From 47927df0a46ab8e852bc74b9588f84485cd1be3c Mon Sep 17 00:00:00 2001
From: David Kirov
Date: Fri, 13 Dec 2024 11:09:45 +0100
Subject: [PATCH] Switch from env vars to C bindings

---
 .../datadog_checks/base/checks/base.py | 23 -------------------
 .../datadog_checks/base/utils/fips.py | 19 +++++++++++++++
 2 files changed, 19 insertions(+), 23 deletions(-)

diff --git a/datadog_checks_base/datadog_checks/base/checks/base.py b/datadog_checks_base/datadog_checks/base/checks/base.py
index d87e4038eab35..738a86252072e 100644
--- a/datadog_checks_base/datadog_checks/base/checks/base.py
+++ b/datadog_checks_base/datadog_checks/base/checks/base.py
@@ -310,29 +310,6 @@ def __init__(self, *args, **kwargs):
 self.__logs_enabled = None
 
 if os.environ.get("GOFIPS", "0") == "1":
- with open("/opt/datadog-agent/embedded/ssl/openssl.cnf", "w") as f:
- config = """
-config_diagnostics = 1
-openssl_conf = openssl_init
-
-.include /opt/datadog-agent/embedded/ssl/fipsmodule.cnf
-
-[openssl_init]
-providers = provider_sect
-alg_section = algorithm_sect
-
-[provider_sect]
-fips = fips_sect
-base = base_sect
-
-[base_sect]
-activate = 1
-
-[algorithm_sect]
-default_properties = fips=yes
-"""
- f.write(config)
-
 enable_fips(
 path_to_openssl_conf="/opt/datadog-agent/embedded/ssl/openssl.cnf",
 path_to_openssl_modules="/opt/datadog-agent/embedded/lib/ossl-modules",
diff --git a/datadog_checks_base/datadog_checks/base/utils/fips.py b/datadog_checks_base/datadog_checks/base/utils/fips.py
index 4c7004e96999f..d9de0254e6ab9 100644
--- a/datadog_checks_base/datadog_checks/base/utils/fips.py
+++ b/datadog_checks_base/datadog_checks/base/utils/fips.py
@@ -3,8 +3,27 @@
 # Licensed under a 3-clause BSD style license (see LICENSE)
 import os
+import sys
+import logging
 
 
 def enable_fips(path_to_openssl_conf: str, path_to_openssl_modules: str):
 os.environ["OPENSSL_CONF"] = path_to_openssl_conf
 os.environ["OPENSSL_MODULES"] = path_to_openssl_modules
+ _enable_cryptography_fips()
+
+
+def _enable_cryptography_fips():
+ from cryptography.exceptions import InternalError
+ from cryptography.hazmat.backends import default_backend
+
+ cryptography_backend = default_backend()
+ try:
+ cryptography_backend._enable_fips()
+ pass
+ except InternalError as e:
+ logging.error("FIPS mode could not be enabled.")
+ raise e
+ if not cryptography_backend._fips_enabled:
+ logging.error("FIPS mode was not enabled successfully.")
+ raise RuntimeError("FIPS is not enabled.")
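Review bot: `_enable_cryptography_fips` relies on two private members of cryptography's backend, `_enable_fips()` and `_fips_enabled`, which are not a public API and can be renamed or removed between releases; guard the call with `if not hasattr(cryptography_backend, "_enable_fips"): raise RuntimeError("cryptography backend does not expose FIPS controls")` and add a comment naming the cryptography version this was verified against, so a future upgrade fails loudly instead of with an unrelated `AttributeError`. Setting `OPENSSL_CONF`/`OPENSSL_MODULES` in `enable_fips` only takes effect for an OpenSSL that has not been initialized yet, so if `cryptography` or another OpenSSL consumer was imported before this function runs the provider path and config are presumably not re-read; the docstring for `enable_fips` should state that it must be called before cryptography is first imported. Since base.py no longer writes the config file, the two error messages would be far more useful for operators if they included `path_to_openssl_conf` and `path_to_openssl_modules` rather than a fixed string. Minor: `import sys` is unused, the `pass` after `cryptography_backend._enable_fips()` is dead, `raise e` should be a bare `raise`, and `logging.error` on the root logger should go through a module logger (`logger = logging.getLogger(__name__)`).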