Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Could SCOSSL_set_trace_level be exported by e_scossl.h? #95

Open
achamayou opened this issue Nov 13, 2024 · 3 comments
Open

Could SCOSSL_set_trace_level be exported by e_scossl.h? #95

achamayou opened this issue Nov 13, 2024 · 3 comments

Comments

@achamayou
Copy link
Member

We have found in our testing on Azure Linux 3.0, using SymCrypt-OpenSSL, that failed signature verification produced verbose logging that we do not wish to emit (microsoft/CCF#6593).

Inlined for convenience:

[ERROR] error:41080106:SCOSSL::passed invalid argument:Decoded content length does not fit in derField buffer. pbDerField [0x55ebfc892490, 0x55ebfc8924f8), pbContent [0x55ebfc892492, 0x55ebfc8924f9) at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 285
[ERROR] error:410C0107:SCOSSL::operation fail:scossl_ecdsa_remove_der failed at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 586
[ERROR] error:41080106:SCOSSL::passed invalid argument:Decoded content length does not fit in derField buffer. pbDerField [0x55ebfc85cc30, 0x55ebfc85cc77), pbContent [0x55ebfc85cc32, 0x55ebfc85cc78) at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 285
[ERROR] error:410C0107:SCOSSL::operation fail:scossl_ecdsa_remove_der failed at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 586
[ERROR] error:41080106:SCOSSL::passed invalid argument:cbR (48) or cbS (48) too big for cbSymCryptSignature (64) at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 400
[ERROR] error:410C0107:SCOSSL::operation fail:scossl_ecdsa_remove_der failed at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 586

It looks like we could control that with SCOSSL_set_trace_level(), but the public headers are unfortunately very restricted (https://github.com/microsoft/SymCrypt-OpenSSL/blob/main/SymCryptEngine/inc/e_scossl.h) and do not include it.

Could that call be exposed, or the logging level for those messages revised?
@maxtropets maxtropets mentioned this issue Nov 14, 2024
Open
@mamckee
Copy link
Collaborator

mamckee commented Nov 14, 2024

I can add this to the existing PR for logging updates. The PR currently exposes this functionality for the provider but not the engine. By default, logging level will be off.

#92

@achamayou
Copy link
Member Author

@mamckee changing the default to off would solve our problem, and having this functionality on the provider sounds perfect, thank you! What's the header/call to set the log level on the provider? Do we need to do anything special to make sure the Azure Linux package exposes the header?

@mamckee
Copy link
Collaborator

mamckee commented Nov 14, 2024

The logging level will be settable from the config (/etc/pki/tls/symcrypt_prov.cnf on AZL3). These values can be set under symcrypt_prov_sect: https://github.com/microsoft/SymCrypt-OpenSSL/blob/8578c5954d0f15b11d4f88a30d2658fb9958ec88/SymCryptProvider/src/p_scossl_base.c#L18C1-L21C39

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@achamayou @mamckee