diff -u -p a/apps/apps.c b/apps/apps.c
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -612,13 +612,13 @@ int password_callback(char *buf, int buf
 			{
 			BIO_printf(bio_err, "User interface error\n");
 			ERR_print_errors(bio_err);
-			OPENSSL_cleanse(buf,(unsigned int)bufsiz);
+			OPENSSL_cleanse(buf, buflen);
 			res = 0;
 			}
 		if (ok == -2)
 			{
 			BIO_printf(bio_err,"aborted!\n");
-			OPENSSL_cleanse(buf,(unsigned int)bufsiz);
+			OPENSSL_cleanse(buf, buflen);
 			res = 0;
 			}
 		UI_free(ui);
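Review bot: `buflen` in the two new `OPENSSL_cleanse(buf, buflen);` calls is not declared anywhere in the visible lines, and the calls they replace sized the wipe from `bufsiz`. If `buflen` is not in scope in `password_callback` this does not compile. If it is some other quantity, such as the length of what was typed rather than the capacity of `buf`, the error and abort paths may leave part of the passphrase buffer uncleansed. Unless `buflen` is known to be the capacity of `buf`, I would keep the length tied to the parameter, e.g. `OPENSSL_cleanse(buf, (size_t)bufsiz);`. The function's signature and the rest of its body lie outside this hunk, so this needs checking against the full definition.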
diff -u -p a/crypto/des/des.c b/crypto/des/des.c
--- a/crypto/des/des.c
+++ b/crypto/des/des.c
@@ -666,8 +666,8 @@ void doencryption(void)
 		if (l) fclose(CKSUM_OUT);
 		}
 problems:
-	OPENSSL_cleanse(buf,sizeof(buf));
-	OPENSSL_cleanse(obuf,sizeof(obuf));
+	OPENSSL_cleanse(buf, BUFSIZE + 8);
+	OPENSSL_cleanse(obuf, BUFSIZE + 8);
 	OPENSSL_cleanse(&ks,sizeof(ks));
 	OPENSSL_cleanse(&ks2,sizeof(ks2));
 	OPENSSL_cleanse(iv,sizeof(iv));
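Review bot: Replacing `sizeof(buf)` and `sizeof(obuf)` with the literal `BUFSIZE + 8` ties the wipe length to a hand-copied array bound instead of the objects themselves. A later change to either declaration would then silently under-wipe the key material or write past the array. The neighbouring calls at the same `problems:` label still use `sizeof(ks)`, `sizeof(ks2)` and `sizeof(iv)`, so the new form is also inconsistent with them. The declarations of `buf` and `obuf` are outside the hunk; assuming they are arrays, I would keep `OPENSSL_cleanse(buf, sizeof(buf));` and `OPENSSL_cleanse(obuf, sizeof(obuf));`.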
diff -u -p a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -396,7 +396,8 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d,
 		 * NOT taken from the BytesToKey function */
 		EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL);
 
-		if (kstr == (unsigned char *)buf) OPENSSL_cleanse(buf,PEM_BUFSIZE);
+		if (kstr == (unsigned char *)buf) OPENSSL_cleanse(buf,
+								  PEM_BUFSIZE * 8);
 
 		OPENSSL_assert(strlen(objstr)+23+2*enc->iv_len+13 <= sizeof buf);
 
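Review bot: The new length `PEM_BUFSIZE * 8` is eight times what the replaced call wiped, and the `OPENSSL_assert(... <= sizeof buf)` line just below shows `buf` is a fixed-size array. If that array is still `PEM_BUFSIZE` bytes (its declaration is outside the hunk), this cleanse writes well past the end of `buf` and zeroes adjacent memory, which is an out-of-bounds write on a path that handles the passphrase. The `err:` hunk further down has the same problem with `OPENSSL_cleanse(buf, PEM_BUFSIZE * 8);`. Sizing both calls from the object, `OPENSSL_cleanse(buf, sizeof buf);`, keeps the wipe exactly as large as the buffer.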
@@ -424,7 +425,7 @@ err:
 	OPENSSL_cleanse(key,sizeof(key));
 	OPENSSL_cleanse(iv,sizeof(iv));
 	OPENSSL_cleanse((char *)&ctx,sizeof(ctx));
-	OPENSSL_cleanse(buf,PEM_BUFSIZE);
+	OPENSSL_cleanse(buf, PEM_BUFSIZE * 8);
 	if (data != NULL)
 		{
 		OPENSSL_cleanse(data,(unsigned int)dsize);
diff -u -p a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c
--- a/crypto/pkcs12/p12_decr.c
+++ b/crypto/pkcs12/p12_decr.c
@@ -144,7 +144,8 @@ void * PKCS12_item_decrypt_d2i(X509_ALGO
 	}
 #endif
 	ret = ASN1_item_d2i(NULL, &p, outlen, it);
-	if (zbuf) OPENSSL_cleanse(out, outlen);
+	if (zbuf) OPENSSL_cleanse(out,
+				  inlen + EVP_CIPHER_CTX_block_size(&ctx));
 	if(!ret) PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,PKCS12_R_DECODE_ERROR);
 	OPENSSL_free(out);
 	return ret;
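Review bot: The new cleanse length `inlen + EVP_CIPHER_CTX_block_size(&ctx)` uses `inlen` and `ctx`, neither of which appears in the visible lines of `PKCS12_item_decrypt_d2i`; the surrounding code works only with `out` and `outlen`. If they are not in scope here this does not compile, and if `ctx` is a cipher context that has already been cleaned up, the block-size query is not meaningful. The length passed to `OPENSSL_cleanse` must also never exceed the allocation behind `out`, which this hunk gives no way to confirm. If the intent is to wipe the whole allocation rather than only the `outlen` decrypted bytes, the allocated size should be handed back by whatever allocates `out`; otherwise keep `if (zbuf) OPENSSL_cleanse(out, outlen);`. The start of the function is outside the hunk.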
