From 6f96785106cb85286ff27e3bb47faef1fb2983be Mon Sep 17 00:00:00 2001
From: Doug MacEachern
Date: Sat, 30 Mar 2002 06:36:56 +0000
Subject: [PATCH] make it possible for proxy to use CRL callback

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94336 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/mod_ssl.h | 2 +-
 modules/ssl/ssl_engine_kernel.c | 13 ++++++++-----
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
index 6146ad8351..1d2c623e8b 100644
--- a/modules/ssl/mod_ssl.h
+++ b/modules/ssl/mod_ssl.h
@@ -628,7 +628,7 @@ int ssl_hook_Handler(request_rec *);
 RSA *ssl_callback_TmpRSA(SSL *, int, int);
 DH *ssl_callback_TmpDH(SSL *, int, int);
 int ssl_callback_SSLVerify(int, X509_STORE_CTX *);
-int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, server_rec *);
+int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
 int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
 int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index f544b4ebd3..f27a491e19 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1320,7 +1320,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
 * Additionally perform CRL-based revocation checks
 */
 if (ok) {
- if (!(ok = ssl_callback_SSLVerify_CRL(ok, ctx, s))) {
+ if (!(ok = ssl_callback_SSLVerify_CRL(ok, ctx, conn))) {
 errnum = X509_STORE_CTX_get_error(ctx);
 }
 }
@@ -1366,9 +1366,12 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
 return ok;
 }
 
-int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, server_rec *s)
+int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
 {
+ server_rec *s = c->base_server;
 SSLSrvConfigRec *sc = mySrvConfig(s);
+ SSLConnRec *sslconn = myConnConfig(c);
+ modssl_ctx_t *mctx = myCtxConfig(sslconn);
 X509_OBJECT obj;
 X509_NAME *subject, *issuer;
 X509 *cert;
@@ -1379,7 +1382,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, server_rec *s)
 * Unless a revocation store for CRLs was created we
 * cannot do any CRL-based verification, of course.
 */
- if (!sc->server->crl) {
+ if (!mctx->crl) {
 return ok;
 }
 
@@ -1426,7 +1429,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, server_rec *s)
 * the current certificate in order to verify it's integrity.
 */
 memset((char *)&obj, 0, sizeof(obj));
- rc = SSL_X509_STORE_lookup(sc->server->crl,
+ rc = SSL_X509_STORE_lookup(mctx->crl,
 X509_LU_CRL, subject, &obj);
 crl = obj.data.crl;
 
@@ -1503,7 +1506,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, server_rec *s)
 * the current certificate in order to check for revocation.
 */
 memset((char *)&obj, 0, sizeof(obj));
- rc = SSL_X509_STORE_lookup(sc->server->crl,
+ rc = SSL_X509_STORE_lookup(mctx->crl,
 X509_LU_CRL, issuer, &obj);
 crl = obj.data.crl;
 
-- 
2.50.1
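Review bot: `ssl_callback_SSLVerify_CRL` carries no comment saying which CRL store it consults, and after the signature change in the `@@ -1366` hunk that is no longer obvious from the parameters: the store is reached through `myCtxConfig(sslconn)` rather than `sc->server`. I would add above the definition `/* Revocation check against the CRL store of this connection's modssl_ctx_t (see myCtxConfig), which need not be the server's. */`. The new `sslconn` local is also handed to `myCtxConfig` without a NULL test; presumably the caller guarantees a connection record, but the macro is not visible here, so that should be confirmed. The function body continues outside this hunk.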
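Review bot: The early `return ok;` in the `@@ -1379` hunk now skips revocation checking whenever the selected context has no CRL store, where the removed line always tested `sc->server->crl`. That makes the fail-open path per context: a connection whose `mctx->crl` is NULL (presumably a proxy connection with no proxy CRL configured) gets no CRL check even when the server-side store is loaded. The comment above the test should say so, for example `* No store in this connection's context means no CRL check; the incoming ok is returned unchanged.`. The two `SSL_X509_STORE_lookup` calls in the `@@ -1426` and `@@ -1503` hunks use the same `mctx->crl`, so they inherit that choice.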