android_system_keymaster/openssl_err.cpp, branch cm-13.0 Unnamed repository; edit this file 'description' to name the repository. Return correct error from keymaster0engine for large RSA input 2015-11-03T22:35:22+00:00 Shawn Willden swillden@google.com 2015-10-23T16:11:40+00:00 39ba76dc0fd9f516d8bcd76cf2d6251206316811 Also, ensure that we always put some error on the OpenSSL error queue whenever a wrapped keymaster0 operation fails. Higher layers will look a the last entry on the queue and use it to determine what error code to return. Not putting any error on the queue means that those higher layers will get whatever error was last enqueued, making the result effectively random. Non-determinism bad. (cherry-picked from commit 22d2355b7edc470949c163e47ba8e837a1a87f47) Bug: 25337630 Change-Id: I701ab735dd089f5258b2252f543906d9f3baa7a2 
Also, ensure that we always put some error on the OpenSSL error queue
whenever a wrapped keymaster0 operation fails.  Higher layers will look
a the last entry on the queue and use it to determine what error code to
return.  Not putting any error on the queue means that those higher
layers will get whatever error was last enqueued, making the result
effectively random.  Non-determinism bad.

(cherry-picked from commit 22d2355b7edc470949c163e47ba8e837a1a87f47)

Bug: 25337630
Change-Id: I701ab735dd089f5258b2252f543906d9f3baa7a2
Left-pad messages when doing "unpadded" RSA operations. 2015-07-30T16:37:34+00:00 Shawn Willden swillden@google.com 2015-07-29T22:43:17+00:00 c0a63805e4f21e46cc533ec0938306ca997c9a2d When RSA messages that are shorter than the key size, and padding is not applied, BoringSSL (sensbibly) refuses, because odds are very high that the caller is doing something dumb. However, this causes some (dumb) things that used to work to no longer work. This CL also fixes the error code returned when a message is signed or encrypted which is the same length as the public modulus but is numerically larger than or equal to the public modulus. Rather than KM_ERROR_UNKNOWN_ERROR, it now returns KM_ERROR_INVALID_ARGUMENT. Bug: 22599805 Change-Id: I99aca5516b092f3676ffdc6c5de39f2777e3d275 
When RSA messages that are shorter than the key size, and padding is not
applied, BoringSSL (sensbibly) refuses, because odds are very high that
the caller is doing something dumb.  However, this causes some (dumb)
things that used to work to no longer work.

This CL also fixes the error code returned when a message is signed or
encrypted which is the same length as the public modulus but is
numerically larger than or equal to the public modulus.  Rather than
KM_ERROR_UNKNOWN_ERROR, it now returns KM_ERROR_INVALID_ARGUMENT.

Bug: 22599805
Change-Id: I99aca5516b092f3676ffdc6c5de39f2777e3d275
Use specified digest for RSA OAEP. 2015-07-14T16:48:29+00:00 Shawn Willden swillden@google.com 2015-07-10T20:03:14+00:00 7d05d88dc44b18e0350f7fe8d28c20f2f643bb80 Bug: 22405614 Change-Id: Ia5eb67a571a9d46acca4b4e708bb8178bd3acd0d 
Bug: 22405614
Change-Id: Ia5eb67a571a9d46acca4b4e708bb8178bd3acd0d
Support all digests for RSA. 2015-06-01T14:42:05+00:00 Shawn Willden swillden@google.com 2015-06-01T13:33:51+00:00 2bf4ad32f195bd734e4d7e7d4ac52c051f182fbf Also switch to using the EVP APIs where possible for RSA ops. Change-Id: I092a5c7598073980d36ce5137cfe17f0499a10b9 
Also switch to using the EVP APIs where possible for RSA ops.

Change-Id: I092a5c7598073980d36ce5137cfe17f0499a10b9
keymaster: support building with tip-of-tree BoringSSL. 2015-05-09T14:27:34+00:00 Adam Langley agl@google.com 2015-04-28T20:20:52+00:00 c3326552d973ce34f0f3138333a05a4a1865a699 Change-Id: Ie9bcbcb33f7904fbffef9dee4f5b4203b1d8f888 (cherry picked from commit b17720bd6675de8d3925ea7fb2ea5c7a8f773ac4) 
Change-Id: Ie9bcbcb33f7904fbffef9dee4f5b4203b1d8f888
(cherry picked from commit b17720bd6675de8d3925ea7fb2ea5c7a8f773ac4)
Revert "Remove compatibility with OpenSSL." 2015-05-09T12:48:36+00:00 Shawn Willden swillden@google.com 2015-05-09T12:48:36+00:00 d79791b0c7123b3fc5db61a0805d7593f19ca8d9 This created a build breakage in Trusty, and so was reverted in AOSP. Reverting here to sync. This reverts commit de4ffa99837df492faca1ded33b14446c4a5c9be. Change-Id: I80ffcb8f432e4af849aae49f40d313dd475d47fc 
This created a build breakage in Trusty, and so was reverted in AOSP.  Reverting here to sync.

This reverts commit de4ffa99837df492faca1ded33b14446c4a5c9be.

Change-Id: I80ffcb8f432e4af849aae49f40d313dd475d47fc
Remove compatibility with OpenSSL. 2015-05-07T01:04:23+00:00 Shawn Willden swillden@google.com 2015-05-05T13:15:24+00:00 de4ffa99837df492faca1ded33b14446c4a5c9be Android has switched from OpenSSL to BoringSSL. There were various accommodations in the code for supporting both, but coming changes make maintaining that support more difficult than it's worth, I'm abandoning OpenSSL. Change-Id: I9203c0215537c7f7aa2a89859ea52ff0f0582a9e (cherry picked from commit 9011d1ae960beb29ba50634813c28892e738aac7) 
Android has switched from OpenSSL to BoringSSL.  There were various
accommodations in the code for supporting both, but coming changes make
maintaining that support more difficult than it's worth, I'm abandoning
OpenSSL.

Change-Id: I9203c0215537c7f7aa2a89859ea52ff0f0582a9e
(cherry picked from commit 9011d1ae960beb29ba50634813c28892e738aac7)
Improve error reporting and logging. 2015-03-23T17:22:41+00:00 Shawn Willden swillden@google.com 2015-03-12T03:51:38+00:00 f01329d8692edde9a9ffb88f29f5d684eab481e2 Bug: 19603049 Bug: 19509317 Change-Id: I041c973802e6c567adc5b1f280fc5bac27ba28d6 
Bug: 19603049
Bug: 19509317
Change-Id: I041c973802e6c567adc5b1f280fc5bac27ba28d6
Update OpenSSL error codes for BoringSSL. 2015-02-26T21:39:10+00:00 Adam Langley agl@google.com 2015-02-26T21:33:18+00:00 a5fce68dfa30f6a6da030ff0bde1ac3771e58b72 The OpenSSL error code system really doesn't work very well. The values export far too much of the internals (including internal function names!) and so are quite unstable. Really they're only suitable for printing out. However, people do need to programatically handle errors in some cases and since the error queue is all there is, that's what one has to use. This change updates the error handling in the light of BoringSSL. Change-Id: I3cc99729e755a7e8e28d399631d7c4b2408c877a 
The OpenSSL error code system really doesn't work very well. The values
export far too much of the internals (including internal function
names!) and so are quite unstable. Really they're only suitable for
printing out.

However, people do need to programatically handle errors in some cases
and since the error queue is all there is, that's what one has to use.

This change updates the error handling in the light of BoringSSL.

Change-Id: I3cc99729e755a7e8e28d399631d7c4b2408c877a
Add OpenSSL error translation utility. 2015-02-25T19:33:04+00:00 Shawn Willden swillden@google.com 2015-02-07T07:31:41+00:00 26aaa76e18a1a1bc92c7d5ee6ecc62769dd764ec Bug: 19507949 Change-Id: I8d499868173e476f5e9f92a7b0e518c3163815ac 
Bug: 19507949
Change-Id: I8d499868173e476f5e9f92a7b0e518c3163815ac