diff --git a/frameworks/js/ani/src/ani_dh_key_util.cpp b/frameworks/js/ani/src/ani_dh_key_util.cpp
index 740f1d9a1739c5dca93fb599074a462b754ded41..4d86ff23ccd837088e0fa98e2dbace1b4ffa4201 100644
--- a/frameworks/js/ani/src/ani_dh_key_util.cpp
+++ b/frameworks/js/ani/src/ani_dh_key_util.cpp
@@ -37,7 +37,8 @@ DHCommonParamsSpec GenDHCommonParamsSpec(int32_t pLen, optional_view sk
 dh.l = dhCommParamsSpec->length;
 BigIntegerToArrayU8(dhCommParamsSpec->p, dh.p);
 BigIntegerToArrayU8(dhCommParamsSpec->g, dh.g);
- HcfObjDestroy(dhCommParamsSpec);
+ FreeDhCommParamsSpec(dhCommParamsSpec);
+ HcfFree(dhCommParamsSpec);
 return dh;
 }
 } // namespace ANI::CryptoFramework
diff --git a/frameworks/js/ani/src/ani_ecc_key_util.cpp b/frameworks/js/ani/src/ani_ecc_key_util.cpp
index e2ab9c3f3a11c8021c1b869b5f2cf8bf6a7dc208..28f6c646069374364cc41f3722fb7a66f5fff60d 100644
--- a/frameworks/js/ani/src/ani_ecc_key_util.cpp
+++ b/frameworks/js/ani/src/ani_ecc_key_util.cpp
@@ -44,7 +44,8 @@ ECCCommonParamsSpec GenECCCommonParamsSpec(string_view curveName)
 BigIntegerToArrayU8(eccCommParamsSpec->g.x, ecc.g.x);
 BigIntegerToArrayU8(eccCommParamsSpec->g.y, ecc.g.y);
 BigIntegerToArrayU8(eccCommParamsSpec->n, ecc.n);
- HcfObjDestroy(eccCommParamsSpec);
+ FreeEccCommParamsSpec(eccCommParamsSpec);
+ HcfFree(eccCommParamsSpec);
 return ecc;
 }
diff --git a/frameworks/js/ani/src/ani_kdf.cpp b/frameworks/js/ani/src/ani_kdf.cpp
index c0611c9e7aa0160107f090d09d21471f7b46b7f6..08869d732a1d1f88b6e441e37010c03af504d690 100644
--- a/frameworks/js/ani/src/ani_kdf.cpp
+++ b/frameworks/js/ani/src/ani_kdf.cpp
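Review bot: The two-step release at the end of GenDHCommonParamsSpec, `FreeDhCommParamsSpec(dhCommParamsSpec); HcfFree(dhCommParamsSpec);`, runs only on the one exit shown, so an earlier return or a throwing call between allocation and this line would leak the spec; the same pair is repeated in GenECCCommonParamsSpec in ani_ecc_key_util.cpp. Whether the BigIntegerToArrayU8 calls can throw is not visible here, and both function bodies start outside their hunks. Holding the pointer in a `std::unique_ptr` whose deleter performs both calls would tie the cleanup to scope and keep the two sites identical. A short comment such as `// free the members first, then the struct itself` would also record why the order matters.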
@@ -25,8 +25,11 @@ const std::string PBKDF2_ALG_NAME = "PBKDF2";
 const std::string HKDF_ALG_NAME = "HKDF";
 const std::string SCRYPT_ALG_NAME = "SCRYPT";
-void SetPBKDF2ParamsSpecAttribute(const PBKDF2Spec ¶ms, HcfPBKDF2ParamsSpec &pbkdf2Spec, HcfBlob &outBlob)
+bool SetPBKDF2ParamsSpecAttribute(const PBKDF2Spec ¶ms, HcfPBKDF2ParamsSpec &pbkdf2Spec, HcfBlob &outBlob)
 {
+ if (params.keySize < 0) {
+ return false;
+ }
 pbkdf2Spec.base.algName = params.base.algName.c_str();
 if (params.password.get_tag() == OptStrUint8Arr::tag_t::STRING) {
 StringToDataBlob(params.password.get_STRING_ref(), pbkdf2Spec.password);
@@ -39,10 +42,14 @@ void SetPBKDF2ParamsSpecAttribute(const PBKDF2Spec ¶ms, HcfPBKDF2ParamsSpec
 outBlob.data = static_cast(HcfMalloc(keySize, 0));
 outBlob.len = (outBlob.data == nullptr) ? 0 : keySize;
 pbkdf2Spec.output = outBlob;
+ return true;
 }
-void SetHkdfParamsSpecAttribute(const HKDFSpec ¶ms, HcfHkdfParamsSpec &hkdfSpec, HcfBlob &outBlob)
+bool SetHkdfParamsSpecAttribute(const HKDFSpec ¶ms, HcfHkdfParamsSpec &hkdfSpec, HcfBlob &outBlob)
 {
+ if (params.keySize < 0) {
+ return false;
+ }
 hkdfSpec.base.algName = params.base.algName.c_str();
 if (params.key.get_tag() == OptStrUint8Arr::tag_t::STRING) {
 StringToDataBlob(params.key.get_STRING_ref(), hkdfSpec.key);
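Review bot: SetPBKDF2ParamsSpecAttribute still returns `true` when `HcfMalloc` fails: the tail in the hunk at -39 sets `outBlob.len` to 0 for a null `outBlob.data` and then reaches the added `return true;`, so the new bool result does not tell the caller that the output buffer is unusable. Adding `if (outBlob.data == nullptr) { return false; }` before `pbkdf2Spec.output = outBlob;` would report it, unless GenerateSecretSync checks `outBlob` separately in a part that is not visible here. The same tail appears in SetHkdfParamsSpecAttribute (hunk at -55) and SetScryptParamsSpecAttribute (hunk at -74). A `keySize` of 0 also passes the new `keySize < 0` guard and reaches `HcfMalloc(keySize, 0)`. The middle of each function lies outside the hunks.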
@@ -55,10 +62,14 @@ void SetHkdfParamsSpecAttribute(const HKDFSpec ¶ms, HcfHkdfParamsSpec &hkdfS
 outBlob.data = static_cast(HcfMalloc(keySize, 0));
 outBlob.len = (outBlob.data == nullptr) ? 0 : keySize;
 hkdfSpec.output = outBlob;
+ return true;
 }
-void SetScryptParamsSpecAttribute(const ScryptSpec ¶ms, HcfScryptParamsSpec &scryptSpec, HcfBlob &outBlob)
+bool SetScryptParamsSpecAttribute(const ScryptSpec ¶ms, HcfScryptParamsSpec &scryptSpec, HcfBlob &outBlob)
 {
+ if (params.keySize < 0 || params.n < 0 || params.r < 0 || params.p < 0 || params.maxMemory < 0) {
+ return false;
+ }
 scryptSpec.base.algName = params.base.algName.c_str();
 if (params.passphrase.get_tag() == OptStrUint8Arr::tag_t::STRING) {
 StringToDataBlob(params.passphrase.get_STRING_ref(), scryptSpec.passPhrase);
@@ -74,6 +85,7 @@ void SetScryptParamsSpecAttribute(const ScryptSpec ¶ms, HcfScryptParamsSpec
 outBlob.data = static_cast(HcfMalloc(keySize, 0));
 outBlob.len = (outBlob.data == nullptr) ? 0 : keySize;
 scryptSpec.output = outBlob;
+ return true;
 }
 } // namespace
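Review bot: The new guard in SetScryptParamsSpecAttribute rejects only negative values, so `n`, `r` and `p` equal to 0 are still accepted, although scrypt requires N greater than 1 and r and p of at least 1 (RFC 7914). Unless the plugin rejects them later, which this hunk does not show, the test could be tightened to `if (params.keySize < 0 || params.n <= 1 || params.r <= 0 || params.p <= 0 || params.maxMemory < 0)`. `maxMemory` can stay at `< 0` if 0 is meant to select a default limit. The function body continues outside the hunk.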
@@ -100,16 +112,18 @@ DataBlob KdfImpl::GenerateSecretSync(OptExtKdfSpec const& params)
 HcfScryptParamsSpec scryptSpec = {};
 HcfBlob outBlob = {};
 const std::string &algName = params.get_KDFSPEC_ref().algName.c_str();
+ bool flag = false;
 if (params.get_tag() == OptExtKdfSpec::tag_t::PBKDF2SPEC && algName == PBKDF2_ALG_NAME) {
- SetPBKDF2ParamsSpecAttribute(params.get_PBKDF2SPEC_ref(), pbkdf2Spec, outBlob);
+ flag = SetPBKDF2ParamsSpecAttribute(params.get_PBKDF2SPEC_ref(), pbkdf2Spec, outBlob);
 paramsSpec = reinterpret_cast(&pbkdf2Spec);
 } else if (params.get_tag() == OptExtKdfSpec::tag_t::HKDFSPEC && algName == HKDF_ALG_NAME) {
- SetHkdfParamsSpecAttribute(params.get_HKDFSPEC_ref(), hkdfSpec, outBlob);
+ flag = SetHkdfParamsSpecAttribute(params.get_HKDFSPEC_ref(), hkdfSpec, outBlob);
 paramsSpec = reinterpret_cast(&hkdfSpec);
 } else if (params.get_tag() == OptExtKdfSpec::tag_t::SCRYPTSPEC && algName == SCRYPT_ALG_NAME) {
- SetScryptParamsSpecAttribute(params.get_SCRYPTSPEC_ref(), scryptSpec, outBlob);
+ flag = SetScryptParamsSpecAttribute(params.get_SCRYPTSPEC_ref(), scryptSpec, outBlob);
 paramsSpec = reinterpret_cast(&scryptSpec);
- } else {
+ }
+ if (!flag) {
 ANI_LOGE_THROW(HCF_INVALID_PARAMS, "invalid kdf spec!");
 return {};
 }
diff --git a/plugin/openssl_plugin/crypto_operation/kdf/src/hkdf_openssl.c b/plugin/openssl_plugin/crypto_operation/kdf/src/hkdf_openssl.c
index 4f3f2b5b4cefa0af15f1f9e1f15d3d1eae69749a..fd14e7cd9f60aa52b5ac9de7ed69d282e6a9a145 100644
--- a/plugin/openssl_plugin/crypto_operation/kdf/src/hkdf_openssl.c
+++ b/plugin/openssl_plugin/crypto_operation/kdf/src/hkdf_openssl.c
@@ -97,7 +97,7 @@ static bool CheckHkdfParams(HcfHkdfParamsSpec *params)
 LOGE("beyond the length");
 return false;
 }
- if (params->key.data == NULL && params->key.len == 0) {
+ if (params->key.data == NULL || params->key.len == 0) {
 LOGE("check params failed, key is NULL");
 return false;
 }
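Review bot: The name `flag` in GenerateSecretSync says nothing about what it tracks; something like `specValid` would make `if (!specValid)` read as the check it is. The single `"invalid kdf spec!"` message now covers both an unmatched tag or algorithm name and a setter rejecting a negative parameter, so the caller cannot tell which occurred. Logging the reason inside each setter before its `return false;` would keep that distinction, provided a logging macro is available in this file. The function body starts and ends outside the hunk.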
diff --git a/plugin/openssl_plugin/key/asy_key_generator/src/rsa_asy_key_generator_openssl.c b/plugin/openssl_plugin/key/asy_key_generator/src/rsa_asy_key_generator_openssl.c
index 162ef321bcefccf62945cf868780da18842e5cbb..06cd3fdee170a14b7092a5fdf7216bfad0b13b1e 100644
--- a/plugin/openssl_plugin/key/asy_key_generator/src/rsa_asy_key_generator_openssl.c
+++ b/plugin/openssl_plugin/key/asy_key_generator/src/rsa_asy_key_generator_openssl.c
@@ -36,6 +36,7 @@
 #define OPENSSL_BITS_PER_BYTE 8
 #define OPENSSL_RSA_KEYPAIR_CNT 3
 #define OPENSSL_RSA_KEYGEN_DEFAULT_PRIMES 2
+#define PASSWORD_MAX_LENGTH 4096
 #define MAX_KEY_SIZE 8192
 #define MIN_KEY_SIZE 512
 #define PRIMES_2 2
@@ -724,8 +725,18 @@ static HcfResult GetPriKeyEncodedPem(const HcfPriKey *self, HcfParamsSpec *param
 OpensslEvpPkeyFree(pkey);
 return HCF_NOT_SUPPORT;
 }
- cipher = EVP_CIPHER_fetch(NULL, cipherStr, NULL);
 passWord = (const char *)spec->password;
+ if (passWord == NULL) {
+ LOGE("passWord is NULL.");
+ OpensslEvpPkeyFree(pkey);
+ return HCF_INVALID_PARAMS;
+ }
+ if (strlen(passWord) == 0 || strlen(passWord) > PASSWORD_MAX_LENGTH) {
+ LOGE("passWord is invalid.");
+ OpensslEvpPkeyFree(pkey);
+ return HCF_INVALID_PARAMS;
+ }
+ cipher = EVP_CIPHER_fetch(NULL, cipherStr, NULL);
 result = GetPriKeyPem(format, pkey, cipher, passWord, returnString);
 EVP_CIPHER_free((EVP_CIPHER *)cipher);
 } else {
@@ -1213,6 +1224,13 @@ static HcfResult EngineConvertPemKey(HcfAsyKeyGeneratorSpi *self, HcfParamsSpec
 LOGE("ConvertPemKeyParams is invalid.");
 return HCF_INVALID_PARAMS;
 }
+ if (params != NULL) {
+ HcfKeyDecodingParamsSpec *spec = (HcfKeyDecodingParamsSpec *)params;
+ if (spec->password == NULL || strlen(spec->password) == 0 || strlen(spec->password) > PASSWORD_MAX_LENGTH) {
+ LOGE("password is invalid.");
+ return HCF_INVALID_PARAMS;
+ }
+ }
 if (!HcfIsClassMatch((HcfObjectBase *)self, OPENSSL_RSA_GENERATOR_CLASS)) {
 LOGE("Class not match.");
 return HCF_INVALID_PARAMS;
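Review bot: The result of `EVP_CIPHER_fetch(NULL, cipherStr, NULL)` in GetPriKeyEncodedPem (hunk at -724) is passed to GetPriKeyPem without a NULL check. GetPriKeyPem is outside the hunk, but OpenSSL's PEM private-key writers emit the key unencrypted when the cipher argument is NULL. A failed fetch could therefore produce a plaintext private key even though a password was validated just above. A guard right after the fetch, `if (cipher == NULL) { OpensslEvpPkeyFree(pkey); return HCF_NOT_SUPPORT; }`, would close that path.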
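Review bot: The password check added to EngineConvertPemKey (hunk at -1213) calls `strlen(spec->password)` twice on a caller-supplied string, so the whole buffer is scanned before the `PASSWORD_MAX_LENGTH` cap can reject it. GetPriKeyEncodedPem (hunk at -724) repeats the same test in a different shape. One static helper built on a bounded length call would keep the two sites consistent and limit the scan to the cap plus one byte. `strnlen` is POSIX rather than ISO C, so `OPENSSL_strnlen` is probably the better fit for this file. Both function bodies continue outside their hunks.

```c
/* True when password is non-NULL, non-empty and no longer than PASSWORD_MAX_LENGTH. */
static bool IsPemPasswordValid(const char *password)
{
    if (password == NULL) {
        return false;
    }
    /* Bounded scan: stops at PASSWORD_MAX_LENGTH + 1 instead of walking an oversized string. */
    size_t len = OPENSSL_strnlen(password, PASSWORD_MAX_LENGTH + 1);
    return len > 0 && len <= PASSWORD_MAX_LENGTH;
}

/* … unchanged: ConvertPemKeyParams check at the top of EngineConvertPemKey … */
    if (params != NULL && !IsPemPasswordValid(((HcfKeyDecodingParamsSpec *)params)->password)) {
        LOGE("password is invalid.");
        return HCF_INVALID_PARAMS;
    }
```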