config: enforce AES-GCM in FIPS mode (#12265)

This commit enforces the usage of AES-256 for config and IAM data en/decryption in FIPS mode. Further, it improves the implementation of `fips.Enabled` by making it a compile time constant. Now, the compiler is able to evaluate the any `if fips.Enabled { ... }` at compile time and eliminate unused code. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2025-11-29 21:33:31 -05:00 · 2021-05-10 17:24:11 +02:00
parent 2d79d6d847
commit c03a06cca8
5 changed files with 18 additions and 13 deletions
--- a/pkg/fips/api.go
+++ b/pkg/fips/api.go
@@ -34,14 +34,13 @@ package fips

 import "crypto/tls"

-// Enabled returns true if and only if FIPS 140-2 support
-// is enabled.
+// Enabled indicates whether cryptographic primitives,
+// like AES or SHA-256, are implemented using a FIPS 140
+// certified module.
 //
-// FIPS 140-2 requires that only specifc cryptographic
-// primitives, like AES or SHA-256, are used and that
-// those primitives are implemented by a FIPS 140-2
-// certified cryptographic module.
-func Enabled() bool { return enabled }
+// If FIPS-140 is enabled no non-NIST/FIPS approved
+// primitives must be used.
+const Enabled = enabled

 // CipherSuitesDARE returns the supported cipher suites
 // for the DARE object encryption.