| field | value | date |
|---|---|---|
| author | Jay Mundrawala <jdmundrawala@gmail.com> | 2016-01-08 11:42:23 -0800 |
| committer | Jay Mundrawala <jdmundrawala@gmail.com> | 2016-01-25 09:51:37 -0800 |
| commit | 8dc7e055ed65453081e60b74b461a2f67c3ec009 (patch) | |
| tree | d640d1481822b0f8c1be60b47cd482fdf97d7624 /chef-config/lib | |
| parent | 0a3affad66cadc1e9a32afc31160cc1304ef331b (diff) | |
| download | chef-8dc7e055ed65453081e60b74b461a2f67c3ec009.tar.gz | |
Do openssl initialization from applications
Some notes:
* Add module overrides for fips
We need to use the SHA1 module under OpenSSL because the openssl
functions called by Digest::SHA1 cause openssl to crash the process.
We use the Digest::MD5 over the OpenSSL::MD5 module because md5
is not allowed when in fips mode and causes the process to crash.
While we work through these issues, we're going to allow it to
pass by compiling the ruby md5 implementation.
* Use OpenSSL::Digest::SHA256 instead of Digest::SHA256
Digest::SHA256 is broken in fips mode because it uses
unapproved APIs. They cause the process to terminate.
Diffstat (limited to 'chef-config/lib')
-rw-r--r-- | chef-config/lib/chef-config/config.rb | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/chef-config/lib/chef-config/config.rb b/chef-config/lib/chef-config/config.rb index 124c5d6464..7bf5d05572 100644 --- a/chef-config/lib/chef-config/config.rb +++ b/chef-config/lib/chef-config/config.rb @@ -27,6 +27,7 @@ require "chef-config/windows" require "chef-config/path_helper" require "mixlib/shellout" require "uri" +require 'openssl' module ChefConfig @@ -453,6 +454,19 @@ module ChefConfig # Set to true if Chef is to set OpenSSL to run in FIPS mode default :openssl_fips, false + # Initialize openssl + def self.init_openssl + if openssl_fips + ChefConfig.logger.warn "The `openssl_fips` is still a work in progress. This feature is incomplete." + OpenSSL.fips_mode = true + require 'digest' + require 'digest/sha1' + require 'digest/md5' + Digest.const_set('SHA1', OpenSSL::Digest::SHA1) + OpenSSL::Digest.const_set('MD5', Digest::MD5) + end + end + # Sets the version of the signed header authentication protocol to use (see # the 'mixlib-authorization' project for more detail). Currently, versions # 1.0, 1.1, and 1.3 are available. |
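Review bot: in the first hunk (`@@ -27,6 +27,7 @@`), the new `require 'openssl'` uses single quotes while every neighbouring require in that block (`require "chef-config/windows"`, `require "mixlib/shellout"`, `require "uri"`) uses double quotes; change it to `require "openssl"` to match the file's style. Loading it unconditionally is fine here, since `init_openssl` below references `OpenSSL.fips_mode=` and `OpenSSL::Digest` and lives in the same file.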
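Review bot: in the second hunk (`@@ -453,6 +454,19 @@`), `Digest.const_set('SHA1', OpenSSL::Digest::SHA1)` and `OpenSSL::Digest.const_set('MD5', Digest::MD5)` each reassign a constant that the preceding `require 'digest/sha1'` and `require 'openssl'` have already defined, so Ruby emits an "already initialized constant" warning at every FIPS-mode start-up, and a second call to `init_openssl` repeats the swap and the warning; remove the old constant first (`Digest.send(:remove_const, :SHA1)` before the `const_set`, and likewise for `OpenSSL::Digest::MD5`) and guard the method so it runs once. The comment `# Initialize openssl` should carry the rationale that is currently only in the commit message (SHA1 routed through `OpenSSL::Digest::SHA1` because the `Digest::SHA1` path crashes the process in FIPS mode; `OpenSSL::Digest::MD5` replaced by `Digest::MD5` because MD5 is not allowed in FIPS mode) plus a tracking reference, because the MD5 override deliberately keeps a non-approved algorithm usable while FIPS mode is on, and a reader of this file should see that this is a temporary exception rather than the intended end state. The logger message "The `openssl_fips` is still a work in progress." is missing a noun; "The `openssl_fips` setting is still a work in progress." reads correctly. Finally, `OpenSSL.fips_mode = true` raises `OpenSSL::OpenSSLError` when the Ruby build or linked OpenSSL lacks FIPS support; failing closed is the right outcome, but consider rescuing it to log a clear message naming the `openssl_fips` setting before re-raising, rather than surfacing a bare backtrace.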