Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

openssl_privatekey_info: disable private key consistency checks by default #309

Merged
merged 2 commits into from
Oct 20, 2021
Merged

openssl_privatekey_info: disable private key consistency checks by default #309

merged 2 commits into from
Oct 20, 2021

Conversation

felixfontein
Copy link
Contributor

SUMMARY

This adds an option check_consistency to allow users to explicitly request private key consistency checks (currently supported for some key types, but not all). This is a breaking change since in < 2.0.0, these checks were always made. I think it's better to disable them by default so that key material is not unnecessarily copied into Python data structures, and no computations are done with it (which could in theory result in timing attacks).

(This also affects diff mode for openssl_privatekey and openssl_privatekey_pipe.)

ISSUE TYPE
  • Feature Pull Request
COMPONENT NAME

openssl_privatekey_info

Ajpantuso
Ajpantuso approved these changes Oct 19, 2021
View reviewed changes
Copy link
Collaborator

@Ajpantuso Ajpantuso left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, only comment is to maybe include a link in the description of check_consistency describing the theoretical risk of computing with private key material (this is the first I found that's not a scholarly article https://access.redhat.com/blogs/766093/posts/1976303). That might avoid unnecessary concerns around the breaking change.

@felixfontein
Copy link
Contributor Author

I've extended the description to mention side-channel attacks.

@felixfontein felixfontein merged commit c5df302 into ansible-collections:main Oct 20, 2021
@felixfontein felixfontein deleted the consistency branch October 20, 2021 16:28
@felixfontein
Copy link
Contributor Author

@Ajpantuso thanks for reviewing this!

@renovate renovate bot mentioned this pull request Nov 1, 2021
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Ajpantuso Ajpantuso Ajpantuso approved these changes

Assignees
No one assigned
Labels
breaking_change
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@felixfontein @Ajpantuso