From 10522438b74bcdb17cc98b3dafdbd2e966876593 Mon Sep 17 00:00:00 2001
From: Harshavardhana <harsha@minio.io>
Date: Tue, 21 Jun 2022 11:10:50 -0700
Subject: [PATCH] add go1.18 specific curve preferences (#15132)

---
 internal/fips/api.go     | 17 +++++++++--------
 internal/fips/go1.18.go  | 23 +++++++++++++++++++++++
 internal/fips/no_go18.go | 23 +++++++++++++++++++++++
 3 files changed, 55 insertions(+), 8 deletions(-)
 create mode 100644 internal/fips/go1.18.go
 create mode 100644 internal/fips/no_go18.go

diff --git a/internal/fips/api.go b/internal/fips/api.go
index 39acbfa68..cbb64fef3 100644
--- a/internal/fips/api.go
+++ b/internal/fips/api.go
@@ -134,13 +134,14 @@ func TLSCiphersBackwardCompatible() []uint16 {
 // TLSCurveIDs returns a list of supported elliptic curve IDs
 // in preference order.
 func TLSCurveIDs() []tls.CurveID {
-	// TODO(aead): Once MinIO switches to Go 1.18
-	// enable CurveP384 and CurveP512.
-	//
-	// See: https://go.dev/doc/go1.18 Changes to crypto/elliptic
-
-	if Enabled {
-		return []tls.CurveID{tls.CurveP256}
+	curves := []tls.CurveID{tls.CurveP256}
+	if go18 {
+		// With go1.18 enable P384, P521 newer constant time implementations.
+		curves = append(curves, []tls.CurveID{tls.CurveP384, tls.CurveP521}...)
 	}
-	return []tls.CurveID{tls.X25519, tls.CurveP256}
+	if !Enabled {
+		// No-FIPS we enable x25519 as well.
+		curves = append(curves, tls.X25519)
+	}
+	return curves
 }
diff --git a/internal/fips/go1.18.go b/internal/fips/go1.18.go
new file mode 100644
index 000000000..880315f29
--- /dev/null
+++ b/internal/fips/go1.18.go
@@ -0,0 +1,23 @@
+// Copyright (c) 2015-2022 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+//go:build go1.18
+// +build go1.18
+
+package fips
+
+const go18 = true
diff --git a/internal/fips/no_go18.go b/internal/fips/no_go18.go
new file mode 100644
index 000000000..972e0f1f0
--- /dev/null
+++ b/internal/fips/no_go18.go
@@ -0,0 +1,23 @@
+// Copyright (c) 2015-2022 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+//go:build !go1.18
+// +build !go1.18
+
+package fips
+
+const go18 = false