diff --git a/datadog_checks_base/datadog_checks/base/utils/fips.py b/datadog_checks_base/datadog_checks/base/utils/fips.py
index de24f60b578d8e..36de6c1e3038cc 100644
--- a/datadog_checks_base/datadog_checks/base/utils/fips.py
+++ b/datadog_checks_base/datadog_checks/base/utils/fips.py
@@ -3,42 +3,30 @@ # Licensed under a 3-clause BSD style license (see LICENSE) import os -import sys -import logging -def enable_fips(path_to_openssl_conf: str, path_to_openssl_modules: str): - os.environ["OPENSSL_CONF"] = path_to_openssl_conf - os.environ["OPENSSL_MODULES"] = path_to_openssl_modules +def enable_fips(path_to_openssl_conf=None, path_to_openssl_modules=None): + path_to_embedded = None + if os.getenv("OPENSSL_CONF") is None: + if path_to_openssl_conf is None: + path_to_embedded = _get_embedded_path() if path_to_embedded is None else path_to_embedded + path_to_openssl_conf = path_to_embedded / "ssl" / "openssl.cnf" + if not path_to_openssl_conf.exists(): + raise RuntimeError(f'The configuration file "{path_to_openssl_conf}" does not exist') + os.environ["OPENSSL_CONF"] = str(path_to_openssl_conf) + if os.getenv("OPENSSL_MODULES") is None: + if path_to_openssl_modules is None: + path_to_embedded = _get_embedded_path() if path_to_embedded is None else path_to_embedded + path_to_openssl_modules = path_to_embedded / "lib" / "ossl-modules" + if not path_to_openssl_conf.exists(): + raise RuntimeError(f'The directory "{path_to_openssl_modules}" does not exist') + os.environ["OPENSSL_MODULES"] = str(path_to_openssl_modules) -def _enable_openssl_fips(): - from cffi import FFI - ffi = FFI() - libcrypto = ffi.dlopen("libcrypto-3.dll" if sys.platform == "win32" else "libcrypto.so") - ffi.cdef( """ - int EVP_default_properties_enable_fips(void *ctx, int enable); - """ - ) +def _get_embedded_path(): + import sys + from pathlib import Path - if not libcrypto.EVP_default_properties_enable_fips(ffi.NULL, 1): - raise RuntimeError("Failed to enable FIPS mode in OpenSSL") - else: - logging.info("OpenSSL FIPS mode enabled successfully.") - - -def _enable_cryptography_fips(): - from cryptography.exceptions import InternalError - from cryptography.hazmat.backends import default_backend - - cryptography_backend = default_backend() - try: - cryptography_backend._enable_fips() - 
pass - except InternalError as e: - logging.error("FIPS mode could not be enabled.") - raise e - if not cryptography_backend._fips_enabled: - logging.error("FIPS mode was not enabled successfully.") - raise RuntimeError("FIPS is not enabled.") + embedded_dir = "embedded3" if os.name == 'nt' else "embedded" + return Path(sys.executable.split("embedded")[0] + embedded_dir)
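Review bot: The existence check in the `OPENSSL_MODULES` branch of the new `enable_fips` tests the wrong variable — `if not path_to_openssl_conf.exists():` — so a missing `ossl-modules` directory is never reported, and when `OPENSSL_CONF` is already set in the environment (so `path_to_openssl_conf` stays `None`) the call fails with `AttributeError` instead of the intended `RuntimeError`; the line should read `if not path_to_openssl_modules.exists():`. Relatedly, the old signature accepted plain `str` paths and callers that still pass strings will now hit `AttributeError` on `.exists()`, so both arguments should be coerced with `Path(...)` at the top of the function (moving `from pathlib import Path` to module level, or importing it in `enable_fips` as `_get_embedded_path` does). The security-relevant caveat is that this rewrite drops the runtime verification the removed `_enable_openssl_fips`/`_enable_cryptography_fips` helpers performed: the function now only exports environment variables, which OpenSSL reads at library initialization, so if `ssl`, `hashlib` or `cryptography` were imported before this call the variables have no effect and FIPS is silently not enforced. I would at least document that in a docstring — `"""Point OpenSSL at the FIPS provider config/modules via OPENSSL_CONF/OPENSSL_MODULES. Must run before any OpenSSL-backed module is imported; pre-set environment values are left untouched and FIPS activation is not verified here."""` — and ideally keep a post-condition check, though I can't see from this hunk whether one exists elsewhere in the package. The `_get_embedded_path` heuristic (`sys.executable.split("embedded")[0]`) is presumably only meant for the bundled interpreter; outside it the computed path is wrong and, once the check above is fixed, will correctly raise.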