X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=crypto%2Fevp%2Fp5_crpt2.c;h=dca05148672d5b96897d3e6f01be3078c80f4013;hp=6c4b3eaf347afb940b6f7f4c5d87f6040b4c12d1;hb=27545970134d703ed96027aac9b67eced124eec3;hpb=581f1c84940d77451c2592e9fa470893f6c3c3eb

diff --git a/crypto/evp/p5_crpt2.c b/crypto/evp/p5_crpt2.c
index 6c4b3eaf34..dca0514867 100644
--- a/crypto/evp/p5_crpt2.c
+++ b/crypto/evp/p5_crpt2.c
@@ -55,13 +55,13 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
-#if !defined(OPENSSL_NO_HMAC) && !defined(OPENSSL_NO_SHA)
 #include <stdio.h>
 #include <stdlib.h>
+#include "cryptlib.h"
+#if !defined(OPENSSL_NO_HMAC) && !defined(OPENSSL_NO_SHA)
 #include <openssl/x509.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
-#include "cryptlib.h"
 
 /* set this to print out info about the keygen algorithm */
 /* #define DEBUG_PKCS5V2 */
@@ -100,7 +100,7 @@ int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
 		itmp[1] = (unsigned char)((i >> 16) & 0xff);
 		itmp[2] = (unsigned char)((i >> 8) & 0xff);
 		itmp[3] = (unsigned char)(i & 0xff);
-		HMAC_Init(&hctx, pass, passlen, EVP_sha1());
+		HMAC_Init_ex(&hctx, pass, passlen, EVP_sha1(), NULL);
 		HMAC_Update(&hctx, salt, saltlen);
 		HMAC_Update(&hctx, itmp, 4);
 		HMAC_Final(&hctx, digtmp, NULL);
@@ -149,7 +149,8 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
                          int en_de)
 {
 	unsigned char *pbuf, *salt, key[EVP_MAX_KEY_LENGTH];
-	int saltlen, keylen, iter, plen;
+	int saltlen, iter, plen;
+	unsigned int keylen;
 	PBE2PARAM *pbe2 = NULL;
 	const EVP_CIPHER *cipher;
 	PBKDF2PARAM *kdf = NULL;
@@ -190,6 +191,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 		goto err;
 	}
 	keylen = EVP_CIPHER_CTX_key_length(ctx);
+	OPENSSL_assert(keylen <= sizeof key);
 
 	/* Now decode key derivation function */
 
@@ -207,7 +209,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 
 	/* Now check the parameters of the kdf */
 
-	if(kdf->keylength && (ASN1_INTEGER_get(kdf->keylength) != keylen)){
+	if(kdf->keylength && (ASN1_INTEGER_get(kdf->keylength) != (int)keylen)){
 		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
 						EVP_R_UNSUPPORTED_KEYLENGTH);
 		goto err;
@@ -230,7 +232,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 	iter = ASN1_INTEGER_get(kdf->iter);
 	PKCS5_PBKDF2_HMAC_SHA1(pass, passlen, salt, saltlen, iter, keylen, key);
 	EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
-	memset(key, 0, keylen);
+	OPENSSL_cleanse(key, keylen);
 	PBKDF2PARAM_free(kdf);
 	return 1;