Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix symcrypt errors in crypto_test #6593

Open
maxtropets opened this issue Oct 28, 2024 · 8 comments
Open

Fix symcrypt errors in crypto_test #6593

maxtropets opened this issue Oct 28, 2024 · 8 comments
Labels

Comments

@maxtropets
Copy link
Collaborator

root [ /workspace/build ]# ./crypto_test
[doctest] doctest version is "2.4.11"
[doctest] run with "--help" for options
[ERROR] error:41080106:SCOSSL::passed invalid argument:Decoded content length does not fit in derField buffer. pbDerField [0x55ebfc892490, 0x55ebfc8924f8), pbContent [0x55ebfc892492, 0x55ebfc8924f9) at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 285
[ERROR] error:410C0107:SCOSSL::operation fail:scossl_ecdsa_remove_der failed at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 586
[ERROR] error:41080106:SCOSSL::passed invalid argument:Decoded content length does not fit in derField buffer. pbDerField [0x55ebfc85cc30, 0x55ebfc85cc77), pbContent [0x55ebfc85cc32, 0x55ebfc85cc78) at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 285
[ERROR] error:410C0107:SCOSSL::operation fail:scossl_ecdsa_remove_der failed at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 586
[ERROR] error:41080106:SCOSSL::passed invalid argument:cbR (48) or cbS (48) too big for cbSymCryptSignature (64) at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 400
[ERROR] error:410C0107:SCOSSL::operation fail:scossl_ecdsa_remove_der failed at /usr/src/azl/BUILD/SymCrypt-OpenSSL-1.5.1/ScosslCommon/src/scossl_ecc.c, line 586
@maxtropets
Copy link
Collaborator Author

Ok, seems like all the output is from these two testcases

TEST_CASE("Sign, fail to verify with bad signature")
TEST_CASE("Sign, fail to verify with wrong key on wrong curve")

Both test negative scenarios, one is corrupting a signature, another is using a wrong curve.

@maxtropets
Copy link
Collaborator Author

Both tests try out

static constexpr CurveID supported_curves[] = {
  CurveID::SECP384R1, CurveID::SECP256R1};

The corrupted signature produces error msgs for boths, however TEST_CASE("Sign, fail to verify with wrong key on wrong curve") only does it for SECP384R1

@maxtropets maxtropets self-assigned this Nov 6, 2024
@maxtropets
Copy link
Collaborator Author

Errors from TEST_CASE("Sign, fail to verify with bad signature")

From TEST_CASE("Sign, fail to verify with wrong key on wrong curve")

From CCF perspective, all produced here.

That seems logical, now the question is - do we want them to be there in production or shall we look for suppression mechanisms?

My opinion - we don't failure scenarios, so we can keep those, as they may be useful and shall not be populated to often.

Would like to hear more opinions, @eddyashton, @achamayou

@eddyashton
Copy link
Member

do we want them to be there in production or shall we look for suppression mechanisms?

We want to suppress these in production - we handle the failure ourselves and don't want to see symcrypt's internal logging. It's fine if they remain for debug builds, where there's a chance they're eventually useful.

@maxtropets
Copy link
Collaborator Author

Looked for ways to shut it up, seems like there's this function
https://github.com/microsoft/SymCrypt-OpenSSL/blob/main/ScosslCommon/inc/scossl_helpers.h#L84

but I don't see a header under /usr/...

I wonder if there's a way to access it via symcrypt somehow?..

@achamayou
Copy link
Member

@maxtropets might need to install a symcrypt-devel or similarly named to get the relevant header

@maxtropets
Copy link
Collaborator Author

SO far

  • Checked there's no devel package
  • found nm -CD /usr/lib/engines-3/symcryptengine.so | grep set_trace is there

We could've defined void SCOSSL_set_trace_level(int trace_level, int ossl_ERR_level); and call it, but linker doesn't find a symbol, obviously. Removing LINKER:--no-undefined doesn't solve the issue.

I wonder if there is a way to defer the linkage to runtime until symcrypt is loaded?.

@maxtropets
Copy link
Collaborator Author

Currently postponed as awaiting response on microsoft/SymCrypt-OpenSSL#95.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants