From 952884d61d091e00bf1621b32d126b7940a1335a Mon Sep 17 00:00:00 2001 From: Anthony Rossi Date: Thu, 16 Sep 2021 14:52:51 -0700 Subject: [PATCH 1/8] Support non-RSA keys in OpenSSL-CAPI interop layer --- src/platform/cert_capi_openssl.c | 93 ++++++-------------------------- src/platform/tls_openssl.c | 16 +++--- 2 files changed, 25 insertions(+), 84 deletions(-) diff --git a/src/platform/cert_capi_openssl.c b/src/platform/cert_capi_openssl.c index 938f5ee56f..298d58d6e5 100644 --- a/src/platform/cert_capi_openssl.c +++ b/src/platform/cert_capi_openssl.c @@ -114,13 +114,13 @@ CxPlatTlsVerifyCertificate( QUIC_STATUS CxPlatTlsExtractPrivateKey( _In_ const QUIC_CREDENTIAL_CONFIG* CredConfig, - _Out_ RSA** RsaKey, + _Out_ EVP_PKEY** RsaKey, _Out_ X509** X509Cert ) { QUIC_CERTIFICATE* Cert = NULL; BYTE* KeyData = NULL; - RSA* Rsa = NULL; + EVP_PKEY* PKey = NULL; DWORD KeyLength = 0; NCRYPT_KEY_HANDLE KeyHandle = 0; PCCERT_CONTEXT CertCtx = NULL; @@ -129,7 +129,6 @@ CxPlatTlsExtractPrivateKey( DWORD ExportPolicyLength = 0; unsigned char* TempCertEncoded = NULL; QUIC_STATUS Status; - int Ret = 0; if (QUIC_FAILED( Status = @@ -199,12 +198,12 @@ CxPlatTlsExtractPrivateKey( NCryptExportKey( KeyHandle, 0, - BCRYPT_RSAFULLPRIVATE_BLOB, + NCRYPT_PKCS8_PRIVATE_KEY_BLOB, NULL, NULL, 0, &KeyLength, - 0))) { + NCRYPT_SILENT_FLAG))) { QuicTraceEvent( LibraryErrorStatus, "[ lib] ERROR, %u, %s.", @@ -228,12 +227,12 @@ CxPlatTlsExtractPrivateKey( NCryptExportKey( KeyHandle, 0, - BCRYPT_RSAFULLPRIVATE_BLOB, + NCRYPT_PKCS8_PRIVATE_KEY_BLOB, NULL, KeyData, KeyLength, &KeyLength, - 0))) { + NCRYPT_SILENT_FLAG))) { QuicTraceEvent( LibraryErrorStatus, "[ lib] ERROR, %u, %s.", 
@@ -242,86 +241,28 @@ CxPlatTlsExtractPrivateKey( goto Exit; } - BCRYPT_RSAKEY_BLOB* Blob = (BCRYPT_RSAKEY_BLOB*)KeyData; - - if (Blob->Magic != BCRYPT_RSAFULLPRIVATE_MAGIC) { - QuicTraceEvent( - LibraryError, - "[ lib] ERROR, %s.", - "NCryptExportKey resulted in incorrect magic number"); - Status = QUIC_STATUS_INTERNAL_ERROR; - goto Exit; - } - - Rsa = RSA_new(); - if (Rsa == NULL) { + BIO* Pkcs8Bio = BIO_new_mem_buf(KeyData, KeyLength); + if (Pkcs8Bio == NULL) { QuicTraceEvent( LibraryError, "[ lib] ERROR, %s.", - "RSA_new failed"); + "BIO_new_mem_buf failed"); Status = QUIC_STATUS_OUT_OF_MEMORY; goto Exit; } - // - // There is no automatic way to convert from a CNG representation of a - // private key to an OpenSSL representation. So in order for this to - // work, we must manually deconstruct the key from CNG, and construct it - // again in OpenSSL. The key ends up being the same, just represented - // differently. - // This was found using the following StackOverflow answer, with the - // author giving permissions to use it. 
- // https://stackoverflow.com/a/60181045 - // - - // n is the modulus common to both public and private key - BIGNUM* n = BN_bin2bn(KeyData + sizeof(BCRYPT_RSAKEY_BLOB) + Blob->cbPublicExp, Blob->cbModulus, NULL); - // e is the public exponent - BIGNUM* e = BN_bin2bn(KeyData + sizeof(BCRYPT_RSAKEY_BLOB), Blob->cbPublicExp, NULL); - // d is the private exponent - BIGNUM* d = BN_bin2bn(KeyData + sizeof(BCRYPT_RSAKEY_BLOB) + Blob->cbPublicExp + Blob->cbModulus + Blob->cbPrime1 + Blob->cbPrime2 + Blob->cbPrime1 + Blob->cbPrime2 + Blob->cbPrime1, Blob->cbModulus, NULL); - - Ret = RSA_set0_key(Rsa, n, e, d); - if (Ret != 1) { + PKey = d2i_PKCS8PrivateKey_bio(Pkcs8Bio, NULL, NULL, NULL); + if (PKey == NULL) { QuicTraceEvent( LibraryError, "[ lib] ERROR, %s.", - "RSA_set0_key failed"); - Status = QUIC_STATUS_TLS_ERROR; - goto Exit; - } - - // p and q are the first and second factor of n - BIGNUM* p = BN_bin2bn(KeyData + sizeof(BCRYPT_RSAKEY_BLOB) + Blob->cbPublicExp + Blob->cbModulus, Blob->cbPrime1, NULL); - BIGNUM* q = BN_bin2bn(KeyData + sizeof(BCRYPT_RSAKEY_BLOB) + Blob->cbPublicExp + Blob->cbModulus + Blob->cbPrime1, Blob->cbPrime2, NULL); - - Ret = RSA_set0_factors(Rsa, p, q); - if (Ret != 1) { - QuicTraceEvent( - LibraryError, - "[ lib] ERROR, %s.", - "RSA_set0_factors failed"); - Status = QUIC_STATUS_TLS_ERROR; - goto Exit; - } - - // dmp1, dmq1 and iqmp are the exponents and coefficient for CRT calculations - BIGNUM* dmp1 = BN_bin2bn(KeyData + sizeof(BCRYPT_RSAKEY_BLOB) + Blob->cbPublicExp + Blob->cbModulus + Blob->cbPrime1 + Blob->cbPrime2, Blob->cbPrime1, NULL); - BIGNUM* dmq1 = BN_bin2bn(KeyData + sizeof(BCRYPT_RSAKEY_BLOB) + Blob->cbPublicExp + Blob->cbModulus + Blob->cbPrime1 + Blob->cbPrime2 + Blob->cbPrime1, Blob->cbPrime2, NULL); - BIGNUM* iqmp = BN_bin2bn(KeyData + sizeof(BCRYPT_RSAKEY_BLOB) + Blob->cbPublicExp + Blob->cbModulus + Blob->cbPrime1 + Blob->cbPrime2 + Blob->cbPrime1 + Blob->cbPrime2, Blob->cbPrime1, NULL); - - Ret = RSA_set0_crt_params(Rsa, 
dmp1, dmq1, iqmp); - if (Ret != 1) { - QuicTraceEvent( - LibraryError, - "[ lib] ERROR, %s.", - "RSA_set0_crt_params failed"); - Status = QUIC_STATUS_TLS_ERROR; + "d2i_PKCS8PrivateKey_bio failed"); + Status = QUIC_STATUS_OUT_OF_MEMORY; goto Exit; } - *RsaKey = Rsa; - Rsa = NULL; + *RsaKey = PKey; + PKey = NULL; *X509Cert = X509CertStorage; X509CertStorage = NULL; Status = QUIC_STATUS_SUCCESS; @@ -331,8 +272,8 @@ CxPlatTlsExtractPrivateKey( X509_free(X509CertStorage); } - if (Rsa != NULL) { - RSA_free(Rsa); + if (PKey != NULL) { + EVP_PKEY_free(PKey); } if (KeyData != NULL) { diff --git a/src/platform/tls_openssl.c b/src/platform/tls_openssl.c index 6359cdd47a..c197069fc4 100644 --- a/src/platform/tls_openssl.c +++ b/src/platform/tls_openssl.c @@ -856,7 +856,7 @@ CXPLAT_STATIC_ASSERT( QUIC_STATUS CxPlatTlsExtractPrivateKey( _In_ const QUIC_CREDENTIAL_CONFIG* CredConfig, - _Out_ RSA** EvpPrivateKey, + _Out_ EVP_PKEY** EvpPrivateKey, _Out_ X509** X509Cert); _IRQL_requires_max_(PASSIVE_LEVEL) @@ -962,7 +962,7 @@ CxPlatTlsSecConfigCreate( QUIC_STATUS Status = QUIC_STATUS_SUCCESS; int Ret = 0; CXPLAT_SEC_CONFIG* SecurityConfig = NULL; - RSA* RsaKey = NULL; + EVP_PKEY* PrivKey = NULL; X509* X509Cert = NULL; EVP_PKEY * PrivateKey = NULL; char* CipherSuiteString = NULL; @@ -1326,22 +1326,22 @@ CxPlatTlsSecConfigCreate( Status = CxPlatTlsExtractPrivateKey( CredConfig, - &RsaKey, + &PrivKey, &X509Cert); if (QUIC_FAILED(Status)) { goto Exit; } Ret = - SSL_CTX_use_RSAPrivateKey( + SSL_CTX_use_PrivateKey( SecurityConfig->SSLCtx, - RsaKey); + PrivKey); if (Ret != 1) { QuicTraceEvent( LibraryErrorStatus, "[ lib] ERROR, %u, %s.", ERR_get_error(), - "SSL_CTX_use_RSAPrivateKey_file failed"); + "SSL_CTX_use_PrivateKey failed"); Status = QUIC_STATUS_TLS_ERROR; goto Exit; } @@ -1451,8 +1451,8 @@ CxPlatTlsSecConfigCreate( X509_free(X509Cert); } - if (RsaKey != NULL) { - RSA_free(RsaKey); + if (PrivKey != NULL) { + EVP_PKEY_free(PrivKey); } if (PrivateKey != NULL) { 
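Review bot: In the @@ -242 hunk a NULL return from `d2i_PKCS8PrivateKey_bio` is reported as `QUIC_STATUS_OUT_OF_MEMORY`, yet it mostly means the exported blob did not decode, and the RSA_set0_* paths this replaces returned `QUIC_STATUS_TLS_ERROR` for the equivalent failure; `Status = QUIC_STATUS_TLS_ERROR;` keeps the error classes consistent (patch 2's @@ -254 hunk keeps the same status). Separately, `KeyData` now holds the NCRYPT_PKCS8_PRIVATE_KEY_BLOB export made with no encryption parameters, presumably the plaintext private key, and the `CXPLAT_FREE(KeyData, QUIC_POOL_TLS_RSA)` that follows the `if (KeyData != NULL)` at the end of the @@ -331 hunk releases it without wiping; zeroing it first with a routine the compiler cannot elide, e.g. `SecureZeroMemory(KeyData, KeyLength);`, keeps key bytes out of freed heap. The new `EVP_PKEY* PrivKey` in the tls_openssl.c @@ -962 hunk sits next to the existing `EVP_PKEY * PrivateKey`; a one-line comment distinguishing the CAPI-extracted key from the PKCS#12-parsed one would spare the next reader a mix-up.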
From eca11584f40c7963c13d6074c150952aa61d24f8 Mon Sep 17 00:00:00 2001 From: Anthony Rossi Date: Thu, 16 Sep 2021 18:07:51 -0700 Subject: [PATCH 2/8] More cleanup and error logging --- src/platform/cert_capi_openssl.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/src/platform/cert_capi_openssl.c b/src/platform/cert_capi_openssl.c index 298d58d6e5..0c827cde09 100644 --- a/src/platform/cert_capi_openssl.c +++ b/src/platform/cert_capi_openssl.c @@ -120,6 +120,7 @@ CxPlatTlsExtractPrivateKey( { QUIC_CERTIFICATE* Cert = NULL; BYTE* KeyData = NULL; + BIO* Pkcs8Bio = NULL; EVP_PKEY* PKey = NULL; DWORD KeyLength = 0; NCRYPT_KEY_HANDLE KeyHandle = 0; @@ -241,7 +242,7 @@ CxPlatTlsExtractPrivateKey( goto Exit; } - BIO* Pkcs8Bio = BIO_new_mem_buf(KeyData, KeyLength); + Pkcs8Bio = BIO_new_mem_buf(KeyData, KeyLength); if (Pkcs8Bio == NULL) { QuicTraceEvent( LibraryError, @@ -254,8 +255,9 @@ CxPlatTlsExtractPrivateKey( PKey = d2i_PKCS8PrivateKey_bio(Pkcs8Bio, NULL, NULL, NULL); if (PKey == NULL) { QuicTraceEvent( - LibraryError, - "[ lib] ERROR, %s.", + LibraryErrorStatus, + "[ lib] ERROR, %u, %s.", + ERR_peek_error(), "d2i_PKCS8PrivateKey_bio failed"); Status = QUIC_STATUS_OUT_OF_MEMORY; goto Exit; @@ -276,6 +278,10 @@ CxPlatTlsExtractPrivateKey( EVP_PKEY_free(PKey); } + if (Pkcs8Bio != NULL) { + BIO_free(Pkcs8Bio); + } + if (KeyData != NULL) { CXPLAT_FREE(KeyData, QUIC_POOL_TLS_RSA); } From 9fb77a04aaab109eb645d1ee47b65d13395f73f4 Mon Sep 17 00:00:00 2001 From: Anthony Rossi Date: Tue, 19 Oct 2021 17:01:13 -0700 Subject: [PATCH 3/8] Export certificate from CAPI as PFX. Signed-off-by: Anthony Rossi --- src/inc/quic_platform.h | 2 +- src/platform/cert_capi_openssl.c | 151 ++++++++++++++----------------- src/platform/darwin_openssl.c | 10 +- src/platform/posix_openssl.c | 10 +- src/platform/tls_openssl.c | 100 +++++++++++--------- 5 files changed, 142 insertions(+), 131 deletions(-) 
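Review bot: The @@ -254 hunk traces `ERR_peek_error()` while the tls_openssl.c hunks in this series trace `ERR_get_error()`; peeking leaves the entry on the thread's OpenSSL error queue, so a later unrelated failure on the same thread can be attributed to this stale error. Use `ERR_get_error(),` here, or follow the peek with `ERR_clear_error();` before `goto Exit`. The new `BIO_free(Pkcs8Bio)` at `Exit:` is correct for a `BIO_new_mem_buf` BIO, but a short comment that the BIO does not own `KeyData` (which is freed separately just below) would make the two frees obviously non-overlapping.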
diff --git a/src/inc/quic_platform.h b/src/inc/quic_platform.h index d86f38898a..4e6763f861 100644 --- a/src/inc/quic_platform.h +++ b/src/inc/quic_platform.h @@ -130,7 +130,7 @@ typedef struct CXPLAT_SLIST_ENTRY { #define QUIC_POOL_STATELESS_CTX 'C3cQ' // Qc3C - QUIC Stateless Context #define QUIC_POOL_OPER 'D3cQ' // Qc3D - QUIC Operation #define QUIC_POOL_EVENT 'E3cQ' // Qc3E - QUIC Event -#define QUIC_POOL_TLS_RSA 'F3cQ' // Qc3F - QUIC Platform NCrypt RSA Key +#define QUIC_POOL_TLS_PFX 'F3cQ' // Qc3F - QUIC Platform PFX #define QUIC_POOL_DESIRED_VER_LIST '04cQ' // Qc40 - QUIC App-supplied desired versions list #define QUIC_POOL_DEFAULT_COMPAT_VER_LIST '14cQ' // Qc41 - QUIC Default compatible versions list #define QUIC_POOL_VERSION_INFO '24cQ' // Qc42 - QUIC Version info diff --git a/src/platform/cert_capi_openssl.c b/src/platform/cert_capi_openssl.c index a819f2d851..c00bf5875d 100644 --- a/src/platform/cert_capi_openssl.c +++ b/src/platform/cert_capi_openssl.c @@ -128,21 +128,18 @@ CxPlatTlsVerifyCertificate( QUIC_STATUS CxPlatTlsExtractPrivateKey( _In_ const QUIC_CREDENTIAL_CONFIG* CredConfig, - _Out_ EVP_PKEY** RsaKey, - _Out_ X509** X509Cert + _In_z_ const uint8_t* Password, + _Out_ uint8_t** PfxBytes, + _Out_ uint32_t* PfxSize ) { QUIC_CERTIFICATE* Cert = NULL; - BYTE* KeyData = NULL; - BIO* Pkcs8Bio = NULL; - EVP_PKEY* PKey = NULL; - DWORD KeyLength = 0; + HCERTSTORE TempCertStore = NULL; + CRYPT_DATA_BLOB PfxDataBlob = {0, NULL}; NCRYPT_KEY_HANDLE KeyHandle = 0; PCCERT_CONTEXT CertCtx = NULL; - X509* X509CertStorage = NULL; DWORD ExportPolicyProperty = 0; DWORD ExportPolicyLength = 0; - unsigned char* TempCertEncoded = NULL; QUIC_STATUS Status; if (QUIC_FAILED( 
@@ -157,23 +154,10 @@ CxPlatTlsExtractPrivateKey( } CertCtx = (PCCERT_CONTEXT)Cert; + // - // d2i_X509 incremements the the cert variable, so it must be stored in a temp. + // TODO: support CSP keys in addition to CNG keys. // - TempCertEncoded = CertCtx->pbCertEncoded; - X509CertStorage = - d2i_X509( - NULL, - &TempCertEncoded, - CertCtx->cbCertEncoded); - if (X509CertStorage == NULL) { - QuicTraceEvent( - LibraryError, - "[ lib] ERROR, %s.", - "d2i_X509 failed"); - Status = QUIC_STATUS_OUT_OF_MEMORY; - goto Exit; - } KeyHandle = (NCRYPT_KEY_HANDLE)CxPlatCertGetPrivateKey(Cert); if (KeyHandle == 0) { 
@@ -208,96 +192,97 @@ CxPlatTlsExtractPrivateKey( goto Exit; } - if (FAILED( - Status = - NCryptExportKey( - KeyHandle, - 0, - NCRYPT_PKCS8_PRIVATE_KEY_BLOB, - NULL, - NULL, - 0, - &KeyLength, - NCRYPT_SILENT_FLAG))) { + TempCertStore = + CertOpenStore( + CERT_STORE_PROV_MEMORY, + X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, + 0, + CERT_STORE_ENUM_ARCHIVED_FLAG, + NULL); + + if (NULL == TempCertStore){ + Status = HRESULT_FROM_WIN32(GetLastError()); QuicTraceEvent( LibraryErrorStatus, "[ lib] ERROR, %u, %s.", Status, - "NCryptExportKey failed."); + "CertOpenStore failed"); goto Exit; } - KeyData = CXPLAT_ALLOC_NONPAGED(KeyLength, QUIC_POOL_TLS_RSA); - if (KeyData == NULL) { + if (!CertAddCertificateContextToStore( + TempCertStore, + CertCtx, + CERT_STORE_ADD_REPLACE_EXISTING, + NULL)) { + Status = HRESULT_FROM_WIN32(GetLastError()); QuicTraceEvent( - AllocFailure, - "Allocation of '%s' failed. (%llu bytes)", - "RSA Key", - KeyLength); - Status = QUIC_STATUS_OUT_OF_MEMORY; + LibraryErrorStatus, + "[ lib] ERROR, %u, %s.", + Status, + "CertAddCertificateContextToStore failed"); goto Exit; } - if (FAILED(Status = - NCryptExportKey( - KeyHandle, - 0, - NCRYPT_PKCS8_PRIVATE_KEY_BLOB, - NULL, - KeyData, - KeyLength, - &KeyLength, - NCRYPT_SILENT_FLAG))) { + // + // TODO: Export certificate chain, support PBES2 + // + PKCS12_PBES2_EXPORT_PARAMS Pbes2ExportParams = {0}; + Pbes2ExportParams.dwSize = sizeof(PKCS12_PBES2_EXPORT_PARAMS); + Pbes2ExportParams.pwszPbes2Alg = PKCS12_PBES2_ALG_AES256_SHA256; + DWORD Flags = EXPORT_PRIVATE_KEYS | REPORT_NOT_ABLE_TO_EXPORT_PRIVATE_KEY | PKCS12_EXPORT_PBES2_PARAMS; + + if (!PFXExportCertStoreEx( + TempCertStore, + &PfxDataBlob, + (LPCWSTR)Password, + (void*)&Pbes2ExportParams, + Flags)) { + Status = HRESULT_FROM_WIN32(GetLastError()); QuicTraceEvent( LibraryErrorStatus, "[ lib] ERROR, %u, %s.", Status, - "NCryptExportKey failed."); + "PFXExportCertStoreEx get size failed"); goto Exit; } - Pkcs8Bio = BIO_new_mem_buf(KeyData, KeyLength); - if 
(Pkcs8Bio == NULL) { + PfxDataBlob.pbData = CXPLAT_ALLOC_NONPAGED(PfxDataBlob.cbData, QUIC_POOL_TLS_PFX); + + if (PfxDataBlob.pbData == NULL) { QuicTraceEvent( - LibraryError, - "[ lib] ERROR, %s.", - "BIO_new_mem_buf failed"); + AllocFailure, + "Allocation of '%s' failed. (%llu bytes)", + "PFX data", + PfxDataBlob.cbData); Status = QUIC_STATUS_OUT_OF_MEMORY; goto Exit; } - PKey = d2i_PKCS8PrivateKey_bio(Pkcs8Bio, NULL, NULL, NULL); - if (PKey == NULL) { + if (!PFXExportCertStoreEx( + TempCertStore, + &PfxDataBlob, + (LPCWSTR)Password, + (void*)&Pbes2ExportParams, + Flags)) { + Status = HRESULT_FROM_WIN32(GetLastError()); QuicTraceEvent( LibraryErrorStatus, "[ lib] ERROR, %u, %s.", - ERR_peek_error(), - "d2i_PKCS8PrivateKey_bio failed"); - Status = QUIC_STATUS_OUT_OF_MEMORY; + Status, + "PFXExportCertStoreEx get size failed"); goto Exit; } - *RsaKey = PKey; - PKey = NULL; - *X509Cert = X509CertStorage; - X509CertStorage = NULL; + *PfxBytes = PfxDataBlob.pbData; + *PfxSize = PfxDataBlob.cbData; + PfxDataBlob.pbData = NULL; + Status = QUIC_STATUS_SUCCESS; Exit: - if (X509CertStorage != NULL) { - X509_free(X509CertStorage); - } - - if (PKey != NULL) { - EVP_PKEY_free(PKey); - } - - if (Pkcs8Bio != NULL) { - BIO_free(Pkcs8Bio); - } - - if (KeyData != NULL) { - CXPLAT_FREE(KeyData, QUIC_POOL_TLS_RSA); + if (PfxDataBlob.pbData != NULL) { + CXPLAT_FREE(PfxDataBlob.pbData, QUIC_POOL_TLS_PFX); } if (KeyHandle != 0) { @@ -308,6 +293,10 @@ CxPlatTlsExtractPrivateKey( CxPlatCertFree(Cert); } + if (TempCertStore != NULL) { + CertCloseStore(TempCertStore, 0); + } + return Status; } diff --git a/src/platform/darwin_openssl.c b/src/platform/darwin_openssl.c index 525a67ae12..af8542e8ee 100644 --- a/src/platform/darwin_openssl.c +++ b/src/platform/darwin_openssl.c 
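Review bot: In the @@ -208 hunk the second `PFXExportCertStoreEx` call, the one that actually fills `PfxDataBlob.pbData`, logs `"PFXExportCertStoreEx get size failed"`, the message copied from the sizing call, so a failed export is indistinguishable in traces from a failed size query; change it to `"PFXExportCertStoreEx failed"`. The `(LPCWSTR)Password` cast reinterprets the `_In_z_ const uint8_t*` parameter as UTF-16 and only terminates correctly because the caller in the tls_openssl.c @@ -1254 hunk ends its 34-byte buffer with two zero bytes; that coupling needs either a comment or a real narrow-to-wide conversion. The `// TODO: Export certificate chain, support PBES2` comment is stale on arrival, since the lines directly below it already fill `PKCS12_PBES2_EXPORT_PARAMS` with `PKCS12_PBES2_ALG_AES256_SHA256` and pass `PKCS12_EXPORT_PBES2_PARAMS`.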
@@ -222,12 +222,14 @@ CxPlatTlsVerifyCertificate( QUIC_STATUS CxPlatTlsExtractPrivateKey( _In_ const QUIC_CREDENTIAL_CONFIG* CredConfig, - _Out_ EVP_PKEY** EvpPrivateKey, - _Out_ X509** X509Cert + _In_z_ const uint8_t* Password, + _Out_ uint8_t** PfxBytes, + _Out_ uint32_t* PfxSize ) { UNREFERENCED_PARAMETER(CredConfig); - UNREFERENCED_PARAMETER(EvpPrivateKey); - UNREFERENCED_PARAMETER(X509Cert); + UNREFERENCED_PARAMETER(Password); + UNREFERENCED_PARAMETER(PfxBytes); + UNREFERENCED_PARAMETER(PfxSize); return QUIC_STATUS_NOT_SUPPORTED; } diff --git a/src/platform/posix_openssl.c b/src/platform/posix_openssl.c index 29b12f5213..11120de173 100644 --- a/src/platform/posix_openssl.c +++ b/src/platform/posix_openssl.c @@ -31,13 +31,15 @@ QUIC_STATUS CxPlatTlsExtractPrivateKey( _In_ const QUIC_CREDENTIAL_CONFIG* CredConfig, - _Out_ EVP_PKEY** EvpPrivateKey, - _Out_ X509** X509Cert + _In_z_ const uint8_t* Password, + _Out_ uint8_t** PfxBytes, + _Out_ uint32_t* PfxSize ) { UNREFERENCED_PARAMETER(CredConfig); - UNREFERENCED_PARAMETER(EvpPrivateKey); - UNREFERENCED_PARAMETER(X509Cert); + UNREFERENCED_PARAMETER(Password); + UNREFERENCED_PARAMETER(PfxBytes); + UNREFERENCED_PARAMETER(PfxSize); return QUIC_STATUS_NOT_SUPPORTED; } diff --git a/src/platform/tls_openssl.c b/src/platform/tls_openssl.c index c197069fc4..5b54588337 100644 --- a/src/platform/tls_openssl.c +++ b/src/platform/tls_openssl.c @@ -37,6 +37,7 @@ uint16_t CxPlatTlsTPHeaderSize = 0; const size_t OpenSslFilePrefixLength = sizeof("..\\..\\..\\..\\..\\..\\submodules"); +#define PFX_PASSWORD_LENGTH 34 // // The QUIC sec config object. Created once per listener on server side and // once per connection on client side. 
@@ -856,8 +857,9 @@ CXPLAT_STATIC_ASSERT( QUIC_STATUS CxPlatTlsExtractPrivateKey( _In_ const QUIC_CREDENTIAL_CONFIG* CredConfig, - _Out_ EVP_PKEY** EvpPrivateKey, - _Out_ X509** X509Cert); + _In_z_ const uint8_t* Password, + _Out_ uint8_t** PfxBytes, + _Out_ uint32_t* PfxSize); _IRQL_requires_max_(PASSIVE_LEVEL) QUIC_STATUS @@ -1239,7 +1241,7 @@ CxPlatTlsSecConfigCreate( Status = QUIC_STATUS_TLS_ERROR; goto Exit; } - } else if (CredConfig->Type == QUIC_CREDENTIAL_TYPE_CERTIFICATE_PKCS12) { + } else if (CredConfig->Type != QUIC_CREDENTIAL_TYPE_NONE) { BIO* Bio = BIO_new(BIO_s_mem()); PKCS12 *Pkcs12 = NULL; 
@@ -1254,7 +1256,60 @@ CxPlatTlsSecConfigCreate( } BIO_set_mem_eof_return(Bio, 0); - BIO_write(Bio, CredConfig->CertificatePkcs12->Asn1Blob, CredConfig->CertificatePkcs12->Asn1BlobLength); + + if (CredConfig->Type == QUIC_CREDENTIAL_TYPE_CERTIFICATE_PKCS12) { + Ret = + BIO_write( + Bio, + CredConfig->CertificatePkcs12->Asn1Blob, + CredConfig->CertificatePkcs12->Asn1BlobLength); + if (Ret < 0) { + QuicTraceEvent( + LibraryErrorStatus, + "[ lib] ERROR, %u, %s.", + ERR_get_error(), + "BIO_write failed"); + Status = QUIC_STATUS_TLS_ERROR; + goto Exit; + } + } else { + uint8_t* PfxBlob = NULL; + uint32_t PfxSize = 0; + uint8_t Password[PFX_PASSWORD_LENGTH]; + CxPlatRandom(sizeof(Password), Password); + + // + // Fixup password to printable characters + // + for (uint32_t idx = 0; idx < sizeof(Password) - 2; ++idx) { + Password[idx] = (Password[idx] % 94) + 32; + } + Password[PFX_PASSWORD_LENGTH - 2] = 0; + Password[PFX_PASSWORD_LENGTH - 1] = 0; + + Status = + CxPlatTlsExtractPrivateKey( + CredConfig, + Password, + &PfxBlob, + &PfxSize); + if (QUIC_FAILED(Status)) { + goto Exit; + } + + Ret = BIO_write(Bio, PfxBlob, PfxSize); + CXPLAT_FREE(PfxBlob, QUIC_POOL_TLS_PFX); + if (Ret < 0) { + QuicTraceEvent( + LibraryErrorStatus, + "[ lib] ERROR, %u, %s.", + ERR_get_error(), + "BIO_write failed"); + Status = QUIC_STATUS_TLS_ERROR; + goto Exit; + } + } + Pkcs12 = d2i_PKCS12_bio(Bio, NULL); BIO_free(Bio); Bio = NULL; 
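Review bot: `CxPlatRandom(sizeof(Password), Password);` in the @@ -1254 hunk discards the QUIC_STATUS that CxPlatRandom returns; if the random source fails, uninitialized stack bytes become the password protecting the exported private key, so it should be `Status = CxPlatRandom(sizeof(Password), Password); if (QUIC_FAILED(Status)) { goto Exit; }` (the @@ -1275 hunk of patch 4 keeps the call unchecked). Both `BIO_write` checks in the hunk test only `Ret < 0`, but BIO_write returns the number of bytes written, so a short write would pass here and surface later as an opaque `d2i_PKCS12_bio` failure; comparing against the requested length, `if (Ret != (int)PfxSize)` and likewise for `Asn1BlobLength`, catches it at the source. The `(Password[idx] % 94) + 32` transform also merits a why-comment, e.g. `// Map each byte onto the 94 printable ASCII characters 0x20..0x7D; the slight modulo bias is acceptable for this transient in-process password`.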
@@ -1309,43 +1364,6 @@ CxPlatTlsSecConfigCreate( goto Exit; } - Ret = - SSL_CTX_use_certificate( - SecurityConfig->SSLCtx, - X509Cert); - if (Ret != 1) { - QuicTraceEvent( - LibraryErrorStatus, - "[ lib] ERROR, %u, %s.", - ERR_get_error(), - "SSL_CTX_use_certificate failed"); - Status = QUIC_STATUS_TLS_ERROR; - goto Exit; - } - } else if (CredConfig->Type != QUIC_CREDENTIAL_TYPE_NONE) { - Status = - CxPlatTlsExtractPrivateKey( - CredConfig, - &PrivKey, - &X509Cert); - if (QUIC_FAILED(Status)) { - goto Exit; - } - - Ret = - SSL_CTX_use_PrivateKey( - SecurityConfig->SSLCtx, - PrivKey); - if (Ret != 1) { - QuicTraceEvent( - LibraryErrorStatus, - "[ lib] ERROR, %u, %s.", - ERR_get_error(), - "SSL_CTX_use_PrivateKey failed"); - Status = QUIC_STATUS_TLS_ERROR; - goto Exit; - } - Ret = SSL_CTX_use_certificate( SecurityConfig->SSLCtx, From d1aa1cc3b309e7c76d727a6500a6a1bb062dc182 Mon Sep 17 00:00:00 2001 From: Anthony Rossi Date: Tue, 19 Oct 2021 21:19:07 -0700 Subject: [PATCH 4/8] Fix password handling, and export chain with EE cert. Signed-off-by: Anthony Rossi --- src/platform/cert_capi_openssl.c | 155 +++++++++++++++++++++++++++++-- src/platform/darwin_openssl.c | 2 +- src/platform/posix_openssl.c | 2 +- src/platform/tls_openssl.c | 26 ++++-- 4 files changed, 167 insertions(+), 18 deletions(-) diff --git a/src/platform/cert_capi_openssl.c b/src/platform/cert_capi_openssl.c index c00bf5875d..b3bf0bd87c 100644 --- a/src/platform/cert_capi_openssl.c +++ b/src/platform/cert_capi_openssl.c 
@@ -125,15 +125,139 @@ CxPlatTlsVerifyCertificate( return Result; } +QUIC_STATUS +CxPlatAddChainToStore( + _In_ HCERTSTORE CertStore, + _In_ PCCERT_CONTEXT CertContext + ) +{ + QUIC_STATUS Status; + CERT_CHAIN_ENGINE_CONFIG CertChainEngineConfig; + HCERTCHAINENGINE CertChainEngine = NULL; + PCCERT_CHAIN_CONTEXT CertChainContext = NULL; + CERT_CHAIN_PARA CertChainPara; + PCCERT_CONTEXT TempCertContext = NULL; + + CERT_CHAIN_POLICY_PARA PolicyPara; + CERT_CHAIN_POLICY_STATUS PolicyStatus; + + // + // Create a new chain engine, then build the chain + // + ZeroMemory(&CertChainEngineConfig, sizeof(CertChainEngineConfig)); + CertChainEngineConfig.cbSize = sizeof(CertChainEngineConfig); + if (!CertCreateCertificateChainEngine(&CertChainEngineConfig, &CertChainEngine)) { + Status = HRESULT_FROM_WIN32(GetLastError()); + QuicTraceEvent( + LibraryErrorStatus, + "[ lib] ERROR, %u, %s.", + Status, + "CertCreateCertificateChainEngine"); + goto Exit; + } + + ZeroMemory(&CertChainPara, sizeof(CertChainPara)); + CertChainPara.cbSize = sizeof(CertChainPara); + + if (!CertGetCertificateChain( + CertChainEngine, + CertContext, + NULL, + NULL, + &CertChainPara, + 0, + NULL, + &CertChainContext)) { + Status = HRESULT_FROM_WIN32(GetLastError()); + QuicTraceEvent( + LibraryErrorStatus, + "[ lib] ERROR, %u, %s.", + Status, + "CertGetCertificateChain"); + goto Exit; + } + + // + // Make sure there is at least 1 simple chain. + // + if (CertChainContext->cChain == 0) { + Status = CERT_E_CHAINING; + QuicTraceEvent( + LibraryErrorStatus, + "[ lib] ERROR, %u, %s.", + Status, + "CertGetCertificateChain didn't build a chain"); + goto Exit; + } + + for (DWORD i = 0; i < CertChainContext->rgpChain[0]->cElement; ++i) { + CertAddCertificateContextToStore( + CertStore, + CertChainContext->rgpChain[0]->rgpElement[i]->pCertContext, + CERT_STORE_ADD_REPLACE_EXISTING, + &TempCertContext); + + // + // Remove any private key property the cert context may have on it. 
+ // + if (TempCertContext) { + CertSetCertificateContextProperty( + TempCertContext, + CERT_KEY_PROV_INFO_PROP_ID, + 0, + NULL); + + CertFreeCertificateContext(TempCertContext); + } + } + + ZeroMemory(&PolicyPara, sizeof(PolicyPara)); + PolicyPara.cbSize = sizeof(PolicyPara); + + ZeroMemory(&PolicyStatus, sizeof(PolicyStatus)); + PolicyStatus.cbSize = sizeof(PolicyStatus); + + if (!CertVerifyCertificateChainPolicy( + CERT_CHAIN_POLICY_BASE, + CertChainContext, + &PolicyPara, + &PolicyStatus)) { + QuicTraceEvent( + LibraryErrorStatus, + "[ lib] ERROR, %u, %s.", + HRESULT_FROM_WIN32(GetLastError()), + "CertVerifyCertificateChainPolicy"); + } + + QuicTraceLogVerbose( + TlsExportCapiCertChainVerifyResult, + "Exported chain verification result: %u", + PolicyStatus.dwError); + + Status = S_OK; + +Exit: + if (CertChainContext != NULL) { + CertFreeCertificateChain(CertChainContext); + } + + if (CertChainEngine != NULL) { + CertFreeCertificateChainEngine(CertChainEngine); + } + + return Status; +} + QUIC_STATUS CxPlatTlsExtractPrivateKey( _In_ const QUIC_CREDENTIAL_CONFIG* CredConfig, - _In_z_ const uint8_t* Password, + _In_z_ const char* Password, _Out_ uint8_t** PfxBytes, _Out_ uint32_t* PfxSize ) { QUIC_CERTIFICATE* Cert = NULL; + PWSTR PasswordW = NULL; HCERTSTORE TempCertStore = NULL; CRYPT_DATA_BLOB PfxDataBlob = {0, NULL}; NCRYPT_KEY_HANDLE KeyHandle = 0; @@ -210,6 +334,11 @@ CxPlatTlsExtractPrivateKey( goto Exit; } + Status = CxPlatAddChainToStore(TempCertStore, CertCtx); + if (QUIC_FAILED(Status) && Status != CERT_E_CHAINING) { + goto Exit; + } + if (!CertAddCertificateContextToStore( TempCertStore, CertCtx, 
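Review bot: In the chain-copy loop of the new `CxPlatAddChainToStore` (@@ -125 hunk) the return of `CertAddCertificateContextToStore` is ignored and `TempCertContext` is never reset after `CertFreeCertificateContext(TempCertContext);`, so if a later iteration's add fails and leaves the out-pointer untouched, the stale pointer from the previous iteration is handed to `CertSetCertificateContextProperty` and freed a second time. Check the return (log and `goto Exit` on failure, as the surrounding code does for the other CryptoAPI calls) and add `TempCertContext = NULL;` after the free. The function also ends with `Status = S_OK;` where the rest of the file uses `QUIC_STATUS_SUCCESS`, and it has no header comment; a short one stating that it copies the end-entity's chain into `CertStore` with private-key references stripped, and that `CertVerifyCertificateChainPolicy` failures are only logged (the chain is exported regardless), would document the intent.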
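Review bot: The `CxPlatAddChainToStore(TempCertStore, CertCtx)` call in the @@ -210 hunk depends on running before the `CertAddCertificateContextToStore(TempCertStore, CertCtx, CERT_STORE_ADD_REPLACE_EXISTING, …)` that follows it: the helper's loop presumably copies the end-entity certificate too (element 0 of the simple chain) and strips `CERT_KEY_PROV_INFO_PROP_ID` from every copy, so only the later REPLACE_EXISTING add restores the private-key link that `EXPORT_PRIVATE_KEYS` relies on. Nothing in the code records this ordering; a comment such as `// Add the chain first: it strips the key reference from every copy, and the end-entity cert is re-added below with its key.` would keep a future reorder from silently producing a PFX with no private key. Tolerating `CERT_E_CHAINING` here is also worth a word, since it means a certificate whose issuers cannot be found is still exported on its own.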
@@ -224,9 +353,20 @@ CxPlatTlsExtractPrivateKey( goto Exit; } - // - // TODO: Export certificate chain, support PBES2 - // + Status = + CxPlatUtf8ToWideChar( + Password, + QUIC_POOL_PLATFORM_TMP_ALLOC, + &PasswordW); + if (QUIC_FAILED(Status)) { + QuicTraceEvent( + LibraryErrorStatus, + "[ lib] ERROR, %u, %s.", + Status, + "Convert temporary password to unicode"); + goto Exit; + } + PKCS12_PBES2_EXPORT_PARAMS Pbes2ExportParams = {0}; Pbes2ExportParams.dwSize = sizeof(PKCS12_PBES2_EXPORT_PARAMS); Pbes2ExportParams.pwszPbes2Alg = PKCS12_PBES2_ALG_AES256_SHA256; @@ -235,7 +375,7 @@ CxPlatTlsExtractPrivateKey( if (!PFXExportCertStoreEx( TempCertStore, &PfxDataBlob, - (LPCWSTR)Password, + PasswordW, (void*)&Pbes2ExportParams, Flags)) { Status = HRESULT_FROM_WIN32(GetLastError()); @@ -262,7 +402,7 @@ CxPlatTlsExtractPrivateKey( if (!PFXExportCertStoreEx( TempCertStore, &PfxDataBlob, - (LPCWSTR)Password, + PasswordW, (void*)&Pbes2ExportParams, Flags)) { Status = HRESULT_FROM_WIN32(GetLastError()); @@ -281,6 +421,9 @@ CxPlatTlsExtractPrivateKey( Status = QUIC_STATUS_SUCCESS; Exit: + if (PasswordW != NULL) { + CXPLAT_FREE(PasswordW, QUIC_POOL_PLATFORM_TMP_ALLOC); + } if (PfxDataBlob.pbData != NULL) { CXPLAT_FREE(PfxDataBlob.pbData, QUIC_POOL_TLS_PFX); } diff --git a/src/platform/darwin_openssl.c b/src/platform/darwin_openssl.c index af8542e8ee..7bf5d2b027 100644 --- a/src/platform/darwin_openssl.c +++ b/src/platform/darwin_openssl.c @@ -222,7 +222,7 @@ CxPlatTlsVerifyCertificate( QUIC_STATUS CxPlatTlsExtractPrivateKey( _In_ const QUIC_CREDENTIAL_CONFIG* CredConfig, - _In_z_ const uint8_t* Password, + _In_z_ const char* Password, _Out_ uint8_t** PfxBytes, _Out_ uint32_t* PfxSize ) diff --git a/src/platform/posix_openssl.c b/src/platform/posix_openssl.c index 11120de173..5aada34d05 100644 --- a/src/platform/posix_openssl.c +++ b/src/platform/posix_openssl.c 
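Review bot: At `Exit:` in the @@ -281 hunk, `PasswordW`, the UTF-16 copy of the password that protects the private key in the exported PFX, is released with `CXPLAT_FREE` without being wiped, whereas the caller in tls_openssl.c zeroes its own narrow buffer after use; the wide copy therefore outlives the narrow one in freed heap. Wipe it before the free with a routine the compiler cannot elide, e.g. `SecureZeroMemory(PasswordW, (wcslen(PasswordW) + 1) * sizeof(WCHAR));`. The same consideration applies to `PfxDataBlob.pbData` on the error paths that reach the following free, although that buffer is at least password-encrypted. The `"Convert temporary password to unicode"` trace text in the @@ -224 hunk reads as a description rather than a failure; `"CxPlatUtf8ToWideChar failed"` matches the file's other messages.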
@@ -31,7 +31,7 @@ QUIC_STATUS CxPlatTlsExtractPrivateKey( _In_ const QUIC_CREDENTIAL_CONFIG* CredConfig, - _In_z_ const uint8_t* Password, + _In_z_ const char* Password, _Out_ uint8_t** PfxBytes, _Out_ uint32_t* PfxSize ) diff --git a/src/platform/tls_openssl.c b/src/platform/tls_openssl.c index 5b54588337..bb28bf78a0 100644 --- a/src/platform/tls_openssl.c +++ b/src/platform/tls_openssl.c @@ -37,7 +37,7 @@ uint16_t CxPlatTlsTPHeaderSize = 0; const size_t OpenSslFilePrefixLength = sizeof("..\\..\\..\\..\\..\\..\\submodules"); -#define PFX_PASSWORD_LENGTH 34 +#define PFX_PASSWORD_LENGTH 33 // // The QUIC sec config object. Created once per listener on server side and // once per connection on client side. @@ -857,7 +857,7 @@ CXPLAT_STATIC_ASSERT( QUIC_STATUS CxPlatTlsExtractPrivateKey( _In_ const QUIC_CREDENTIAL_CONFIG* CredConfig, - _In_z_ const uint8_t* Password, + _In_z_ const char* Password, _Out_ uint8_t** PfxBytes, _Out_ uint32_t* PfxSize); @@ -1244,6 +1244,8 @@ CxPlatTlsSecConfigCreate( } else if (CredConfig->Type != QUIC_CREDENTIAL_TYPE_NONE) { BIO* Bio = BIO_new(BIO_s_mem()); PKCS12 *Pkcs12 = NULL; + const char* Password = NULL; + char PasswordBuffer[PFX_PASSWORD_LENGTH]; if (!Bio) { QuicTraceEvent( @@ -1258,6 +1260,7 @@ CxPlatTlsSecConfigCreate( BIO_set_mem_eof_return(Bio, 0); if (CredConfig->Type == QUIC_CREDENTIAL_TYPE_CERTIFICATE_PKCS12) { + Password = CredConfig->CertificatePkcs12->PrivateKeyPassword; Ret = BIO_write( Bio, 
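Review bot: `#define PFX_PASSWORD_LENGTH 33` in the @@ -37 hunk gives no hint why the value changed from 34 or what it represents; the loop in the @@ -1275 hunk rewrites every byte of `PasswordBuffer` and then sets `PasswordBuffer[PFX_PASSWORD_LENGTH - 1] = 0`, so it is 32 random printable characters plus the NUL terminator that `_In_z_` promises. Suggest `#define PFX_PASSWORD_LENGTH 33 // 32 random printable chars + NUL terminator`. In the @@ -1244 hunk `char PasswordBuffer[PFX_PASSWORD_LENGTH];` is declared for both branches but only written in the CAPI branch; a comment noting that `Password == PasswordBuffer` is the signal that it was used would explain the zeroing guard added later in the function.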
@@ -1275,22 +1278,22 @@ CxPlatTlsSecConfigCreate( } else { uint8_t* PfxBlob = NULL; uint32_t PfxSize = 0; - uint8_t Password[PFX_PASSWORD_LENGTH]; - CxPlatRandom(sizeof(Password), Password); + CxPlatRandom(sizeof(PasswordBuffer), PasswordBuffer); + Password = PasswordBuffer; // // Fixup password to printable characters // - for (uint32_t idx = 0; idx < sizeof(Password) - 2; ++idx) { - Password[idx] = (Password[idx] % 94) + 32; + for (uint32_t idx = 0; idx < sizeof(PasswordBuffer); ++idx) { +#pragma prefast(suppress:28199, "Buffer is initialized by CxPlatRandom"); + PasswordBuffer[idx] = ((uint8_t)PasswordBuffer[idx] % 94) + 32; } - Password[PFX_PASSWORD_LENGTH - 2] = 0; - Password[PFX_PASSWORD_LENGTH - 1] = 0; + PasswordBuffer[PFX_PASSWORD_LENGTH - 1] = 0; Status = CxPlatTlsExtractPrivateKey( CredConfig, - Password, + PasswordBuffer, &PfxBlob, &PfxSize); if (QUIC_FAILED(Status)) { @@ -1326,7 +1329,7 @@ CxPlatTlsSecConfigCreate( STACK_OF(X509) *CaCertificates = NULL; Ret = - PKCS12_parse(Pkcs12, CredConfig->CertificatePkcs12->PrivateKeyPassword, &PrivateKey, &X509Cert, &CaCertificates); + PKCS12_parse(Pkcs12, Password, &PrivateKey, &X509Cert, &CaCertificates); if (CaCertificates) { X509* CaCert; while ((CaCert = sk_X509_pop(CaCertificates)) != NULL) { @@ -1339,6 +1342,9 @@ CxPlatTlsSecConfigCreate( if (Pkcs12) { PKCS12_free(Pkcs12); } + if (Password == PasswordBuffer) { + CxPlatZeroMemory(PasswordBuffer, sizeof(PasswordBuffer)); + } if (Ret != 1) { QuicTraceEvent( From 3725a2d9753b4357ac91e79fdeddcd970845cad0 Mon Sep 17 00:00:00 2001 From: Anthony Rossi Date: Tue, 19 Oct 2021 21:33:10 -0700 Subject: [PATCH 5/8] Update CLOG files Signed-off-by: Anthony Rossi --- .../linux/cert_capi_openssl.c.clog.h | 209 +++++++++++------- .../linux/cert_capi_openssl.c.clog.h.lttng.h | 27 ++- src/generated/linux/tls_openssl.c.clog.h | 32 +-- src/manifest/clog.sidecar | 16 ++ 4 files changed, 189 insertions(+), 95 deletions(-) 
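Review bot: The `CxPlatZeroMemory(PasswordBuffer, sizeof(PasswordBuffer));` added in the @@ -1339 hunk runs only on the fall-through path after `PKCS12_free`; the `goto Exit` statements earlier in the same else-branch (after a failed `CxPlatTlsExtractPrivateKey` or `BIO_write`, outside this hunk) bypass it, and because `PasswordBuffer` is block-scoped it cannot be wiped at `Exit:` either. Either wipe on each of those error paths or move the buffer to function scope and clear it at `Exit:`. `CxPlatZeroMemory` also looks like a plain memset wrapper that the optimizer may drop for a buffer about to go out of scope; if this tree provides `CxPlatSecureZeroMemory`, it is the right call here. The `#pragma prefast(suppress:28199, …)` inside the loop in the @@ -1275 hunk would likely be unnecessary if the result of `CxPlatRandom` were checked, since the analyzer's concern is exactly that the buffer may be uninitialized.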
diff --git a/src/generated/linux/cert_capi_openssl.c.clog.h b/src/generated/linux/cert_capi_openssl.c.clog.h index e551d84968..350d320310 100644 --- a/src/generated/linux/cert_capi_openssl.c.clog.h +++ b/src/generated/linux/cert_capi_openssl.c.clog.h @@ -12,6 +12,10 @@ #include "cert_capi_openssl.c.clog.h.lttng.h" #endif #include +#ifndef _clog_MACRO_QuicTraceLogVerbose +#define _clog_MACRO_QuicTraceLogVerbose 1 +#define QuicTraceLogVerbose(a, ...) _clog_CAT(_clog_ARGN_SELECTOR(__VA_ARGS__), _clog_CAT(_,a(#a, __VA_ARGS__))) +#endif #ifndef _clog_MACRO_QuicTraceEvent #define _clog_MACRO_QuicTraceEvent 1 #define QuicTraceEvent(a, ...) _clog_CAT(_clog_ARGN_SELECTOR(__VA_ARGS__), _clog_CAT(_,a(#a, __VA_ARGS__))) @@ -19,6 +23,27 @@ #ifdef __cplusplus extern "C" { #endif +#ifndef _clog_3_ARGS_TRACE_TlsExportCapiCertChainVerifyResult + + + +/*---------------------------------------------------------- +// Decoder Ring for TlsExportCapiCertChainVerifyResult +// Exported chain verification result: %u +// QuicTraceLogVerbose( + TlsExportCapiCertChainVerifyResult, + "Exported chain verification result: %u", + PolicyStatus.dwError); +// arg2 = arg2 = PolicyStatus.dwError +----------------------------------------------------------*/ +#define _clog_3_ARGS_TRACE_TlsExportCapiCertChainVerifyResult(uniqueId, encoded_arg_string, arg2)\ +tracepoint(CLOG_CERT_CAPI_OPENSSL_C, TlsExportCapiCertChainVerifyResult , arg2);\ + +#endif + + + + #ifndef _clog_3_ARGS_TRACE_LibraryError @@ -74,9 +99,9 @@ tracepoint(CLOG_CERT_CAPI_OPENSSL_C, LibraryErrorStatus , arg2, arg3);\ LibraryErrorStatus, "[ lib] ERROR, %u, %s.", Status, - "CxPlatCertCreate"); + "CertCreateCertificateChainEngine"); // arg2 = arg2 = Status -// arg3 = arg3 = "CxPlatCertCreate" +// arg3 = arg3 = "CertCreateCertificateChainEngine" ----------------------------------------------------------*/ #define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\ 
@@ -85,20 +110,22 @@ tracepoint(CLOG_CERT_CAPI_OPENSSL_C, LibraryErrorStatus , arg2, arg3);\ -#ifndef _clog_3_ARGS_TRACE_LibraryError +#ifndef _clog_4_ARGS_TRACE_LibraryErrorStatus /*---------------------------------------------------------- -// Decoder Ring for LibraryError -// [ lib] ERROR, %s. +// Decoder Ring for LibraryErrorStatus +// [ lib] ERROR, %u, %s. // QuicTraceEvent( - LibraryError, - "[ lib] ERROR, %s.", - "d2i_X509 failed"); -// arg2 = arg2 = "d2i_X509 failed" + LibraryErrorStatus, + "[ lib] ERROR, %u, %s.", + Status, + "CertGetCertificateChain"); +// arg2 = arg2 = Status +// arg3 = arg3 = "CertGetCertificateChain" ----------------------------------------------------------*/ -#define _clog_3_ARGS_TRACE_LibraryError(uniqueId, encoded_arg_string, arg2)\ +#define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\ #endif @@ -116,9 +143,9 @@ tracepoint(CLOG_CERT_CAPI_OPENSSL_C, LibraryErrorStatus , arg2, arg3);\ LibraryErrorStatus, "[ lib] ERROR, %u, %s.", Status, - "NCryptGetProperty failed"); + "CertGetCertificateChain didn't build a chain"); // arg2 = arg2 = Status -// arg3 = arg3 = "NCryptGetProperty failed" +// arg3 = arg3 = "CertGetCertificateChain didn't build a chain" ----------------------------------------------------------*/ #define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\ 
@@ -127,20 +154,22 @@ tracepoint(CLOG_CERT_CAPI_OPENSSL_C, LibraryErrorStatus , arg2, arg3);\ -#ifndef _clog_3_ARGS_TRACE_LibraryError +#ifndef _clog_4_ARGS_TRACE_LibraryErrorStatus /*---------------------------------------------------------- -// Decoder Ring for LibraryError -// [ lib] ERROR, %s. +// Decoder Ring for LibraryErrorStatus +// [ lib] ERROR, %u, %s. // QuicTraceEvent( - LibraryError, - "[ lib] ERROR, %s.", - "Requested certificate does not support exporting. An exportable certificate is required"); -// arg2 = arg2 = "Requested certificate does not support exporting. An exportable certificate is required" + LibraryErrorStatus, + "[ lib] ERROR, %u, %s.", + HRESULT_FROM_WIN32(GetLastError()), + "CertVerifyCertificateChainPolicy"); +// arg2 = arg2 = HRESULT_FROM_WIN32(GetLastError()) +// arg3 = arg3 = "CertVerifyCertificateChainPolicy" ----------------------------------------------------------*/ -#define _clog_3_ARGS_TRACE_LibraryError(uniqueId, encoded_arg_string, arg2)\ +#define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\ #endif @@ -158,9 +187,9 @@ tracepoint(CLOG_CERT_CAPI_OPENSSL_C, LibraryErrorStatus , arg2, arg3);\ LibraryErrorStatus, "[ lib] ERROR, %u, %s.", Status, - "NCryptExportKey failed."); + "CxPlatCertCreate"); // arg2 = arg2 = Status -// arg3 = arg3 = "NCryptExportKey failed." +// arg3 = arg3 = "CxPlatCertCreate" ----------------------------------------------------------*/ #define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\ 
@@ -169,23 +198,42 @@ tracepoint(CLOG_CERT_CAPI_OPENSSL_C, LibraryErrorStatus , arg2, arg3);\ -#ifndef _clog_4_ARGS_TRACE_AllocFailure +#ifndef _clog_4_ARGS_TRACE_LibraryErrorStatus /*---------------------------------------------------------- -// Decoder Ring for AllocFailure -// Allocation of '%s' failed. (%llu bytes) +// Decoder Ring for LibraryErrorStatus +// [ lib] ERROR, %u, %s. // QuicTraceEvent( - AllocFailure, - "Allocation of '%s' failed. (%llu bytes)", - "RSA Key", - KeyLength); -// arg2 = arg2 = "RSA Key" -// arg3 = arg3 = KeyLength + LibraryErrorStatus, + "[ lib] ERROR, %u, %s.", + Status, + "NCryptGetProperty failed"); +// arg2 = arg2 = Status +// arg3 = arg3 = "NCryptGetProperty failed" ----------------------------------------------------------*/ -#define _clog_4_ARGS_TRACE_AllocFailure(uniqueId, encoded_arg_string, arg2, arg3)\ -tracepoint(CLOG_CERT_CAPI_OPENSSL_C, AllocFailure , arg2, arg3);\ +#define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\ + +#endif + + + + +#ifndef _clog_3_ARGS_TRACE_LibraryError + + + +/*---------------------------------------------------------- +// Decoder Ring for LibraryError +// [ lib] ERROR, %s. +// QuicTraceEvent( + LibraryError, + "[ lib] ERROR, %s.", + "Requested certificate does not support exporting. An exportable certificate is required"); +// arg2 = arg2 = "Requested certificate does not support exporting. An exportable certificate is required" +----------------------------------------------------------*/ +#define _clog_3_ARGS_TRACE_LibraryError(uniqueId, encoded_arg_string, arg2)\ #endif 
@@ -203,9 +251,9 @@ tracepoint(CLOG_CERT_CAPI_OPENSSL_C, AllocFailure , arg2, arg3);\ LibraryErrorStatus, "[ lib] ERROR, %u, %s.", Status, - "NCryptExportKey failed."); + "CertOpenStore failed"); // arg2 = arg2 = Status -// arg3 = arg3 = "NCryptExportKey failed." +// arg3 = arg3 = "CertOpenStore failed" ----------------------------------------------------------*/ #define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\ 
@@ -214,100 +262,111 @@ tracepoint(CLOG_CERT_CAPI_OPENSSL_C, AllocFailure , arg2, arg3);\ -#ifndef _clog_3_ARGS_TRACE_LibraryError +#ifndef _clog_4_ARGS_TRACE_LibraryErrorStatus /*---------------------------------------------------------- -// Decoder Ring for LibraryError -// [ lib] ERROR, %s. +// Decoder Ring for LibraryErrorStatus +// [ lib] ERROR, %u, %s. // QuicTraceEvent( - LibraryError, - "[ lib] ERROR, %s.", - "NCryptExportKey resulted in incorrect magic number"); -// arg2 = arg2 = "NCryptExportKey resulted in incorrect magic number" + LibraryErrorStatus, + "[ lib] ERROR, %u, %s.", + Status, + "CertAddCertificateContextToStore failed"); +// arg2 = arg2 = Status +// arg3 = arg3 = "CertAddCertificateContextToStore failed" ----------------------------------------------------------*/ -#define _clog_3_ARGS_TRACE_LibraryError(uniqueId, encoded_arg_string, arg2)\ +#define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\ #endif -#ifndef _clog_3_ARGS_TRACE_LibraryError +#ifndef _clog_4_ARGS_TRACE_LibraryErrorStatus /*---------------------------------------------------------- -// Decoder Ring for LibraryError -// [ lib] ERROR, %s. +// Decoder Ring for LibraryErrorStatus +// [ lib] ERROR, %u, %s. // QuicTraceEvent( - LibraryError, - "[ lib] ERROR, %s.", - "RSA_new failed"); -// arg2 = arg2 = "RSA_new failed" + LibraryErrorStatus, + "[ lib] ERROR, %u, %s.", + Status, + "Convert temporary password to unicode"); +// arg2 = arg2 = Status +// arg3 = arg3 = "Convert temporary password to unicode" ----------------------------------------------------------*/ -#define _clog_3_ARGS_TRACE_LibraryError(uniqueId, encoded_arg_string, arg2)\ +#define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\ #endif -#ifndef _clog_3_ARGS_TRACE_LibraryError +#ifndef _clog_4_ARGS_TRACE_LibraryErrorStatus /*---------------------------------------------------------- -// Decoder Ring for LibraryError -// [ lib] ERROR, %s. 
+// Decoder Ring for LibraryErrorStatus +// [ lib] ERROR, %u, %s. // QuicTraceEvent( - LibraryError, - "[ lib] ERROR, %s.", - "RSA_set0_key failed"); -// arg2 = arg2 = "RSA_set0_key failed" + LibraryErrorStatus, + "[ lib] ERROR, %u, %s.", + Status, + "PFXExportCertStoreEx get size failed"); +// arg2 = arg2 = Status +// arg3 = arg3 = "PFXExportCertStoreEx get size failed" ----------------------------------------------------------*/ -#define _clog_3_ARGS_TRACE_LibraryError(uniqueId, encoded_arg_string, arg2)\ +#define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\ #endif -#ifndef _clog_3_ARGS_TRACE_LibraryError +#ifndef _clog_4_ARGS_TRACE_AllocFailure /*---------------------------------------------------------- -// Decoder Ring for LibraryError -// [ lib] ERROR, %s. +// Decoder Ring for AllocFailure +// Allocation of '%s' failed. (%llu bytes) // QuicTraceEvent( - LibraryError, - "[ lib] ERROR, %s.", - "RSA_set0_factors failed"); -// arg2 = arg2 = "RSA_set0_factors failed" + AllocFailure, + "Allocation of '%s' failed. (%llu bytes)", + "PFX data", + PfxDataBlob.cbData); +// arg2 = arg2 = "PFX data" +// arg3 = arg3 = PfxDataBlob.cbData ----------------------------------------------------------*/ -#define _clog_3_ARGS_TRACE_LibraryError(uniqueId, encoded_arg_string, arg2)\ +#define _clog_4_ARGS_TRACE_AllocFailure(uniqueId, encoded_arg_string, arg2, arg3)\ +tracepoint(CLOG_CERT_CAPI_OPENSSL_C, AllocFailure , arg2, arg3);\ #endif -#ifndef _clog_3_ARGS_TRACE_LibraryError +#ifndef _clog_4_ARGS_TRACE_LibraryErrorStatus /*---------------------------------------------------------- -// Decoder Ring for LibraryError -// [ lib] ERROR, %s. +// Decoder Ring for LibraryErrorStatus +// [ lib] ERROR, %u, %s. 
// QuicTraceEvent( - LibraryError, - "[ lib] ERROR, %s.", - "RSA_set0_crt_params failed"); -// arg2 = arg2 = "RSA_set0_crt_params failed" + LibraryErrorStatus, + "[ lib] ERROR, %u, %s.", + Status, + "PFXExportCertStoreEx get size failed"); +// arg2 = arg2 = Status +// arg3 = arg3 = "PFXExportCertStoreEx get size failed" ----------------------------------------------------------*/ -#define _clog_3_ARGS_TRACE_LibraryError(uniqueId, encoded_arg_string, arg2)\ +#define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\ #endif diff --git a/src/generated/linux/cert_capi_openssl.c.clog.h.lttng.h b/src/generated/linux/cert_capi_openssl.c.clog.h.lttng.h index 0c95c8d287..0a03e97ccb 100644 --- a/src/generated/linux/cert_capi_openssl.c.clog.h.lttng.h +++ b/src/generated/linux/cert_capi_openssl.c.clog.h.lttng.h @@ -1,6 +1,25 @@ +/*---------------------------------------------------------- +// Decoder Ring for TlsExportCapiCertChainVerifyResult +// Exported chain verification result: %u +// QuicTraceLogVerbose( + TlsExportCapiCertChainVerifyResult, + "Exported chain verification result: %u", + PolicyStatus.dwError); +// arg2 = arg2 = PolicyStatus.dwError +----------------------------------------------------------*/ +TRACEPOINT_EVENT(CLOG_CERT_CAPI_OPENSSL_C, TlsExportCapiCertChainVerifyResult, + TP_ARGS( + unsigned int, arg2), + TP_FIELDS( + ctf_integer(unsigned int, arg2, arg2) + ) +) + + + /*---------------------------------------------------------- // Decoder Ring for LibraryError // [ lib] ERROR, %s. 
@@ -49,10 +68,10 @@ TRACEPOINT_EVENT(CLOG_CERT_CAPI_OPENSSL_C, LibraryErrorStatus, // QuicTraceEvent( AllocFailure, "Allocation of '%s' failed. (%llu bytes)", - "RSA Key", - KeyLength); -// arg2 = arg2 = "RSA Key" -// arg3 = arg3 = KeyLength + "PFX data", + PfxDataBlob.cbData); +// arg2 = arg2 = "PFX data" +// arg3 = arg3 = PfxDataBlob.cbData ----------------------------------------------------------*/ TRACEPOINT_EVENT(CLOG_CERT_CAPI_OPENSSL_C, AllocFailure, TP_ARGS( diff --git a/src/generated/linux/tls_openssl.c.clog.h b/src/generated/linux/tls_openssl.c.clog.h index b4172bb7c3..c6035fcec5 100644 --- a/src/generated/linux/tls_openssl.c.clog.h +++ b/src/generated/linux/tls_openssl.c.clog.h @@ -1227,12 +1227,12 @@ tracepoint(CLOG_TLS_OPENSSL_C, LibraryErrorStatus , arg2, arg3);\ // Decoder Ring for LibraryErrorStatus // [ lib] ERROR, %u, %s. // QuicTraceEvent( - LibraryErrorStatus, - "[ lib] ERROR, %u, %s.", - ERR_get_error(), - "d2i_PKCS12_bio failed"); + LibraryErrorStatus, + "[ lib] ERROR, %u, %s.", + ERR_get_error(), + "BIO_write failed"); // arg2 = arg2 = ERR_get_error() -// arg3 = arg3 = "d2i_PKCS12_bio failed" +// arg3 = arg3 = "BIO_write failed" ----------------------------------------------------------*/ #define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\ @@ -1249,12 +1249,12 @@ tracepoint(CLOG_TLS_OPENSSL_C, LibraryErrorStatus , arg2, arg3);\ // Decoder Ring for LibraryErrorStatus // [ lib] ERROR, %u, %s. // QuicTraceEvent( - LibraryErrorStatus, - "[ lib] ERROR, %u, %s.", - ERR_get_error(), - "PKCS12_parse failed"); + LibraryErrorStatus, + "[ lib] ERROR, %u, %s.", + ERR_get_error(), + "BIO_write failed"); // arg2 = arg2 = ERR_get_error() -// arg3 = arg3 = "PKCS12_parse failed" +// arg3 = arg3 = "BIO_write failed" ----------------------------------------------------------*/ #define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\ 
@@ -1274,9 +1274,9 @@ tracepoint(CLOG_TLS_OPENSSL_C, LibraryErrorStatus , arg2, arg3);\ LibraryErrorStatus, "[ lib] ERROR, %u, %s.", ERR_get_error(), - "SSL_CTX_use_PrivateKey_file failed"); + "d2i_PKCS12_bio failed"); // arg2 = arg2 = ERR_get_error() -// arg3 = arg3 = "SSL_CTX_use_PrivateKey_file failed" +// arg3 = arg3 = "d2i_PKCS12_bio failed" ----------------------------------------------------------*/ #define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\ @@ -1296,9 +1296,9 @@ tracepoint(CLOG_TLS_OPENSSL_C, LibraryErrorStatus , arg2, arg3);\ LibraryErrorStatus, "[ lib] ERROR, %u, %s.", ERR_get_error(), - "SSL_CTX_use_certificate failed"); + "PKCS12_parse failed"); // arg2 = arg2 = ERR_get_error() -// arg3 = arg3 = "SSL_CTX_use_certificate failed" +// arg3 = arg3 = "PKCS12_parse failed" ----------------------------------------------------------*/ #define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\ @@ -1318,9 +1318,9 @@ tracepoint(CLOG_TLS_OPENSSL_C, LibraryErrorStatus , arg2, arg3);\ LibraryErrorStatus, "[ lib] ERROR, %u, %s.", ERR_get_error(), - "SSL_CTX_use_RSAPrivateKey_file failed"); + "SSL_CTX_use_PrivateKey_file failed"); // arg2 = arg2 = ERR_get_error() -// arg3 = arg3 = "SSL_CTX_use_RSAPrivateKey_file failed" +// arg3 = arg3 = "SSL_CTX_use_PrivateKey_file failed" ----------------------------------------------------------*/ #define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\ diff --git a/src/manifest/clog.sidecar b/src/manifest/clog.sidecar index a859621d21..9e5ad9a2b5 100644 --- a/src/manifest/clog.sidecar +++ b/src/manifest/clog.sidecar 
@@ -8601,6 +8601,18 @@ ], "macroName": "QuicTraceLogVerbose" }, + "TlsExportCapiCertChainVerifyResult": { + "ModuleProperites": {}, + "TraceString": "Exported chain verification result: %u", + "UniqueId": "TlsExportCapiCertChainVerifyResult", + "splitArgs": [ + { + "DefinationEncoding": "u", + "MacroVariableName": "arg2" + } + ], + "macroName": "QuicTraceLogVerbose" + }, "TlsLogSecret": { "ModuleProperites": {}, "TraceString": "[ tls] %s[%u]: %s", @@ -12920,6 +12932,10 @@ "UniquenessHash": "d53212c8-2068-d598-a55f-1b238ec86ad1", "TraceID": "CertCapiVerify" }, + { + "UniquenessHash": "34dcc43f-ca44-d42f-d1f1-ed7f98fc9779", + "TraceID": "TlsExportCapiCertChainVerifyResult" + }, { "UniquenessHash": "7512a5e6-b76b-d244-25a2-f27c6b593461", "TraceID": "TlsLogSecret" From f565c40662520b7910cb301d37a4c1a9a109d333 Mon Sep 17 00:00:00 2001 From: Anthony Rossi Date: Tue, 19 Oct 2021 21:46:15 -0700 Subject: [PATCH 6/8] Remove unused variable and prefast suppresion. Signed-off-by: Anthony Rossi --- src/platform/tls_openssl.c | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/src/platform/tls_openssl.c b/src/platform/tls_openssl.c index bb28bf78a0..8827ed0cef 100644 --- a/src/platform/tls_openssl.c +++ b/src/platform/tls_openssl.c @@ -964,9 +964,8 @@ CxPlatTlsSecConfigCreate( QUIC_STATUS Status = QUIC_STATUS_SUCCESS; int Ret = 0; CXPLAT_SEC_CONFIG* SecurityConfig = NULL; - EVP_PKEY* PrivKey = NULL; X509* X509Cert = NULL; - EVP_PKEY * PrivateKey = NULL; + EVP_PKEY* PrivateKey = NULL; char* CipherSuiteString = NULL; // 
@@ -1279,16 +1278,15 @@ CxPlatTlsSecConfigCreate( uint8_t* PfxBlob = NULL; uint32_t PfxSize = 0; CxPlatRandom(sizeof(PasswordBuffer), PasswordBuffer); - Password = PasswordBuffer; // // Fixup password to printable characters // for (uint32_t idx = 0; idx < sizeof(PasswordBuffer); ++idx) { -#pragma prefast(suppress:28199, "Buffer is initialized by CxPlatRandom"); PasswordBuffer[idx] = ((uint8_t)PasswordBuffer[idx] % 94) + 32; } PasswordBuffer[PFX_PASSWORD_LENGTH - 1] = 0; + Password = PasswordBuffer; Status = CxPlatTlsExtractPrivateKey( @@ -1475,10 +1473,6 @@ CxPlatTlsSecConfigCreate( X509_free(X509Cert); } - if (PrivKey != NULL) { - EVP_PKEY_free(PrivKey); - } - if (PrivateKey != NULL) { EVP_PKEY_free(PrivateKey); } From 6b9f91b102a0a45cdfc032a290f0d166196faeae Mon Sep 17 00:00:00 2001 From: Anthony Rossi Date: Wed, 20 Oct 2021 11:28:58 -0700 Subject: [PATCH 7/8] Address review comments. Signed-off-by: Anthony Rossi --- src/platform/cert_capi_openssl.c | 46 ++++++++++++++++++-------------- src/platform/darwin_openssl.c | 2 +- src/platform/posix_openssl.c | 2 +- src/platform/tls_openssl.c | 2 +- 4 files changed, 29 insertions(+), 23 deletions(-) diff --git a/src/platform/cert_capi_openssl.c b/src/platform/cert_capi_openssl.c index b3bf0bd87c..88bfb3ac23 100644 --- a/src/platform/cert_capi_openssl.c +++ b/src/platform/cert_capi_openssl.c @@ -127,11 +127,12 @@ CxPlatTlsVerifyCertificate( QUIC_STATUS CxPlatAddChainToStore( - _In_ HCERTSTORE CertStore, - _In_ PCCERT_CONTEXT CertContext + _In_ HCERTSTORE CertStore, + _In_ PCCERT_CONTEXT CertContext ) { QUIC_STATUS Status; + DWORD LastError; CERT_CHAIN_ENGINE_CONFIG CertChainEngineConfig; HCERTCHAINENGINE CertChainEngine = NULL; PCCERT_CHAIN_CONTEXT CertChainContext = NULL; 
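Review bot: PasswordBuffer holds the secret that protects the exported private-key blob, and nothing in this hunk clears it once CxPlatTlsExtractPrivateKey and the PKCS#12 parse are finished; unless the tail of CxPlatTlsSecConfigCreate (outside this hunk) already does so, it should be wiped with CxPlatSecureZeroMemory or an equivalent the compiler cannot elide. The loop is bounded by `sizeof(PasswordBuffer)` while the terminator is written at `PasswordBuffer[PFX_PASSWORD_LENGTH - 1]`; if the array is declared with PFX_PASSWORD_LENGTH elements the two agree, but `PasswordBuffer[sizeof(PasswordBuffer) - 1] = 0;` ties the terminator to the same bound as the loop. The `% 94` mapping is slightly biased toward the lower 68 printable characters because 256 is not a multiple of 94; the entropy loss is small for a transient in-process password, which is worth stating in a comment such as `// Modulo bias is acceptable: the password only protects the blob for the duration of this call.` The enclosing function starts and ends outside the hunk.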
@@ -142,16 +143,17 @@ CxPlatAddChainToStore( CERT_CHAIN_POLICY_STATUS PolicyStatus; // - // Create a new chain engine, then build the chain + // Create a new chain engine, then build the chain. // ZeroMemory(&CertChainEngineConfig, sizeof(CertChainEngineConfig)); CertChainEngineConfig.cbSize = sizeof(CertChainEngineConfig); if (!CertCreateCertificateChainEngine(&CertChainEngineConfig, &CertChainEngine)) { - Status = HRESULT_FROM_WIN32(GetLastError()); + LastError = GetLastError(); + Status = HRESULT_FROM_WIN32(LastError); QuicTraceEvent( LibraryErrorStatus, "[ lib] ERROR, %u, %s.", - Status, + LastError, "CertCreateCertificateChainEngine"); goto Exit; } @@ -168,11 +170,12 @@ CxPlatAddChainToStore( 0, NULL, &CertChainContext)) { - Status = HRESULT_FROM_WIN32(GetLastError()); + LastError = GetLastError(); + Status = HRESULT_FROM_WIN32(LastError); QuicTraceEvent( LibraryErrorStatus, "[ lib] ERROR, %u, %s.", - Status, + LastError, "CertGetCertificateChain"); goto Exit; } @@ -225,7 +228,7 @@ CxPlatAddChainToStore( QuicTraceEvent( LibraryErrorStatus, "[ lib] ERROR, %u, %s.", - HRESULT_FROM_WIN32(GetLastError()), + GetLastError(), "CertVerifyCertificateChainPolicy"); } @@ -252,7 +255,7 @@ QUIC_STATUS CxPlatTlsExtractPrivateKey( _In_ const QUIC_CREDENTIAL_CONFIG* CredConfig, _In_z_ const char* Password, - _Out_ uint8_t** PfxBytes, + _Outptr_result_buffer_(*PfxSize) uint8_t** PfxBytes, _Out_ uint32_t* PfxSize ) { @@ -264,6 +267,7 @@ CxPlatTlsExtractPrivateKey( PCCERT_CONTEXT CertCtx = NULL; DWORD ExportPolicyProperty = 0; DWORD ExportPolicyLength = 0; + DWORD LastError; QUIC_STATUS Status; if (QUIC_FAILED( 
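Review bot: The CertVerifyCertificateChainPolicy failure path (the @@ -225 hunk) still evaluates `GetLastError()` inline as a QuicTraceEvent argument, whereas every other site in this commit captures it first with `LastError = GetLastError();` and passes `LastError`. QuicTraceEvent is a macro whose expansion depends on the logging backend, so the argument may be evaluated after other calls have reset the thread's last-error value, or not at all when tracing is compiled out; capturing it into the local this function now declares makes the logged code reliable and keeps the sites uniform. It is also not visible in this hunk whether a failed policy check sets Status or only logs; if it is intentionally non-fatal, a one-line comment saying so would save the next reader from assuming an error was dropped. Both CxPlatAddChainToStore and CxPlatTlsExtractPrivateKey extend beyond the hunks on this line.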
@@ -323,13 +327,13 @@ CxPlatTlsExtractPrivateKey( 0, CERT_STORE_ENUM_ARCHIVED_FLAG, NULL); - - if (NULL == TempCertStore){ - Status = HRESULT_FROM_WIN32(GetLastError()); + if (NULL == TempCertStore) { + LastError = GetLastError(); + Status = HRESULT_FROM_WIN32(LastError); QuicTraceEvent( LibraryErrorStatus, "[ lib] ERROR, %u, %s.", - Status, + LastError, "CertOpenStore failed"); goto Exit; } @@ -344,11 +348,12 @@ CxPlatTlsExtractPrivateKey( CertCtx, CERT_STORE_ADD_REPLACE_EXISTING, NULL)) { - Status = HRESULT_FROM_WIN32(GetLastError()); + LastError = GetLastError(); + Status = HRESULT_FROM_WIN32(LastError); QuicTraceEvent( LibraryErrorStatus, "[ lib] ERROR, %u, %s.", - Status, + LastError, "CertAddCertificateContextToStore failed"); goto Exit; } @@ -378,17 +383,17 @@ CxPlatTlsExtractPrivateKey( PasswordW, (void*)&Pbes2ExportParams, Flags)) { - Status = HRESULT_FROM_WIN32(GetLastError()); + LastError = GetLastError(); + Status = HRESULT_FROM_WIN32(LastError); QuicTraceEvent( LibraryErrorStatus, "[ lib] ERROR, %u, %s.", - Status, + LastError, "PFXExportCertStoreEx get size failed"); goto Exit; } PfxDataBlob.pbData = CXPLAT_ALLOC_NONPAGED(PfxDataBlob.cbData, QUIC_POOL_TLS_PFX); - if (PfxDataBlob.pbData == NULL) { QuicTraceEvent( AllocFailure, @@ -405,11 +410,12 @@ CxPlatTlsExtractPrivateKey( PasswordW, (void*)&Pbes2ExportParams, Flags)) { - Status = HRESULT_FROM_WIN32(GetLastError()); + LastError = GetLastError(); + Status = HRESULT_FROM_WIN32(LastError); QuicTraceEvent( LibraryErrorStatus, "[ lib] ERROR, %u, %s.", - Status, + LastError, "PFXExportCertStoreEx get size failed"); goto Exit; } diff --git a/src/platform/darwin_openssl.c b/src/platform/darwin_openssl.c index 7bf5d2b027..1873851d32 100644 --- a/src/platform/darwin_openssl.c +++ b/src/platform/darwin_openssl.c 
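Review bot: The error message on the second PFXExportCertStoreEx call (the @@ -405 hunk) still reads `"PFXExportCertStoreEx get size failed"`, which is the message of the size-query call in the @@ -378 hunk above; this call is the actual export into the allocated buffer, so a failure here would be misattributed in the trace. Change it to `"PFXExportCertStoreEx failed"`; the generated clog headers in this series show both entries carrying the identical string, so they would need regenerating as well. The other hunks on this line (CertOpenStore, CertAddCertificateContextToStore, the size query) follow the LastError pattern consistently. CxPlatTlsExtractPrivateKey's body continues outside the hunk.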
@@ -223,7 +223,7 @@ QUIC_STATUS CxPlatTlsExtractPrivateKey( _In_ const QUIC_CREDENTIAL_CONFIG* CredConfig, _In_z_ const char* Password, - _Out_ uint8_t** PfxBytes, + _Outptr_result_buffer_(*PfxSize) uint8_t** PfxBytes, _Out_ uint32_t* PfxSize ) { diff --git a/src/platform/posix_openssl.c b/src/platform/posix_openssl.c index 5aada34d05..cb81fa359b 100644 --- a/src/platform/posix_openssl.c +++ b/src/platform/posix_openssl.c @@ -32,7 +32,7 @@ QUIC_STATUS CxPlatTlsExtractPrivateKey( _In_ const QUIC_CREDENTIAL_CONFIG* CredConfig, _In_z_ const char* Password, - _Out_ uint8_t** PfxBytes, + _Outptr_result_buffer_(*PfxSize) uint8_t** PfxBytes, _Out_ uint32_t* PfxSize ) { diff --git a/src/platform/tls_openssl.c b/src/platform/tls_openssl.c index 8827ed0cef..03b580473f 100644 --- a/src/platform/tls_openssl.c +++ b/src/platform/tls_openssl.c @@ -858,7 +858,7 @@ QUIC_STATUS CxPlatTlsExtractPrivateKey( _In_ const QUIC_CREDENTIAL_CONFIG* CredConfig, _In_z_ const char* Password, - _Out_ uint8_t** PfxBytes, + _Outptr_result_buffer_(*PfxSize) uint8_t** PfxBytes, _Out_ uint32_t* PfxSize); _IRQL_requires_max_(PASSIVE_LEVEL) From 634bbd2c3a3ae6513d16c9e7fed4099fbd192e50 Mon Sep 17 00:00:00 2001 From: Anthony Rossi Date: Wed, 20 Oct 2021 15:26:11 -0700 Subject: [PATCH 8/8] Update CLOG. Signed-off-by: Anthony Rossi --- .../linux/cert_capi_openssl.c.clog.h | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/src/generated/linux/cert_capi_openssl.c.clog.h b/src/generated/linux/cert_capi_openssl.c.clog.h index 350d320310..5f242e00f4 100644 --- a/src/generated/linux/cert_capi_openssl.c.clog.h +++ b/src/generated/linux/cert_capi_openssl.c.clog.h 
@@ -98,9 +98,9 @@ tracepoint(CLOG_CERT_CAPI_OPENSSL_C, LibraryErrorStatus , arg2, arg3);\ // QuicTraceEvent( LibraryErrorStatus, "[ lib] ERROR, %u, %s.", - Status, + LastError, "CertCreateCertificateChainEngine"); -// arg2 = arg2 = Status +// arg2 = arg2 = LastError // arg3 = arg3 = "CertCreateCertificateChainEngine" ----------------------------------------------------------*/ #define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\ @@ -120,9 +120,9 @@ tracepoint(CLOG_CERT_CAPI_OPENSSL_C, LibraryErrorStatus , arg2, arg3);\ // QuicTraceEvent( LibraryErrorStatus, "[ lib] ERROR, %u, %s.", - Status, + LastError, "CertGetCertificateChain"); -// arg2 = arg2 = Status +// arg2 = arg2 = LastError // arg3 = arg3 = "CertGetCertificateChain" ----------------------------------------------------------*/ #define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\ @@ -164,9 +164,9 @@ tracepoint(CLOG_CERT_CAPI_OPENSSL_C, LibraryErrorStatus , arg2, arg3);\ // QuicTraceEvent( LibraryErrorStatus, "[ lib] ERROR, %u, %s.", - HRESULT_FROM_WIN32(GetLastError()), + GetLastError(), "CertVerifyCertificateChainPolicy"); -// arg2 = arg2 = HRESULT_FROM_WIN32(GetLastError()) +// arg2 = arg2 = GetLastError() // arg3 = arg3 = "CertVerifyCertificateChainPolicy" ----------------------------------------------------------*/ #define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\ @@ -250,9 +250,9 @@ tracepoint(CLOG_CERT_CAPI_OPENSSL_C, LibraryErrorStatus , arg2, arg3);\ // QuicTraceEvent( LibraryErrorStatus, "[ lib] ERROR, %u, %s.", - Status, + LastError, "CertOpenStore failed"); -// arg2 = arg2 = Status +// arg2 = arg2 = LastError // arg3 = arg3 = "CertOpenStore failed" ----------------------------------------------------------*/ #define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\ 
@@ -272,9 +272,9 @@ tracepoint(CLOG_CERT_CAPI_OPENSSL_C, LibraryErrorStatus , arg2, arg3);\ // QuicTraceEvent( LibraryErrorStatus, "[ lib] ERROR, %u, %s.", - Status, + LastError, "CertAddCertificateContextToStore failed"); -// arg2 = arg2 = Status +// arg2 = arg2 = LastError // arg3 = arg3 = "CertAddCertificateContextToStore failed" ----------------------------------------------------------*/ #define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\ @@ -316,9 +316,9 @@ tracepoint(CLOG_CERT_CAPI_OPENSSL_C, LibraryErrorStatus , arg2, arg3);\ // QuicTraceEvent( LibraryErrorStatus, "[ lib] ERROR, %u, %s.", - Status, + LastError, "PFXExportCertStoreEx get size failed"); -// arg2 = arg2 = Status +// arg2 = arg2 = LastError // arg3 = arg3 = "PFXExportCertStoreEx get size failed" ----------------------------------------------------------*/ #define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\ @@ -361,9 +361,9 @@ tracepoint(CLOG_CERT_CAPI_OPENSSL_C, AllocFailure , arg2, arg3);\ // QuicTraceEvent( LibraryErrorStatus, "[ lib] ERROR, %u, %s.", - Status, + LastError, "PFXExportCertStoreEx get size failed"); -// arg2 = arg2 = Status +// arg2 = arg2 = LastError // arg3 = arg3 = "PFXExportCertStoreEx get size failed" ----------------------------------------------------------*/ #define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\