X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=crypto%2Fevp%2Fp5_crpt2.c;h=1f94e1ef88b26ed56da7c3e42d115c3d29a4d862;hb=8c84b677e29487b168a700a917dcf58d377a2fba;hp=7881860b53eee7690d4c1ccab331eb053682bc1d;hpb=de941e289e5d320d2e3258b0ebf71562830aaabc;p=oweals%2Fopenssl.git

diff --git a/crypto/evp/p5_crpt2.c b/crypto/evp/p5_crpt2.c
index 7881860b53..1f94e1ef88 100644
--- a/crypto/evp/p5_crpt2.c
+++ b/crypto/evp/p5_crpt2.c
@@ -58,10 +58,10 @@
 #if !defined(OPENSSL_NO_HMAC) && !defined(OPENSSL_NO_SHA)
 #include <stdio.h>
 #include <stdlib.h>
+#include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
-#include "cryptlib.h"
 
 /* set this to print out info about the keygen algorithm */
 /* #define DEBUG_PKCS5V2 */
@@ -190,6 +190,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 		goto err;
 	}
 	keylen = EVP_CIPHER_CTX_key_length(ctx);
+	OPENSSL_assert(keylen <= sizeof key);
 
 	/* Now decode key derivation function */
 
@@ -230,7 +231,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 	iter = ASN1_INTEGER_get(kdf->iter);
 	PKCS5_PBKDF2_HMAC_SHA1(pass, passlen, salt, saltlen, iter, keylen, key);
 	EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
-	memset(key, 0, keylen);
+	OPENSSL_cleanse(key, keylen);
 	PBKDF2PARAM_free(kdf);
 	return 1;