authorJay Mundrawala <jdmundrawala@gmail.com>2016-01-26 14:04:59 -0800
committerJay Mundrawala <jdmundrawala@gmail.com>2016-01-26 14:04:59 -0800
commit58112e1210cac991e7a9cf434c74ece0aa97414d (patch)
treed4a83406aadb8a756ab80f5c1660891ce33842f4 /lib
parent92de2b34aa48daa878e47db2b00d4c669ada1d96 (diff)
parent15ee9bd1b9ff3332d2197e29fffdffff82dda06f (diff)
downloadchef-58112e1210cac991e7a9cf434c74ece0aa97414d.tar.gz
Merge pull request #4287 from chef/jdm/1.3-fips
Default Chef with FIPS OpenSSL to use sign v1.3
Diffstat (limited to 'lib')
-rw-r--r--lib/chef/application.rb1
-rw-r--r--lib/chef/application/apply.rb1
-rw-r--r--lib/chef/application/client.rb7
-rw-r--r--lib/chef/formatters/doc.rb1
-rw-r--r--lib/chef/formatters/minimal.rb3
-rw-r--r--lib/chef/http/authenticator.rb13
-rw-r--r--lib/chef/knife.rb1
-rw-r--r--lib/chef/knife/bootstrap.rb5
-rw-r--r--lib/chef/knife/core/bootstrap_context.rb4
9 files changed, 31 insertions, 5 deletions
diff --git a/lib/chef/application.rb b/lib/chef/application.rb
index 4562d84a5d..a4d4fc209d 100644
--- a/lib/chef/application.rb
+++ b/lib/chef/application.rb
@@ -84,6 +84,7 @@ class Chef
parse_options
load_config_file
Chef::Config.export_proxies
+ Chef::Config.init_openssl
end
# Parse the config file
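Review bot: The new `Chef::Config.init_openssl` call carries no comment explaining why its position matters, and the position is security-relevant: it must come after `load_config_file` so a `fips` value from the config file is honoured, and before anything in the process uses TLS or digests, because any OpenSSL work done earlier ran outside FIPS mode. I'd add `# Must follow load_config_file (fips may be set there) and precede any TLS/digest use; OpenSSL work done before this point is not FIPS-validated.` above the call. If `load_config_file` can itself fetch a config over HTTPS (not visible here), that fetch necessarily runs before FIPS mode is on, which deserves a sentence in the FIPS documentation. The enclosing method starts before this hunk.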
diff --git a/lib/chef/application/apply.rb b/lib/chef/application/apply.rb
index f6348a951b..42b2d5fc9a 100644
--- a/lib/chef/application/apply.rb
+++ b/lib/chef/application/apply.rb
@@ -125,6 +125,7 @@ class Chef::Application::Apply < Chef::Application
Chef::Config.merge!(config)
configure_logging
Chef::Config.export_proxies
+ Chef::Config.init_openssl
parse_json
end
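Review bot: `Chef::Config.init_openssl` is added here, but this PR adds no `--fips` option for chef-apply and, unlike the client, this method merges the CLI `config` straight into `Chef::Config` without loading a config file, so it is not obvious from the hunk how `fips` could ever be true in this code path. If the intent is that chef-apply follows the same `--fips` switch as chef-client, the option is missing; if chef-apply is deliberately left to whatever `Chef::Config[:fips]` already holds, a comment such as `# init_openssl honours Chef::Config[:fips]; chef-apply has no --fips flag, so this only applies when fips was set elsewhere` would stop the next reader from assuming FIPS is reachable here. The enclosing method starts before this hunk.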
diff --git a/lib/chef/application/client.rb b/lib/chef/application/client.rb
index ba357b420d..5b124b60a7 100644
--- a/lib/chef/application/client.rb
+++ b/lib/chef/application/client.rb
@@ -274,6 +274,11 @@ class Chef::Application::Client < Chef::Application
:description => "Whether a local mode (-z) server binds to a port",
:boolean => true
+ option :fips,
+ :long => "--fips",
+ :description => "Enable fips mode",
+ :boolean => true
+
IMMEDIATE_RUN_SIGNAL = "1".freeze
attr_reader :chef_client_json
@@ -287,6 +292,8 @@ class Chef::Application::Client < Chef::Application
set_specific_recipes
+ Chef::Config[:fips] = config[:fips] if config.has_key? :fips
+
Chef::Config[:chef_server_url] = config[:chef_server_url] if config.has_key? :chef_server_url
Chef::Config.local_mode = config[:local_mode] if config.has_key?(:local_mode)
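Review bot: The `Chef::Config[:fips] = config[:fips]` assignment added at the top of this block appears to run after the base-class `reconfigure` (presumably invoked via `super` before this hunk) has already called `Chef::Config.init_openssl`, so it only takes effect if `parse_options`/`load_config_file` in the base class already merged the parsed CLI options into `Chef::Config` — I cannot confirm that from here. If they do not, `--fips` on the command line would set the flag (and trigger the "FIPS 140 mode enabled" banner in the formatters) without ever switching OpenSSL into FIPS mode, which is the worst combination: the log asserts FIPS while the process is not. Please confirm the ordering, or call `Chef::Config.init_openssl` again after this assignment, and add a comment recording why the placement is safe. The enclosing method starts before this hunk.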
diff --git a/lib/chef/formatters/doc.rb b/lib/chef/formatters/doc.rb
index 5510956754..ab450cdeac 100644
--- a/lib/chef/formatters/doc.rb
+++ b/lib/chef/formatters/doc.rb
@@ -43,6 +43,7 @@ class Chef
def run_start(version)
puts_line "Starting Chef Client, version #{version}"
+ puts_line "OpenSSL FIPS 140 mode enabled" if Chef::Config[:fips]
end
def total_resources
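Review bot: The new banner line reports the configuration flag, not whether OpenSSL actually entered FIPS mode, so if `init_openssl` was skipped in some code path or the platform OpenSSL lacks a FIPS module and the failure is handled somewhere I cannot see, the run log would claim a compliance property the process does not have. Since this line is what auditors will grep for, consider conditioning it on the runtime state as well, e.g. `puts_line "OpenSSL FIPS 140 mode enabled" if Chef::Config[:fips] && OpenSSL.fips_mode` (assuming `openssl` is loaded by the time a formatter runs, which I cannot verify from this hunk). The same line is added in the minimal formatter and should be kept in step.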
diff --git a/lib/chef/formatters/minimal.rb b/lib/chef/formatters/minimal.rb
index 2e32968b4b..94fbfd3818 100644
--- a/lib/chef/formatters/minimal.rb
+++ b/lib/chef/formatters/minimal.rb
@@ -29,7 +29,8 @@ class Chef
# Called at the very start of a Chef Run
def run_start(version)
- puts "Starting Chef Client, version #{version}"
+ puts_line "Starting Chef Client, version #{version}"
+ puts_line "OpenSSL FIPS 140 mode enabled" if Chef::Config[:fips]
end
# Called at the end of the Chef run.
diff --git a/lib/chef/http/authenticator.rb b/lib/chef/http/authenticator.rb
index 02074171f8..ab4804c964 100644
--- a/lib/chef/http/authenticator.rb
+++ b/lib/chef/http/authenticator.rb
@@ -47,8 +47,8 @@ class Chef
end
def handle_request(method, url, headers={}, data=false)
- headers.merge!(authentication_headers(method, url, data)) if sign_requests?
headers.merge!({"X-Ops-Server-API-Version" => @api_version})
+ headers.merge!(authentication_headers(method, url, data, headers)) if sign_requests?
[method, url, headers, data]
end
@@ -90,12 +90,17 @@ class Chef
raise Chef::Exceptions::InvalidPrivateKey, msg
end
- def authentication_headers(method, url, json_body=nil)
- request_params = {:http_method => method, :path => url.path, :body => json_body, :host => "#{url.host}:#{url.port}"}
+ def authentication_headers(method, url, json_body=nil, headers=nil)
+ request_params = {
+ :http_method => method,
+ :path => url.path,
+ :body => json_body,
+ :host => "#{url.host}:#{url.port}",
+ :headers => headers,
+ }
request_params[:body] ||= ""
auth_credentials.signature_headers(request_params)
end
-
end
end
end
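Review bot: The new `headers` parameter defaults to `nil` and is passed through unchanged as `:headers => nil`, while `:body` is normalised with `request_params[:body] ||= ""` on the line below; any caller still using the old three-argument form therefore hands `nil` to `signature_headers`, and whether mixlib-authentication tolerates that is not visible here. I'd normalise it the same way, `request_params[:headers] ||= {}`, right after the body line, and document the parameter with `# headers: request headers already set (used to pick the signing protocol version; nil treated as empty)`. The enclosing class continues outside this hunk.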
diff --git a/lib/chef/knife.rb b/lib/chef/knife.rb
index a070c6c858..5cfcc7182a 100644
--- a/lib/chef/knife.rb
+++ b/lib/chef/knife.rb
@@ -398,6 +398,7 @@ class Chef
merge_configs
apply_computed_config
Chef::Config.export_proxies
+ Chef::Config.init_openssl
# This has to be after apply_computed_config so that Mixlib::Log is configured
Chef::Log.info("Using configuration from #{config[:config_file]}") if config[:config_file]
end
diff --git a/lib/chef/knife/bootstrap.rb b/lib/chef/knife/bootstrap.rb
index 23ec98e563..4db6c22f2e 100644
--- a/lib/chef/knife/bootstrap.rb
+++ b/lib/chef/knife/bootstrap.rb
@@ -250,6 +250,11 @@ class Chef
Chef::Config[:knife][:bootstrap_vault_item]
}
+ option :fips,
+ :long => "--fips",
+ :description => "Set openssl to run in fips mode",
+ :boolean => true
+
def initialize(argv=[])
super
@client_builder = Chef::Knife::Bootstrap::ClientBuilder.new(
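Review bot: The new `:fips` option has no config-file fallback, unlike the option immediately above it whose default is read from `Chef::Config[:knife][:bootstrap_vault_item]`, so a `knife[:fips] = true` setting in knife.rb would be silently ignored and operators must remember `--fips` on every bootstrap. For consistency with the neighbouring options, add `:proc => Proc.new { Chef::Config[:knife][:fips] }` to the option (assuming mixlib-cli accepts a `:proc` default on a boolean option the way the adjacent ones do). A compliance switch that is easy to forget is effectively fail-open, so if the omission is intentional it should be stated in the option's `:description`.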
diff --git a/lib/chef/knife/core/bootstrap_context.rb b/lib/chef/knife/core/bootstrap_context.rb
index b0a759dd05..46ade9f00f 100644
--- a/lib/chef/knife/core/bootstrap_context.rb
+++ b/lib/chef/knife/core/bootstrap_context.rb
@@ -120,6 +120,10 @@ validation_client_name "#{@chef_config[:validation_client_name]}"
client_rb << %Q{trusted_certs_dir "/etc/chef/trusted_certs"\n}
end
+ if @config[:fips]
+ client_rb << %Q{fips true\n}
+ end
+
client_rb
end
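Review bot: Only `@config[:fips]` (the `--fips` CLI flag) decides whether `fips true` is written into the node's client.rb; `@chef_config`, which this method already consults for `validation_client_name`, is never checked, so a workstation that itself runs with `fips true` will bootstrap non-FIPS nodes unless the flag is passed every time. If inheriting the workstation setting is acceptable, `if @config[:fips] || @chef_config[:fips]` closes that gap; if it is deliberately CLI-only, a comment such as `# FIPS is opt-in per bootstrap via --fips; the workstation's own fips setting is not propagated` should record the decision. The enclosing method starts before this hunk.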