authorGitLab Bot <gitlab-bot@gitlab.com>2022-06-15 09:08:36 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-06-15 09:08:36 +0300
commite75da32ffd5360a31279e28ecd6060e86a6092b3 (patch)
treeba131bc0656682ad81301c919e2f096966749128 /lib/gitlab/fips.rb
parentca520489ffe196b194843851148a3d0a17064957 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/gitlab/fips.rb')
-rw-r--r--lib/gitlab/fips.rb17
1 files changed, 17 insertions, 0 deletions
diff --git a/lib/gitlab/fips.rb b/lib/gitlab/fips.rb
index 97813f13a91..a7106dd70e9 100644
--- a/lib/gitlab/fips.rb
+++ b/lib/gitlab/fips.rb
@@ -16,6 +16,8 @@ module Gitlab
Technology.new(:ed25519_sk, SSHData::PublicKey::SKED25519, [256], %w(sk-ssh-ed25519@openssh.com))
].freeze
+ OPENSSL_DIGESTS = %i(SHA1 SHA256 SHA384 SHA512).freeze
+
class << self
# Returns whether we should be running in FIPS mode or not
#
@@ -29,6 +31,21 @@ module Gitlab
false
end
+
+ # Swap Ruby's Digest::SHAx implementations for OpenSSL::Digest::SHAx.
+ def enable_fips_mode!
+ require 'digest'
+
+ use_openssl_digest(:SHA2, :SHA256)
+ OPENSSL_DIGESTS.each { |alg| use_openssl_digest(alg, alg) }
+ end
+
+ private
+
+ def use_openssl_digest(ruby_algorithm, openssl_algorithm)
+ Digest.send(:remove_const, ruby_algorithm) # rubocop:disable GitlabSecurity/PublicSend
+ Digest.const_set(ruby_algorithm, OpenSSL::Digest.const_get(openssl_algorithm, false))
+ end
end
end
end
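Review bot: `Digest.send(:remove_const, ruby_algorithm)` in `use_openssl_digest` raises NameError when the constant is not yet defined on `Digest`, and the digest library resolves `Digest::SHA1`, `Digest::SHA256` and the others lazily on first reference, so `require 'digest'` alone probably does not define them. Guarding the removal makes the swap independent of load order: `Digest.send(:remove_const, ruby_algorithm) if Digest.const_defined?(ruby_algorithm, false)`. The method also assumes `OpenSSL::Digest` is already loaded, since only `digest` is required here. Separately, the comment above `enable_fips_mode!` could state that only the SHA family is replaced, so `Digest::MD5` stays on Ruby's own implementation and is not routed through OpenSSL by this call.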