authorJay Mundrawala <jdmundrawala@gmail.com>2016-01-08 11:42:23 -0800
committerJay Mundrawala <jdmundrawala@gmail.com>2016-01-25 09:51:37 -0800
commit8dc7e055ed65453081e60b74b461a2f67c3ec009 (patch)
treed640d1481822b0f8c1be60b47cd482fdf97d7624
parent0a3affad66cadc1e9a32afc31160cc1304ef331b (diff)
downloadchef-8dc7e055ed65453081e60b74b461a2f67c3ec009.tar.gz
Do openssl initialization from applications
Some notes: * Add module overrides for fips We need to use the SHA1 module under OpenSSL because the openssl functions called by Digest::SHA1 cause openssl to crash the process. We use the Digest::MD5 over the OpenSSL::MD5 module because md5 is not allowed when in fips mode and causes the process to crash. While we work through these issues, we're going to allow it to pass by compiling the ruby md5 implementation. * Use OpenSSL::Digest::SHA256 instead of Digest::SHA256 Digest::SHA256 is broken in fips mode because it uses unapproved APIs. They cause the process to terminate.
-rw-r--r--chef-config/lib/chef-config/config.rb14
-rw-r--r--lib/chef/application.rb1
-rw-r--r--lib/chef/application/apply.rb1
-rw-r--r--lib/chef/knife.rb1
-rw-r--r--spec/support/chef_helpers.rb2
-rw-r--r--spec/unit/application_spec.rb10
6 files changed, 28 insertions, 1 deletions
diff --git a/chef-config/lib/chef-config/config.rb b/chef-config/lib/chef-config/config.rb
index 124c5d6464..7bf5d05572 100644
--- a/chef-config/lib/chef-config/config.rb
+++ b/chef-config/lib/chef-config/config.rb
@@ -27,6 +27,7 @@ require "chef-config/windows"
require "chef-config/path_helper"
require "mixlib/shellout"
require "uri"
+require 'openssl'
module ChefConfig
@@ -453,6 +454,19 @@ module ChefConfig
# Set to true if Chef is to set OpenSSL to run in FIPS mode
default :openssl_fips, false
+ # Initialize openssl
+ def self.init_openssl
+ if openssl_fips
+ ChefConfig.logger.warn "The `openssl_fips` is still a work in progress. This feature is incomplete."
+ OpenSSL.fips_mode = true
+ require 'digest'
+ require 'digest/sha1'
+ require 'digest/md5'
+ Digest.const_set('SHA1', OpenSSL::Digest::SHA1)
+ OpenSSL::Digest.const_set('MD5', Digest::MD5)
+ end
+ end
+
# Sets the version of the signed header authentication protocol to use (see
# the 'mixlib-authorization' project for more detail). Currently, versions
# 1.0, 1.1, and 1.3 are available.
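Review bot: `Digest.const_set('SHA1', OpenSSL::Digest::SHA1)` runs right after `require 'digest/sha1'` has already defined `Digest::SHA1`, so Ruby emits an "already initialized constant" warning on every call, and the same applies to the `OpenSSL::Digest::MD5` swap on the next line; since `init_openssl` is invoked from every `configure_chef` the aliasing is also repeated rather than done once. The two swaps are the security-relevant core of the change (SHA1 is routed through the FIPS-validated provider, MD5 is deliberately routed around it), and the code carries no comment saying why, so the reasoning in the commit message is lost to the next reader. Removing the existing constants before re-binding them, and commenting each swap, would address both; the MD5 comment should make explicit that this keeps a non-approved algorithm reachable while in FIPS mode. `init_openssl` also mixes single-quoted `require`s with the double-quoted ones the file uses above.
```ruby
def self.init_openssl
  if openssl_fips
    ChefConfig.logger.warn "The `openssl_fips` is still a work in progress. This feature is incomplete."
    OpenSSL.fips_mode = true
    require "digest"
    require "digest/sha1"
    require "digest/md5"
    # Digest::SHA1 reaches OpenSSL through non-approved entry points and aborts the
    # process in FIPS mode, so alias it to the OpenSSL::Digest implementation.
    Digest.send(:remove_const, :SHA1) if Digest.const_defined?(:SHA1, false)
    Digest.const_set(:SHA1, OpenSSL::Digest::SHA1)
    # MD5 is not FIPS-approved and OpenSSL::Digest::MD5 aborts the process; until
    # callers stop using MD5, fall back to the pure-Ruby implementation. Note that
    # this keeps a non-approved algorithm available while fips_mode is on.
    OpenSSL::Digest.send(:remove_const, :MD5) if OpenSSL::Digest.const_defined?(:MD5, false)
    OpenSSL::Digest.const_set(:MD5, Digest::MD5)
  end
end
```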
diff --git a/lib/chef/application.rb b/lib/chef/application.rb
index 4562d84a5d..a4d4fc209d 100644
--- a/lib/chef/application.rb
+++ b/lib/chef/application.rb
@@ -84,6 +84,7 @@ class Chef
parse_options
load_config_file
Chef::Config.export_proxies
+ Chef::Config.init_openssl
end
# Parse the config file
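Review bot: `Chef::Config.init_openssl` on the new line can raise `OpenSSL::OpenSSLError` (Ruby's `fips_mode=` raises when the linked OpenSSL was not built with FIPS support or when enabling it fails), and nothing in `configure_chef` catches it, so a user who sets `openssl_fips true` on a non-FIPS build gets a bare backtrace instead of a configuration error. The same applies to the identical calls added in lib/chef/application/apply.rb and lib/chef/knife.rb. Wrapping the call here would be one option, e.g. `rescue OpenSSL::OpenSSLError => e; Chef::Application.fatal!("Unable to enable OpenSSL FIPS mode: #{e.message}", e)`, though handling it once inside `init_openssl` would cover all three callers. Note also that the call runs after `load_config_file`, so anything hashed while the config is loaded still runs outside FIPS mode; a comment stating that ordering constraint would help. `configure_chef` begins outside the hunk.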
diff --git a/lib/chef/application/apply.rb b/lib/chef/application/apply.rb
index f6348a951b..42b2d5fc9a 100644
--- a/lib/chef/application/apply.rb
+++ b/lib/chef/application/apply.rb
@@ -125,6 +125,7 @@ class Chef::Application::Apply < Chef::Application
Chef::Config.merge!(config)
configure_logging
Chef::Config.export_proxies
+ Chef::Config.init_openssl
parse_json
end
diff --git a/lib/chef/knife.rb b/lib/chef/knife.rb
index a070c6c858..5cfcc7182a 100644
--- a/lib/chef/knife.rb
+++ b/lib/chef/knife.rb
@@ -398,6 +398,7 @@ class Chef
merge_configs
apply_computed_config
Chef::Config.export_proxies
+ Chef::Config.init_openssl
# This has to be after apply_computed_config so that Mixlib::Log is configured
Chef::Log.info("Using configuration from #{config[:config_file]}") if config[:config_file]
end
diff --git a/spec/support/chef_helpers.rb b/spec/support/chef_helpers.rb
index a792cd3c5f..cfc876ffd3 100644
--- a/spec/support/chef_helpers.rb
+++ b/spec/support/chef_helpers.rb
@@ -27,7 +27,7 @@ Chef::Config.solo(false)
def sha256_checksum(path)
- Digest::SHA256.hexdigest(File.read(path))
+ OpenSSL::Digest::SHA256.hexdigest(File.read(path))
end
# From Ruby 1.9.2+
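Review bot: `OpenSSL::Digest::SHA256.hexdigest(File.read(path))` reads the file in text mode, which on Windows can translate line endings before hashing and produce a checksum that does not match the on-disk bytes; the change carried this over from the `Digest::SHA256` version rather than fixing it. `OpenSSL::Digest::SHA256.file(path).hexdigest` hashes the raw bytes and avoids loading the whole file into memory. I also do not see a `require "openssl"` in this helper file within the hunk; it presumably arrives via Chef itself, which is worth confirming so the helper does not depend on load order.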
diff --git a/spec/unit/application_spec.rb b/spec/unit/application_spec.rb
index 6a78e5c827..c8f138cdcc 100644
--- a/spec/unit/application_spec.rb
+++ b/spec/unit/application_spec.rb
@@ -136,6 +136,16 @@ describe Chef::Application do
expect(Chef::Config.rspec_ran).to eq("true")
end
+ context "when openssl fips" do
+ before do
+ allow(Chef::Config).to receive(:openssl_fips).and_return(true)
+ end
+
+ it "sets openssl in fips mode" do
+ expect(OpenSSL).to receive(:'fips_mode=').with(true)
+ @app.configure_chef
+ end
+ end
end
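Review bot: The new example stubs only `OpenSSL.fips_mode=`, so when `@app.configure_chef` runs `init_openssl` the `Digest.const_set` / `OpenSSL::Digest.const_set` calls execute against the real modules and leave `Digest::SHA1` and `OpenSSL::Digest::MD5` rebound for every spec that runs afterwards in the same process. Either stub the two `const_set` calls in the `before` block as well, e.g. `allow(Digest).to receive(:const_set)` and `allow(OpenSSL::Digest).to receive(:const_set)`, or restore the original constants in an `after` block. `receive(:'fips_mode=')` can also be written `receive(:fips_mode=)`, matching the symbol style used elsewhere in the spec.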
describe "when there is no config_file defined" do