use crypto/sha256 only for FIPS 140-2 compliance (#14983)

It would seem like the PR #11623 had chewed more than it wanted to, non-fips build shouldn't really be forced to use slower crypto/sha256 even for presumed "non-performance" codepaths. In MinIO there are really no "non-performance" codepaths. This assumption seems to have had an adverse effect in certain areas of CPU usage. This PR ensures that we stick to sha256-simd on all non-FIPS builds, our most common build to ensure we get the best out of the CPU at any given point in time.
2025-11-07 21:02:58 -05:00 · 2022-05-27 06:00:19 -07:00
parent 464b9d7c80
commit 9d07cde385
16 changed files with 35 additions and 24 deletions
--- a/internal/hash/reader.go
+++ b/internal/hash/reader.go
@@ -26,6 +26,7 @@ import (
 	"io"

 	"github.com/minio/minio/internal/etag"
+	"github.com/minio/minio/internal/hash/sha256"
 )

 // A Reader wraps an io.Reader and computes the MD5 checksum
@@ -122,7 +123,7 @@ func NewReader(src io.Reader, size int64, md5Hex, sha256Hex string, actualSize i
 	}
 	var hash hash.Hash
 	if len(SHA256) != 0 {
-		hash = newSHA256()
+		hash = sha256.New()
 	}
 	return &Reader{
 		src:           src,
--- a/internal/hash/sha256/sh256_fips.go
+++ b/internal/hash/sha256/sh256_fips.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2015-2021 MinIO, Inc.
+// Copyright (c) 2015-2022 MinIO, Inc.
 //
 // This file is part of MinIO Object Storage stack
 //
@@ -18,15 +18,18 @@
 //go:build fips
 // +build fips

-package hash
+package sha256

 import (
-	"crypto/sha256"
+	fipsha256 "crypto/sha256"
 	"hash"
 )

-// newSHA256 returns a new hash.Hash computing the SHA256 checksum.
+// New returns a new hash.Hash computing the SHA256 checksum.
 // The SHA256 implementation is FIPS 140-2 compliant when the
 // boringcrypto branch of Go is used.
 // Ref: https://github.com/golang/go/tree/dev.boringcrypto
-func newSHA256() hash.Hash { return sha256.New() }
+func New() hash.Hash { return fipsha256.New() }
+
+// Sum256 returns the SHA256 checksum of the data.
+func Sum256(data []byte) [fipssha256.Size]byte { return fipssha256.Sum256(data) }
--- a/internal/hash/sha256/sh256_nofips.go
+++ b/internal/hash/sha256/sh256_nofips.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2015-2021 MinIO, Inc.
+// Copyright (c) 2015-2022 MinIO, Inc.
 //
 // This file is part of MinIO Object Storage stack
 //
@@ -18,14 +18,17 @@
 //go:build !fips
 // +build !fips

-package hash
+package sha256

 import (
 	"hash"

-	sha256 "github.com/minio/sha256-simd"
+	nofipssha256 "github.com/minio/sha256-simd"
 )

-// newSHA256 returns a new hash.Hash computing the SHA256 checksum.
+// New returns a new hash.Hash computing the SHA256 checksum.
 // The SHA256 implementation is not FIPS 140-2 compliant.
-func newSHA256() hash.Hash { return sha256.New() }
+func New() hash.Hash { return nofipssha256.New() }
+
+// Sum256 returns the SHA256 checksum of the data.
+func Sum256(data []byte) [nofipssha256.Size]byte { return nofipssha256.Sum256(data) }