments listed in Table 2 (#1, #2, #3, 4, #8, and #9), the Module provides the [140IG] 7.14 1(b) option to use a hardware NDRNG to supply all entropy necessary to instantiate Hash_DRBG. In this case, the Module collects 2048 bits of entropy input with 0.5 bits of entropy per one-bit sample, yielding 1024 bits of effective entropy. If the build setting -DHAVE_INTEL_RDSEED is not present, then the Intel NDRNG feature is not enabled, and the caller is required to define a callback function to provide the required entropy. The build setting -DHAVE_INTEL_RDSEED should not be used unless the UG specifically states it is allowed for a given OE (which is only the case for OEs listed in Table 2 corresponding to rows #1, #2, #3, #4, #8 and #9). For this case, a caveat is required per [140IG] 7.14 Entropy Caveats; following the example of [140IG] G.13 Instructions for Validation Information Formatting: “When entropy is externally loaded, no assurance of the minimum strength of generated keys.” The caller may optionally supply a nonce; if no nonce is supplied by the caller, a 1024-bit value obtained from the NDRNG is used for the nonce. The nonce and entropy input are provided to the [90A] hash derivation function as part of DRBG instantiation. Seeds used for asymmetric key generation are the unmodified output of from the approved DRBG. Table 5 – Allowed Functions Description / Usage HW NDRNG Hardware RNG (the Intel RDSEED function) when available. 5 Modes of Operation, Security Rules and Guidance The Module supports a FIPS Approved mode of operation and a non-FIPS Approved mode of operation and conforms to [140IG] 1.2 and 1.19 non-Approved Mode of Operation. FIPS Approved algorithms are listed in Table 4. The conditions for using the Module in the [140] Approved mode of operation are: 1. The Module is a cryptographic library, and it is intended to be used with a calling application. The calling application is responsible for the usage of the primitives in the correct sequence. 2. The keys used by the Module for cryptographic purposes are determined by the calling application. The calling application is required to provide keys in accordance with [140D]. 3. With the Module installed and configured in accordance with [UG] instructions, only the algorithms listed in Table 4 are available. The Module is in the Approved mode if the following conditions for algorithm use are met. a. Adherence to [140IG] A.13 SP 800-67rev1 Transition. The calling process shall limit encryption with a Triple-DES key used in a recognized IETF protocol to 220 64-bit blocks of data. The calling Copyright © wolfSSL Inc., 2024 Page 16 of 23 wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision). application shall limit encryption with a Triple-DES key used in any other scenario to 216 blocks of data. b. Adherence to [140IG] A.5 Key/IV Pair Uniqueness Requirements from SP 800-38D. The Module supports both internal IV generation (for use with the [56A] compliant KAS API entry points) and external IV generation (for TLS KAS usage). For internal IV generation, A.5 requires the calling application to use the internal hardware NDRNG to seed the Hash_DRBG. For external IV generation, the Module complies with A.5 1 (a), tested per option (ii) under A.5 TLS protocol IV generation. c. ECDSA and RSA signature generation must be used with a SHA-2 or SHA-3 hash function. In accordance with [131], use of SHA-1 for signature generation is disallowed, except where specifically allowed by NIST protocol-specific guidance. Otherwise, signature generation using SHA-1 for digital signature generation places the Module in the non-Approved mode. d. RSA signature generation and encryption primitives must use RSA keys with k = 2048, 3072 or 4096 bits or greater. e. The calling process shall adhere to all current [131A] algorithm usage restrictions. Copyright © wolfSSL Inc., 2024 Page 17 of 23 wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision). 6 Critical Security Parameters All CSPs and public keys used by the Module are described in this section. The list of CSPs and public keys are arranged for consistency within Table 9, which is organized for the reviewer convenience. Table 6 - Critical Security Parameters (CSPs) CSP Description / Usage DS_SGK Private component of an RSA key pair (k = 2048, 3072 or 4096) * or ECC key pair (P-256, P-384, P-521)† for signature generation GKP_Private Private component of a general-purpose key pair generated by the Module, with use determined by the caller. May be RSA (k =2048, 3072 or 4096) * or ECC key pair (P-256, P-384, P-521)‡. KAS_Private Private component of an FFC (L = 2048 N = 256) † or ECC (P-256, P-384, P-521) key pair provided by the local participant, used for Diffie-Hellman shared secret generation. KAS_SS The Diffie-Hellman ([56Arev3] Section 5.7.1.1 FFC DH or [56Arev3] Section 5.7.1.2 ECC CDH) shared secret. FFC: 112-bit security strength†. ECC: (security strength between 128-bits and 256-bits)‡. KD_DKM Key Derivation derived keying material. The separation into specific keys is done outside the scope of the module but must be conformant to [56C]. KH_Key Keyed Hash key. May be 128-bit, 192-bit or 256-bit for use with CMAC or GMAC; or 160-bit, 256-bit or 512-bit for use with HMAC. KTS_KDK Private component of an RSA key pair (k = 2048 or greater) used for RSA key transport*. KTS_SS The RSA key transport shared secret (112-bit and 128-bit security strength). RBG_Seed Entropy input (see the [140IG] 7.14 statement above) and nonce. RBG_State Hash_DRBG (SHA-256) state V (440-bit) and C (440-bit). SC_EDK AES (128-bit, 192-bit or 256-bit) or Triple-DES (192-bit 3-Key, 112-bit equivalent strength) key used for symmetric encryption (including AES authenticated encryption). Table 7 - Public Keys Public Key Description / Usage DS_SVK Public component of an RSA key pair (k = 1024, 2048, 3072, or 4096)* or ECC key pair (P-256, P-384, or P-521)‡ for signature verification. GKP_Public Public component of a general-purpose key pair generated by the Module, with use determined by the caller. May be RSA (k =2048, 3072 or 4096)* or ECC key pair (P-256, P-384, P-521)‡. KAS_Public Public component of an FFC (L = 2048 N = 256) † or ECC (P-256, P-384, P-521) key pair received from the remote participant, used for Diffie-Hellman shared secret generation. KTS_KEK Public component of an RSA key pair (k = 2048 or greater) used for RSA key transport*. * For RSA key pairs, equivalent strength is taken from [57P1] Table 2: k = 1024-bits (80-bits; signature verification only); k = 2048 (112-bits); k = 3072 (128-bits). [57P1] defines k as the size of modulus n. † For DH key pairs, L = 2048 N = 256 is equivalent to 112-bits of security strength. ‡ For ECC key pairs, P-256, P-384, P-521 curves correspond to 128-bits, 192-bits and 256-bits of security strength, respectively. Copyright © wolfSSL Inc., 2024 Page 18 of 23 wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision). 7 Roles, Services, and Authentication The Module supports two distinct operator roles, User and Cryptographic Officer (CO), and does not support multiple concurrent operators, a maintenance role or bypass capability. The cryptographic module does not provide an authentication or identification method of its own. The CO and the User roles are implicitly identified by the service requested. All services implemented by the Module are listed in the tables below with a description of service CSP access. The calling application may use the wolfCrypt_GetStatus_fips() API to determine the current status of the Module. A return code of 0 means the Module is in a state without errors. Any other return code is the specific error state of the Module. See [UG] for additional information on the cryptographic services listed in this section. Keys are provided to the Module by the calling application; manual key entry is not supported. Data output is inhibited during self-tests, zeroization, and error states. Table 8 – Authorized Services available in FIPS mode Service Description Role Digital signature Generate or verify ECDSA or RSA digital signatures. User Generate key pair Generate asymmetric (ECDSA or RSA) key pairs. User Key agreement Primitives used for DH key agreement on behalf of the application. The DH or EC DH keys are passed in by the calling application. User Key derivation Derive keying material from a shared secret. User Keyed hash Generate or verify data integrity with CMAC, GMAC or HMAC. User Key transport Key transport primitives (RSAEP, RSADP) used to encrypt or decrypt keying material on behalf of the caller. User Message digest Generate a message digest. User Random Generate random bits using the DRBG. User Self-test Run power-on self-test. User Show status Provide Module status. User Symmetric cipher Encrypt and decrypt data (including authenticated encrypt and decrypt). User Zeroize Functions that destroy CSPs. FreeRng_fips destroys RNG CSPs. All other services automatically overwrite memory bound CSPs. Cleanup of the stack is the duty of the application. Restarting the general-purpose computer clears all CSPs in RAM. CO Copyright © wolfSSL Inc., 2024 Page 19 of 23 wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision). Table 9 describes Module service access to CSPs/cryptographic keys. In each cell below, the following annotations indicate the type of access by the Module service: • E (Execute): The service uses a CSP or public key provided by the calling application as positional parameter on the stack; the calling application owns the stack; the Module zeroizes all local copies of a CSP before returning. • G (Generate): The Module generates or derives the cryptographic keys/CSPs internally. The Module does not retain copies of the key after call completion. • I (Input): The Module receives the CSP on the stack. • O (Output): The Module outputs a CSP/cryptographic key to the calling application through the logical interface. The Module does not output CSPs through a physical port. • Z (Zeroize): The Module zeroizes the CSP. Table 9 – CSP and Public Key Access Rights within Services Services DS_SGK DS_SVK GKP_Private GKP_Public KAS_Private KAS_Public KAS_ SS KD_DKM KH_Key KTS_KDK KTS_KEK KTS_SS RBG_Seed RBG State SC_EDK Digital signature EI EI -- -- -- -- -- -- -- -- -- -- -- -- -- Generate key pair -- -- GO GO -- -- -- -- -- -- -- -- -- -- -- Key agreement -- -- -- -- EI EI GO -- -- -- -- -- -- -- -- Key derivation -- -- -- -- -- -- EI GO -- -- -- EI -- -- -- Keyed hash -- -- -- -- -- -- -- -- EI -- -- -- -- -- -- Key transport -- -- -- -- -- -- -- -- -- EI EI IO -- -- -- Message digest -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- Random -- -- -- -- -- -- -- -- -- -- -- -- EI EG -- Self-test -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- Show status -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- Symmetric cipher -- -- -- -- -- -- -- -- -- -- -- -- -- -- EI Zeroize Z -- Z -- Z -- Z -- Z Z -- Z Z Z Z Note: The caller provides the KAS_Private and KAS_Public keys for shared secret computation; the caller’s exchange and assurance of public keys with the remote participant is outside the scope of the Module. Copyright © wolfSSL Inc., 2024 Page 20 of 23 wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision). 8 Self-tests Each time the Module is powered up it tests that the cryptographic algorithms still operate correctly, and that sensitive data has not been damaged. The Module provides a default entry point to automatically run the power on self-tests compliant with [140IG] 9.10 Power-Up Tests for Software Module Libraries. Power on self–tests are available on demand by reloading the Module. On instantiation, the Module performs the self-tests described in Table 10. All KATs must complete successfully prior to any other use of cryptography by the Module. If one of the KATs fails, the Module enters the self-test failure error state. The error state is persistent, and no services are available. All attempts to use the Module’s services result in the return of a non-zero error code, FIPS_NOT_ALLOWED_E (-197). To recover from an error state, reload the Module into memory. Table 10 - Power-on Self-tests Test Target Description Software Integrity HMAC-SHA-256 with a 256-bit key. AES Separate encryption and decryption KATs, CBC mode, 128-bit key. AES GCM Separate authenticated encryption and decryption KATs, GCM mode, 128-bit key. DRBG KAT for the HASH_DRBG using SHA-256. ECDSA Performs an ECDSA PCT using the P-256 curve. HMAC HMAC-SHA-1 (160-bit key), HMAC-SHA-512 (512-bit key), and HMAC-SHA3-256 (256-bit key) KATs. KAS ECC [56A] Section 5.7.1.2 primitive “Z” computation KAT (per [140IG] 9.6), using P-256. KAS FFC [56A] Section 5.7.1.1 primitive “Z” computation KAT (per [140IG] 9.6), using L = 2048 N = 256. RSA Separate signature generation and signature verification KATs (k = 2048), inclusive of the embedded SHA-256, RSADP and RSAEP (KTS) self-tests. Triple-DES Separate encryption and decryption KATs, TCBC mode, 3-Key. HMAC and RSA KATs include the embedded SHA self-tests per [140IG] 9.1, 9.2, and A.11. Table 11 - Conditional Self-tests Test Target Description DRBG [90A] Section 11.3 Instantiate, Generate, Reseed health tests for SHA-256 Hash_DRBG. NDRNG CRNGT of 64 bit blocks on the output of the NDRNG when available. ECC PCT ECC Key Generation Pairwise Consistency Test, performed on ECC key pair generation. FFC PCT FFC Key Generation Pairwise Consistency Test, performed on FFC key pair generation. RSA PCT RSA Key Generation Pairwise Consistency Test, performed on RSA key pair generation. PCTs are performed in accordance with [140IG] 9.9 Pair-Wise Consistency Self-Test When Generating a Key Pair. Per IG 9.8, the continuous RNG test is not required for [90A] compliant DRBG output. Copyright © wolfSSL Inc., 2024 Page 21 of 23 wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision). 9 References, Definitions and Source Files Table 12 – References Ref Filename / Title / Description Date [140] FIPS 140-2, Security Requirements for Cryptographic Modules 12/3/2002 [140IG] FIPS 140-2 Implementation Guidance 3/27/2018 [180] FIPS 180-4, Secure Hash Standard (SHS) 8/4/2015 [186] FIPS 186-4, Digital Signature Standard (DSS) 7/19/2013 [197] FIPS 197, Advanced Encryption Standard (AES) 7/19/2013 [198] FIPS 198-1, The Keyed Hash Message Authentication Code (HMAC) 7/16/2008 [202] FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions 8/4/2015 [38A] SP 800-38A, Recommendation for Block Cipher Modes of Operation: Methods and Techniques 12/1/2001 [38C] SP 800-38C, Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality 7/20/2007 [38D] SP 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC 11/28/2007 [56A] SP 800-56A, Rev. 3, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography 4/16/2018 [56B] SP 800-56B, Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography 10/1/2014 [56C] SP 800-56C, Recommendation for Key-Derivation through Extraction-then-Expansion 11/2011 [57P1] SP 800-57 Part 1 Revision 4, Recommendation for Key Management Part 1: General 1/2016 [67] SP 800-67 Rev. 2, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher 7/18/2017 [90A] SP 800-90Ar1, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, Revision 1 6/24/2015 [131A] SP 800-131A Rev. 1, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths 11/6/2015 [UG] wolfCrypt FIPS User’s Guide Copyright © wolfSSL Inc., 2024 Page 22 of 23 wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision). Table 13 - Acronyms and Definitions Acronym Definition Acronym Definition AES Advanced Encryption Standard GCM Galois/Counter Mode AES-NI Advanced Encryption Standard New Instructions GMAC Galois Message Authentication Code API Application Programming Interface HMAC Keyed-Hash Message Authentication Code CAVP Cryptographic Algorithm Validation Program IG Implementation Guidance CBC Cipher-Block Chaining IV Initialization Vector CCM Counter with CBC-MAC KAS Key Agreement Scheme CMAC Cipher-based Message Authentication Code KAT Known Answer Test CMVP Cryptographic Module Validation Program KDF Key Derivation Function CO Cryptographic Officer KTS Key Transport Scheme CPU Central Processing Unit LTS Long Term Support CSP Critical Security Parameter NDRNG Non-deterministic Random Number Generator CTR Counter-mode NIST National Institute of Standards and Technology CVL Component Validation List PAA Processor Algorithm Accelerators DES Data Encryption Standard PCT Pair-wise Consistency Test DH Diffie-Hellman RAM Random Access Memory DRBG Deterministic Random Bit Generator RNG Random Number Generator DSA Digital Signature Algorithm RSA Rivest, Shamir, and Adleman Algorithm ECB Electronic Code Book RSADP RSA Decryption Primitive ECC Elliptic Curve Cryptography RSAEP RSA Encryption Primitive ECC-CDH Elliptic Curve Cryptography Cofactor Diffie-Hellman TCBC TDEA Cipher-Block Chaining ECDH Elliptic Curve Diffie-Hellman TDEA Triple Data Encryption Algorithm ECDSA Elliptic Curve Digital Signature Algorithm TDES Triple Data Encryption Standard EMC Electromagnetic Compatibility TLS Transport Layer Security EMI Electromagnetic Interference SHA Secure Hash Algorithm FFC Finite Field Cryptography SHS Secure Hash Standard FIPS Federal Information Processing Standard Copyright © wolfSSL Inc., 2024 Page 23 of 23 wolfSSL Inc. Public Material – May be reproduced only in its original entirety (without revision). The source code files listed in Table 14 create the corresponding object files that comprise the wolfCrypt module boundary on each supported operating environment; the extensions of the object file can differ across the environments. Table 14 - Source Files Source File Name Description aes.c AES algorithm aes_asm.s AES assembler optimizations (Linux, AT&T style) aes_asm.asm AES assembler optimizations (Windows 10, Intel style) cmac.c CMAC algorithm des3.c TDES algorithm dh.c Diffie-Hellman ecc.c Elliptic curve cryptography fips.c FIPS entry point and API wrappers fips_test.c Power on Self Tests hmac.c HMAC algorithm random.c DRBG algorithm rsa.c RSA algorithm sha.c SHA algorithm sha256.c SHA-256 algorithm sha3.c SHA-3 algorithm sha512.c SHA-512 algorithm wolfcrypt_first.c First FIPS function and Read Only address wolfcrypt_last.c Last FIPS function and Read Only address