
Switch from env vars to C bindings
dkirov-dd committed Dec 16, 2024
1 parent fe18202 commit 470bca7
Showing 2 changed files with 34 additions and 23 deletions.
23 changes: 0 additions & 23 deletions datadog_checks_base/datadog_checks/base/checks/base.py
Expand Up @@ -310,29 +310,6 @@ def __init__(self, *args, **kwargs):
self.__logs_enabled = None

if os.environ.get("GOFIPS", "0") == "1":
with open("/opt/datadog-agent/embedded/ssl/openssl.cnf", "w") as f:
config = """
config_diagnostics = 1
openssl_conf = openssl_init
.include /opt/datadog-agent/embedded/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
alg_section = algorithm_sect
[provider_sect]
fips = fips_sect
base = base_sect
[base_sect]
activate = 1
[algorithm_sect]
default_properties = fips=yes
"""
f.write(config)

enable_fips(
path_to_openssl_conf="/opt/datadog-agent/embedded/ssl/openssl.cnf",
path_to_openssl_modules="/opt/datadog-agent/embedded/lib/ossl-modules",
34 changes: 34 additions & 0 deletions datadog_checks_base/datadog_checks/base/utils/fips.py
Expand Up @@ -3,8 +3,42 @@
# Licensed under a 3-clause BSD style license (see LICENSE)

import os
import sys
import logging


def enable_fips(path_to_openssl_conf: str, path_to_openssl_modules: str):
os.environ["OPENSSL_CONF"] = path_to_openssl_conf
os.environ["OPENSSL_MODULES"] = path_to_openssl_modules


def _enable_openssl_fips():
from cffi import FFI

ffi = FFI()
libcrypto = ffi.dlopen("libcrypto-3.dll" if sys.platform == "win32" else "libcrypto.so")
ffi.cdef( """
int EVP_default_properties_enable_fips(void *ctx, int enable);
"""
)

if not libcrypto.EVP_default_properties_enable_fips(ffi.NULL, 1):
raise RuntimeError("Failed to enable FIPS mode in OpenSSL")
else:
logging.info("OpenSSL FIPS mode enabled successfully.")


def _enable_cryptography_fips():
from cryptography.exceptions import InternalError
from cryptography.hazmat.backends import default_backend

cryptography_backend = default_backend()
try:
cryptography_backend._enable_fips()
pass
except InternalError as e:
logging.error("FIPS mode could not be enabled.")
raise e
if not cryptography_backend._fips_enabled:
logging.error("FIPS mode was not enabled successfully.")
raise RuntimeError("FIPS is not enabled.")
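Review bot: `ffi.dlopen("libcrypto.so")` in `_enable_openssl_fips` resolves the library by bare name, so the dynamic loader opens whichever libcrypto is first on its search path rather than the embedded one the Agent ships (the removed lines in base.py point at `/opt/datadog-agent/embedded/lib`), and on Linux the unversioned `libcrypto.so` name is often only present when development packages are installed. If the libcrypto opened here is not the one the interpreter's `ssl` module is linked against, `EVP_default_properties_enable_fips` succeeds on a library context that no crypto call in this process uses, and the "enabled successfully" log line becomes misleading. I would make the location explicit, e.g. `def _enable_openssl_fips(libcrypto_path: str):` with `libcrypto = ffi.dlopen(libcrypto_path)`, and have the caller pass the embedded path. Separately, `_enable_cryptography_fips` depends on the private `_enable_fips`/`_fips_enabled` attributes of the backend, which deserves a comment recording the `cryptography` version this was verified against, and the stray `pass` after `cryptography_backend._enable_fips()` can be dropped.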
