From 963425eb828123bf61bc40c9faa935a4c4832295 Mon Sep 17 00:00:00 2001
From: Evan Rittenhouse
Date: Wed, 3 Sep 2025 11:19:59 -0700
Subject: [PATCH] Add binding for X509_check_ip_asc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The binding corresponds to https://boringssl.googlesource.com/boringssl.git/+/refs/heads/master/include/openssl/x509.h#4690. To see the SANs covered by the specified cert, use:
```shell
❯ openssl x509 -in ./boring/test/alt_name_cert.pem -noout -text | grep -A1 "Subject Alternative Name"
X509v3 Subject Alternative Name:
DNS:example.com, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, email:test@example.com, URI:http://www.example.com
```
---
 boring/src/x509/mod.rs | 7 +++++++
 boring/src/x509/tests/mod.rs | 13 +++++++++++++
 2 files changed, 20 insertions(+)
diff --git a/boring/src/x509/mod.rs b/boring/src/x509/mod.rs
index 52f24fca..0dbfcb15 100644
--- a/boring/src/x509/mod.rs
+++ b/boring/src/x509/mod.rs
@@ -745,6 +745,13 @@ impl X509Ref {
 }
 }
+ #[corresponds(X509_check_ip_asc)]
+ pub fn check_ip_asc(&self, address: &str) -> Result {
+ let c_str = CString::new(address).map_err(ErrorStack::internal_error)?;
+
+ unsafe { cvt_n(ffi::X509_check_ip_asc(self.as_ptr(), c_str.as_ptr(), 0)).map(|n| n == 1) }
+ }
+
 to_pem! {
 /// Serializes the certificate into a PEM-encoded X509 structure.
 ///
diff --git a/boring/src/x509/tests/mod.rs b/boring/src/x509/tests/mod.rs
index c7919466..0ab054ab 100644
--- a/boring/src/x509/tests/mod.rs
+++ b/boring/src/x509/tests/mod.rs
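Review bot: `check_ip_asc` in boring/src/x509/mod.rs is a new public method with no doc comment, and its three outcomes (match, no match, error) cannot be read off the signature. I would add `/// Returns Ok(true) when address (a textual IPv4 or IPv6 address) matches an IP subject alternative name of this certificate; it does not verify the certificate chain.` so that callers do not take a `true` result as a trust decision. A malformed `address` is reported by the C function as a negative return, which presumably reaches the caller as `Err` through `cvt_n`, possibly with an empty error stack; an `# Errors` section should state this alongside the interior-NUL case rejected by `CString::new`. The hard-coded `0` passed as flags also deserves a one-line why-comment. The enclosing `impl X509Ref` starts and ends outside this hunk.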
@@ -513,3 +513,16 @@ fn test_load_subject_der() {
 ];
 X509Name::from_der(SUBJECT_DER).unwrap();
 }
+
+#[test]
+fn test_check_ip_asc() {
+ // Covers 127.0.0.1 and 0:0:0:0:0:0:0:1
+ let cert = include_bytes!("../../../test/alt_name_cert.pem");
+ let cert = X509::from_pem(cert).unwrap();
+
+ assert!(cert.check_ip_asc("127.0.0.1").unwrap());
+ assert!(!cert.check_ip_asc("127.0.0.2").unwrap());
+
+ assert!(cert.check_ip_asc("0:0:0:0:0:0:0:1").unwrap());
+ assert!(!cert.check_ip_asc("0:0:0:0:0:0:0:2").unwrap());
+}
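Review bot: `test_check_ip_asc` covers only the match and no-match paths, with addresses spelled exactly as they appear in the certificate, so the error paths and address normalisation are untested. The binding rejects an interior NUL through `CString::new`, which `assert!(cert.check_ip_asc("127.0.0.1\0").is_err());` would pin. I would also add `assert!(cert.check_ip_asc("::1").unwrap());` for the compressed IPv6 spelling, and a malformed input such as `"not-an-ip"` whose expected result (presumably `Err`) should be asserted once confirmed. Without these, a later change that turns a parse failure into `Ok(false)` or `Ok(true)` would pass the suite unnoticed.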