www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

make it possible for proxy to use CRL callback

Browse Source 
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94336 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Doug MacEachern
2002-03-30 06:36:56 +00:00
parent 51bbfbacd5
commit 97b59112b8
2 changed files with 9 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
modules/ssl/mod_ssl.h
View File

@@ -628,7 +628,7 @@ int ssl_hook_Handler(request_rec *);
RSA *ssl_callback_TmpRSA(SSL *, int, int);
DH *ssl_callback_TmpDH(SSL *, int, int);
int ssl_callback_SSLVerify(int, X509_STORE_CTX *);
int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, server_rec *);
int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);

13
modules/ssl/ssl_engine_kernel.c
View File

@@ -1320,7 +1320,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
* Additionally perform CRL-based revocation checks
*/
if (ok) {
if (!(ok = ssl_callback_SSLVerify_CRL(ok, ctx, s))) {
if (!(ok = ssl_callback_SSLVerify_CRL(ok, ctx, conn))) {
errnum = X509_STORE_CTX_get_error(ctx);
}
}
@@ -1366,9 +1366,12 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
return ok;
}
int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, server_rec *s)
int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
{
server_rec *s = c->base_server;
SSLSrvConfigRec *sc = mySrvConfig(s);
SSLConnRec *sslconn = myConnConfig(c);
modssl_ctx_t *mctx = myCtxConfig(sslconn);
X509_OBJECT obj;
X509_NAME *subject, *issuer;
X509 *cert;
@@ -1379,7 +1382,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, server_rec *s)
* Unless a revocation store for CRLs was created we
* cannot do any CRL-based verification, of course.
*/
if (!sc->server->crl) {
if (!mctx->crl) {
return ok;
}
@@ -1426,7 +1429,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, server_rec *s)
* the current certificate in order to verify it's integrity.
*/
memset((char *)&obj, 0, sizeof(obj));
rc = SSL_X509_STORE_lookup(sc->server->crl,
rc = SSL_X509_STORE_lookup(mctx->crl,
X509_LU_CRL, subject, &obj);
crl = obj.data.crl;
@@ -1503,7 +1506,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, server_rec *s)
* the current certificate in order to check for revocation.
*/
memset((char *)&obj, 0, sizeof(obj));
rc = SSL_X509_STORE_lookup(sc->server->crl,
rc = SSL_X509_STORE_lookup(mctx->crl,
X509_LU_CRL, issuer, &obj);
crl = obj.data.crl;