From 0e38f5dfdce83d839e63f40880ffd24aaa4ef1bc Mon Sep 17 00:00:00 2001
From: James Tanner
Date: Wed, 12 Mar 2014 09:38:20 -0400
Subject: [PATCH] Check for hash availability during vault operations
---
 lib/ansible/utils/vault.py | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/lib/ansible/utils/vault.py b/lib/ansible/utils/vault.py
index 6a714fcc85d..62b082a9af4 100644
--- a/lib/ansible/utils/vault.py
+++ b/lib/ansible/utils/vault.py
@@ -182,7 +182,7 @@ class VaultEditor(object):
 def create_file(self):
 """ create a new encrypted file """
- if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
+ if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
 raise errors.AnsibleError(CRYPTO_UPGRADE)
 if os.path.isfile(self.filename):
@@ -199,7 +199,7 @@ class VaultEditor(object):
 def decrypt_file(self):
- if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
+ if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
 raise errors.AnsibleError(CRYPTO_UPGRADE)
 if not os.path.isfile(self.filename):
@@ -215,7 +215,7 @@ class VaultEditor(object):
 def edit_file(self):
- if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
+ if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
 raise errors.AnsibleError(CRYPTO_UPGRADE)
 # decrypt to tmpfile
@@ -245,7 +245,7 @@ class VaultEditor(object):
 def encrypt_file(self):
- if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
+ if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
 raise errors.AnsibleError(CRYPTO_UPGRADE)
 if not os.path.isfile(self.filename):
@@ -262,7 +262,7 @@ class VaultEditor(object):
 def rekey_file(self, new_password):
- if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
+ if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
 raise errors.AnsibleError(CRYPTO_UPGRADE)
 # decrypt
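Review bot: HAS_HASH is referenced on the new side of all five VaultEditor hunks (create_file, decrypt_file, edit_file, encrypt_file, rekey_file) but no hunk in this patch defines it, and the diffstat's 10 insertions are fully accounted for by the visible `+` lines; unless an earlier commit already sets HAS_HASH at the import guard next to HAS_AES/HAS_COUNTER/HAS_PBKDF2, these guards raise NameError instead of the intended AnsibleError(CRYPTO_UPGRADE), so the user never sees the upgrade message. The same four-flag condition is now copied verbatim into five methods, which is exactly why this commit had to touch five places; one module-level helper, e.g. `def _check_crypto():` / `    if not (HAS_AES and HAS_COUNTER and HAS_PBKDF2 and HAS_HASH):` / `        raise errors.AnsibleError(CRYPTO_UPGRADE)`, called at the top of each method keeps future prerequisites in a single place. Each of these methods continues past its hunk.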
@@ -420,6 +420,11 @@ class VaultAES256(object):
 # http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html
+ def __init__(self):
+
+ if not HAS_PBKDF2 or not HAS_COUNTER or not HAS_HASH:
+ raise errors.AnsibleError(CRYPTO_UPGRADE)
+
 def gen_key_initctr(self, password, salt):
 # 16 for AES 128, 32 for AES256
 keylength = 32
@@ -432,8 +437,6 @@ class VaultAES256(object):
 # make two keys and one iv
 pbkdf2_prf = lambda p, s: HMAC.new(p, s, hash_function).digest()
- if not HAS_PBKDF2:
- raise errors.AnsibleError(CRYPTO_UPGRADE)
 derivedkey = PBKDF2(password, salt, dkLen=(2 * keylength) + ivlength, count=10000, prf=pbkdf2_prf)
@@ -460,8 +463,6 @@ class VaultAES256(object):
 # 1) nbits (integer) - Length of the counter, in bits.
 # 2) initial_value (integer) - initial value of the counter. "iv" from gen_key_initctr
- if not HAS_COUNTER:
- raise errors.AnsibleError(CRYPTO_UPGRADE)
 ctr = Counter.new(128, initial_value=long(iv, 16))
 # AES.new PARAMETERS
@@ -497,8 +498,6 @@ class VaultAES256(object):
 return None
 # SET THE COUNTER AND THE CIPHER
- if not HAS_COUNTER:
- raise errors.AnsibleError(CRYPTO_UPGRADE)
 ctr = Counter.new(128, initial_value=long(iv, 16))
 cipher = AES.new(key1, AES.MODE_CTR, counter=ctr)
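Review bot: The new VaultAES256.__init__ checks HAS_PBKDF2, HAS_COUNTER and HAS_HASH but not HAS_AES, even though the -497 hunk still calls `AES.new(key1, AES.MODE_CTR, counter=ctr)` and the VaultEditor guards in this same patch treat HAS_AES as a prerequisite; the condition should read `if not HAS_AES or not HAS_PBKDF2 or not HAS_COUNTER or not HAS_HASH:`. With the per-call guards removed in the -432, -460 and -497 hunks, the PBKDF2 and Counter.new calls are protected only by the constructor, so a subclass that overrides __init__ without calling the base (or any other path that skips it) gets a NameError instead of the upgrade message; that reliance deserves a docstring on __init__, e.g. `"""Fail fast: every method of this cipher assumes the PyCrypto pieces checked here exist."""`. The stray blank line between `def __init__(self):` and the `if` is also out of keeping with the rest of the file. gen_key_initctr, and the encrypt/decrypt bodies in the last two hunks, continue outside their hunks.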