Switch from env vars to C bindings

datadog_checks_base/datadog_checks/base/checks/base.py

@@ -310,29 +310,6 @@ def __init__(self, *args, **kwargs):
         self.__logs_enabled = None
 
         if os.environ.get("GOFIPS", "0") == "1":
-            with open("/opt/datadog-agent/embedded/ssl/openssl.cnf", "w") as f:
-                config = """
-config_diagnostics = 1
-openssl_conf = openssl_init
-
-.include /opt/datadog-agent/embedded/ssl/fipsmodule.cnf
-
-[openssl_init]
-providers = provider_sect
-alg_section = algorithm_sect
-
-[provider_sect]
-fips = fips_sect
-base = base_sect
-
-[base_sect]
-activate = 1
-
-[algorithm_sect]
-default_properties = fips=yes
-"""
-                f.write(config)
-
             enable_fips(
                 path_to_openssl_conf="/opt/datadog-agent/embedded/ssl/openssl.cnf",
                 path_to_openssl_modules="/opt/datadog-agent/embedded/lib/ossl-modules",

datadog_checks_base/datadog_checks/base/utils/fips.py

@@ -3,8 +3,27 @@
 # Licensed under a 3-clause BSD style license (see LICENSE)
 
 import os
+import sys
+import logging
 
 
 def enable_fips(path_to_openssl_conf: str, path_to_openssl_modules: str):
     os.environ["OPENSSL_CONF"] = path_to_openssl_conf
     os.environ["OPENSSL_MODULES"] = path_to_openssl_modules
+    _enable_cryptography_fips()
+
+
+def _enable_cryptography_fips():
+    from cryptography.exceptions import InternalError
+    from cryptography.hazmat.backends import default_backend
+
+    cryptography_backend = default_backend()
+    try:
+        cryptography_backend._enable_fips()
+        pass
+    except InternalError as e:
+        logging.error("FIPS mode could not be enabled.")
+        raise e
+    if not cryptography_backend._fips_enabled:
+        logging.error("FIPS mode was not enabled successfully.")
+        raise RuntimeError("FIPS is not enabled.")