Ideally, all hashes that the native OpenSSL supports would be available. Also, I'd like to reiterate the speed of a direct file content comparison in most cases against a hash comparison unless the hashes are pre-computed.

For a sourced file, the checksum makes sense so long as the checksum is sent from the server to the client. In the case of a templated file, you have the contents of both files at hand, so just compare the contents; it's likely to be astronomically faster than computing the hashes. This can also circumvent the checksum audit since, if the file contents are the same, the checksums are the same and that logic can be avoided.

Trevor

On Tue, Nov 1, 2011 at 3:16 PM, <[email protected]> wrote:
> Issue #9617 has been updated by Dump Dump.
>
> Thanks for looking at this issue :)
>
> I would like to point out that, while checking the file size is certainly
> better, it's not as much of a protection as one might think:
>
> It all depends on the file to attack. If it's a binary, it might be slightly
> complicated. If it's a config file, most contain a lot of comments and
> useless config options which can be wiped and replaced by the padding, to
> keep the same file size.
>
> Generally, multi-hash is the safest bet (but also the slowest, which can be
> an issue). File size + stronger hash (as in SHA2 or similar) would actually
> be a good compromise.
>
> ________________________________
>
> Bug #9617: Puppet uses insecure file checksums
>
> Author: Dump Dump
> Status: Accepted
> Priority: Normal
> Assignee: Nigel Kersten
> Category: file
> Target version:
> Affected Puppet version:
> Keywords: md5 checksum security
> Branch:
>
> Puppet uses MD5 for file checksums.
>
> It is possible for an attacker to modify a file's contents to its liking,
> while padding, for example, with a large comment, for the MD5 to match the
> original checksum. While an administrator would suspect that after an
> attack, Puppet would replace all the files it's told to fix, it won't.
>
> While Puppet should not be used as a security device, it touches security.
> In a proper environment where attackers are sandboxed and cannot touch
> puppet, but can touch other files, it makes sense for puppet to be able to
> create secure checksums. Likewise, in an environment where you need to
> quickly fix a file to close a security hole, but you know some systems are
> compromised, this helps as you can't expect a reinstall of hundreds or
> thousands of systems overnight.
>
> The proposal is to add SHA512 as a checksum option. See patch for a sample
> (it's missing tests, etc.)
>
> An additional option can be to perform both md5 and sha (and/or others)
> checksums.
>
> ________________________________
>
> You have received this notification because you have either subscribed to
> it, or are involved in it. To change your notification preferences, please
> click here: http://projects.puppetlabs.com/my/account
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Bugs" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/puppet-bugs?hl=en.
>

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
[email protected]

-- This account not approved for unencrypted proprietary information --
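The two comparison paths discussed in the thread (byte-for-byte comparison for a templated file whose desired content is in hand, and an OpenSSL-backed digest with a selectable algorithm for a sourced file), as an added Ruby example that is not Puppet's code or part of the proposed patch. The function names, the `with_file` helper and the sample config (with a same-size edit) are constructed for this illustration.

```ruby
require 'openssl'
require 'tempfile'

# Constructed sample: a managed config and a same-size edit of it. One comment
# byte is trimmed to pay for the longer directive (the report's "padding"), so
# a size check alone sees no change.
SAMPLE_CONFIG   = "# managed by puppet\nPermitRootLogin no\n"
TAMPERED_CONFIG = "# managed by pupet\nPermitRootLogin yes\n"

# Templated file: the desired bytes are in hand, so compare them directly.
# The size check only short-circuits the read; it is not the test.
def content_in_sync?(path, desired)
  return false unless File.file?(path)
  return false unless File.size(path) == desired.bytesize
  File.binread(path) == desired
end

# Sourced file: only a digest travels from server to client, so hash the local
# copy. The name is resolved through OpenSSL, so whatever the native library
# offers (sha256, sha512, ...) is selectable, and an unknown name raises rather
# than silently falling back to something weaker.
def file_checksum(path, algorithm = 'sha512')
  digest = OpenSSL::Digest.new(algorithm)
  File.open(path, 'rb') { |f| digest << f.read(65_536) until f.eof? }
  digest.hexdigest
end

def checksum_in_sync?(path, expected_hex, algorithm = 'sha512')
  return false unless File.file?(path)
  file_checksum(path, algorithm) == expected_hex.downcase
end

# Writes content to a throwaway file and yields its path.
def with_file(content)
  Tempfile.create('managed') do |f|
    f.binmode
    f.write(content)
    f.flush
    yield f.path
  end
end

if __FILE__ == $PROGRAM_NAME
  expected = OpenSSL::Digest::SHA512.hexdigest(SAMPLE_CONFIG)
  with_file(TAMPERED_CONFIG) do |path|
    puts "size matches:    #{File.size(path) == SAMPLE_CONFIG.bytesize}"  # true
    puts "content in sync: #{content_in_sync?(path, SAMPLE_CONFIG)}"      # false
    puts "sha512 in sync:  #{checksum_in_sync?(path, expected)}"           # false
  end
end
```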
