diff --git a/.github/workflows/go-fips.yml b/.github/workflows/go-fips.yml deleted file mode 100644 index 39d65e353..000000000 --- a/.github/workflows/go-fips.yml +++ /dev/null @@ -1,59 +0,0 @@ -name: FIPS Build Test - -on: - pull_request: - branches: - - master - -# This ensures that previous jobs for the PR are canceled when the PR is -# updated. -concurrency: - group: ${{ github.workflow }}-${{ github.head_ref }} - cancel-in-progress: true - -permissions: - contents: read - -jobs: - build: - name: Go BoringCrypto ${{ matrix.go-version }} on ${{ matrix.os }} - runs-on: ${{ matrix.os }} - strategy: - matrix: - go-version: [1.24.x] - os: [ubuntu-latest] - steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 - with: - go-version: ${{ matrix.go-version }} - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 - - - name: Setup dockerfile for build test - run: | - GO_VERSION=$(go version | cut -d ' ' -f 3 | sed 's/go//') - echo Detected go version $GO_VERSION - cat > Dockerfile.fips.test < - they are only published for `linux-amd64` architecture as binary files with the suffix `.fips`. We also publish corresponding container images to our official image repositories. - -We are not making any statements or representations about the suitability of this code or build in relation to the FIPS 140-2 standard. Interested users will have to evaluate for themselves whether this is useful for their own purposes. diff --git a/cmd/bucket-metadata.go b/cmd/bucket-metadata.go index d0132c1c9..dca5c9e77 100644 --- a/cmd/bucket-metadata.go +++ b/cmd/bucket-metadata.go @@ -38,7 +38,6 @@ import ( "github.com/minio/minio/internal/bucket/versioning" "github.com/minio/minio/internal/crypto" "github.com/minio/minio/internal/event" - "github.com/minio/minio/internal/fips" "github.com/minio/minio/internal/kms" "github.com/minio/minio/internal/logger" "github.com/minio/pkg/v3/policy" @@ -556,7 +555,7 @@ func encryptBucketMetadata(ctx context.Context, bucket string, input []byte, kms objectKey := crypto.GenerateKey(key.Plaintext, rand.Reader) sealedKey := objectKey.Seal(key.Plaintext, crypto.GenerateIV(rand.Reader), crypto.S3.String(), bucket, "") crypto.S3.CreateMetadata(metadata, key.KeyID, key.Ciphertext, sealedKey) - _, err = sio.Encrypt(outbuf, bytes.NewBuffer(input), sio.Config{Key: objectKey[:], MinVersion: sio.Version20, CipherSuites: fips.DARECiphers()}) + _, err = sio.Encrypt(outbuf, bytes.NewBuffer(input), sio.Config{Key: objectKey[:], MinVersion: sio.Version20}) if err != nil { return output, metabytes, err } @@ -590,6 +589,6 @@ func decryptBucketMetadata(input []byte, bucket string, meta map[string]string, } outbuf := bytes.NewBuffer(nil) - _, err = sio.Decrypt(outbuf, bytes.NewBuffer(input), sio.Config{Key: objectKey[:], MinVersion: sio.Version20, CipherSuites: fips.DARECiphers()}) + _, err = sio.Decrypt(outbuf, bytes.NewBuffer(input), sio.Config{Key: objectKey[:], MinVersion: sio.Version20}) return outbuf.Bytes(), err } diff --git a/cmd/encryption-v1.go b/cmd/encryption-v1.go index 9935ff9bd..47c801450 100644 --- a/cmd/encryption-v1.go +++ b/cmd/encryption-v1.go @@ -37,7 +37,6 @@ import ( "github.com/minio/kms-go/kes" "github.com/minio/minio/internal/crypto" "github.com/minio/minio/internal/etag" - "github.com/minio/minio/internal/fips" "github.com/minio/minio/internal/hash" "github.com/minio/minio/internal/hash/sha256" xhttp "github.com/minio/minio/internal/http" @@ -427,7 +426,7 @@ func newEncryptReader(ctx context.Context, content io.Reader, kind crypto.Type, return nil, crypto.ObjectKey{}, err } - reader, err := sio.EncryptReader(content, sio.Config{Key: objectEncryptionKey[:], MinVersion: sio.Version20, CipherSuites: fips.DARECiphers()}) + reader, err := sio.EncryptReader(content, sio.Config{Key: objectEncryptionKey[:], MinVersion: sio.Version20}) if err != nil { return nil, crypto.ObjectKey{}, crypto.ErrInvalidCustomerKey } @@ -570,7 +569,6 @@ func newDecryptReaderWithObjectKey(client io.Reader, objectEncryptionKey []byte, reader, err := sio.DecryptReader(client, sio.Config{ Key: objectEncryptionKey, SequenceNumber: seqNumber, - CipherSuites: fips.DARECiphers(), }) if err != nil { return nil, crypto.ErrInvalidCustomerKey @@ -1062,7 +1060,7 @@ func metadataEncrypter(key crypto.ObjectKey) objectMetaEncryptFn { var buffer bytes.Buffer mac := hmac.New(sha256.New, key[:]) mac.Write([]byte(baseKey)) - if _, err := sio.Encrypt(&buffer, bytes.NewReader(data), sio.Config{Key: mac.Sum(nil), CipherSuites: fips.DARECiphers()}); err != nil { + if _, err := sio.Encrypt(&buffer, bytes.NewReader(data), sio.Config{Key: mac.Sum(nil)}); err != nil { logger.CriticalIf(context.Background(), errors.New("unable to encrypt using object key")) } return buffer.Bytes() @@ -1085,7 +1083,7 @@ func (o *ObjectInfo) metadataDecrypter(h http.Header) objectMetaDecryptFn { } mac := hmac.New(sha256.New, key) mac.Write([]byte(baseKey)) - return sio.DecryptBuffer(nil, input, sio.Config{Key: mac.Sum(nil), CipherSuites: fips.DARECiphers()}) + return sio.DecryptBuffer(nil, input, sio.Config{Key: mac.Sum(nil)}) } } diff --git a/cmd/grid.go b/cmd/grid.go index a2c8f3973..0b442267c 100644 --- a/cmd/grid.go +++ b/cmd/grid.go @@ -22,7 +22,7 @@ import ( "crypto/tls" "sync/atomic" - "github.com/minio/minio/internal/fips" + "github.com/minio/minio/internal/crypto" "github.com/minio/minio/internal/grid" xhttp "github.com/minio/minio/internal/http" "github.com/minio/minio/internal/rest" @@ -52,8 +52,8 @@ func initGlobalGrid(ctx context.Context, eps EndpointServerPools) error { newCachedAuthToken(), &tls.Config{ RootCAs: globalRootCAs, - CipherSuites: fips.TLSCiphers(), - CurvePreferences: fips.TLSCurveIDs(), + CipherSuites: crypto.TLSCiphers(), + CurvePreferences: crypto.TLSCurveIDs(), }), Local: local, Hosts: hosts, @@ -85,8 +85,8 @@ func initGlobalLockGrid(ctx context.Context, eps EndpointServerPools) error { newCachedAuthToken(), &tls.Config{ RootCAs: globalRootCAs, - CipherSuites: fips.TLSCiphers(), - CurvePreferences: fips.TLSCurveIDs(), + CipherSuites: crypto.TLSCiphers(), + CurvePreferences: crypto.TLSCurveIDs(), }, grid.RouteLockPath), Local: local, Hosts: hosts, diff --git a/cmd/object-multipart-handlers.go b/cmd/object-multipart-handlers.go index f074638c5..e6db2a9db 100644 --- a/cmd/object-multipart-handlers.go +++ b/cmd/object-multipart-handlers.go @@ -42,7 +42,6 @@ import ( "github.com/minio/minio/internal/crypto" "github.com/minio/minio/internal/etag" "github.com/minio/minio/internal/event" - "github.com/minio/minio/internal/fips" "github.com/minio/minio/internal/handlers" "github.com/minio/minio/internal/hash" "github.com/minio/minio/internal/hash/sha256" @@ -527,9 +526,8 @@ func (api objectAPIHandlers) CopyObjectPartHandler(w http.ResponseWriter, r *htt partEncryptionKey := objectEncryptionKey.DerivePartKey(uint32(partID)) encReader, err := sio.EncryptReader(reader, sio.Config{ - Key: partEncryptionKey[:], - CipherSuites: fips.DARECiphers(), - Nonce: &nonce, + Key: partEncryptionKey[:], + Nonce: &nonce, }) if err != nil { writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL) @@ -825,9 +823,8 @@ func (api objectAPIHandlers) PutObjectPartHandler(w http.ResponseWriter, r *http copy(nonce[:], tmp[:12]) reader, err = sio.EncryptReader(in, sio.Config{ - Key: partEncryptionKey[:], - CipherSuites: fips.DARECiphers(), - Nonce: &nonce, + Key: partEncryptionKey[:], + Nonce: &nonce, }) if err != nil { writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL) diff --git a/cmd/update.go b/cmd/update.go index 174be7ae2..2965c38e1 100644 --- a/cmd/update.go +++ b/cmd/update.go @@ -50,8 +50,13 @@ const ( updateTimeout = 10 * time.Second ) -// For windows our files have .exe additionally. -var minioReleaseWindowsInfoURL = MinioReleaseURL + "minio.exe.sha256sum" +var ( + // Newer official download info URLs appear earlier below. + minioReleaseInfoURL = MinioReleaseURL + "minio.sha256sum" + + // For windows our files have .exe additionally. + minioReleaseWindowsInfoURL = MinioReleaseURL + "minio.exe.sha256sum" +) // minioVersionToReleaseTime - parses a standard official release // MinIO version string. diff --git a/cmd/update_fips.go b/cmd/update_fips.go deleted file mode 100644 index d14c1d5ce..000000000 --- a/cmd/update_fips.go +++ /dev/null @@ -1,24 +0,0 @@ -//go:build fips -// +build fips - -// Copyright (c) 2015-2021 MinIO, Inc. -// -// This file is part of MinIO Object Storage stack -// -// This program is free software: you can redistribute it and/or modify -// it under the terms of the GNU Affero General Public License as published by -// the Free Software Foundation, either version 3 of the License, or -// (at your option) any later version. -// -// This program is distributed in the hope that it will be useful -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU Affero General Public License for more details. -// -// You should have received a copy of the GNU Affero General Public License -// along with this program. If not, see . - -package cmd - -// Newer official download info URLs appear earlier below. -var minioReleaseInfoURL = MinioReleaseURL + "minio.fips.sha256sum" diff --git a/cmd/update_nofips.go b/cmd/update_nofips.go deleted file mode 100644 index baeabc6e3..000000000 --- a/cmd/update_nofips.go +++ /dev/null @@ -1,24 +0,0 @@ -//go:build !fips -// +build !fips - -// Copyright (c) 2015-2021 MinIO, Inc. -// -// This file is part of MinIO Object Storage stack -// -// This program is free software: you can redistribute it and/or modify -// it under the terms of the GNU Affero General Public License as published by -// the Free Software Foundation, either version 3 of the License, or -// (at your option) any later version. -// -// This program is distributed in the hope that it will be useful -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU Affero General Public License for more details. -// -// You should have received a copy of the GNU Affero General Public License -// along with this program. If not, see . - -package cmd - -// Newer official download info URLs appear earlier below. -var minioReleaseInfoURL = MinioReleaseURL + "minio.sha256sum" diff --git a/cmd/utils.go b/cmd/utils.go index 4013678ba..90ce955a9 100644 --- a/cmd/utils.go +++ b/cmd/utils.go @@ -52,7 +52,7 @@ import ( "github.com/minio/minio/internal/config/api" xtls "github.com/minio/minio/internal/config/identity/tls" "github.com/minio/minio/internal/config/storageclass" - "github.com/minio/minio/internal/fips" + "github.com/minio/minio/internal/crypto" "github.com/minio/minio/internal/handlers" "github.com/minio/minio/internal/hash" xhttp "github.com/minio/minio/internal/http" @@ -612,8 +612,8 @@ func NewInternodeHTTPTransport(maxIdleConnsPerHost int) func() http.RoundTripper LookupHost: globalDNSCache.LookupHost, DialTimeout: rest.DefaultTimeout, RootCAs: globalRootCAs, - CipherSuites: fips.TLSCiphers(), - CurvePreferences: fips.TLSCurveIDs(), + CipherSuites: crypto.TLSCiphers(), + CurvePreferences: crypto.TLSCurveIDs(), EnableHTTP2: false, TCPOptions: globalTCPOptions, }.NewInternodeHTTPTransport(maxIdleConnsPerHost) @@ -626,8 +626,8 @@ func NewHTTPTransportWithClientCerts(clientCert, clientKey string) http.RoundTri LookupHost: globalDNSCache.LookupHost, DialTimeout: defaultDialTimeout, RootCAs: globalRootCAs, - CipherSuites: fips.TLSCiphersBackwardCompatible(), - CurvePreferences: fips.TLSCurveIDs(), + CipherSuites: crypto.TLSCiphersBackwardCompatible(), + CurvePreferences: crypto.TLSCurveIDs(), TCPOptions: globalTCPOptions, EnableHTTP2: false, } @@ -665,8 +665,8 @@ func NewHTTPTransportWithTimeout(timeout time.Duration) *http.Transport { DialTimeout: defaultDialTimeout, RootCAs: globalRootCAs, TCPOptions: globalTCPOptions, - CipherSuites: fips.TLSCiphersBackwardCompatible(), - CurvePreferences: fips.TLSCurveIDs(), + CipherSuites: crypto.TLSCiphersBackwardCompatible(), + CurvePreferences: crypto.TLSCurveIDs(), EnableHTTP2: false, }.NewHTTPTransportWithTimeout(timeout) } @@ -677,8 +677,8 @@ func NewRemoteTargetHTTPTransport(insecure bool) func() *http.Transport { return xhttp.ConnSettings{ LookupHost: globalDNSCache.LookupHost, RootCAs: globalRootCAs, - CipherSuites: fips.TLSCiphersBackwardCompatible(), - CurvePreferences: fips.TLSCurveIDs(), + CipherSuites: crypto.TLSCiphersBackwardCompatible(), + CurvePreferences: crypto.TLSCurveIDs(), TCPOptions: globalTCPOptions, EnableHTTP2: false, }.NewRemoteTargetHTTPTransport(insecure) @@ -986,11 +986,11 @@ func newTLSConfig(getCert certs.GetCertificateFunc) *tls.Config { } if secureCiphers := env.Get(api.EnvAPISecureCiphers, config.EnableOn) == config.EnableOn; secureCiphers { - tlsConfig.CipherSuites = fips.TLSCiphers() + tlsConfig.CipherSuites = crypto.TLSCiphers() } else { - tlsConfig.CipherSuites = fips.TLSCiphersBackwardCompatible() + tlsConfig.CipherSuites = crypto.TLSCiphersBackwardCompatible() } - tlsConfig.CurvePreferences = fips.TLSCurveIDs() + tlsConfig.CurvePreferences = crypto.TLSCurveIDs() return tlsConfig } diff --git a/internal/config/crypto.go b/internal/config/crypto.go index ecacdbca5..757b1db4e 100644 --- a/internal/config/crypto.go +++ b/internal/config/crypto.go @@ -27,7 +27,6 @@ import ( "io" jsoniter "github.com/json-iterator/go" - "github.com/minio/minio/internal/fips" "github.com/minio/minio/internal/kms" "github.com/secure-io/sio-go" "github.com/secure-io/sio-go/sioutil" @@ -64,7 +63,7 @@ func DecryptBytes(k *kms.KMS, ciphertext []byte, context kms.Context) ([]byte, e // ciphertext. func Encrypt(k *kms.KMS, plaintext io.Reader, ctx kms.Context) (io.Reader, error) { algorithm := sio.AES_256_GCM - if !fips.Enabled && !sioutil.NativeAES() { + if !sioutil.NativeAES() { algorithm = sio.ChaCha20Poly1305 } @@ -145,9 +144,6 @@ func Decrypt(k *kms.KMS, ciphertext io.Reader, associatedData kms.Context) (io.R if err := json.Unmarshal(metadataBuffer, &metadata); err != nil { return nil, err } - if fips.Enabled && metadata.Algorithm != sio.AES_256_GCM { - return nil, fmt.Errorf("config: unsupported encryption algorithm: %q is not supported in FIPS mode", metadata.Algorithm) - } key, err := k.Decrypt(context.TODO(), &kms.DecryptRequest{ Name: metadata.KeyID, diff --git a/internal/config/etcd/etcd.go b/internal/config/etcd/etcd.go index d62d2be7e..87e18012b 100644 --- a/internal/config/etcd/etcd.go +++ b/internal/config/etcd/etcd.go @@ -24,7 +24,7 @@ import ( "time" "github.com/minio/minio/internal/config" - "github.com/minio/minio/internal/fips" + "github.com/minio/minio/internal/crypto" "github.com/minio/pkg/v3/env" xnet "github.com/minio/pkg/v3/net" clientv3 "go.etcd.io/etcd/client/v3" @@ -165,8 +165,8 @@ func LookupConfig(kvs config.KVS, rootCAs *x509.CertPool) (Config, error) { MinVersion: tls.VersionTLS12, NextProtos: []string{"http/1.1", "h2"}, ClientSessionCache: tls.NewLRUClientSessionCache(64), - CipherSuites: fips.TLSCiphersBackwardCompatible(), - CurvePreferences: fips.TLSCurveIDs(), + CipherSuites: crypto.TLSCiphersBackwardCompatible(), + CurvePreferences: crypto.TLSCurveIDs(), } // This is only to support client side certificate authentication // https://coreos.com/etcd/docs/latest/op-guide/security.html diff --git a/internal/config/identity/ldap/config.go b/internal/config/identity/ldap/config.go index b0bd5c582..00dbedc9c 100644 --- a/internal/config/identity/ldap/config.go +++ b/internal/config/identity/ldap/config.go @@ -26,7 +26,7 @@ import ( "github.com/minio/madmin-go/v3" "github.com/minio/minio/internal/config" - "github.com/minio/minio/internal/fips" + "github.com/minio/minio/internal/crypto" "github.com/minio/pkg/v3/ldap" ) @@ -197,7 +197,7 @@ func Lookup(s config.Config, rootCAs *x509.CertPool) (l Config, err error) { MinVersion: tls.VersionTLS12, NextProtos: []string{"h2", "http/1.1"}, ClientSessionCache: tls.NewLRUClientSessionCache(100), - CipherSuites: fips.TLSCiphersBackwardCompatible(), // Contains RSA key exchange + CipherSuites: crypto.TLSCiphersBackwardCompatible(), // Contains RSA key exchange RootCAs: rootCAs, }, } diff --git a/internal/config/identity/openid/ecdsa-sha3_contrib.go b/internal/config/identity/openid/ecdsa-sha3_contrib.go index 7a820b870..11d7acb79 100644 --- a/internal/config/identity/openid/ecdsa-sha3_contrib.go +++ b/internal/config/identity/openid/ecdsa-sha3_contrib.go @@ -11,9 +11,6 @@ // See the License for the specific language governing permissions and // limitations under the License. -//go:build !fips -// +build !fips - package openid import ( @@ -22,7 +19,7 @@ import ( "github.com/golang-jwt/jwt/v4" // Needed for SHA3 to work - See: https://golang.org/src/crypto/crypto.go?s=1034:1288 - _ "golang.org/x/crypto/sha3" // There is no SHA-3 FIPS-140 2 compliant implementation + _ "golang.org/x/crypto/sha3" ) // Specific instances for EC256 and company diff --git a/internal/config/identity/openid/rsa-sha3_contrib.go b/internal/config/identity/openid/rsa-sha3_contrib.go index 2481abf99..826074735 100644 --- a/internal/config/identity/openid/rsa-sha3_contrib.go +++ b/internal/config/identity/openid/rsa-sha3_contrib.go @@ -12,9 +12,6 @@ // See the License for the specific language governing permissions and // limitations under the License. -//go:build !fips -// +build !fips - package openid import ( @@ -23,7 +20,7 @@ import ( "github.com/golang-jwt/jwt/v4" // Needed for SHA3 to work - See: https://golang.org/src/crypto/crypto.go?s=1034:1288 - _ "golang.org/x/crypto/sha3" // There is no SHA-3 FIPS-140 2 compliant implementation + _ "golang.org/x/crypto/sha3" ) // Specific instances for RS256 and company diff --git a/internal/fips/api.go b/internal/crypto/crypto.go similarity index 51% rename from internal/fips/api.go rename to internal/crypto/crypto.go index 6faefeb7c..5a82fd893 100644 --- a/internal/fips/api.go +++ b/internal/crypto/crypto.go @@ -15,22 +15,7 @@ // You should have received a copy of the GNU Affero General Public License // along with this program. If not, see . -// Package fips provides functionality to configure cryptographic -// implementations compliant with FIPS 140. -// -// FIPS 140 [1] is a US standard for data processing that specifies -// requirements for cryptographic modules. Software that is "FIPS 140 -// compliant" must use approved cryptographic primitives only and that -// are implemented by a FIPS 140 certified cryptographic module. -// -// So, FIPS 140 requires that a certified implementation of e.g. AES -// is used to implement more high-level cryptographic protocols. -// It does not require any specific security criteria for those -// high-level protocols. FIPS 140 focuses only on the implementation -// and usage of the most low-level cryptographic building blocks. -// -// [1]: https://en.wikipedia.org/wiki/FIPS_140 -package fips +package crypto import ( "crypto/tls" @@ -38,40 +23,13 @@ import ( "github.com/minio/sio" ) -// Enabled indicates whether cryptographic primitives, -// like AES or SHA-256, are implemented using a FIPS 140 -// certified module. -// -// If FIPS-140 is enabled no non-NIST/FIPS approved -// primitives must be used. -const Enabled = enabled - // DARECiphers returns a list of supported cipher suites // for the DARE object encryption. -func DARECiphers() []byte { - if Enabled { - return []byte{sio.AES_256_GCM} - } - return []byte{sio.AES_256_GCM, sio.CHACHA20_POLY1305} -} +func DARECiphers() []byte { return []byte{sio.AES_256_GCM, sio.CHACHA20_POLY1305} } // TLSCiphers returns a list of supported TLS transport // cipher suite IDs. -// -// The list contains only ciphers that use AES-GCM or -// (non-FIPS) CHACHA20-POLY1305 and ellitpic curve key -// exchange. func TLSCiphers() []uint16 { - if Enabled { - return []uint16{ - tls.TLS_AES_128_GCM_SHA256, // TLS 1.3 - tls.TLS_AES_256_GCM_SHA384, - tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // TLS 1.2 - tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - } - } return []uint16{ tls.TLS_CHACHA20_POLY1305_SHA256, // TLS 1.3 tls.TLS_AES_128_GCM_SHA256, @@ -92,24 +50,6 @@ func TLSCiphers() []uint16 { // ciphers for backward compatibility. In particular, AES-CBC // and non-ECDHE ciphers. func TLSCiphersBackwardCompatible() []uint16 { - if Enabled { - return []uint16{ - tls.TLS_AES_128_GCM_SHA256, // TLS 1.3 - tls.TLS_AES_256_GCM_SHA384, - tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // TLS 1.2 ECDHE GCM - tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, // TLS 1.2 ECDHE CBC - tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, - tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - tls.TLS_RSA_WITH_AES_128_GCM_SHA256, // TLS 1.2 non-ECDHE - tls.TLS_RSA_WITH_AES_256_GCM_SHA384, - tls.TLS_RSA_WITH_AES_128_CBC_SHA, - tls.TLS_RSA_WITH_AES_256_CBC_SHA, - } - } return []uint16{ tls.TLS_CHACHA20_POLY1305_SHA256, // TLS 1.3 tls.TLS_AES_128_GCM_SHA256, @@ -134,10 +74,5 @@ func TLSCiphersBackwardCompatible() []uint16 { // TLSCurveIDs returns a list of supported elliptic curve IDs // in preference order. func TLSCurveIDs() []tls.CurveID { - var curves []tls.CurveID - if !Enabled { - curves = append(curves, tls.X25519) // Only enable X25519 in non-FIPS mode - } - curves = append(curves, tls.CurveP256, tls.CurveP384, tls.CurveP521) - return curves + return []tls.CurveID{tls.CurveP256, tls.X25519, tls.CurveP384, tls.CurveP521} } diff --git a/internal/crypto/key.go b/internal/crypto/key.go index 992e214bf..7c59ecd34 100644 --- a/internal/crypto/key.go +++ b/internal/crypto/key.go @@ -27,7 +27,6 @@ import ( "io" "path" - "github.com/minio/minio/internal/fips" "github.com/minio/minio/internal/hash/sha256" "github.com/minio/minio/internal/logger" "github.com/minio/sio" @@ -98,7 +97,7 @@ func (key ObjectKey) Seal(extKey []byte, iv [32]byte, domain, bucket, object str mac.Write([]byte(SealAlgorithm)) mac.Write([]byte(path.Join(bucket, object))) // use path.Join for canonical 'bucket/object' mac.Sum(sealingKey[:0]) - if n, err := sio.Encrypt(&encryptedKey, bytes.NewReader(key[:]), sio.Config{Key: sealingKey[:], CipherSuites: fips.DARECiphers()}); n != 64 || err != nil { + if n, err := sio.Encrypt(&encryptedKey, bytes.NewReader(key[:]), sio.Config{Key: sealingKey[:]}); n != 64 || err != nil { logger.CriticalIf(context.Background(), errors.New("Unable to generate sealed key")) } sealedKey := SealedKey{ @@ -123,12 +122,12 @@ func (key *ObjectKey) Unseal(extKey []byte, sealedKey SealedKey, domain, bucket, mac.Write([]byte(domain)) mac.Write([]byte(SealAlgorithm)) mac.Write([]byte(path.Join(bucket, object))) // use path.Join for canonical 'bucket/object' - unsealConfig = sio.Config{MinVersion: sio.Version20, Key: mac.Sum(nil), CipherSuites: fips.DARECiphers()} + unsealConfig = sio.Config{MinVersion: sio.Version20, Key: mac.Sum(nil)} case InsecureSealAlgorithm: sha := sha256.New() sha.Write(extKey) sha.Write(sealedKey.IV[:]) - unsealConfig = sio.Config{MinVersion: sio.Version10, Key: sha.Sum(nil), CipherSuites: fips.DARECiphers()} + unsealConfig = sio.Config{MinVersion: sio.Version10, Key: sha.Sum(nil)} } if out, err := sio.DecryptBuffer(key[:0], sealedKey.Key[:], unsealConfig); len(out) != 32 || err != nil { @@ -159,7 +158,7 @@ func (key ObjectKey) SealETag(etag []byte) []byte { var buffer bytes.Buffer mac := hmac.New(sha256.New, key[:]) mac.Write([]byte("SSE-etag")) - if _, err := sio.Encrypt(&buffer, bytes.NewReader(etag), sio.Config{Key: mac.Sum(nil), CipherSuites: fips.DARECiphers()}); err != nil { + if _, err := sio.Encrypt(&buffer, bytes.NewReader(etag), sio.Config{Key: mac.Sum(nil)}); err != nil { logger.CriticalIf(context.Background(), errors.New("Unable to encrypt ETag using object key")) } return buffer.Bytes() @@ -175,5 +174,5 @@ func (key ObjectKey) UnsealETag(etag []byte) ([]byte, error) { } mac := hmac.New(sha256.New, key[:]) mac.Write([]byte("SSE-etag")) - return sio.DecryptBuffer(make([]byte, 0, len(etag)), etag, sio.Config{Key: mac.Sum(nil), CipherSuites: fips.DARECiphers()}) + return sio.DecryptBuffer(make([]byte, 0, len(etag)), etag, sio.Config{Key: mac.Sum(nil)}) } diff --git a/internal/crypto/sse.go b/internal/crypto/sse.go index 422ff1488..40e4b4b1f 100644 --- a/internal/crypto/sse.go +++ b/internal/crypto/sse.go @@ -24,7 +24,6 @@ import ( "io" "net/http" - "github.com/minio/minio/internal/fips" "github.com/minio/minio/internal/ioutil" "github.com/minio/minio/internal/logger" "github.com/minio/sio" @@ -101,7 +100,7 @@ func unsealObjectKey(clientKey []byte, metadata map[string]string, bucket, objec // EncryptSinglePart encrypts an io.Reader which must be the // body of a single-part PUT request. func EncryptSinglePart(r io.Reader, key ObjectKey) io.Reader { - r, err := sio.EncryptReader(r, sio.Config{MinVersion: sio.Version20, Key: key[:], CipherSuites: fips.DARECiphers()}) + r, err := sio.EncryptReader(r, sio.Config{MinVersion: sio.Version20, Key: key[:]}) if err != nil { logger.CriticalIf(context.Background(), errors.New("Unable to encrypt io.Reader using object key")) } @@ -123,7 +122,7 @@ func DecryptSinglePart(w io.Writer, offset, length int64, key ObjectKey) io.Writ const PayloadSize = 1 << 16 // DARE 2.0 w = ioutil.LimitedWriter(w, offset%PayloadSize, length) - decWriter, err := sio.DecryptWriter(w, sio.Config{Key: key[:], CipherSuites: fips.DARECiphers()}) + decWriter, err := sio.DecryptWriter(w, sio.Config{Key: key[:]}) if err != nil { logger.CriticalIf(context.Background(), errors.New("Unable to decrypt io.Writer using object key")) } diff --git a/internal/etag/etag.go b/internal/etag/etag.go index c891426a9..78d0e5d4d 100644 --- a/internal/etag/etag.go +++ b/internal/etag/etag.go @@ -117,7 +117,6 @@ import ( "strconv" "strings" - "github.com/minio/minio/internal/fips" "github.com/minio/minio/internal/hash/sha256" xhttp "github.com/minio/minio/internal/http" "github.com/minio/sio" @@ -346,8 +345,7 @@ func Decrypt(key []byte, etag ETag) (ETag, error) { plaintext := make([]byte, 0, 16) etag, err := sio.DecryptBuffer(plaintext, etag, sio.Config{ - Key: decryptionKey, - CipherSuites: fips.DARECiphers(), + Key: decryptionKey, }) if err != nil { return nil, err diff --git a/internal/fips/fips.go b/internal/fips/fips.go deleted file mode 100644 index 17fc535aa..000000000 --- a/internal/fips/fips.go +++ /dev/null @@ -1,25 +0,0 @@ -// Copyright (c) 2015-2021 MinIO, Inc. -// -// This file is part of MinIO Object Storage stack -// -// This program is free software: you can redistribute it and/or modify -// it under the terms of the GNU Affero General Public License as published by -// the Free Software Foundation, either version 3 of the License, or -// (at your option) any later version. -// -// This program is distributed in the hope that it will be useful -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU Affero General Public License for more details. -// -// You should have received a copy of the GNU Affero General Public License -// along with this program. If not, see . - -//go:build fips && linux && amd64 -// +build fips,linux,amd64 - -package fips - -import _ "crypto/tls/fipsonly" - -const enabled = true diff --git a/internal/fips/no_fips.go b/internal/fips/no_fips.go deleted file mode 100644 index 96cfd3aa8..000000000 --- a/internal/fips/no_fips.go +++ /dev/null @@ -1,23 +0,0 @@ -// Copyright (c) 2015-2021 MinIO, Inc. -// -// This file is part of MinIO Object Storage stack -// -// This program is free software: you can redistribute it and/or modify -// it under the terms of the GNU Affero General Public License as published by -// the Free Software Foundation, either version 3 of the License, or -// (at your option) any later version. -// -// This program is distributed in the hope that it will be useful -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU Affero General Public License for more details. -// -// You should have received a copy of the GNU Affero General Public License -// along with this program. If not, see . - -//go:build !fips -// +build !fips - -package fips - -const enabled = false