When run in FIPS mode, allow vault to fail only when using legacy format

25607e5c · Toshio Kuratomi · 4ae2d58d · 25607e5c
Commit 25607e5c authored Nov 17, 2014 by Toshio Kuratomi
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 1 deletions

lib/ansible/utils/vault.py
+12 -1

No files found.
--- a/lib/ansible/utils/vault.py
+++ b/lib/ansible/utils/vault.py
@@ -26,9 +26,18 @@ from io import BytesIO
 from subprocess import call
 from ansible import errors
 from hashlib import sha256
+
 # Note: Only used for loading obsolete VaultAES files.  All files are written
 # using the newer VaultAES256 which does not require md5
-from hashlib import md5
+try:
+    from hashlib import md5
+except ImportError:
+    try:
+        from md5 import md5
+    except ImportError:
+        # MD5 unavailable.  Possibly FIPS mode
+        md5 = None
+
 from binascii import hexlify
 from binascii import unhexlify
 from ansible import constants as C
@@ -358,6 +367,8 @@ class VaultAES(object):
    # http://stackoverflow.com/a/16761459

    def __init__(self):
+        if not md5:
+            raise errors.AnsibleError('md5 hash is unavailable (Could be due to FIPS mode).  Legacy VaultAES format is unavailable.')
        if not HAS_AES:
            raise errors.AnsibleError(CRYPTO_UPGRADE)