1 /*
2 * Copyright (C) 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "openssl_err.h"
18
19 #include <openssl/err.h>
20 #include <openssl/evp.h>
21
22 #if defined(OPENSSL_IS_BORINGSSL)
23 #include <openssl/asn1.h>
24 #include <openssl/cipher.h>
25 #include <openssl/pkcs8.h>
26 #include <openssl/x509v3.h>
27 #endif
28
29 #include <hardware/keymaster_defs.h>
30 #include <keymaster/logger.h>
31
32 namespace keymaster {
33
34 static keymaster_error_t TranslateEvpError(int reason);
35 #if defined(OPENSSL_IS_BORINGSSL)
36 static keymaster_error_t TranslateASN1Error(int reason);
37 static keymaster_error_t TranslateCipherError(int reason);
38 static keymaster_error_t TranslatePKCS8Error(int reason);
39 static keymaster_error_t TranslateX509v3Error(int reason);
40 static keymaster_error_t TranslateRsaError(int reason);
41 #endif
42
TranslateLastOpenSslError(bool log_message)43 keymaster_error_t TranslateLastOpenSslError(bool log_message) {
44 unsigned long error = ERR_peek_last_error();
45
46 if (log_message) {
47 LOG_D("%s", ERR_error_string(error, NULL));
48 }
49
50 int reason = ERR_GET_REASON(error);
51 switch (ERR_GET_LIB(error)) {
52 case ERR_LIB_USER:
53 return static_cast<keymaster_error_t>(reason);
54 case ERR_LIB_EVP:
55 return TranslateEvpError(reason);
56 #if defined(OPENSSL_IS_BORINGSSL)
57 case ERR_LIB_ASN1:
58 return TranslateASN1Error(reason);
59 case ERR_LIB_CIPHER:
60 return TranslateCipherError(reason);
61 case ERR_LIB_PKCS8:
62 return TranslatePKCS8Error(reason);
63 case ERR_LIB_X509V3:
64 return TranslateX509v3Error(reason);
65 case ERR_LIB_RSA:
66 return TranslateRsaError(reason);
67 #else
68 case ERR_LIB_ASN1:
69 LOG_E("ASN.1 parsing error %d", reason);
70 return KM_ERROR_INVALID_ARGUMENT;
71 #endif
72 }
73
74 LOG_E("Openssl error %d, %d", ERR_GET_LIB(error), reason);
75 return KM_ERROR_UNKNOWN_ERROR;
76 }
77
78 #if defined(OPENSSL_IS_BORINGSSL)
79
TranslatePKCS8Error(int reason)80 keymaster_error_t TranslatePKCS8Error(int reason) {
81 switch (reason) {
82 case PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM:
83 case PKCS8_R_UNKNOWN_CIPHER:
84 return KM_ERROR_UNSUPPORTED_ALGORITHM;
85
86 case PKCS8_R_PRIVATE_KEY_ENCODE_ERROR:
87 case PKCS8_R_PRIVATE_KEY_DECODE_ERROR:
88 return KM_ERROR_INVALID_KEY_BLOB;
89
90 case PKCS8_R_ENCODE_ERROR:
91 return KM_ERROR_INVALID_ARGUMENT;
92
93 default:
94 return KM_ERROR_UNKNOWN_ERROR;
95 }
96 }
97
TranslateCipherError(int reason)98 keymaster_error_t TranslateCipherError(int reason) {
99 switch (reason) {
100 case CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH:
101 case CIPHER_R_WRONG_FINAL_BLOCK_LENGTH:
102 return KM_ERROR_INVALID_INPUT_LENGTH;
103
104 case CIPHER_R_UNSUPPORTED_KEY_SIZE:
105 case CIPHER_R_BAD_KEY_LENGTH:
106 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
107
108 case CIPHER_R_BAD_DECRYPT:
109 return KM_ERROR_INVALID_ARGUMENT;
110
111 case CIPHER_R_INVALID_KEY_LENGTH:
112 return KM_ERROR_INVALID_KEY_BLOB;
113
114 default:
115 return KM_ERROR_UNKNOWN_ERROR;
116 }
117 }
118
TranslateASN1Error(int reason)119 keymaster_error_t TranslateASN1Error(int reason) {
120 switch (reason) {
121 #if !defined(OPENSSL_IS_BORINGSSL)
122 case ASN1_R_UNSUPPORTED_CIPHER:
123 return KM_ERROR_UNSUPPORTED_ALGORITHM;
124
125 case ASN1_R_ERROR_LOADING_SECTION:
126 return KM_ERROR_INVALID_KEY_BLOB;
127 #endif
128
129 case ASN1_R_ENCODE_ERROR:
130 return KM_ERROR_INVALID_ARGUMENT;
131
132 default:
133 return KM_ERROR_UNKNOWN_ERROR;
134 }
135 }
136
TranslateX509v3Error(int reason)137 keymaster_error_t TranslateX509v3Error(int reason) {
138 switch (reason) {
139 case X509V3_R_UNKNOWN_OPTION:
140 return KM_ERROR_UNSUPPORTED_ALGORITHM;
141
142 default:
143 return KM_ERROR_UNKNOWN_ERROR;
144 }
145 }
146
TranslateRsaError(int reason)147 keymaster_error_t TranslateRsaError(int reason) {
148 switch (reason) {
149 case RSA_R_KEY_SIZE_TOO_SMALL:
150 LOG_W("RSA key is too small to use with selected padding/digest", 0);
151 return KM_ERROR_INCOMPATIBLE_PADDING_MODE;
152 case RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE:
153 case RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE:
154 return KM_ERROR_INVALID_INPUT_LENGTH;
155 case RSA_R_DATA_TOO_LARGE_FOR_MODULUS:
156 return KM_ERROR_INVALID_ARGUMENT;
157 default:
158 return KM_ERROR_UNKNOWN_ERROR;
159 };
160 }
161
162 #endif // OPENSSL_IS_BORINGSSL
163
TranslateEvpError(int reason)164 keymaster_error_t TranslateEvpError(int reason) {
165 switch (reason) {
166
167 case EVP_R_UNKNOWN_DIGEST:
168 return KM_ERROR_UNSUPPORTED_DIGEST;
169
170 #if !defined(OPENSSL_IS_BORINGSSL)
171 case EVP_R_UNSUPPORTED_PRF:
172 case EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM:
173 case EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION:
174 case EVP_R_UNSUPPORTED_SALT_TYPE:
175 case EVP_R_UNKNOWN_PBE_ALGORITHM:
176 case EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS:
177 case EVP_R_UNSUPPORTED_CIPHER:
178 case EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE:
179 case EVP_R_UNKNOWN_CIPHER:
180 #endif
181 case EVP_R_UNSUPPORTED_ALGORITHM:
182 case EVP_R_OPERATON_NOT_INITIALIZED:
183 case EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:
184 return KM_ERROR_UNSUPPORTED_ALGORITHM;
185
186 #if !defined(OPENSSL_IS_BORINGSSL)
187 case EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH:
188 case EVP_R_WRONG_FINAL_BLOCK_LENGTH:
189 return KM_ERROR_INVALID_INPUT_LENGTH;
190
191 case EVP_R_UNSUPPORTED_KEYLENGTH:
192 case EVP_R_BAD_KEY_LENGTH:
193 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
194 #endif
195
196 #if !defined(OPENSSL_IS_BORINGSSL)
197 case EVP_R_BAD_BLOCK_LENGTH:
198 case EVP_R_BN_DECODE_ERROR:
199 case EVP_R_BN_PUBKEY_ERROR:
200 case EVP_R_CIPHER_PARAMETER_ERROR:
201 case EVP_R_ERROR_LOADING_SECTION:
202 case EVP_R_EXPECTING_A_ECDSA_KEY:
203 case EVP_R_EXPECTING_A_EC_KEY:
204 case EVP_R_INVALID_DIGEST:
205 case EVP_R_INVALID_KEY_LENGTH:
206 case EVP_R_NO_DSA_PARAMETERS:
207 case EVP_R_PRIVATE_KEY_DECODE_ERROR:
208 case EVP_R_PRIVATE_KEY_ENCODE_ERROR:
209 case EVP_R_PUBLIC_KEY_NOT_RSA:
210 #endif
211 case EVP_R_BUFFER_TOO_SMALL:
212 case EVP_R_EXPECTING_AN_RSA_KEY:
213 case EVP_R_EXPECTING_A_DH_KEY:
214 case EVP_R_EXPECTING_A_DSA_KEY:
215 case EVP_R_MISSING_PARAMETERS:
216 case EVP_R_WRONG_PUBLIC_KEY_TYPE:
217 return KM_ERROR_INVALID_KEY_BLOB;
218
219 #if !defined(OPENSSL_IS_BORINGSSL)
220 case EVP_R_BAD_DECRYPT:
221 case EVP_R_ENCODE_ERROR:
222 #endif
223 case EVP_R_DIFFERENT_PARAMETERS:
224 case EVP_R_DECODE_ERROR:
225 return KM_ERROR_INVALID_ARGUMENT;
226
227 case EVP_R_DIFFERENT_KEY_TYPES:
228 return KM_ERROR_INCOMPATIBLE_ALGORITHM;
229 }
230
231 return KM_ERROR_UNKNOWN_ERROR;
232 }
233
234 } // namespace keymaster
235