CVE-2020-25646: no_log=True missing for private key content options (#…

…125) * Mark private key content options as no_log (CVE-2020-25646.) * Mention no_log for openssl_privatekey's return_content option. * Add change PR's URL. * Plural.
ansible-collections · Oct 13, 2020 · 233d1af · 233d1af
1 parent 7d0e5e8
commit 233d1af
Show file tree

Hide file tree

Showing 8 changed files with 16 additions and 7 deletions.
diff --git a/changelogs/fragments/cve-2020-25646.yml b/changelogs/fragments/cve-2020-25646.yml
@@ -0,0 +1,7 @@
+security_fixes:
+- "openssl_csr - the option ``privatekey_content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
+- "openssl_privatekey_info - the option ``content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
+- "openssl_publickey - the option ``privatekey_content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
+- "openssl_signature - the option ``privatekey_content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
+- "x509_certificate - the options ``privatekey_content`` and ``ownca_privatekey_content`` were not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
+- "x509_crl - the option ``privatekey_content`` was not marked as ``no_log``, resulting in it being dumped into the system log by default, and returned in the registered results in the ``invocation`` field (CVE-2020-25646, https://github.com/ansible-collections/community.crypto/pull/125)."
diff --git a/plugins/modules/openssl_csr.py b/plugins/modules/openssl_csr.py
@@ -1163,7 +1163,7 @@ def main():
             state=dict(type='str', default='present', choices=['absent', 'present']),
             digest=dict(type='str', default='sha256'),
             privatekey_path=dict(type='path'),
-            privatekey_content=dict(type='str'),
+            privatekey_content=dict(type='str', no_log=True),
             privatekey_passphrase=dict(type='str', no_log=True),
             version=dict(type='int', default=1),
             force=dict(type='bool', default=False),

diff --git a/plugins/modules/openssl_privatekey.py b/plugins/modules/openssl_privatekey.py
@@ -152,6 +152,8 @@
             - If set to C(yes), will return the (current or generated) private key's content as I(privatekey).
             - Note that especially if the private key is not encrypted, you have to make sure that the returned
               value is treated appropriately and not accidentally written to logs etc.! Use with care!
+            - Use Ansible's I(no_log) task option to avoid the output being shown. See also
+              U(https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-keep-secret-data-in-my-playbook).
         type: bool
         default: no
         version_added: '1.0.0'

diff --git a/plugins/modules/openssl_privatekey_info.py b/plugins/modules/openssl_privatekey_info.py
@@ -583,7 +583,7 @@ def main():
     module = AnsibleModule(
         argument_spec=dict(
             path=dict(type='path'),
-            content=dict(type='str'),
+            content=dict(type='str', no_log=True),
             passphrase=dict(type='str', no_log=True),
             return_private_key_data=dict(type='bool', default=False),
             select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'cryptography', 'pyopenssl']),

diff --git a/plugins/modules/openssl_publickey.py b/plugins/modules/openssl_publickey.py
@@ -395,7 +395,7 @@ def main():
             force=dict(type='bool', default=False),
             path=dict(type='path', required=True),
             privatekey_path=dict(type='path'),
-            privatekey_content=dict(type='str'),
+            privatekey_content=dict(type='str', no_log=True),
             format=dict(type='str', default='PEM', choices=['OpenSSH', 'PEM']),
             privatekey_passphrase=dict(type='str', no_log=True),
             backup=dict(type='bool', default=False),

diff --git a/plugins/modules/openssl_signature.py b/plugins/modules/openssl_signature.py
@@ -259,7 +259,7 @@ def main():
     module = AnsibleModule(
         argument_spec=dict(
             privatekey_path=dict(type='path'),
-            privatekey_content=dict(type='str'),
+            privatekey_content=dict(type='str', no_log=True),
             privatekey_passphrase=dict(type='str', no_log=True),
             path=dict(type='path', required=True),
             select_crypto_backend=dict(type='str', choices=['auto', 'pyopenssl', 'cryptography'], default='auto'),

diff --git a/plugins/modules/x509_certificate.py b/plugins/modules/x509_certificate.py
@@ -2565,7 +2565,7 @@ def main():
 
             # General properties of a certificate
             privatekey_path=dict(type='path'),
-            privatekey_content=dict(type='str'),
+            privatekey_content=dict(type='str', no_log=True),
             privatekey_passphrase=dict(type='str', no_log=True),
 
             # provider: assertonly
@@ -2609,7 +2609,7 @@ def main():
             ownca_path=dict(type='path'),
             ownca_content=dict(type='str'),
             ownca_privatekey_path=dict(type='path'),
-            ownca_privatekey_content=dict(type='str'),
+            ownca_privatekey_content=dict(type='str', no_log=True),
             ownca_privatekey_passphrase=dict(type='str', no_log=True),
             ownca_digest=dict(type='str', default='sha256'),
             ownca_version=dict(type='int', default=3),

diff --git a/plugins/modules/x509_crl.py b/plugins/modules/x509_crl.py
@@ -754,7 +754,7 @@ def main():
             path=dict(type='path', required=True),
             format=dict(type='str', default='pem', choices=['pem', 'der']),
             privatekey_path=dict(type='path'),
-            privatekey_content=dict(type='str'),
+            privatekey_content=dict(type='str', no_log=True),
             privatekey_passphrase=dict(type='str', no_log=True),
             issuer=dict(type='dict'),
             last_update=dict(type='str', default='+0s'),