
Could SCOSSL_set_trace_level be exported by e_scossl.h? #95

Closed
achamayou opened this issue Nov 13, 2024 · 5 comments · Fixed by #92

Comments

@achamayou
Member

We have found in our testing on Azure Linux 3.0, using SymCrypt-OpenSSL, that failed signature verification produced verbose logging that we do not wish to emit (microsoft/CCF#6593).

Inlined for convenience:

[ERROR] error:41080106:SCOSSL::passed invalid argument:Decoded content length does not fit in derField buffer. pbDerField [0x55ebfc892490, 0x55ebfc8924f8), pbContent [0x55ebfc892492, 0x55ebfc8924f9) at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 285
[ERROR] error:410C0107:SCOSSL::operation fail:scossl_ecdsa_remove_der failed at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 586
[ERROR] error:41080106:SCOSSL::passed invalid argument:Decoded content length does not fit in derField buffer. pbDerField [0x55ebfc85cc30, 0x55ebfc85cc77), pbContent [0x55ebfc85cc32, 0x55ebfc85cc78) at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 285
[ERROR] error:410C0107:SCOSSL::operation fail:scossl_ecdsa_remove_der failed at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 586
[ERROR] error:41080106:SCOSSL::passed invalid argument:cbR (48) or cbS (48) too big for cbSymCryptSignature (64) at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 400
[ERROR] error:410C0107:SCOSSL::operation fail:scossl_ecdsa_remove_der failed at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 586

It looks like we could control that with SCOSSL_set_trace_level(), but the public headers are unfortunately very restricted (https://github.com/microsoft/SymCrypt-OpenSSL/blob/main/SymCryptEngine/inc/e_scossl.h) and do not include it.

Could that call be exposed, or the logging level for those messages revised?
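Where a deployment does keep SCOSSL trace logging on, the lines quoted above are easier to monitor as structured records than as raw text. The following parser is an added example, not code from this issue or from the SymCrypt-OpenSSL project; the line format `[LEVEL] error:<hex code>:<lib>:<func>:<reason>:<detail> at <file>, line <n>` is inferred from the quoted lines and is an assumption, and the sample input is constructed from them. It counts how often each reporting site is hit and how many ECDSA DER-signature decodes failed, which is the signal a defender would want to track (a burst of malformed signatures reaching a verifier) without having to read every line.

```python
import os
import re
from collections import Counter

# Constructed sample: the six lines quoted in the issue, plus one unrelated line
# to show that non-matching input is skipped rather than mis-parsed.
SAMPLE_LOG = """\
[ERROR] error:41080106:SCOSSL::passed invalid argument:Decoded content length does not fit in derField buffer. pbDerField [0x55ebfc892490, 0x55ebfc8924f8), pbContent [0x55ebfc892492, 0x55ebfc8924f9) at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 285
[ERROR] error:410C0107:SCOSSL::operation fail:scossl_ecdsa_remove_der failed at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 586
[ERROR] error:41080106:SCOSSL::passed invalid argument:Decoded content length does not fit in derField buffer. pbDerField [0x55ebfc85cc30, 0x55ebfc85cc77), pbContent [0x55ebfc85cc32, 0x55ebfc85cc78) at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 285
[ERROR] error:410C0107:SCOSSL::operation fail:scossl_ecdsa_remove_der failed at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 586
[ERROR] error:41080106:SCOSSL::passed invalid argument:cbR (48) or cbS (48) too big for cbSymCryptSignature (64) at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 400
[ERROR] error:410C0107:SCOSSL::operation fail:scossl_ecdsa_remove_der failed at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 586
[INFO] unrelated line that is not an SCOSSL trace record
"""

# Assumed line format (inferred from the quoted lines, not documented by the project):
# "[LEVEL] error:<hex code>:<lib>:<func>:<reason>:<detail> at <file>, line <n>"
_TRACE_RE = re.compile(
    r"^\[(?P<level>[A-Z]+)\] error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):"
    r"(?P<detail>.*) at (?P<file>\S+), line (?P<line>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one SCOSSL trace line, or None if the line is not one."""
    m = _TRACE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"], 16)      # OpenSSL-style packed error code
    rec["line"] = int(rec["line"])
    rec["file"] = os.path.basename(rec["file"])  # drop the build-tree prefix
    return rec


def parse_log(text):
    """Parse every recognisable trace line in a block of log text."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def failure_sites(records):
    """Count hits per (reason, file, line) reporting site; the hot sites show the failing path."""
    return Counter((r["reason"], r["file"], r["line"]) for r in records)


def ecdsa_verify_failures(records):
    """Each failed ECDSA signature decode in the sample ends in one
    'scossl_ecdsa_remove_der failed' line, so count those."""
    return sum(1 for r in records if r["detail"].startswith("scossl_ecdsa_remove_der failed"))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for site, n in failure_sites(recs).most_common():
        print(n, site)
    print("failed ECDSA signature decodes:", ecdsa_verify_failures(recs))
```

On the sample the parser yields six records; the `operation fail` site at `scossl_ecc.c` line 586 appears three times, once per rejected signature, while the two `passed invalid argument` sites (lines 285 and 400) tell you which DER check rejected it.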

@mamckee
Collaborator

mamckee commented Nov 14, 2024

I can add this to the existing PR for logging updates. The PR currently exposes this functionality for the provider but not the engine. By default, logging level will be off.

#92

@achamayou
Member Author

@mamckee changing the default to off would solve our problem, and having this functionality on the provider sounds perfect, thank you! What's the header/call to set the log level on the provider? Do we need to do anything special to make sure the Azure Linux package exposes the header?

@mamckee
Collaborator

mamckee commented Nov 14, 2024

The logging level will be settable from the config (/etc/pki/tls/symcrypt_prov.cnf on AZL3). These values can be set under symcrypt_prov_sect: https://github.com/microsoft/SymCrypt-OpenSSL/blob/8578c5954d0f15b11d4f88a30d2658fb9958ec88/SymCryptProvider/src/p_scossl_base.c#L18C1-L21C39

@achamayou
Member Author

@mamckee that's perfect. Do you have a sense of when this might land in Azure Linux? If not, would you mind giving us a heads-up when it does?

@mamckee
Collaborator

mamckee commented Jan 15, 2025

This will be included in the February release of Azure Linux.

@mamckee mamckee closed this as completed Jan 15, 2025