From 25607e5cf4dec7113182770d2cf771950345922e Mon Sep 17 00:00:00 2001
From: Toshio Kuratomi
Date: Mon, 17 Nov 2014 16:36:49 -0800
Subject: [PATCH] When run in FIPS mode, allow vault to fail only when using legacy format

---
 lib/ansible/utils/vault.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/lib/ansible/utils/vault.py b/lib/ansible/utils/vault.py
index ad2dfab0b76..66f18d5c9ba 100644
--- a/lib/ansible/utils/vault.py
+++ b/lib/ansible/utils/vault.py
@@ -26,9 +26,18 @@ from io import BytesIO
 from subprocess import call
 from ansible import errors
 from hashlib import sha256
+
 # Note: Only used for loading obsolete VaultAES files. All files are written
 # using the newer VaultAES256 which does not require md5
-from hashlib import md5
+try:
+    from hashlib import md5
+except ImportError:
+    try:
+        from md5 import md5
+    except ImportError:
+        # MD5 unavailable. Possibly FIPS mode
+        md5 = None
+
 from binascii import hexlify
 from binascii import unhexlify
 from ansible import constants as C
@@ -358,6 +367,8 @@ class VaultAES(object):
     # http://stackoverflow.com/a/16761459
 
     def __init__(self):
+        if not md5:
+            raise errors.AnsibleError('md5 hash is unavailable (Could be due to FIPS mode). Legacy VaultAES format is unavailable.')
         if not HAS_AES:
             raise errors.AnsibleError(CRYPTO_UPGRADE)
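Review bot: The new fallback in the first hunk only catches ImportError, but on at least some FIPS-enabled interpreter builds `from hashlib import md5` appears to succeed and the disabled digest only fails later, as a ValueError on the first `md5()` call, in which case `md5` is never set to None and the guard this commit adds in VaultAES.__init__ would not fire. I would probe the constructor at import time rather than trust the import alone: keep `from hashlib import md5`, add `md5()  # probe: some FIPS builds import fine but refuse to construct the digest`, and widen the outer handler to `except (ImportError, ValueError):`. The comment `# MD5 unavailable. Possibly FIPS mode` could also name the consequence for the reader, e.g. `# MD5 unavailable (e.g. FIPS mode); legacy VaultAES files cannot be read, VaultAES256 is unaffected`.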
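Review bot: The guard added in the second hunk, `if not md5:`, tests truthiness where the import fallback assigns an explicit `None`; a hash constructor is never falsy, so `if md5 is None:` states the intent precisely and matches the sentinel the module sets. A short why-comment above the check would save the next reader a trip to the top of the module, e.g. `# md5 is None when neither hashlib nor the old md5 module could provide it (FIPS mode); only the legacy VaultAES format depends on it`. The VaultAES class, and possibly the remainder of __init__, continue outside the hunk.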