1 /* 2 * Copyright (C) 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include "openssl_err.h" 18 19 #include <openssl/err.h> 20 #include <openssl/evp.h> 21 22 #if defined(OPENSSL_IS_BORINGSSL) 23 #include <openssl/asn1.h> 24 #include <openssl/cipher.h> 25 #include <openssl/pkcs8.h> 26 #include <openssl/x509v3.h> 27 #endif 28 29 #include <hardware/keymaster_defs.h> 30 #include <keymaster/logger.h> 31 32 namespace keymaster { 33 34 static keymaster_error_t TranslateEvpError(int reason); 35 #if defined(OPENSSL_IS_BORINGSSL) 36 static keymaster_error_t TranslateASN1Error(int reason); 37 static keymaster_error_t TranslateCipherError(int reason); 38 static keymaster_error_t TranslatePKCS8Error(int reason); 39 static keymaster_error_t TranslateX509v3Error(int reason); 40 static keymaster_error_t TranslateRsaError(int reason); 41 #endif 42 43 keymaster_error_t TranslateLastOpenSslError(bool log_message) { 44 unsigned long error = ERR_peek_last_error(); 45 46 if (log_message) { 47 LOG_D("%s", ERR_error_string(error, NULL)); 48 } 49 50 int reason = ERR_GET_REASON(error); 51 switch (ERR_GET_LIB(error)) { 52 53 case ERR_LIB_EVP: 54 return TranslateEvpError(reason); 55 #if defined(OPENSSL_IS_BORINGSSL) 56 case ERR_LIB_ASN1: 57 return TranslateASN1Error(reason); 58 case ERR_LIB_CIPHER: 59 return TranslateCipherError(reason); 60 case ERR_LIB_PKCS8: 61 return TranslatePKCS8Error(reason); 62 case ERR_LIB_X509V3: 63 return TranslateX509v3Error(reason); 64 case ERR_LIB_RSA: 65 return TranslateRsaError(reason); 66 #else 67 case ERR_LIB_ASN1: 68 LOG_E("ASN.1 parsing error %d", reason); 69 return KM_ERROR_INVALID_ARGUMENT; 70 #endif 71 } 72 73 LOG_E("Openssl error %d, %d", ERR_GET_LIB(error), reason); 74 return KM_ERROR_UNKNOWN_ERROR; 75 } 76 77 #if defined(OPENSSL_IS_BORINGSSL) 78 79 keymaster_error_t TranslatePKCS8Error(int reason) { 80 switch (reason) { 81 case PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM: 82 case PKCS8_R_UNKNOWN_CIPHER: 83 return KM_ERROR_UNSUPPORTED_ALGORITHM; 84 85 case PKCS8_R_PRIVATE_KEY_ENCODE_ERROR: 86 case PKCS8_R_PRIVATE_KEY_DECODE_ERROR: 87 return KM_ERROR_INVALID_KEY_BLOB; 88 89 case PKCS8_R_ENCODE_ERROR: 90 return KM_ERROR_INVALID_ARGUMENT; 91 92 default: 93 return KM_ERROR_UNKNOWN_ERROR; 94 } 95 } 96 97 keymaster_error_t TranslateCipherError(int reason) { 98 switch (reason) { 99 case CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH: 100 case CIPHER_R_WRONG_FINAL_BLOCK_LENGTH: 101 return KM_ERROR_INVALID_INPUT_LENGTH; 102 103 case CIPHER_R_UNSUPPORTED_KEY_SIZE: 104 case CIPHER_R_BAD_KEY_LENGTH: 105 return KM_ERROR_UNSUPPORTED_KEY_SIZE; 106 107 case CIPHER_R_BAD_DECRYPT: 108 return KM_ERROR_INVALID_ARGUMENT; 109 110 case CIPHER_R_INVALID_KEY_LENGTH: 111 return KM_ERROR_INVALID_KEY_BLOB; 112 113 default: 114 return KM_ERROR_UNKNOWN_ERROR; 115 } 116 } 117 118 keymaster_error_t TranslateASN1Error(int reason) { 119 switch (reason) { 120 #if !defined(OPENSSL_IS_BORINGSSL) 121 case ASN1_R_UNSUPPORTED_CIPHER: 122 return KM_ERROR_UNSUPPORTED_ALGORITHM; 123 124 case ASN1_R_ERROR_LOADING_SECTION: 125 return KM_ERROR_INVALID_KEY_BLOB; 126 #endif 127 128 case ASN1_R_ENCODE_ERROR: 129 return KM_ERROR_INVALID_ARGUMENT; 130 131 default: 132 return KM_ERROR_UNKNOWN_ERROR; 133 } 134 } 135 136 keymaster_error_t TranslateX509v3Error(int reason) { 137 switch (reason) { 138 case X509V3_R_UNKNOWN_OPTION: 139 return KM_ERROR_UNSUPPORTED_ALGORITHM; 140 141 default: 142 return KM_ERROR_UNKNOWN_ERROR; 143 } 144 } 145 146 keymaster_error_t TranslateRsaError(int reason) { 147 switch (reason) { 148 case RSA_R_KEY_SIZE_TOO_SMALL: 149 LOG_W("RSA key is too small to use with selected padding/digest", 0); 150 return KM_ERROR_INCOMPATIBLE_PADDING_MODE; 151 case RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE: 152 case RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE: 153 return KM_ERROR_INVALID_INPUT_LENGTH; 154 case RSA_R_DATA_TOO_LARGE_FOR_MODULUS: 155 return KM_ERROR_INVALID_ARGUMENT; 156 default: 157 return KM_ERROR_UNKNOWN_ERROR; 158 }; 159 } 160 161 #endif // OPENSSL_IS_BORINGSSL 162 163 keymaster_error_t TranslateEvpError(int reason) { 164 switch (reason) { 165 166 case EVP_R_UNKNOWN_DIGEST: 167 return KM_ERROR_UNSUPPORTED_DIGEST; 168 169 #if !defined(OPENSSL_IS_BORINGSSL) 170 case EVP_R_UNSUPPORTED_PRF: 171 case EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM: 172 case EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION: 173 case EVP_R_UNSUPPORTED_SALT_TYPE: 174 case EVP_R_UNKNOWN_PBE_ALGORITHM: 175 case EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS: 176 case EVP_R_UNSUPPORTED_CIPHER: 177 case EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE: 178 case EVP_R_UNKNOWN_CIPHER: 179 #endif 180 case EVP_R_UNSUPPORTED_ALGORITHM: 181 case EVP_R_OPERATON_NOT_INITIALIZED: 182 case EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE: 183 return KM_ERROR_UNSUPPORTED_ALGORITHM; 184 185 #if !defined(OPENSSL_IS_BORINGSSL) 186 case EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH: 187 case EVP_R_WRONG_FINAL_BLOCK_LENGTH: 188 return KM_ERROR_INVALID_INPUT_LENGTH; 189 190 case EVP_R_UNSUPPORTED_KEYLENGTH: 191 case EVP_R_BAD_KEY_LENGTH: 192 return KM_ERROR_UNSUPPORTED_KEY_SIZE; 193 #endif 194 195 #if !defined(OPENSSL_IS_BORINGSSL) 196 case EVP_R_BAD_BLOCK_LENGTH: 197 case EVP_R_BN_DECODE_ERROR: 198 case EVP_R_BN_PUBKEY_ERROR: 199 case EVP_R_CIPHER_PARAMETER_ERROR: 200 case EVP_R_ERROR_LOADING_SECTION: 201 case EVP_R_EXPECTING_A_ECDSA_KEY: 202 case EVP_R_EXPECTING_A_EC_KEY: 203 case EVP_R_INVALID_DIGEST: 204 case EVP_R_INVALID_KEY_LENGTH: 205 case EVP_R_NO_DSA_PARAMETERS: 206 case EVP_R_PRIVATE_KEY_DECODE_ERROR: 207 case EVP_R_PRIVATE_KEY_ENCODE_ERROR: 208 case EVP_R_PUBLIC_KEY_NOT_RSA: 209 #endif 210 case EVP_R_BUFFER_TOO_SMALL: 211 case EVP_R_EXPECTING_AN_RSA_KEY: 212 case EVP_R_EXPECTING_A_DH_KEY: 213 case EVP_R_EXPECTING_A_DSA_KEY: 214 case EVP_R_MISSING_PARAMETERS: 215 case EVP_R_WRONG_PUBLIC_KEY_TYPE: 216 return KM_ERROR_INVALID_KEY_BLOB; 217 218 #if !defined(OPENSSL_IS_BORINGSSL) 219 case EVP_R_BAD_DECRYPT: 220 case EVP_R_ENCODE_ERROR: 221 #endif 222 case EVP_R_DIFFERENT_PARAMETERS: 223 case EVP_R_DECODE_ERROR: 224 return KM_ERROR_INVALID_ARGUMENT; 225 226 case EVP_R_DIFFERENT_KEY_TYPES: 227 return KM_ERROR_INCOMPATIBLE_ALGORITHM; 228 } 229 230 return KM_ERROR_UNKNOWN_ERROR; 231 } 232 233 } // namespace keymaster 234