use crypto/sha256 only for FIPS 140-2 compliance (#14983)

It would seem like the PR #11623 had chewed more than it wanted to, non-fips build shouldn't really be forced to use slower crypto/sha256 even for presumed "non-performance" codepaths. In MinIO there are really no "non-performance" codepaths. This assumption seems to have had an adverse effect in certain areas of CPU usage. This PR ensures that we stick to sha256-simd on all non-FIPS builds, our most common build to ensure we get the best out of the CPU at any given point in time.
2025-11-07 21:02:58 -05:00 · 2022-05-27 06:00:19 -07:00
parent 464b9d7c80
commit 9d07cde385
16 changed files with 35 additions and 24 deletions
--- a/internal/hash/sha256/sh256_fips.go
+++ b/internal/hash/sha256/sh256_fips.go
@@ -0,0 +1,35 @@
+// Copyright (c) 2015-2022 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+//go:build fips
+// +build fips
+
+package sha256
+
+import (
+	fipsha256 "crypto/sha256"
+	"hash"
+)
+
+// New returns a new hash.Hash computing the SHA256 checksum.
+// The SHA256 implementation is FIPS 140-2 compliant when the
+// boringcrypto branch of Go is used.
+// Ref: https://github.com/golang/go/tree/dev.boringcrypto
+func New() hash.Hash { return fipsha256.New() }
+
+// Sum256 returns the SHA256 checksum of the data.
+func Sum256(data []byte) [fipssha256.Size]byte { return fipssha256.Sum256(data) }
--- a/internal/hash/sha256/sh256_nofips.go
+++ b/internal/hash/sha256/sh256_nofips.go
@@ -0,0 +1,34 @@
+// Copyright (c) 2015-2022 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+//go:build !fips
+// +build !fips
+
+package sha256
+
+import (
+	"hash"
+
+	nofipssha256 "github.com/minio/sha256-simd"
+)
+
+// New returns a new hash.Hash computing the SHA256 checksum.
+// The SHA256 implementation is not FIPS 140-2 compliant.
+func New() hash.Hash { return nofipssha256.New() }
+
+// Sum256 returns the SHA256 checksum of the data.
+func Sum256(data []byte) [nofipssha256.Size]byte { return nofipssha256.Sum256(data) }