From 470bca77f265800b983cd2d5d8c6e5abc4249615 Mon Sep 17 00:00:00 2001
From: David Kirov
Date: Fri, 13 Dec 2024 11:09:45 +0100
Subject: [PATCH] Switch from env vars to C bindings
---
 .../datadog_checks/base/checks/base.py | 23 -------------
 .../datadog_checks/base/utils/fips.py | 34 +++++++++++++++++++
 2 files changed, 34 insertions(+), 23 deletions(-)
diff --git a/datadog_checks_base/datadog_checks/base/checks/base.py b/datadog_checks_base/datadog_checks/base/checks/base.py
index d87e4038eab35..738a86252072e 100644
--- a/datadog_checks_base/datadog_checks/base/checks/base.py
+++ b/datadog_checks_base/datadog_checks/base/checks/base.py
@@ -310,29 +310,6 @@ def __init__(self, *args, **kwargs):
 self.__logs_enabled = None
 if os.environ.get("GOFIPS", "0") == "1":
- with open("/opt/datadog-agent/embedded/ssl/openssl.cnf", "w") as f:
- config = """
-config_diagnostics = 1
-openssl_conf = openssl_init
-
-.include /opt/datadog-agent/embedded/ssl/fipsmodule.cnf
-
-[openssl_init]
-providers = provider_sect
-alg_section = algorithm_sect
-
-[provider_sect]
-fips = fips_sect
-base = base_sect
-
-[base_sect]
-activate = 1
-
-[algorithm_sect]
-default_properties = fips=yes
-"""
- f.write(config)
-
 enable_fips(
 path_to_openssl_conf="/opt/datadog-agent/embedded/ssl/openssl.cnf",
 path_to_openssl_modules="/opt/datadog-agent/embedded/lib/ossl-modules",
diff --git a/datadog_checks_base/datadog_checks/base/utils/fips.py b/datadog_checks_base/datadog_checks/base/utils/fips.py
index 4c7004e96999f..de24f60b578d8 100644
--- a/datadog_checks_base/datadog_checks/base/utils/fips.py
+++ b/datadog_checks_base/datadog_checks/base/utils/fips.py
@@ -3,8 +3,42 @@
 # Licensed under a 3-clause BSD style license (see LICENSE)
 import os
+import sys
+import logging
 def enable_fips(path_to_openssl_conf: str, path_to_openssl_modules: str):
 os.environ["OPENSSL_CONF"] = path_to_openssl_conf
 os.environ["OPENSSL_MODULES"] = path_to_openssl_modules
+
+
+def _enable_openssl_fips():
+ from cffi import FFI
+
+ ffi = FFI()
+ libcrypto = ffi.dlopen("libcrypto-3.dll" if sys.platform == "win32" else "libcrypto.so")
+ ffi.cdef( """
+ int EVP_default_properties_enable_fips(void *ctx, int enable);
+ """
+ )
+
+ if not libcrypto.EVP_default_properties_enable_fips(ffi.NULL, 1):
+ raise RuntimeError("Failed to enable FIPS mode in OpenSSL")
+ else:
+ logging.info("OpenSSL FIPS mode enabled successfully.")
+
+
+def _enable_cryptography_fips():
+ from cryptography.exceptions import InternalError
+ from cryptography.hazmat.backends import default_backend
+
+ cryptography_backend = default_backend()
+ try:
+ cryptography_backend._enable_fips()
+ pass
+ except InternalError as e:
+ logging.error("FIPS mode could not be enabled.")
+ raise e
+ if not cryptography_backend._fips_enabled:
+ logging.error("FIPS mode was not enabled successfully.")
+ raise RuntimeError("FIPS is not enabled.")
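Review bot: The success check in `_enable_openssl_fips` only confirms that the `fips=yes` default property query was applied; as far as I know `EVP_default_properties_enable_fips` neither loads nor verifies the FIPS provider, so if the provider module or its config is not loadable the call still returns 1, the "enabled successfully" line is logged, and the failure surfaces later as algorithm-fetch errors instead of this function failing closed. I would add `int OSSL_PROVIDER_available(void *ctx, const char *name);` to the `cdef` and follow the enable call with `if not libcrypto.OSSL_PROVIDER_available(ffi.NULL, b"fips"): raise RuntimeError("OpenSSL FIPS provider is not available")`. The `dlopen` target `"libcrypto.so"` is the unversioned development symlink resolved through the loader's default search path (and 64-bit OpenSSL 3 builds on Windows are normally named `libcrypto-3-x64.dll`, not `libcrypto-3.dll`), so it may bind a libcrypto other than the agent's embedded one; an absolute path to the embedded library, or at least the `libcrypto.so.3` soname, would make explicit which library is being switched into FIPS mode. In `_enable_cryptography_fips` the `pass` after `_enable_fips()` is dead and `raise e` inside the handler should be a bare `raise`; the function also depends on private `cryptography` attributes (`_enable_fips`, `_fips_enabled`), which deserves a comment naming the library version this was verified against.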