From 0e38f5dfdce83d839e63f40880ffd24aaa4ef1bc Mon Sep 17 00:00:00 2001
From: James Tanner <tanner.jc@gmail.com>
Date: Wed, 12 Mar 2014 09:38:20 -0400
Subject: [PATCH] Check for hash availability during vault operations

---
 lib/ansible/utils/vault.py | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/lib/ansible/utils/vault.py b/lib/ansible/utils/vault.py
index 6a714fcc85d..62b082a9af4 100644
--- a/lib/ansible/utils/vault.py
+++ b/lib/ansible/utils/vault.py
@@ -182,7 +182,7 @@ class VaultEditor(object):
     def create_file(self):
         """ create a new encrypted file """
 
-        if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
+        if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
             raise errors.AnsibleError(CRYPTO_UPGRADE)
 
         if os.path.isfile(self.filename):
@@ -199,7 +199,7 @@ class VaultEditor(object):
 
     def decrypt_file(self):
 
-        if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
+        if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
             raise errors.AnsibleError(CRYPTO_UPGRADE)
 
         if not os.path.isfile(self.filename):
@@ -215,7 +215,7 @@ class VaultEditor(object):
 
     def edit_file(self):
 
-        if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
+        if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
             raise errors.AnsibleError(CRYPTO_UPGRADE)
 
         # decrypt to tmpfile
@@ -245,7 +245,7 @@ class VaultEditor(object):
 
     def encrypt_file(self):
 
-        if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
+        if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
             raise errors.AnsibleError(CRYPTO_UPGRADE)
 
         if not os.path.isfile(self.filename):
@@ -262,7 +262,7 @@ class VaultEditor(object):
 
     def rekey_file(self, new_password):
 
-        if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2:
+        if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
             raise errors.AnsibleError(CRYPTO_UPGRADE)
 
         # decrypt 
@@ -420,6 +420,11 @@ class VaultAES256(object):
 
     # http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html
 
+    def __init__(self):
+
+        if not HAS_PBKDF2 or not HAS_COUNTER or not HAS_HASH:
+            raise errors.AnsibleError(CRYPTO_UPGRADE)
+
     def gen_key_initctr(self, password, salt):
         # 16 for AES 128, 32 for AES256
         keylength = 32
@@ -432,8 +437,6 @@ class VaultAES256(object):
         # make two keys and one iv
         pbkdf2_prf = lambda p, s: HMAC.new(p, s, hash_function).digest()
 
-        if not HAS_PBKDF2:
-            raise errors.AnsibleError(CRYPTO_UPGRADE)
 
         derivedkey = PBKDF2(password, salt, dkLen=(2 * keylength) + ivlength, 
                             count=10000, prf=pbkdf2_prf)
@@ -460,8 +463,6 @@ class VaultAES256(object):
         # 1) nbits (integer) - Length of the counter, in bits.
         # 2) initial_value (integer) - initial value of the counter. "iv" from gen_key_initctr
 
-        if not HAS_COUNTER:
-            raise errors.AnsibleError(CRYPTO_UPGRADE)
         ctr = Counter.new(128, initial_value=long(iv, 16))
 
         # AES.new PARAMETERS
@@ -497,8 +498,6 @@ class VaultAES256(object):
             return None
 
         # SET THE COUNTER AND THE CIPHER
-        if not HAS_COUNTER:
-            raise errors.AnsibleError(CRYPTO_UPGRADE)
         ctr = Counter.new(128, initial_value=long(iv, 16))
         cipher = AES.new(key1, AES.MODE_CTR, counter=ctr)