1 /* 2 * Copyright (C) 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include <keymaster/km_openssl/openssl_err.h> 18 19 #include <openssl/err.h> 20 #include <openssl/evp.h> 21 22 #if defined(OPENSSL_IS_BORINGSSL) 23 #include <openssl/asn1.h> 24 #include <openssl/cipher.h> 25 #include <openssl/pkcs8.h> 26 #include <openssl/x509v3.h> 27 #endif 28 29 #include <hardware/keymaster_defs.h> 30 #include <keymaster/logger.h> 31 32 namespace keymaster { 33 34 static keymaster_error_t TranslateEvpError(int reason); 35 #if defined(OPENSSL_IS_BORINGSSL) 36 static keymaster_error_t TranslateASN1Error(int reason); 37 static keymaster_error_t TranslateCipherError(int reason); 38 static keymaster_error_t TranslatePKCS8Error(int reason); 39 static keymaster_error_t TranslateX509v3Error(int reason); 40 static keymaster_error_t TranslateRsaError(int reason); 41 #endif 42 43 keymaster_error_t TranslateLastOpenSslError(bool log_message) { 44 unsigned long error = ERR_peek_last_error(); 45 46 if (log_message) { 47 LOG_D("%s", ERR_error_string(error, nullptr)); 48 } 49 50 int reason = ERR_GET_REASON(error); 51 52 /* Handle global error reasons */ 53 switch (reason) { 54 case ERR_R_MALLOC_FAILURE: 55 return KM_ERROR_MEMORY_ALLOCATION_FAILED; 56 case ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED: 57 case ERR_R_PASSED_NULL_PARAMETER: 58 case ERR_R_INTERNAL_ERROR: 59 case ERR_R_OVERFLOW: 60 return KM_ERROR_UNKNOWN_ERROR; 61 default: 62 break; 63 } 64 65 switch (ERR_GET_LIB(error)) { 66 case ERR_LIB_USER: 67 return static_cast<keymaster_error_t>(reason); 68 case ERR_LIB_EVP: 69 return TranslateEvpError(reason); 70 #if defined(OPENSSL_IS_BORINGSSL) 71 case ERR_LIB_ASN1: 72 return TranslateASN1Error(reason); 73 case ERR_LIB_CIPHER: 74 return TranslateCipherError(reason); 75 case ERR_LIB_PKCS8: 76 return TranslatePKCS8Error(reason); 77 case ERR_LIB_X509V3: 78 return TranslateX509v3Error(reason); 79 case ERR_LIB_RSA: 80 return TranslateRsaError(reason); 81 #else 82 case ERR_LIB_ASN1: 83 LOG_E("ASN.1 parsing error %d", reason); 84 return KM_ERROR_INVALID_ARGUMENT; 85 #endif 86 } 87 88 LOG_E("Openssl error %d, %d", ERR_GET_LIB(error), reason); 89 return KM_ERROR_UNKNOWN_ERROR; 90 } 91 92 #if defined(OPENSSL_IS_BORINGSSL) 93 94 keymaster_error_t TranslatePKCS8Error(int reason) { 95 switch (reason) { 96 case PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM: 97 case PKCS8_R_UNKNOWN_CIPHER: 98 return KM_ERROR_UNSUPPORTED_ALGORITHM; 99 100 case PKCS8_R_PRIVATE_KEY_ENCODE_ERROR: 101 case PKCS8_R_PRIVATE_KEY_DECODE_ERROR: 102 return KM_ERROR_INVALID_KEY_BLOB; 103 104 case PKCS8_R_ENCODE_ERROR: 105 return KM_ERROR_INVALID_ARGUMENT; 106 107 default: 108 return KM_ERROR_UNKNOWN_ERROR; 109 } 110 } 111 112 keymaster_error_t TranslateCipherError(int reason) { 113 switch (reason) { 114 case CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH: 115 case CIPHER_R_WRONG_FINAL_BLOCK_LENGTH: 116 return KM_ERROR_INVALID_INPUT_LENGTH; 117 118 case CIPHER_R_UNSUPPORTED_KEY_SIZE: 119 case CIPHER_R_BAD_KEY_LENGTH: 120 return KM_ERROR_UNSUPPORTED_KEY_SIZE; 121 122 case CIPHER_R_BAD_DECRYPT: 123 return KM_ERROR_INVALID_ARGUMENT; 124 125 case CIPHER_R_INVALID_KEY_LENGTH: 126 return KM_ERROR_INVALID_KEY_BLOB; 127 128 default: 129 return KM_ERROR_UNKNOWN_ERROR; 130 } 131 } 132 133 keymaster_error_t TranslateASN1Error(int reason) { 134 switch (reason) { 135 #if !defined(OPENSSL_IS_BORINGSSL) 136 case ASN1_R_UNSUPPORTED_CIPHER: 137 return KM_ERROR_UNSUPPORTED_ALGORITHM; 138 139 case ASN1_R_ERROR_LOADING_SECTION: 140 return KM_ERROR_INVALID_KEY_BLOB; 141 #endif 142 143 case ASN1_R_ENCODE_ERROR: 144 return KM_ERROR_INVALID_ARGUMENT; 145 146 default: 147 return KM_ERROR_UNKNOWN_ERROR; 148 } 149 } 150 151 keymaster_error_t TranslateX509v3Error(int reason) { 152 switch (reason) { 153 case X509V3_R_UNKNOWN_OPTION: 154 return KM_ERROR_UNSUPPORTED_ALGORITHM; 155 156 default: 157 return KM_ERROR_UNKNOWN_ERROR; 158 } 159 } 160 161 keymaster_error_t TranslateRsaError(int reason) { 162 switch (reason) { 163 case RSA_R_KEY_SIZE_TOO_SMALL: 164 LOG_W("RSA key is too small to use with selected padding/digest", 0); 165 return KM_ERROR_INCOMPATIBLE_PADDING_MODE; 166 case RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE: 167 case RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE: 168 return KM_ERROR_INVALID_INPUT_LENGTH; 169 case RSA_R_DATA_TOO_LARGE_FOR_MODULUS: 170 case RSA_R_DATA_TOO_LARGE: 171 return KM_ERROR_INVALID_ARGUMENT; 172 default: 173 return KM_ERROR_UNKNOWN_ERROR; 174 }; 175 } 176 177 #endif // OPENSSL_IS_BORINGSSL 178 179 keymaster_error_t TranslateEvpError(int reason) { 180 switch (reason) { 181 182 #if !defined(OPENSSL_IS_BORINGSSL) 183 case EVP_R_UNKNOWN_DIGEST: 184 return KM_ERROR_UNSUPPORTED_DIGEST; 185 186 case EVP_R_UNSUPPORTED_PRF: 187 case EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM: 188 case EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION: 189 case EVP_R_UNSUPPORTED_SALT_TYPE: 190 case EVP_R_UNKNOWN_PBE_ALGORITHM: 191 case EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS: 192 case EVP_R_UNSUPPORTED_CIPHER: 193 case EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE: 194 case EVP_R_UNKNOWN_CIPHER: 195 #endif 196 case EVP_R_UNSUPPORTED_ALGORITHM: 197 case EVP_R_OPERATON_NOT_INITIALIZED: 198 case EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE: 199 return KM_ERROR_UNSUPPORTED_ALGORITHM; 200 201 #if !defined(OPENSSL_IS_BORINGSSL) 202 case EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH: 203 case EVP_R_WRONG_FINAL_BLOCK_LENGTH: 204 return KM_ERROR_INVALID_INPUT_LENGTH; 205 206 case EVP_R_UNSUPPORTED_KEYLENGTH: 207 case EVP_R_BAD_KEY_LENGTH: 208 return KM_ERROR_UNSUPPORTED_KEY_SIZE; 209 #endif 210 211 #if !defined(OPENSSL_IS_BORINGSSL) 212 case EVP_R_BAD_BLOCK_LENGTH: 213 case EVP_R_BN_DECODE_ERROR: 214 case EVP_R_BN_PUBKEY_ERROR: 215 case EVP_R_CIPHER_PARAMETER_ERROR: 216 case EVP_R_ERROR_LOADING_SECTION: 217 case EVP_R_EXPECTING_A_DH_KEY: 218 case EVP_R_EXPECTING_A_ECDSA_KEY: 219 case EVP_R_EXPECTING_A_EC_KEY: 220 case EVP_R_INVALID_DIGEST: 221 case EVP_R_INVALID_KEY_LENGTH: 222 case EVP_R_NO_DSA_PARAMETERS: 223 case EVP_R_PRIVATE_KEY_DECODE_ERROR: 224 case EVP_R_PRIVATE_KEY_ENCODE_ERROR: 225 case EVP_R_PUBLIC_KEY_NOT_RSA: 226 case EVP_R_WRONG_PUBLIC_KEY_TYPE: 227 #endif 228 case EVP_R_BUFFER_TOO_SMALL: 229 case EVP_R_EXPECTING_AN_RSA_KEY: 230 case EVP_R_EXPECTING_A_DSA_KEY: 231 case EVP_R_MISSING_PARAMETERS: 232 return KM_ERROR_INVALID_KEY_BLOB; 233 234 #if !defined(OPENSSL_IS_BORINGSSL) 235 case EVP_R_BAD_DECRYPT: 236 case EVP_R_ENCODE_ERROR: 237 #endif 238 case EVP_R_DIFFERENT_PARAMETERS: 239 case EVP_R_DECODE_ERROR: 240 return KM_ERROR_INVALID_ARGUMENT; 241 242 case EVP_R_DIFFERENT_KEY_TYPES: 243 return KM_ERROR_INCOMPATIBLE_ALGORITHM; 244 } 245 246 return KM_ERROR_UNKNOWN_ERROR; 247 } 248 249 } // namespace keymaster 250