53 lines
1.8 KiB
Ruby
53 lines
1.8 KiB
Ruby
# rubocop: disable Naming/FileName
|
|
# frozen_string_literal: true
|
|
|
|
module Gitlab
|
|
class FIPS
|
|
# A simple utility class for FIPS-related helpers
|
|
|
|
Technology = Gitlab::SSHPublicKey::Technology
|
|
|
|
SSH_KEY_TECHNOLOGIES = [
|
|
Technology.new(:rsa, SSHData::PublicKey::RSA, [3072, 4096], %w(ssh-rsa)),
|
|
Technology.new(:dsa, SSHData::PublicKey::DSA, [], %w(ssh-dss)),
|
|
Technology.new(:ecdsa, SSHData::PublicKey::ECDSA, [256, 384, 521], %w(ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521)),
|
|
Technology.new(:ed25519, SSHData::PublicKey::ED25519, [256], %w(ssh-ed25519)),
|
|
Technology.new(:ecdsa_sk, SSHData::PublicKey::SKECDSA, [256], %w(sk-ecdsa-sha2-nistp256@openssh.com)),
|
|
Technology.new(:ed25519_sk, SSHData::PublicKey::SKED25519, [256], %w(sk-ssh-ed25519@openssh.com))
|
|
].freeze
|
|
|
|
OPENSSL_DIGESTS = %i(SHA1 SHA256 SHA384 SHA512).freeze
|
|
|
|
class << self
|
|
# Returns whether we should be running in FIPS mode or not
|
|
#
|
|
# @return [Boolean]
|
|
def enabled?
|
|
# Attempt to auto-detect FIPS mode from OpenSSL
|
|
return true if OpenSSL.fips_mode
|
|
|
|
# Otherwise allow it to be set manually via the env vars
|
|
return true if ENV["FIPS_MODE"] == "true"
|
|
|
|
false
|
|
end
|
|
|
|
# Swap Ruby's Digest::SHAx implementations for OpenSSL::Digest::SHAx.
|
|
def enable_fips_mode!
|
|
require 'digest'
|
|
|
|
use_openssl_digest(:SHA2, :SHA256)
|
|
OPENSSL_DIGESTS.each { |alg| use_openssl_digest(alg, alg) }
|
|
end
|
|
|
|
private
|
|
|
|
def use_openssl_digest(ruby_algorithm, openssl_algorithm)
|
|
Digest.send(:remove_const, ruby_algorithm) # rubocop:disable GitlabSecurity/PublicSend
|
|
Digest.const_set(ruby_algorithm, OpenSSL::Digest.const_get(openssl_algorithm, false))
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
# rubocop: enable Naming/FileName
|