Merged PR 11324214: FIPS 140-3 CASTs for RSA, DSA, ECDSA

This change adds additional Cryptographic Algorithm Self-Tests (CASTs) for RSA, DSA and ECDSA. as required by FIPS 140-3. Specifically, it adds explicit Known Answer Tests (KATs), as the Pairwise Consistency Tests (PCTs) that we were using previously are no longer considered sufficient for CASTs.

Also adds pairwise consistency tests on key import for RSA and DSA, per recent changes in the FIPS 140-3 implementation guidance. ECDSA PCTs continue to be run prior to signing or key export, as a performance optimization. ECDH and DH do not have explicit PCTs, but they include the required checks specified in SP 800-56A rev 3.

Related work items: #53481333

Author: mlindgren

doc/breaking_changes.md

@@ -27,4 +27,9 @@ This is a potentially ABI-breaking change on Windows x86.
 This is for consistency with the Semantic Versioning specification, as well as various tooling.
 
 ### extern variables defined in SymCrypt headers will be removed and replaced by equivalent getter functions
-This simplifies how we define dynamic module exports in a cross-platform way.
+This simplifies how we define dynamic module exports in a cross-platform way.
+
+### Self-test functions and definitions will no longer be exposed/exported
+Various functions and definitions related to FIPS self-tests are exposed to callers in
+symcrypt_internal.h, and exported from the shared object libraries/DLLs. These functions are only
+intended to be used internally for FIPS compliance, so they will be removed from external visibility.

inc/symcrypt.h

@@ -7367,7 +7367,7 @@ SymCryptDlkeyExtendKeyUsage(
 // Enable an existing key which has been generated or imported to be used in specified algorithms.
 // Some callers may not know at key generation or import time what algorithms a key will be used for
 // and this API allows the key to be extended for use in additional algorithms. Use of this API may
-// not be compliant with FIPS 140-3
+// not be compliant with FIPS 140-3.
 //
 // - flags must be some bitwise OR of the following flags:
 //      SYMCRYPT_FLAG_DLKEY_DSA

inc/symcrypt_internal.h

@@ -2417,7 +2417,7 @@ typedef SYMCRYPT_ASYM_ALIGN_STRUCT _SYMCRYPT_RSAKEY {
                     UINT32              fAlgorithmInfo;     // Tracks which algorithms the key can be used in
                                                             // Also tracks which per-key selftests have been performed on this key
                                                             // A bitwise OR of SYMCRYPT_FLAG_KEY_*, SYMCRYPT_FLAG_RSAKEY_*, and
-                                                            // SYMCRYPT_SELFTEST_KEY_* values
+                                                            // SYMCRYPT_PCT_* values
 
                     UINT32              cbTotalSize;        // Total size of the rsa key
                     BOOLEAN             hasPrivateKey;      // Set to true if there is private key information set
@@ -2571,7 +2571,7 @@ typedef SYMCRYPT_ASYM_ALIGN_STRUCT _SYMCRYPT_DLKEY {
                     UINT32                  fAlgorithmInfo; // Tracks which algorithms the key can be used in
                                                             // Also tracks which per-key selftests have been performed on this key
                                                             // A bitwise OR of SYMCRYPT_FLAG_KEY_*, SYMCRYPT_FLAG_DLKEY_*, and
-                                                            // SYMCRYPT_SELFTEST_KEY_* values
+                                                            // SYMCRYPT_PCT_* values
 
                     BOOLEAN                 fHasPrivateKey; // Set to true if there is a private key set
                     BOOLEAN                 fPrivateModQ;   // Set to true if the private key is at most Q-1, otherwise it is at most P-2
@@ -2760,7 +2760,7 @@ typedef SYMCRYPT_ASYM_ALIGN_STRUCT _SYMCRYPT_ECKEY {
                     UINT32              fAlgorithmInfo; // Tracks which algorithms the key can be used in
                                                         // Also tracks which per-key selftests have been performed on this key
                                                         // A bitwise OR of SYMCRYPT_FLAG_KEY_*, SYMCRYPT_FLAG_ECKEY_*, and
-                                                        // SYMCRYPT_SELFTEST_KEY_* values
+                                                        // SYMCRYPT_PCT_* values
                     BOOLEAN             hasPrivateKey;  // Set to true if there is a private key set
                     PCSYMCRYPT_ECURVE   pCurve;         // Handle to the curve which created the key
 
@@ -3130,18 +3130,25 @@ SymCryptFipsGetSelftestsPerformed(void);
 // defer running expensive tests until we know they are required (e.g. if we generate an Eckey which
 // may be used in ECDH or ECDSA, and only use it for ECDH, the ECDSA PCT is deferred until we first
 // attempt to use the key in ECDSA, or export the private key).
+//
+// For clarity, SYMCRYPT_PCT_* should be used instead of SYMCRYPT_SELFTEST_KEY_* going forward.
+// The latter is retained for compatibility with existing code, but may be removed in a future
+// breaking change.
 
 // Dlkey selftest flags
 // DSA Pairwise Consistency Test to be run generated keys
 #define SYMCRYPT_SELFTEST_KEY_DSA       (0x1)
+#define SYMCRYPT_PCT_DSA                SYMCRYPT_SELFTEST_KEY_DSA
 
 // Eckey selftest flags
 // ECDSA Pairwise Consistency Test to be run generated keys
 #define SYMCRYPT_SELFTEST_KEY_ECDSA     (0x1)
+#define SYMCRYPT_PCT_ECDSA              SYMCRYPT_SELFTEST_KEY_ECDSA
 
 // Rsakey selftest flags
 // RSA Pairwise Consistency Test to be run generated keys
 #define SYMCRYPT_SELFTEST_KEY_RSA_SIGN  (0x1)
+#define SYMCRYPT_PCT_RSA_SIGN           SYMCRYPT_SELFTEST_KEY_RSA_SIGN
 
 UINT32
 SYMCRYPT_CALL

lib/dlkey.c

@@ -480,12 +480,16 @@ SymCryptDlkeyGenerate(
     {
         if( ( flags & SYMCRYPT_FLAG_DLKEY_DSA ) != 0 )
         {
+            // Ensure DSA algorithm selftest is run before first use of DSA algorithm
+            SYMCRYPT_RUN_SELFTEST_ONCE(
+                SymCryptDsaSelftest,
+                SYMCRYPT_SELFTEST_ALGORITHM_DSA );
+
             // Run PCT eagerly as the key can only be used for DSA - there is no value in deferring
-            SYMCRYPT_RUN_KEYGEN_PCT(
-                SymCryptDsaSignVerifyTest,
+            SYMCRYPT_RUN_KEY_PCT(
+                SymCryptDsaPct,
                 pkDlkey,
-                SYMCRYPT_SELFTEST_ALGORITHM_DSA,
-                SYMCRYPT_SELFTEST_KEY_DSA );
+                SYMCRYPT_PCT_DSA );
         }
 
         if( ( flags & SYMCRYPT_FLAG_DLKEY_DH ) != 0 )
@@ -796,8 +800,10 @@ SymCryptDlkeySetValue(
 
             if( pkDlkey->fHasPrivateKey )
             {
-                // We do not need to run a DSA PCT on import, indicate that the test has been run
-                pkDlkey->fAlgorithmInfo |= SYMCRYPT_SELFTEST_KEY_DSA;
+                SYMCRYPT_RUN_KEY_PCT(
+                    SymCryptDsaPct,
+                    pkDlkey,
+                    SYMCRYPT_PCT_DSA );
             }
         }
 

lib/ec_dsa.c

@@ -418,11 +418,10 @@ SymCryptEcDsaSign(
     }
 
     // If the key was generated and a PCT has not yet been performed - perform PCT before first use
-    SYMCRYPT_RUN_KEYGEN_PCT(
-        SymCryptEcDsaSignVerifyTest,
+    SYMCRYPT_RUN_KEY_PCT(
+        SymCryptEcDsaPct,
         pKey,
-        SYMCRYPT_SELFTEST_ALGORITHM_ECDSA,
-        SYMCRYPT_SELFTEST_KEY_ECDSA );
+        SYMCRYPT_PCT_ECDSA );
 
     return SymCryptEcDsaSignEx( pKey, pbHashValue, cbHashValue, NULL, format, flags, pbSignature, cbSignature );
 }

lib/eckey.c

@@ -547,11 +547,8 @@ SymCryptEckeySetValue(
                 SymCryptEcDsaSelftest,
                 SYMCRYPT_SELFTEST_ALGORITHM_ECDSA );
 
-            if( pEckey->hasPrivateKey )
-            {
-                // We do not need to run an ECDSA PCT on import, indicate that the test has been run
-                pEckey->fAlgorithmInfo |= SYMCRYPT_SELFTEST_KEY_ECDSA;
-            }
+            // ECDSA PCT is deferred until the key is used or exported - see SymCryptEcDsaSign and
+            // SymCryptEckeyGetValue
         }
 
         if ( ( flags & SYMCRYPT_FLAG_ECKEY_ECDH ) != 0 )
@@ -658,11 +655,10 @@ SymCryptEckeyGetValue(
         if ( ((pEckey->fAlgorithmInfo & SYMCRYPT_FLAG_ECKEY_ECDSA) != 0) &&
              ((pEckey->fAlgorithmInfo & SYMCRYPT_FLAG_KEY_NO_FIPS) == 0) )
         {
-            SYMCRYPT_RUN_KEYGEN_PCT(
-                SymCryptEcDsaSignVerifyTest,
+            SYMCRYPT_RUN_KEY_PCT(
+                SymCryptEcDsaPct,
                 pEckey,
-                SYMCRYPT_SELFTEST_ALGORITHM_ECDSA,
-                SYMCRYPT_SELFTEST_KEY_ECDSA );
+                SYMCRYPT_PCT_ECDSA );
         }
 
         // Copy the key into the temporary integer