From ca57871954fd3a0d79321d1c9b4abf1c51249b8d Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Tue, 18 Feb 2020 09:43:22 +0100
Subject: [PATCH] openssl_* modules: prevent crash on fingerprint determination in FIPS mode (#67515)
* openssl_* modules: prevent crash on fingerprint determination in FIPS mode.
* Add changelog.
---
 changelogs/fragments/67515-openssl-fingerprint-fips.yml | 2 ++
 lib/ansible/module_utils/crypto.py | 7 ++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/67515-openssl-fingerprint-fips.yml
diff --git a/changelogs/fragments/67515-openssl-fingerprint-fips.yml b/changelogs/fragments/67515-openssl-fingerprint-fips.yml
new file mode 100644
index 00000000000..18738d1f687
--- /dev/null
+++ b/changelogs/fragments/67515-openssl-fingerprint-fips.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- "openssl_* modules - prevent crash on fingerprint determination in FIPS mode (https://github.com/ansible/ansible/issues/67213)."
diff --git a/lib/ansible/module_utils/crypto.py b/lib/ansible/module_utils/crypto.py
index 8217eb80457..8eebeeb3ecf 100644
--- a/lib/ansible/module_utils/crypto.py
+++ b/lib/ansible/module_utils/crypto.py
@@ -155,7 +155,12 @@ def get_fingerprint_of_bytes(source):
 for algo in algorithms:
 f = getattr(hashlib, algo)
- h = f(source)
+ try:
+ h = f(source)
+ except ValueError:
+ # This can happen for hash algorithms not supported in FIPS mode
+ # (https://github.com/ansible/ansible/issues/67213)
+ continue
 try:
 # Certain hash functions have a hexdigest() which expects a length parameter
 pubkey_digest = h.hexdigest()
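Review bot: The added `except ValueError: continue` in the `for algo in algorithms:` loop of `get_fingerprint_of_bytes` drops the algorithm without any trace, so the set of digests the function produces now depends on the host's crypto policy, and nothing in the hunk tells callers that. A caller that looks up a fixed digest name, or compares fingerprints computed on two hosts, should treat a missing entry as "not computed" and never as a match. That contract belongs in the function's docstring, for example `Algorithms rejected by the local crypto policy (such as MD5 in FIPS mode) are omitted from the result.` The handler also swallows every other `ValueError` the constructor may raise, not only the FIPS rejection. The function body starts and ends outside the hunk, so whether an empty result is handled cannot be checked from here.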