mirror of
https://github.com/minio/minio.git
synced 2025-05-22 10:01:50 -04:00
1d50cae43d
This commit removes FIPS 140-2 related code for the following reasons: - FIPS 140-2 is a compliance, not a security requirement. Being FIPS 140-2 compliant has no security implication on its own. From a tech. perspetive, a FIPS 140-2 compliant implementation is not necessarily secure and a non-FIPS 140-2 compliant implementation is not necessarily insecure. It depends on the concret design and crypto primitives/constructions used. - The boringcrypto branch used to achieve FIPS 140-2 compliance was never officially supported by the Go team and is now in maintainance mode. It is replaced by a built-in FIPS 140-3 module. It will be removed eventually. Ref: https://github.com/golang/go/issues/69536 - FIPS 140-2 modules are no longer re-certified after Sep. 2026. Ref: https://csrc.nist.gov/projects/cryptographic-module-validation-program Signed-off-by: Andreas Auernhammer <github@aead.dev>
108 lines
3.7 KiB
Go
108 lines
3.7 KiB
Go
// Copyright (c) 2015-2023 MinIO, Inc.
|
|
//
|
|
// This file is part of MinIO Object Storage stack
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
package cmd
|
|
|
|
import (
|
|
"context"
|
|
"crypto/tls"
|
|
"sync/atomic"
|
|
|
|
"github.com/minio/minio/internal/crypto"
|
|
"github.com/minio/minio/internal/grid"
|
|
xhttp "github.com/minio/minio/internal/http"
|
|
"github.com/minio/minio/internal/rest"
|
|
)
|
|
|
|
// globalGrid is the global grid manager.
|
|
var globalGrid atomic.Pointer[grid.Manager]
|
|
|
|
// globalLockGrid is the global lock grid manager.
|
|
var globalLockGrid atomic.Pointer[grid.Manager]
|
|
|
|
// globalGridStart is a channel that will block startup of grid connections until closed.
|
|
var globalGridStart = make(chan struct{})
|
|
|
|
// globalLockGridStart is a channel that will block startup of lock grid connections until closed.
|
|
var globalLockGridStart = make(chan struct{})
|
|
|
|
func initGlobalGrid(ctx context.Context, eps EndpointServerPools) error {
|
|
hosts, local := eps.GridHosts()
|
|
lookupHost := globalDNSCache.LookupHost
|
|
g, err := grid.NewManager(ctx, grid.ManagerOptions{
|
|
// Pass Dialer for websocket grid, make sure we do not
|
|
// provide any DriveOPTimeout() function, as that is not
|
|
// useful over persistent connections.
|
|
Dialer: grid.ConnectWS(
|
|
grid.ContextDialer(xhttp.DialContextWithLookupHost(lookupHost, xhttp.NewInternodeDialContext(rest.DefaultTimeout, globalTCPOptions.ForWebsocket()))),
|
|
newCachedAuthToken(),
|
|
&tls.Config{
|
|
RootCAs: globalRootCAs,
|
|
CipherSuites: crypto.TLSCiphers(),
|
|
CurvePreferences: crypto.TLSCurveIDs(),
|
|
}),
|
|
Local: local,
|
|
Hosts: hosts,
|
|
AuthToken: validateStorageRequestToken,
|
|
AuthFn: newCachedAuthToken(),
|
|
BlockConnect: globalGridStart,
|
|
// Record incoming and outgoing bytes.
|
|
Incoming: globalConnStats.incInternodeInputBytes,
|
|
Outgoing: globalConnStats.incInternodeOutputBytes,
|
|
TraceTo: globalTrace,
|
|
RoutePath: grid.RoutePath,
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
globalGrid.Store(g)
|
|
return nil
|
|
}
|
|
|
|
func initGlobalLockGrid(ctx context.Context, eps EndpointServerPools) error {
|
|
hosts, local := eps.GridHosts()
|
|
lookupHost := globalDNSCache.LookupHost
|
|
g, err := grid.NewManager(ctx, grid.ManagerOptions{
|
|
// Pass Dialer for websocket grid, make sure we do not
|
|
// provide any DriveOPTimeout() function, as that is not
|
|
// useful over persistent connections.
|
|
Dialer: grid.ConnectWSWithRoutePath(
|
|
grid.ContextDialer(xhttp.DialContextWithLookupHost(lookupHost, xhttp.NewInternodeDialContext(rest.DefaultTimeout, globalTCPOptions.ForWebsocket()))),
|
|
newCachedAuthToken(),
|
|
&tls.Config{
|
|
RootCAs: globalRootCAs,
|
|
CipherSuites: crypto.TLSCiphers(),
|
|
CurvePreferences: crypto.TLSCurveIDs(),
|
|
}, grid.RouteLockPath),
|
|
Local: local,
|
|
Hosts: hosts,
|
|
AuthToken: validateStorageRequestToken,
|
|
AuthFn: newCachedAuthToken(),
|
|
BlockConnect: globalGridStart,
|
|
// Record incoming and outgoing bytes.
|
|
Incoming: globalConnStats.incInternodeInputBytes,
|
|
Outgoing: globalConnStats.incInternodeOutputBytes,
|
|
TraceTo: globalTrace,
|
|
RoutePath: grid.RouteLockPath,
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
globalLockGrid.Store(g)
|
|
return nil
|
|
}
|