CVE-2020-25646: no_log=True missing for private key content options (#125)

* Mark private key content options as no_log (CVE-2020-25646.)

* Mention no_log for openssl_privatekey's return_content option.

* Add change PR's URL.

* Plural.
pull/117/head
Felix Fontein 2020-10-13 14:14:05 +02:00 committed by GitHub
parent 7d0e5e814e
commit 233d1afc29
8 changed files with 16 additions and 7 deletions

@ -0,0 +1,7 @@
security_fixes:
- "openssl_csr - the option ``privatekey_content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
- "openssl_privatekey_info - the option ``content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
- "openssl_publickey - the option ``privatekey_content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
- "openssl_signature - the option ``privatekey_content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
- "x509_certificate - the options ``privatekey_content`` and ``ownca_privatekey_content`` were not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
- "x509_crl - the option ``privatekey_content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
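Review bot: the x509_certificate entry (fifth item) lists two options but then says "resulting in it being dumped"; change that to "resulting in them being dumped" so the sentence agrees with the plural. Separately, the documentation change to openssl_privatekey's return_content option that the commit message mentions is not reflected in this fragment; since it is user-visible, a short minor_changes entry pointing at the same PR URL would make the changelog complete.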

@ -1163,7 +1163,7 @@ def main():
state=dict(type='str', default='present', choices=['absent', 'present']), state=dict(type='str', default='present', choices=['absent', 'present']),
digest=dict(type='str', default='sha256'), digest=dict(type='str', default='sha256'),
privatekey_path=dict(type='path'), privatekey_path=dict(type='path'),
privatekey_content=dict(type='str'), privatekey_content=dict(type='str', no_log=True),
privatekey_passphrase=dict(type='str', no_log=True), privatekey_passphrase=dict(type='str', no_log=True),
version=dict(type='int', default=1), version=dict(type='int', default=1),
force=dict(type='bool', default=False), force=dict(type='bool', default=False),
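Review bot: no_log=True on privatekey_content is the right fix here, and privatekey_path is correctly left unmasked, since a filesystem path is not secret material. To keep this from regressing, consider adding an integration test alongside the change that registers the module result and asserts the key text does not appear under result.invocation.module_args (Ansible substitutes the placeholder VALUE_SPECIFIED_IN_NO_LOG_PARAMETER for no_log options there), since that invocation field is exactly where the changelog says the key was leaking.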

@ -152,6 +152,8 @@ options:
- If set to C(yes), will return the (current or generated) private key's content as I(privatekey). - If set to C(yes), will return the (current or generated) private key's content as I(privatekey).
- Note that especially if the private key is not encrypted, you have to make sure that the returned - Note that especially if the private key is not encrypted, you have to make sure that the returned
value is treated appropriately and not accidentally written to logs etc.! Use with care! value is treated appropriately and not accidentally written to logs etc.! Use with care!
- Use Ansible's I(no_log) task option to avoid the output being shown. See also
U(https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-keep-secret-data-in-my-playbook).
type: bool type: bool
default: no default: no
version_added: '1.0.0' version_added: '1.0.0'
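Review bot: the new pointer to the task-level no_log option is useful, but it should state what that option does and does not cover: it keeps the task output and the log free of the key, while the registered variable still holds the key for the rest of the play, so a later debug task or template that renders that variable exposes it anyway. One sentence to that effect would make the "Use with care!" warning above it concrete.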

@ -583,7 +583,7 @@ def main():
module = AnsibleModule( module = AnsibleModule(
argument_spec=dict( argument_spec=dict(
path=dict(type='path'), path=dict(type='path'),
content=dict(type='str'), content=dict(type='str', no_log=True),
passphrase=dict(type='str', no_log=True), passphrase=dict(type='str', no_log=True),
return_private_key_data=dict(type='bool', default=False), return_private_key_data=dict(type='bool', default=False),
select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'cryptography', 'pyopenssl']), select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'cryptography', 'pyopenssl']),
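Review bot: worth flagging that this option is named content rather than privatekey_content, so a name-based sweep for the other modules touched in this change would have missed it; a pass over the collection for str options whose value is expected to be a private key, regardless of the option name, is the safer way to confirm the fix is complete. return_private_key_data in the line below, which by its name puts private key data into the result, deserves the same documentation warning that openssl_privatekey's return_content option receives in this change.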

@ -395,7 +395,7 @@ def main():
force=dict(type='bool', default=False), force=dict(type='bool', default=False),
path=dict(type='path', required=True), path=dict(type='path', required=True),
privatekey_path=dict(type='path'), privatekey_path=dict(type='path'),
privatekey_content=dict(type='str'), privatekey_content=dict(type='str', no_log=True),
format=dict(type='str', default='PEM', choices=['OpenSSH', 'PEM']), format=dict(type='str', default='PEM', choices=['OpenSSH', 'PEM']),
privatekey_passphrase=dict(type='str', no_log=True), privatekey_passphrase=dict(type='str', no_log=True),
backup=dict(type='bool', default=False), backup=dict(type='bool', default=False),

@ -259,7 +259,7 @@ def main():
module = AnsibleModule( module = AnsibleModule(
argument_spec=dict( argument_spec=dict(
privatekey_path=dict(type='path'), privatekey_path=dict(type='path'),
privatekey_content=dict(type='str'), privatekey_content=dict(type='str', no_log=True),
privatekey_passphrase=dict(type='str', no_log=True), privatekey_passphrase=dict(type='str', no_log=True),
path=dict(type='path', required=True), path=dict(type='path', required=True),
select_crypto_backend=dict(type='str', choices=['auto', 'pyopenssl', 'cryptography'], default='auto'), select_crypto_backend=dict(type='str', choices=['auto', 'pyopenssl', 'cryptography'], default='auto'),

@ -2565,7 +2565,7 @@ def main():
# General properties of a certificate # General properties of a certificate
privatekey_path=dict(type='path'), privatekey_path=dict(type='path'),
privatekey_content=dict(type='str'), privatekey_content=dict(type='str', no_log=True),
privatekey_passphrase=dict(type='str', no_log=True), privatekey_passphrase=dict(type='str', no_log=True),
# provider: assertonly # provider: assertonly
@ -2609,7 +2609,7 @@ def main():
ownca_path=dict(type='path'), ownca_path=dict(type='path'),
ownca_content=dict(type='str'), ownca_content=dict(type='str'),
ownca_privatekey_path=dict(type='path'), ownca_privatekey_path=dict(type='path'),
ownca_privatekey_content=dict(type='str'), ownca_privatekey_content=dict(type='str', no_log=True),
ownca_privatekey_passphrase=dict(type='str', no_log=True), ownca_privatekey_passphrase=dict(type='str', no_log=True),
ownca_digest=dict(type='str', default='sha256'), ownca_digest=dict(type='str', default='sha256'),
ownca_version=dict(type='int', default=3), ownca_version=dict(type='int', default=3),
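Review bot: ownca_privatekey_content now carries no_log=True while ownca_content two lines above it is left unchanged; that split is correct, because ownca_content holds the CA certificate, which is public, but a one-line comment next to ownca_content saying it is intentionally not no_log would stop a future sweep from "fixing" it and would make this hunk self-explanatory to the next reader.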

@ -754,7 +754,7 @@ def main():
path=dict(type='path', required=True), path=dict(type='path', required=True),
format=dict(type='str', default='pem', choices=['pem', 'der']), format=dict(type='str', default='pem', choices=['pem', 'der']),
privatekey_path=dict(type='path'), privatekey_path=dict(type='path'),
privatekey_content=dict(type='str'), privatekey_content=dict(type='str', no_log=True),
privatekey_passphrase=dict(type='str', no_log=True), privatekey_passphrase=dict(type='str', no_log=True),
issuer=dict(type='dict'), issuer=dict(type='dict'),
last_update=dict(type='str', default='+0s'), last_update=dict(type='str', default='+0s'),