Upgrade chrome's OpenSSL to same version Android ships with.

openssl/crypto/x509v3/v3_addr.c

 /*
  * Contributed to the OpenSSL Project by the American Registry for
  * Internet Numbers ("ARIN").
  */
 /* ====================================================================
  * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ skipping 124 matching lines @@
            f->addressFamily->data != NULL)
           ? ((f->addressFamily->data[0] << 8) |
              (f->addressFamily->data[1]))
           : 0);
 }
 
 /*
  * Expand the bitstring form of an address into a raw byte array.
  * At the moment this is coded for simplicity, not speed.
  */
-static void addr_expand(unsigned char *addr,
+static int addr_expand(unsigned char *addr,
                         const ASN1_BIT_STRING *bs,
                         const int length,
                         const unsigned char fill)
 {
-  OPENSSL_assert(bs->length >= 0 && bs->length <= length);
+  if (bs->length < 0 || bs->length > length)
+    return 0;
   if (bs->length > 0) {
     memcpy(addr, bs->data, bs->length);
     if ((bs->flags & 7) != 0) {
       unsigned char mask = 0xFF >> (8 - (bs->flags & 7));
       if (fill == 0)
         addr[bs->length - 1] &= ~mask;
       else
         addr[bs->length - 1] |= mask;
     }
   }
   memset(addr + bs->length, fill, length - bs->length);
+  return 1;
 }
 
 /*
  * Extract the prefix length from a bitstring.
  */
 #define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7)))
 
 /*
  * i2r handler for one address bitstring.
  */
 static int i2r_address(BIO *out,
                        const unsigned afi,
                        const unsigned char fill,
                        const ASN1_BIT_STRING *bs)
 {
   unsigned char addr[ADDR_RAW_BUF_LEN];
   int i, n;
 
+  if (bs->length < 0)
+    return 0;
   switch (afi) {
   case IANA_AFI_IPV4:
-    addr_expand(addr, bs, 4, fill);
+    if (!addr_expand(addr, bs, 4, fill))
+      return 0;
     BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
     break;
   case IANA_AFI_IPV6:
-    addr_expand(addr, bs, 16, fill);
+    if (!addr_expand(addr, bs, 16, fill))
+      return 0;
     for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2)
       ;
     for (i = 0; i < n; i += 2)
       BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i+1], (i < 14 ? ":" : ""));
     if (i < 16)
       BIO_puts(out, ":");
     if (i == 0)
       BIO_puts(out, ":");
     break;
   default:
@@ skipping 32 matching lines @@
       BIO_puts(out, "\n");
       continue;
     }
   }
   return 1;
 }
 
 /*
  * i2r handler for an IPAddrBlocks extension.
  */
-static int i2r_IPAddrBlocks(X509V3_EXT_METHOD *method,
+static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
                             void *ext,
                             BIO *out,
                             int indent)
 {
   const IPAddrBlocks *addr = ext;
   int i;
   for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
     IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
     const unsigned int afi = v3_addr_get_afi(f);
     switch (afi) {
@@ skipping 52 matching lines @@
         return 0;
       break;
     }
   }
   return 1;
 }
 
 /*
  * Sort comparison function for a sequence of IPAddressOrRange
  * elements.
+ *
+ * There's no sane answer we can give if addr_expand() fails, and an
+ * assertion failure on externally supplied data is seriously uncool,
+ * so we just arbitrarily declare that if given invalid inputs this
+ * function returns -1.  If this messes up your preferred sort order
+ * for garbage input, tough noogies.
  */
 static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
                                 const IPAddressOrRange *b,
                                 const int length)
 {
   unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN];
-  int prefixlen_a = 0;
-  int prefixlen_b = 0;
+  int prefixlen_a = 0, prefixlen_b = 0;
   int r;
 
   switch (a->type) {
   case IPAddressOrRange_addressPrefix:
-    addr_expand(addr_a, a->u.addressPrefix, length, 0x00);
+    if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
+      return -1;
     prefixlen_a = addr_prefixlen(a->u.addressPrefix);
     break;
   case IPAddressOrRange_addressRange:
-    addr_expand(addr_a, a->u.addressRange->min, length, 0x00);
+    if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
+      return -1;
     prefixlen_a = length * 8;
     break;
   }
 
   switch (b->type) {
   case IPAddressOrRange_addressPrefix:
-    addr_expand(addr_b, b->u.addressPrefix, length, 0x00);
+    if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
+      return -1;
     prefixlen_b = addr_prefixlen(b->u.addressPrefix);
     break;
   case IPAddressOrRange_addressRange:
-    addr_expand(addr_b, b->u.addressRange->min, length, 0x00);
+    if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
+      return -1;
     prefixlen_b = length * 8;
     break;
   }
 
   if ((r = memcmp(addr_a, addr_b, length)) != 0)
     return r;
   else
     return prefixlen_a - prefixlen_b;
 }
 
@@ skipping 21 matching lines @@
  * Calculate whether a range collapses to a prefix.
  * See last paragraph of RFC 3779 2.2.3.7.
  */
 static int range_should_be_prefix(const unsigned char *min,
                                   const unsigned char *max,
                                   const int length)
 {
   unsigned char mask;
   int i, j;
 
+  OPENSSL_assert(memcmp(min, max, length) <= 0);
   for (i = 0; i < length && min[i] == max[i]; i++)
     ;
   for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--)
     ;
   if (i < j)
     return -1;
   if (i > j)
     return i * 8;
   mask = min[i] ^ max[i];
   switch (mask) {
@@ skipping 198 matching lines @@
        f->ipAddressChoice->u.inherit != NULL))
     return NULL;
   if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges)
     aors = f->ipAddressChoice->u.addressesOrRanges;
   if (aors != NULL)
     return aors;
   if ((aors = sk_IPAddressOrRange_new_null()) == NULL)
     return NULL;
   switch (afi) {
   case IANA_AFI_IPV4:
-    (void)sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
+    (void) sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
     break;
   case IANA_AFI_IPV6:
-    (void)sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
+    (void) sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
     break;
   }
   f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
   f->ipAddressChoice->u.addressesOrRanges = aors;
   return aors;
 }
 
 /*
  * Add a prefix.
  */
@@ skipping 31 matching lines @@
     return 0;
   if (sk_IPAddressOrRange_push(aors, aor))
     return 1;
   IPAddressOrRange_free(aor);
   return 0;
 }
 
 /*
  * Extract min and max values from an IPAddressOrRange.
  */
-static void extract_min_max(IPAddressOrRange *aor,
+static int extract_min_max(IPAddressOrRange *aor,
                             unsigned char *min,
                             unsigned char *max,
                             int length)
 {
-  OPENSSL_assert(aor != NULL && min != NULL && max != NULL);
+  if (aor == NULL || min == NULL || max == NULL)
+    return 0;
   switch (aor->type) {
   case IPAddressOrRange_addressPrefix:
-    addr_expand(min, aor->u.addressPrefix, length, 0x00);
-    addr_expand(max, aor->u.addressPrefix, length, 0xFF);
-    return;
+    return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&
+            addr_expand(max, aor->u.addressPrefix, length, 0xFF));
   case IPAddressOrRange_addressRange:
-    addr_expand(min, aor->u.addressRange->min, length, 0x00);
-    addr_expand(max, aor->u.addressRange->max, length, 0xFF);
-    return;
+    return (addr_expand(min, aor->u.addressRange->min, length, 0x00) &&
+            addr_expand(max, aor->u.addressRange->max, length, 0xFF));
   }
+  return 0;
 }
 
 /*
  * Public wrapper for extract_min_max().
  */
 int v3_addr_get_range(IPAddressOrRange *aor,
                       const unsigned afi,
                       unsigned char *min,
                       unsigned char *max,
                       const int length)
 {
   int afi_length = length_from_afi(afi);
   if (aor == NULL || min == NULL || max == NULL ||
       afi_length == 0 || length < afi_length ||
       (aor->type != IPAddressOrRange_addressPrefix &&
-       aor->type != IPAddressOrRange_addressRange))
+       aor->type != IPAddressOrRange_addressRange) ||
+      !extract_min_max(aor, min, max, afi_length))
     return 0;
-  extract_min_max(aor, min, max, afi_length);
+
   return afi_length;
 }
 
 /*
  * Sort comparision function for a sequence of IPAddressFamily.
  *
  * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about
  * the ordering: I can read it as meaning that IPv6 without a SAFI
  * comes before IPv4 with a SAFI, which seems pretty weird.  The
  * examples in appendix B suggest that the author intended the
@@ skipping 61 matching lines @@
     /*
      * It's an IPAddressOrRanges sequence, check it.
      */
     aors = f->ipAddressChoice->u.addressesOrRanges;
     if (sk_IPAddressOrRange_num(aors) == 0)
       return 0;
     for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
       IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
       IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);
 
-      extract_min_max(a, a_min, a_max, length);
-      extract_min_max(b, b_min, b_max, length);
+      if (!extract_min_max(a, a_min, a_max, length) ||
+          !extract_min_max(b, b_min, b_max, length))
+        return 0;
 
       /*
        * Punt misordered list, overlapping start, or inverted range.
        */
       if (memcmp(a_min, b_min, length) >= 0 ||
           memcmp(a_min, a_max, length) > 0 ||
           memcmp(b_min, b_max, length) > 0)
         return 0;
 
       /*
        * Punt if adjacent or overlapping.  Check for adjacency by
        * subtracting one from b_min first.
        */
       for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--)
         ;
       if (memcmp(a_max, b_min, length) >= 0)
         return 0;
 
       /*
        * Check for range that should be expressed as a prefix.
        */
       if (a->type == IPAddressOrRange_addressRange &&
           range_should_be_prefix(a_min, a_max, length) >= 0)
         return 0;
     }
 
     /*
-     * Check final range to see if it should be a prefix.
+     * Check range to see if it's inverted or should be a
+     * prefix.
      */
     j = sk_IPAddressOrRange_num(aors) - 1;
     {
       IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
-      if (a->type == IPAddressOrRange_addressRange) {
-        extract_min_max(a, a_min, a_max, length);
-        if (range_should_be_prefix(a_min, a_max, length) >= 0)
+      if (a != NULL && a->type == IPAddressOrRange_addressRange) {
+        if (!extract_min_max(a, a_min, a_max, length))
+          return 0;
+        if (memcmp(a_min, a_max, length) > 0 ||
+            range_should_be_prefix(a_min, a_max, length) >= 0)
           return 0;
       }
     }
   }
 
   /*
    * If we made it through all that, we're happy.
    */
   return 1;
 }
@@ skipping 13 matching lines @@
 
   /*
    * Clean up representation issues, punt on duplicates or overlaps.
    */
   for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {
     IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);
     IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
     unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
     unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
 
-    extract_min_max(a, a_min, a_max, length);
-    extract_min_max(b, b_min, b_max, length);
+    if (!extract_min_max(a, a_min, a_max, length) ||
+        !extract_min_max(b, b_min, b_max, length))
+      return 0;
+
+    /*
+     * Punt inverted ranges.
+     */
+    if (memcmp(a_min, a_max, length) > 0 ||
+        memcmp(b_min, b_max, length) > 0)
+      return 0;
 
     /*
      * Punt overlaps.
      */
     if (memcmp(a_max, b_min, length) >= 0)
       return 0;
 
     /*
      * Merge if a and b are adjacent.  We check for
      * adjacency by subtracting one from b_min first.
      */
     for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--)
       ;
     if (memcmp(a_max, b_min, length) == 0) {
       IPAddressOrRange *merged;
       if (!make_addressRange(&merged, a_min, b_max, length))
         return 0;
-      sk_IPAddressOrRange_set(aors, i, merged);
-      (void)sk_IPAddressOrRange_delete(aors, i + 1);
+      (void) sk_IPAddressOrRange_set(aors, i, merged);
+      (void) sk_IPAddressOrRange_delete(aors, i + 1);
       IPAddressOrRange_free(a);
       IPAddressOrRange_free(b);
       --i;
       continue;
     }
   }
 
+  /*
+   * Check for inverted final range.
+   */
+  j = sk_IPAddressOrRange_num(aors) - 1;
+  {
+    IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
+    if (a != NULL && a->type == IPAddressOrRange_addressRange) {
+      unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
+      extract_min_max(a, a_min, a_max, length);
+      if (memcmp(a_min, a_max, length) > 0)
+        return 0;
+    }
+  }
+
   return 1;
 }
 
 /*
  * Whack an IPAddrBlocks extension into canonical form.
  */
 int v3_addr_canonize(IPAddrBlocks *addr)
 {
   int i;
   for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
     IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
     if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
         !IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges,
                                     v3_addr_get_afi(f)))
       return 0;
   }
-  (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
+  (void) sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
   sk_IPAddressFamily_sort(addr);
   OPENSSL_assert(v3_addr_is_canonical(addr));
   return 1;
 }
 
 /*
  * v2i handler for the IPAddrBlocks extension.
  */
-static void *v2i_IPAddrBlocks(struct v3_ext_method *method,
+static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
                               struct v3_ext_ctx *ctx,
                               STACK_OF(CONF_VALUE) *values)
 {
   static const char v4addr_chars[] = "0123456789.";
   static const char v6addr_chars[] = "0123456789.:abcdefABCDEF";
   IPAddrBlocks *addr = NULL;
   char *s = NULL, *t;
   int i;
   
   if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) {
@@ skipping 102 matching lines @@
       if (i1 == i2 || s[i2] != '\0') {
         X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
         X509V3_conf_err(val);
         goto err;
       }
       if (a2i_ipadd(max, s + i1) != length) {
         X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS);
         X509V3_conf_err(val);
         goto err;
       }
+      if (memcmp(min, max, length_from_afi(afi)) > 0) {
+        X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
+        X509V3_conf_err(val);
+        goto err;
+      }
       if (!v3_addr_add_range(addr, afi, safi, min, max)) {
         X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
         goto err;
       }
       break;
     case '\0':
       if (!v3_addr_add_prefix(addr, afi, safi, min, length * 8)) {
         X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
         goto err;
       }
@@ skipping 65 matching lines @@
   unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN];
   int p, c;
 
   if (child == NULL || parent == child)
     return 1;
   if (parent == NULL)
     return 0;
 
   p = 0;
   for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
-    extract_min_max(sk_IPAddressOrRange_value(child, c),
-                    c_min, c_max, length);
+    if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
+                         c_min, c_max, length))
+      return -1;
     for (;; p++) {
       if (p >= sk_IPAddressOrRange_num(parent))
         return 0;
-      extract_min_max(sk_IPAddressOrRange_value(parent, p),
-                      p_min, p_max, length);
+      if (!extract_min_max(sk_IPAddressOrRange_value(parent, p),
+                           p_min, p_max, length))
+        return 0;
       if (memcmp(p_max, c_max, length) < 0)
         continue;
       if (memcmp(p_min, c_min, length) > 0)
         return 0;
       break;
     }
   }
 
   return 1;
 }
 
 /*
  * Test whether a is a subset of b.
  */
 int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
 {
   int i;
   if (a == NULL || a == b)
     return 1;
   if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
     return 0;
-  (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
+  (void) sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
   for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
     IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
     int j = sk_IPAddressFamily_find(b, fa);
     IPAddressFamily *fb;
     fb = sk_IPAddressFamily_value(b, j);
     if (fb == NULL)
        return 0;
     if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, 
                        fa->ipAddressChoice->u.addressesOrRanges,
                        length_from_afi(v3_addr_get_afi(fb))))
@@ skipping 21 matching lines @@
 
 /*
  * Core code for RFC 3779 2.3 path validation.
  */
 static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
                                           STACK_OF(X509) *chain,
                                           IPAddrBlocks *ext)
 {
   IPAddrBlocks *child = NULL;
   int i, j, ret = 1;
-  X509 *x = NULL;
+  X509 *x;
 
   OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
   OPENSSL_assert(ctx != NULL || ext != NULL);
   OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
 
   /*
    * Figure out where to start.  If we don't have an extension to
    * check, we're done.  Otherwise, check canonical form and
    * set up for walking up the chain.
    */
   if (ext != NULL) {
     i = -1;
+    x = NULL;
   } else {
     i = 0;
     x = sk_X509_value(chain, i);
     OPENSSL_assert(x != NULL);
     if ((ext = x->rfc3779_addr) == NULL)
       goto done;
   }
   if (!v3_addr_is_canonical(ext))
     validation_err(X509_V_ERR_INVALID_EXTENSION);
-  (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
+  (void) sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
   if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
     X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE);
     ret = 0;
     goto done;
   }
 
   /*
    * Now walk up the chain.  No cert may list resources that its
    * parent doesn't list.
    */
   for (i++; i < sk_X509_num(chain); i++) {
     x = sk_X509_value(chain, i);
     OPENSSL_assert(x != NULL);
     if (!v3_addr_is_canonical(x->rfc3779_addr))
       validation_err(X509_V_ERR_INVALID_EXTENSION);
     if (x->rfc3779_addr == NULL) {
       for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
         IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
         if (fc->ipAddressChoice->type != IPAddressChoice_inherit) {
           validation_err(X509_V_ERR_UNNESTED_RESOURCE);
           break;
         }
       }
       continue;
     }
-    (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
+    (void) sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
     for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
       IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
       int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
       IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, k);
       if (fp == NULL) {
         if (fc->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) {
           validation_err(X509_V_ERR_UNNESTED_RESOURCE);
           break;
         }
         continue;
       }
       if (fp->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) {
         if (fc->ipAddressChoice->type == IPAddressChoice_inherit ||
             addr_contains(fp->ipAddressChoice->u.addressesOrRanges, 
                           fc->ipAddressChoice->u.addressesOrRanges,
                           length_from_afi(v3_addr_get_afi(fc))))
           sk_IPAddressFamily_set(child, j, fp);
         else
           validation_err(X509_V_ERR_UNNESTED_RESOURCE);
       }
     }
   }
 
   /*
    * Trust anchor can't inherit.
    */
+  OPENSSL_assert(x != NULL);
   if (x->rfc3779_addr != NULL) {
     for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
       IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, j);
       if (fp->ipAddressChoice->type == IPAddressChoice_inherit &&
           sk_IPAddressFamily_find(child, fp) >= 0)
         validation_err(X509_V_ERR_UNNESTED_RESOURCE);
     }
   }
 
  done:
@@ skipping 22 matching lines @@
   if (ext == NULL)
     return 1;
   if (chain == NULL || sk_X509_num(chain) == 0)
     return 0;
   if (!allow_inheritance && v3_addr_inherits(ext))
     return 0;
   return v3_addr_validate_path_internal(NULL, chain, ext);
 }
 
 #endif /* OPENSSL_NO_RFC3779 */