Enable FIPS mode for digest algorithms
What does this MR do and why?
FIPS requires the use of a FIPS-validated cryptographic module. The Ruby Digest implementations are not FIPS-validated; we must use the OpenSSL implementations instead.
Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/360174
How to validate locally
Run:
FIPS_MODE=true bin/rails c
Loading development environment (Rails 6.1.4.7)
[1] pry(main)> Digest::SHA256
=> OpenSSL::Digest::SHA256
[2] pry(main)> Digest::SHA2
=> OpenSSL::Digest::SHA256
[3] pry(main)> Digest::SHA384
=> OpenSSL::Digest::SHA384
[4] pry(main)> Digest::SHA512
=> OpenSSL::Digest::SHA512
[5] pry(main)> Digest::SHA256.hexdigest('hello world')
=> "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Stan Hu
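One way the constant swap shown in the console session could be done, as an added example that is not GitLab's code or part of this MR. The `FipsDigestSwap` module and its methods are hypothetical names; the only inputs taken from the page are the `FIPS_MODE=true` variable and the class mapping.

```ruby
require 'digest'
require 'digest/sha2' # define SHA2/SHA256/SHA384/SHA512 now instead of via autoload
require 'openssl'

# Hypothetical helper (not GitLab's code): repoints Digest::SHA* at OpenSSL::Digest.
module FipsDigestSwap
  # Same mapping the console session shows, including SHA2 => SHA256.
  MAPPING = {
    SHA256: OpenSSL::Digest::SHA256,
    SHA2:   OpenSSL::Digest::SHA256,
    SHA384: OpenSSL::Digest::SHA384,
    SHA512: OpenSSL::Digest::SHA512
  }.freeze
  SAMPLE = 'hello world' # constructed test input, same string as the session

  # Assumption: the FIPS_MODE=true variable from the page is the only switch.
  def self.enabled?(env = ENV)
    env['FIPS_MODE'] == 'true'
  end

  # Swap each constant, refusing if the replacement would change any hash
  # output (stored digests and cache keys must stay stable). Returns the
  # names that were swapped; a second call returns [].
  def self.apply!(target = ::Digest)
    MAPPING.each_with_object([]) do |(name, replacement), swapped|
      current = target.const_get(name)
      next if current.equal?(replacement)

      unless current.hexdigest(SAMPLE) == replacement.hexdigest(SAMPLE)
        raise "#{name}: OpenSSL output differs from Ruby Digest output"
      end

      target.send(:remove_const, name)
      target.const_set(name, replacement)
      swapped << name
    end
  end
end

if FipsDigestSwap.enabled?
  puts "swapped: #{FipsDigestSwap.apply!.inspect}"
end
puts "Digest::SHA256 -> #{Digest::SHA256}"
puts Digest::SHA256.hexdigest(FipsDigestSwap::SAMPLE)
```

The swap only redirects callers to OpenSSL's digest classes; it does not turn on OpenSSL's own FIPS mode.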