1 /*
2 * Copyright (C) 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <keymaster/km_openssl/openssl_err.h>
18
19 #include <openssl/err.h>
20 #include <openssl/evp.h>
21
22 #if defined(OPENSSL_IS_BORINGSSL)
23 #include <openssl/asn1.h>
24 #include <openssl/cipher.h>
25 #include <openssl/pkcs8.h>
26 #include <openssl/x509v3.h>
27 #endif
28
29 #include <hardware/keymaster_defs.h>
30 #include <keymaster/logger.h>
31
32 namespace keymaster {
33
34 static keymaster_error_t TranslateEvpError(int reason);
35 #if defined(OPENSSL_IS_BORINGSSL)
36 static keymaster_error_t TranslateASN1Error(int reason);
37 static keymaster_error_t TranslateCipherError(int reason);
38 static keymaster_error_t TranslatePKCS8Error(int reason);
39 static keymaster_error_t TranslateX509v3Error(int reason);
40 static keymaster_error_t TranslateRsaError(int reason);
41 #endif
42
TranslateLastOpenSslError(bool log_message)43 keymaster_error_t TranslateLastOpenSslError(bool log_message) {
44 uint32_t error = ERR_peek_last_error();
45
46 if (log_message) {
47 char buf[128];
48 ERR_error_string_n(error, buf, sizeof(buf));
49 LOG_D("%s", buf);
50 }
51
52 int reason = ERR_GET_REASON(error);
53
54 /* Handle global error reasons */
55 switch (reason) {
56 case ERR_R_MALLOC_FAILURE:
57 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
58 case ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED:
59 case ERR_R_PASSED_NULL_PARAMETER:
60 case ERR_R_INTERNAL_ERROR:
61 case ERR_R_OVERFLOW:
62 return KM_ERROR_UNKNOWN_ERROR;
63 default:
64 break;
65 }
66
67 switch (ERR_GET_LIB(error)) {
68 case ERR_LIB_USER:
69 return static_cast<keymaster_error_t>(reason);
70 case ERR_LIB_EVP:
71 return TranslateEvpError(reason);
72 #if defined(OPENSSL_IS_BORINGSSL)
73 case ERR_LIB_ASN1:
74 return TranslateASN1Error(reason);
75 case ERR_LIB_CIPHER:
76 return TranslateCipherError(reason);
77 case ERR_LIB_PKCS8:
78 return TranslatePKCS8Error(reason);
79 case ERR_LIB_X509V3:
80 return TranslateX509v3Error(reason);
81 case ERR_LIB_RSA:
82 return TranslateRsaError(reason);
83 #else
84 case ERR_LIB_ASN1:
85 LOG_E("ASN.1 parsing error %d", reason);
86 return KM_ERROR_INVALID_ARGUMENT;
87 #endif
88 }
89
90 LOG_E("Openssl error %d, %d", ERR_GET_LIB(error), reason);
91 return KM_ERROR_UNKNOWN_ERROR;
92 }
93
94 #if defined(OPENSSL_IS_BORINGSSL)
95
TranslatePKCS8Error(int reason)96 keymaster_error_t TranslatePKCS8Error(int reason) {
97 switch (reason) {
98 case PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM:
99 case PKCS8_R_UNKNOWN_CIPHER:
100 return KM_ERROR_UNSUPPORTED_ALGORITHM;
101
102 case PKCS8_R_PRIVATE_KEY_ENCODE_ERROR:
103 case PKCS8_R_PRIVATE_KEY_DECODE_ERROR:
104 return KM_ERROR_INVALID_KEY_BLOB;
105
106 case PKCS8_R_ENCODE_ERROR:
107 return KM_ERROR_INVALID_ARGUMENT;
108
109 default:
110 return KM_ERROR_UNKNOWN_ERROR;
111 }
112 }
113
TranslateCipherError(int reason)114 keymaster_error_t TranslateCipherError(int reason) {
115 switch (reason) {
116 case CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH:
117 case CIPHER_R_WRONG_FINAL_BLOCK_LENGTH:
118 return KM_ERROR_INVALID_INPUT_LENGTH;
119
120 case CIPHER_R_UNSUPPORTED_KEY_SIZE:
121 case CIPHER_R_BAD_KEY_LENGTH:
122 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
123
124 case CIPHER_R_BAD_DECRYPT:
125 return KM_ERROR_INVALID_ARGUMENT;
126
127 case CIPHER_R_INVALID_KEY_LENGTH:
128 return KM_ERROR_INVALID_KEY_BLOB;
129
130 default:
131 return KM_ERROR_UNKNOWN_ERROR;
132 }
133 }
134
TranslateASN1Error(int reason)135 keymaster_error_t TranslateASN1Error(int reason) {
136 switch (reason) {
137 #if !defined(OPENSSL_IS_BORINGSSL)
138 case ASN1_R_UNSUPPORTED_CIPHER:
139 return KM_ERROR_UNSUPPORTED_ALGORITHM;
140
141 case ASN1_R_ERROR_LOADING_SECTION:
142 return KM_ERROR_INVALID_KEY_BLOB;
143 #endif
144
145 case ASN1_R_ENCODE_ERROR:
146 return KM_ERROR_INVALID_ARGUMENT;
147
148 default:
149 return KM_ERROR_UNKNOWN_ERROR;
150 }
151 }
152
TranslateX509v3Error(int reason)153 keymaster_error_t TranslateX509v3Error(int reason) {
154 switch (reason) {
155 case X509V3_R_UNKNOWN_OPTION:
156 return KM_ERROR_UNSUPPORTED_ALGORITHM;
157
158 default:
159 return KM_ERROR_UNKNOWN_ERROR;
160 }
161 }
162
TranslateRsaError(int reason)163 keymaster_error_t TranslateRsaError(int reason) {
164 switch (reason) {
165 case RSA_R_KEY_SIZE_TOO_SMALL:
166 LOG_W("RSA key is too small to use with selected padding/digest", 0);
167 return KM_ERROR_INCOMPATIBLE_PADDING_MODE;
168 case RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE:
169 case RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE:
170 return KM_ERROR_INVALID_INPUT_LENGTH;
171 case RSA_R_DATA_TOO_LARGE_FOR_MODULUS:
172 case RSA_R_DATA_TOO_LARGE:
173 return KM_ERROR_INVALID_ARGUMENT;
174 default:
175 return KM_ERROR_UNKNOWN_ERROR;
176 };
177 }
178
179 #endif // OPENSSL_IS_BORINGSSL
180
TranslateEvpError(int reason)181 keymaster_error_t TranslateEvpError(int reason) {
182 switch (reason) {
183
184 #if !defined(OPENSSL_IS_BORINGSSL)
185 case EVP_R_UNKNOWN_DIGEST:
186 return KM_ERROR_UNSUPPORTED_DIGEST;
187
188 case EVP_R_UNSUPPORTED_PRF:
189 case EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM:
190 case EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION:
191 case EVP_R_UNSUPPORTED_SALT_TYPE:
192 case EVP_R_UNKNOWN_PBE_ALGORITHM:
193 case EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS:
194 case EVP_R_UNSUPPORTED_CIPHER:
195 case EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE:
196 case EVP_R_UNKNOWN_CIPHER:
197 #endif
198 case EVP_R_UNSUPPORTED_ALGORITHM:
199 case EVP_R_OPERATON_NOT_INITIALIZED:
200 case EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:
201 return KM_ERROR_UNSUPPORTED_ALGORITHM;
202
203 #if !defined(OPENSSL_IS_BORINGSSL)
204 case EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH:
205 case EVP_R_WRONG_FINAL_BLOCK_LENGTH:
206 return KM_ERROR_INVALID_INPUT_LENGTH;
207
208 case EVP_R_UNSUPPORTED_KEYLENGTH:
209 case EVP_R_BAD_KEY_LENGTH:
210 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
211 #endif
212
213 #if !defined(OPENSSL_IS_BORINGSSL)
214 case EVP_R_BAD_BLOCK_LENGTH:
215 case EVP_R_BN_DECODE_ERROR:
216 case EVP_R_BN_PUBKEY_ERROR:
217 case EVP_R_CIPHER_PARAMETER_ERROR:
218 case EVP_R_ERROR_LOADING_SECTION:
219 case EVP_R_EXPECTING_A_DH_KEY:
220 case EVP_R_EXPECTING_A_ECDSA_KEY:
221 case EVP_R_EXPECTING_A_EC_KEY:
222 case EVP_R_INVALID_DIGEST:
223 case EVP_R_INVALID_KEY_LENGTH:
224 case EVP_R_NO_DSA_PARAMETERS:
225 case EVP_R_PRIVATE_KEY_DECODE_ERROR:
226 case EVP_R_PRIVATE_KEY_ENCODE_ERROR:
227 case EVP_R_PUBLIC_KEY_NOT_RSA:
228 case EVP_R_WRONG_PUBLIC_KEY_TYPE:
229 #endif
230 case EVP_R_BUFFER_TOO_SMALL:
231 case EVP_R_EXPECTING_AN_RSA_KEY:
232 case EVP_R_EXPECTING_A_DSA_KEY:
233 case EVP_R_MISSING_PARAMETERS:
234 return KM_ERROR_INVALID_KEY_BLOB;
235
236 #if !defined(OPENSSL_IS_BORINGSSL)
237 case EVP_R_BAD_DECRYPT:
238 case EVP_R_ENCODE_ERROR:
239 #endif
240 case EVP_R_DIFFERENT_PARAMETERS:
241 case EVP_R_DECODE_ERROR:
242 return KM_ERROR_INVALID_ARGUMENT;
243
244 case EVP_R_DIFFERENT_KEY_TYPES:
245 return KM_ERROR_INCOMPATIBLE_ALGORITHM;
246 }
247
248 return KM_ERROR_UNKNOWN_ERROR;
249 }
250
251 } // namespace keymaster
252