  1. CFEngine Community
  2. CFE-4012

Issues with hash() and hashmatch()

    Details

      Description

      This ticket details several issues related to hash() and hashmatch().

      The documentation for hash() and hashmatch() each list md5, sha1, sha256, sha384, and sha512 as being supported.

      In the source I think I see that md5, sha224, sha256, sha384, sha512, sha1, sha, best, and crypt seem to be supported in libntech.

      Issues:

      • hash() being fed an unsupported algorithm results in a fatal error while hashmatch() errors, but not fatally.
        • I don't really have an opinion on if it should be fatal or not, just that it seems like they should be aligned.
      • hashmatch() should have a better error, indicating the requested hashing type instead of a raw type which is not human readable. E.g. error: Could not determine function for file hashing (type=8) should instead be error: Could not determine function for file hashing (crypt)
      • crypt related assertion (that I can't reproduce any more, but perhaps someone can see how it may have been triggered). I was running a 3.20.0 pre-release enterprise package at the time.
      • sha224 is not listed as a supported algorithm (but works) for hashmatch()
      • sha224 causes a non-fatal error for hash()

      Test Policy
      bundle agent __main__
      {
      
        vars:
            # I created the file with the files promise and manually ran the sum utilities on it to get these hashes.
      
            "expected_digest[sha512]" string => "861844d6704e8573fec34d967e20bcfef3d424cf48be04e6dc08f2bd58c729743371015ead891cc3cf1c9d34b49264b510751b1ff9e537937bc46b5d6ff4ecc8";
            "expected_digest[sha384]" string => "bfd76c0ebbd006fee583410547c1887b0292be76d582d96c242d2a792723e3fd6fd061f9d5cfd13b8f961358e6adba4a";
            "expected_digest[sha224]" string => "4575bb4ec129df6380cedde6d71217fe0536f8ffc4e18bca530a7a1b";
            "expected_digest[sha256]" string => "7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069";
            "expected_digest[sha1]"   string => "2ef7bde608ce5404e97d5f042f95f89f1c232871";
            "expected_digest[md5]"    string => "ed076287532e86365e841e92bfc50d8c";
      
            #"expected_digest[best]"   string => "861844d6704e8573fec34d967e20bcfef3d424cf48be04e6dc08f2bd58c729743371015ead891cc3cf1c9d34b49264b510751b1ff9e537937bc46b5d6ff4ecc8";
            # error: Could not determine function for file hashing (type=7)
            # Expected that it would match that of sha512
            # Expected that error would say 'best' instead of type=7
      
            #"expected_digest[sha]"    string => "2ef7bde608ce5404e97d5f042f95f89f1c232871";
            # Could not determine function for file hashing (type=6)
            # Expected that it would match that of sha1
            # Expected that error would say 'sha' instead of (type=7)
      
            #"expected_digest[crypt]"  string => "";
            # error: Could not determine function for file hashing (type=8)
            # Expected that error would say 'crypt' instead of (type=8)
            # Furthermore, while working on this example policy I saw crypt cause an assertion
            # cf-agent: hash.c:486: HashString: Assertion `type != HASH_METHOD_CRYPT' failed.
            # But, I neglected to save the exact policy and can't seem to trigger it again. :-/
      
            "digest[sha512]" string => hash( readfile("/tmp/test.txt", "inf" ), "sha512" );
            "digest[sha384]" string => hash( readfile("/tmp/test.txt", "inf" ), "sha384" );
            "digest[sha256]" string => hash( readfile("/tmp/test.txt", "inf" ), "sha256" );
            "digest[sha1]"   string => hash( readfile("/tmp/test.txt", "inf" ), "sha1" );
            "digest[md5]"    string => hash( readfile("/tmp/test.txt", "inf" ), "md5" );
      
            # The error messages here are good, but shouldn't hash() and hashmatch() be aligned with respect to fatal or not? 
            #"digest[sha224]" string => hash( readfile("/tmp/test.txt", "inf" ), "sha224" ); # error: Fatal CFEngine error: In function 'hash', error in variable 'sha224', 'Selection is out of bounds'
            #"digest[best]"   string => hash( readfile("/tmp/test.txt", "inf" ), "best" );    # error: Fatal CFEngine error: In function 'hash', error in variable 'best', 'Selection is out of bounds'
            #"digest[sha]"    string => hash( readfile("/tmp/test.txt", "inf" ), "sha" );     # error: Fatal CFEngine error: In function 'hash', error in variable 'sha', 'Selection is out of bounds'
            #"digest[crypt]"    string => hash( readfile("/tmp/test.txt", "inf" ), "crypt" ); # error: Fatal CFEngine error: In function 'hash', error in variable 'crypt', 'Selection is out of bounds'
      
            "digests" slist => sort( getindices( expected_digest ) );
      
        classes:
            # Define a class for each hashmatch that was as expected.
            "_tmp_test_txt_$(digests)_match"
              expression => hashmatch("/tmp/test.txt",
                                      "$(digests)",
                                      "$(expected_digest[$(digests)])");
      
        files:
            # Promise the file content.
            "/tmp/test.txt"
              content => "Hello World!";
      
        reports:
      
            "Classes defined as result of expected hashmatch():$(const.n)$(const.t)$(with)"
              with => join( "$(const.n)$(const.t)", classesmatching( "_tmp_test_txt_.*" ) );
      
            "$(digests) expected $(expected_digest[$(digests)])";
            "$(digests) got  $(digest[$(digests)])";
      }
      

      Execution Output:

      R: Classes defined as result of expected hashmatch():
      	_tmp_test_txt_sha512_match
      	_tmp_test_txt_sha384_match
      	_tmp_test_txt_sha256_match
      	_tmp_test_txt_sha224_match
      	_tmp_test_txt_sha1_match
      	_tmp_test_txt_md5_match
      R: md5 expected ed076287532e86365e841e92bfc50d8c
      R: sha1 expected 2ef7bde608ce5404e97d5f042f95f89f1c232871
      R: sha224 expected 4575bb4ec129df6380cedde6d71217fe0536f8ffc4e18bca530a7a1b
      R: sha256 expected 7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069
      R: sha384 expected bfd76c0ebbd006fee583410547c1887b0292be76d582d96c242d2a792723e3fd6fd061f9d5cfd13b8f961358e6adba4a
      R: sha512 expected 861844d6704e8573fec34d967e20bcfef3d424cf48be04e6dc08f2bd58c729743371015ead891cc3cf1c9d34b49264b510751b1ff9e537937bc46b5d6ff4ecc8
      R: md5 got  ed076287532e86365e841e92bfc50d8c
      R: sha1 got  2ef7bde608ce5404e97d5f042f95f89f1c232871
      R: sha256 got  7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069
      R: sha384 got  bfd76c0ebbd006fee583410547c1887b0292be76d582d96c242d2a792723e3fd6fd061f9d5cfd13b8f961358e6adba4a
      R: sha512 got  861844d6704e8573fec34d967e20bcfef3d424cf48be04e6dc08f2bd58c729743371015ead891cc3cf1c9d34b49264b510751b1ff9e537937bc46b5d6ff4ecc8
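
      One way to produce the readable error the ticket asks for, as an added example (not CFEngine or libntech code): a single name table used both to parse algorithm names and to render a numeric type. The enum order is an assumption inferred from the algorithm list and the type=6/7/8 errors above; all identifiers are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Assumed numbering: the order the ticket lists the algorithms in, which
 * agrees with the reported errors (sha -> type=6, best -> 7, crypt -> 8). */
typedef enum {
    ALG_MD5, ALG_SHA224, ALG_SHA256, ALG_SHA384, ALG_SHA512,
    ALG_SHA1, ALG_SHA, ALG_BEST, ALG_CRYPT, ALG_COUNT
} hash_alg;

static const char *const ALG_NAMES[ALG_COUNT] = {
    "md5", "sha224", "sha256", "sha384", "sha512",
    "sha1", "sha", "best", "crypt"
};

/* Name for a numeric type; never indexes out of range. */
const char *alg_name(int type)
{
    return (type >= 0 && type < ALG_COUNT) ? ALG_NAMES[type] : "unknown";
}

/* Parse a name through the same table, so every caller accepts or rejects
 * the same set. Returns ALG_COUNT when the name is not recognised. */
hash_alg alg_from_name(const char *name)
{
    for (int i = 0; name != NULL && i < ALG_COUNT; i++) {
        if (strcmp(name, ALG_NAMES[i]) == 0) return (hash_alg) i;
    }
    return ALG_COUNT;
}

/* Render the error with the algorithm name instead of the raw number.
 * Returns the length snprintf would have written. */
int format_hash_error(char *buf, size_t size, int type)
{
    return snprintf(buf, size,
                    "Could not determine function for file hashing (%s)",
                    alg_name(type));
}

int main(void)
{
    char msg[128];
    for (int t = ALG_SHA; t <= ALG_COUNT; t++) {  /* 6, 7, 8 and one invalid */
        format_hash_error(msg, sizeof msg, t);
        printf("error: %s\n", msg);
    }
    return 0;
}
```

      Routing both the policy-function argument check and the file-hashing error path through one table like this is what keeps the accepted names and the reported names from drifting apart.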
      

              People

              Assignee: Unassigned
              Reporter: Nick Anderson