author | Matt Wrock <matt@mattwrock.com> | 2016-05-04 15:23:06 -0700 |
---|---|---|
committer | Matt Wrock <matt@mattwrock.com> | 2016-05-04 15:23:06 -0700 |
commit | 11370ea1adf262fe9a3efe7238b7c699246a0d39 (patch) | |
tree | 155812cbe84b93078c921f69bbc4001ff7023aba /chef-config/lib | |
parent | db27c5675c8367fdf5615e507ddd35fac8420710 (diff) | |
parent | 86b95621e77a1037574ba25c723c4b182ff88c5f (diff) | |
Merge pull request #4880 from chef/fipdidydipity
Adds a system check for fips enablement and runs in fips mode if enabled
Diffstat (limited to 'chef-config/lib')
-rw-r--r-- | chef-config/lib/chef-config/config.rb | 6 | ||||
-rw-r--r-- | chef-config/lib/chef-config/fips.rb | 51 |
2 files changed, 56 insertions, 1 deletions
diff --git a/chef-config/lib/chef-config/config.rb b/chef-config/lib/chef-config/config.rb
index e6192c22cb..e237f10412 100644
--- a/chef-config/lib/chef-config/config.rb
+++ b/chef-config/lib/chef-config/config.rb
@@ -22,6 +22,7 @@
 require "mixlib/config"
 require "pathname"
+require "chef-config/fips"
 require "chef-config/logger"
 require "chef-config/windows"
 require "chef-config/path_helper"
@@ -513,7 +514,9 @@ module ChefConfig
 default :recipe_url, nil
 # Set to true if Chef is to set OpenSSL to run in FIPS mode
- default(:fips) { ENV["CHEF_FIPS"] == "1" }
+ default(:fips) do
+ !ENV["CHEF_FIPS"].nil? || ChefConfig.fips?
+ end
 # Initialize openssl
 def self.init_openssl
@@ -966,6 +969,7 @@ module ChefConfig
 Digest.const_set("SHA1", OpenSSL::Digest::SHA1)
 OpenSSL::Digest.send(:remove_const, "MD5") if OpenSSL::Digest.const_defined?("MD5")
 OpenSSL::Digest.const_set("MD5", Digest::MD5)
+ ChefConfig.logger.debug "FIPS mode is enabled."
 end
 end
 end
diff --git a/chef-config/lib/chef-config/fips.rb b/chef-config/lib/chef-config/fips.rb
new file mode 100644
index 0000000000..623ce87686
--- /dev/null
+++ b/chef-config/lib/chef-config/fips.rb
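Review bot: The new default at `default(:fips) do` turns CHEF_FIPS into a presence flag — `!ENV["CHEF_FIPS"].nil?` is true for `CHEF_FIPS=0` and for `CHEF_FIPS=""` — whereas the removed line required the value to be exactly "1", so an operator who exported `CHEF_FIPS=0` to opt out now gets FIPS mode and the digest swapping done in init_openssl instead. If the value is meant to matter, `%w{1 true}.include?(ENV["CHEF_FIPS"]) || ChefConfig.fips?` restores the old contract; if any value is meant to enable it, the comment above the default no longer describes the behaviour and should read something like `# FIPS mode is enabled when CHEF_FIPS is set to any value, or when the host itself reports FIPS enforcement (see ChefConfig.fips?)`. Either way the `|| ChefConfig.fips?` leg means there is no way to run non-FIPS on a FIPS-enforcing host, which matches the PR title but is worth stating in that comment so nobody reaches for the environment variable to turn it off.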
@@ -0,0 +1,51 @@
+#
+# Author:: Matt Wrock (<matt@mattwrock.com>)
+# Copyright:: Copyright (c) 2016 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+ 
+module ChefConfig
+ 
+ def self.fips?
+ if ChefConfig.windows?
+ begin
+ require "win32/registry"
+ rescue LoadError
+ return false
+ end
+ 
+ # from http://msdn.microsoft.com/en-us/library/windows/desktop/aa384129(v=vs.85).aspx
+ reg_type =
+ case ::RbConfig::CONFIG["target_cpu"]
+ when "i386"
+ Win32::Registry::KEY_READ | 0x100
+ when "x86_64"
+ Win32::Registry::KEY_READ | 0x200
+ else
+ Win32::Registry::KEY_READ
+ end
+ begin
+ Win32::Registry::HKEY_LOCAL_MACHINE.open('System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy', reg_type) do |policy|
+ policy["Enabled"] != 0
+ end
+ rescue Win32::Registry::Error
+ false
+ end
+ else
+ fips_path = "/proc/sys/crypto/fips_enabled"
+ File.exist?(fips_path) && File.read(fips_path).chomp != "0"
+ end
+ end
+end |
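Review bot: In the `case ::RbConfig::CONFIG["target_cpu"]` block the `"x86_64"` arm ORs in `0x200`, which on the MSDN page linked just above is KEY_WOW64_32KEY (0x100 is KEY_WOW64_64KEY), so a 64-bit process would be asked for the 32-bit registry view while a 32-bit one reads the 64-bit view — the mapping looks inverted, and I believe 64-bit Windows Ruby builds report `target_cpu` as "x64" rather than "x86_64", which would make that arm dead code anyway. As far as I know HKLM\SYSTEM is not a WOW64-redirected hive, so the alternate-view flags buy nothing here; opening with plain `Win32::Registry::KEY_READ` and dropping the case removes the ambiguity (confirm on a 64-bit host with 32-bit Ruby before relying on it). Separately, `rescue Win32::Registry::Error` returning false means a missing key, a missing "Enabled" value and an access-denied read are all reported as "not FIPS", so on a host whose policy mandates FIPS the non-approved digests stay enabled without any trace; a comment such as `# Any registry failure (missing key/value or access denied) reports non-FIPS; CHEF_FIPS remains the explicit override` plus a debug log in the rescue would make that fail-open path visible. The Linux branch has the mirror-image problem: if `/proc/sys/crypto/fips_enabled` exists but cannot be read, `File.read` raises an Errno out of config loading instead of returning false.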