
Enable FIPS mode for digest algorithms

Stan Hu requested to merge sh-fips-use-openssl into master

What does this MR do and why?

FIPS requires the use of a FIPS-validated cryptographic module. The Ruby Digest implementations are not FIPS-validated; we must use the OpenSSL implementations instead.

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/360174

How to validate locally

Run:

FIPS_MODE=true bin/rails c
Loading development environment (Rails 6.1.4.7)
[1] pry(main)> Digest::SHA256
=> OpenSSL::Digest::SHA256
[2] pry(main)> Digest::SHA2
=> OpenSSL::Digest::SHA256
[3] pry(main)> Digest::SHA384
=> OpenSSL::Digest::SHA384
[4] pry(main)> Digest::SHA512
=> OpenSSL::Digest::SHA512
[5] pry(main)> Digest::SHA256.hexdigest('hello world')
=> "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Stan Hu
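
The constant mapping shown in the console session above can be reproduced and checked with a small stand-alone script; this is an added example, not the code from this merge request. The `FipsDigestSwap` module and its method names are hypothetical, and it assumes FIPS mode is signalled by `FIPS_MODE=true` in the environment, as in the validation command.

```ruby
require 'digest'
require 'digest/sha2' # load the native classes first so a later require cannot redefine them
require 'openssl'

# Hypothetical helper for illustration; not the code from this merge request.
module FipsDigestSwap
  # Digest constant => OpenSSL class, as shown in the console session above.
  MAPPING = {
    SHA2: OpenSSL::Digest::SHA256,
    SHA256: OpenSSL::Digest::SHA256,
    SHA384: OpenSSL::Digest::SHA384,
    SHA512: OpenSSL::Digest::SHA512
  }.freeze

  # Assumption: FIPS mode is signalled by FIPS_MODE=true in the environment.
  def self.enabled?(env = ENV)
    env['FIPS_MODE'] == 'true'
  end

  # Rebind each Digest constant to its OpenSSL counterpart.
  # Returns true if the swap was applied, false if FIPS mode is off.
  def self.apply!(env = ENV)
    return false unless enabled?(env)

    MAPPING.each do |name, impl|
      Digest.send(:remove_const, name) if Digest.const_defined?(name, false)
      Digest.const_set(name, impl)
    end
    true
  end

  # Constants still bound to a non-OpenSSL class; an empty list means every
  # mapped digest now resolves to OpenSSL.
  def self.unswapped
    MAPPING.reject { |name, impl| Digest.const_get(name).equal?(impl) }.keys
  end
end

if __FILE__ == $PROGRAM_NAME
  FipsDigestSwap.apply!
  puts "all mapped digests use OpenSSL: #{FipsDigestSwap.unswapped.empty?}"
  puts Digest::SHA256.hexdigest('hello world')
end
```

Rebinding the constants only routes hashing through OpenSSL; whether that OpenSSL build is itself a validated module running in FIPS mode has to be checked separately.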
