[bssl] Retrieve error code from BoringSSL
This cl retrieves the error code from BoringSSL when an operation
fails and returns it to the users.
Test: atest rialto_test
Bug: 302527194
Change-Id: I36da67c2ff9e7f45aea8db659d400c347d9705ca
diff --git a/libs/bssl/error/src/code.rs b/libs/bssl/error/src/code.rs
new file mode 100644
index 0000000..7fb36c4
--- /dev/null
+++ b/libs/bssl/error/src/code.rs
@@ -0,0 +1,98 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use core::fmt;
+use serde::{Deserialize, Serialize};
+
+type BsslReasonCode = i32;
+type BsslLibraryCode = i32;
+
+/// BoringSSL reason code.
+#[allow(missing_docs)]
+#[derive(Clone, Copy, Debug, PartialEq, Eq, Serialize, Deserialize)]
+pub enum ReasonCode {
+ NoError,
+ Global(GlobalError),
+ Cipher(CipherError),
+ Unknown(BsslReasonCode, BsslLibraryCode),
+}
+
+impl fmt::Display for ReasonCode {
+ fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+ match self {
+ Self::NoError => write!(f, "No error in the BoringSSL error queue."),
+ Self::Unknown(code, lib) => {
+ write!(f, "Unknown reason code '{code}' from the library '{lib}'")
+ }
+ other => write!(f, "{other:?}"),
+ }
+ }
+}
+
+/// Global errors may occur in any library.
+///
+/// The values are from:
+/// boringssl/src/include/openssl/err.h
+#[allow(missing_docs)]
+#[derive(Clone, Copy, Debug, PartialEq, Eq, Serialize, Deserialize)]
+pub enum GlobalError {
+ Fatal,
+ MallocFailure,
+ ShouldNotHaveBeenCalled,
+ PassedNullParameter,
+ InternalError,
+ Overflow,
+}
+
+impl fmt::Display for GlobalError {
+ fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+ write!(f, "A global error occurred: {self:?}")
+ }
+}
+
+/// Errors occurred in the Cipher functions.
+///
+/// The values are from:
+/// boringssl/src/include/openssl/cipher.h
+#[allow(missing_docs)]
+#[derive(Clone, Copy, Debug, PartialEq, Eq, Serialize, Deserialize)]
+pub enum CipherError {
+ AesKeySetupFailed,
+ BadDecrypt,
+ BadKeyLength,
+ BufferTooSmall,
+ CtrlNotImplemented,
+ CtrlOperationNotImplemented,
+ DataNotMultipleOfBlockLength,
+ InitializationError,
+ InputNotInitialized,
+ InvalidAdSize,
+ InvalidKeyLength,
+ InvalidNonceSize,
+ InvalidOperation,
+ IvTooLarge,
+ NoCipherSet,
+ OutputAliasesInput,
+ TagTooLarge,
+ TooLarge,
+ WrongFinalBlockLength,
+ NoDirectionSet,
+ InvalidNonce,
+}
+
+impl fmt::Display for CipherError {
+ fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+ write!(f, "An error occurred in a Cipher function: {self:?}")
+ }
+}
diff --git a/libs/bssl/error/src/lib.rs b/libs/bssl/error/src/lib.rs
index 68f7485..547ad43 100644
--- a/libs/bssl/error/src/lib.rs
+++ b/libs/bssl/error/src/lib.rs
@@ -16,9 +16,13 @@
#![cfg_attr(not(feature = "std"), no_std)]
+mod code;
+
use core::{fmt, result};
use serde::{Deserialize, Serialize};
+pub use crate::code::{CipherError, GlobalError, ReasonCode};
+
/// libbssl_avf result type.
pub type Result<T> = result::Result<T, Error>;
@@ -26,7 +30,7 @@
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub enum Error {
/// Failed to invoke a BoringSSL API.
- CallFailed(ApiName),
+ CallFailed(ApiName, ReasonCode),
/// An unexpected internal error occurred.
InternalError,
@@ -35,8 +39,8 @@
impl fmt::Display for Error {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
match self {
- Self::CallFailed(api_name) => {
- write!(f, "Failed to invoke the BoringSSL API: {api_name:?}")
+ Self::CallFailed(api_name, reason) => {
+ write!(f, "Failed to invoke the BoringSSL API: {api_name:?}. Reason: {reason}")
}
Self::InternalError => write!(f, "An unexpected internal error occurred"),
}
diff --git a/libs/bssl/src/ec_key.rs b/libs/bssl/src/ec_key.rs
index 901212f..7038e21 100644
--- a/libs/bssl/src/ec_key.rs
+++ b/libs/bssl/src/ec_key.rs
@@ -16,7 +16,7 @@
//! BoringSSL.
use crate::cbb::CbbFixed;
-use crate::util::check_int_result;
+use crate::util::{check_int_result, to_call_failed_error};
use alloc::vec::Vec;
use bssl_avf_error::{ApiName, Error, Result};
use bssl_ffi::{
@@ -54,7 +54,7 @@
};
let mut ec_key = NonNull::new(ec_key)
.map(Self)
- .ok_or(Error::CallFailed(ApiName::EC_KEY_new_by_curve_name))?;
+ .ok_or(to_call_failed_error(ApiName::EC_KEY_new_by_curve_name))?;
ec_key.generate_key()?;
Ok(ec_key)
}
@@ -104,7 +104,7 @@
// `EC_KEY` pointer.
unsafe { EC_KEY_get0_public_key(self.0.as_ptr()) };
if ec_point.is_null() {
- Err(Error::CallFailed(ApiName::EC_KEY_get0_public_key))
+ Err(to_call_failed_error(ApiName::EC_KEY_get0_public_key))
} else {
Ok(ec_point)
}
@@ -118,7 +118,7 @@
// `EC_KEY` pointer.
unsafe { EC_KEY_get0_group(self.0.as_ptr()) };
if group.is_null() {
- Err(Error::CallFailed(ApiName::EC_KEY_get0_group))
+ Err(to_call_failed_error(ApiName::EC_KEY_get0_group))
} else {
Ok(group)
}
@@ -144,7 +144,7 @@
// SAFETY: This is safe because the CBB pointer is initialized with `CBB_init_fixed()`,
// and it has been flushed, thus it has no active children.
let len = unsafe { CBB_len(cbb.as_ref()) };
- Ok(buf.get(0..len).ok_or(Error::CallFailed(ApiName::CBB_len))?.to_vec().into())
+ Ok(buf.get(0..len).ok_or(to_call_failed_error(ApiName::CBB_len))?.to_vec().into())
}
}
@@ -178,7 +178,7 @@
fn new() -> Result<Self> {
// SAFETY: The returned pointer is checked below.
let bn = unsafe { BN_new() };
- NonNull::new(bn).map(Self).ok_or(Error::CallFailed(ApiName::BN_new))
+ NonNull::new(bn).map(Self).ok_or(to_call_failed_error(ApiName::BN_new))
}
fn as_mut_ptr(&mut self) -> *mut BIGNUM {
diff --git a/libs/bssl/src/err.rs b/libs/bssl/src/err.rs
new file mode 100644
index 0000000..1ee40c9
--- /dev/null
+++ b/libs/bssl/src/err.rs
@@ -0,0 +1,112 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Wrappers of the error handling functions in BoringSSL err.h.
+
+use bssl_avf_error::{CipherError, GlobalError, ReasonCode};
+use bssl_ffi::{self, ERR_get_error, ERR_GET_LIB_RUST, ERR_GET_REASON_RUST};
+
+const NO_ERROR_REASON_CODE: i32 = 0;
+
+/// Returns the reason code for the least recent error and removes that
+/// error from the error queue.
+pub(crate) fn get_error_reason_code() -> ReasonCode {
+ let packed_error = get_packed_error();
+ let reason = get_reason(packed_error);
+ let lib = get_lib(packed_error);
+ map_to_reason_code(reason, lib)
+}
+
+/// Returns the packed error code for the least recent error and removes that
+/// error from the error queue.
+///
+/// Returns 0 if there are no errors in the queue.
+fn get_packed_error() -> u32 {
+ // SAFETY: This function only reads the error queue.
+ unsafe { ERR_get_error() }
+}
+
+fn get_reason(packed_error: u32) -> i32 {
+ // SAFETY: This function only reads the given error code.
+ unsafe { ERR_GET_REASON_RUST(packed_error) }
+}
+
+/// Returns the library code for the error.
+fn get_lib(packed_error: u32) -> i32 {
+ // SAFETY: This function only reads the given error code.
+ unsafe { ERR_GET_LIB_RUST(packed_error) }
+}
+
+fn map_to_reason_code(reason: i32, lib: i32) -> ReasonCode {
+ if reason == NO_ERROR_REASON_CODE {
+ return ReasonCode::NoError;
+ }
+ map_global_reason_code(reason)
+ .map(ReasonCode::Global)
+ .or_else(|| map_library_reason_code(reason, lib))
+ .unwrap_or(ReasonCode::Unknown(reason, lib))
+}
+
+/// Global errors may occur in any library.
+fn map_global_reason_code(reason: i32) -> Option<GlobalError> {
+ let reason = match reason {
+ bssl_ffi::ERR_R_FATAL => GlobalError::Fatal,
+ bssl_ffi::ERR_R_MALLOC_FAILURE => GlobalError::MallocFailure,
+ bssl_ffi::ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED => GlobalError::ShouldNotHaveBeenCalled,
+ bssl_ffi::ERR_R_PASSED_NULL_PARAMETER => GlobalError::PassedNullParameter,
+ bssl_ffi::ERR_R_INTERNAL_ERROR => GlobalError::InternalError,
+ bssl_ffi::ERR_R_OVERFLOW => GlobalError::Overflow,
+ _ => return None,
+ };
+ Some(reason)
+}
+
+fn map_library_reason_code(reason: i32, lib: i32) -> Option<ReasonCode> {
+ u32::try_from(lib).ok().and_then(|x| match x {
+ bssl_ffi::ERR_LIB_CIPHER => map_cipher_reason_code(reason).map(ReasonCode::Cipher),
+ _ => None,
+ })
+}
+
+fn map_cipher_reason_code(reason: i32) -> Option<CipherError> {
+ let error = match reason {
+ bssl_ffi::CIPHER_R_AES_KEY_SETUP_FAILED => CipherError::AesKeySetupFailed,
+ bssl_ffi::CIPHER_R_BAD_DECRYPT => CipherError::BadDecrypt,
+ bssl_ffi::CIPHER_R_BAD_KEY_LENGTH => CipherError::BadKeyLength,
+ bssl_ffi::CIPHER_R_BUFFER_TOO_SMALL => CipherError::BufferTooSmall,
+ bssl_ffi::CIPHER_R_CTRL_NOT_IMPLEMENTED => CipherError::CtrlNotImplemented,
+ bssl_ffi::CIPHER_R_CTRL_OPERATION_NOT_IMPLEMENTED => {
+ CipherError::CtrlOperationNotImplemented
+ }
+ bssl_ffi::CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH => {
+ CipherError::DataNotMultipleOfBlockLength
+ }
+ bssl_ffi::CIPHER_R_INITIALIZATION_ERROR => CipherError::InitializationError,
+ bssl_ffi::CIPHER_R_INPUT_NOT_INITIALIZED => CipherError::InputNotInitialized,
+ bssl_ffi::CIPHER_R_INVALID_AD_SIZE => CipherError::InvalidAdSize,
+ bssl_ffi::CIPHER_R_INVALID_KEY_LENGTH => CipherError::InvalidKeyLength,
+ bssl_ffi::CIPHER_R_INVALID_NONCE_SIZE => CipherError::InvalidNonceSize,
+ bssl_ffi::CIPHER_R_INVALID_OPERATION => CipherError::InvalidOperation,
+ bssl_ffi::CIPHER_R_IV_TOO_LARGE => CipherError::IvTooLarge,
+ bssl_ffi::CIPHER_R_NO_CIPHER_SET => CipherError::NoCipherSet,
+ bssl_ffi::CIPHER_R_OUTPUT_ALIASES_INPUT => CipherError::OutputAliasesInput,
+ bssl_ffi::CIPHER_R_TAG_TOO_LARGE => CipherError::TagTooLarge,
+ bssl_ffi::CIPHER_R_TOO_LARGE => CipherError::TooLarge,
+ bssl_ffi::CIPHER_R_WRONG_FINAL_BLOCK_LENGTH => CipherError::WrongFinalBlockLength,
+ bssl_ffi::CIPHER_R_NO_DIRECTION_SET => CipherError::NoDirectionSet,
+ bssl_ffi::CIPHER_R_INVALID_NONCE => CipherError::InvalidNonce,
+ _ => return None,
+ };
+ Some(error)
+}
diff --git a/libs/bssl/src/hmac.rs b/libs/bssl/src/hmac.rs
index 1e09315..ddbbe4a 100644
--- a/libs/bssl/src/hmac.rs
+++ b/libs/bssl/src/hmac.rs
@@ -15,7 +15,8 @@
//! Wrappers of the HMAC functions in BoringSSL hmac.h.
use crate::digest::Digester;
-use bssl_avf_error::{ApiName, Error, Result};
+use crate::util::to_call_failed_error;
+use bssl_avf_error::{ApiName, Result};
use bssl_ffi::{HMAC, SHA256_DIGEST_LENGTH};
const SHA256_LEN: usize = SHA256_DIGEST_LENGTH as usize;
@@ -53,6 +54,6 @@
if !ret.is_null() && out_len == (out.len() as u32) {
Ok(out)
} else {
- Err(Error::CallFailed(ApiName::HMAC))
+ Err(to_call_failed_error(ApiName::HMAC))
}
}
diff --git a/libs/bssl/src/lib.rs b/libs/bssl/src/lib.rs
index 4b9ff59..8b38f5b 100644
--- a/libs/bssl/src/lib.rs
+++ b/libs/bssl/src/lib.rs
@@ -21,11 +21,13 @@
mod cbb;
mod digest;
mod ec_key;
+mod err;
mod hkdf;
mod hmac;
mod util;
-pub use bssl_avf_error::{ApiName, Error, Result};
+pub use bssl_avf_error::{ApiName, CipherError, Error, ReasonCode, Result};
+
pub use cbb::CbbFixed;
pub use digest::Digester;
pub use ec_key::{EcKey, ZVec};
diff --git a/libs/bssl/src/util.rs b/libs/bssl/src/util.rs
index cb5e368..880c85b 100644
--- a/libs/bssl/src/util.rs
+++ b/libs/bssl/src/util.rs
@@ -14,13 +14,14 @@
//! Utility functions.
+use crate::err::get_error_reason_code;
use bssl_avf_error::{ApiName, Error, Result};
use log::error;
pub(crate) fn check_int_result(ret: i32, api_name: ApiName) -> Result<()> {
match ret {
1 => Ok(()),
- 0 => Err(Error::CallFailed(api_name)),
+ 0 => Err(Error::CallFailed(api_name, get_error_reason_code())),
_ => {
error!(
"Received a return value ({}) other than 0 or 1 from the BoringSSL API: {:?}",
@@ -30,3 +31,7 @@
}
}
}
+
+pub(crate) fn to_call_failed_error(api_name: ApiName) -> Error {
+ Error::CallFailed(api_name, get_error_reason_code())
+}