author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-15 09:08:36 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-15 09:08:36 +0300 |
commit | e75da32ffd5360a31279e28ecd6060e86a6092b3 (patch) | |
tree | ba131bc0656682ad81301c919e2f096966749128 /lib/gitlab/fips.rb | |
parent | ca520489ffe196b194843851148a3d0a17064957 (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/gitlab/fips.rb')
-rw-r--r-- | lib/gitlab/fips.rb | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/lib/gitlab/fips.rb b/lib/gitlab/fips.rb
index 97813f13a91..a7106dd70e9 100644
--- a/lib/gitlab/fips.rb
+++ b/lib/gitlab/fips.rb
@@ -16,6 +16,8 @@ module Gitlab
 Technology.new(:ed25519_sk, SSHData::PublicKey::SKED25519, [256], %w(sk-ssh-ed25519@openssh.com))
 ].freeze
+ OPENSSL_DIGESTS = %i(SHA1 SHA256 SHA384 SHA512).freeze
+
 class << self
 # Returns whether we should be running in FIPS mode or not
 #
@@ -29,6 +31,21 @@ module Gitlab
 false
 end
+
+ # Swap Ruby's Digest::SHAx implementations for OpenSSL::Digest::SHAx.
+ def enable_fips_mode!
+ require 'digest'
+
+ use_openssl_digest(:SHA2, :SHA256)
+ OPENSSL_DIGESTS.each { |alg| use_openssl_digest(alg, alg) }
+ end
+
+ private
+
+ def use_openssl_digest(ruby_algorithm, openssl_algorithm)
+ Digest.send(:remove_const, ruby_algorithm) # rubocop:disable GitlabSecurity/PublicSend
+ Digest.const_set(ruby_algorithm, OpenSSL::Digest.const_get(openssl_algorithm, false))
+ end
 end
 end
 end |
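Review bot: In `use_openssl_digest` (second hunk), `Digest.send(:remove_const, ruby_algorithm)` raises `NameError` when the constant is not defined yet, and `require 'digest'` on its own appears to load `Digest::SHA1`/`SHA2`/`SHA256`/... only lazily on first reference, so `enable_fips_mode!` seems to rely on other code having touched every one of these classes first. A guard such as `Digest.send(:remove_const, ruby_algorithm) if Digest.const_defined?(ruby_algorithm, false)` would make the swap work on a fresh process. Separately, `use_openssl_digest(:SHA2, :SHA256)` replaces a class whose constructor takes a bit length with a fixed 256-bit one, so a caller written as `Digest::SHA2.new(384)` would stop getting SHA-384; that case deserves a comment or a check for such callers. The comment above `enable_fips_mode!` should also state the ordering requirement, for example `# Must run before any code stores a reference to a Digest::SHA* class; references captured earlier keep the non-OpenSSL implementation.`, because objects and constants that already point at the old classes are not affected by the swap. Whether `openssl` is required earlier in the file is not visible from these hunks.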