Ensure service indicator is incremented only once, update RSA and ED25519 to ensure the state is locked

[andrewhop]

Issues:

Resolves P186477736

Description of changes:

Currently the service indicator checks that before != after and multiple approved APIs might call each other. If a lock is missed a lower approved algorithm will increment the count which incorrectly marks the higher level API as approved. This is happening in three spots:

1. Approved API's self tests run and increment the service indicator on first use
2. In Ed25519 sign/verify the calls to SHA were incrementing the indicator
3. In the Ec25519 and RSA keygen the PCT sign/verify was incrementing the count

This change updates the service indicator to enforce before + 1 == after with a debug assert.

Call-outs

This doesn't change the external behavior of the service indicator, what algorithms are approved, or what APIs are approved. The service indicator tests are unchanged. This change just ensures what we expect to be modifying the indicator is in the thing doing the update.

Testing:

The existing service indicator tests cover all approved APIs, and the new requirement that before + 1 = after ensures only one thing per call increments the count.

I took out a lock and verified it failed as expected:

[ RUN      ] ServiceIndicatorTest.ED25519KeyGen
Assertion failed: (before + 1 == after), function TestBody, file service_indicator_test.cc, line 5184.
OPENSSL_armcap=0x3D crypto/crypto_test [shard 8/10]
crypto/crypto_test failed to complete: signal: abort trap

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 80.00000% with 1 line in your changes missing coverage. Please review.

Project coverage is 78.96%. Comparing base (e7bd073) to head (80ecc1d).

Files with missing lines	Patch %	Lines
crypto/curve25519_extra/curve25519_extra.c	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2112      +/-   ##
==========================================
- Coverage   78.97%   78.96%   -0.01%     
==========================================
  Files         611      611              
  Lines      105748   105752       +4     
  Branches    14973    14973              
==========================================
  Hits        83511    83511              
- Misses      21583    21588       +5     
+ Partials      654      653       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[skmcgrail]

You'll want to rebase since Ed25519ph got merged in, but I think we are aligned / should be fixed now in the functions you touched.

[skmcgrail]

Here I thought I got it right in all of the places :)