1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
|
#
# Copyright:: Copyright (c) 2014 Chef Software, Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This software makes sure that SSL_CERT_FILE environment variable is pointed
# to the bundled CA certificates that ship with omnibus. With this, Chef
# tools can be used with https URLs out of the box.
name "openssl-customization"
source path: "#{project.files_path}/#{name}"
if windows?
dependency "ruby-windows"
else
dependency "ruby"
dependency "rubygems"
end
fips_enabled = (project.overrides[:fips] && project.overrides[:fips][:enabled]) || false
build do
block "Add OpenSSL customization file" do
# gets directories for RbConfig::CONFIG and sanitizes them.
def get_sanitized_rbconfig(config)
ruby = windows_safe_path("#{install_dir}/embedded/bin/ruby")
config_dir = Bundler.with_clean_env do
command_output = %x|#{ruby} -rrbconfig -e "puts RbConfig::CONFIG['#{config}']"|.strip
windows_safe_path(command_output)
end
if config_dir.nil? || config_dir.empty?
raise "could not determine embedded ruby's RbConfig::CONFIG['#{config}']"
end
config_dir
end
fips_additions = [
"OpenSSL.fips_mode = true",
"require 'digest'",
"require 'digest/sha1'",
"Digest::SHA1 = OpenSSL::Digest::SHA1",
"require 'digest/md5'",
"# We're going to use the ruby md5 implementation for now",
"# This will be removed once all our MD5 uses are removed",
"OpenSSL::Digest::MD5 = Digest::MD5",
].join("\n")
if windows?
embedded_ruby_site_dir = get_sanitized_rbconfig('sitelibdir')
embedded_ruby_lib_dir = get_sanitized_rbconfig('rubylibdir')
source_ssl_env_hack = File.join(project_dir, "windows", "ssl_env_hack.rb")
destination_ssl_env_hack = File.join(embedded_ruby_site_dir, "ssl_env_hack.rb")
copy(source_ssl_env_hack, destination_ssl_env_hack)
# Unfortunately there is no patch on windows, but luckily we only need to append a line to the openssl.rb
# to pick up our script which find the CA bundle in omnibus installations and points SSL_CERT_FILE to it
# if it's not already set
source_openssl_rb = File.join(embedded_ruby_lib_dir, "openssl.rb")
File.open(source_openssl_rb, "r+") do |f|
unpatched_openssl_rb = f.read
f.rewind
f.write("\nrequire 'ssl_env_hack'\n")
f.write(unpatched_openssl_rb)
f.write(fips_additions) if fips_enabled
end
else
embedded_ruby_lib_dir = get_sanitized_rbconfig('rubylibdir')
source_openssl_rb = File.join(embedded_ruby_lib_dir, "openssl.rb")
File.open(source_openssl_rb, "r+") do |f|
unpatched_openssl_rb = f.read
f.rewind
f.write(unpatched_openssl_rb)
f.write(fips_additions) if fips_enabled
end
end
end
end
|