import new upstream nautilus stable release 14.2.8

[ceph.git] / ceph / src / rgw / rgw_swift_auth.cc

diff --git a/ceph/src/rgw/rgw_swift_auth.cc b/ceph/src/rgw/rgw_swift_auth.cc
index dcd6758f3e90171485e0b9848b509a40edf589d9..eb0264a370fbaa2d4b386892260bd8fbd5a7581a 100644 (file)
--- a/ceph/src/rgw/rgw_swift_auth.cc
+++ b/ceph/src/rgw/rgw_swift_auth.cc
@@ -475,12 +475,15 @@ static int build_token(const string& swift_user,
   dout(20) << "build_token token=" << buf << dendl;
 
   char k[CEPH_CRYPTO_HMACSHA1_DIGESTSIZE];
+  // FIPS zeroization audit 20191116: this memset is not intended to
+  // wipe out a secret after use.
   memset(k, 0, sizeof(k));
   const char *s = key.c_str();
   for (int i = 0; i < (int)key.length(); i++, s++) {
     k[i % CEPH_CRYPTO_HMACSHA1_DIGESTSIZE] |= *s;
   }
   calc_hmac_sha1(k, sizeof(k), bl.c_str(), bl.length(), p.c_str());
+  ::ceph::crypto::zeroize_for_security(k, sizeof(k));
 
   bl.append(p);