Added configure option --with-default-blacklist-file
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 16 Dec 2013 12:03:24 +0000 (13:03 +0100)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 16 Dec 2013 12:03:27 +0000 (13:03 +0100)
This option allows specifying a file containing blacklisted certificates.

configure.ac
lib/system.c

index 2074e96fb363a20489fc7dab496b7039c7a101b8..87430804f3bc2f5fec8e4b0eeea823211f4b2b63 100644 (file)
@@ -499,6 +499,10 @@ AC_ARG_WITH([default-crl-file],
   [AS_HELP_STRING([--with-default-crl-file=FILE],
     [use the given CRL file as default])])
 
+AC_ARG_WITH([default-blacklist-file],
+  [AS_HELP_STRING([--with-default-blacklist-file=FILE],
+    [use the given certificate blacklist file as default])])
+
 if test "x$with_default_trust_store_file" != x; then
   AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_FILE],
     ["$with_default_trust_store_file"], [use the given file default trust store])
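Review bot: The help string added with the new AC_ARG_WITH does not say which encoding the blacklist file must use, while lib/system.c in this same commit hands the path to gnutls_x509_trust_list_remove_trust_file with GNUTLS_X509_FMT_PEM, so a DER file configured here only fails at runtime with a debug-level log. Suggest `[use the given PEM certificate blacklist file as default]` so the constraint is visible to the packager at configure time. The AC_DEFINE_UNQUOTED description in the next hunk could likewise read `[use the given PEM certificate blacklist file]`.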
@@ -509,6 +513,11 @@ if test "x$with_default_crl_file" != x; then
     ["$with_default_crl_file"], [use the given CRL file])
 fi
 
+if test "x$with_default_blacklist_file" != x; then
+  AC_DEFINE_UNQUOTED([DEFAULT_BLACKLIST_FILE],
+    ["$with_default_blacklist_file"], [use the given certificate blacklist file])
+fi
+
 dnl Guile bindings.
 opt_guile_bindings=yes
 AC_MSG_CHECKING([whether building Guile bindings])
@@ -792,6 +801,7 @@ AC_MSG_NOTICE([System files:
 
   Trust store pkcs:     $with_default_trust_store_pkcs11
   Trust store file:     $with_default_trust_store_file
+  Blacklist file:       $with_default_blacklist_file
   CRL file:             $with_default_crl_file
   DNSSEC root key file: $unbound_root_key_file
 ])
index 930333c45e3a8a1a4ab15505c2dfb3da51a45053..a5a860f46400936580e41bb69406318ff0eaa0d6 100644 (file)
@@ -385,6 +385,13 @@ add_system_trust(gnutls_x509_trust_list_t list,
                r += ret;
 #endif
 
+#ifdef DEFAULT_BLACKLIST_FILE
+       ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM);
+       if (ret < 0) {
+               _gnutls_debug_log("Could not load blacklist file '%s'\n", DEFAULT_BLACKLIST_FILE);
+       }
+#endif
+
        return r;
 }
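Review bot: A failure to apply the blacklist is fail-open here: when gnutls_x509_trust_list_remove_trust_file returns a negative value the new block only emits a debug-level log and the function still falls through to `return r`, so the caller receives a fully populated trust list with none of the blacklisted certificates removed. A blacklist that is configured at build time but unreadable at runtime is a deployment error worth surfacing, so consider propagating it, e.g. `return ret;` after the log (assuming callers treat a negative return as failure, as is usual in this codebase), or at minimum record the cause: `_gnutls_debug_log("Could not load blacklist file '%s': %s\n", DEFAULT_BLACKLIST_FILE, gnutls_strerror(ret));`. The same block is duplicated verbatim in the _WIN32 variant in the next hunk, where it is not visible that `ret` is declared in scope; a small static helper called from both variants would avoid the copy and make it harder to skip the `#elif defined(ANDROID)` variant that follows, which this commit does not appear to touch. add_system_trust's body starts outside the hunk.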
 #elif defined(_WIN32)
@@ -442,6 +449,13 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
                CertCloseStore(store, 0);
        }
 
+#ifdef DEFAULT_BLACKLIST_FILE
+       ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM);
+       if (ret < 0) {
+               _gnutls_debug_log("Could not load blacklist file '%s'\n", DEFAULT_BLACKLIST_FILE);
+       }
+#endif
+
        return r;
 }
 #elif defined(ANDROID) || defined(__ANDROID__)