mirror of
https://github.com/minio/minio.git
synced 2025-01-26 14:13:16 -05:00
fips: simplify TLS configuration (#15127)
This commit simplifies the TLS configuration. It inlines the FIPS / non-FIPS code. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
This commit is contained in:
parent
b3eda248a3
commit
cd7a0a9757
@ -465,7 +465,7 @@ func encryptBucketMetadata(bucket string, input []byte, kmsContext kms.Context)
|
|||||||
objectKey := crypto.GenerateKey(key.Plaintext, rand.Reader)
|
objectKey := crypto.GenerateKey(key.Plaintext, rand.Reader)
|
||||||
sealedKey := objectKey.Seal(key.Plaintext, crypto.GenerateIV(rand.Reader), crypto.S3.String(), bucket, "")
|
sealedKey := objectKey.Seal(key.Plaintext, crypto.GenerateIV(rand.Reader), crypto.S3.String(), bucket, "")
|
||||||
crypto.S3.CreateMetadata(metadata, key.KeyID, key.Ciphertext, sealedKey)
|
crypto.S3.CreateMetadata(metadata, key.KeyID, key.Ciphertext, sealedKey)
|
||||||
_, err = sio.Encrypt(outbuf, bytes.NewBuffer(input), sio.Config{Key: objectKey[:], MinVersion: sio.Version20, CipherSuites: fips.CipherSuitesDARE()})
|
_, err = sio.Encrypt(outbuf, bytes.NewBuffer(input), sio.Config{Key: objectKey[:], MinVersion: sio.Version20, CipherSuites: fips.DARECiphers()})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return output, metabytes, err
|
return output, metabytes, err
|
||||||
}
|
}
|
||||||
@ -495,6 +495,6 @@ func decryptBucketMetadata(input []byte, bucket string, meta map[string]string,
|
|||||||
}
|
}
|
||||||
|
|
||||||
outbuf := bytes.NewBuffer(nil)
|
outbuf := bytes.NewBuffer(nil)
|
||||||
_, err = sio.Decrypt(outbuf, bytes.NewBuffer(input), sio.Config{Key: objectKey[:], MinVersion: sio.Version20, CipherSuites: fips.CipherSuitesDARE()})
|
_, err = sio.Decrypt(outbuf, bytes.NewBuffer(input), sio.Config{Key: objectKey[:], MinVersion: sio.Version20, CipherSuites: fips.DARECiphers()})
|
||||||
return outbuf.Bytes(), err
|
return outbuf.Bytes(), err
|
||||||
}
|
}
|
||||||
|
@ -803,7 +803,7 @@ func newCacheEncryptReader(content io.Reader, bucket, object string, metadata ma
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
reader, err := sio.EncryptReader(content, sio.Config{Key: objectEncryptionKey, MinVersion: sio.Version20, CipherSuites: fips.CipherSuitesDARE()})
|
reader, err := sio.EncryptReader(content, sio.Config{Key: objectEncryptionKey, MinVersion: sio.Version20, CipherSuites: fips.DARECiphers()})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, crypto.ErrInvalidCustomerKey
|
return nil, crypto.ErrInvalidCustomerKey
|
||||||
}
|
}
|
||||||
@ -1454,7 +1454,7 @@ func newCachePartEncryptReader(ctx context.Context, bucket, object string, partI
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
reader, err := sio.EncryptReader(content, sio.Config{Key: partEncryptionKey[:], MinVersion: sio.Version20, CipherSuites: fips.CipherSuitesDARE()})
|
reader, err := sio.EncryptReader(content, sio.Config{Key: partEncryptionKey[:], MinVersion: sio.Version20, CipherSuites: fips.DARECiphers()})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, crypto.ErrInvalidCustomerKey
|
return nil, crypto.ErrInvalidCustomerKey
|
||||||
}
|
}
|
||||||
|
@ -406,7 +406,7 @@ func newEncryptReader(content io.Reader, kind crypto.Type, keyID string, key []b
|
|||||||
return nil, crypto.ObjectKey{}, err
|
return nil, crypto.ObjectKey{}, err
|
||||||
}
|
}
|
||||||
|
|
||||||
reader, err := sio.EncryptReader(content, sio.Config{Key: objectEncryptionKey[:], MinVersion: sio.Version20, CipherSuites: fips.CipherSuitesDARE()})
|
reader, err := sio.EncryptReader(content, sio.Config{Key: objectEncryptionKey[:], MinVersion: sio.Version20, CipherSuites: fips.DARECiphers()})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, crypto.ObjectKey{}, crypto.ErrInvalidCustomerKey
|
return nil, crypto.ObjectKey{}, crypto.ErrInvalidCustomerKey
|
||||||
}
|
}
|
||||||
@ -553,7 +553,7 @@ func newDecryptReaderWithObjectKey(client io.Reader, objectEncryptionKey []byte,
|
|||||||
reader, err := sio.DecryptReader(client, sio.Config{
|
reader, err := sio.DecryptReader(client, sio.Config{
|
||||||
Key: objectEncryptionKey,
|
Key: objectEncryptionKey,
|
||||||
SequenceNumber: seqNumber,
|
SequenceNumber: seqNumber,
|
||||||
CipherSuites: fips.CipherSuitesDARE(),
|
CipherSuites: fips.DARECiphers(),
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, crypto.ErrInvalidCustomerKey
|
return nil, crypto.ErrInvalidCustomerKey
|
||||||
|
@ -2622,7 +2622,7 @@ func (api objectAPIHandlers) CopyObjectPartHandler(w http.ResponseWriter, r *htt
|
|||||||
copy(objectEncryptionKey[:], key)
|
copy(objectEncryptionKey[:], key)
|
||||||
|
|
||||||
partEncryptionKey := objectEncryptionKey.DerivePartKey(uint32(partID))
|
partEncryptionKey := objectEncryptionKey.DerivePartKey(uint32(partID))
|
||||||
encReader, err := sio.EncryptReader(reader, sio.Config{Key: partEncryptionKey[:], CipherSuites: fips.CipherSuitesDARE()})
|
encReader, err := sio.EncryptReader(reader, sio.Config{Key: partEncryptionKey[:], CipherSuites: fips.DARECiphers()})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
|
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
|
||||||
return
|
return
|
||||||
@ -2885,7 +2885,7 @@ func (api objectAPIHandlers) PutObjectPartHandler(w http.ResponseWriter, r *http
|
|||||||
// We add a buffer on bigger files to reduce the number of syscalls upstream.
|
// We add a buffer on bigger files to reduce the number of syscalls upstream.
|
||||||
in = bufio.NewReaderSize(hashReader, encryptBufferSize)
|
in = bufio.NewReaderSize(hashReader, encryptBufferSize)
|
||||||
}
|
}
|
||||||
reader, err = sio.EncryptReader(in, sio.Config{Key: partEncryptionKey[:], CipherSuites: fips.CipherSuitesDARE()})
|
reader, err = sio.EncryptReader(in, sio.Config{Key: partEncryptionKey[:], CipherSuites: fips.DARECiphers()})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
|
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
|
||||||
return
|
return
|
||||||
|
@ -206,15 +206,15 @@ func serverHandleCmdArgs(ctx *cli.Context) {
|
|||||||
// allow transport to be HTTP/1.1 for proxying.
|
// allow transport to be HTTP/1.1 for proxying.
|
||||||
globalProxyTransport = newCustomHTTPProxyTransport(&tls.Config{
|
globalProxyTransport = newCustomHTTPProxyTransport(&tls.Config{
|
||||||
RootCAs: globalRootCAs,
|
RootCAs: globalRootCAs,
|
||||||
CipherSuites: fips.CipherSuitesTLS(),
|
CipherSuites: fips.TLSCiphers(),
|
||||||
CurvePreferences: fips.EllipticCurvesTLS(),
|
CurvePreferences: fips.TLSCurveIDs(),
|
||||||
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
|
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
|
||||||
}, rest.DefaultTimeout)()
|
}, rest.DefaultTimeout)()
|
||||||
globalProxyEndpoints = GetProxyEndpoints(globalEndpoints)
|
globalProxyEndpoints = GetProxyEndpoints(globalEndpoints)
|
||||||
globalInternodeTransport = newInternodeHTTPTransport(&tls.Config{
|
globalInternodeTransport = newInternodeHTTPTransport(&tls.Config{
|
||||||
RootCAs: globalRootCAs,
|
RootCAs: globalRootCAs,
|
||||||
CipherSuites: fips.CipherSuitesTLS(),
|
CipherSuites: fips.TLSCiphers(),
|
||||||
CurvePreferences: fips.EllipticCurvesTLS(),
|
CurvePreferences: fips.TLSCurveIDs(),
|
||||||
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
|
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
|
||||||
}, rest.DefaultTimeout)()
|
}, rest.DefaultTimeout)()
|
||||||
|
|
||||||
|
13
cmd/utils.go
13
cmd/utils.go
@ -1067,17 +1067,12 @@ func newTLSConfig(getCert certs.GetCertificateFunc) *tls.Config {
|
|||||||
tlsConfig.ClientAuth = tls.RequestClientCert
|
tlsConfig.ClientAuth = tls.RequestClientCert
|
||||||
}
|
}
|
||||||
|
|
||||||
secureCiphers := env.Get(api.EnvAPISecureCiphers, config.EnableOn) == config.EnableOn
|
if secureCiphers := env.Get(api.EnvAPISecureCiphers, config.EnableOn) == config.EnableOn; secureCiphers {
|
||||||
if secureCiphers || fips.Enabled {
|
tlsConfig.CipherSuites = fips.TLSCiphers()
|
||||||
// Hardened ciphers
|
|
||||||
tlsConfig.CipherSuites = fips.CipherSuitesTLS()
|
|
||||||
tlsConfig.CurvePreferences = fips.EllipticCurvesTLS()
|
|
||||||
} else {
|
} else {
|
||||||
// Default ciphers while excluding those with security issues
|
tlsConfig.CipherSuites = fips.TLSCiphersBackwardCompatible()
|
||||||
for _, cipher := range tls.CipherSuites() {
|
|
||||||
tlsConfig.CipherSuites = append(tlsConfig.CipherSuites, cipher.ID)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
tlsConfig.CurvePreferences = fips.TLSCurveIDs()
|
||||||
return tlsConfig
|
return tlsConfig
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -96,7 +96,7 @@ func (key ObjectKey) Seal(extKey []byte, iv [32]byte, domain, bucket, object str
|
|||||||
mac.Write([]byte(SealAlgorithm))
|
mac.Write([]byte(SealAlgorithm))
|
||||||
mac.Write([]byte(path.Join(bucket, object))) // use path.Join for canonical 'bucket/object'
|
mac.Write([]byte(path.Join(bucket, object))) // use path.Join for canonical 'bucket/object'
|
||||||
mac.Sum(sealingKey[:0])
|
mac.Sum(sealingKey[:0])
|
||||||
if n, err := sio.Encrypt(&encryptedKey, bytes.NewReader(key[:]), sio.Config{Key: sealingKey[:], CipherSuites: fips.CipherSuitesDARE()}); n != 64 || err != nil {
|
if n, err := sio.Encrypt(&encryptedKey, bytes.NewReader(key[:]), sio.Config{Key: sealingKey[:], CipherSuites: fips.DARECiphers()}); n != 64 || err != nil {
|
||||||
logger.CriticalIf(context.Background(), errors.New("Unable to generate sealed key"))
|
logger.CriticalIf(context.Background(), errors.New("Unable to generate sealed key"))
|
||||||
}
|
}
|
||||||
sealedKey := SealedKey{
|
sealedKey := SealedKey{
|
||||||
@ -121,12 +121,12 @@ func (key *ObjectKey) Unseal(extKey []byte, sealedKey SealedKey, domain, bucket,
|
|||||||
mac.Write([]byte(domain))
|
mac.Write([]byte(domain))
|
||||||
mac.Write([]byte(SealAlgorithm))
|
mac.Write([]byte(SealAlgorithm))
|
||||||
mac.Write([]byte(path.Join(bucket, object))) // use path.Join for canonical 'bucket/object'
|
mac.Write([]byte(path.Join(bucket, object))) // use path.Join for canonical 'bucket/object'
|
||||||
unsealConfig = sio.Config{MinVersion: sio.Version20, Key: mac.Sum(nil), CipherSuites: fips.CipherSuitesDARE()}
|
unsealConfig = sio.Config{MinVersion: sio.Version20, Key: mac.Sum(nil), CipherSuites: fips.DARECiphers()}
|
||||||
case InsecureSealAlgorithm:
|
case InsecureSealAlgorithm:
|
||||||
sha := sha256.New()
|
sha := sha256.New()
|
||||||
sha.Write(extKey)
|
sha.Write(extKey)
|
||||||
sha.Write(sealedKey.IV[:])
|
sha.Write(sealedKey.IV[:])
|
||||||
unsealConfig = sio.Config{MinVersion: sio.Version10, Key: sha.Sum(nil), CipherSuites: fips.CipherSuitesDARE()}
|
unsealConfig = sio.Config{MinVersion: sio.Version10, Key: sha.Sum(nil), CipherSuites: fips.DARECiphers()}
|
||||||
}
|
}
|
||||||
|
|
||||||
if out, err := sio.DecryptBuffer(key[:0], sealedKey.Key[:], unsealConfig); len(out) != 32 || err != nil {
|
if out, err := sio.DecryptBuffer(key[:0], sealedKey.Key[:], unsealConfig); len(out) != 32 || err != nil {
|
||||||
@ -157,7 +157,7 @@ func (key ObjectKey) SealETag(etag []byte) []byte {
|
|||||||
var buffer bytes.Buffer
|
var buffer bytes.Buffer
|
||||||
mac := hmac.New(sha256.New, key[:])
|
mac := hmac.New(sha256.New, key[:])
|
||||||
mac.Write([]byte("SSE-etag"))
|
mac.Write([]byte("SSE-etag"))
|
||||||
if _, err := sio.Encrypt(&buffer, bytes.NewReader(etag), sio.Config{Key: mac.Sum(nil), CipherSuites: fips.CipherSuitesDARE()}); err != nil {
|
if _, err := sio.Encrypt(&buffer, bytes.NewReader(etag), sio.Config{Key: mac.Sum(nil), CipherSuites: fips.DARECiphers()}); err != nil {
|
||||||
logger.CriticalIf(context.Background(), errors.New("Unable to encrypt ETag using object key"))
|
logger.CriticalIf(context.Background(), errors.New("Unable to encrypt ETag using object key"))
|
||||||
}
|
}
|
||||||
return buffer.Bytes()
|
return buffer.Bytes()
|
||||||
@ -173,5 +173,5 @@ func (key ObjectKey) UnsealETag(etag []byte) ([]byte, error) {
|
|||||||
}
|
}
|
||||||
mac := hmac.New(sha256.New, key[:])
|
mac := hmac.New(sha256.New, key[:])
|
||||||
mac.Write([]byte("SSE-etag"))
|
mac.Write([]byte("SSE-etag"))
|
||||||
return sio.DecryptBuffer(make([]byte, 0, len(etag)), etag, sio.Config{Key: mac.Sum(nil), CipherSuites: fips.CipherSuitesDARE()})
|
return sio.DecryptBuffer(make([]byte, 0, len(etag)), etag, sio.Config{Key: mac.Sum(nil), CipherSuites: fips.DARECiphers()})
|
||||||
}
|
}
|
||||||
|
@ -96,7 +96,7 @@ func unsealObjectKey(clientKey []byte, metadata map[string]string, bucket, objec
|
|||||||
// EncryptSinglePart encrypts an io.Reader which must be the
|
// EncryptSinglePart encrypts an io.Reader which must be the
|
||||||
// the body of a single-part PUT request.
|
// the body of a single-part PUT request.
|
||||||
func EncryptSinglePart(r io.Reader, key ObjectKey) io.Reader {
|
func EncryptSinglePart(r io.Reader, key ObjectKey) io.Reader {
|
||||||
r, err := sio.EncryptReader(r, sio.Config{MinVersion: sio.Version20, Key: key[:], CipherSuites: fips.CipherSuitesDARE()})
|
r, err := sio.EncryptReader(r, sio.Config{MinVersion: sio.Version20, Key: key[:], CipherSuites: fips.DARECiphers()})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.CriticalIf(context.Background(), errors.New("Unable to encrypt io.Reader using object key"))
|
logger.CriticalIf(context.Background(), errors.New("Unable to encrypt io.Reader using object key"))
|
||||||
}
|
}
|
||||||
@ -118,7 +118,7 @@ func DecryptSinglePart(w io.Writer, offset, length int64, key ObjectKey) io.Writ
|
|||||||
const PayloadSize = 1 << 16 // DARE 2.0
|
const PayloadSize = 1 << 16 // DARE 2.0
|
||||||
w = ioutil.LimitedWriter(w, offset%PayloadSize, length)
|
w = ioutil.LimitedWriter(w, offset%PayloadSize, length)
|
||||||
|
|
||||||
decWriter, err := sio.DecryptWriter(w, sio.Config{Key: key[:], CipherSuites: fips.CipherSuitesDARE()})
|
decWriter, err := sio.DecryptWriter(w, sio.Config{Key: key[:], CipherSuites: fips.DARECiphers()})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.CriticalIf(context.Background(), errors.New("Unable to decrypt io.Writer using object key"))
|
logger.CriticalIf(context.Background(), errors.New("Unable to decrypt io.Writer using object key"))
|
||||||
}
|
}
|
||||||
|
@ -340,7 +340,7 @@ func Decrypt(key []byte, etag ETag) (ETag, error) {
|
|||||||
plaintext := make([]byte, 0, 16)
|
plaintext := make([]byte, 0, 16)
|
||||||
etag, err := sio.DecryptBuffer(plaintext, etag, sio.Config{
|
etag, err := sio.DecryptBuffer(plaintext, etag, sio.Config{
|
||||||
Key: decryptionKey,
|
Key: decryptionKey,
|
||||||
CipherSuites: fips.CipherSuitesDARE(),
|
CipherSuites: fips.DARECiphers(),
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -32,7 +32,11 @@
|
|||||||
// [1]: https://en.wikipedia.org/wiki/FIPS_140
|
// [1]: https://en.wikipedia.org/wiki/FIPS_140
|
||||||
package fips
|
package fips
|
||||||
|
|
||||||
import "crypto/tls"
|
import (
|
||||||
|
"crypto/tls"
|
||||||
|
|
||||||
|
"github.com/minio/sio"
|
||||||
|
)
|
||||||
|
|
||||||
// Enabled indicates whether cryptographic primitives,
|
// Enabled indicates whether cryptographic primitives,
|
||||||
// like AES or SHA-256, are implemented using a FIPS 140
|
// like AES or SHA-256, are implemented using a FIPS 140
|
||||||
@ -42,20 +46,101 @@ import "crypto/tls"
|
|||||||
// primitives must be used.
|
// primitives must be used.
|
||||||
const Enabled = enabled
|
const Enabled = enabled
|
||||||
|
|
||||||
// CipherSuitesDARE returns the supported cipher suites
|
// DARECiphers returns a list of supported cipher suites
|
||||||
// for the DARE object encryption.
|
// for the DARE object encryption.
|
||||||
func CipherSuitesDARE() []byte {
|
func DARECiphers() []byte {
|
||||||
return cipherSuitesDARE()
|
if Enabled {
|
||||||
|
return []byte{sio.AES_256_GCM}
|
||||||
|
}
|
||||||
|
return []byte{sio.AES_256_GCM, sio.CHACHA20_POLY1305}
|
||||||
}
|
}
|
||||||
|
|
||||||
// CipherSuitesTLS returns the supported cipher suites
|
// TLSCiphers returns a list of supported TLS transport
|
||||||
// used by the TLS stack.
|
// cipher suite IDs.
|
||||||
func CipherSuitesTLS() []uint16 {
|
//
|
||||||
return cipherSuitesTLS()
|
// The list contains only ciphers that use AES-GCM or
|
||||||
|
// (non-FIPS) CHACHA20-POLY1305 and ellitpic curve key
|
||||||
|
// exchange.
|
||||||
|
func TLSCiphers() []uint16 {
|
||||||
|
if Enabled {
|
||||||
|
return []uint16{
|
||||||
|
tls.TLS_AES_128_GCM_SHA256, // TLS 1.3
|
||||||
|
tls.TLS_AES_256_GCM_SHA384,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // TLS 1.2
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return []uint16{
|
||||||
|
tls.TLS_CHACHA20_POLY1305_SHA256, // TLS 1.3
|
||||||
|
tls.TLS_AES_128_GCM_SHA256,
|
||||||
|
tls.TLS_AES_256_GCM_SHA384,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, // TLS 1.2
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// EllipticCurvesTLS returns the supported elliptic
|
// TLSCiphersBackwardCompatible returns a list of supported
|
||||||
// curves used by the TLS stack.
|
// TLS transport cipher suite IDs.
|
||||||
func EllipticCurvesTLS() []tls.CurveID {
|
//
|
||||||
return ellipticCurvesTLS()
|
// In contrast to TLSCiphers, the list contains additional
|
||||||
|
// ciphers for backward compatibility. In particular, AES-CBC
|
||||||
|
// and non-ECDHE ciphers.
|
||||||
|
func TLSCiphersBackwardCompatible() []uint16 {
|
||||||
|
if Enabled {
|
||||||
|
return []uint16{
|
||||||
|
tls.TLS_AES_128_GCM_SHA256, // TLS 1.3
|
||||||
|
tls.TLS_AES_256_GCM_SHA384,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // TLS 1.2 ECDHE GCM
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, // TLS 1.2 ECDHE CBC
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
||||||
|
tls.TLS_RSA_WITH_AES_128_GCM_SHA256, // TLS 1.2 non-ECDHE
|
||||||
|
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
||||||
|
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return []uint16{
|
||||||
|
tls.TLS_CHACHA20_POLY1305_SHA256, // TLS 1.3
|
||||||
|
tls.TLS_AES_128_GCM_SHA256,
|
||||||
|
tls.TLS_AES_256_GCM_SHA384,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, // TLS 1.2 ECDHE GCM / POLY1305
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, // TLS 1.2 ECDHE CBC
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
||||||
|
tls.TLS_RSA_WITH_AES_128_GCM_SHA256, // TLS 1.2 non-ECDHE
|
||||||
|
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
||||||
|
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// TLSCurveIDs returns a list of supported elliptic curve IDs
|
||||||
|
// in preference order.
|
||||||
|
func TLSCurveIDs() []tls.CurveID {
|
||||||
|
// TODO(aead): Once MinIO switches to Go 1.18
|
||||||
|
// enable CurveP384 and CurveP512.
|
||||||
|
//
|
||||||
|
// See: https://go.dev/doc/go1.18 Changes to crypto/elliptic
|
||||||
|
|
||||||
|
if Enabled {
|
||||||
|
return []tls.CurveID{tls.CurveP256}
|
||||||
|
}
|
||||||
|
return []tls.CurveID{tls.X25519, tls.CurveP256}
|
||||||
}
|
}
|
||||||
|
@ -20,29 +20,4 @@
|
|||||||
|
|
||||||
package fips
|
package fips
|
||||||
|
|
||||||
import (
|
|
||||||
"crypto/tls"
|
|
||||||
|
|
||||||
"github.com/minio/sio"
|
|
||||||
)
|
|
||||||
|
|
||||||
const enabled = true
|
const enabled = true
|
||||||
|
|
||||||
func cipherSuitesDARE() []byte {
|
|
||||||
return []byte{sio.AES_256_GCM}
|
|
||||||
}
|
|
||||||
|
|
||||||
func cipherSuitesTLS() []uint16 {
|
|
||||||
return []uint16{
|
|
||||||
tls.TLS_AES_128_GCM_SHA256,
|
|
||||||
tls.TLS_AES_256_GCM_SHA384,
|
|
||||||
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
||||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
||||||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
||||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func ellipticCurvesTLS() []tls.CurveID {
|
|
||||||
return []tls.CurveID{tls.CurveP256}
|
|
||||||
}
|
|
||||||
|
@ -20,32 +20,4 @@
|
|||||||
|
|
||||||
package fips
|
package fips
|
||||||
|
|
||||||
import (
|
|
||||||
"crypto/tls"
|
|
||||||
|
|
||||||
"github.com/minio/sio"
|
|
||||||
)
|
|
||||||
|
|
||||||
const enabled = false
|
const enabled = false
|
||||||
|
|
||||||
func cipherSuitesDARE() []byte {
|
|
||||||
return []byte{sio.AES_256_GCM, sio.CHACHA20_POLY1305}
|
|
||||||
}
|
|
||||||
|
|
||||||
func cipherSuitesTLS() []uint16 {
|
|
||||||
return []uint16{
|
|
||||||
tls.TLS_CHACHA20_POLY1305_SHA256,
|
|
||||||
tls.TLS_AES_128_GCM_SHA256,
|
|
||||||
tls.TLS_AES_256_GCM_SHA384,
|
|
||||||
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
|
||||||
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
|
||||||
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
||||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
||||||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
||||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func ellipticCurvesTLS() []tls.CurveID {
|
|
||||||
return []tls.CurveID{tls.X25519, tls.CurveP256}
|
|
||||||
}
|
|
||||||
|
Loading…
x
Reference in New Issue
Block a user