From d4f7430b6215c1e091a0736bbdd143ea622d5a2b Mon Sep 17 00:00:00 2001
From: Radoslaw Zarzynski <rzarzyns@redhat.com>
Date: Fri, 15 Nov 2019 16:42:12 +0100
Subject: [PATCH] auth: audit memset & bzero users for FIPS.

This commit add comments after auditing a subset of
`memset` and `bzero` users found basing on the GCC's
`deprecated` attribute:
https://gist.github.com/rzarzynski/db9b4ca6b3d409d2ab8d38f4d6678063.

Signed-off-by: Radoslaw Zarzynski <rzarzyns@redhat.com>
(cherry picked from commit 947931db7bca4f10fd461ebf727e06587af3c393)
---
 src/auth/Crypto.cc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/auth/Crypto.cc b/src/auth/Crypto.cc
index 8b355bf114230..7c376a65a0c87 100644
--- a/src/auth/Crypto.cc
+++ b/src/auth/Crypto.cc
@@ -253,6 +253,8 @@ public:
     // let's pad the data
     std::uint8_t pad_len = out_tmp.length() - in.length();
     ceph::bufferptr pad_buf{pad_len};
+    // FIPS zeroization audit 20191115: this memset is not intended to
+    // wipe out a secret after use.
     memset(pad_buf.c_str(), pad_len, pad_len);
 
     // form contiguous buffer for block cipher. The ctor copies shallowly.
@@ -328,6 +330,8 @@ public:
 
     std::array<unsigned char, AES_BLOCK_LEN> last_block;
     memcpy(last_block.data(), in.buf + in.length - tail_len, tail_len);
+    // FIPS zeroization audit 20191115: this memset is not intended to
+    // wipe out a secret after use.
     memset(last_block.data() + tail_len, pad_len, pad_len);
 
     // need a local copy because AES_cbc_encrypt takes `iv` as non-const.
-- 
2.39.5