nmav pushed to caml-crush (f22). "forbid C_WrapKey, and C_UnwrapKey"
notifications at fedoraproject.org
notifications at fedoraproject.org
Thu Apr 2 08:12:50 UTC 2015
>From e31accfe24d7f8f062319a453123b3a5c0da5de6 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date: Thu, 2 Apr 2015 09:38:45 +0200
Subject: forbid C_WrapKey, and C_UnwrapKey
diff --git a/filter.conf b/filter.conf
index d42e309..42e8934 100644
--- a/filter.conf
+++ b/filter.conf
@@ -61,9 +61,9 @@ allowed_ids = [("softhsm", [".*"])]
default OFF, uncomment and configure below to enable;
*)
-(*
-forbidden_functions = [("soft.*", []), ("softhsm", [])]
-*)
+(* In a softhsm key wrapping makes no sense and it can be used to recover keys
+ so it is disabled *)
+forbidden_functions = [("soft.*", [C_WrapKey, C_UnwrapKey])]
(* enforce_ro_sessions = [(a1, b1), (a2, b2) ...] is a list of couples where
'a' is a regular expression string representing module names, and 'b1',
@@ -121,7 +121,6 @@ filter_actions_post = [ (".*",
[
(******** This is optional: key usage segregation ******************************)
(* (C_Initialize, do_segregate_usage), *)
-
]
)
]
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/caml-crush.git/commit/?h=f22&id=e31accfe24d7f8f062319a453123b3a5c0da5de6
More information about the scm-commits
mailing list