Split X509_check_ca() into a small self and an internal function

#define ns_reject(x, usage) \

	(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))

int X509_check_ca(X509 *x)

static int check_ca(const X509 *x)

{

	if(!(x->ex_flags & EXFLAG_SET)) {

		CRYPTO_w_lock(CRYPTO_LOCK_X509);

		x509v3_cache_extensions(x);

		CRYPTO_w_unlock(CRYPTO_LOCK_X509);

	}

	/* keyUsage if present should allow cert signing */

	if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;

	if(x->ex_flags & EXFLAG_BCONS) {

	}

}

int X509_check_ca(X509 *x)

{

	if(!(x->ex_flags & EXFLAG_SET)) {

		CRYPTO_w_lock(CRYPTO_LOCK_X509);

		x509v3_cache_extensions(x);

		CRYPTO_w_unlock(CRYPTO_LOCK_X509);

	}

	return check_ca(x);

}

/* Check SSL CA: common checks for SSL client and server */

static int check_ssl_ca(const X509 *x)

{

	int ca_ret;

	ca_ret = X509_check_ca(x);

	ca_ret = check_ca(x);

	if(!ca_ret) return 0;

	/* check nsCertType if present */

	if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret;

	if(xku_reject(x,XKU_SMIME)) return 0;

	if(ca) {

		int ca_ret;

		ca_ret = X509_check_ca(x);

		ca_ret = check_ca(x);

		if(!ca_ret) return 0;

		/* check nsCertType if present */

		if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret;

{

	if(ca) {

		int ca_ret;

		if((ca_ret = X509_check_ca(x)) != 2) return ca_ret;

		if((ca_ret = check_ca(x)) != 2) return ca_ret;

		else return 0;

	}

	if(ku_reject(x, KU_CRL_SIGN)) return 0;

{

	/* Must be a valid CA.  Should we really support the "I don't know"

	   value (2)? */

	if(ca) return X509_check_ca(x);

	if(ca) return check_ca(x);

	/* leaf certificate is checked in OCSP_verify() */

	return 1;

}