fips: always enable AES in FIPS mode when using madmin (#11732)

This commit adds FIPS-specific build tags to the madmin
package. When madmin is compiled with `--tags "fips"`
it will always use AES-GCM for encryption - not just
when an optimized AES implementation is available.
Andreas Auernhammer 2021-03-08 19:58:02 +01:00 committed by GitHub
parent 64662a49ff
commit ba6930bb13
3 changed files with 47 additions and 1 deletions


@ -51,7 +51,7 @@ func EncryptData(password string, data []byte) ([]byte, error) {
err error
stream *sio.Stream
)
if sioutil.NativeAES() { // Only use AES-GCM if we can use an optimized implementation
if useAES() { // Only use AES-GCM if we can use an optimized implementation
id = aesGcm
stream, err = sio.AES_256_GCM.Stream(key)
} else {
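Review bot: The inline comment on the changed line, `// Only use AES-GCM if we can use an optimized implementation`, is no longer accurate for fips builds, where useAES() returns true regardless of CPU support; suggest `if useAES() { // AES-GCM when built with the fips tag, otherwise only with an optimized AES implementation`. The else branch, which presumably selects ChaCha20-Poly1305, is still compiled into fips builds and its decryption counterpart is not shown here, so it is worth confirming that a fips build also rejects non-AES ids on the decrypt side rather than accepting both. EncryptData starts before and ends after this hunk.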


@ -0,0 +1,22 @@
// MinIO Cloud Storage, (C) 2021 MinIO, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// +build fips
package madmin
// useAES always returns true since AES is the only
// option out of AES-GCM and ChaCha20-Poly1305 that
// is approved by the NIST.
func useAES() bool { return true }
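Review bot: The doc comment on useAES should state the scope of the fips tag: it pins the cipher choice to AES-256-GCM but does not by itself make the binary a FIPS 140 validated build, since that depends on the Go crypto implementation the binary is linked against, which is outside this package. Suggested wording: `// useAES always returns true because, of AES-GCM and ChaCha20-Poly1305, only AES-GCM is NIST-approved. The fips build tag constrains the cipher selection only; it does not imply a FIPS-validated crypto module.` Since this definition and the one in the !fips file are build-constrained siblings with the same signature, a small test asserting the returned value under each tag would catch future drift between them.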


@ -0,0 +1,24 @@
// MinIO Cloud Storage, (C) 2021 MinIO, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// +build !fips
package madmin
import "github.com/secure-io/sio-go/sioutil"
// useAES returns true if the executing CPU provides
// AES-GCM hardware instructions and an optimized
// assembler implementation is available.
func useAES() bool { return sioutil.NativeAES() }
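Review bot: The doc comment describes the CPU check but not why it gates the cipher choice, which is the security-relevant part: without hardware AES support the fallback is a software AES that is slower and harder to keep constant-time, so ChaCha20-Poly1305 is preferred in that case. Suggested wording: `// useAES reports whether AES-GCM should be used. It returns true only when sioutil detects hardware AES support with an optimized implementation; otherwise callers fall back to ChaCha20-Poly1305, avoiding a slow and potentially timing-leaky software AES.` The phrase "AES-GCM hardware instructions" is also imprecise, as the relevant CPU features are the AES and carry-less-multiply instructions rather than GCM as such; presumably that is what sioutil.NativeAES checks, though the helper is not shown here.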