From cccb3ec4e724c5a151821d85f1567e5a6a18863b Mon Sep 17 00:00:00 2001
From: Radoslaw Zarzynski <rzarzyns@redhat.com>
Date: Fri, 15 Nov 2019 23:25:32 +0100
Subject: [PATCH] common: switch to ceph::crypto::zeroize_for_security().

Signed-off-by: Radoslaw Zarzynski <rzarzyns@redhat.com>
(cherry picked from commit a5e19234eda35688782318da16e74de05c8ba9d3)
---
 src/common/ceph_crypto.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/common/ceph_crypto.h b/src/common/ceph_crypto.h
index dda3306b2a60e..03351eb4053b1 100644
--- a/src/common/ceph_crypto.h
+++ b/src/common/ceph_crypto.h
@@ -244,7 +244,9 @@ namespace ceph::crypto::ssl {
   public:
     HMAC (const EVP_MD *type, const unsigned char *key, size_t length)
       : mpType(type) {
-      ::memset(&mContext, 0, sizeof(mContext));
+      // the strict FIPS zeroization doesn't seem to be necessary here.
+      // just in the case.
+      ::ceph::crypto::zeroize_for_security(&mContext, sizeof(mContext));
       const auto r = HMAC_Init_ex(&mContext, key, length, mpType, nullptr);
       if (r != 1) {
 	  throw DigestException("HMAC_Init_ex() failed");
-- 
2.39.5