Rework enable_fips for user env var overwrite
dkirov-dd committed Dec 17, 2024
1 parent c624089 commit fd7318a
Showing 1 changed file with 21 additions and 33 deletions.
54 changes: 21 additions & 33 deletions datadog_checks_base/datadog_checks/base/utils/fips.py
Expand Up @@ -3,42 +3,30 @@
# Licensed under a 3-clause BSD style license (see LICENSE)

import os
import sys
import logging


def enable_fips(path_to_openssl_conf: str, path_to_openssl_modules: str):
os.environ["OPENSSL_CONF"] = path_to_openssl_conf
os.environ["OPENSSL_MODULES"] = path_to_openssl_modules
def enable_fips(path_to_openssl_conf=None, path_to_openssl_modules=None):
path_to_embedded = None
if os.getenv("OPENSSL_CONF") is None:
if path_to_openssl_conf is None:
path_to_embedded = _get_embedded_path() if path_to_embedded is None else path_to_embedded
path_to_openssl_conf = path_to_embedded / "ssl" / "openssl.cnf"
if not path_to_openssl_conf.exists():
raise RuntimeError(f'The configuration file "{path_to_openssl_conf}" does not exist')
os.environ["OPENSSL_CONF"] = str(path_to_openssl_conf)

if os.getenv("OPENSSL_MODULES") is None:
if path_to_openssl_modules is None:
path_to_embedded = _get_embedded_path() if path_to_embedded is None else path_to_embedded
path_to_openssl_modules = path_to_embedded / "lib" / "ossl-modules"
if not path_to_openssl_conf.exists():
raise RuntimeError(f'The directory "{path_to_openssl_modules}" does not exist')
os.environ["OPENSSL_MODULES"] = str(path_to_openssl_modules)

def _enable_openssl_fips():
from cffi import FFI

ffi = FFI()
libcrypto = ffi.dlopen("libcrypto-3.dll" if sys.platform == "win32" else "libcrypto.so")
ffi.cdef( """
int EVP_default_properties_enable_fips(void *ctx, int enable);
"""
)
def _get_embedded_path():
import sys
from pathlib import Path

if not libcrypto.EVP_default_properties_enable_fips(ffi.NULL, 1):
raise RuntimeError("Failed to enable FIPS mode in OpenSSL")
else:
logging.info("OpenSSL FIPS mode enabled successfully.")


def _enable_cryptography_fips():
from cryptography.exceptions import InternalError
from cryptography.hazmat.backends import default_backend

cryptography_backend = default_backend()
try:
cryptography_backend._enable_fips()
pass
except InternalError as e:
logging.error("FIPS mode could not be enabled.")
raise e
if not cryptography_backend._fips_enabled:
logging.error("FIPS mode was not enabled successfully.")
raise RuntimeError("FIPS is not enabled.")
embedded_dir = "embedded3" if os.name == 'nt' else "embedded"
return Path(sys.executable.split("embedded")[0] + embedded_dir)

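Review bot: The existence check in the modules branch tests the wrong variable — `if not path_to_openssl_conf.exists():` guards the `ossl-modules` directory, so a missing modules directory is never detected while the error message on the next line names a path that was never checked; it should read `if not path_to_openssl_modules.is_dir():`. The `.exists()` checks also only run inside the `is None` branches, so an explicitly supplied `path_to_openssl_conf` or `path_to_openssl_modules` (a plain `str` from a caller) is exported unchecked; moving the validation after each `is None` block, e.g. `if not Path(path_to_openssl_conf).is_file(): raise RuntimeError(...)`, would cover both cases, though `Path` is currently only imported inside `_get_embedded_path` and would need a module-level import. Since an operator's pre-set `OPENSSL_CONF`/`OPENSSL_MODULES` now takes precedence over the embedded paths, a `logging.info` line stating which source was used would make a non-embedded (and possibly non-FIPS) configuration visible in the logs.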