Check for hash availability during vault operations

2014-03-12 09:38:20 -04:00 · 2014-03-12 09:38:20 -04:00 · 0e38f5dfdc
parent e4805fe411
commit 0e38f5dfdc
1 changed files with 10 additions and 11 deletions
--- a/lib/ansible/utils/vault.py
+++ b/lib/ansible/utils/vault.py
@ -182,7 +182,7 @@ class VaultEditor(object):
    def create_file(self):
        """ create a new encrypted file """

-        if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
+        if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
            raise errors.AnsibleError(CRYPTO_UPGRADE)

        if os.path.isfile(self.filename):
@ -199,7 +199,7 @@ class VaultEditor(object):

    def decrypt_file(self):

-        if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
+        if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
            raise errors.AnsibleError(CRYPTO_UPGRADE)

        if not os.path.isfile(self.filename):
@ -215,7 +215,7 @@ class VaultEditor(object):

    def edit_file(self):

-        if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
+        if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
            raise errors.AnsibleError(CRYPTO_UPGRADE)

        # decrypt to tmpfile
@ -245,7 +245,7 @@ class VaultEditor(object):

    def encrypt_file(self):

-        if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
+        if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
            raise errors.AnsibleError(CRYPTO_UPGRADE)

        if not os.path.isfile(self.filename):
@ -262,7 +262,7 @@ class VaultEditor(object):

    def rekey_file(self, new_password):

-        if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
+        if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
            raise errors.AnsibleError(CRYPTO_UPGRADE)

        # decrypt 
@ -420,6 +420,11 @@ class VaultAES256(object):

    # http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html

+    def __init__(self):
+
+        if not HAS_PBKDF2 or not HAS_COUNTER or not HAS_HASH:
+            raise errors.AnsibleError(CRYPTO_UPGRADE)
+
    def gen_key_initctr(self, password, salt):
        # 16 for AES 128, 32 for AES256
        keylength = 32
@ -432,8 +437,6 @@ class VaultAES256(object):
        # make two keys and one iv
        pbkdf2_prf = lambda p, s: HMAC.new(p, s, hash_function).digest()

-        if not HAS_PBKDF2:
-            raise errors.AnsibleError(CRYPTO_UPGRADE)

        derivedkey = PBKDF2(password, salt, dkLen=(2 * keylength) + ivlength, 
                            count=10000, prf=pbkdf2_prf)
@ -460,8 +463,6 @@ class VaultAES256(object):
        # 1) nbits (integer) - Length of the counter, in bits.
        # 2) initial_value (integer) - initial value of the counter. "iv" from gen_key_initctr

-        if not HAS_COUNTER:
-            raise errors.AnsibleError(CRYPTO_UPGRADE)
        ctr = Counter.new(128, initial_value=long(iv, 16))

        # AES.new PARAMETERS
@ -497,8 +498,6 @@ class VaultAES256(object):
            return None

        # SET THE COUNTER AND THE CIPHER
-        if not HAS_COUNTER:
-            raise errors.AnsibleError(CRYPTO_UPGRADE)
        ctr = Counter.new(128, initial_value=long(iv, 16))
        cipher = AES.new(key1, AES.MODE_CTR, counter=ctr)