## Description:
+ Adds ML-KEM API surface
+ Implements the API with initial C implementation, with a sprinkling of SSE/NEON for (I)NTT
+ Adds low level ML-KEM polynomial arithmetic testing which tests self-consistency and exercises internal assertions in debug builds
+ Adds multi-implementation functionality testing to enable comparative functionality and performance testing on E2E functionality
+ For now, comparison testing is just between SymCrypt static and dynamic, with 3rd party comparison with libcrux disabled until they publish a final ML-KEM implementation
+ Adds ML-KEM KATs from NIST
Related work items: #50913735
This change adds additional Cryptographic Algorithm Self-Tests (CASTs) for RSA, DSA and ECDSA, as required by FIPS 140-3. Specifically, it adds explicit Known Answer Tests (KATs), as the Pairwise Consistency Tests (PCTs) that we were using previously are no longer considered sufficient for CASTs.
Also adds pairwise consistency tests on key import for RSA and DSA, per recent changes in the FIPS 140-3 implementation guidance. ECDSA PCTs continue to be run prior to signing or key export, as a performance optimization. ECDH and DH do not have explicit PCTs, but they include the required checks specified in SP 800-56A rev 3.
Related work items: #53481333
## Description:
Adds support for stateful hash-based signatures XMSS and XMSS^MT per RFC 8391 and NIST SP800-208.
## Admin Checklist:
- [ ] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [ ] You have updated CHANGELOG.md to reflect any changes in behavior
- [ ] You have updated symcryptunittest to exercise any new functionality
- [ ] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [ ] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [ ] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [ ] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary
Related work items: #52453903
## Description:
SSKDF implementation and unit tests.
## Admin Checklist:
- [x] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [x] You have updated CHANGELOG.md to reflect any changes in behavior
- [x] You have updated symcryptunittest to exercise any new functionality
- [x] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [x] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [x] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [x] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary
Related work items: #51795170
## Description:
- Adds prototype API for SP800-56C KDF (aka SSKDF)
- Updates the SYMCRYPT_MAC_STATE and SYMCRYPT_MAC_EXPANDED_KEY unions to include SHA3 based MACs.
- If this was purposefully omitted from !8234403, I will revert the change, but the SymCryptSsMacKdf functions will need to be split.
## Admin Checklist:
- [X] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [X] You have updated CHANGELOG.md to reflect any changes in behavior
- [X] You have updated symcryptunittest to exercise any new functionality
- [X] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [X] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [X] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [X] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary
Related work items: #51795162
This change adds a new Windows user-mode module, symcrypt.dll. We plan to integrate this module into a future release of Windows as our primary FIPS-certified cryptographic module. Until that happens, we're making the module publicly available for the convenience of other projects that build on top of SymCrypt, such as our [rust-symcrypt crate](https://github.com/microsoft/rust-symcrypt).
Tested: dynamic unit tests run locally against the new module, ADO pipeline CI tests
## Description:
## Admin Checklist:
- [ ] You have updated documentation in symcrypt.h to reflect any changes in behavior
- [ ] You have updated CHANGELOG.md to reflect any changes in behavior
- [ ] You have updated symcryptunittest to exercise any new functionality
- [ ] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest
- [ ] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features
- [ ] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations
- [ ] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary
Add symcrypt build for optee env
Signed-off-by: v-shlevy <v-shlevy@microsoft.com>
Related work items: #49419416
Per [this GitHub issue](https://github.com/microsoft/SymCrypt/issues/34), the advice on key generation for RC4 is outdated and no longer best practice. RC4 should never be used except for backwards compatibility, but this part of the comment is unhelpful in any case, so this PR removes it.
Thanks to [Myriachan](https://github.com/Myriachan) for reporting this issue.
This change adds support for nonces larger or smaller than 12 bytes for AES-GCM (and GCM generally, if it's ever used with other block ciphers). It adds 32-bit CTR functions, as required in the GCM spec. Previously we used a 64-bit CTR function, which worked for 12-byte nonces because the counter block always started at 1 and the message length limit for GCM is 2^36 - 32 bytes, so the 32-bit counter would never overflow. Using a 64-bit counter does not work for non-12-byte nonces because the counter block starts at an arbitrary value computed by GHASHing the nonce.
It also updates the "stitched" implementations of AES-GCM to use 32-bit addition intrinsics instead of 64-bit addition.
Tested with unit tests:
- AMD64 with all features enabled
- AMD64 without aesni
- AMD64 without pclmulqdq
- AMD64 with everything disabled except for rdrand, rdseed, savexmmnofail
- ARM64 hardware (Galaxy Book 2) + qemu (via pipeline)
Related work items: #33824154
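To make the counter-width point above concrete, here is an added Python example (not SymCrypt code, and independent of SymCrypt's API) that derives the initial counter block J0 as SP 800-38D defines it and compares the 32-bit increment GCM specifies with a 64-bit increment. The hash subkey `H` and the IVs used in the comments and checks are constructed sample values; in real GCM, `H = E_K(0^128)`.

```python
"""GCM counter blocks: 32-bit vs 64-bit increment (added example, not SymCrypt code).

Per NIST SP 800-38D, the initial counter block J0 is IV || 0^31 || 1 for a
96-bit IV, and GHASH_H(IV || 0^(s+64) || [len(IV)]_64) otherwise. The
message is then encrypted with inc32(J0), inc32^2(J0), ... so only the low
32 bits of the block are meant to change. The hash subkey H used by callers
of these functions is a constructed value here; in real GCM, H = E_K(0^128).
"""
import struct

R = 0xE1 << 120  # reduction constant of GCM's GF(2^128)


def gf128_mult(x: int, y: int) -> int:
    """Multiply two field elements in GCM's bit-reflected convention
    (SP 800-38D, Algorithm 1). The multiplicative identity is 1 << 127."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash(h: bytes, data: bytes) -> bytes:
    """GHASH over data zero-padded to a whole number of 16-byte blocks."""
    hi = int.from_bytes(h, "big")
    y = 0
    padded = data + b"\x00" * (-len(data) % 16)
    for off in range(0, len(padded), 16):
        y = gf128_mult(y ^ int.from_bytes(padded[off:off + 16], "big"), hi)
    return y.to_bytes(16, "big")


def initial_counter_block(h: bytes, iv: bytes) -> bytes:
    """J0 per SP 800-38D section 7.1: fixed low word of 1 for a 12-byte IV,
    an arbitrary GHASH output for every other IV length."""
    if len(iv) == 12:
        return iv + b"\x00\x00\x00\x01"
    s = -len(iv) % 16  # zero padding up to a block boundary
    return ghash(h, iv + b"\x00" * (s + 8) + struct.pack(">Q", 8 * len(iv)))


def inc32(block: bytes) -> bytes:
    """The increment GCM specifies: the low 32 bits wrap, the upper 96 are untouched."""
    ctr = (int.from_bytes(block[12:], "big") + 1) & 0xFFFFFFFF
    return block[:12] + ctr.to_bytes(4, "big")


def inc64(block: bytes) -> bytes:
    """A 64-bit increment: carries out of bit 31 spill into the upper half,
    which is harmless only when the low word starts at 1 and GCM's message
    length limit keeps it from ever reaching 2^32."""
    ctr = (int.from_bytes(block[8:], "big") + 1) & 0xFFFFFFFFFFFFFFFF
    return block[:8] + ctr.to_bytes(8, "big")


def counter_blocks(j0: bytes, n: int, inc) -> list:
    """The n counter blocks used to encrypt a message: inc(J0) ... inc^n(J0)."""
    out, cb = [], j0
    for _ in range(n):
        cb = inc(cb)
        out.append(cb)
    return out


def counters_diverge(h: bytes, iv: bytes, n_blocks: int) -> bool:
    """True if a 64-bit increment would produce a different counter sequence
    than the specified 32-bit one for this IV and message length."""
    j0 = initial_counter_block(h, iv)
    return counter_blocks(j0, n_blocks, inc32) != counter_blocks(j0, n_blocks, inc64)
```

With a 12-byte IV the two increments agree for any message within GCM's length limit; with any other IV length the low word of J0 is whatever GHASH produced, so a wrap of the low 32 bits can happen at any point in the message and the two sequences part ways.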
Adding support for salt length detection in RSA-PSS verification
+ Add SYMCRYPT_FLAG_RSA_PSS_VERIFY_WITH_MINIMUM_SALT flag to
SymCryptRsaPssVerify and SymCryptRsaPssVerifySignaturePadding
+ When verifying a PSS signature with this flag specified, allow salt
length >= the caller-specified cbSalt
+ In symcryptunittest, test that verification succeeds and fails w.r.t. the cbSalt
and flag in the correct way
+ Some small unrelated changes
Related work items: #33692439
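As an added illustration of the exact-versus-minimum salt length semantics described above (example code, not SymCrypt's implementation), the following Python models only the EMSA-PSS encoding layer of RFC 8017 section 9.1 with SHA-256 and MGF1; the RSA modular operation is left out. The `minimum_salt` parameter stands in for the role the description gives to `SYMCRYPT_FLAG_RSA_PSS_VERIFY_WITH_MINIMUM_SALT`, and the salt and messages used in the checks are constructed values.

```python
"""EMSA-PSS encode/verify with exact or minimum salt length (added example,
not SymCrypt code). RFC 8017 section 9.1, SHA-256, MGF1 on SHA-256. Only the
padding layer is modelled; the RSA operation on EM is omitted."""
import hashlib
import hmac

HLEN = 32  # SHA-256 output size


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation: concatenated Hash(seed || counter) outputs."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def emsa_pss_encode(message: bytes, salt: bytes, em_bits: int) -> bytes:
    """Produce EM = maskedDB || H || 0xbc for the given salt."""
    em_len = (em_bits + 7) // 8
    m_hash = hashlib.sha256(message).digest()
    h = hashlib.sha256(b"\x00" * 8 + m_hash + salt).digest()
    ps = b"\x00" * (em_len - len(salt) - HLEN - 2)
    db = ps + b"\x01" + salt
    masked_db = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - HLEN - 1)))
    # Clear the leftmost 8*emLen - emBits bits of the leftmost octet.
    top_bits = 8 * em_len - em_bits
    masked_db = bytes([masked_db[0] & (0xFF >> top_bits)]) + masked_db[1:]
    return masked_db + h + b"\xbc"


def emsa_pss_verify(message: bytes, em: bytes, em_bits: int,
                    cb_salt: int, minimum_salt: bool = False) -> bool:
    """Check EM against message. cb_salt is the caller's expected salt length;
    by default it must match exactly, with minimum_salt any salt of at least
    cb_salt bytes is accepted."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em[-1] != 0xBC:
        return False
    masked_db, h = em[:em_len - HLEN - 1], em[em_len - HLEN - 1:-1]
    top_bits = 8 * em_len - em_bits
    if masked_db[0] & ~(0xFF >> top_bits) & 0xFF:
        return False
    db = bytes(a ^ b for a, b in zip(masked_db, mgf1(h, len(masked_db))))
    db = bytes([db[0] & (0xFF >> top_bits)]) + db[1:]
    # The salt length is recovered from the position of the 0x01 separator,
    # which must be preceded only by zero bytes (the PS string).
    sep = db.find(b"\x01")
    if sep < 0 or any(db[:sep]):
        return False
    salt = db[sep + 1:]
    if len(salt) != cb_salt and not (minimum_salt and len(salt) >= cb_salt):
        return False
    m_hash = hashlib.sha256(message).digest()
    h_prime = hashlib.sha256(b"\x00" * 8 + m_hash + salt).digest()
    return hmac.compare_digest(h, h_prime)
```

The recovered salt length is always checked before the hash comparison, so a verifier configured for an exact length rejects a longer salt even when the signature is otherwise valid; the minimum-salt mode relaxes only that one comparison.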
+ Add SymCryptXtsAes(En|De)cryptEx to induce XTS-AES with 128b tweak
+ Add SymCryptXtsAesExpandKeyEx to do FIPS IG check for non-equal
halves of XTS key
+ Refactor Multi-DataUnit logic to reduce code duplication using
new xtsaes_pattern.c file to instantiate the logic with various
specializations
+ Add support for ciphertext stealing in both old and new API surface,
allowing data unit sizes which are not a multiple of 16 bytes
+ Add IEEE test vectors for odd data unit sizes
+ Update randomized tests to exercise both 64-bit and 128-bit tweak
interfaces, and new supported data unit sizes
+ Update XTS tests to allow CNG to fail with unsupported parameters
+ Update XTS FIPS self-test to use FIPS-approved key expansion function
+ Fix a couple of typos found while making changes
Related work items: #43854713
+ Specify void argument for C functions with no parameters
+ Enable -Wstrict-prototypes to prevent regression
+ Do not rely on __m128i struct definition
+ Fixup fastcall attribute
+ Fixup alignment attribute for union and struct typedefs which were
previously missed
+ Quash warnings about tautological comparisons with size_t and constant
values larger than 32b by including explicitly constant compile time
comparisons
+ Enable clang x86 build in ADO pipeline
Related work items: #44081913
Add HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512 implementations.
Other changes:
- Add generic HMAC API
- Introduce a unique state for each of the Keccak based algorithms
- Convert tabs to spaces in symcryptasm files
Related work items: #41559779
+ New dynamic module SymCryptKernelTestModule_UM.dll and kernel driver
SymCryptKernelTestModule.sys which enable unit tests to call into
driver using the existing SymCrypt dynamic module flow
+ Update a few places in tests which assume objects created by module
under test can have their internals inspected (which is not the case
when the object lives in kernel and the unit tests are running in user
mode)
+ SymCryptKernelTestModule.sys tracks all allocations it makes and ensures it
frees everything when it is unloaded
Related work items: #38706387
+ Enable measurements of Linux RNG system
+ Make various performance improvements to defer costly calls into JitterEntropy until they are strictly required,
and reduce cost of calls when they are made.
Related work items: #42441472, #42441492
- Add SRTP-KDF and SSH-KDF implementations
- Update `SYMCRYPT_HASH` structure to contain hash state copying function member
Related work items: #38101963, #38102026
+ Avoid Unnecessary Pairwise Conditional Tests on (EC)DH key generation
+ Enable deferred testing of PCTs for all asymmetric key generation
+ Introduce a new UINT32 field in the (Dl|Ec|Rsa)key structures to track what algorithms the key may be used for, and which key PCTs have been run
+ For ECDSA, perform PCT before first use of private key in a sign
operation
+ For RSA and DSA, just perform the PCT unconditionally at key generation time
+ Remove the (EC)DH PCT functions entirely. They are not necessary for
FIPS and no calling application should be using them as they were very
recently introduced.
+ Fix corner case bug with DH and explicitly set private key lengths not having the correct validation.
Related work items: #37791870, #39478648
+ Return SYMCRYPT_SIGNATURE_VERIFICATION_FAILURE from SymCryptRsaPssVerify
+ Also change tests to alias the error codes so that
multi-implementation test with SymCrypt and CNG do not break while the
change to SymCrypt rolls out.
+ BCrypt callers should already handle STATUS_INVALID_SIGNATURE as this
is the error code that they should expect from documentation
Related work items: #39175561
Add AES-GCM session implementation
+ The GCM encryption session implementation enables FIPS certification of AES-GCM as the nonce generation is within the FIPS boundary
+ The GCM decryption session enables replay protection for callers. It is designed to be useful for a fresh higher level protocol like QCC
Related work items: #38643032
In addition to the algorithm self-tests that must be run once prior to each algorithm being used, FIPS 140-3 also requires pairwise consistency tests for all keys generated:
> “If a cryptographic module generates public or private key pairs, a pair-wise consistency test shall [10.35] be performed for every generated public and private key pair…”
This change implements these self-tests for DL, ECC and RSA keys.
Related work items: #38587829
- Moved shared CMake logic into a single common file that can be included from individual module directories.
- Renamed some directories to hopefully make the directory structure more logical.
- Updated CMake commands to include appropriate versioning info in modules. This causes CMake to automatically build the module with a versioned shared object name (libsymcrypt.so -> libsymcrypt.so.100 -> libsymcrypt.so.100.21.0). The appropriate SONAME is also set in the module's DYNAMIC section, so that applications or modules taking a dependency on us will correctly link to libsymcrypt.so.100.
+ The definition of HKDF as two steps in RFC 5869 is slightly different
to the two steps currently implemented in SymCrypt
+ In the RFC the pseudorandom key (PRK) is defined as the output of
HKDF-Extract, and an input to HKDF-Expand
+ In SymCrypt we currently merge the use of the PRK to create an
expanded HMAC key into the HkdfExpandKey function, so a caller never
sees the generated PRK with the current API
+ So that we can use SymCrypt for callers which expose the RFC's steps
more rigidly we need to introduce a new function: `SymCryptHkdfExtractPrk`
+ This allows callers to handle the PRK produced by the HKDF-Extract
step explicitly
+ The underlying implementation is slightly refactored for this new API,
with HkdfExpandKey calling HkdfExtractPrk then HkdfPrkExpandKey, using
a stack buffer to store the temporary PRK. The functionality is
otherwise unchanged
+ The 3 ways to perform HKDF end to end with SymCrypt are now:
a) HkdfExtractPrk -> HkdfPrkExpandKey -> HkdfDerive
b) HkdfExpandKey -> HkdfDerive
c) Hkdf
Related work items: #37166888
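The two-step structure from RFC 5869 that the description contrasts with the merged SymCrypt API, as an added Python example (not SymCrypt code; the function names below mirror the three call patterns listed but are not SymCrypt's API). The step-wise path exposes the PRK to the caller, the one-shot path keeps it internal, and both must produce the same output keying material.

```python
"""HKDF-Extract and HKDF-Expand as separate steps (RFC 5869), plus the
one-shot form built from them. Added example, not SymCrypt code."""
import hashlib
import hmac

HASH = hashlib.sha256
HLEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """PRK = HMAC-Hash(salt, IKM). A missing salt is HashLen zero bytes.
    This is the step whose output the new SymCryptHkdfExtractPrk API surfaces."""
    if not salt:
        salt = b"\x00" * HLEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """OKM = T(1) || T(2) || ... truncated to length,
    with T(i) = HMAC-Hash(PRK, T(i-1) || info || i) and T(0) empty."""
    if length > 255 * HLEN:
        raise ValueError("HKDF-Expand output too long for this hash")
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        okm += t
        i += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """One-shot HKDF. The PRK lives only inside this function, which is the
    situation the description says existing callers were in before the new API."""
    prk = hkdf_extract(salt, ikm)
    return hkdf_expand(prk, info, length)
```

A caller that must interoperate with a peer exchanging or storing the PRK itself (rather than the final keys) needs the split form; everything else can keep calling the one-shot form and gets identical output.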
+ KMAN uses SP800-108 with HmacSha512 - we will need to certify this in the SymCrypt module for Overlake / Mariner, so add SelfTests for this combination.
+ Also tidy up some comments which are clearly copy-paste errors
+ Ignore build artifacts that are in the jitterentropy submodule
Related work items: #37166368
+ Move nBitsPriv to be on a per-Dlkey basis, with fields in the Dlgroup
informing the range it can take and setting a default value to avoid
changes for existing callers
+ Use the new API in a new test case - still have to write a more
involved test case using SymCryptDlkeySetValue as well
+ Callers would invariably check for NULL after Allocate / Create
anyway, so this would be a duplicate check
+ Also resolve some nitpick issues in build for razzle / build with
Linux with jitterentropy
+ In some cases replace with C_ASSERTs
+ In some cases replace with SYMCRYPT_ASSERTs (fail only in CHK build)
+ In some cases replace with SYMCRYPT_ASSERT and replace a faulty input
with an input which will give a result which is incorrect but won't
crash
Related work items: #37153656, #35463330
Added embedded modules. Generalized RNG functions. Added Jitter as submodule and implemented entropy sourcing from Jitter for embedded and generic Linux modules
Related work items: #36787279
+ SYMCRYPT_DEBUG is only defined in the C preprocessor for assembly,
ensure that it is set up correctly in assembly by defining DBG in the
USER_C_FLAGS in a non-release build
+ Resolves all issues flagged by runoacr in symcrypt\lib
+ Leaves some oacr issues in test code
+ Also includes some unrelated fixes to typos etc.
Related work items: #35052770
+ Fix SYMCRYPT_INTERNAL_LOAD_LSBFIRST32 macro for generic build
+ Re-enable generic build in the pipeline
+ Only trigger for CI builds normally to avoid blocking PRs needlessly
+ Also trigger on PR builds to publish branch, to catch any regression we may not have noticed before publishing to GitHub
+ Fix a bunch of non-functional typos that I have noticed recently
+ Only run the module test when the task is running on a machine with RDSEED - the module test currently requires RDSEED.
Related work items: #34245222