|
|
@ -182,7 +182,7 @@ class VaultEditor(object):
|
|
|
|
def create_file(self):
|
|
|
|
def create_file(self):
|
|
|
|
""" create a new encrypted file """
|
|
|
|
""" create a new encrypted file """
|
|
|
|
|
|
|
|
|
|
|
|
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
|
|
|
|
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
|
|
|
|
raise errors.AnsibleError(CRYPTO_UPGRADE)
|
|
|
|
raise errors.AnsibleError(CRYPTO_UPGRADE)
|
|
|
|
|
|
|
|
|
|
|
|
if os.path.isfile(self.filename):
|
|
|
|
if os.path.isfile(self.filename):
|
|
|
@ -199,7 +199,7 @@ class VaultEditor(object):
|
|
|
|
|
|
|
|
|
|
|
|
def decrypt_file(self):
|
|
|
|
def decrypt_file(self):
|
|
|
|
|
|
|
|
|
|
|
|
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
|
|
|
|
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
|
|
|
|
raise errors.AnsibleError(CRYPTO_UPGRADE)
|
|
|
|
raise errors.AnsibleError(CRYPTO_UPGRADE)
|
|
|
|
|
|
|
|
|
|
|
|
if not os.path.isfile(self.filename):
|
|
|
|
if not os.path.isfile(self.filename):
|
|
|
@ -215,7 +215,7 @@ class VaultEditor(object):
|
|
|
|
|
|
|
|
|
|
|
|
def edit_file(self):
|
|
|
|
def edit_file(self):
|
|
|
|
|
|
|
|
|
|
|
|
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
|
|
|
|
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
|
|
|
|
raise errors.AnsibleError(CRYPTO_UPGRADE)
|
|
|
|
raise errors.AnsibleError(CRYPTO_UPGRADE)
|
|
|
|
|
|
|
|
|
|
|
|
# decrypt to tmpfile
|
|
|
|
# decrypt to tmpfile
|
|
|
@ -245,7 +245,7 @@ class VaultEditor(object):
|
|
|
|
|
|
|
|
|
|
|
|
def encrypt_file(self):
|
|
|
|
def encrypt_file(self):
|
|
|
|
|
|
|
|
|
|
|
|
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
|
|
|
|
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
|
|
|
|
raise errors.AnsibleError(CRYPTO_UPGRADE)
|
|
|
|
raise errors.AnsibleError(CRYPTO_UPGRADE)
|
|
|
|
|
|
|
|
|
|
|
|
if not os.path.isfile(self.filename):
|
|
|
|
if not os.path.isfile(self.filename):
|
|
|
@ -262,7 +262,7 @@ class VaultEditor(object):
|
|
|
|
|
|
|
|
|
|
|
|
def rekey_file(self, new_password):
|
|
|
|
def rekey_file(self, new_password):
|
|
|
|
|
|
|
|
|
|
|
|
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
|
|
|
|
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
|
|
|
|
raise errors.AnsibleError(CRYPTO_UPGRADE)
|
|
|
|
raise errors.AnsibleError(CRYPTO_UPGRADE)
|
|
|
|
|
|
|
|
|
|
|
|
# decrypt
|
|
|
|
# decrypt
|
|
|
@ -420,6 +420,11 @@ class VaultAES256(object):
|
|
|
|
|
|
|
|
|
|
|
|
# http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html
|
|
|
|
# http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def __init__(self):
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if not HAS_PBKDF2 or not HAS_COUNTER or not HAS_HASH:
|
|
|
|
|
|
|
|
raise errors.AnsibleError(CRYPTO_UPGRADE)
|
|
|
|
|
|
|
|
|
|
|
|
def gen_key_initctr(self, password, salt):
|
|
|
|
def gen_key_initctr(self, password, salt):
|
|
|
|
# 16 for AES 128, 32 for AES256
|
|
|
|
# 16 for AES 128, 32 for AES256
|
|
|
|
keylength = 32
|
|
|
|
keylength = 32
|
|
|
@ -432,8 +437,6 @@ class VaultAES256(object):
|
|
|
|
# make two keys and one iv
|
|
|
|
# make two keys and one iv
|
|
|
|
pbkdf2_prf = lambda p, s: HMAC.new(p, s, hash_function).digest()
|
|
|
|
pbkdf2_prf = lambda p, s: HMAC.new(p, s, hash_function).digest()
|
|
|
|
|
|
|
|
|
|
|
|
if not HAS_PBKDF2:
|
|
|
|
|
|
|
|
raise errors.AnsibleError(CRYPTO_UPGRADE)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
derivedkey = PBKDF2(password, salt, dkLen=(2 * keylength) + ivlength,
|
|
|
|
derivedkey = PBKDF2(password, salt, dkLen=(2 * keylength) + ivlength,
|
|
|
|
count=10000, prf=pbkdf2_prf)
|
|
|
|
count=10000, prf=pbkdf2_prf)
|
|
|
@ -460,8 +463,6 @@ class VaultAES256(object):
|
|
|
|
# 1) nbits (integer) - Length of the counter, in bits.
|
|
|
|
# 1) nbits (integer) - Length of the counter, in bits.
|
|
|
|
# 2) initial_value (integer) - initial value of the counter. "iv" from gen_key_initctr
|
|
|
|
# 2) initial_value (integer) - initial value of the counter. "iv" from gen_key_initctr
|
|
|
|
|
|
|
|
|
|
|
|
if not HAS_COUNTER:
|
|
|
|
|
|
|
|
raise errors.AnsibleError(CRYPTO_UPGRADE)
|
|
|
|
|
|
|
|
ctr = Counter.new(128, initial_value=long(iv, 16))
|
|
|
|
ctr = Counter.new(128, initial_value=long(iv, 16))
|
|
|
|
|
|
|
|
|
|
|
|
# AES.new PARAMETERS
|
|
|
|
# AES.new PARAMETERS
|
|
|
@ -497,8 +498,6 @@ class VaultAES256(object):
|
|
|
|
return None
|
|
|
|
return None
|
|
|
|
|
|
|
|
|
|
|
|
# SET THE COUNTER AND THE CIPHER
|
|
|
|
# SET THE COUNTER AND THE CIPHER
|
|
|
|
if not HAS_COUNTER:
|
|
|
|
|
|
|
|
raise errors.AnsibleError(CRYPTO_UPGRADE)
|
|
|
|
|
|
|
|
ctr = Counter.new(128, initial_value=long(iv, 16))
|
|
|
|
ctr = Counter.new(128, initial_value=long(iv, 16))
|
|
|
|
cipher = AES.new(key1, AES.MODE_CTR, counter=ctr)
|
|
|
|
cipher = AES.new(key1, AES.MODE_CTR, counter=ctr)
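Review bot: The new VaultAES256.__init__ guard in the `@ -420,6 +420,11 @@` hunk checks HAS_PBKDF2, HAS_COUNTER and HAS_HASH but not HAS_AES, while the per-method availability checks it replaces are removed from gen_key_initctr and the two cipher methods, and the `@ -497,8 +498,6 @@` hunk still calls `AES.new(key1, AES.MODE_CTR, counter=ctr)`; if the AES import failed, a caller now gets a NameError at that line instead of the CRYPTO_UPGRADE error the VaultEditor methods raise. Unless every VaultAES256 is constructed only after a VaultEditor method has already checked HAS_AES (not visible here), the constructor guard should read `if not HAS_AES or not HAS_PBKDF2 or not HAS_COUNTER or not HAS_HASH:`. Separately, the same flag conjunction is now spelled out in five VaultEditor methods plus __init__, which is exactly why this commit had to touch six sites to add one flag; a single module-level `HAS_CRYPTO = HAS_AES and HAS_COUNTER and HAS_PBKDF2 and HAS_HASH` tested everywhere would make the next missing-dependency flag a one-line change. The method containing the AES.new call starts outside the last hunk.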
|
|
|
|
|
|
|
|
|
|
|
|