boringssl/src/lib.rs

*9860b763SAndroid Build Coastguard Worker// Copyright 2022, The Android Open Source Project
*9860b763SAndroid Build Coastguard Worker//
*9860b763SAndroid Build Coastguard Worker// Licensed under the Apache License, Version 2.0 (the "License");
*9860b763SAndroid Build Coastguard Worker// you may not use this file except in compliance with the License.
*9860b763SAndroid Build Coastguard Worker// You may obtain a copy of the License at
*9860b763SAndroid Build Coastguard Worker//
*9860b763SAndroid Build Coastguard Worker//     http://www.apache.org/licenses/LICENSE-2.0
*9860b763SAndroid Build Coastguard Worker//
*9860b763SAndroid Build Coastguard Worker// Unless required by applicable law or agreed to in writing, software
*9860b763SAndroid Build Coastguard Worker// distributed under the License is distributed on an "AS IS" BASIS,
*9860b763SAndroid Build Coastguard Worker// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*9860b763SAndroid Build Coastguard Worker// See the License for the specific language governing permissions and
*9860b763SAndroid Build Coastguard Worker// limitations under the License.
*9860b763SAndroid Build Coastguard Worker
*9860b763SAndroid Build Coastguard Worker//! Implementations of [`kmr_common::crypto`] traits based on BoringSSL.
*9860b763SAndroid Build Coastguard Worker#![no_std]
*9860b763SAndroid Build Coastguard Worker
*9860b763SAndroid Build Coastguard Workerextern crate alloc;
*9860b763SAndroid Build Coastguard Worker
*9860b763SAndroid Build Coastguard Workeruse alloc::string::ToString;
*9860b763SAndroid Build Coastguard Workeruse kmr_common::Error;
*9860b763SAndroid Build Coastguard Workeruse kmr_wire::keymint::{Digest, ErrorCode};
*9860b763SAndroid Build Coastguard Workeruse log::error;
*9860b763SAndroid Build Coastguard Workeruse openssl::hash::MessageDigest;
*9860b763SAndroid Build Coastguard Worker
*9860b763SAndroid Build Coastguard Worker#[cfg(soong)]
*9860b763SAndroid Build Coastguard Worker// There is no OpenSSL CMAC API that is available in both BoringSSL for Android (which has `cmac.h`
*9860b763SAndroid Build Coastguard Worker// functions but not `EVP_PKEY_CMAC` functionality) and in tip OpenSSL (which has `EVP_PKEY_CMAC`
*9860b763SAndroid Build Coastguard Worker// functionality but which has removed `cmac.h`).  So only build AES-CMAC for Android.
*9860b763SAndroid Build Coastguard Workerpub mod aes_cmac;
*9860b763SAndroid Build Coastguard Worker
*9860b763SAndroid Build Coastguard Workerpub mod aes;
*9860b763SAndroid Build Coastguard Workerpub mod des;
*9860b763SAndroid Build Coastguard Workerpub mod ec;
*9860b763SAndroid Build Coastguard Workerpub mod eq;
*9860b763SAndroid Build Coastguard Workerpub mod hmac;
*9860b763SAndroid Build Coastguard Workerpub mod rng;
*9860b763SAndroid Build Coastguard Workerpub mod rsa;
*9860b763SAndroid Build Coastguard Workerpub mod sha256;
*9860b763SAndroid Build Coastguard Worker
*9860b763SAndroid Build Coastguard Worker#[cfg(soong)]
*9860b763SAndroid Build Coastguard Workermod err;
*9860b763SAndroid Build Coastguard Worker#[cfg(soong)]
*9860b763SAndroid Build Coastguard Workeruse err::*;
*9860b763SAndroid Build Coastguard Worker
*9860b763SAndroid Build Coastguard Worker#[cfg(test)]
*9860b763SAndroid Build Coastguard Workermod tests;
*9860b763SAndroid Build Coastguard Worker
*9860b763SAndroid Build Coastguard Workermod types;
*9860b763SAndroid Build Coastguard Worker
*9860b763SAndroid Build Coastguard Worker/// Map an OpenSSL `ErrorStack` into a KeyMint [`ErrorCode`] value.
*9860b763SAndroid Build Coastguard Workerpub(crate) fn map_openssl_errstack(errs: &openssl::error::ErrorStack) -> ErrorCode {
*9860b763SAndroid Build Coastguard Worker    let errors = errs.errors();
*9860b763SAndroid Build Coastguard Worker    if errors.is_empty() {
*9860b763SAndroid Build Coastguard Worker        error!("BoringSSL error requested but none available!");
*9860b763SAndroid Build Coastguard Worker        return ErrorCode::BoringSslError;
*9860b763SAndroid Build Coastguard Worker    }
*9860b763SAndroid Build Coastguard Worker    let err = &errors[0]; // safe: length checked above
*9860b763SAndroid Build Coastguard Worker    map_openssl_err(err)
*9860b763SAndroid Build Coastguard Worker}
*9860b763SAndroid Build Coastguard Worker
*9860b763SAndroid Build Coastguard Worker/// Stub function for mapping an OpenSSL `ErrorStack` into a KeyMint [`ErrorCode`] value.
*9860b763SAndroid Build Coastguard Worker#[cfg(not(soong))]
*9860b763SAndroid Build Coastguard Workerfn map_openssl_err(_err: &openssl::error::Error) -> ErrorCode {
*9860b763SAndroid Build Coastguard Worker    ErrorCode::BoringSslError
*9860b763SAndroid Build Coastguard Worker}
*9860b763SAndroid Build Coastguard Worker
*9860b763SAndroid Build Coastguard Worker/// Macro to auto-generate error mapping around invocations of `openssl` methods.
*9860b763SAndroid Build Coastguard Worker/// An invocation like:
*9860b763SAndroid Build Coastguard Worker///
*9860b763SAndroid Build Coastguard Worker/// ```ignore
*9860b763SAndroid Build Coastguard Worker/// let x = ossl!(y.func(a, b))?;
*9860b763SAndroid Build Coastguard Worker/// ```
*9860b763SAndroid Build Coastguard Worker///
*9860b763SAndroid Build Coastguard Worker/// will map to:
*9860b763SAndroid Build Coastguard Worker///
*9860b763SAndroid Build Coastguard Worker/// ```ignore
*9860b763SAndroid Build Coastguard Worker/// let x = y.func(a, b).map_err(openssl_err!("failed to perform: y.func(a, b)"))?;
*9860b763SAndroid Build Coastguard Worker/// ```
*9860b763SAndroid Build Coastguard Worker#[macro_export]
*9860b763SAndroid Build Coastguard Workermacro_rules! ossl {
*9860b763SAndroid Build Coastguard Worker    { $e:expr } => {
*9860b763SAndroid Build Coastguard Worker        $e.map_err(openssl_err!(concat!("failed to perform: ", stringify!($e))))
*9860b763SAndroid Build Coastguard Worker    }
*9860b763SAndroid Build Coastguard Worker}
*9860b763SAndroid Build Coastguard Worker
*9860b763SAndroid Build Coastguard Worker/// Macro to emit a closure that builds an [`Error::Hal`] instance, based on an
*9860b763SAndroid Build Coastguard Worker/// openssl `ErrorStack` together with a format-like message.
*9860b763SAndroid Build Coastguard Worker#[macro_export]
*9860b763SAndroid Build Coastguard Workermacro_rules! openssl_err {
*9860b763SAndroid Build Coastguard Worker    { $($arg:tt)+ } => {
*9860b763SAndroid Build Coastguard Worker        |e| kmr_common::Error::Hal(
*9860b763SAndroid Build Coastguard Worker            $crate::map_openssl_errstack(&e),
*9860b763SAndroid Build Coastguard Worker            alloc::format!("{}:{}: {}: {:?}", file!(), line!(), format_args!($($arg)+), e)
*9860b763SAndroid Build Coastguard Worker        )
*9860b763SAndroid Build Coastguard Worker    };
*9860b763SAndroid Build Coastguard Worker}
*9860b763SAndroid Build Coastguard Worker
*9860b763SAndroid Build Coastguard Worker/// Macro to emit a closure that builds an [`Error::Hal`] instance, based on an openssl `ErrorStack`
*9860b763SAndroid Build Coastguard Worker/// together with a format-like message, plus default `ErrorCode` to be used if no OpenSSL error is
*9860b763SAndroid Build Coastguard Worker/// available.
*9860b763SAndroid Build Coastguard Worker#[macro_export]
*9860b763SAndroid Build Coastguard Workermacro_rules! openssl_err_or {
*9860b763SAndroid Build Coastguard Worker    { $default:ident, $($arg:tt)+ } => {
*9860b763SAndroid Build Coastguard Worker        |e| {
*9860b763SAndroid Build Coastguard Worker            let errors = e.errors();
*9860b763SAndroid Build Coastguard Worker            let errcode = if errors.is_empty() {
*9860b763SAndroid Build Coastguard Worker                kmr_wire::keymint::ErrorCode::$default
*9860b763SAndroid Build Coastguard Worker            } else {
*9860b763SAndroid Build Coastguard Worker                $crate::map_openssl_err(&errors[0]) // safe: length checked above
*9860b763SAndroid Build Coastguard Worker            };
*9860b763SAndroid Build Coastguard Worker            kmr_common::Error::Hal(
*9860b763SAndroid Build Coastguard Worker                errcode,
*9860b763SAndroid Build Coastguard Worker                alloc::format!("{}:{}: {}: {:?}", file!(), line!(), format_args!($($arg)+), e)
*9860b763SAndroid Build Coastguard Worker            )
*9860b763SAndroid Build Coastguard Worker        }
*9860b763SAndroid Build Coastguard Worker    };
*9860b763SAndroid Build Coastguard Worker}
*9860b763SAndroid Build Coastguard Worker
*9860b763SAndroid Build Coastguard Worker/// Macro to emit an [`Error`] indicating allocation failure at the current location.
*9860b763SAndroid Build Coastguard Worker#[macro_export]
*9860b763SAndroid Build Coastguard Workermacro_rules! malloc_err {
*9860b763SAndroid Build Coastguard Worker    {} => {
*9860b763SAndroid Build Coastguard Worker        kmr_common::Error::Alloc(concat!(file!(), ":", line!(), ": BoringSSL allocation failed"))
*9860b763SAndroid Build Coastguard Worker    };
*9860b763SAndroid Build Coastguard Worker}
*9860b763SAndroid Build Coastguard Worker
*9860b763SAndroid Build Coastguard Worker/// Translate the most recent OpenSSL error into [`Error`].
*9860b763SAndroid Build Coastguard Workerfn openssl_last_err() -> Error {
*9860b763SAndroid Build Coastguard Worker    from_openssl_err(openssl::error::ErrorStack::get())
*9860b763SAndroid Build Coastguard Worker}
*9860b763SAndroid Build Coastguard Worker
*9860b763SAndroid Build Coastguard Worker/// Translate a returned `openssl` error into [`Error`].
*9860b763SAndroid Build Coastguard Workerfn from_openssl_err(errs: openssl::error::ErrorStack) -> Error {
*9860b763SAndroid Build Coastguard Worker    Error::Hal(map_openssl_errstack(&errs), "OpenSSL failure".to_string())
*9860b763SAndroid Build Coastguard Worker}
*9860b763SAndroid Build Coastguard Worker
*9860b763SAndroid Build Coastguard Worker/// Translate a [`keymint::Digest`] into an OpenSSL [`MessageDigest`].
*9860b763SAndroid Build Coastguard Workerfn digest_into_openssl(digest: Digest) -> Option<MessageDigest> {
*9860b763SAndroid Build Coastguard Worker    match digest {
*9860b763SAndroid Build Coastguard Worker        Digest::None => None,
*9860b763SAndroid Build Coastguard Worker        Digest::Md5 => Some(MessageDigest::md5()),
*9860b763SAndroid Build Coastguard Worker        Digest::Sha1 => Some(MessageDigest::sha1()),
*9860b763SAndroid Build Coastguard Worker        Digest::Sha224 => Some(MessageDigest::sha224()),
*9860b763SAndroid Build Coastguard Worker        Digest::Sha256 => Some(MessageDigest::sha256()),
*9860b763SAndroid Build Coastguard Worker        Digest::Sha384 => Some(MessageDigest::sha384()),
*9860b763SAndroid Build Coastguard Worker        Digest::Sha512 => Some(MessageDigest::sha512()),
*9860b763SAndroid Build Coastguard Worker    }
*9860b763SAndroid Build Coastguard Worker}
*9860b763SAndroid Build Coastguard Worker
*9860b763SAndroid Build Coastguard Worker#[inline]
*9860b763SAndroid Build Coastguard Workerfn cvt_p<T>(r: *mut T) -> Result<*mut T, Error> {
*9860b763SAndroid Build Coastguard Worker    if r.is_null() {
*9860b763SAndroid Build Coastguard Worker        Err(openssl_last_err())
*9860b763SAndroid Build Coastguard Worker    } else {
*9860b763SAndroid Build Coastguard Worker        Ok(r)
*9860b763SAndroid Build Coastguard Worker    }
*9860b763SAndroid Build Coastguard Worker}
*9860b763SAndroid Build Coastguard Worker
*9860b763SAndroid Build Coastguard Worker#[inline]
*9860b763SAndroid Build Coastguard Workerfn cvt(r: libc::c_int) -> Result<libc::c_int, Error> {
*9860b763SAndroid Build Coastguard Worker    if r <= 0 {
*9860b763SAndroid Build Coastguard Worker        Err(openssl_last_err())
*9860b763SAndroid Build Coastguard Worker    } else {
*9860b763SAndroid Build Coastguard Worker        Ok(r)
*9860b763SAndroid Build Coastguard Worker    }
*9860b763SAndroid Build Coastguard Worker}