add new pkg/fips for FIPS 140-2 (#12051)

This commit introduces a new package `pkg/fips` that bundles functionality to handle and configure cryptographic protocols in case of FIPS 140. If it is compiled with `--tags=fips` it assumes that a FIPS 140-2 cryptographic module is used to implement all FIPS compliant cryptographic primitives - like AES, SHA-256, ... In "FIPS mode" it excludes all non-FIPS compliant cryptographic primitives from the protocol parameters.
2025-11-20 01:50:24 -05:00 · 2021-04-14 17:29:56 +02:00
parent b4eeeb8449
commit 97aa831352
11 changed files with 178 additions and 44 deletions
--- a/pkg/fips/api.go
+++ b/pkg/fips/api.go
@@ -0,0 +1,59 @@
+// MinIO Cloud Storage, (C) 2021 MinIO, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package fips provides functionality to configure cryptographic
+// implementations compliant with FIPS 140.
+//
+// FIPS 140 [1] is a US standard for data processing that specifies
+// requirements for cryptographic modules. Software that is "FIPS 140
+// compliant" must use approved cryptographic primitives only and that
+// are implemented by a FIPS 140 certified cryptographic module.
+//
+// So, FIPS 140 requires that a certified implementation of e.g. AES
+// is used to implement more high-level cryptographic protocols.
+// It does not require any specific security criteria for those
+// high-level protocols. FIPS 140 focuses only on the implementation
+// and usage of the most low-level cryptographic building blocks.
+//
+// [1]: https://en.wikipedia.org/wiki/FIPS_140
+package fips
+
+import "crypto/tls"
+
+// Enabled returns true if and only if FIPS 140-2 support
+// is enabled.
+//
+// FIPS 140-2 requires that only specifc cryptographic
+// primitives, like AES or SHA-256, are used and that
+// those primitives are implemented by a FIPS 140-2
+// certified cryptographic module.
+func Enabled() bool { return enabled }
+
+// CipherSuitesDARE returns the supported cipher suites
+// for the DARE object encryption.
+func CipherSuitesDARE() []byte {
+	return cipherSuitesDARE()
+}
+
+// CipherSuitesTLS returns the supported cipher suites
+// used by the TLS stack.
+func CipherSuitesTLS() []uint16 {
+	return cipherSuitesTLS()
+}
+
+// EllipticCurvesTLS returns the supported elliptic
+// curves used by the TLS stack.
+func EllipticCurvesTLS() []tls.CurveID {
+	return ellipticCurvesTLS()
+}
--- a/pkg/fips/fips.go
+++ b/pkg/fips/fips.go
@@ -0,0 +1,42 @@
+// MinIO Cloud Storage, (C) 2021 MinIO, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//+build fips
+
+package fips
+
+import (
+	"crypto/tls"
+
+	"github.com/minio/sio"
+)
+
+var enabled = true
+
+func cipherSuitesDARE() []byte {
+	return []byte{sio.AES_256_GCM}
+}
+
+func cipherSuitesTLS() []uint16 {
+	return []uint16{
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+	}
+}
+
+func ellipticCurvesTLS() []tls.Curve {
+	return []tls.CurveID{tls.CurveP256}
+}
--- a/pkg/fips/no_fips.go
+++ b/pkg/fips/no_fips.go
@@ -0,0 +1,44 @@
+// MinIO Cloud Storage, (C) 2021 MinIO, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//+build !fips
+
+package fips
+
+import (
+	"crypto/tls"
+
+	"github.com/minio/sio"
+)
+
+var enabled = false
+
+func cipherSuitesDARE() []byte {
+	return []byte{sio.AES_256_GCM, sio.CHACHA20_POLY1305}
+}
+
+func cipherSuitesTLS() []uint16 {
+	return []uint16{
+		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+	}
+}
+
+func ellipticCurvesTLS() []tls.CurveID {
+	return []tls.CurveID{tls.X25519, tls.CurveP256}
+}