From 233d1afc296f6770e905a1785ee2f35af7605e43 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Tue, 13 Oct 2020 14:14:05 +0200
Subject: [PATCH] CVE-2020-25646: no_log=True missing for private key content options (#125)

* Mark private key content options as no_log (CVE-2020-25646.)
* Mention no_log for openssl_privatekey's return_content option.
* Add change PR's URL.
* Plural.
---
 changelogs/fragments/cve-2020-25646.yml | 7 +++++++
 plugins/modules/openssl_csr.py | 2 +-
 plugins/modules/openssl_privatekey.py | 2 ++
 plugins/modules/openssl_privatekey_info.py | 2 +-
 plugins/modules/openssl_publickey.py | 2 +-
 plugins/modules/openssl_signature.py | 2 +-
 plugins/modules/x509_certificate.py | 4 ++--
 plugins/modules/x509_crl.py | 2 +-
 8 files changed, 16 insertions(+), 7 deletions(-)
 create mode 100644 changelogs/fragments/cve-2020-25646.yml

diff --git a/changelogs/fragments/cve-2020-25646.yml b/changelogs/fragments/cve-2020-25646.yml
new file mode 100644
index 00000000..50e2a6d4
--- /dev/null
+++ b/changelogs/fragments/cve-2020-25646.yml
@@ -0,0 +1,7 @@
+security_fixes:
+- "openssl_csr - the option ``privatekey_content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
+- "openssl_privatekey_info - the option ``content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
+- "openssl_publickey - the option ``privatekey_content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
+- "openssl_signature - the option ``privatekey_content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
+- "x509_certificate - the options ``privatekey_content`` and ``ownca_privatekey_content`` were not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
+- "x509_crl - the option ``privatekey_content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
diff --git a/plugins/modules/openssl_csr.py b/plugins/modules/openssl_csr.py
index dc16b3d8..dcbc5209 100644
--- a/plugins/modules/openssl_csr.py
+++ b/plugins/modules/openssl_csr.py
@@ -1163,7 +1163,7 @@ def main():
 state=dict(type='str', default='present', choices=['absent', 'present']),
 digest=dict(type='str', default='sha256'),
 privatekey_path=dict(type='path'),
- privatekey_content=dict(type='str'),
+ privatekey_content=dict(type='str', no_log=True),
 privatekey_passphrase=dict(type='str', no_log=True),
 version=dict(type='int', default=1),
 force=dict(type='bool', default=False),
diff --git a/plugins/modules/openssl_privatekey.py b/plugins/modules/openssl_privatekey.py
index 47e3afd0..25b9eaaa 100644
--- a/plugins/modules/openssl_privatekey.py
+++ b/plugins/modules/openssl_privatekey.py
@@ -152,6 +152,8 @@ options:
 - If set to C(yes), will return the (current or generated) private key's content as I(privatekey).
 - Note that especially if the private key is not encrypted, you have to make sure that the returned value is treated appropriately and not accidentally written to logs etc.! Use with care!
+ - Use Ansible's I(no_log) task option to avoid the output being shown. See also
+ U(https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-keep-secret-data-in-my-playbook).
 type: bool
 default: no
 version_added: '1.0.0'
diff --git a/plugins/modules/openssl_privatekey_info.py b/plugins/modules/openssl_privatekey_info.py
index f59be86b..c4401c81 100644
--- a/plugins/modules/openssl_privatekey_info.py
+++ b/plugins/modules/openssl_privatekey_info.py
@@ -583,7 +583,7 @@ def main():
 module = AnsibleModule(
 argument_spec=dict(
 path=dict(type='path'),
- content=dict(type='str'),
+ content=dict(type='str', no_log=True),
 passphrase=dict(type='str', no_log=True),
 return_private_key_data=dict(type='bool', default=False),
 select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'cryptography', 'pyopenssl']),
diff --git a/plugins/modules/openssl_publickey.py b/plugins/modules/openssl_publickey.py
index b3c5568b..daa27a8f 100644
--- a/plugins/modules/openssl_publickey.py
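Review bot: Nothing in this patch keeps the missing `no_log=True` from recurring: the fix to `privatekey_content` in openssl_csr's argument_spec is a hand-edited one-liner that is repeated, identically, for `content` in openssl_privatekey_info and for `privatekey_content`/`ownca_privatekey_content` in openssl_publickey, openssl_signature, x509_certificate and x509_crl, with no test pinning any of them. A small unit test that loads each module's argument_spec and asserts `no_log` on every option accepting private key material would turn the next omission into a test failure instead of a security advisory. Note also that `no_log` only masks the option's own value in logs and in the `invocation` field; anything derived from the key and returned through other result fields is presumably not covered, which is why the task-level `no_log` the openssl_privatekey docs recommend is still needed. main() begins and ends outside the hunk.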
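Review bot: The sentence added to openssl_privatekey's `return_content` description can be read as saying a task-level I(no_log) makes the returned key safe, but I(no_log) only suppresses logging and display for that task; the registered result still holds the key, and a later task that prints the variable can still expose it. Consider appending `Note that I(no_log) does not protect the registered result itself, which still contains the key and must be handled accordingly.` after the new U(...) link. The rest of the `return_content` option block lies outside the hunk.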
+++ b/plugins/modules/openssl_publickey.py
@@ -395,7 +395,7 @@ def main():
 force=dict(type='bool', default=False),
 path=dict(type='path', required=True),
 privatekey_path=dict(type='path'),
- privatekey_content=dict(type='str'),
+ privatekey_content=dict(type='str', no_log=True),
 format=dict(type='str', default='PEM', choices=['OpenSSH', 'PEM']),
 privatekey_passphrase=dict(type='str', no_log=True),
 backup=dict(type='bool', default=False),
diff --git a/plugins/modules/openssl_signature.py b/plugins/modules/openssl_signature.py
index 5994dc8d..57bbdc5a 100644
--- a/plugins/modules/openssl_signature.py
+++ b/plugins/modules/openssl_signature.py
@@ -259,7 +259,7 @@ def main():
 module = AnsibleModule(
 argument_spec=dict(
 privatekey_path=dict(type='path'),
- privatekey_content=dict(type='str'),
+ privatekey_content=dict(type='str', no_log=True),
 privatekey_passphrase=dict(type='str', no_log=True),
 path=dict(type='path', required=True),
 select_crypto_backend=dict(type='str', choices=['auto', 'pyopenssl', 'cryptography'], default='auto'),
diff --git a/plugins/modules/x509_certificate.py b/plugins/modules/x509_certificate.py
index 950e84ce..6d82bcac 100644
--- a/plugins/modules/x509_certificate.py
+++ b/plugins/modules/x509_certificate.py
@@ -2565,7 +2565,7 @@ def main():
 
 # General properties of a certificate
 privatekey_path=dict(type='path'),
- privatekey_content=dict(type='str'),
+ privatekey_content=dict(type='str', no_log=True),
 privatekey_passphrase=dict(type='str', no_log=True),
 
 # provider: assertonly
@@ -2609,7 +2609,7 @@ def main():
 ownca_path=dict(type='path'),
 ownca_content=dict(type='str'),
 ownca_privatekey_path=dict(type='path'),
- ownca_privatekey_content=dict(type='str'),
+ ownca_privatekey_content=dict(type='str', no_log=True),
 ownca_privatekey_passphrase=dict(type='str', no_log=True),
 ownca_digest=dict(type='str', default='sha256'),
 ownca_version=dict(type='int', default=3),
diff --git a/plugins/modules/x509_crl.py b/plugins/modules/x509_crl.py
index 2e719956..54adb4fc 100644
--- a/plugins/modules/x509_crl.py
+++ b/plugins/modules/x509_crl.py
@@ -754,7 +754,7 @@ def main():
 path=dict(type='path', required=True),
 format=dict(type='str', default='pem', choices=['pem', 'der']),
 privatekey_path=dict(type='path'),
- privatekey_content=dict(type='str'),
+ privatekey_content=dict(type='str', no_log=True),
 privatekey_passphrase=dict(type='str', no_log=True),
 issuer=dict(type='dict'),
 last_update=dict(type='str', default='+0s'),