Make the digest algorithm configurable and default to SHA2 under FIPS…

…-mode. Signed-off-by: Noah Kantrowitz <noah@coderanger.net>
chef · Apr 19, 2018 · b198b77 · b198b77
1 parent 5e20670
commit b198b77
Showing 1 changed file with 22 additions and 5 deletions.
diff --git a/lib/ohai/plugins/shard.rb b/lib/ohai/plugins/shard.rb
@@ -18,12 +18,8 @@
 
 Ohai.plugin(:ShardSeed) do
   require "openssl"
-  require "digest/md5"
   depends "hostname", "dmi", "machine_id", "machinename"
   provides "shard_seed"
-  # Disable this plugin by default under FIPS mode because even though we aren't
-  # using MD5 for cryptography, it will still throw up an error.
-  optional true if defined?(OpenSSL.fips_mode) && OpenSSL.fips_mode
 
   def get_dmi_property(dmi, thing)
     %w{system base_board chassis}.each do |section|
@@ -37,6 +33,27 @@ def default_sources
     [:machinename, :serial, :uuid]
   end
 
+  def default_digest_algorithm
+    if defined?(OpenSSL.fips_mode) && OpenSSL.fips_mode
+      # Even though it is being used safely, FIPS-mode will still blow up on
+      # any use of MD5 so default to SHA2 instead.
+      "sha256"
+    else
+      "md5"
+    end
+  end
+
+  def digest_algorithm
+    case Ohai.config[:plugin][:shard_seed][:digest_algorithm] || default_digest_algorithm
+    when "md5"
+      require "digest/md5"
+      Digest::MD5
+    when "sha256"
+      require "digest/sha2"
+      Digest::SHA256
+    end
+  end
+
   # Common sources go here. Put sources that need to be different per-platform
   # under their collect_data block.
   def create_seed(&block)
@@ -56,7 +73,7 @@ def create_seed(&block)
                 yield(src)
               end
     end
-    shard_seed Digest::MD5.hexdigest(data)[0...7].to_i(16)
+    shard_seed digest_algorithm.hexdigest(data)[0...7].to_i(16)
   end
 
   collect_data(:darwin) do