community.general/lib/ansible/parsing
Vilmos Nebehaj 58cccce384 Use PBKDF2HMAC() from cryptography for vault keys.
When stretching the key for vault files, use PBKDF2HMAC() from the
cryptography package instead of pycrypto. This will speed up the opening
of vault files by ~10x.

The problem is here in lib/ansible/utils/vault.py:

    hash_function = SHA256

    # make two keys and one iv
    pbkdf2_prf = lambda p, s: HMAC.new(p, s, hash_function).digest()

    derivedkey = PBKDF2(password, salt, dkLen=(2 * keylength) + ivlength,
                        count=10000, prf=pbkdf2_prf)

`PBKDF2()` calls a Python callback function (`pbkdf2_prf()`) 10000 times.
If one has several vault files, this will cause excessive start times
with `ansible` or `ansible-playbook` (we experience ~15 second startup
times).

Testing the original implementation in 1.9.2 with a vault file:

    In [2]: %timeit v.decrypt(encrypted_data)
    1 loops, best of 3: 265 ms per loop

Having a recent OpenSSL version and using the vault.py changes in this commit:

    In [2]: %timeit v.decrypt(encrypted_data)
    10 loops, best of 3: 23.2 ms per loop
2015-07-28 14:51:36 +02:00
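
An added example, not part of the commit or of Ansible's code: the same PBKDF2-HMAC-SHA256 derivation run once with a per-round Python PRF callback, as in the snippet in the commit message, and once as a single native call. It uses `hashlib.pbkdf2_hmac` from the standard library in place of `PBKDF2HMAC()` from cryptography; the key and IV sizes, the split order and the sample password and salt are assumptions.

```python
import hashlib
import hmac
import struct
import time

# Assumed sizes (not stated on the page): two 32-byte keys and a 16-byte IV.
KEYLENGTH = 32
IVLENGTH = 16
COUNT = 10000  # iteration count from the snippet in the commit message


def pbkdf2_callback(password, salt, dklen, count):
    """PBKDF2-HMAC-SHA256 (RFC 2898) with the PRF invoked from Python each round."""
    prf = lambda p, s: hmac.new(p, s, hashlib.sha256).digest()
    out, block = b"", 1
    while len(out) < dklen:
        u = prf(password, salt + struct.pack(">I", block))  # U_1
        t = int.from_bytes(u, "big")
        for _ in range(count - 1):  # U_2 .. U_count, XORed together
            u = prf(password, u)
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(32, "big")
        block += 1
    return out[:dklen]


def pbkdf2_native(password, salt, dklen, count):
    """Same derivation, with the whole iteration loop executed in C by OpenSSL."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, count, dklen)


def split_keys(derived):
    """Cut the stretched output into two keys and one IV (order is an assumption)."""
    key1 = derived[:KEYLENGTH]
    key2 = derived[KEYLENGTH:2 * KEYLENGTH]
    iv = derived[2 * KEYLENGTH:2 * KEYLENGTH + IVLENGTH]
    return key1, key2, iv


def timed(fn, *args):
    start = time.perf_counter()
    return fn(*args), time.perf_counter() - start


if __name__ == "__main__":
    pw, salt = b"constructed-password", b"constructed-salt"  # constructed inputs
    dklen = 2 * KEYLENGTH + IVLENGTH
    slow, t_slow = timed(pbkdf2_callback, pw, salt, dklen, COUNT)
    fast, t_fast = timed(pbkdf2_native, pw, salt, dklen, COUNT)
    print("identical:", slow == fast, "callback %.3fs native %.3fs" % (t_slow, t_fast))
```

Both paths produce the same bytes, so existing vault files stay readable; only the cost of the 10000 rounds changes.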
..
utils Making the switch to v2 2015-05-03 21:47:26 -05:00
vault Use PBKDF2HMAC() from cryptography for vault keys. 2015-07-28 14:51:36 +02:00
yaml Fixing some small bugs related to integration tests (v2) 2015-06-01 16:42:10 -05:00
__init__.py fixed file lookup pathing in dwim functions, now does specific paths and priorities and is commented 2015-07-22 20:58:24 -04:00
mod_args.py Allowing args: "{{some_var}}" for task params again 2015-07-24 10:33:12 -04:00
splitter.py Remove octal escapes from unicode escape handling 2015-07-25 16:30:11 -04:00