rgw: add some missed FIPS zeroization calls.

Signed-off-by: Radoslaw Zarzynski <rzarzyns@redhat.com>
(cherry picked from commit 32c84d4d35e599f6a510820b86a535a838ca2941)

diff --git a/src/rgw/rgw_ldap.cc b/src/rgw/rgw_ldap.cc
index 9e7156fc52bd6f1907ee964c10df949d5aad1715..f2009b063cfa19d4a38ec3fbd23f0f5aed500a7e 100644 (file)
--- a/src/rgw/rgw_ldap.cc
+++ b/src/rgw/rgw_ldap.cc
@@ -3,6 +3,7 @@
 
 #include "rgw_ldap.h"
 
+#include "common/ceph_crypto.h"
 #include "common/ceph_context.h"
 #include "common/common_init.h"
 #include "common/dout.h"
@@ -35,6 +36,7 @@ std::string parse_rgw_ldap_bindpw(CephContext* ctx)
         if (ldap_bindpw.back() == '\n')
           ldap_bindpw.pop_back();
       }
+      ::ceph::crypto::zeroize_for_security(bindpw, sizeof(bindpw));
   }
 
   return ldap_bindpw;

diff --git a/src/rgw/rgw_swift_auth.cc b/src/rgw/rgw_swift_auth.cc
index 207c8eaad45ca49fa3b7f08e4f5f54bd0c0a5ccf..eb0264a370fbaa2d4b386892260bd8fbd5a7581a 100644 (file)
--- a/src/rgw/rgw_swift_auth.cc
+++ b/src/rgw/rgw_swift_auth.cc
@@ -483,6 +483,7 @@ static int build_token(const string& swift_user,
     k[i % CEPH_CRYPTO_HMACSHA1_DIGESTSIZE] |= *s;
   }
   calc_hmac_sha1(k, sizeof(k), bl.c_str(), bl.length(), p.c_str());
+  ::ceph::crypto::zeroize_for_security(k, sizeof(k));
 
   bl.append(p);
 

diff --git a/src/rgw/rgw_torrent.cc b/src/rgw/rgw_torrent.cc
index 57c3f944c3fb65e61593747e84312bde77ad2ee2..3fca9ba99f108834ed1ff1ae74f487781051c829 100644 (file)
--- a/src/rgw/rgw_torrent.cc
+++ b/src/rgw/rgw_torrent.cc
@@ -173,6 +173,7 @@ void seed::sha1(SHA1 *h, bufferlist &bl, off_t bl_len)
     h->Final((unsigned char *)sha);
     set_info_pieces(sha);
   }
+  ::ceph::crypto::zeroize_for_security(sha, sizeof(sha));
 }
 
 int seed::get_params()