auth: audit memset & bzero users for FIPS.

This commit add comments after auditing a subset of
`memset` and `bzero` users found basing on the GCC's
`deprecated` attribute:
https://gist.github.com/rzarzynski/db9b4ca6b3d409d2ab8d38f4d6678063.

Signed-off-by: Radoslaw Zarzynski <rzarzyns@redhat.com>
(cherry picked from commit 947931db7bca4f10fd461ebf727e06587af3c393)

diff --git a/src/auth/Crypto.cc b/src/auth/Crypto.cc
index 8b355bf1142301c112509334876102f8f79cab66..7c376a65a0c874da2d002ec95e5d552ba6317c9d 100644 (file)
--- a/src/auth/Crypto.cc
+++ b/src/auth/Crypto.cc
@@ -253,6 +253,8 @@ public:
     // let's pad the data
     std::uint8_t pad_len = out_tmp.length() - in.length();
     ceph::bufferptr pad_buf{pad_len};
+    // FIPS zeroization audit 20191115: this memset is not intended to
+    // wipe out a secret after use.
     memset(pad_buf.c_str(), pad_len, pad_len);
 
     // form contiguous buffer for block cipher. The ctor copies shallowly.
@@ -328,6 +330,8 @@ public:
 
     std::array<unsigned char, AES_BLOCK_LEN> last_block;
     memcpy(last_block.data(), in.buf + in.length - tail_len, tail_len);
+    // FIPS zeroization audit 20191115: this memset is not intended to
+    // wipe out a secret after use.
     memset(last_block.data() + tail_len, pad_len, pad_len);
 
     // need a local copy because AES_cbc_encrypt takes `iv` as non-const.