authorToshio Kuratomi <toshio@fedoraproject.org>2014-11-06 21:28:04 -0800
committerToshio Kuratomi <toshio@fedoraproject.org>2014-11-06 21:28:04 -0800
commitf1267c0b053e5975dc08c151530c802015902242 (patch)
treefef5d56454b91e0f87b918f40cc436f85292fec2 /lib/ansible/utils/__init__.py
parent716f3eb6d98af14dc896f4bd3b551c7c85febb6c (diff)
Move from md5 to sha1 to work on fips-140 enabled systems
Diffstat (limited to 'lib/ansible/utils/__init__.py')
-rw-r--r--lib/ansible/utils/__init__.py33
1 files changed, 27 insertions, 6 deletions
diff --git a/lib/ansible/utils/__init__.py b/lib/ansible/utils/__init__.py
index 952e8537d0..e82ae8d374 100644
--- a/lib/ansible/utils/__init__.py
+++ b/lib/ansible/utils/__init__.py
@@ -68,6 +68,14 @@ try:
except ImportError:
import simplejson as json
+# Note, sha1 is the only hash algorithm compatible with python2.4 and with
+# FIPS-140 mode (as of 11-2014)
+try:
+ from hashlib import sha1 as sha1
+except ImportError:
+ from sha import sha as sha1
+
+# Backwards compat only
try:
from hashlib import md5 as _md5
except ImportError:
@@ -821,22 +829,22 @@ def merge_hash(a, b):
return result
-def md5s(data):
- ''' Return MD5 hex digest of data. '''
+def secure_hash_s(data, hash_func=sha1):
+ ''' Return a secure hash hex digest of data. '''
- digest = _md5()
+ digest = hash_func()
try:
digest.update(data)
except UnicodeEncodeError:
digest.update(data.encode('utf-8'))
return digest.hexdigest()
-def md5(filename):
- ''' Return MD5 hex digest of local file, None if file is not present or a directory. '''
+def secure_hash(filename, hash_func=sha1):
+ ''' Return a secure hash hex digest of local file, None if file is not present or a directory. '''
if not os.path.exists(filename) or os.path.isdir(filename):
return None
- digest = _md5()
+ digest = hash_func()
blocksize = 64 * 1024
try:
infile = open(filename, 'rb')
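Review bot: The new docstrings on `secure_hash_s` and `secure_hash` promise "a secure hash" without naming the algorithm, while the default `hash_func=sha1` is SHA-1, whose collision resistance is considered weak. These digests look like file and data checksums for change detection, so the docstring should say so rather than imply resistance to deliberate tampering, for example `''' Return the hex digest of data using hash_func (SHA-1 by default); for change detection, not protection against crafted collisions. '''`. The `hash_func` parameter is also undocumented; a sentence stating that it must be a zero-argument constructor returning an object with `update()` and `hexdigest()` would cover it. The body of `secure_hash` continues past the end of this hunk.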
@@ -849,6 +857,19 @@ def md5(filename):
raise errors.AnsibleError("error while accessing the file %s, error was: %s" % (filename, e))
return digest.hexdigest()
+# The checksum algorithm must match with the algorithm in ShellModule.checksum() method
+checksum = secure_hash
+checksum_s = secure_hash_s
+
+# Backwards compat. Some modules include md5s in their return values
+# Continue to support that for now. As of ansible-1.8, all of those modules
+# should also return "checksum" (sha1 for now)
+def md5s(data):
+ return secure_hash_s(data, _md5)
+
+def md5(filename):
+ return secure_hash(filename, _md5)
+
def default(value, function):
''' syntactic sugar around lazy evaluation of defaults '''
if value is None:
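Review bot: The retained `md5s()` and `md5()` wrappers still pass `_md5` into the hashing helpers, and on a FIPS-enabled host constructing an MD5 digest typically raises `ValueError`, so any module that keeps calling them would still fail on the systems this commit targets. In `secure_hash` the `digest = hash_func()` call sits before the `try`, so as far as the visible lines show nothing turns that failure into an `AnsibleError`. At minimum the comment above the wrappers should state this, e.g. `# md5 is rejected in FIPS mode; callers must use checksum()/checksum_s() there`. The wrappers should also get one-line docstrings marking them as deprecated in favour of `checksum`. The note that the algorithm must match `ShellModule.checksum()` describes a cross-file invariant that a test would protect better than a comment alone.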