From 159887a6c94bd0f150e8db8a5784a88e373eab3b Mon Sep 17 00:00:00 2001 From: Abhijit Menon-Sen Date: Thu, 27 Aug 2015 16:17:13 +0530 Subject: [PATCH 1/2] Remove deprecated and unused VaultAES encryption code Now that VaultLib always decides to use AES256 to encrypt, we don't need this broken code any more. We need to be able to decrypt this format for a while longer, but encryption support can be safely dropped. --- lib/ansible/parsing/vault/__init__.py | 34 +-------------------------- 1 file changed, 1 insertion(+), 33 deletions(-) diff --git a/lib/ansible/parsing/vault/__init__.py b/lib/ansible/parsing/vault/__init__.py index c9d4372e7b5..631e436afaf 100644 --- a/lib/ansible/parsing/vault/__init__.py +++ b/lib/ansible/parsing/vault/__init__.py @@ -465,39 +465,7 @@ class VaultAES: """ Read plaintext data from in_file and write encrypted to out_file """ - # combine sha + data - this_sha = to_bytes(sha256(data).hexdigest()) - tmp_data = this_sha + b"\n" + data - - in_file = BytesIO(tmp_data) - in_file.seek(0) - out_file = BytesIO() - - bs = AES.block_size - - # Get a block of random data. EL does not have Crypto.Random.new() - # so os.urandom is used for cross platform purposes - salt = os.urandom(bs - len(b'Salted__')) - - key, iv = self.aes_derive_key_and_iv(password, salt, key_length, bs) - cipher = AES.new(key, AES.MODE_CBC, iv) - full = to_bytes(b'Salted__' + salt) - out_file.write(full) - finished = False - while not finished: - chunk = in_file.read(1024 * bs) - if len(chunk) == 0 or len(chunk) % bs != 0: - padding_length = (bs - len(chunk) % bs) or bs - chunk += to_bytes(padding_length * chr(padding_length), errors='strict', encoding='ascii') - finished = True - out_file.write(cipher.encrypt(chunk)) - - out_file.seek(0) - enc_data = out_file.read() - tmp_data = hexlify(enc_data) - - return tmp_data - + raise AnsibleError("Encryption disabled for deprecated VaultAES class") def decrypt(self, data, password, key_length=32): From 4f3a98eff6528f0247d3a67c7f239e519828285a Mon Sep 17 00:00:00 2001 From: Abhijit Menon-Sen Date: Thu, 27 Aug 2015 18:36:05 +0530 Subject: [PATCH 2/2] Update Vault tests to make sure AES decryption works Note that this test was broken in devel because it was really just duplicating the AES256 test because setting v.cipher_name to 'AES' no longer selected AES after it was de-write-whitelisted. Now that we've removed the VaultAES encryption code, we embed static output from an earlier version and test that we can decrypt it. --- test/units/parsing/vault/test_vault.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/test/units/parsing/vault/test_vault.py b/test/units/parsing/vault/test_vault.py index b627158c79d..ac5a500173e 100644 --- a/test/units/parsing/vault/test_vault.py +++ b/test/units/parsing/vault/test_vault.py @@ -104,9 +104,10 @@ class TestVaultLib(unittest.TestCase): raise SkipTest v = VaultLib('ansible') v.cipher_name = u'AES' - enc_data = v.encrypt("foobar") + # AES encryption code has been removed, so this is old output for + # AES-encrypted 'foobar' with password 'ansible'. + enc_data = '$ANSIBLE_VAULT;1.1;AES\n53616c7465645f5fc107ce1ef4d7b455e038a13b053225776458052f8f8f332d554809d3f150bfa3\nfe3db930508b65e0ff5947e4386b79af8ab094017629590ef6ba486814cf70f8e4ab0ed0c7d2587e\n786a5a15efeb787e1958cbdd480d076c\n' dec_data = v.decrypt(enc_data) - assert enc_data != "foobar", "encryption failed" assert dec_data == "foobar", "decryption failed" def test_encrypt_decrypt_aes256(self):