add new pkg/fips for FIPS 140-2 (#12051)

This commit introduces a new package `pkg/fips` that bundles functionality to handle and configure cryptographic protocols in case of FIPS 140. If it is compiled with `--tags=fips` it assumes that a FIPS 140-2 cryptographic module is used to implement all FIPS compliant cryptographic primitives - like AES, SHA-256, ... In "FIPS mode" it excludes all non-FIPS compliant cryptographic primitives from the protocol parameters.
2025-11-24 03:27:44 -05:00 · 2021-04-14 17:29:56 +02:00
parent b4eeeb8449
commit 97aa831352
11 changed files with 178 additions and 44 deletions
--- a/cmd/disk-cache-backend.go
+++ b/cmd/disk-cache-backend.go
@@ -39,6 +39,7 @@ import (
 	xhttp "github.com/minio/minio/cmd/http"
 	"github.com/minio/minio/cmd/logger"
 	"github.com/minio/minio/pkg/disk"
+	"github.com/minio/minio/pkg/fips"
 	"github.com/minio/sio"
 )

@@ -661,7 +662,7 @@ func newCacheEncryptReader(content io.Reader, bucket, object string, metadata ma
 		return nil, err
 	}

-	reader, err := sio.EncryptReader(content, sio.Config{Key: objectEncryptionKey[:], MinVersion: sio.Version20})
+	reader, err := sio.EncryptReader(content, sio.Config{Key: objectEncryptionKey[:], MinVersion: sio.Version20, CipherSuites: fips.CipherSuitesDARE()})
 	if err != nil {
 		return nil, crypto.ErrInvalidCustomerKey
 	}