author | David Benjamin <davidben@google.com> | 2016-03-29 19:28:02 -0400 |
---|---|---|
committer | David Benjamin <davidben@google.com> | 2016-03-29 20:02:54 -0400 |
commit | 303d5944bfa48d501753a94eca6dc481e5a2757d (patch) | |
tree | c4e20f885c41acec85e202d62811ce45e91568b0 | |
parent | 9c0d63364a0589c35102a8bd49b1c44418bbd476 (diff) | |
system/keymaster: update BoringSSL error mapping.
Fix keymaster to unblock the BoringSSL update. Some error strings no longer
exist. Each of these was unreachable, so I haven't bothered replacing the
mapping.
- EVP_R_EXPECTING_A_DH_KEY. This was not reachable in keymaster. It's only
emitted by the EVP_PKEY_get0_DH and EVP_PKEY_get1_DH functions which are
never called by keymaster. In BoringSSL, since DH EVP_PKEYs never existed, it
was impossible for those functions to succeed.
- EVP_R_WRONG_PUBLIC_KEY_TYPE. In OpenSSL, this was only ever emitted in the
deprecated EVP_SignFinal and EVP_VerifyFinal functions, which keymaster
doesn't use. In BoringSSL, this was emitted as part of X509_verify which is
not used in keymaster (outside of some test code). To align with OpenSSL and
avoid churn in the future, BoringSSL has since switched that to
ASN1_R_WRONG_PUBLIC_KEY_TYPE to match OpenSSL's X509_verify behavior.
- EVP_R_UNKNOWN_DIGEST. In OpenSSL, this was only ever emitted in some PBE code
which is not reachable from keymaster. In BoringSSL, this was only emitted as
part of RSA-PSS code in X509_verify, which is not used in keymaster. The
corresponding OpenSSL error was RSA_R_UNKNOWN_DIGEST which keymaster was not
paying attention to before. BoringSSL currently maps most RSA-PSS parse
errors to X509_R_INVALID_PSS_PARAMETERS for simplicity since no one ever
needed to condition on the old RSA_R_ errors in OpenSSL.
Change-Id: I8ffba5bc5fd1b703fc186fbddce50504f90c1029
-rw-r--r-- | openssl_err.cpp | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/openssl_err.cpp b/openssl_err.cpp index cd4ba20..078b8e3 100644 --- a/openssl_err.cpp +++ b/openssl_err.cpp @@ -178,10 +178,10 @@ keymaster_error_t TranslateRsaError(int reason) { keymaster_error_t TranslateEvpError(int reason) { switch (reason) { +#if !defined(OPENSSL_IS_BORINGSSL) case EVP_R_UNKNOWN_DIGEST: return KM_ERROR_UNSUPPORTED_DIGEST; -#if !defined(OPENSSL_IS_BORINGSSL) case EVP_R_UNSUPPORTED_PRF: case EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM: case EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION: @@ -213,6 +213,7 @@ keymaster_error_t TranslateEvpError(int reason) { case EVP_R_BN_PUBKEY_ERROR: case EVP_R_CIPHER_PARAMETER_ERROR: case EVP_R_ERROR_LOADING_SECTION: + case EVP_R_EXPECTING_A_DH_KEY: case EVP_R_EXPECTING_A_ECDSA_KEY: case EVP_R_EXPECTING_A_EC_KEY: case EVP_R_INVALID_DIGEST: @@ -221,13 +222,12 @@ keymaster_error_t TranslateEvpError(int reason) { case EVP_R_PRIVATE_KEY_DECODE_ERROR: case EVP_R_PRIVATE_KEY_ENCODE_ERROR: case EVP_R_PUBLIC_KEY_NOT_RSA: + case EVP_R_WRONG_PUBLIC_KEY_TYPE: #endif case EVP_R_BUFFER_TOO_SMALL: case EVP_R_EXPECTING_AN_RSA_KEY: - case EVP_R_EXPECTING_A_DH_KEY: case EVP_R_EXPECTING_A_DSA_KEY: case EVP_R_MISSING_PARAMETERS: - case EVP_R_WRONG_PUBLIC_KEY_TYPE: return KM_ERROR_INVALID_KEY_BLOB; #if !defined(OPENSSL_IS_BORINGSSL) |
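Review bot: in the first hunk (`@@ -178,10 +178,10 @@`), moving `#if !defined(OPENSSL_IS_BORINGSSL)` above `case EVP_R_UNKNOWN_DIGEST:` compiles out the `return KM_ERROR_UNSUPPORTED_DIGEST;` mapping for BoringSSL builds, and nothing in the code records why. The reasoning lives only in the commit message. Suggest a one-line comment above the `#if` in TranslateEvpError saying that the symbol no longer exists in BoringSSL and was unreachable from keymaster, so a later reader does not move the case back out of the guard or wonder whether an unsupported-digest condition is now reported through whatever the switch does by default (not visible in this hunk).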
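Review bot: in the third hunk (`@@ -221,13 +222,12 @@`), `case EVP_R_WRONG_PUBLIC_KEY_TYPE:` now sits directly above `#endif` with no statement of its own, and `case EVP_R_EXPECTING_A_DH_KEY:` from the second hunk joins the same guarded list, so both depend on falling through across the `#endif` into the unguarded labels to reach `return KM_ERROR_INVALID_KEY_BLOB;`. That keeps the non-BoringSSL mapping unchanged, but it is easy to break if someone later adds a `return` or reorders labels around the `#endif`. Suggest a short comment at the `#endif` noting that the guarded labels intentionally share the return below. The commit message also names `ASN1_R_WRONG_PUBLIC_KEY_TYPE` as the BoringSSL replacement; since no mapping for it is added here, it would help to state in a code comment that this is deliberate because X509_verify is not used by keymaster.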