Make sure we get the definition of OPENSSL_NO_AES.

[oweals/openssl.git] / crypto / evp / p5_crpt2.c

diff --git a/crypto/evp/p5_crpt2.c b/crypto/evp/p5_crpt2.c
index 7881860b53eee7690d4c1ccab331eb053682bc1d..1f94e1ef88b26ed56da7c3e42d115c3d29a4d862 100644 (file)
--- a/crypto/evp/p5_crpt2.c
+++ b/crypto/evp/p5_crpt2.c
@@ -58,10 +58,10 @@
 #if !defined(OPENSSL_NO_HMAC) && !defined(OPENSSL_NO_SHA)
 #include <stdio.h>
 #include <stdlib.h>
+#include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
-#include "cryptlib.h"
 
 /* set this to print out info about the keygen algorithm */
 /* #define DEBUG_PKCS5V2 */
@@ -190,6 +190,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
                goto err;
        }
        keylen = EVP_CIPHER_CTX_key_length(ctx);
+       OPENSSL_assert(keylen <= sizeof key);
 
        /* Now decode key derivation function */
 
@@ -230,7 +231,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
        iter = ASN1_INTEGER_get(kdf->iter);
        PKCS5_PBKDF2_HMAC_SHA1(pass, passlen, salt, saltlen, iter, keylen, key);
        EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
-       memset(key, 0, keylen);
+       OPENSSL_cleanse(key, keylen);
        PBKDF2PARAM_free(kdf);
        return 1;