chef-cookbooks / chef_client_updater

Chef Cookbook to update the chef client on nodes
https://supermarket.chef.io/cookbooks/chef_client_updater
Apache License 2.0

Need an option to disable SHA256 hash check #29

Closed DRLDoom closed 7 years ago

DRLDoom commented 7 years ago

Cookbook version

2.0.1

Chef-client version

12.17.44 to 12.20.3

Platform Details

Windows Server 2012 R2 - AWS

Scenario:

Attempting to upgrade Chef-client on a Windows Server 2012 R2.

Steps to Reproduce:

Our systems are hardened per DISA STIGs, which is preventing the SHA256 hash check call in the install PowerShell script.

You can replicate the issue by setting the registry key below to 1. If it is set to 0, the PowerShell SHA256 check will work.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fipsalgorithmpolicy
Enabled = 1

Calling the resource like this:

chef_client_updater 'update chef-client' do
  prevent_downgrade true
  version '12.20.3'
  download_url_override 'https://s3.amazonaws.com/somebucket/chef-client-12.20.3-1-x64.msi'
end

Expected Result:

Successful run with the chef-client being upgraded to 12.20.3.

Actual Result:

---- Begin output of "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -InputFormat None -File "C:/Users/user/AppData/Local/Temp/chef-script20170616-6856-h6zzx.ps1" ----
STDOUT: 
STDERR: C:\Users\user\AppData\Local\Temp\chef-script20170616-6856-h6zzx.ps1 : Exception calling "Create" with "1" argument(s): "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,chef-script20170616-6856-h6zzx.ps1
---- End output of "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -InputFormat None -File "C:/Users/user/AppData/Local/Temp/chef-script20170616-6856-h6zzx.ps1" ----
Ran "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -InputFormat None -File "C:/Users/sysdrl1/AppData/Local/Temp/chef-script20170616-6856-h6zzx.ps1" returned 1

Workaround

For a temporary workaround I am using this:

registry_key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fipsalgorithmpolicy' do
  values [{ name: 'Enabled', type: :dword, data: '0' }]
  action :create
end

lamont-granquist commented 7 years ago

So an option to disable the check seems like the wrong approach here, which will disable security features because of an algorithm issue (with an algorithm which has no actual weaknesses but is just a certificational FIPS issue).

In this case your workaround is a more appropriate workaround and is more in line with official recommendations from microsoft: https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/

There's a bug here though, which is that there definitely are FIPS-compliant SHA256 algorithms that can be used to do this work. It's likely the problem here is entirely certificational and that the particular implementation we're using has not been blessed with FIPS, while other numerically equivalent algorithms are so blessed, and we should be using the latter.

However, this is all a bit over my head, since I'm neither a Windows expert nor a FIPS expert.

lamont-granquist commented 7 years ago

This is where the SHA256 check happens and any fix should probably hit this line (and the similar line somewhat above it):

https://github.com/jvogt/mixlib-install/blob/1c631979e189f2e418025d44342a212778f1a876/lib/mixlib/install/generator/powershell/scripts/install_project.ps1#L103

This bug looks like it discusses this situation:

https://github.com/IdentityServer/IdentityServer3/issues/571

This issue is also now resolved in .Net 4.6.2. Prior to .Net 4.6.2, SHA256.Create() defaulted to using SHA256Managed. In .Net 4.6.2 they changed it to use SHA256Cng. dotnet/roslyn#15939

btm commented 7 years ago

I agree with @lamont-granquist that this should be fixed over in https://github.com/chef/mixlib-install.

It actually is likely to be simply changing

New-Object -TypeName Security.Cryptography.SHA256Managed

to

New-Object -TypeName Security.Cryptography.SHA256Cng

here: https://github.com/chef/mixlib-install/blob/master/lib/mixlib/install/generator/powershell/scripts/helpers.ps1.erb#L144.
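An added example (not code from chef_client_updater or from mixlib-install) showing the point of the two comments above: under FipsAlgorithmPolicy=1 the managed SHA256 implementation refuses to instantiate, while the CNG-backed one computes the same hash and is accepted, so an installer checksum can be verified without turning FIPS mode off. The helper names, the temp file, its contents and the expected digest are constructed for this demo and are not part of the project; a real run would point at the downloaded MSI and the checksum published for that package. Written for Windows PowerShell 5.1 on .NET Framework, where SHA256Cng lives in System.Core.

```powershell
# Added example, not from the cookbook or mixlib-install. Helper names and
# sample data are assumptions made for this demonstration.

function Get-FipsPolicyEnabled {
    # Reads the same key the issue reporter toggles; $true when FIPS mode is on.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $val = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.Enabled -eq 1)
}

function Get-Sha256Hex {
    param([Parameter(Mandatory)][string]$Path)
    # SHA256Cng wraps the CNG provider, which is FIPS-validated on Windows.
    # SHA256Managed is a pure managed implementation and throws
    # InvalidOperationException when FipsAlgorithmPolicy\Enabled is 1.
    $hasher = New-Object -TypeName System.Security.Cryptography.SHA256Cng
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $hasher.ComputeHash($stream)
    } finally {
        $stream.Dispose()
        $hasher.Dispose()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLowerInvariant()
}

function Test-DownloadChecksum {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    # Fail closed: a mismatch aborts the run rather than installing the package.
    $actual = Get-Sha256Hex -Path $Path
    if ($actual -ne $ExpectedSha256.ToLowerInvariant()) {
        throw "SHA256 mismatch for ${Path}: expected $ExpectedSha256, got $actual"
    }
    return $true
}

# Show the failure mode from the issue: on a FIPS-enabled host the managed
# implementation cannot be constructed, while the CNG one used above works.
if (Get-FipsPolicyEnabled) {
    try {
        New-Object -TypeName System.Security.Cryptography.SHA256Managed -ErrorAction Stop | Out-Null
        Write-Host 'SHA256Managed was accepted (unexpected under FIPS policy)'
    } catch {
        Write-Host "SHA256Managed rejected under FIPS policy: $($_.Exception.Message)"
    }
} else {
    Write-Host 'FIPS policy is not enabled on this host'
}

# Constructed sample file so the script runs offline. WriteAllText emits
# UTF-8 without a BOM, so the bytes are exactly "hello", whose SHA256 is a
# well-known test vector.
$sample = Join-Path $env:TEMP 'sha256-fips-demo.bin'
[System.IO.File]::WriteAllText($sample, 'hello')
$expected = '2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824'
if (Test-DownloadChecksum -Path $sample -ExpectedSha256 $expected) {
    Write-Host "Checksum verified with SHA256Cng: $expected"
}
Remove-Item $sample
```

Run it once with FipsAlgorithmPolicy\Enabled set to 1 and once with it set to 0: the SHA256Cng path verifies the file in both cases, which is why swapping the type name in the install script is the fix rather than disabling the check or weakening the host policy.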

btm commented 7 years ago

This should be fixed by https://github.com/chef/mixlib-install/pull/220 when it gets released to omnitruck.