Merge pull request #731 from sfackler/ip-hostv0.9.18

Properly handle IPs in hostname verification

2 files changed, 26 insertions, 1 deletions

diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs
index 8f568054..076f246f 100644
--- a/openssl/src/ssl/connector.rs
+++ b/openssl/src/ssl/connector.rs
@@ -355,7 +355,10 @@ fn setup_verify(ctx: &mut SslContextBuilder) {
 fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> {
     let param = ssl._param_mut();
     param.set_hostflags(::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
-    param.set_host(domain)
+    match domain.parse() {
+        Ok(ip) => param.set_ip(ip),
+        Err(_) => param.set_host(domain),
+    }
 }
 
 #[cfg(ossl101)]
diff --git a/openssl/src/verify.rs b/openssl/src/verify.rs
index 002b0ca0..7b2fa612 100644
--- a/openssl/src/verify.rs
+++ b/openssl/src/verify.rs
@@ -1,6 +1,7 @@
 use libc::c_uint;
 use ffi;
 use foreign_types::ForeignTypeRef;
+use std::net::IpAddr;
 
 use cvt;
 use error::ErrorStack;
@@ -43,4 +44,25 @@ impl X509VerifyParamRef {
             )).map(|_| ())
         }
     }
+
+    pub fn set_ip(&mut self, ip: IpAddr) -> Result<(), ErrorStack> {
+        unsafe {
+            let mut buf = [0; 16];
+            let len = match ip {
+                IpAddr::V4(addr) => {
+                    buf[..4].copy_from_slice(&addr.octets());
+                    4
+                }
+                IpAddr::V6(addr) => {
+                    buf.copy_from_slice(&addr.octets());
+                    16
+                }
+            };
+            cvt(ffi::X509_VERIFY_PARAM_set1_ip(
+                self.as_ptr(),
+                buf.as_ptr() as *const _,
+                len,
+            )).map(|_| ())
+        }
+    }
 }