config: enforce AES-GCM in FIPS mode (#12265)

This commit enforces the usage of AES-256 for config and IAM data en/decryption in FIPS mode. Further, it improves the implementation of `fips.Enabled` by making it a compile time constant. Now, the compiler is able to evaluate the any `if fips.Enabled { ... }` at compile time and eliminate unused code. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2025-11-28 21:18:10 -05:00 · 2021-05-10 17:24:11 +02:00
parent 2d79d6d847
commit c03a06cca8
5 changed files with 18 additions and 13 deletions
--- a/pkg/fips/no_fips.go
+++ b/pkg/fips/no_fips.go
@@ -15,6 +15,8 @@
 // You should have received a copy of the GNU Affero General Public License
 // along with this program.  If not, see <http://www.gnu.org/licenses/>.

+// +build !fips
+
 package fips

 import (
@@ -23,7 +25,7 @@ import (
 	"github.com/minio/sio"
 )

-var enabled = false
+const enabled = false

 func cipherSuitesDARE() []byte {
 	return []byte{sio.AES_256_GCM, sio.CHACHA20_POLY1305}