fips: do not use SHA-3 when building a FIPS-140 2 binary (#11710)

This commit disables SHA-3 for OpenID when building a
FIPS-140 2 compatible binary. While SHA-3 is a
crypto. hash function accepted by NIST there is no
FIPS-140 2 compliant implementation available when
using the boringcrypto Go branch.

Therefore, SHA-3 must not be used when building
a FIPS-140 2 binary.

cmd/config/identity/openid/ecdsa-sha3.go

@@ -1,18 +1,18 @@
-/*
+// MinIO Cloud Storage, (C) 2020 MinIO, Inc.
- * MinIO Cloud Storage, (C) 2020 MinIO, Inc.
+//
- *
+// Licensed under the Apache License, Version 2.0 (the "License");
- * Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
- * you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
- * You may obtain a copy of the License at
+//
- *
+//     http://www.apache.org/licenses/LICENSE-2.0
- *     http://www.apache.org/licenses/LICENSE-2.0
+//
- *
+// Unless required by applicable law or agreed to in writing, software
- * Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
- * distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
- * See the License for the specific language governing permissions and
+// limitations under the License.
- * limitations under the License.
+
- */
+// +build !fips
 
 package openid
 
@@ -22,7 +22,7 @@ import (
 	"github.com/dgrijalva/jwt-go"
 
 	// Needed for SHA3 to work - See: https://golang.org/src/crypto/crypto.go?s=1034:1288
-	_ "golang.org/x/crypto/sha3"
+	_ "golang.org/x/crypto/sha3" // There is no SHA-3 FIPS-140 2 compliant implementation
 )
 
 // Specific instances for EC256 and company

cmd/config/identity/openid/rsa-sha3.go

@@ -1,18 +1,18 @@
-/*
+// MinIO Cloud Storage, (C) 2020 MinIO, Inc.
- * MinIO Cloud Storage, (C) 2020 MinIO, Inc.
+//
- *
+// Licensed under the Apache License, Version 2.0 (the "License");
- * Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
- * you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
- * You may obtain a copy of the License at
+//
- *
+//     http://www.apache.org/licenses/LICENSE-2.0
- *     http://www.apache.org/licenses/LICENSE-2.0
+//
- *
+// Unless required by applicable law or agreed to in writing, software
- * Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
- * distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
- * See the License for the specific language governing permissions and
+// limitations under the License.
- * limitations under the License.
+
- */
+// +build !fips
 
 package openid
 
@@ -22,7 +22,7 @@ import (
 	"github.com/dgrijalva/jwt-go"
 
 	// Needed for SHA3 to work - See: https://golang.org/src/crypto/crypto.go?s=1034:1288
-	_ "golang.org/x/crypto/sha3"
+	_ "golang.org/x/crypto/sha3" // There is no SHA-3 FIPS-140 2 compliant implementation
 )
 
 // Specific instances for RS256 and company