From 9bb32983fd5ed70f972272360ea7748637eeb9a6 Mon Sep 17 00:00:00 2001
From: kang1024
Date: Tue, 29 Jul 2025 16:06:09 +0800
Subject: [PATCH] =?UTF-8?q?1.=20=E5=A2=9E=E5=8A=A0bigint=E6=A0=A1=E9=AA=8C?= =?UTF-8?q?=EF=BC=8C=E8=B4=9F=E6=95=B0=E6=8A=9B=E5=87=BAINVALID=5FPARAMS?= =?UTF-8?q?=E5=BC=82=E5=B8=B8=EF=BC=9B2.=20=E4=BF=AE=E5=A4=8DDHKeyUtil?= =?UTF-8?q?=E5=92=8CECCKeyUtil=E4=B8=AD=E5=86=85=E5=AD=98=E9=87=8A?= =?UTF-8?q?=E6=94=BE=E6=8E=A5=E5=8F=A3=E4=BD=BF=E7=94=A8=E4=B8=8D=E6=AD=A3?= =?UTF-8?q?=E7=A1=AE=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: kang1024
---
 frameworks/js/ani/src/ani_dh_key_util.cpp | 3 +-
 frameworks/js/ani/src/ani_ecc_key_util.cpp | 3 +-
 frameworks/js/ani/src/ani_kdf.cpp | 28 ++++++++++++++-----
 .../crypto_operation/kdf/src/hkdf_openssl.c | 2 +-
 .../src/rsa_asy_key_generator_openssl.c | 20 ++++++++++++-
 5 files changed, 45 insertions(+), 11 deletions(-)
diff --git a/frameworks/js/ani/src/ani_dh_key_util.cpp b/frameworks/js/ani/src/ani_dh_key_util.cpp
index 740f1d9..4d86ff2 100644
--- a/frameworks/js/ani/src/ani_dh_key_util.cpp
+++ b/frameworks/js/ani/src/ani_dh_key_util.cpp
@@ -37,7 +37,8 @@ DHCommonParamsSpec GenDHCommonParamsSpec(int32_t pLen, optional_view sk
 dh.l = dhCommParamsSpec->length;
 BigIntegerToArrayU8(dhCommParamsSpec->p, dh.p);
 BigIntegerToArrayU8(dhCommParamsSpec->g, dh.g);
- HcfObjDestroy(dhCommParamsSpec);
+ FreeDhCommParamsSpec(dhCommParamsSpec);
+ HcfFree(dhCommParamsSpec);
 return dh;
 }
 } // namespace ANI::CryptoFramework
diff --git a/frameworks/js/ani/src/ani_ecc_key_util.cpp b/frameworks/js/ani/src/ani_ecc_key_util.cpp
index e2ab9c3..28f6c64 100644
--- a/frameworks/js/ani/src/ani_ecc_key_util.cpp
+++ b/frameworks/js/ani/src/ani_ecc_key_util.cpp
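Review bot: In GenDHCommonParamsSpec the new release pair `FreeDhCommParamsSpec(dhCommParamsSpec); HcfFree(dhCommParamsSpec);` carries no explanation of why `HcfObjDestroy` was the wrong call, so a later edit can easily bring it back; the same holds for the `FreeEccCommParamsSpec`/`HcfFree` pair in GenECCCommonParamsSpec. I would add a comment above each pair such as `// plain spec struct, not an HcfObjectBase: free the members, then the struct itself`, assuming that is the reason (the struct definitions are outside this diff). The release also sits only at the final exit visible here. The function starts outside the hunk, so these lines do not show whether an earlier return or a throwing `BigIntegerToArrayU8` can skip it.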
@@ -44,7 +44,8 @@ ECCCommonParamsSpec GenECCCommonParamsSpec(string_view curveName)
 BigIntegerToArrayU8(eccCommParamsSpec->g.x, ecc.g.x);
 BigIntegerToArrayU8(eccCommParamsSpec->g.y, ecc.g.y);
 BigIntegerToArrayU8(eccCommParamsSpec->n, ecc.n);
- HcfObjDestroy(eccCommParamsSpec);
+ FreeEccCommParamsSpec(eccCommParamsSpec);
+ HcfFree(eccCommParamsSpec);
 return ecc;
 }
diff --git a/frameworks/js/ani/src/ani_kdf.cpp b/frameworks/js/ani/src/ani_kdf.cpp
index c0611c9..08869d7 100644
--- a/frameworks/js/ani/src/ani_kdf.cpp
+++ b/frameworks/js/ani/src/ani_kdf.cpp
@@ -25,8 +25,11 @@ const std::string PBKDF2_ALG_NAME = "PBKDF2";
 const std::string HKDF_ALG_NAME = "HKDF";
 const std::string SCRYPT_ALG_NAME = "SCRYPT";
-void SetPBKDF2ParamsSpecAttribute(const PBKDF2Spec ¶ms, HcfPBKDF2ParamsSpec &pbkdf2Spec, HcfBlob &outBlob)
+bool SetPBKDF2ParamsSpecAttribute(const PBKDF2Spec ¶ms, HcfPBKDF2ParamsSpec &pbkdf2Spec, HcfBlob &outBlob)
 {
+ if (params.keySize < 0) {
+ return false;
+ }
 pbkdf2Spec.base.algName = params.base.algName.c_str();
 if (params.password.get_tag() == OptStrUint8Arr::tag_t::STRING) {
 StringToDataBlob(params.password.get_STRING_ref(), pbkdf2Spec.password);
@@ -39,10 +42,14 @@ void SetPBKDF2ParamsSpecAttribute(const PBKDF2Spec ¶ms, HcfPBKDF2ParamsSpec
 outBlob.data = static_cast(HcfMalloc(keySize, 0));
 outBlob.len = (outBlob.data == nullptr) ? 0 : keySize;
 pbkdf2Spec.output = outBlob;
+ return true;
 }
-void SetHkdfParamsSpecAttribute(const HKDFSpec ¶ms, HcfHkdfParamsSpec &hkdfSpec, HcfBlob &outBlob)
+bool SetHkdfParamsSpecAttribute(const HKDFSpec ¶ms, HcfHkdfParamsSpec &hkdfSpec, HcfBlob &outBlob)
 {
+ if (params.keySize < 0) {
+ return false;
+ }
 hkdfSpec.base.algName = params.base.algName.c_str();
 if (params.key.get_tag() == OptStrUint8Arr::tag_t::STRING) {
 StringToDataBlob(params.key.get_STRING_ref(), hkdfSpec.key);
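Review bot: SetPBKDF2ParamsSpecAttribute still reports success when the output allocation fails: after the `HcfMalloc(keySize, 0)` line a null result only sets `outBlob.len` to 0, and the function then ends with the added `return true`. Now that the setters return a status, I would add `if (outBlob.data == nullptr) { return false; }` after the allocation, or add a comment stating that the backend is expected to reject an empty output blob. The caller maps every `false` to HCF_INVALID_PARAMS, so a distinct error for allocation failure may be preferable. The same tail appears in SetHkdfParamsSpecAttribute and SetScryptParamsSpecAttribute. The added `params.keySize < 0` guard also admits 0 and sets no upper bound; the lines that derive the local `keySize` lie between the hunks, so any limit applied there is not visible.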
@@ -55,10 +62,14 @@ void SetHkdfParamsSpecAttribute(const HKDFSpec ¶ms, HcfHkdfParamsSpec &hkdfS
 outBlob.data = static_cast(HcfMalloc(keySize, 0));
 outBlob.len = (outBlob.data == nullptr) ? 0 : keySize;
 hkdfSpec.output = outBlob;
+ return true;
 }
-void SetScryptParamsSpecAttribute(const ScryptSpec ¶ms, HcfScryptParamsSpec &scryptSpec, HcfBlob &outBlob)
+bool SetScryptParamsSpecAttribute(const ScryptSpec ¶ms, HcfScryptParamsSpec &scryptSpec, HcfBlob &outBlob)
 {
+ if (params.keySize < 0 || params.n < 0 || params.r < 0 || params.p < 0 || params.maxMemory < 0) {
+ return false;
+ }
 scryptSpec.base.algName = params.base.algName.c_str();
 if (params.passphrase.get_tag() == OptStrUint8Arr::tag_t::STRING) {
 StringToDataBlob(params.passphrase.get_STRING_ref(), scryptSpec.passPhrase);
@@ -74,6 +85,7 @@ void SetScryptParamsSpecAttribute(const ScryptSpec ¶ms, HcfScryptParamsSpec
 outBlob.data = static_cast(HcfMalloc(keySize, 0));
 outBlob.len = (outBlob.data == nullptr) ? 0 : keySize;
 scryptSpec.output = outBlob;
+ return true;
 }
 } // namespace
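Review bot: The guard added to SetScryptParamsSpecAttribute, `params.keySize < 0 || params.n < 0 || params.r < 0 || params.p < 0 || params.maxMemory < 0`, rejects only negative values, so `n`, `r` and `p` equal to 0 still pass this layer. If the scrypt backend does not already reject them (not visible in this diff), the three cost parameters should be compared with `<= 0` here, leaving `maxMemory` at `< 0`. A one-line comment stating which layer owns the range checks, for example `// sign check only; value ranges are validated by the scrypt backend`, would make the intent clear either way.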
@@ -100,16 +112,18 @@ DataBlob KdfImpl::GenerateSecretSync(OptExtKdfSpec const& params)
 HcfScryptParamsSpec scryptSpec = {};
 HcfBlob outBlob = {};
 const std::string &algName = params.get_KDFSPEC_ref().algName.c_str();
+ bool flag = false;
 if (params.get_tag() == OptExtKdfSpec::tag_t::PBKDF2SPEC && algName == PBKDF2_ALG_NAME) {
- SetPBKDF2ParamsSpecAttribute(params.get_PBKDF2SPEC_ref(), pbkdf2Spec, outBlob);
+ flag = SetPBKDF2ParamsSpecAttribute(params.get_PBKDF2SPEC_ref(), pbkdf2Spec, outBlob);
 paramsSpec = reinterpret_cast(&pbkdf2Spec);
 } else if (params.get_tag() == OptExtKdfSpec::tag_t::HKDFSPEC && algName == HKDF_ALG_NAME) {
- SetHkdfParamsSpecAttribute(params.get_HKDFSPEC_ref(), hkdfSpec, outBlob);
+ flag = SetHkdfParamsSpecAttribute(params.get_HKDFSPEC_ref(), hkdfSpec, outBlob);
 paramsSpec = reinterpret_cast(&hkdfSpec);
 } else if (params.get_tag() == OptExtKdfSpec::tag_t::SCRYPTSPEC && algName == SCRYPT_ALG_NAME) {
- SetScryptParamsSpecAttribute(params.get_SCRYPTSPEC_ref(), scryptSpec, outBlob);
+ flag = SetScryptParamsSpecAttribute(params.get_SCRYPTSPEC_ref(), scryptSpec, outBlob);
 paramsSpec = reinterpret_cast(&scryptSpec);
- } else {
+ }
+ if (!flag) {
 ANI_LOGE_THROW(HCF_INVALID_PARAMS, "invalid kdf spec!");
 return {};
 }
diff --git a/plugin/openssl_plugin/crypto_operation/kdf/src/hkdf_openssl.c b/plugin/openssl_plugin/crypto_operation/kdf/src/hkdf_openssl.c
index 4f3f2b5..fd14e7c 100644
--- a/plugin/openssl_plugin/crypto_operation/kdf/src/hkdf_openssl.c
+++ b/plugin/openssl_plugin/crypto_operation/kdf/src/hkdf_openssl.c
@@ -97,7 +97,7 @@ static bool CheckHkdfParams(HcfHkdfParamsSpec *params)
 LOGE("beyond the length");
 return false;
 }
- if (params->key.data == NULL && params->key.len == 0) {
+ if (params->key.data == NULL || params->key.len == 0) {
 LOGE("check params failed, key is NULL");
 return false;
 }
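Review bot: The name `flag` in GenerateSecretSync does not say what it tracks, and the single `invalid kdf spec!` error now covers two different failures: no tag/algName branch matched, or a setter rejected a negative field. I would rename it, e.g. `bool specValid = false;`, and put a comment on the `if (!flag)` block such as `// no matching spec, or a numeric field was negative`. Separate messages for the two cases would also tell a caller which input to fix. The function continues outside the hunk on both sides.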
diff --git a/plugin/openssl_plugin/key/asy_key_generator/src/rsa_asy_key_generator_openssl.c b/plugin/openssl_plugin/key/asy_key_generator/src/rsa_asy_key_generator_openssl.c
index 162ef32..06cd3fd 100644
--- a/plugin/openssl_plugin/key/asy_key_generator/src/rsa_asy_key_generator_openssl.c
+++ b/plugin/openssl_plugin/key/asy_key_generator/src/rsa_asy_key_generator_openssl.c
@@ -36,6 +36,7 @@
 #define OPENSSL_BITS_PER_BYTE 8
 #define OPENSSL_RSA_KEYPAIR_CNT 3
 #define OPENSSL_RSA_KEYGEN_DEFAULT_PRIMES 2
+#define PASSWORD_MAX_LENGTH 4096
 #define MAX_KEY_SIZE 8192
 #define MIN_KEY_SIZE 512
 #define PRIMES_2 2
@@ -724,8 +725,18 @@ static HcfResult GetPriKeyEncodedPem(const HcfPriKey *self, HcfParamsSpec *param
 OpensslEvpPkeyFree(pkey);
 return HCF_NOT_SUPPORT;
 }
- cipher = EVP_CIPHER_fetch(NULL, cipherStr, NULL);
 passWord = (const char *)spec->password;
+ if (passWord == NULL) {
+ LOGE("passWord is NULL.");
+ OpensslEvpPkeyFree(pkey);
+ return HCF_INVALID_PARAMS;
+ }
+ if (strlen(passWord) == 0 || strlen(passWord) > PASSWORD_MAX_LENGTH) {
+ LOGE("passWord is invalid.");
+ OpensslEvpPkeyFree(pkey);
+ return HCF_INVALID_PARAMS;
+ }
+ cipher = EVP_CIPHER_fetch(NULL, cipherStr, NULL);
 result = GetPriKeyPem(format, pkey, cipher, passWord, returnString);
 EVP_CIPHER_free((EVP_CIPHER *)cipher);
 } else {
@@ -1213,6 +1224,13 @@ static HcfResult EngineConvertPemKey(HcfAsyKeyGeneratorSpi *self, HcfParamsSpec
 LOGE("ConvertPemKeyParams is invalid.");
 return HCF_INVALID_PARAMS;
 }
+ if (params != NULL) {
+ HcfKeyDecodingParamsSpec *spec = (HcfKeyDecodingParamsSpec *)params;
+ if (spec->password == NULL || strlen(spec->password) == 0 || strlen(spec->password) > PASSWORD_MAX_LENGTH) {
+ LOGE("password is invalid.");
+ return HCF_INVALID_PARAMS;
+ }
+ }
 if (!HcfIsClassMatch((HcfObjectBase *)self, OPENSSL_RSA_GENERATOR_CLASS)) {
 LOGE("Class not match.");
 return HCF_INVALID_PARAMS;
-- Gitee
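Review bot: The length check added to GetPriKeyEncodedPem calls `strlen(passWord)` twice and scans the whole caller-supplied string before comparing it with PASSWORD_MAX_LENGTH, so the limit does not bound the scan itself. A single bounded call covers both tests: `size_t pwLen = strnlen(passWord, PASSWORD_MAX_LENGTH + 1);` followed by `if (pwLen == 0 || pwLen > PASSWORD_MAX_LENGTH) {`. The block added to EngineConvertPemKey has the same pattern, with `strlen(spec->password)` written twice. The early returns in this hunk each repeat `OpensslEvpPkeyFree(pkey)`. The function body extends beyond the hunk, so I cannot tell from here whether a shared cleanup path already exists.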
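Review bot: The block added to EngineConvertPemKey treats any non-NULL `params` as an HcfKeyDecodingParamsSpec and rejects it when `spec->password == NULL`, so a caller that supplies a params object without a password now gets HCF_INVALID_PARAMS. If that is intended it deserves a comment, e.g. `// a decoding spec, when supplied, must carry a non-empty password of at most PASSWORD_MAX_LENGTH bytes`. If unencrypted PEM input can arrive together with a params object (not determinable from this hunk), the NULL case should pass through instead. The cast also runs before the `HcfIsClassMatch` check on `self` that follows it, and moving the new block below that check would keep all argument inspection behind the class check. The function continues outside the hunk.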