Fix some warnings in static analysis.

lib/luks2/luks2_digest_pbkdf2.c

@@ -131,8 +131,8 @@ static int PBKDF2_digest_store(struct crypt_device *cd,
 	}
 
 	hmac_size = crypt_hmac_size(pbkdf.hash);
-	if (hmac_size < 0)
-		return hmac_size;
+	if (hmac_size < 0 || hmac_size > (int)sizeof(digest_raw))
+		return -EINVAL;
 
 	r = crypt_pbkdf(CRYPT_KDF_PBKDF2, pbkdf.hash, volume_key, volume_key_len,
 			salt, LUKS_SALTSIZE, digest_raw, hmac_size,

lib/luks2/luks2_reencrypt.c

@@ -2680,8 +2680,10 @@ static int _reencrypt_init_by_passphrase(struct crypt_device *cd,
 	uint32_t flags = params ? params->flags : 0;
 
 	if (cipher) {
-		r = LUKS2_check_cipher(cd, crypt_keyslot_get_key_size(cd, keyslot_new),
-			       cipher, cipher_mode);
+		r = crypt_keyslot_get_key_size(cd, keyslot_new);
+		if (r < 0)
+			return r;
+		r = LUKS2_check_cipher(cd, r, cipher, cipher_mode);
 		if (r < 0)
 			return r;
 	}

lib/luks2/luks2_token.c

@@ -347,7 +347,7 @@ static int LUKS2_keyslot_open_by_token(struct crypt_device *cd,
 {
 	const crypt_token_handler *h;
 	json_object *jobj_token, *jobj_token_keyslots, *jobj;
-	const char *num = NULL;
+	unsigned int num = 0;
 	int i, r;
 
 	if (!(h = LUKS2_token_handler(cd, token)))
@@ -365,15 +365,15 @@ static int LUKS2_keyslot_open_by_token(struct crypt_device *cd,
 	r = -EINVAL;
 	for (i = 0; i < (int) json_object_array_length(jobj_token_keyslots) && r < 0; i++) {
 		jobj = json_object_array_get_idx(jobj_token_keyslots, i);
-		num = json_object_get_string(jobj);
-		log_dbg(cd, "Trying to open keyslot %s with token %d (type %s).", num, token, h->name);
-		r = LUKS2_keyslot_open(cd, atoi(num), segment, buffer, buffer_len, vk);
+		num = atoi(json_object_get_string(jobj));
+		log_dbg(cd, "Trying to open keyslot %u with token %d (type %s).", num, token, h->name);
+		r = LUKS2_keyslot_open(cd, num, segment, buffer, buffer_len, vk);
 	}
 
-	if (r >= 0 && num)
-		return atoi(num);
+	if (r < 0)
+		return r;
 
-	return r;
+	return num;
 }
 
 int LUKS2_token_open_and_activate(struct crypt_device *cd,