When run in FIPS mode, allow vault to fail only when using legacy format

pull/7917/merge
Toshio Kuratomi 10 years ago
parent 4ae2d58d72
commit 25607e5cf4

@ -26,9 +26,18 @@ from io import BytesIO
from subprocess import call from subprocess import call
from ansible import errors from ansible import errors
from hashlib import sha256 from hashlib import sha256
# Note: Only used for loading obsolete VaultAES files. All files are written # Note: Only used for loading obsolete VaultAES files. All files are written
# using the newer VaultAES256 which does not require md5 # using the newer VaultAES256 which does not require md5
try:
from hashlib import md5 from hashlib import md5
except ImportError:
try:
from md5 import md5
except ImportError:
# MD5 unavailable. Possibly FIPS mode
md5 = None
from binascii import hexlify from binascii import hexlify
from binascii import unhexlify from binascii import unhexlify
from ansible import constants as C from ansible import constants as C
@ -358,6 +367,8 @@ class VaultAES(object):
# http://stackoverflow.com/a/16761459 # http://stackoverflow.com/a/16761459
def __init__(self): def __init__(self):
if not md5:
raise errors.AnsibleError('md5 hash is unavailable (Could be due to FIPS mode). Legacy VaultAES format is unavailable.')
if not HAS_AES: if not HAS_AES:
raise errors.AnsibleError(CRYPTO_UPGRADE) raise errors.AnsibleError(CRYPTO_UPGRADE)

Loading…
Cancel
Save