MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-20 01:50:24 -05:00
Code Issues Packages Projects Releases Wiki Activity

config: enforce AES-GCM in FIPS mode (#12265)

Browse Source 
This commit enforces the usage of AES-256
for config and IAM data en/decryption in FIPS
mode.

Further, it improves the implementation of
`fips.Enabled` by making it a compile time
constant. Now, the compiler is able to evaluate
the any `if fips.Enabled { ... }` at compile time
and eliminate unused code.

Signed-off-by: Andreas Auernhammer <aead@mail.de>
This commit is contained in:
Andreas Auernhammer
2021-05-10 17:24:11 +02:00
committed by GitHub
parent 2d79d6d847
commit c03a06cca8
5 changed files with 18 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
pkg/fips/api.go
View File

@@ -34,14 +34,13 @@ package fips
import "crypto/tls"
// Enabled returns true if and only if FIPS 140-2 support
// is enabled.
// Enabled indicates whether cryptographic primitives,
// like AES or SHA-256, are implemented using a FIPS 140
// certified module.
//
// FIPS 140-2 requires that only specifc cryptographic
// primitives, like AES or SHA-256, are used and that
// those primitives are implemented by a FIPS 140-2
// certified cryptographic module.
func Enabled() bool { return enabled }
// If FIPS-140 is enabled no non-NIST/FIPS approved
// primitives must be used.
const Enabled = enabled
// CipherSuitesDARE returns the supported cipher suites
// for the DARE object encryption.

6
pkg/fips/fips.go
View File

@@ -1,5 +1,3 @@
// +build fips
// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
@@ -17,6 +15,8 @@
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
// +build fips,linux,amd64
package fips
import (
@@ -25,7 +25,7 @@ import (
"github.com/minio/sio"
)
var enabled = true
const enabled = true
func cipherSuitesDARE() []byte {
return []byte{sio.AES_256_GCM}

4
pkg/fips/no_fips.go
View File

@@ -15,6 +15,8 @@
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
// +build !fips
package fips
import (
@@ -23,7 +25,7 @@ import (
"github.com/minio/sio"
)
var enabled = false
const enabled = false
func cipherSuitesDARE() []byte {
return []byte{sio.AES_256_GCM, sio.CHACHA20_POLY1305}