!11444004 added a new unit test for RSA export/import to catch regressions in this functionality, particularly those relating to FIPS PCTs which are currently in a state of flux. However, the test would sometimes choose a key that was too small for the combination of the hash and salt it used, which would cause it to fail. Since test keys are chosen randomly, this failure also happened at random.
Tested: ran export/import test hundreds of times in a loop to ensure it no longer fails intermittently
In !11324214, we added pairwise consistency tests on key import per new FIPS 140-3 requirements. For DSA and ECDSA, we only run these tests if the key object has a private key, which is the correct behavior, because the PCT cannot be performed on a public key without the corresponding private key. Unfortunately, this check was omitted for RSA, which would cause SymCrypt to fastfail when importing a public key.
Also improved parameter validation for `SymCryptEcDsaSign`, and removed extraneous debug assertions in `SymCryptEckeySetValue`, which will make these functions easier to use.
Related work items: #53695133, #53957677
In !11324214, we added Known-Answer Tests (KATs) for RSA, DSA, and ECDSA, to satisfy FIPS 140-3 requirement for Cryptographic Algorithm Self-Tests (CASTs). Prior to that change, we were using Pairwise Consistency Tests (PCTs) to satisfy that requirement, but we received feedback from evaluators that PCTs do not satisfy the CAST requirement.
Unfortunately, there was an oversight in the previous change and the CAST was only added for key import, not key generation. To fix this, we execute the CAST in `SymCryptEckeySetRandom` as well.
Related work items: #53481333
## Description:
+ Adds ML-KEM API surface
+ Implements the API with initial C implementation, with sprinkling of SSE/NEON for (I)NTT
+ Adds low level ML-KEM polynomial arithmetic testing which tests self-consistency and exercises internal assertion in debug builds
+ Adds multi-implementation functionality testing to enable comparative functionality and performance testing on E2E functionality
+ For now, comparison testing is just between SymCrypt static and dynamic, with 3rd party comparison with libcrux disabled until they publish a final ML-KEM implementation
+ Adds ML-KEM KATs from NIST
Related work items: #50913735
This change adds additional Cryptographic Algorithm Self-Tests (CASTs) for RSA, DSA and ECDSA. as required by FIPS 140-3. Specifically, it adds explicit Known Answer Tests (KATs), as the Pairwise Consistency Tests (PCTs) that we were using previously are no longer considered sufficient for CASTs.
Also adds pairwise consistency tests on key import for RSA and DSA, per recent changes in the FIPS 140-3 implementation guidance. ECDSA PCTs continue to be run prior to signing or key export, as a performance optimization. ECDH and DH do not have explicit PCTs, but they include the required checks specified in SP 800-56A rev 3.
Related work items: #53481333
## Description:
Update FIPS status indicator string to include SymCrypt version
## Admin Checklist:
- [ ] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [ ] You have updated CHANGELOG.md to reflect any changes in behavior
- [ ] You have updated symcryptunittest to exercise any new functionality
- [ ] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [ ] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [ ] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [ ] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary
Related work items: #53283328
OneBranchCDPXPatMigrationPlugin V1.1:
# Why this change?
This PR was automatically generated because we are deprecating the service principal token inside CDP_DEFAULT_CLIENT_PAT and CDP_DEFAULT_CLIENT_PACKAGE_PAT variables in your OneBranch Pipelines build configuration. It will be replaced by ADO's system.accesstoken
Per [Retirement of Shared Global Package PAT variables in build containers](https://eng.ms/docs/cloud-ai-platform/azure-edge-platform-aep/aep-engineering-systems/productivity-and-experiences/ce-legacy-infrastructure/onebranch/build/troubleshootingfaqs/retirementofcdpxpatinbuildcontainers),
OneBranch will stop providing automatic authentication for cross-organization package pull and git clone scenarios. Please see the above documentation link for instructions and references for migration.
This PR applies the `EnableCDPxPAT: false` featureFlag to your pipelines, which will show how your pipelines will work after the migration deadline of August 28th, 2024. At this time, coreXT pipelines are not included in this deadline.
**Address the build failures before you merge this pr.**
Please validate your builds against this PR before merging the change, and address any failures. A failure in a PR build with this change indicates that you depend on the CDP_DEFAULT_CLIENT_PAT variable, and will need to make your own identity or make build config changes. Please see [Retirement of Shared Global Package PAT variables in build containers](https://eng.ms/docs/cloud-ai-platform/azure-edge-platform-aep/aep-engineering-systems/productivity-and-experiences/ce-legacy-infrastructure/onebranch/build/troubleshootingfaqs/retirementofcdpxpatinbuildcontainers) for examples.
If you do not experience any build failures due to this change, you will not experience issues with it on the deprecation date. A successful build with this flag indicates that you will not need to do further work on this migration.
For any queries, please reach out to support via OneBranch bot at [aka.ms/onebranch/bot](https://aka.ms/onebranch/bot).
:
---
For feedback or questions about this PR, please use the [OneBranch Support bot](https://aka.ms/onebranch/bot)
---
This change was automatically generated by [1ES Gardener](https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/gardener/1es-gardener) (a [MerlinBot](https://aka.ms/MerlinBot) extension) which is an initiative by the 1ES team to help repos stay up-to-date with latest tools, features, and best practices.
## Description:
Adds support for stateful hash-based signatures XMSS and XMSS^MT per RFC 8391 and NIST SP800-208.
## Admin Checklist:
- [ ] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [ ] You have updated CHANGELOG.md to reflect any changes in behavior
- [ ] You have updated symcryptunittest to exercise any new functionality
- [ ] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [ ] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [ ] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [ ] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary
Related work items: #52453903
## Description:
SSKDF implementation and unit tests.
## Admin Checklist:
- [x] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [x] You have updated CHANGELOG.md to reflect any changes in behavior
- [x] You have updated symcryptunittest to exercise any new functionality
- [x] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [x] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [X] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [X] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary
Related work items: #51795170
## Description:
FIPS 140-3 TE05.08.02 requires that "any temporary values generated during the integrity test are zeroised upon completion of the integrity test." We were not previously doing this, because the temporary values are not secrets, but it is required for certification. This PR adds the required zeroisation.
## Admin Checklist:
- [X] You have updated CHANGELOG.md to reflect any changes in behavior
(Others N/A)
Related work items: #52849999
## Description:
+ Add DATA annotation to data exports in symcrypt.dll .def file, and to a few data exports missed from symcrypttestmodule.dll. This primarily fixes use of Arm64X .dlls when loaded from an emulated AMD64 process.
+ Remove outdated DH comment (today we do input validation when importing DH keys unless the caller explicitly opts out of doing those validations)
Related work items: #50915485
## Description:
+ Improve `SymCryptFdefMontgomeryReduceAsm`
+ Reduce instruction count in the inner loop - remove superfluous `adc` with zero
+ Special case first iteration of the reduction loop to further reduce instruction count and multiplication uops
+ For ease of phrasing used non-volatile registers in aapcs64 assembly for the first time, and had to slightly extend SymCryptAsm processor script for this.
+ Improve `SymCryptFdefRawSquareAsm` by tweaking to reduce undue dependencies.
+ More room for improvements in follow-on PR, but checking in what we have to get improvements before GE deadline.
## Admin Checklist:
- [X] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [X] You have updated CHANGELOG.md to reflect any changes in behavior
- [X] You have updated symcryptunittest to exercise any new functionality
- [X] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [X] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [X] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [X] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary
Currently the daily build only runs if there is churn in the branch, which is a bit pointless since it's automatically kicked off by each completed PR anyway. The daily build is also intended to prevent us from being broken by container/tools changes (which has happened before), so we need to run it even if there is no churn. This PR fixes that.
## Description:
- Adds prototype API for SP800-56C KDF (aka SSKDF)
- Updates the SYMCRYPT_MAC_STATE and SYMCRYPT_MAC_EXPANDED_KEY unions to include SHA3 based MACs.
- If this was purposefully omitted from !8234403, I will revert the change, but the SymCryptSsMacKdf functions will need to be split.
## Admin Checklist:
- [X] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [X] You have updated CHANGELOG.md to reflect any changes in behavior
- [X] You have updated symcryptunittest to exercise any new functionality
- [X] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [X] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [X] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [X] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary
Related work items: #51795162
- !10935012 added a `.gitattributes` file to try to enforce consistent Windows-style line endings, but this causes a bunch of spurious diffs to show up after checking out the latest branch (ironically, on Windows only). See [this Stack Overflow question](https://stackoverflow.com/questions/5787937/git-status-shows-files-as-changed-even-though-contents-are-the-same) which refers to a similar issue. After fighting with Git for a bit, it seems like the easiest fix is just to remove this file.
- Workaround for Python versions < 3.11 not being able to parse timestamps with the 'Z' suffix indicating UTC time (started breaking our pipeline builds due to a recent Git version update)
- Fix for Python 3.12 complaining about invalid escape characters in `symcryptasm_processor.py` (use raw strings)
- When building OpenSSL, pin to a specific tag if no branch is specified on the command line, so that we're not building against a moving target
Since the KATs for some of the PQC algorithms have very long data values, it's convenient to be able to split the data across multiple lines to avoid having excessively long lines. This change adds support for that in the KAT parser (via escaping the newline with `\`), and adds a Python script that automatically reformats existing KATs with lines that are too long.
Tested: unit tests
This PR enables building and running SymCrypt on macOS. Currently, only the static libraries and unit tests are built, and ASM optimizations are not enabled.
Thanks to [Josh Aas](https://github.com/bdaehlie/) for initial work on this port.
- Clean up files that were added accidentally
- MacOS build working again
- Unit test fixes
- Cleanup, address comments, add Mac pipeline
- Windows and Linux build fixes
- Publish pipeline artifacts
- More Windows build fixes
- Add macOS build to official pipeline
- More pipeline fiddling
- Generate symbols for unit test
- Workaround for speculative load hardening bug on Clang 12+. Updated documentation
- Test availability of macOS 14 ARM64 agent
- Revert change to pipeline; macos-14-arm64 doesn't work in ADO. Add skeleton CMakePresets.json file for work to be continued on newer Mac
- ARM64 build fixes
- Pipeline changes
- Fix PublishPipelineArtifact name
- Address comments
Get rid of misleading comment.
First step towards turning the linux build path into a generic unix build path that supports Linux and macOS.
Make a build check that is already effectively for Linux only explicitly for Linux.
Remove unnecessary/breaking Apple includes.
test_lib.h: Generally use gnuc definitions on macOS but define GENRANDOM separately for macOS and Linux.
Define GET_PERF_CLOCK on macOS/ARM
Define body of getTimeInMs on macOS
We need C++17, and in order for CMake to set that properly on macOS we need to explicitly set the compilers to clang/clang++.
Use arc4random in unittest code on macOS.
build changes
- Prepare to support undocked "logical monorepo" by moving version info into `version.json` in repo root and generating `symcrypt_internal_shared.inc` from that
- Make `apt update` in pipeline non-fatal in case some repos are unavailable
+ Enable Arm64 Windows build with CMake (not production build as it is
missing support for Arm64X)
+ Avoid naming collision in macros between test code and product code,
enabling inclusion of sc_lib.h in test_lib.h
+ Remove sc_lib-testhooks.h
## Description:
Add OpenSSL implementation for SHA2 and SHA3 algorithms
## Admin Checklist:
- [ ] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [ ] You have updated CHANGELOG.md to reflect any changes in behavior
- [ ] You have updated symcryptunittest to exercise any new functionality
- [ ] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [ ] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [ ] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [ ] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary
- As we've had a number of people reach out to us with build issues due to using unsupported compilers, this change adds minimum compiler versions to CMakeLists.txt
- When building the handwritten SLN/vcxproj files using Visual Studio or MSBuild, this should already be handled by the embedded solution version
- Updated PR template to reiterate that we typically can't take external contributions
- Update LKG compiler branch to main
## Description:
Add AlgRsaSignPss implementation for OpenSSL. We ignore Twisted Edward Curves when testing with OpenSSL because OpenSSL does not support those curves. For Weierstrass Curves that OpenSSL does not support, we create them by parameters.
## Admin Checklist:
- [ ] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [ ] You have updated CHANGELOG.md to reflect any changes in behavior
- [ ] You have updated symcryptunittest to exercise any new functionality
- [ ] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [ ] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [ ] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [ ] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary
Another follow up to !10578579, this PR removes unnecessary assertions and SAL annotations from `GHashAppendData*` to be more consistent with other SymCrypt functions. It turns out that passing in data that aren't a multiple of the block size can sometimes be convenient because it allows one to make calls to the function unconditional. I added a comment at the function definition to indicate that data beyond multiples of the block size are ignored.
Tested: local unit tests (AMD64 noasm), CI pipelines
## Description:
## Admin Checklist:
- [ ] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [ ] You have updated CHANGELOG.md to reflect any changes in behavior
- [ ] You have updated symcryptunittest to exercise any new functionality
- [ ] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [ ] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [ ] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [ ] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary
`SymCryptGHashAppendDataC` has an assertion `SYMCRYPT_ASSERT(cbData >= SYMCRYPT_GF128_BLOCK_SIZE)`, because the function does nothing if the length of the provided data is less than the block size. However, `SymCryptGcmSetNonce` was unconditionally calling `SymCryptGHashAppendData` for the first `(cbNonce - cbNonceRemainder)` bytes of the nonce, even if the nonce was less than the block size. In this case, `(cbNonce - cbNonceRemainder) == 0`, so the assertion fails.
This is not a functional issue, because the subsequent call will append the remaining bytes, padded to the block size. But it does cause an assertion failure in debug builds when ASM is disabled, so it should be fixed.
This wasn't caught earlier because we don't normally run tests on debug builds without ASM optimizations. Since this is a gap in our testing, I also added a new pipeline which will be run nightly and include more thorough testing.
Tested: symcryptunittest, CI
## Description:
SymCryptCallBackAlloc failed as part of a call to SymCryptRsakeyGenerate with the new SymCrypt.
After investigation, the failure occurs since we changed the API from "posix_alloc" to "aligned_alloc".
aligned_alloc - expect to get the number of bytes to allocate as an integral multiple of the alignment.
So, when passing not a multiple of the alignment number the function failed.
I suspect this issue is important since the regular Linux product use the API without the check of the size alignment.
Hence, I created this PR with a fix that adjust the size we receive to be aligned.
## Admin Checklist:
- [ ] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [ ] You have updated CHANGELOG.md to reflect any changes in behavior
- [ ] You have updated symcryptunittest to exercise any new functionality
- [ ] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [ ] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [ ] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [ ] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary
Fix CallBackAlloc to adjust the nBytes for allocation in case the size is not aligned
Signed-off-by: v-shlevy <v-shlevy@microsoft.com>
Related work items: #49419416
This change fixes a build break in the CMake pipeline by removing `SymCryptWipeKnownSize` from the exports for both the kernel and user mode modules. Since `SymCryptWipeKnownSize` is marked `FORCEINLINE`, it should be inlined everywhere and thus cannot be exported. (It's not clear why this didn't break the Windows Undocked Pipeline build--probably some difference in flags.)
In the future we'll remove this function from the Linux module exports as well. We have already documented that as an upcoming breaking change in `doc/breaking_changes.md`. Since the Windows modules haven't shipped yet, we don't have to consider this a breaking change for those modules.
Tested: unit tests with user mode + kernel mode dynamic modules
When running our unit tests on the address sanitizer build using the GLIBC_TUNABLES to disable use of AVX, we intermittently hit a bug where the console outputs AddressSanitizer:DEADLYSIGNAL in an infinite loop. This appears to be caused by an incompatibility between certain versions of GCC and certain Linux kernels. See e.g. this GitHub issue: https://github.com/actions/runner-images/issues/9524
Currently the OneBranch build pipeline uses an Ubuntu container running on a Mariner kernel. Using an Ubuntu kernel instead should resolve the issue.
Tested: pipeline builds
This change adds a new Windows user-mode module, symcrypt.dll. We plan to integrate this module into a future release of Windows as our primary FIPS-certified cryptographic module. Until that happens, we're making the module publicly available for the convenience of other projects that build on top of SymCrypt, such as our [rust-symcrypt crate](https://github.com/microsoft/rust-symcrypt).
Tested: dynamic unit tests run locally against the new module, ADO pipeline CI tests
The time has come! Now that we've fully transitioned to building in the Windows undocked pipeline with MSBuild, there's no longer any reason to retain the old Razzle dirs/sources files or scbuild scripts.
I left the sources files in `gen` and `test/indirect_call_perf` since we don't have CMake or MSBuild files for those. Since they're used extremely rarely, there's no urgency in supporting them in the new build system.
## Description:
## Admin Checklist:
- [ ] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [ ] You have updated CHANGELOG.md to reflect any changes in behavior
- [ ] You have updated symcryptunittest to exercise any new functionality
- [ ] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [ ] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [ ] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [ ] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary
Add OpenSSL implementation for AesGcm test
## Description:
## Admin Checklist:
- [ ] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [ ] You have updated CHANGELOG.md to reflect any changes in behavior
- [ ] You have updated symcryptunittest to exercise any new functionality
- [ ] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [ ] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [ ] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [ ] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary
Add symcrypt build for optee env
Signed-off-by: v-shlevy <v-shlevy@microsoft.com>
Related work items: #49419416
This change updates the MSBuild projects to make the inclusion of msbignum and rsa32 optional. This will allow external users to more easily use MSBuild, and also unblock testing potential future changes to undocked pipelines.
## Description:
This PR adds some ease of use functionality for building and debugging SymCrypt using VS Code on Windows.
First this PR adds a default terminal profile that runs Visual Studio's developer console so CMake and other build tools are available in the terminal environment.
This needs to be setup using the `Setup` VS Code task. The `Setup` task also sets up Python virtual environment at `.\.venv` so the project is ready to build. Tasks can be executed in the `F1` command palette menu with `Tasks: Run Task` command, followed by selecting the `Setup` task. There are also other tasks that builds SymCrypt in various configurations after `Setup` is ran e.g. `Build [Debug]`. Build tasks can also be ran using `Ctrl+Shift+B` or via build buttons which can be added to GUI in the VS Code Explorer view using the `spmeesseman.vscode-taskexplorer` extension.
This PR also adds launch configurations for running and debugging SymCrypt using `F5` key in VS Code. The run configurations can be selected in the `Run and Debug` view in VS Code.
## Admin Checklist:
- [ ] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [ ] You have updated CHANGELOG.md to reflect any changes in behavior
- [ ] You have updated symcryptunittest to exercise any new functionality
- [ ] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [ ] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [ ] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [ ] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary
Add configs for build and debug with vscode
## Description:
We add OpenSSL as submodule to 3rdparty and link symcryptunittest to it so we can compare the SymCrypt implementation. We add perf and functional test for XtsAes as well.
## Admin Checklist:
- [ ] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [ ] You have updated CHANGELOG.md to reflect any changes in behavior
- [ ] You have updated symcryptunittest to exercise any new functionality
- [ ] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [ ] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [ ] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [ ] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary
Related work items: #49347468
## Description:
+ Reverts change to remove entry point from SymCryptK.dll, as in local testing SymCryptK.dll with an entry point works with SK, while SymCryptK.dll without an entry point does not.
Related work items: #49201043
## Description:
+ Remove many workarounds in SymCrypt undocked props files for missing flags
+ Explicitly build SymCryptK.dll with no entrypoint, remove the fake entry point from code, and call `__security_init_cookie` in `SymCryptModuleInit` to prevent binskim errors.
+ Remove reference to memset in `SymCryptEntropyAccumulatorAccumulateSample` to reduce size and complexity of resulting SymCryptK.dll with real build environment (memset is not inlined as expected).
## Admin Checklist:
- [X] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [X] You have updated CHANGELOG.md to reflect any changes in behavior
- [X] You have updated symcryptunittest to exercise any new functionality
- [X] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [X] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [X] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [X] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary
Related work items: #49010014
## Description:
Update FIPS Status Indicator text for Windows Kernel Module
## Admin Checklist:
- [ ] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [ ] You have updated CHANGELOG.md to reflect any changes in behavior
- [ ] You have updated symcryptunittest to exercise any new functionality
- [ ] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [ ] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [ ] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [ ] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary
Related work items: #42949867
## Description:
NIST SP800-90B entropy source validation requires saving raw noise source samples for further analysis. This change introduces a configuration value read from registry to facilitate the collection of samples from logical processor 0 and write them to disk.
## Admin Checklist:
- [ ] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [ ] You have updated CHANGELOG.md to reflect any changes in behavior
- [ ] You have updated symcryptunittest to exercise any new functionality
- [ ] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [ ] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [ ] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [ ] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary
Related work items: #43489021
## Description:
Temporarily specify /cbstring- to x64 CL in SymCrypt props
## Admin Checklist:
- [X] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [X] You have updated CHANGELOG.md to reflect any changes in behavior
- [X] You have updated symcryptunittest to exercise any new functionality
- [X] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [X] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [X] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [X] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary
Related work items: #49010014
Mitch Lindgren 🦎
Samuel Lee
Cagdas Calik
MerlinBot
Maxwell Moyer-McKee
Matthew Villegas
Josh Aas
Changyu Li
Konstantin Sharon (^_^)
Shachar Levy