config: enforce AES-GCM in FIPS mode (#12265)

This commit enforces the usage of AES-256
for config and IAM data en/decryption in FIPS
mode.

Further, it improves the implementation of
`fips.Enabled` by making it a compile time
constant. Now, the compiler is able to evaluate
the any `if fips.Enabled { ... }` at compile time
and eliminate unused code.

Signed-off-by: Andreas Auernhammer <aead@mail.de>

cmd/config/crypto.go

@@ -26,6 +26,7 @@ import (
 	"fmt"
 	"io"
 
+	"github.com/minio/minio/pkg/fips"
 	"github.com/minio/minio/pkg/kms"
 	"github.com/secure-io/sio-go"
 	"github.com/secure-io/sio-go/sioutil"
@@ -62,7 +63,7 @@ func DecryptBytes(KMS kms.KMS, ciphertext []byte, context kms.Context) ([]byte,
 // ciphertext.
 func Encrypt(KMS kms.KMS, plaintext io.Reader, context kms.Context) (io.Reader, error) {
 	var algorithm = sio.AES_256_GCM
-	if !sioutil.NativeAES() {
+	if !fips.Enabled && !sioutil.NativeAES() {
 		algorithm = sio.ChaCha20Poly1305
 	}
 
@@ -141,6 +142,9 @@ func Decrypt(KMS kms.KMS, ciphertext io.Reader, context kms.Context) (io.Reader,
 	if err := json.Unmarshal(metadataBuffer, &metadata); err != nil {
 		return nil, err
 	}
+	if fips.Enabled && metadata.Algorithm != sio.AES_256_GCM {
+		return nil, fmt.Errorf("config: unsupported encryption algorithm: %q is not supported in FIPS mode", metadata.Algorithm)
+	}
 
 	key, err := KMS.DecryptKey(metadata.KeyID, metadata.KMSKey, context)
 	if err != nil {

cmd/http/server.go

@@ -173,7 +173,7 @@ func NewServer(addrs []string, handler http.Handler, getCert certs.GetCertificat
 			NextProtos:               []string{"http/1.1", "h2"},
 			GetCertificate:           getCert,
 		}
-		if secureCiphers || fips.Enabled() {
+		if secureCiphers || fips.Enabled {
 			tlsConfig.CipherSuites = fips.CipherSuitesTLS()
 			tlsConfig.CurvePreferences = fips.EllipticCurvesTLS()
 		}