1 /*
2  * Copyright (C) 2014 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <keymaster/km_openssl/openssl_err.h>
18 
19 #include <openssl/err.h>
20 #include <openssl/evp.h>
21 
22 #if defined(OPENSSL_IS_BORINGSSL)
23 #include <openssl/asn1.h>
24 #include <openssl/cipher.h>
25 #include <openssl/pkcs8.h>
26 #include <openssl/x509v3.h>
27 #endif
28 
29 #include <hardware/keymaster_defs.h>
30 #include <keymaster/logger.h>
31 
32 namespace keymaster {
33 
34 static keymaster_error_t TranslateEvpError(int reason);
35 #if defined(OPENSSL_IS_BORINGSSL)
36 static keymaster_error_t TranslateASN1Error(int reason);
37 static keymaster_error_t TranslateCipherError(int reason);
38 static keymaster_error_t TranslatePKCS8Error(int reason);
39 static keymaster_error_t TranslateX509v3Error(int reason);
40 static keymaster_error_t TranslateRsaError(int reason);
41 #endif
42 
TranslateLastOpenSslError(bool log_message)43 keymaster_error_t TranslateLastOpenSslError(bool log_message) {
44     unsigned long error = ERR_peek_last_error();
45 
46     if (log_message) {
47         LOG_D("%s", ERR_error_string(error, nullptr));
48     }
49 
50     int reason = ERR_GET_REASON(error);
51 
52     /* Handle global error reasons */
53     switch (reason) {
54     case ERR_R_MALLOC_FAILURE:
55         return KM_ERROR_MEMORY_ALLOCATION_FAILED;
56     case ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED:
57     case ERR_R_PASSED_NULL_PARAMETER:
58     case ERR_R_INTERNAL_ERROR:
59     case ERR_R_OVERFLOW:
60         return KM_ERROR_UNKNOWN_ERROR;
61     default:
62         break;
63     }
64 
65     switch (ERR_GET_LIB(error)) {
66     case ERR_LIB_USER:
67         return static_cast<keymaster_error_t>(reason);
68     case ERR_LIB_EVP:
69         return TranslateEvpError(reason);
70 #if defined(OPENSSL_IS_BORINGSSL)
71     case ERR_LIB_ASN1:
72         return TranslateASN1Error(reason);
73     case ERR_LIB_CIPHER:
74         return TranslateCipherError(reason);
75     case ERR_LIB_PKCS8:
76         return TranslatePKCS8Error(reason);
77     case ERR_LIB_X509V3:
78         return TranslateX509v3Error(reason);
79     case ERR_LIB_RSA:
80         return TranslateRsaError(reason);
81 #else
82     case ERR_LIB_ASN1:
83         LOG_E("ASN.1 parsing error %d", reason);
84         return KM_ERROR_INVALID_ARGUMENT;
85 #endif
86     }
87 
88     LOG_E("Openssl error %d, %d", ERR_GET_LIB(error), reason);
89     return KM_ERROR_UNKNOWN_ERROR;
90 }
91 
92 #if defined(OPENSSL_IS_BORINGSSL)
93 
TranslatePKCS8Error(int reason)94 keymaster_error_t TranslatePKCS8Error(int reason) {
95     switch (reason) {
96     case PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM:
97     case PKCS8_R_UNKNOWN_CIPHER:
98         return KM_ERROR_UNSUPPORTED_ALGORITHM;
99 
100     case PKCS8_R_PRIVATE_KEY_ENCODE_ERROR:
101     case PKCS8_R_PRIVATE_KEY_DECODE_ERROR:
102         return KM_ERROR_INVALID_KEY_BLOB;
103 
104     case PKCS8_R_ENCODE_ERROR:
105         return KM_ERROR_INVALID_ARGUMENT;
106 
107     default:
108         return KM_ERROR_UNKNOWN_ERROR;
109     }
110 }
111 
TranslateCipherError(int reason)112 keymaster_error_t TranslateCipherError(int reason) {
113     switch (reason) {
114     case CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH:
115     case CIPHER_R_WRONG_FINAL_BLOCK_LENGTH:
116         return KM_ERROR_INVALID_INPUT_LENGTH;
117 
118     case CIPHER_R_UNSUPPORTED_KEY_SIZE:
119     case CIPHER_R_BAD_KEY_LENGTH:
120         return KM_ERROR_UNSUPPORTED_KEY_SIZE;
121 
122     case CIPHER_R_BAD_DECRYPT:
123         return KM_ERROR_INVALID_ARGUMENT;
124 
125     case CIPHER_R_INVALID_KEY_LENGTH:
126         return KM_ERROR_INVALID_KEY_BLOB;
127 
128     default:
129         return KM_ERROR_UNKNOWN_ERROR;
130     }
131 }
132 
TranslateASN1Error(int reason)133 keymaster_error_t TranslateASN1Error(int reason) {
134     switch (reason) {
135 #if !defined(OPENSSL_IS_BORINGSSL)
136     case ASN1_R_UNSUPPORTED_CIPHER:
137         return KM_ERROR_UNSUPPORTED_ALGORITHM;
138 
139     case ASN1_R_ERROR_LOADING_SECTION:
140         return KM_ERROR_INVALID_KEY_BLOB;
141 #endif
142 
143     case ASN1_R_ENCODE_ERROR:
144         return KM_ERROR_INVALID_ARGUMENT;
145 
146     default:
147         return KM_ERROR_UNKNOWN_ERROR;
148     }
149 }
150 
TranslateX509v3Error(int reason)151 keymaster_error_t TranslateX509v3Error(int reason) {
152     switch (reason) {
153     case X509V3_R_UNKNOWN_OPTION:
154         return KM_ERROR_UNSUPPORTED_ALGORITHM;
155 
156     default:
157         return KM_ERROR_UNKNOWN_ERROR;
158     }
159 }
160 
TranslateRsaError(int reason)161 keymaster_error_t TranslateRsaError(int reason) {
162     switch (reason) {
163     case RSA_R_KEY_SIZE_TOO_SMALL:
164         LOG_W("RSA key is too small to use with selected padding/digest", 0);
165         return KM_ERROR_INCOMPATIBLE_PADDING_MODE;
166     case RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE:
167     case RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE:
168         return KM_ERROR_INVALID_INPUT_LENGTH;
169     case RSA_R_DATA_TOO_LARGE_FOR_MODULUS:
170     case RSA_R_DATA_TOO_LARGE:
171         return KM_ERROR_INVALID_ARGUMENT;
172     default:
173         return KM_ERROR_UNKNOWN_ERROR;
174     };
175 }
176 
177 #endif  // OPENSSL_IS_BORINGSSL
178 
TranslateEvpError(int reason)179 keymaster_error_t TranslateEvpError(int reason) {
180     switch (reason) {
181 
182 #if !defined(OPENSSL_IS_BORINGSSL)
183     case EVP_R_UNKNOWN_DIGEST:
184         return KM_ERROR_UNSUPPORTED_DIGEST;
185 
186     case EVP_R_UNSUPPORTED_PRF:
187     case EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM:
188     case EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION:
189     case EVP_R_UNSUPPORTED_SALT_TYPE:
190     case EVP_R_UNKNOWN_PBE_ALGORITHM:
191     case EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS:
192     case EVP_R_UNSUPPORTED_CIPHER:
193     case EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE:
194     case EVP_R_UNKNOWN_CIPHER:
195 #endif
196     case EVP_R_UNSUPPORTED_ALGORITHM:
197     case EVP_R_OPERATON_NOT_INITIALIZED:
198     case EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:
199         return KM_ERROR_UNSUPPORTED_ALGORITHM;
200 
201 #if !defined(OPENSSL_IS_BORINGSSL)
202     case EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH:
203     case EVP_R_WRONG_FINAL_BLOCK_LENGTH:
204         return KM_ERROR_INVALID_INPUT_LENGTH;
205 
206     case EVP_R_UNSUPPORTED_KEYLENGTH:
207     case EVP_R_BAD_KEY_LENGTH:
208         return KM_ERROR_UNSUPPORTED_KEY_SIZE;
209 #endif
210 
211 #if !defined(OPENSSL_IS_BORINGSSL)
212     case EVP_R_BAD_BLOCK_LENGTH:
213     case EVP_R_BN_DECODE_ERROR:
214     case EVP_R_BN_PUBKEY_ERROR:
215     case EVP_R_CIPHER_PARAMETER_ERROR:
216     case EVP_R_ERROR_LOADING_SECTION:
217     case EVP_R_EXPECTING_A_DH_KEY:
218     case EVP_R_EXPECTING_A_ECDSA_KEY:
219     case EVP_R_EXPECTING_A_EC_KEY:
220     case EVP_R_INVALID_DIGEST:
221     case EVP_R_INVALID_KEY_LENGTH:
222     case EVP_R_NO_DSA_PARAMETERS:
223     case EVP_R_PRIVATE_KEY_DECODE_ERROR:
224     case EVP_R_PRIVATE_KEY_ENCODE_ERROR:
225     case EVP_R_PUBLIC_KEY_NOT_RSA:
226     case EVP_R_WRONG_PUBLIC_KEY_TYPE:
227 #endif
228     case EVP_R_BUFFER_TOO_SMALL:
229     case EVP_R_EXPECTING_AN_RSA_KEY:
230     case EVP_R_EXPECTING_A_DSA_KEY:
231     case EVP_R_MISSING_PARAMETERS:
232         return KM_ERROR_INVALID_KEY_BLOB;
233 
234 #if !defined(OPENSSL_IS_BORINGSSL)
235     case EVP_R_BAD_DECRYPT:
236     case EVP_R_ENCODE_ERROR:
237 #endif
238     case EVP_R_DIFFERENT_PARAMETERS:
239     case EVP_R_DECODE_ERROR:
240         return KM_ERROR_INVALID_ARGUMENT;
241 
242     case EVP_R_DIFFERENT_KEY_TYPES:
243         return KM_ERROR_INCOMPATIBLE_ALGORITHM;
244     }
245 
246     return KM_ERROR_UNKNOWN_ERROR;
247 }
248 
249 }  // namespace keymaster
250