When run in FIPS mode, allow vault to fail only when using legacy format
This commit is contained in:
parent
4ae2d58d72
commit
25607e5cf4
1 changed files with 12 additions and 1 deletions
|
@ -26,9 +26,18 @@ from io import BytesIO
|
||||||
from subprocess import call
|
from subprocess import call
|
||||||
from ansible import errors
|
from ansible import errors
|
||||||
from hashlib import sha256
|
from hashlib import sha256
|
||||||
|
|
||||||
# Note: Only used for loading obsolete VaultAES files. All files are written
|
# Note: Only used for loading obsolete VaultAES files. All files are written
|
||||||
# using the newer VaultAES256 which does not require md5
|
# using the newer VaultAES256 which does not require md5
|
||||||
from hashlib import md5
|
try:
|
||||||
|
from hashlib import md5
|
||||||
|
except ImportError:
|
||||||
|
try:
|
||||||
|
from md5 import md5
|
||||||
|
except ImportError:
|
||||||
|
# MD5 unavailable. Possibly FIPS mode
|
||||||
|
md5 = None
|
||||||
|
|
||||||
from binascii import hexlify
|
from binascii import hexlify
|
||||||
from binascii import unhexlify
|
from binascii import unhexlify
|
||||||
from ansible import constants as C
|
from ansible import constants as C
|
||||||
|
@ -358,6 +367,8 @@ class VaultAES(object):
|
||||||
# http://stackoverflow.com/a/16761459
|
# http://stackoverflow.com/a/16761459
|
||||||
|
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
|
if not md5:
|
||||||
|
raise errors.AnsibleError('md5 hash is unavailable (Could be due to FIPS mode). Legacy VaultAES format is unavailable.')
|
||||||
if not HAS_AES:
|
if not HAS_AES:
|
||||||
raise errors.AnsibleError(CRYPTO_UPGRADE)
|
raise errors.AnsibleError(CRYPTO_UPGRADE)
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue