1 /*
2 * Copyright (C) 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "openssl_err.h"
18
19 #include <openssl/err.h>
20 #include <openssl/evp.h>
21
22 #if defined(OPENSSL_IS_BORINGSSL)
23 #include <openssl/asn1.h>
24 #include <openssl/cipher.h>
25 #include <openssl/pkcs8.h>
26 #include <openssl/x509v3.h>
27 #endif
28
29 #include <hardware/keymaster_defs.h>
30 #include <keymaster/logger.h>
31
32 namespace keymaster {
33
34 static keymaster_error_t TranslateEvpError(int reason);
35 #if defined(OPENSSL_IS_BORINGSSL)
36 static keymaster_error_t TranslateASN1Error(int reason);
37 static keymaster_error_t TranslateCipherError(int reason);
38 static keymaster_error_t TranslatePKCS8Error(int reason);
39 static keymaster_error_t TranslateX509v3Error(int reason);
40 static keymaster_error_t TranslateRsaError(int reason);
41 #endif
42
TranslateLastOpenSslError(bool log_message)43 keymaster_error_t TranslateLastOpenSslError(bool log_message) {
44 unsigned long error = ERR_peek_last_error();
45
46 if (log_message) {
47 LOG_D("%s", ERR_error_string(error, NULL));
48 }
49
50 int reason = ERR_GET_REASON(error);
51
52 /* Handle global error reasons */
53 switch (reason) {
54 case ERR_R_MALLOC_FAILURE:
55 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
56 case ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED:
57 case ERR_R_PASSED_NULL_PARAMETER:
58 case ERR_R_INTERNAL_ERROR:
59 case ERR_R_OVERFLOW:
60 return KM_ERROR_UNKNOWN_ERROR;
61 default:
62 break;
63 }
64
65 switch (ERR_GET_LIB(error)) {
66 case ERR_LIB_USER:
67 return static_cast<keymaster_error_t>(reason);
68 case ERR_LIB_EVP:
69 return TranslateEvpError(reason);
70 #if defined(OPENSSL_IS_BORINGSSL)
71 case ERR_LIB_ASN1:
72 return TranslateASN1Error(reason);
73 case ERR_LIB_CIPHER:
74 return TranslateCipherError(reason);
75 case ERR_LIB_PKCS8:
76 return TranslatePKCS8Error(reason);
77 case ERR_LIB_X509V3:
78 return TranslateX509v3Error(reason);
79 case ERR_LIB_RSA:
80 return TranslateRsaError(reason);
81 #else
82 case ERR_LIB_ASN1:
83 LOG_E("ASN.1 parsing error %d", reason);
84 return KM_ERROR_INVALID_ARGUMENT;
85 #endif
86 }
87
88 LOG_E("Openssl error %d, %d", ERR_GET_LIB(error), reason);
89 return KM_ERROR_UNKNOWN_ERROR;
90 }
91
92 #if defined(OPENSSL_IS_BORINGSSL)
93
TranslatePKCS8Error(int reason)94 keymaster_error_t TranslatePKCS8Error(int reason) {
95 switch (reason) {
96 case PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM:
97 case PKCS8_R_UNKNOWN_CIPHER:
98 return KM_ERROR_UNSUPPORTED_ALGORITHM;
99
100 case PKCS8_R_PRIVATE_KEY_ENCODE_ERROR:
101 case PKCS8_R_PRIVATE_KEY_DECODE_ERROR:
102 return KM_ERROR_INVALID_KEY_BLOB;
103
104 case PKCS8_R_ENCODE_ERROR:
105 return KM_ERROR_INVALID_ARGUMENT;
106
107 default:
108 return KM_ERROR_UNKNOWN_ERROR;
109 }
110 }
111
TranslateCipherError(int reason)112 keymaster_error_t TranslateCipherError(int reason) {
113 switch (reason) {
114 case CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH:
115 case CIPHER_R_WRONG_FINAL_BLOCK_LENGTH:
116 return KM_ERROR_INVALID_INPUT_LENGTH;
117
118 case CIPHER_R_UNSUPPORTED_KEY_SIZE:
119 case CIPHER_R_BAD_KEY_LENGTH:
120 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
121
122 case CIPHER_R_BAD_DECRYPT:
123 return KM_ERROR_INVALID_ARGUMENT;
124
125 case CIPHER_R_INVALID_KEY_LENGTH:
126 return KM_ERROR_INVALID_KEY_BLOB;
127
128 default:
129 return KM_ERROR_UNKNOWN_ERROR;
130 }
131 }
132
TranslateASN1Error(int reason)133 keymaster_error_t TranslateASN1Error(int reason) {
134 switch (reason) {
135 #if !defined(OPENSSL_IS_BORINGSSL)
136 case ASN1_R_UNSUPPORTED_CIPHER:
137 return KM_ERROR_UNSUPPORTED_ALGORITHM;
138
139 case ASN1_R_ERROR_LOADING_SECTION:
140 return KM_ERROR_INVALID_KEY_BLOB;
141 #endif
142
143 case ASN1_R_ENCODE_ERROR:
144 return KM_ERROR_INVALID_ARGUMENT;
145
146 default:
147 return KM_ERROR_UNKNOWN_ERROR;
148 }
149 }
150
TranslateX509v3Error(int reason)151 keymaster_error_t TranslateX509v3Error(int reason) {
152 switch (reason) {
153 case X509V3_R_UNKNOWN_OPTION:
154 return KM_ERROR_UNSUPPORTED_ALGORITHM;
155
156 default:
157 return KM_ERROR_UNKNOWN_ERROR;
158 }
159 }
160
TranslateRsaError(int reason)161 keymaster_error_t TranslateRsaError(int reason) {
162 switch (reason) {
163 case RSA_R_KEY_SIZE_TOO_SMALL:
164 LOG_W("RSA key is too small to use with selected padding/digest", 0);
165 return KM_ERROR_INCOMPATIBLE_PADDING_MODE;
166 case RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE:
167 case RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE:
168 return KM_ERROR_INVALID_INPUT_LENGTH;
169 case RSA_R_DATA_TOO_LARGE_FOR_MODULUS:
170 return KM_ERROR_INVALID_ARGUMENT;
171 default:
172 return KM_ERROR_UNKNOWN_ERROR;
173 };
174 }
175
176 #endif // OPENSSL_IS_BORINGSSL
177
TranslateEvpError(int reason)178 keymaster_error_t TranslateEvpError(int reason) {
179 switch (reason) {
180
181 case EVP_R_UNKNOWN_DIGEST:
182 return KM_ERROR_UNSUPPORTED_DIGEST;
183
184 #if !defined(OPENSSL_IS_BORINGSSL)
185 case EVP_R_UNSUPPORTED_PRF:
186 case EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM:
187 case EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION:
188 case EVP_R_UNSUPPORTED_SALT_TYPE:
189 case EVP_R_UNKNOWN_PBE_ALGORITHM:
190 case EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS:
191 case EVP_R_UNSUPPORTED_CIPHER:
192 case EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE:
193 case EVP_R_UNKNOWN_CIPHER:
194 #endif
195 case EVP_R_UNSUPPORTED_ALGORITHM:
196 case EVP_R_OPERATON_NOT_INITIALIZED:
197 case EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:
198 return KM_ERROR_UNSUPPORTED_ALGORITHM;
199
200 #if !defined(OPENSSL_IS_BORINGSSL)
201 case EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH:
202 case EVP_R_WRONG_FINAL_BLOCK_LENGTH:
203 return KM_ERROR_INVALID_INPUT_LENGTH;
204
205 case EVP_R_UNSUPPORTED_KEYLENGTH:
206 case EVP_R_BAD_KEY_LENGTH:
207 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
208 #endif
209
210 #if !defined(OPENSSL_IS_BORINGSSL)
211 case EVP_R_BAD_BLOCK_LENGTH:
212 case EVP_R_BN_DECODE_ERROR:
213 case EVP_R_BN_PUBKEY_ERROR:
214 case EVP_R_CIPHER_PARAMETER_ERROR:
215 case EVP_R_ERROR_LOADING_SECTION:
216 case EVP_R_EXPECTING_A_ECDSA_KEY:
217 case EVP_R_EXPECTING_A_EC_KEY:
218 case EVP_R_INVALID_DIGEST:
219 case EVP_R_INVALID_KEY_LENGTH:
220 case EVP_R_NO_DSA_PARAMETERS:
221 case EVP_R_PRIVATE_KEY_DECODE_ERROR:
222 case EVP_R_PRIVATE_KEY_ENCODE_ERROR:
223 case EVP_R_PUBLIC_KEY_NOT_RSA:
224 #endif
225 case EVP_R_BUFFER_TOO_SMALL:
226 case EVP_R_EXPECTING_AN_RSA_KEY:
227 case EVP_R_EXPECTING_A_DH_KEY:
228 case EVP_R_EXPECTING_A_DSA_KEY:
229 case EVP_R_MISSING_PARAMETERS:
230 case EVP_R_WRONG_PUBLIC_KEY_TYPE:
231 return KM_ERROR_INVALID_KEY_BLOB;
232
233 #if !defined(OPENSSL_IS_BORINGSSL)
234 case EVP_R_BAD_DECRYPT:
235 case EVP_R_ENCODE_ERROR:
236 #endif
237 case EVP_R_DIFFERENT_PARAMETERS:
238 case EVP_R_DECODE_ERROR:
239 return KM_ERROR_INVALID_ARGUMENT;
240
241 case EVP_R_DIFFERENT_KEY_TYPES:
242 return KM_ERROR_INCOMPATIBLE_ALGORITHM;
243 }
244
245 return KM_ERROR_UNKNOWN_ERROR;
246 }
247
248 } // namespace keymaster
249