Properly handle IPs in hostname verification

openssl-sys/src/lib.rs

@@ -2587,6 +2587,12 @@ extern "C" {
         name: *const c_char,
         namelen: size_t,
     ) -> c_int;
+    #[cfg(not(any(ossl101, libressl)))]
+    pub fn X509_VERIFY_PARAM_set1_ip(
+        param: *mut X509_VERIFY_PARAM,
+        ip: *const c_uchar,
+        iplen: size_t,
+    ) -> c_int;
 
     pub fn d2i_DHparams(k: *mut *mut DH, pp: *mut *const c_uchar, length: c_long) -> *mut DH;
     pub fn i2d_DHparams(dh: *const DH, pp: *mut *mut c_uchar) -> c_int;

openssl/src/ssl/connector.rs

@@ -355,7 +355,10 @@ fn setup_verify(ctx: &mut SslContextBuilder) {
 fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> {
     let param = ssl._param_mut();
     param.set_hostflags(::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
-    param.set_host(domain)
+    match domain.parse() {
+        Ok(ip) => param.set_ip(ip),
+        Err(_) => param.set_host(domain),
+    }
 }
 
 #[cfg(ossl101)]

openssl/src/verify.rs

@@ -1,6 +1,7 @@
 use libc::c_uint;
 use ffi;
 use foreign_types::ForeignTypeRef;
+use std::net::IpAddr;
 
 use cvt;
 use error::ErrorStack;
@@ -43,4 +44,25 @@ impl X509VerifyParamRef {
             )).map(|_| ())
         }
     }
+
+    pub fn set_ip(&mut self, ip: IpAddr) -> Result<(), ErrorStack> {
+        unsafe {
+            let mut buf = [0; 16];
+            let len = match ip {
+                IpAddr::V4(addr) => {
+                    buf[..4].copy_from_slice(&addr.octets());
+                    4
+                }
+                IpAddr::V6(addr) => {
+                    buf.copy_from_slice(&addr.octets());
+                    16
+                }
+            };
+            cvt(ffi::X509_VERIFY_PARAM_set1_ip(
+                self.as_ptr(),
+                buf.as_ptr() as *const _,
+                len,
+            )).map(|_| ())
+        }
+    }
 }