Fix IP address verification in TLS certificate.

GitOrigin-RevId: 5275f8be34e9459a13a87e6fbd056754ceb515d4
2020-05-16 18:43:49 +03:00 · 2020-05-16 18:43:49 +03:00 · 842e2033b7
commit 842e2033b7
parent 7bdff46710
4 changed files with 13 additions and 7 deletions
--- a/benchmark/wget.cpp
+++ b/benchmark/wget.cpp
@ -27,6 +27,9 @@ int main(int argc, char *argv[]) {
  scheduler
      ->create_actor_unsafe<td::Wget>(0, "Client",
                                      td::PromiseCreator::lambda([](td::Result<td::unique_ptr<td::HttpQuery>> res) {
+                                        if (res.is_error()) {
+                                          LOG(FATAL) << res.error();
+                                        }
                                        LOG(ERROR) << *res.ok();
                                        td::Scheduler::instance()->finish();
                                      }),
--- a/tdnet/td/net/SslStream.cpp
+++ b/tdnet/td/net/SslStream.cpp
@ -323,10 +323,13 @@ class SslStreamImpl {

 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
    X509_VERIFY_PARAM *param = SSL_get0_param(ssl_handle);
-    /* Enable automatic hostname checks */
-    // TODO: X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
    X509_VERIFY_PARAM_set_hostflags(param, 0);
-    X509_VERIFY_PARAM_set1_host(param, host.c_str(), 0);
+    if (r_ip_address.is_ok()) {
+      X509_VERIFY_PARAM_set1_ip_asc(param, r_ip_address.ok().get_ip_str().c_str());
+      // X509_VERIFY_PARAM_set1_host(param, host.c_str(), 0);
+    } else {
+      X509_VERIFY_PARAM_set1_host(param, host.c_str(), 0);
+    }
 #else
 #warning DANGEROUS! HTTPS HOST WILL NOT BE CHECKED. INSTALL OPENSSL >= 1.0.2 OR IMPLEMENT HTTPS HOST CHECK MANUALLY
 #endif
--- a/tdutils/td/utils/port/IPAddress.cpp
+++ b/tdutils/td/utils/port/IPAddress.cpp
@ -521,9 +521,9 @@ string IPAddress::ipv6_to_str(Slice ipv6) {
  return ::td::get_ip_str(AF_INET6, ipv6.ubegin()).str();
 }

-Slice IPAddress::get_ip_str() const {
+CSlice IPAddress::get_ip_str() const {
  if (!is_valid()) {
-    return Slice("0.0.0.0");
+    return CSlice("0.0.0.0");
  }

  switch (get_address_family()) {
@ -533,7 +533,7 @@ Slice IPAddress::get_ip_str() const {
      return ::td::get_ip_str(AF_INET, &ipv4_addr_.sin_addr);
    default:
      UNREACHABLE();
-      return Slice();
+      return CSlice();
  }
 }

--- a/tdutils/td/utils/port/IPAddress.h
+++ b/tdutils/td/utils/port/IPAddress.h
@ -42,7 +42,7 @@ class IPAddress {
  string get_ipv6() const;

  // returns result in a static thread-local buffer, which may be overwritten by any subsequent method call
-  Slice get_ip_str() const;
+  CSlice get_ip_str() const;

  static string ipv4_to_str(uint32 ipv4);
  static string ipv6_to_str(Slice ipv6);