mod_ssl namespacing: Move SSL_CTX_use_certificate_chain() into ssl_engine_init.c

and make it a static function called use_certificate_chain(). git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1677834 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2015-05-05 14:29:11 +00:00
parent aa6037fa61
commit a5c1e92732
3 changed files with 60 additions and 69 deletions
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -830,6 +830,65 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
    return APR_SUCCESS;
 }

+/*
+ * Read a file that optionally contains the server certificate in PEM
+ * format, possibly followed by a sequence of CA certificates that
+ * should be sent to the peer in the SSL Certificate message.
+ */
+static int use_certificate_chain(
+    SSL_CTX *ctx, char *file, int skipfirst, pem_password_cb *cb)
+{
+    BIO *bio;
+    X509 *x509;
+    unsigned long err;
+    int n;
+
+    if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
+        return -1;
+    if (BIO_read_filename(bio, file) <= 0) {
+        BIO_free(bio);
+        return -1;
+    }
+    /* optionally skip a leading server certificate */
+    if (skipfirst) {
+        if ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) {
+            BIO_free(bio);
+            return -1;
+        }
+        X509_free(x509);
+    }
+    /* free a perhaps already configured extra chain */
+#ifdef OPENSSL_NO_SSL_INTERN
+    SSL_CTX_clear_extra_chain_certs(ctx);
+#else
+    if (ctx->extra_certs != NULL) {
+        sk_X509_pop_free((STACK_OF(X509) *)ctx->extra_certs, X509_free);
+        ctx->extra_certs = NULL;
+    }
+#endif
+    /* create new extra chain by loading the certs */
+    n = 0;
+    while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
+        if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
+            X509_free(x509);
+            BIO_free(bio);
+            return -1;
+        }
+        n++;
+    }
+    /* Make sure that only the error is just an EOF */
+    if ((err = ERR_peek_error()) > 0) {
+        if (!(   ERR_GET_LIB(err) == ERR_LIB_PEM
+              && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
+            BIO_free(bio);
+            return -1;
+        }
+        while (ERR_get_error() > 0) ;
+    }
+    BIO_free(bio);
+    return n;
+}
+
 static apr_status_t ssl_init_ctx_cert_chain(server_rec *s,
                                            apr_pool_t *p,
                                            apr_pool_t *ptemp,
@@ -865,9 +924,7 @@ static apr_status_t ssl_init_ctx_cert_chain(server_rec *s,
        }
    }

-    n = SSL_CTX_use_certificate_chain(mctx->ssl_ctx,
-                                      (char *)chain,
-                                      skip_first, NULL);
+    n = use_certificate_chain(mctx->ssl_ctx, (char *)chain, skip_first, NULL);
    if (n < 0) {
        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01903)
                "Failed to configure CA certificate chain!");
--- a/modules/ssl/ssl_util_ssl.c
+++ b/modules/ssl/ssl_util_ssl.c
@@ -443,71 +443,6 @@ EC_GROUP *ssl_ec_GetParamFromFile(const char *file)
 }
 #endif

-/*  _________________________________________________________________
-**
-**  Extra Server Certificate Chain Support
-**  _________________________________________________________________
-*/
-
-/*
- * Read a file that optionally contains the server certificate in PEM
- * format, possibly followed by a sequence of CA certificates that
- * should be sent to the peer in the SSL Certificate message.
- */
-int SSL_CTX_use_certificate_chain(
-    SSL_CTX *ctx, char *file, int skipfirst, pem_password_cb *cb)
-{
-    BIO *bio;
-    X509 *x509;
-    unsigned long err;
-    int n;
-
-    if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
-        return -1;
-    if (BIO_read_filename(bio, file) <= 0) {
-        BIO_free(bio);
-        return -1;
-    }
-    /* optionally skip a leading server certificate */
-    if (skipfirst) {
-        if ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) == NULL) {
-            BIO_free(bio);
-            return -1;
-        }
-        X509_free(x509);
-    }
-    /* free a perhaps already configured extra chain */
-#ifdef OPENSSL_NO_SSL_INTERN
-    SSL_CTX_clear_extra_chain_certs(ctx);
-#else
-    if (ctx->extra_certs != NULL) {
-        sk_X509_pop_free((STACK_OF(X509) *)ctx->extra_certs, X509_free);
-        ctx->extra_certs = NULL;
-    }
-#endif
-    /* create new extra chain by loading the certs */
-    n = 0;
-    while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
-        if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
-            X509_free(x509);
-            BIO_free(bio);
-            return -1;
-        }
-        n++;
-    }
-    /* Make sure that only the error is just an EOF */
-    if ((err = ERR_peek_error()) > 0) {
-        if (!(   ERR_GET_LIB(err) == ERR_LIB_PEM
-              && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
-            BIO_free(bio);
-            return -1;
-        }
-        while (ERR_get_error() > 0) ;
-    }
-    BIO_free(bio);
-    return n;
-}
-
 /*  _________________________________________________________________
 **
 **  Session Stuff
--- a/modules/ssl/ssl_util_ssl.h
+++ b/modules/ssl/ssl_util_ssl.h
@@ -67,7 +67,6 @@ char       *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsn
 char       *modssl_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);
 BOOL        modssl_X509_getSAN(apr_pool_t *, X509 *, int, int, apr_array_header_t **);
 BOOL        modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *);
-int         SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, pem_password_cb *);
 char       *SSL_SESSION_id2sz(unsigned char *, int, char *, int);

 #endif /* __SSL_UTIL_SSL_H__ */