NIAP: View Technical Decision Details
Archived TD0028: MDFPP v2.0 FCS_CKM_EXT.4 Memory Clear and Read-verify

Publication Date
2014.12.15

Protection Profiles
PP_MD_v2.0

Other References
PP_MD_V2.0, requirement FCS_CKM_EXT.4

Issue Description

The MDFPP v2.0 rewrite of FCS_CKM_EXT.4 requires that the TOE perform a “read-verify” after clearing keys in RAM. This requirement is new (or at least more explicit than before) and is causing problems: the OpenSSL library zeroizes key material in memory before freeing it, but does not perform a read-verify. Changing the OpenSSL code to implement the read-verify would invalidate its FIPS 140-2 validation.

Resolution

The read-verify action should not apply to volatile memory and should be removed from the requirement. It will still be required for non-volatile memory. The revised requirement will read as follows:

FCS_CKM_EXT.4.1 The TSF shall destroy cryptographic keys in accordance with the specified cryptographic key destruction methods:

  • by clearing the KEK encrypting the target key,
  • in accordance with the following rules:
    • For volatile memory, the destruction shall be executed by a single direct overwrite [selection: consisting of a pseudo-random pattern using the TSF’s RBG, consisting of zeroes].
    • For non-volatile EEPROM, the destruction shall be executed by a single direct overwrite consisting of a pseudo-random pattern using the TSF’s RBG (as specified in FCS_RBG_EXT.1), followed by a read-verify.
    • For non-volatile flash memory, the destruction shall be executed [selection: by a single direct overwrite consisting of zeros followed by a read-verify, by a block erase followed by a read-verify].
    • For non-volatile memory other than EEPROM and flash, the destruction shall be executed by overwriting three or more times with a random pattern that is changed before each write.

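
As an added illustration of the revised destruction rules (example code written for this page, not part of the Technical Decision or of OpenSSL), the following C sketch puts the volatile path (a single overwrite with zeroes, no read-verify) beside the non-volatile EEPROM path (an RBG-pattern overwrite followed by a read-verify). The RBG, the storage write hook and the EEPROM "cell" are stand-ins, and stuck_bit_write is a constructed fault that shows what the read-verify exists to catch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Volatile memory (RAM): a single direct overwrite with zeroes. The volatile
 * qualifier keeps the compiler from dropping stores to a buffer that is about
 * to be freed. Per the revised FCS_CKM_EXT.4.1, no read-verify follows. */
void zeroize_volatile(void *key, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)key;
    while (len--) *p++ = 0;
}

/* Returns 1 when every byte of b is zero (used only to check the above). */
int is_zeroed(const unsigned char *b, size_t n) { while (n--) if (*b++) return 0; return 1; }

/* Stand-in for the TSF's RBG (FCS_RBG_EXT.1); xorshift32 is NOT a compliant RBG. */
static uint32_t rbg_state = 0x2545F491u;
static void placeholder_rbg_fill(unsigned char *out, size_t len) {
    for (size_t i = 0; i < len; i++) {
        rbg_state ^= rbg_state << 13;
        rbg_state ^= rbg_state >> 17;
        rbg_state ^= rbg_state << 5;
        out[i] = (unsigned char)rbg_state;
    }
}

/* Write hook standing in for the storage driver; the EEPROM "cell" is a RAM
 * buffer here (assumption). stuck_bit_write is a constructed fault (one stuck bit). */
typedef void (*nv_write_fn)(unsigned char *cell, const unsigned char *data, size_t len);
void ram_write(unsigned char *cell, const unsigned char *data, size_t len) { memcpy(cell, data, len); }
void stuck_bit_write(unsigned char *cell, const unsigned char *data, size_t len) {
    memcpy(cell, data, len);
    cell[len - 1] ^= 0x01;
}

/* Non-volatile EEPROM: one direct overwrite with an RBG pattern, followed by
 * a read-verify. Returns 1 if the cell reads back as the pattern, else 0. */
int destroy_eeprom_key(unsigned char *cell, size_t len, nv_write_fn wr) {
    unsigned char pattern[64];
    if (len > sizeof pattern) return 0;
    placeholder_rbg_fill(pattern, len);
    wr(cell, pattern, len);                     /* single direct overwrite */
    int ok = memcmp(cell, pattern, len) == 0;   /* read-verify */
    zeroize_volatile(pattern, sizeof pattern);  /* the RAM copy of the pattern */
    return ok;
}

/* Constructed sample key material (not real keys). */
unsigned char demo_ram_key[16]     = {0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c};
unsigned char demo_eeprom_cell[16] = {0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81};
```

The second destroy_eeprom_key call in the test routes the overwrite through the faulty writer, so its read-verify reports failure even though the write call itself returned normally.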
Justification

The read-verify for volatile memory was likely the result of copying from the non-volatile memory procedures, which do require a read-verify.
