certs: Add ability to preload revocation certs

[sfrench/cifs-2.6.git] / certs / blacklist.c

diff --git a/certs/blacklist.c b/certs/blacklist.c
index 2b8644123d5fd58cdbffad1645207bea414426a6..c9a435b15af40679513d596ad845e31359a7c4df 100644 (file)
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -17,9 +17,15 @@
 #include <linux/uidgid.h>
 #include <keys/system_keyring.h>
 #include "blacklist.h"
+#include "common.h"
 
 static struct key *blacklist_keyring;
 
+#ifdef CONFIG_SYSTEM_REVOCATION_LIST
+extern __initconst const u8 revocation_certificate_list[];
+extern __initconst const unsigned long revocation_certificate_list_size;
+#endif
+
 /*
  * The description must be a type prefix, a colon and then an even number of
  * hex digits.  The hash is kept in the description.
@@ -220,3 +226,18 @@ static int __init blacklist_init(void)
  * Must be initialised before we try and load the keys into the keyring.
  */
 device_initcall(blacklist_init);
+
+#ifdef CONFIG_SYSTEM_REVOCATION_LIST
+/*
+ * Load the compiled-in list of revocation X.509 certificates.
+ */
+static __init int load_revocation_certificate_list(void)
+{
+       if (revocation_certificate_list_size)
+               pr_notice("Loading compiled-in revocation X.509 certificates\n");
+
+       return load_certificate_list(revocation_certificate_list, revocation_certificate_list_size,
+                                    blacklist_keyring);
+}
+late_initcall(load_revocation_certificate_list);
+#endif