MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-07 21:02:58 -05:00
Code Issues Packages Projects Releases Wiki Activity

remove support for FIPS 140-2 with boringcrypto (#21292)

Browse Source 
This commit removes FIPS 140-2 related code for the following
reasons:
 - FIPS 140-2 is a compliance, not a security requirement. Being
   FIPS 140-2 compliant has no security implication on its own.
   From a tech. perspetive, a FIPS 140-2 compliant implementation
   is not necessarily secure and a non-FIPS 140-2 compliant implementation
   is not necessarily insecure. It depends on the concret design and
   crypto primitives/constructions used.
 - The boringcrypto branch used to achieve FIPS 140-2 compliance was never
   officially supported by the Go team and is now in maintainance mode.
   It is replaced by a built-in FIPS 140-3 module. It will be removed
   eventually. Ref: https://github.com/golang/go/issues/69536
 - FIPS 140-2 modules are no longer re-certified after Sep. 2026.
   Ref: https://csrc.nist.gov/projects/cryptographic-module-validation-program

Signed-off-by: Andreas Auernhammer <github@aead.dev>
This commit is contained in:
Andreas Auernhammer
2025-05-16 16:27:42 +02:00
committed by GitHub
parent c0a33952c6
commit 1d50cae43d
21 changed files with 52 additions and 294 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
internal/config/crypto.go
View File

@@ -27,7 +27,6 @@ import (
"io"
jsoniter "github.com/json-iterator/go"
"github.com/minio/minio/internal/fips"
"github.com/minio/minio/internal/kms"
"github.com/secure-io/sio-go"
"github.com/secure-io/sio-go/sioutil"
@@ -64,7 +63,7 @@ func DecryptBytes(k *kms.KMS, ciphertext []byte, context kms.Context) ([]byte, e
// ciphertext.
func Encrypt(k *kms.KMS, plaintext io.Reader, ctx kms.Context) (io.Reader, error) {
algorithm := sio.AES_256_GCM
if !fips.Enabled && !sioutil.NativeAES() {
if !sioutil.NativeAES() {
algorithm = sio.ChaCha20Poly1305
}
@@ -145,9 +144,6 @@ func Decrypt(k *kms.KMS, ciphertext io.Reader, associatedData kms.Context) (io.R
if err := json.Unmarshal(metadataBuffer, &metadata); err != nil {
return nil, err
}
if fips.Enabled && metadata.Algorithm != sio.AES_256_GCM {
return nil, fmt.Errorf("config: unsupported encryption algorithm: %q is not supported in FIPS mode", metadata.Algorithm)
}
key, err := k.Decrypt(context.TODO(), &kms.DecryptRequest{
Name: metadata.KeyID,