# If $STR is not already on a line by itself in $FILE, insert it at the start.
# Entries are inserted at the start of the ignore list to ensure existing
# entries starting with ! are not overridden. Such entries support
-# whitelisting exceptions after a more generic blacklist pattern.
+# allowlisting exceptions after a more generic blocklist pattern.
insert_if_absent() {
file=$1
str=$2
[AS_HELP_STRING([--with-default-crl-file=FILE],
[use the given CRL file as default])])
+AC_ARG_WITH([default-blocklist-file],
+ [AS_HELP_STRING([--with-default-blocklist-file=FILE],
+ [use the given certificate blocklist file as default])])
+
AC_ARG_WITH([default-blacklist-file],
[AS_HELP_STRING([--with-default-blacklist-file=FILE],
- [use the given certificate blacklist file as default])])
+ [use --with-default-blocklist-file instead])],
+ [AC_MSG_ERROR([use --with-default-blocklist-file instead])])
if test "x$with_default_trust_store_file" != x; then
AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_FILE],
["$with_default_crl_file"], [use the given CRL file])
fi
-if test "x$with_default_blacklist_file" != x; then
- AC_DEFINE_UNQUOTED([DEFAULT_BLACKLIST_FILE],
- ["$with_default_blacklist_file"], [use the given certificate blacklist file])
+if test "x$with_default_blocklist_file" != x; then
+ AC_DEFINE_UNQUOTED([DEFAULT_BLOCKLIST_FILE],
+ ["$with_default_blocklist_file"], [use the given certificate blocklist file])
fi
dnl Guile bindings.
Trust store pkcs11: $with_default_trust_store_pkcs11
Trust store dir: $with_default_trust_store_dir
Trust store file: $with_default_trust_store_file
- Blacklist file: $with_default_blacklist_file
+ Blocklist file: $with_default_blocklist_file
CRL file: $with_default_crl_file
Configuration file: $system_config_file
DNSSEC root key file: $unbound_root_key_file
Note however, that the API ensures that the early return will not happen
if the false start requirements are not satisfied. That is, on ciphersuites which are not
-whitelisted for false start or on insufficient key sizes, the handshake
+enabled for false start or on insufficient key sizes, the handshake
process will complete properly (i.e., no early return). To verify that false start was used you
may use @funcref{gnutls_session_get_flags} and check for the @acronym{GNUTLS_SFLAGS_FALSE_START}
-flag. For GnuTLS the false start is whitelisted for the following
+flag. For GnuTLS the false start is enabled for the following
key exchange methods (see @xcite{RFC7918} for rationale)
@itemize
@item DHE
provides a more dynamic list of Root CA certificates, as opposed to a static
list in a file or directory.
-That store, allows for blacklisting of CAs or certificates, as well as
+That store, allows for distrusting of CAs or certificates, as well as
categorization of the Root CAs (Web verification, Code signing, etc.), in
addition to restricting their purpose via stapled extensions@footnote{See
the 'Restricting the scope of CA certificates' post at @url{https://nmav.gnutls.org/2016/06/restricting-scope-of-ca-certificates.html}}.
*/
if ((ret = check_g_n(data_g, _n_g, data_n, _n_n)) < 0) {
_gnutls_audit_log(session,
- "SRP group parameters are not in the white list; rejecting.\n");
+ "Unknown SRP group parameters; rejecting.\n");
return gnutls_assert_val(ret);
}
* in the specified token. This is useful in combination with
* %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED or
* %GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_DISTRUSTED,
- * to check whether a CA is present or a certificate is blacklisted in
+ * to check whether a CA is present or a certificate is distrusted in
* a trust PKCS #11 module.
*
* This function can be used with a @url of "pkcs11:", and in that case all modules
r += ret;
#endif
-#ifdef DEFAULT_BLACKLIST_FILE
- ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM);
+#ifdef DEFAULT_BLOCKLIST_FILE
+ ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLOCKLIST_FILE, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
- _gnutls_debug_log("Could not load blacklist file '%s'\n", DEFAULT_BLACKLIST_FILE);
+ _gnutls_debug_log("Could not load blocklist file '%s'\n", DEFAULT_BLOCKLIST_FILE);
}
#endif
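Review bot: A configured default blocklist that fails to load is still only reported through `_gnutls_debug_log` and otherwise ignored, so the certificates it was meant to distrust remain trusted; the rename here, and in the two equivalent `#ifdef DEFAULT_BLOCKLIST_FILE` blocks below (the CertCloseStore and CFRelease variants), preserves that fail-open behaviour. Since this block is only compiled when the packager explicitly requested a blocklist at configure time, an unreadable or missing file is a deployment error worth surfacing: log it on the audit channel at minimum, or propagate the failure with `return gnutls_assert_val(ret);` in place of the debug log if the surrounding function's return contract allows it. The enclosing function starts and ends outside the hunk, so whether its callers already treat a negative return as fatal cannot be confirmed from here.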
CertCloseStore(store, 0);
}
-#ifdef DEFAULT_BLACKLIST_FILE
- ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM);
+#ifdef DEFAULT_BLOCKLIST_FILE
+ ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLOCKLIST_FILE, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
- _gnutls_debug_log("Could not load blacklist file '%s'\n", DEFAULT_BLACKLIST_FILE);
+ _gnutls_debug_log("Could not load blocklist file '%s'\n", DEFAULT_BLOCKLIST_FILE);
}
#endif
CFRelease(certs);
}
-#ifdef DEFAULT_BLACKLIST_FILE
- ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM);
+#ifdef DEFAULT_BLOCKLIST_FILE
+ ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLOCKLIST_FILE, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
- _gnutls_debug_log("Could not load blacklist file '%s'\n", DEFAULT_BLACKLIST_FILE);
+ _gnutls_debug_log("Could not load blocklist file '%s'\n", DEFAULT_BLOCKLIST_FILE);
}
#endif
if (!list)
return;
- for (j = 0; j < list->blacklisted_size; j++) {
- gnutls_x509_crt_deinit(list->blacklisted[j]);
+ for (j = 0; j < list->distrusted_size; j++) {
+ gnutls_x509_crt_deinit(list->distrusted[j]);
}
- gnutls_free(list->blacklisted);
+ gnutls_free(list->distrusted);
for (j = 0; j < list->keep_certs_size; j++) {
gnutls_x509_crt_deinit(list->keep_certs[j]);
*
* Note that this function can accept certificates and authorities
* not yet known. In that case they will be kept in a separate
- * black list that will be used during certificate verification.
+ * block list that will be used during certificate verification.
* Unlike gnutls_x509_trust_list_add_cas() there is no deinitialization
* restriction for certificate list provided in this function.
*
}
}
- if (unlikely(INT_ADD_OVERFLOW(list->blacklisted_size, 1))) {
+ if (unlikely(INT_ADD_OVERFLOW(list->distrusted_size, 1))) {
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
}
- /* Add the CA (or plain) certificate to the black list as well.
+ /* Add the CA (or plain) certificate to the block list as well.
* This will prevent a subordinate CA from being valid, and
* ensure that a server certificate will also get rejected.
*/
- list->blacklisted =
- _gnutls_reallocarray_fast(list->blacklisted,
- list->blacklisted_size + 1,
- sizeof(list->blacklisted[0]));
- if (list->blacklisted == NULL)
+ list->distrusted =
+ _gnutls_reallocarray_fast(list->distrusted,
+ list->distrusted_size + 1,
+ sizeof(list->distrusted[0]));
+ if (list->distrusted == NULL)
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
- list->blacklisted[list->blacklisted_size] = crt_cpy(clist[i]);
- if (list->blacklisted[list->blacklisted_size] != NULL)
- list->blacklisted_size++;
+ list->distrusted[list->distrusted_size] = crt_cpy(clist[i]);
+ if (list->distrusted[list->distrusted_size] != NULL)
+ list->distrusted_size++;
}
return r;
}
static
-int check_if_in_blacklist(gnutls_x509_crt_t * cert_list, unsigned int cert_list_size,
- gnutls_x509_crt_t * blacklist, unsigned int blacklist_size)
+int check_if_in_blocklist(gnutls_x509_crt_t * cert_list, unsigned int cert_list_size,
+ gnutls_x509_crt_t * blocklist, unsigned int blocklist_size)
{
unsigned i, j;
- if (blacklist_size == 0)
+ if (blocklist_size == 0)
return 0;
for (i=0;i<cert_list_size;i++) {
- for (j=0;j<blacklist_size;j++) {
- if (gnutls_x509_crt_equals(cert_list[i], blacklist[j]) != 0) {
+ for (j=0;j<blocklist_size;j++) {
+ if (gnutls_x509_crt_equals(cert_list[i], blocklist[j]) != 0) {
return 1;
}
}
1]->raw_issuer_dn.size);
hash %= list->size;
- ret = check_if_in_blacklist(cert_list, cert_list_size,
- list->blacklisted, list->blacklisted_size);
+ ret = check_if_in_blocklist(cert_list, cert_list_size,
+ list->distrusted, list->distrusted_size);
if (ret != 0) {
*voutput = 0;
*voutput |= GNUTLS_CERT_REVOKED;
cert->raw_issuer_dn.size);
hash %= list->size;
- ret = check_if_in_blacklist(&cert, 1,
- list->blacklisted, list->blacklisted_size);
+ ret = check_if_in_blocklist(&cert, 1,
+ list->distrusted, list->distrusted_size);
if (ret != 0) {
*voutput = 0;
*voutput |= GNUTLS_CERT_REVOKED;
*/
gnutls_datum_t x509_rdn_sequence;
- gnutls_x509_crt_t *blacklisted;
- unsigned int blacklisted_size;
+ gnutls_x509_crt_t *distrusted;
+ unsigned int distrusted_size;
/* certificates that will be deallocated when this struct
* will be deinitialized */
* @type: The format of the certificates
*
* This function will remove the provided certificate authorities
- * from the trusted list, and add them into a black list when needed.
+ * from the trusted list, and add them into a block list when needed.
*
* See also gnutls_x509_trust_list_remove_cas().
*
* @type: The format of the certificates
*
* This function will remove the given certificate authorities
- * from the trusted list, and add them into a black list when needed.
+ * from the trusted list, and add them into a block list when needed.
* PKCS 11 URLs are also accepted, instead
* of files, by this function.
*
return status;
}
- /* check for blacklists */
+ /* check for blocklists */
for (i = 0; i < clist_size; i++) {
if (gnutls_pkcs11_crt_is_known (url, certificate_list[i],
GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
goto cleanup;
}
- /* check if the raw issuer is blacklisted (it can happen if
- * the issuer is both in the trusted list and the blacklisted)
+ /* check if the raw issuer is distrusted (it can happen if
+ * the issuer is both in the trusted list and the distrusted)
*/
if (gnutls_pkcs11_crt_is_known (url, issuer,
GNUTLS_PKCS11_OBJ_FLAG_PRESENT_IN_TRUSTED_MODULE|
},
{
"long-option": "mark-distrusted",
- "description": "When retrieving objects, it requires the objects to be distrusted (blacklisted)",
+ "description": "When retrieving objects, it requires the objects to be distrusted",
"detail": "Ensures that the objects retrieved have the CKA_X_TRUST flag.\nThis is p11-kit trust module extension, thus this flag is only valid with\np11-kit registered trust modules.",
"conflicts": [
"mark-trusted"
]
}
]
-}
\ No newline at end of file
+}