From dc92a514efc9fee1b7e6c90b70dff71f5f5a3110 Mon Sep 17 00:00:00 2001
From: Steven Fackler
Date: Wed, 20 Sep 2017 10:04:09 -0400
Subject: [PATCH] Properly handle IPs in hostname verification
---
 openssl-sys/src/lib.rs | 6 ++++++
 openssl/src/ssl/connector.rs | 5 ++++-
 openssl/src/verify.rs | 22 ++++++++++++++++++++++
 3 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/openssl-sys/src/lib.rs b/openssl-sys/src/lib.rs
index 81145432..b7951f0a 100644
--- a/openssl-sys/src/lib.rs
+++ b/openssl-sys/src/lib.rs
@@ -2587,6 +2587,12 @@ extern "C" {
 name: *const c_char,
 namelen: size_t,
 ) -> c_int;
+ #[cfg(not(any(ossl101, libressl)))]
+ pub fn X509_VERIFY_PARAM_set1_ip(
+ param: *mut X509_VERIFY_PARAM,
+ ip: *const c_uchar,
+ iplen: size_t,
+ ) -> c_int;
 pub fn d2i_DHparams(k: *mut *mut DH, pp: *mut *const c_uchar, length: c_long) -> *mut DH;
 pub fn i2d_DHparams(dh: *const DH, pp: *mut *mut c_uchar) -> c_int;
diff --git a/openssl/src/ssl/connector.rs b/openssl/src/ssl/connector.rs
index 8f568054..076f246f 100644
--- a/openssl/src/ssl/connector.rs
+++ b/openssl/src/ssl/connector.rs
@@ -355,7 +355,10 @@ fn setup_verify(ctx: &mut SslContextBuilder) {
 fn setup_verify_hostname(ssl: &mut Ssl, domain: &str) -> Result<(), ErrorStack> {
 let param = ssl._param_mut();
 param.set_hostflags(::verify::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
- param.set_host(domain)
+ match domain.parse() {
+ Ok(ip) => param.set_ip(ip),
+ Err(_) => param.set_host(domain),
+ }
 }
 #[cfg(ossl101)]
diff --git a/openssl/src/verify.rs b/openssl/src/verify.rs
index 002b0ca0..7b2fa612 100644
--- a/openssl/src/verify.rs
+++ b/openssl/src/verify.rs
@@ -1,6 +1,7 @@
 use libc::c_uint;
 use ffi;
 use foreign_types::ForeignTypeRef;
+use std::net::IpAddr;
 use cvt;
 use error::ErrorStack;
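Review bot: The new `X509_VERIFY_PARAM_set1_ip` declaration is gated on `not(any(ossl101, libressl))`, but the safe wrapper that calls it in `openssl/src/verify.rs` (the `set_ip` hunk of this same patch) carries no matching gate, so a 1.0.1 or LibreSSL build fails with an unresolved `ffi::X509_VERIFY_PARAM_set1_ip` unless the whole `verify` module is already excluded at its `mod` declaration, which is outside this patch. Either gate `set_ip` with the same attribute or confirm the module-level gate exists. The declaration would also benefit from a comment recording the contract the wrapper relies on, e.g. `// iplen must be 4 (IPv4) or 16 (IPv6); the set1 convention means OpenSSL copies the bytes.` The surrounding `extern "C"` block begins and ends outside the hunk.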
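Review bot: The `Err(_)` arm silently routes anything that is not a bare IP literal to `set_host`, so a bracketed or zone-qualified IPv6 string such as `[::1]` or `fe80::1%eth0` is verified as a DNS name rather than against the certificate's iPAddress entries, and the handshake then fails with a misleading verification error. The function's contract should state that callers pass the bare address; suggest a comment above the `match`: `// A bare IP literal must be checked against iPAddress SANs, not dNSName/CN; any other string is treated as a hostname.` The `#[cfg(ossl101)]` item immediately after this function suggests a separate 1.0.1 variant exists that this patch leaves unchanged; worth confirming that is intended.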
@@ -43,4 +44,25 @@ impl X509VerifyParamRef {
 )).map(|_| ())
 }
 }
+
+ pub fn set_ip(&mut self, ip: IpAddr) -> Result<(), ErrorStack> {
+ unsafe {
+ let mut buf = [0; 16];
+ let len = match ip {
+ IpAddr::V4(addr) => {
+ buf[..4].copy_from_slice(&addr.octets());
+ 4
+ }
+ IpAddr::V6(addr) => {
+ buf.copy_from_slice(&addr.octets());
+ 16
+ }
+ };
+ cvt(ffi::X509_VERIFY_PARAM_set1_ip(
+ self.as_ptr(),
+ buf.as_ptr() as *const _,
+ len,
+ )).map(|_| ())
+ }
+ }
 }
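Review bot: `set_ip` is a new `pub fn` without a `///` doc comment, and the `unsafe` block spans the whole body even though only the `cvt(ffi::X509_VERIFY_PARAM_set1_ip(...))` call needs it. Suggest `/// Sets the IP address the peer certificate must match (checked against its iPAddress subject alternative names).` and `/// This corresponds to [`X509_VERIFY_PARAM_set1_ip`].` above the signature, moving `unsafe {` down to wrap only the `cvt(...)` expression, and preceding it with `// SAFETY: buf is a live 16-byte array and len is 4 or 16, so only initialised bytes are read; set1 semantics mean OpenSSL copies them before returning.` Narrowing the block also lets `let mut buf = [0; 16]` and the `match` read unambiguously as ordinary safe setup. The `impl X509VerifyParamRef` block this method lives in begins outside the hunk.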