Merged PR 11162679: Fix DATA annotations on Windows .def files

## Description:

+ Add DATA annotation to data exports in symcrypt.dll .def file, and to a few data exports missed from symcrypttestmodule.dll. This primarily fixes use of Arm64X .dlls when loaded from an emulated AMD64 process.
+ Remove outdated DH comment (today we do input validation when importing DH keys unless the caller explicitly opts out of doing those validations)

Related work items: #50915485

Author: samuel-lee-msft

doc/breaking_changes.md

@@ -24,4 +24,7 @@ buffers (e.g. SymCryptRsakeyCreate).
 This is a potentially ABI-breaking change on Windows x86.
 
 ### SYMCRYPT_VERSION_API will be renamed to SYMCRYPT_VERSION_MAJOR
-This is for consistency with the Semantic Versioning specification, as well as various tooling.
+This is for consistency with the Semantic Versioning specification, as well as various tooling.
+
+### extern variables defined in SymCrypt headers will be removed and replaced by equivalent getter functions
+This simplifies how we define dynamic module exports in a cross-platform way.

lib/dh.c

@@ -7,80 +7,6 @@
 
 #include "precomp.h"
 
-/*
-Input validation in DH
-
-Jack Lloyd pointed out that we do not have any validation of the public key in our SymCryptDhSecretAgreement
-function. In particular, he suggested verifying that Y is not 0, 1, or P-1. This seems a natural improvement,
-but things get a little bit more complicated.
-
-The primary purpose of SymCrypt is to be the core crypto library for Windows. The original Windows DH code dates
-back to the 20th century, and SymCrypt has to be compatible. Adding a new check on Y, rejecting inputs that used
-to work, is a big problem because something, somewhere, will break, and customers really don't like that.
-To maintain backward compatibility we don't introduce breaking API changes unless we have a compelling reason.
-So the question is: is there a compelling reason to veryfy that Y is not 0, 1, or P-1?
-
-First, let's look at validation and authentication in a DH exchange. We'll use P for the group prime, G for
-the generator, Q for the order of G mod P, Y for the public key, and x for the private key. The shared secret
-S = Y^x mod P.
-
-The group parameters (P, G, Q) need to be properly chosen. Malicous group parameters destroy the security of DH.
-Proper validation is:
-    - P is a prime of the right size (e.g. 2048 bits)
-    - Q is a prime of the right size (e.g. 256 bits, or 2047 bits)
-    - Q is a divisor of P-1
-    - 2 <= G < P
-    - G^Q mod P = 1
-In some protocols the value of Q is not provided, which makes checking G much more complicated.
-
-These validations are far too expensive to perform for every DH exchange. And in almost all protocols there is no
-need to validate them. Some protocols use trusted group parameters that are part of the code. Other protocols have
-one party authenticate the selected group parameters. (If a party authenticates bad group parameters then it is
-malicous, and there is no point in trying to be secure when one of the parties involved is malicious.)
-In practical terms, a protocol that uses DH with attacker-modifyable group parameters is simply insecure.
-
-Now let's look at the public key Y. The recipient computes S := Y^x mod P. There are various unsuitable values that
-the attacker can send instead of Y
-    - Y = 0 leads to S = 0
-    - Y = 1 leads to S = 1
-    - Y = P-1 leads to S = 1 or P-1
-    - a Y with small order modulo P leads to S being in a small set of known values
-    - Y could be outside the subgroup generated by G. This is a breach of the protocol, but absent Y being in
-        a small subgroup it is unclear whether this is a security issue.
-If P is a 'safe' prime where Q = (P-1)/2 and Q is prime, there are no small subgroups apart from {1, P-1}.
-However, many DH systems use DSA-like group structures for efficiency (the private key is smaller)
-and those are not 'safe' primes so this only helps in some cases.
-
-Let's see under what circumstances checking Y = 0, 1, or P-1 would help an application:
-    - The group parameters are trusted or authenticated.
-    - The group mod P does not have any small subgroups.
-    - The protocol does not authenticate the public key Y
-    - The protocol does authenticate S.
-The last item is crucual. If S is not authenticated then an attacker can simply replace Y with its own G^z mod P
-and use the private key z to recover S, so adding checks for Y in {0,1,P-1} would not fix the problem.
-
-We are not aware of any of our products that uses DH in this way. The closest we can think of are some old secure
-phones that would do a DH exchange and then authenticate S by having the parties verify a few digits of Hash(S) by
-voice.
-
-One imporant case to check is TLS which supports the DHE-RSA cipher suites.
-In TLS the DHE_RSA cipher suite uses DH. The server's DH public key is authenticated by the server's signature.
-Typically there is no client authentication. The client can't be fooled because of the server's signature, but
-the attacker could set the client's DH public key and force the server to a known shared secret. But the attacker
-could also just send a proper Y corresponding to its own private key and achieve the same effect, so the proposed
-new checks don't actually help. Furthermore, without client authentication the attacker could just be the client.
-If client authentication is used, the client signs the client's DH public key, so there is no problem at all.
-
-Conclusion:
-DH is hard to use right, and the protocol implementation has to consider many things. Y = 0, 1, or P-1 is just
-one of many potential problems. Most protocol countermeasures against the other attacks also protect against the
-Y = 0, 1, or P-1 issue. Absent a more concrete security problem with Y = 0, 1, or P-1 we do not see a
-justification for making a backward-incompatible change at this layer of the code.
-
-Niels, 20190704
-
- */
-
 SYMCRYPT_ERROR
 SYMCRYPT_CALL
 SymCryptDhSecretAgreement(

modules/windows/user/symcrypt.def

@@ -1,19 +1,62 @@
 NAME symcrypt.dll
 
 EXPORTS
-    SymCrypt3DesBlockCipher
+    SymCrypt3DesBlockCipher         DATA
+    SymCryptAesBlockCipher          DATA
+    SymCryptAesCmacAlgorithm        DATA
+    SymCryptDesBlockCipher          DATA
+    SymCryptDesxBlockCipher         DATA
+    SymCryptEcurveParamsCurve25519  DATA
+    SymCryptEcurveParamsNistP192    DATA
+    SymCryptEcurveParamsNistP224    DATA
+    SymCryptEcurveParamsNistP256    DATA
+    SymCryptEcurveParamsNistP384    DATA
+    SymCryptEcurveParamsNistP521    DATA
+    SymCryptEcurveParamsNumsP256t1  DATA
+    SymCryptEcurveParamsNumsP384t1  DATA
+    SymCryptEcurveParamsNumsP512t1  DATA
+    SymCryptHmacMd5Algorithm        DATA
+    SymCryptHmacSha1Algorithm       DATA
+    SymCryptHmacSha256Algorithm     DATA
+    SymCryptHmacSha3_256Algorithm   DATA
+    SymCryptHmacSha3_384Algorithm   DATA
+    SymCryptHmacSha3_512Algorithm   DATA
+    SymCryptHmacSha384Algorithm     DATA
+    SymCryptHmacSha512Algorithm     DATA
+    SymCryptKmac128Algorithm        DATA
+    SymCryptKmac256Algorithm        DATA
+    SymCryptMarvin32DefaultSeed     DATA
+    SymCryptMd2Algorithm            DATA
+    SymCryptMd4Algorithm            DATA
+    SymCryptMd5Algorithm            DATA
+    SymCryptMd5OidList              DATA
+    SymCryptRc2BlockCipher          DATA
+    SymCryptSha1Algorithm           DATA
+    SymCryptSha1OidList             DATA
+    SymCryptSha256Algorithm         DATA
+    SymCryptSha256OidList           DATA
+    SymCryptSha3_256Algorithm       DATA
+    SymCryptSha3_256OidList         DATA
+    SymCryptSha3_384Algorithm       DATA
+    SymCryptSha3_384OidList         DATA
+    SymCryptSha3_512Algorithm       DATA
+    SymCryptSha3_512OidList         DATA
+    SymCryptSha384Algorithm         DATA
+    SymCryptSha384OidList           DATA
+    SymCryptSha512Algorithm         DATA
+    SymCryptSha512OidList           DATA
+    SymCryptShake128HashAlgorithm   DATA
+    SymCryptShake256HashAlgorithm   DATA
     SymCrypt3DesCbcDecrypt
     SymCrypt3DesCbcEncrypt
     SymCrypt3DesDecrypt
     SymCrypt3DesEncrypt
     SymCrypt3DesExpandKey
     SymCrypt3DesSelftest
-    SymCryptAesBlockCipher
     SymCryptAesCbcDecrypt
     SymCryptAesCbcEncrypt
     SymCryptAesCbcMac
     SymCryptAesCmac
-    SymCryptAesCmacAlgorithm
     SymCryptAesCmacAppend
     SymCryptAesCmacExpandKey
     SymCryptAesCmacInit
@@ -67,12 +110,10 @@ EXPORTS
     SymCryptCShake256StateCopy
     SymCryptCtrMsb64
     SymCryptDeprecatedStatusIndicator
-    SymCryptDesBlockCipher
     SymCryptDesDecrypt
     SymCryptDesEncrypt
     SymCryptDesExpandKey
     SymCryptDesSelftest
-    SymCryptDesxBlockCipher
     SymCryptDesxDecrypt
     SymCryptDesxEncrypt
     SymCryptDesxExpandKey
@@ -134,15 +175,6 @@ EXPORTS
     SymCryptEcurveHighBitRestrictionPosition
     SymCryptEcurveHighBitRestrictionValue
     SymCryptEcurveIsSame
-    SymCryptEcurveParamsCurve25519
-    SymCryptEcurveParamsNistP192
-    SymCryptEcurveParamsNistP224
-    SymCryptEcurveParamsNistP256
-    SymCryptEcurveParamsNistP384
-    SymCryptEcurveParamsNistP521
-    SymCryptEcurveParamsNumsP256t1
-    SymCryptEcurveParamsNumsP384t1
-    SymCryptEcurveParamsNumsP512t1
     SymCryptEcurvePrivateKeyDefaultFormat
     SymCryptEcurveSizeofFieldElement
     SymCryptEcurveSizeofScalarMultiplier
@@ -175,7 +207,6 @@ EXPORTS
     SymCryptHkdfPrkExpandKey
     SymCryptHkdfSelfTest
     SymCryptHmacMd5
-    SymCryptHmacMd5Algorithm
     SymCryptHmacMd5Append
     SymCryptHmacMd5ExpandKey
     SymCryptHmacMd5Init
@@ -184,7 +215,6 @@ EXPORTS
     SymCryptHmacMd5Selftest
     SymCryptHmacMd5StateCopy
     SymCryptHmacSha1
-    SymCryptHmacSha1Algorithm
     SymCryptHmacSha1Append
     SymCryptHmacSha1ExpandKey
     SymCryptHmacSha1Init
@@ -193,7 +223,6 @@ EXPORTS
     SymCryptHmacSha1Selftest
     SymCryptHmacSha1StateCopy
     SymCryptHmacSha256
-    SymCryptHmacSha256Algorithm
     SymCryptHmacSha256Append
     SymCryptHmacSha256ExpandKey
     SymCryptHmacSha256Init
@@ -202,7 +231,6 @@ EXPORTS
     SymCryptHmacSha256Selftest
     SymCryptHmacSha256StateCopy
     SymCryptHmacSha3_256
-    SymCryptHmacSha3_256Algorithm
     SymCryptHmacSha3_256Append
     SymCryptHmacSha3_256ExpandKey
     SymCryptHmacSha3_256Init
@@ -211,7 +239,6 @@ EXPORTS
     SymCryptHmacSha3_256Selftest
     SymCryptHmacSha3_256StateCopy
     SymCryptHmacSha3_384
-    SymCryptHmacSha3_384Algorithm
     SymCryptHmacSha3_384Append
     SymCryptHmacSha3_384ExpandKey
     SymCryptHmacSha3_384Init
@@ -220,7 +247,6 @@ EXPORTS
     SymCryptHmacSha3_384Selftest
     SymCryptHmacSha3_384StateCopy
     SymCryptHmacSha3_512
-    SymCryptHmacSha3_512Algorithm
     SymCryptHmacSha3_512Append
     SymCryptHmacSha3_512ExpandKey
     SymCryptHmacSha3_512Init
@@ -229,7 +255,6 @@ EXPORTS
     SymCryptHmacSha3_512Selftest
     SymCryptHmacSha3_512StateCopy
     SymCryptHmacSha384
-    SymCryptHmacSha384Algorithm
     SymCryptHmacSha384Append
     SymCryptHmacSha384ExpandKey
     SymCryptHmacSha384Init
@@ -238,7 +263,6 @@ EXPORTS
     SymCryptHmacSha384Selftest
     SymCryptHmacSha384StateCopy
     SymCryptHmacSha512
-    SymCryptHmacSha512Algorithm
     SymCryptHmacSha512Append
     SymCryptHmacSha512ExpandKey
     SymCryptHmacSha512Init
@@ -247,7 +271,6 @@ EXPORTS
     SymCryptHmacSha512Selftest
     SymCryptHmacSha512StateCopy
     SymCryptKmac128
-    SymCryptKmac128Algorithm
     SymCryptKmac128Append
     SymCryptKmac128Ex
     SymCryptKmac128ExpandKey
@@ -260,7 +283,6 @@ EXPORTS
     SymCryptKmac128Selftest
     SymCryptKmac128StateCopy
     SymCryptKmac256
-    SymCryptKmac256Algorithm
     SymCryptKmac256Append
     SymCryptKmac256Ex
     SymCryptKmac256ExpandKey
@@ -279,15 +301,13 @@ EXPORTS
     SymCryptMapUint32
     SymCryptMarvin32
     SymCryptMarvin32Append
-    SymCryptMarvin32DefaultSeed
     SymCryptMarvin32ExpandSeed
     SymCryptMarvin32Init
     SymCryptMarvin32Result
     SymCryptMarvin32SeedCopy
     SymCryptMarvin32Selftest
     SymCryptMarvin32StateCopy
     SymCryptMd2
-    SymCryptMd2Algorithm
     SymCryptMd2Append
     SymCryptMd2Init
     SymCryptMd2Result
@@ -296,7 +316,6 @@ EXPORTS
     SymCryptMd2StateExport
     SymCryptMd2StateImport
     SymCryptMd4
-    SymCryptMd4Algorithm
     SymCryptMd4Append
     SymCryptMd4Init
     SymCryptMd4Result
@@ -305,10 +324,8 @@ EXPORTS
     SymCryptMd4StateExport
     SymCryptMd4StateImport
     SymCryptMd5
-    SymCryptMd5Algorithm
     SymCryptMd5Append
     SymCryptMd5Init
-    SymCryptMd5OidList
     SymCryptMd5Result
     SymCryptMd5Selftest
     SymCryptMd5StateCopy
@@ -338,7 +355,6 @@ EXPORTS
     SymCryptPoly1305Selftest
     SymCryptProvideEntropy
     SymCryptRandom
-    SymCryptRc2BlockCipher
     SymCryptRc2Decrypt
     SymCryptRc2Encrypt
     SymCryptRc2ExpandKey
@@ -391,67 +407,53 @@ EXPORTS
     SymCryptSessionReceiverInit
     SymCryptSessionSenderInit
     SymCryptSha1
-    SymCryptSha1Algorithm
     SymCryptSha1Append
     SymCryptSha1Init
-    SymCryptSha1OidList
     SymCryptSha1Result
     SymCryptSha1Selftest
     SymCryptSha1StateCopy
     SymCryptSha1StateExport
     SymCryptSha1StateImport
     SymCryptSha256
-    SymCryptSha256Algorithm
     SymCryptSha256Append
     SymCryptSha256Init
-    SymCryptSha256OidList
     SymCryptSha256Result
     SymCryptSha256Selftest
     SymCryptSha256StateCopy
     SymCryptSha256StateExport
     SymCryptSha256StateImport
     SymCryptSha3_256
-    SymCryptSha3_256Algorithm
     SymCryptSha3_256Append
     SymCryptSha3_256Init
-    SymCryptSha3_256OidList
     SymCryptSha3_256Result
     SymCryptSha3_256StateCopy
     SymCryptSha3_256StateExport
     SymCryptSha3_256StateImport
     SymCryptSha3_384
-    SymCryptSha3_384Algorithm
     SymCryptSha3_384Append
     SymCryptSha3_384Init
-    SymCryptSha3_384OidList
     SymCryptSha3_384Result
     SymCryptSha3_384StateCopy
     SymCryptSha3_384StateExport
     SymCryptSha3_384StateImport
     SymCryptSha3_512
-    SymCryptSha3_512Algorithm
     SymCryptSha3_512Append
     SymCryptSha3_512Init
-    SymCryptSha3_512OidList
     SymCryptSha3_512Result
     SymCryptSha3_512StateCopy
     SymCryptSha3_512StateExport
     SymCryptSha3_512StateImport
     SymCryptSha384
-    SymCryptSha384Algorithm
     SymCryptSha384Append
     SymCryptSha384Init
-    SymCryptSha384OidList
     SymCryptSha384Result
     SymCryptSha384Selftest
     SymCryptSha384StateCopy
     SymCryptSha384StateExport
     SymCryptSha384StateImport
     SymCryptSha512
-    SymCryptSha512Algorithm
     SymCryptSha512Append
     SymCryptSha512Init
-    SymCryptSha512OidList
     SymCryptSha512Result
     SymCryptSha512Selftest
     SymCryptSha512StateCopy
@@ -461,7 +463,6 @@ EXPORTS
     SymCryptShake128Append
     SymCryptShake128Default
     SymCryptShake128Extract
-    SymCryptShake128HashAlgorithm
     SymCryptShake128Init
     SymCryptShake128Result
     SymCryptShake128Selftest
@@ -470,7 +471,6 @@ EXPORTS
     SymCryptShake256Append
     SymCryptShake256Default
     SymCryptShake256Extract
-    SymCryptShake256HashAlgorithm
     SymCryptShake256Init
     SymCryptShake256Result
     SymCryptShake256Selftest