From 4f5dded4d46abe3644f31d4283e6f543d7f3cec3 Mon Sep 17 00:00:00 2001
From: Andreas Auernhammer
Date: Tue, 23 Jul 2024 12:11:25 +0200
Subject: [PATCH] fips: enforce FIPS-compliant TLS ciphers in FIPS mode (#20131)

This commit enforces FIPS-compliant TLS ciphers in FIPS mode by importing the `fipsonly` module. Otherwise, MinIO still accepts non-FIPS compliant TLS connections.
---
 internal/fips/api.go | 6 +-----
 internal/fips/fips.go | 2 ++
 internal/fips/go19.go | 23 -----------------------
 internal/fips/no_go19.go | 23 -----------------------
 4 files changed, 3 insertions(+), 51 deletions(-)
 delete mode 100644 internal/fips/go19.go
 delete mode 100644 internal/fips/no_go19.go

diff --git a/internal/fips/api.go b/internal/fips/api.go
index debcc1b10..6faefeb7c 100644
--- a/internal/fips/api.go
+++ b/internal/fips/api.go
@@ -138,10 +138,6 @@ func TLSCurveIDs() []tls.CurveID {
 	if !Enabled {
 		curves = append(curves, tls.X25519) // Only enable X25519 in non-FIPS mode
 	}
-	curves = append(curves, tls.CurveP256)
-	if go19 {
-		// With go1.19 enable P384, P521 newer constant time implementations.
-		curves = append(curves, tls.CurveP384, tls.CurveP521)
-	}
+	curves = append(curves, tls.CurveP256, tls.CurveP384, tls.CurveP521)
 	return curves
 }
diff --git a/internal/fips/fips.go b/internal/fips/fips.go
index 94b3ed00c..17fc535aa 100644
--- a/internal/fips/fips.go
+++ b/internal/fips/fips.go
@@ -20,4 +20,6 @@
 package fips
+import _ "crypto/tls/fipsonly"
+
 const enabled = true
diff --git a/internal/fips/go19.go b/internal/fips/go19.go
deleted file mode 100644
index 2f61bcab8..000000000
--- a/internal/fips/go19.go
+++ /dev/null
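Review bot: The new `curves = append(curves, tls.CurveP256, tls.CurveP384, tls.CurveP521)` line drops the only comment that explained why P384 and P521 are safe to advertise, so a reader no longer sees that the list relies on the constant-time implementations Go gained in 1.19 and therefore on the module's minimum toolchain being at least that version (go.mod is not in this patch, so I am assuming it was raised). I would keep the rationale on the line: `curves = append(curves, tls.CurveP256, tls.CurveP384, tls.CurveP521) // NIST curves are FIPS-approved; P384/P521 are constant-time since Go 1.19, the assumed minimum toolchain`. Since the fips.go hunk makes crypto/tls enforce its own curve allow-list in FIPS builds, this list should be kept in agreement with it rather than treated as the sole gate. TLSCurveIDs starts before the hunk; `curves` is declared above the visible lines.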
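Review bot: The blank import `import _ "crypto/tls/fipsonly"` carries a process-wide side effect and a toolchain requirement that the line does not document: the package only exists when the toolchain is built with GOEXPERIMENT=boringcrypto, and once linked it restricts every tls.Config in the binary to FIPS-approved settings regardless of what the caller configured. I would comment it: `// Blank import restricts all TLS configuration in this process to FIPS-approved versions, cipher suites and curves; only builds with GOEXPERIMENT=boringcrypto.` The build constraint on this file sits above the hunk, so please confirm it keeps the import out of non-FIPS builds, where the package has no buildable files and compilation fails. In the boringcrypto toolchains contemporary with this change (before Go 1.24, if I recall correctly) fipsonly also limits negotiation to TLS 1.2 only, which is worth stating in the commit description because TLS 1.3 clients would then be refused by FIPS builds.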
@@ -1,23 +0,0 @@
-// Copyright (c) 2015-2022 MinIO, Inc.
-//
-// This file is part of MinIO Object Storage stack
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-// GNU Affero General Public License for more details.
-//
-// You should have received a copy of the GNU Affero General Public License
-// along with this program. If not, see .
-
-//go:build go1.19
-// +build go1.19
-
-package fips
-
-const go19 = true
diff --git a/internal/fips/no_go19.go b/internal/fips/no_go19.go
deleted file mode 100644
index 5879bf9d7..000000000
--- a/internal/fips/no_go19.go
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright (c) 2015-2022 MinIO, Inc.
-//
-// This file is part of MinIO Object Storage stack
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Affero General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-// GNU Affero General Public License for more details.
-//
-// You should have received a copy of the GNU Affero General Public License
-// along with this program. If not, see .
-
-//go:build !go1.19
-// +build !go1.19
-
-package fips
-
-const go19 = false