Move from md5 to sha1 to work on FIPS-140 enabled systems

lib/ansible/modules/files/assemble.py

@@ -153,8 +153,9 @@ def main():
     )
 
     changed   = False
-    pathmd5   = None
-    destmd5   = None
+    path_md5    = None   # Deprecated
+    path_hash   = None
+    dest_hash   = None
     src       = os.path.expanduser(module.params['src'])
     dest      = os.path.expanduser(module.params['dest'])
     backup    = module.params['backup']
@@ -175,23 +176,29 @@ def main():
             module.fail_json(msg="Invalid Regexp (%s) in \"%s\"" % (e, regexp))
 
     path = assemble_from_fragments(src, delimiter, compiled_regexp)
-    pathmd5 = module.md5(path)
+    path_hash = module.sha1(path)
 
     if os.path.exists(dest):
-        destmd5 = module.md5(dest)
+        dest_hash = module.sha1(dest)
 
-    if pathmd5 != destmd5:
-        if backup and destmd5 is not None:
+    if path_hash != dest_hash:
+        if backup and dest_hash is not None:
             module.backup_local(dest)
         shutil.copy(path, dest)
         changed = True
 
+    # Backwards compat.  This won't return data if FIPS mode is active
+    try:
+        pathmd5 = module.md5(path)
+    except ValueError:
+        pathmd5 = None
+
     os.remove(path)
 
     file_args = module.load_file_common_arguments(module.params)
     changed = module.set_fs_attributes_if_different(file_args, changed)
     # Mission complete
-    module.exit_json(src=src, dest=dest, md5sum=pathmd5, changed=changed, msg="OK")
+    module.exit_json(src=src, dest=dest, md5sum=pathmd5, checksum=path_hash, changed=changed, msg="OK")
 
 # import module snippets
 from ansible.module_utils.basic import *

lib/ansible/modules/files/copy.py

@@ -167,8 +167,13 @@ def main():
     if not os.access(src, os.R_OK):
         module.fail_json(msg="Source %s not readable" % (src))
 
-    md5sum_src = module.md5(src)
-    md5sum_dest = None
+    checksum_src = module.sha1(src)
+    checksum_dest = None
+    # Backwards compat only.  This will be None in FIPS mode
+    try:
+        md5sum_src = module.md5(src)
+    except ValueError:
+        md5sum_src = None
 
     changed = False
 
@@ -198,7 +203,7 @@ def main():
                 basename = original_basename
             dest = os.path.join(dest, basename)
         if os.access(dest, os.R_OK):
-            md5sum_dest = module.md5(dest)
+            checksum_dest = module.sha1(dest)
     else:
         if not os.path.exists(os.path.dirname(dest)):
             try:
@@ -215,7 +220,7 @@ def main():
         module.fail_json(msg="Destination %s not writable" % (os.path.dirname(dest)))
 
     backup_file = None
-    if md5sum_src != md5sum_dest or os.path.islink(dest):
+    if checksum_src != checksum_dest or os.path.islink(dest):
         try:
             if backup:
                 if os.path.exists(dest):
@@ -238,7 +243,7 @@ def main():
         changed = False
 
     res_args = dict(
-        dest = dest, src = src, md5sum = md5sum_src, changed = changed
+        dest = dest, src = src, md5sum = md5sum_src, checksum = checksum_src, changed = changed
     )
     if backup_file:
         res_args['backup_file'] = backup_file

lib/ansible/modules/files/fetch.py

@@ -34,13 +34,14 @@ options:
     required: false
     choices: [ "yes", "no" ]
     default: "no"
-  validate_md5:
+  validate_checksum:
     version_added: "1.4"
     description:
-      - Verify that the source and destination md5sums match after the files are fetched.
+      - Verify that the source and destination checksums match after the files are fetched.
     required: false
     choices: [ "yes", "no" ]
     default: "yes"
+    aliases: [ "validate_md5" ]
   flat:
     version_added: "1.2"
     description:

lib/ansible/modules/files/stat.py

@@ -36,10 +36,17 @@ options:
     aliases: []
   get_md5:
     description:
-      - Whether to return the md5 sum of the file
+      - Whether to return the md5 sum of the file.  Will return None if we're unable to use md5 (Common for FIPS-140 compliant systems)
     required: false
     default: yes
     aliases: []
+  get_checksum:
+    description:
+      - Whether to return a checksum of the file (currently sha1)
+    required: false
+    default: yes
+    aliases: []
+    version_added: "1.8"
 author: Bruce Pennypacker
 '''
 
@@ -73,7 +80,8 @@ def main():
         argument_spec = dict(
             path = dict(required=True),
             follow = dict(default='no', type='bool'),
-            get_md5 = dict(default='yes', type='bool')
+            get_md5 = dict(default='yes', type='bool'),
+            get_checksum = dict(default='yes', type='bool')
         ),
         supports_check_mode = True
     )
@@ -82,6 +90,7 @@ def main():
     path = os.path.expanduser(path)
     follow = module.params.get('follow')
     get_md5 = module.params.get('get_md5')
+    get_checksum = module.params.get('get_checksum')
 
     try:
         if follow:
@@ -135,7 +144,14 @@ def main():
         d['lnk_source'] = os.path.realpath(path)
 
     if S_ISREG(mode) and get_md5 and os.access(path,os.R_OK):
-        d['md5']       = module.md5(path)
+        # Will fail on FIPS-140 compliant systems
+        try:
+            d['md5']       = module.md5(path)
+        except ValueError:
+            d['md5']       = None
+
+    if S_ISREG(mode) and get_checksum and os.access(path,os.R_OK):
+        d['checksum']       = module.sha1(path)
 
 
     try: