Update error handling and debug logging (#92)

* Add RSA fallback test * Update error function codes to match refactor * Surface SymCrypt errors from provider * Allow logging configuration * Add debug logging to keysinuse init * Add RSA and ECC keysinuse debug logs * PR comments * Add FIPS compliance logging to unpadded RSA encrypt/decrypt * PR comments * Create separate provider loggin calls without func code
microsoft · Jan 15, 2025 · e60a335 · e60a335
1 parent a8e9f21
commit e60a335
Show file tree

Hide file tree

Showing 38 changed files with 836 additions and 623 deletions.
diff --git a/ScosslCommon/inc/scossl_helpers.h b/ScosslCommon/inc/scossl_helpers.h
@@ -43,7 +43,7 @@ typedef _Return_type_success_(return >= 0) int SCOSSL_RETURNLENGTH; // For funct
 // pointer before using it with SymCrypt.
 //
 // In the SCOSSL provider, it is our responsibility to perform the allocation and free ourselves.
-// Here we allocate SYMCRYPT_ALIGN_VALUE extra bytes, and store the offset into our allocation in the byte before the aligned 
+// Here we allocate SYMCRYPT_ALIGN_VALUE extra bytes, and store the offset into our allocation in the byte before the aligned
 // pointer we use in SymCrypt. On free, we look at the byte before the aligned pointer we have been using, to determine the start
 // of the allocation and free it correctly.
 //
@@ -91,62 +91,94 @@ void scossl_destroy_logging();
 
 // SCOSSL function codes
 typedef enum {
+    // ScosslCommon
     SCOSSL_ERR_F_ENUM_START= 100,
     SCOSSL_ERR_F_AES_CCM_CIPHER,
-    SCOSSL_ERR_F_AES_CCM_CTRL,
+    SCOSSL_ERR_F_AES_CCM_SET_IV_FIXED,
+    SCOSSL_ERR_F_AES_CCM_SET_IV_LEN,
+    SCOSSL_ERR_F_AES_CCM_SET_TLS1_AAD,
     SCOSSL_ERR_F_AES_CCM_TLS,
-    SCOSSL_ERR_F_AES_GCM_CTRL,
+    SCOSSL_ERR_F_AES_GCM_CIPHER,
+    SCOSSL_ERR_F_AES_GCM_IV_GEN,
+    SCOSSL_ERR_F_AES_GCM_SET_IV_FIXED,
+    SCOSSL_ERR_F_AES_GCM_SET_IV_INV,
+    SCOSSL_ERR_F_AES_GCM_SET_IV_LEN,
+    SCOSSL_ERR_F_AES_GCM_SET_TLS1_AAD,
     SCOSSL_ERR_F_AES_GCM_TLS,
-    SCOSSL_ERR_F_AES_XTS_CIPHER,
-    SCOSSL_ERR_F_AES_XTS_CTRL,
-    SCOSSL_ERR_F_DH_COMPUTE_KEY,
-    SCOSSL_ERR_F_DH_GENERATE_KEY,
     SCOSSL_ERR_F_DH_GENERATE_KEYPAIR,
+    SCOSSL_ERR_F_DH_GET_GROUP_BY_NID,
     SCOSSL_ERR_F_DH_IMPORT_KEYPAIR,
-    SCOSSL_ERR_F_DIGESTS,
-    SCOSSL_ERR_F_ECC_GENERATE_KEYPAIR,
-    SCOSSL_ERR_F_ECC_IMPORT_KEYPAIR,
+    SCOSSL_ERR_F_ECC_GROUP_TO_SYMCRYPT_CURVE,
+    SCOSSL_ERR_F_ECC_POINT_TO_PUBKEY,
     SCOSSL_ERR_F_ECDSA_APPLY_DER,
     SCOSSL_ERR_F_ECDSA_DER_CHECK_TAG_AND_GET_VALUE_AND_LENGTH,
     SCOSSL_ERR_F_ECDSA_REMOVE_DER,
-    SCOSSL_ERR_F_ECKEY_COMPUTE_KEY,
-    SCOSSL_ERR_F_ECKEY_KEYGEN,
-    SCOSSL_ERR_F_ECKEY_SIGN,
-    SCOSSL_ERR_F_ECKEY_SIGN_SETUP,
-    SCOSSL_ERR_F_ECKEY_SIGN_SIG,
-    SCOSSL_ERR_F_ECKEY_VERIFY,
-    SCOSSL_ERR_F_ECKEY_VERIFY_SIG,
-    SCOSSL_ERR_F_GET_DH_CONTEXT_EX,
-    SCOSSL_ERR_F_GET_ECC_CONTEXT_EX,
+    SCOSSL_ERR_F_ECDSA_SIGN,
+    SCOSSL_ERR_F_ECDSA_VERIFY,
     SCOSSL_ERR_F_GET_SYMCRYPT_HASH_ALGORITHM,
     SCOSSL_ERR_F_GET_SYMCRYPT_MAC_ALGORITHM,
-    SCOSSL_ERR_F_HKDF_CTRL,
     SCOSSL_ERR_F_HKDF_DERIVE,
-    SCOSSL_ERR_F_HKDF_INIT,
-    SCOSSL_ERR_F_INITIALIZE_RSA_KEY,
-    SCOSSL_ERR_F_PKEY_METHODS,
-    SCOSSL_ERR_F_PKEY_RSA_SIGN,
-    SCOSSL_ERR_F_PKEY_RSA_VERIFY,
-    SCOSSL_ERR_F_RSA_INIT,
-    SCOSSL_ERR_F_RSA_KEYGEN,
-    SCOSSL_ERR_F_RSA_PRIV_DEC,
-    SCOSSL_ERR_F_RSA_PRIV_ENC,
-    SCOSSL_ERR_F_RSA_PUB_DEC,
-    SCOSSL_ERR_F_RSA_PUB_ENC,
-    SCOSSL_ERR_F_RSA_SIGN,
-    SCOSSL_ERR_F_RSA_VERIFY,
+    SCOSSL_ERR_F_MAC_INIT,
+    SCOSSL_ERR_F_MAC_SET_HMAC_MD,
+    SCOSSL_ERR_F_RSA_DECRYPT,
+    SCOSSL_ERR_F_RSA_ENCRYPT,
+    SCOSSL_ERR_F_RSA_EXPORT_KEY,
+    SCOSSL_ERR_F_RSA_NEW_EXPORT_PARAMS,
+    SCOSSL_ERR_F_RSA_PKCS1_SIGN,
+    SCOSSL_ERR_F_RSA_PKCS1_VERIFY,
     SCOSSL_ERR_F_RSAPSS_SIGN,
     SCOSSL_ERR_F_RSAPSS_VERIFY,
-    SCOSSL_ERR_F_TLS1PRF_CTRL,
-    SCOSSL_ERR_F_TLS1PRF_DERIVE,
-    SCOSSL_ERR_F_TLS1PRF_INIT,
-    SCOSSL_ERR_F_HMAC_INIT,
-    SCOSSL_ERR_F_HMAC_CTRL,
-    SCOSSL_ERR_F_HMAC_CTRL_STR,
-    SCOSSL_ERR_F_SSHKDF_NEW,
-    SCOSSL_ERR_F_SSHKDF_CTRL,
-    SCOSSL_ERR_F_SSHKDF_CTRL_STR,
     SCOSSL_ERR_F_SSHKDF_DERIVE,
+    SCOSSL_ERR_F_TLS1PRF_DERIVE,
+    // SymCryptEngine
+    SCOSSL_ERR_F_ENG_AES_CCM_CTRL,
+    SCOSSL_ERR_F_ENG_AES_GCM_CTRL,
+    SCOSSL_ERR_F_ENG_AES_XTS_CIPHER,
+    SCOSSL_ERR_F_ENG_AES_XTS_CTRL,
+    SCOSSL_ERR_F_ENG_DH_COMPUTE_KEY,
+    SCOSSL_ERR_F_ENG_DH_GENERATE_KEY,
+    SCOSSL_ERR_F_ENG_DH_GENERATE_KEYPAIR,
+    SCOSSL_ERR_F_ENG_DH_IMPORT_KEYPAIR,
+    SCOSSL_ERR_F_ENG_DIGESTS,
+    SCOSSL_ERR_F_ENG_ECC_GENERATE_KEYPAIR,
+    SCOSSL_ERR_F_ENG_ECC_IMPORT_KEYPAIR,
+    SCOSSL_ERR_F_ENG_ECKEY_COMPUTE_KEY,
+    SCOSSL_ERR_F_ENG_ECKEY_KEYGEN,
+    SCOSSL_ERR_F_ENG_ECKEY_SIGN,
+    SCOSSL_ERR_F_ENG_ECKEY_SIGN_SETUP,
+    SCOSSL_ERR_F_ENG_ECKEY_SIGN_SIG,
+    SCOSSL_ERR_F_ENG_ECKEY_VERIFY,
+    SCOSSL_ERR_F_ENG_ECKEY_VERIFY_SIG,
+    SCOSSL_ERR_F_ENG_GET_DH_CONTEXT_EX,
+    SCOSSL_ERR_F_ENG_GET_ECC_CONTEXT_EX,
+    SCOSSL_ERR_F_ENG_GET_SYMCRYPT_HASH_ALGORITHM,
+    SCOSSL_ERR_F_ENG_HKDF_CTRL,
+    SCOSSL_ERR_F_ENG_HKDF_DERIVE,
+    SCOSSL_ERR_F_ENG_HKDF_INIT,
+    SCOSSL_ERR_F_ENG_HMAC_COPY,
+    SCOSSL_ERR_F_ENG_HMAC_CTRL,
+    SCOSSL_ERR_F_ENG_HMAC_INIT,
+    SCOSSL_ERR_F_ENG_INITIALIZE_RSA_KEY,
+    SCOSSL_ERR_F_ENG_PKEY_METHODS,
+    SCOSSL_ERR_F_ENG_PKEY_RSA_SIGN,
+    SCOSSL_ERR_F_ENG_PKEY_RSA_VERIFY,
+    SCOSSL_ERR_F_ENG_PKEY_RSAPSS_VERIFY,
+    SCOSSL_ERR_F_ENG_RSA_INIT,
+    SCOSSL_ERR_F_ENG_RSA_KEYGEN,
+    SCOSSL_ERR_F_ENG_RSA_PRIV_DEC,
+    SCOSSL_ERR_F_ENG_RSA_PRIV_ENC,
+    SCOSSL_ERR_F_ENG_RSA_PUB_DEC,
+    SCOSSL_ERR_F_ENG_RSA_PUB_ENC,
+    SCOSSL_ERR_F_ENG_RSA_SIGN,
+    SCOSSL_ERR_F_ENG_RSA_VERIFY,
+    SCOSSL_ERR_F_ENG_RSAPSS_SIGN,
+    SCOSSL_ERR_F_ENG_RSAPSS_VERIFY,
+    SCOSSL_ERR_F_ENG_SSHKDF_CTRL,
+    SCOSSL_ERR_F_ENG_SSHKDF_CTRL_STR,
+    SCOSSL_ERR_F_ENG_SSHKDF_DERIVE,
+    SCOSSL_ERR_F_ENG_SSHKDF_NEW,
+    SCOSSL_ERR_F_ENG_TLS1PRF_CTRL,
+    SCOSSL_ERR_F_ENG_TLS1PRF_INIT,
     SCOSSL_ERR_F_ENUM_END
 } SCOSSL_ERR_FUNC;
 
@@ -158,6 +190,7 @@ typedef enum {
     SCOSSL_ERR_R_NOT_FIPS_ALGORITHM,
     SCOSSL_ERR_R_OPENSSL_FALLBACK,
     SCOSSL_ERR_R_SYMCRYPT_FAILURE,
+    SCOSSL_ERR_R_KEYSINUSE_FAILURE,
     SCOSSL_ERR_R_ENUM_END
 } SCOSSL_ERR_REASON;
 
@@ -179,19 +212,9 @@ void _scossl_log_bytes(
     int len,
     const char *format, ...);
 
-void _scossl_log_bignum(
-    int trace_level,
-    SCOSSL_ERR_FUNC func_code,
-    SCOSSL_ERR_REASON reason_code,
-    const char *file,
-    int line,
-    char *description,
-    BIGNUM *bn);
-
 void _scossl_log_SYMCRYPT_ERROR(
     int trace_level,
     SCOSSL_ERR_FUNC func_code,
-    SCOSSL_ERR_REASON reason_code,
     const char *file,
     int line,
     char *description,
@@ -211,26 +234,18 @@ void _scossl_log_SYMCRYPT_ERROR(
     #define SCOSSL_LOG_BYTES_INFO(func_code, reason_code, description, s, len) \
         _scossl_log_bytes(SCOSSL_LOG_LEVEL_INFO, func_code, reason_code, __FILE__, __LINE__, (const char*) s, len, description)
 
-    #define SCOSSL_LOG_BIGNUM_DEBUG(func_code, reason_code, description, bn) \
-        _scossl_log_bignum(SCOSSL_LOG_LEVEL_DEBUG, func_code, reason_code, __FILE__, __LINE__, description, bn)
-
-    #define SCOSSL_LOG_BIGNUM_INFO(func_code, reason_code, description, s, len) \
-        _scossl_log_bignum(SCOSSL_LOG_LEVEL_INFO, func_code, reason_code, __FILE__, __LINE__, description, bn)
+    #define SCOSSL_LOG_SYMCRYPT_DEBUG(func_code, description, scError) \
+        _scossl_log_SYMCRYPT_ERROR(SCOSSL_LOG_LEVEL_DEBUG, func_code, __FILE__, __LINE__, description, scError)
 
-    #define SCOSSL_LOG_SYMCRYPT_DEBUG(func_code, reason_code, description, scError) \
-        _scossl_log_SYMCRYPT_ERROR(SCOSSL_LOG_LEVEL_DEBUG, func_code, reason_code, __FILE__, __LINE__, description, scError)
-
-    #define SCOSSL_LOG_SYMCRYPT_INFO(func_code, reason_code, description, scError) \
-        _scossl_log_SYMCRYPT_ERROR(SCOSSL_LOG_LEVEL_INFO, func_code, reason_code, __FILE__, __LINE__, description, scError)
+    #define SCOSSL_LOG_SYMCRYPT_INFO(func_code, description, scError) \
+        _scossl_log_SYMCRYPT_ERROR(SCOSSL_LOG_LEVEL_INFO, func_code, __FILE__, __LINE__, description, scError)
 #else
     #define SCOSSL_LOG_DEBUG(func_code, reason_code, ...)
     #define SCOSSL_LOG_INFO(func_code, reason_code, ...)
     #define SCOSSL_LOG_BYTES_DEBUG(func_code, reason_code, description, s, len)
     #define SCOSSL_LOG_BYTES_INFO(func_code, reason_code, description, s, len)
-    #define SCOSSL_LOG_BIGNUM_DEBUG(func_code, reason_code, description, bn)
-    #define SCOSSL_LOG_BIGNUM_INFO(func_code, reason_code, description, s, len)
-    #define SCOSSL_LOG_SYMCRYPT_DEBUG(func_code, reason_code, description, scError)
-    #define SCOSSL_LOG_SYMCRYPT_INFO(func_code, reason_code, description, scError)
+    #define SCOSSL_LOG_SYMCRYPT_DEBUG(func_code, description, scError)
+    #define SCOSSL_LOG_SYMCRYPT_INFO(func_code, description, scError)
 #endif
 
 #define SCOSSL_LOG_ERROR(func_code, reason_code, ...) \
@@ -239,11 +254,48 @@ void _scossl_log_SYMCRYPT_ERROR(
 #define SCOSSL_LOG_BYTES_ERROR(func_code, reason_code, description, s, len) \
     _scossl_log_bytes(SCOSSL_LOG_LEVEL_ERROR, func_code, reason_code, __FILE__, __LINE__, (const char*) s, len, description)
 
-#define SCOSSL_LOG_BIGNUM_ERROR(func_code, reason_code, description, s, len) \
-    _scossl_log_bignum(SCOSSL_LOG_LEVEL_ERROR, func_code, reason_code, __FILE__, __LINE__, description, bn)
+#define SCOSSL_LOG_SYMCRYPT_ERROR(func_code, description, scError) \
+    _scossl_log_SYMCRYPT_ERROR(SCOSSL_LOG_LEVEL_ERROR, func_code, __FILE__, __LINE__, description, scError)
+
+#if OPENSSL_API_LEVEL >= 30000
+        // Enable debug and info messages in debug builds, but compile them out in release builds
+    #if DBG
+        #define SCOSSL_PROV_LOG_DEBUG(reason_code, ...) \
+            _scossl_log(SCOSSL_LOG_LEVEL_DEBUG, 0, reason_code, __FILE__, __LINE__, __VA_ARGS__)
+
+        #define SCOSSL_PROV_LOG_INFO(reason_code, ...) \
+            _scossl_log(SCOSSL_LOG_LEVEL_INFO, 0, reason_code, __FILE__, __LINE__, __VA_ARGS__)
+
+        #define SCOSSL_PROV_LOG_BYTES_DEBUG(reason_code, description, s, len) \
+            _scossl_log_bytes(SCOSSL_LOG_LEVEL_DEBUG, 0, reason_code, __FILE__, __LINE__, (const char*) s, len, description)
+
+        #define SCOSSL_PROV_LOG_BYTES_INFO(reason_code, description, s, len) \
+            _scossl_log_bytes(SCOSSL_LOG_LEVEL_INFO, 0, reason_code, __FILE__, __LINE__, (const char*) s, len, description)
+
+        #define SCOSSL_PROV_LOG_SYMCRYPT_DEBUG(description, scError) \
+            _scossl_log_SYMCRYPT_ERROR(SCOSSL_LOG_LEVEL_DEBUG, 0, __FILE__, __LINE__, description, scError)
 
-#define SCOSSL_LOG_SYMCRYPT_ERROR(func_code, reason_code, description, scError) \
-    _scossl_log_SYMCRYPT_ERROR(SCOSSL_LOG_LEVEL_ERROR, func_code, reason_code, __FILE__, __LINE__, description, scError)
+        #define SCOSSL_PROV_LOG_SYMCRYPT_INFO(description, scError) \
+            _scossl_log_SYMCRYPT_ERROR(SCOSSL_LOG_LEVEL_INFO, 0, __FILE__, __LINE__, description, scError)
+    #else
+        #define SCOSSL_PROV_LOG_DEBUG(reason_code, ...)
+        #define SCOSSL_PROV_LOG_INFO(reason_code, ...)
+        #define SCOSSL_PROV_LOG_BYTES_DEBUG(reason_code, description, s, len)
+        #define SCOSSL_PROV_LOG_BYTES_INFO(reason_code, description, s, len)
+        #define SCOSSL_PROV_LOG_SYMCRYPT_DEBUG(description, scError)
+        #define SCOSSL_PROV_LOG_SYMCRYPT_INFO(description, scError)
+    #endif
+
+    #define SCOSSL_PROV_LOG_ERROR(reason_code, ...) \
+        _scossl_log(SCOSSL_LOG_LEVEL_ERROR, 0, reason_code, __FILE__, __LINE__, __VA_ARGS__)
+
+    #define SCOSSL_PROV_LOG_BYTES_ERROR(reason_code, description, s, len) \
+        _scossl_log_bytes(SCOSSL_LOG_LEVEL_ERROR, 0, reason_code, __FILE__, __LINE__, (const char*) s, len, description)
+
+    #define SCOSSL_PROV_LOG_SYMCRYPT_ERROR(description, scError) \
+        _scossl_log_SYMCRYPT_ERROR(SCOSSL_LOG_LEVEL_ERROR, 0, __FILE__, __LINE__, description, scError)
+
+#endif
 
 //
 // Common helper functions