diff options
| author | Adam Langley <agl@google.com> | 2015-02-26 13:33:18 -0800 |
|---|---|---|
| committer | Adam Langley <agl@google.com> | 2015-02-26 13:39:10 -0800 |
| commit | a5fce68dfa30f6a6da030ff0bde1ac3771e58b72 (patch) | |
| tree | 2807daefa5338cd99e3a8a314ba89bf7b42c4ff9 | |
| parent | 1cb9407218ede2706baef0017f510c94308e5c69 (diff) | |
| download | android_system_keymaster-a5fce68dfa30f6a6da030ff0bde1ac3771e58b72.tar.gz android_system_keymaster-a5fce68dfa30f6a6da030ff0bde1ac3771e58b72.tar.bz2 android_system_keymaster-a5fce68dfa30f6a6da030ff0bde1ac3771e58b72.zip | |
Update OpenSSL error codes for BoringSSL.
The OpenSSL error code system really doesn't work very well. The values
export far too much of the internals (including internal function
names!) and so are quite unstable. Really they're only suitable for
printing out.
However, people do need to programatically handle errors in some cases
and since the error queue is all there is, that's what one has to use.
This change updates the error handling in the light of BoringSSL.
Change-Id: I3cc99729e755a7e8e28d399631d7c4b2408c877a
| -rw-r--r-- | openssl_err.cpp | 150 |
1 files changed, 110 insertions, 40 deletions
diff --git a/openssl_err.cpp b/openssl_err.cpp index 167aa0d..4584716 100644 --- a/openssl_err.cpp +++ b/openssl_err.cpp @@ -19,12 +19,25 @@ #include <openssl/err.h> #include <openssl/evp.h> +#if defined(OPENSSL_IS_BORINGSSL) +#include <openssl/asn1.h> +#include <openssl/cipher.h> +#include <openssl/pkcs8.h> +#include <openssl/x509v3.h> +#endif + #include <hardware/keymaster_defs.h> #include <keymaster/logger.h> namespace keymaster { static keymaster_error_t TranslateEvpError(int reason); +#if defined(OPENSSL_IS_BORINGSSL) +static keymaster_error_t TranslateASN1Error(int reason); +static keymaster_error_t TranslateCipherError(int reason); +static keymaster_error_t TranslatePKCS8Error(int reason); +static keymaster_error_t TranslateX509v3Error(int reason); +#endif keymaster_error_t TranslateLastOpenSslError(bool log_message) { unsigned long error = ERR_peek_last_error(); @@ -38,65 +51,117 @@ keymaster_error_t TranslateLastOpenSslError(bool log_message) { case ERR_LIB_EVP: return TranslateEvpError(reason); - +#if defined(OPENSSL_IS_BORINGSSL) + case ERR_LIB_ASN1: + return TranslateASN1Error(reason); + case ERR_LIB_CIPHER: + return TranslateCipherError(reason); + case ERR_LIB_PKCS8: + return TranslatePKCS8Error(reason); + case ERR_LIB_X509V3: + return TranslateX509v3Error(reason); +#else case ERR_LIB_ASN1: // TODO(swillden): Consider a better return code. return KM_ERROR_INVALID_ARGUMENT; +#endif } return KM_ERROR_UNKNOWN_ERROR; } +#if defined(OPENSSL_IS_BORINGSSL) + +keymaster_error_t TranslatePKCS8Error(int reason) { + switch (reason) { + case PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM: + case PKCS8_R_UNKNOWN_CIPHER: + return KM_ERROR_UNSUPPORTED_ALGORITHM; + + case PKCS8_R_PRIVATE_KEY_ENCODE_ERROR: + case PKCS8_R_PRIVATE_KEY_DECODE_ERROR: + return KM_ERROR_INVALID_KEY_BLOB; + + case PKCS8_R_ENCODE_ERROR: + return KM_ERROR_INVALID_ARGUMENT; + + default: + return KM_ERROR_UNKNOWN_ERROR; + } +} + +keymaster_error_t TranslateCipherError(int reason) { + switch (reason) { + case CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH: + case CIPHER_R_WRONG_FINAL_BLOCK_LENGTH: + return KM_ERROR_INVALID_INPUT_LENGTH; + + case CIPHER_R_UNSUPPORTED_KEY_SIZE: + case CIPHER_R_BAD_KEY_LENGTH: + return KM_ERROR_UNSUPPORTED_KEY_SIZE; + + case CIPHER_R_BAD_DECRYPT: + return KM_ERROR_INVALID_ARGUMENT; + + case CIPHER_R_INVALID_KEY_LENGTH: + return KM_ERROR_INVALID_KEY_BLOB; + + default: + return KM_ERROR_UNKNOWN_ERROR; + } +} + +keymaster_error_t TranslateASN1Error(int reason) { + switch (reason) { + case ASN1_R_UNSUPPORTED_CIPHER: + return KM_ERROR_UNSUPPORTED_ALGORITHM; + + case ASN1_R_ERROR_LOADING_SECTION: + return KM_ERROR_INVALID_KEY_BLOB; + + case ASN1_R_ENCODE_ERROR: + return KM_ERROR_INVALID_ARGUMENT; + + default: + return KM_ERROR_UNKNOWN_ERROR; + } +} + +keymaster_error_t TranslateX509v3Error(int reason) { + switch (reason) { + case X509V3_R_UNKNOWN_OPTION: + return KM_ERROR_UNSUPPORTED_ALGORITHM; + + default: + return KM_ERROR_UNKNOWN_ERROR; + } +} + +#endif // OPENSSL_IS_BORINGSSL + keymaster_error_t TranslateEvpError(int reason) { switch (reason) { case EVP_R_UNKNOWN_DIGEST: return KM_ERROR_UNSUPPORTED_DIGEST; +#if !defined(OPENSSL_IS_BORINGSSL) case EVP_R_UNSUPPORTED_PRF: case EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM: case EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION: case EVP_R_UNSUPPORTED_SALT_TYPE: case EVP_R_UNKNOWN_PBE_ALGORITHM: case EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS: - case EVP_R_UNSUPPORTED_ALGORITHM: case EVP_R_UNSUPPORTED_CIPHER: - case EVP_R_OPERATON_NOT_INITIALIZED: case EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE: - case EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE: case EVP_R_UNKNOWN_CIPHER: +#endif + case EVP_R_UNSUPPORTED_ALGORITHM: + case EVP_R_OPERATON_NOT_INITIALIZED: + case EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE: return KM_ERROR_UNSUPPORTED_ALGORITHM; - case EVP_R_UNKNOWN_OPTION: - case EVP_R_TOO_LARGE: - case EVP_R_KEYGEN_FAILURE: - case EVP_R_NO_OPERATION_SET: - case EVP_R_NO_SIGN_FUNCTION_CONFIGURED: - case EVP_R_NO_VERIFY_FUNCTION_CONFIGURED: - case EVP_R_MESSAGE_DIGEST_IS_NULL: - case EVP_R_METHOD_NOT_SUPPORTED: - case EVP_R_INVALID_OPERATION: - case EVP_R_IV_TOO_LARGE: - case EVP_R_NO_KEY_SET: - case EVP_R_NO_CIPHER_SET: - case EVP_R_NO_DEFAULT_DIGEST: - case EVP_R_NO_DIGEST_SET: - case EVP_R_EVP_PBE_CIPHERINIT_ERROR: - case EVP_R_INITIALIZATION_ERROR: - case EVP_R_INPUT_NOT_INITIALIZED: - case EVP_R_CAMELLIA_KEY_SETUP_FAILED: - case EVP_R_AES_IV_SETUP_FAILED: - case EVP_R_AES_KEY_SETUP_FAILED: - case EVP_R_FIPS_MODE_NOT_SUPPORTED: - case EVP_R_ASN1_LIB: - case EVP_R_COMMAND_NOT_SUPPORTED: - case EVP_R_CTRL_NOT_IMPLEMENTED: - case EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED: - case EVP_R_DISABLED_FOR_FIPS: - case EVP_R_ERROR_SETTING_FIPS_MODE: - case EVP_R_INVALID_FIPS_MODE: - return KM_ERROR_UNKNOWN_ERROR; - +#if !defined(OPENSSL_IS_BORINGSSL) case EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH: case EVP_R_WRONG_FINAL_BLOCK_LENGTH: return KM_ERROR_INVALID_INPUT_LENGTH; @@ -104,32 +169,37 @@ keymaster_error_t TranslateEvpError(int reason) { case EVP_R_UNSUPPORTED_KEYLENGTH: case EVP_R_BAD_KEY_LENGTH: return KM_ERROR_UNSUPPORTED_KEY_SIZE; +#endif +#if !defined(OPENSSL_IS_BORINGSSL) case EVP_R_BAD_BLOCK_LENGTH: case EVP_R_BN_DECODE_ERROR: case EVP_R_BN_PUBKEY_ERROR: - case EVP_R_BUFFER_TOO_SMALL: case EVP_R_CIPHER_PARAMETER_ERROR: case EVP_R_ERROR_LOADING_SECTION: - case EVP_R_EXPECTING_AN_RSA_KEY: - case EVP_R_EXPECTING_A_DH_KEY: - case EVP_R_EXPECTING_A_DSA_KEY: case EVP_R_EXPECTING_A_ECDSA_KEY: case EVP_R_EXPECTING_A_EC_KEY: case EVP_R_INVALID_DIGEST: case EVP_R_INVALID_KEY_LENGTH: - case EVP_R_MISSING_PARAMETERS: case EVP_R_NO_DSA_PARAMETERS: case EVP_R_PRIVATE_KEY_DECODE_ERROR: case EVP_R_PRIVATE_KEY_ENCODE_ERROR: case EVP_R_PUBLIC_KEY_NOT_RSA: +#endif + case EVP_R_BUFFER_TOO_SMALL: + case EVP_R_EXPECTING_AN_RSA_KEY: + case EVP_R_EXPECTING_A_DH_KEY: + case EVP_R_EXPECTING_A_DSA_KEY: + case EVP_R_MISSING_PARAMETERS: case EVP_R_WRONG_PUBLIC_KEY_TYPE: return KM_ERROR_INVALID_KEY_BLOB; +#if !defined(OPENSSL_IS_BORINGSSL) case EVP_R_BAD_DECRYPT: + case EVP_R_ENCODE_ERROR: +#endif case EVP_R_DIFFERENT_PARAMETERS: case EVP_R_DECODE_ERROR: - case EVP_R_ENCODE_ERROR: return KM_ERROR_INVALID_ARGUMENT; case EVP_R_DIFFERENT_KEY_TYPES: |