From 842e2033b739c5cf68c443a048827df3d05306fd Mon Sep 17 00:00:00 2001
From: levlam
Date: Sat, 16 May 2020 18:43:49 +0300
Subject: [PATCH] Fix IP address verification in TLS certificate.

GitOrigin-RevId: 5275f8be34e9459a13a87e6fbd056754ceb515d4
---
 benchmark/wget.cpp | 3 +++
 tdnet/td/net/SslStream.cpp | 9 ++++++---
 tdutils/td/utils/port/IPAddress.cpp | 6 +++---
 tdutils/td/utils/port/IPAddress.h | 2 +-
 4 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/benchmark/wget.cpp b/benchmark/wget.cpp
index 1774af0a..4bd4e9dc 100644
--- a/benchmark/wget.cpp
+++ b/benchmark/wget.cpp
@@ -27,6 +27,9 @@ int main(int argc, char *argv[]) {
 scheduler
 ->create_actor_unsafe(0, "Client", td::PromiseCreator::lambda([](td::Result> res) {
+ if (res.is_error()) {
+ LOG(FATAL) << res.error();
+ }
 LOG(ERROR) << *res.ok();
 td::Scheduler::instance()->finish();
 }),
diff --git a/tdnet/td/net/SslStream.cpp b/tdnet/td/net/SslStream.cpp
index d74b30a9..27f7ac17 100644
--- a/tdnet/td/net/SslStream.cpp
+++ b/tdnet/td/net/SslStream.cpp
@@ -323,10 +323,13 @@ class SslStreamImpl {
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
 X509_VERIFY_PARAM *param = SSL_get0_param(ssl_handle);
- /* Enable automatic hostname checks */
- // TODO: X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
 X509_VERIFY_PARAM_set_hostflags(param, 0);
- X509_VERIFY_PARAM_set1_host(param, host.c_str(), 0);
+ if (r_ip_address.is_ok()) {
+ X509_VERIFY_PARAM_set1_ip_asc(param, r_ip_address.ok().get_ip_str().c_str());
+ // X509_VERIFY_PARAM_set1_host(param, host.c_str(), 0);
+ } else {
+ X509_VERIFY_PARAM_set1_host(param, host.c_str(), 0);
+ }
 #else
 #warning DANGEROUS! HTTPS HOST WILL NOT BE CHECKED. INSTALL OPENSSL >= 1.0.2 OR IMPLEMENT HTTPS HOST CHECK MANUALLY
 #endif
diff --git a/tdutils/td/utils/port/IPAddress.cpp b/tdutils/td/utils/port/IPAddress.cpp
index 57b9f5a1..a79dfbd1 100644
--- a/tdutils/td/utils/port/IPAddress.cpp
+++ b/tdutils/td/utils/port/IPAddress.cpp
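Review bot: The return values of `X509_VERIFY_PARAM_set1_ip_asc` and `X509_VERIFY_PARAM_set1_host` in the new if/else are discarded, so when either returns 0 (OpenSSL reports failure that way, e.g. on allocation failure or an address string it cannot parse) `param` is left without an expected peer identity and the handshake continues with chain validation only — the state the `#warning` branch below calls dangerous, now reachable silently on builds that do have the check. I would route both calls through one checked result, `int ok = r_ip_address.is_ok() ? X509_VERIFY_PARAM_set1_ip_asc(param, r_ip_address.ok().get_ip_str().c_str()) : X509_VERIFY_PARAM_set1_host(param, host.c_str(), 0);` followed by `if (ok != 1) { /* abort the stream setup via the enclosing function's error path */ }`; the enclosing function starts and ends outside this hunk, so I cannot see which error type it returns. The commented-out `// X509_VERIFY_PARAM_set1_host(param, host.c_str(), 0);` inside the IP branch is dead code; drop it, or replace it with `// IP literals are matched against iPAddress SANs via set1_ip_asc; set1_host only matches DNS names.` so the next reader does not re-add the host check there. The removed `// TODO: X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS` was the only record that `X509_VERIFY_PARAM_set_hostflags(param, 0)` is a deliberate choice, so if that TODO is resolved rather than forgotten, a one-line comment next to the hostflags call should say so. Where `r_ip_address` comes from is also outside the hunk; presumably it is `host` parsed as an IP literal, and since IPAddress.h documents `get_ip_str()` as returning a thread-local buffer, the immediate `.c_str()` use here is fine only as long as no other IPAddress call is interleaved before OpenSSL copies the string.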
@@ -521,9 +521,9 @@ string IPAddress::ipv6_to_str(Slice ipv6) {
 return ::td::get_ip_str(AF_INET6, ipv6.ubegin()).str();
 }
 
-Slice IPAddress::get_ip_str() const {
+CSlice IPAddress::get_ip_str() const {
 if (!is_valid()) {
- return Slice("0.0.0.0");
+ return CSlice("0.0.0.0");
 }
 
 switch (get_address_family()) {
@@ -533,7 +533,7 @@ Slice IPAddress::get_ip_str() const {
 return ::td::get_ip_str(AF_INET, &ipv4_addr_.sin_addr);
 default:
 UNREACHABLE();
- return Slice();
+ return CSlice();
 }
 }
 
diff --git a/tdutils/td/utils/port/IPAddress.h b/tdutils/td/utils/port/IPAddress.h
index 2d036d56..4af10c11 100644
--- a/tdutils/td/utils/port/IPAddress.h
+++ b/tdutils/td/utils/port/IPAddress.h
@@ -42,7 +42,7 @@ class IPAddress {
 string get_ipv6() const;
 // returns result in a static thread-local buffer, which may be overwritten by any subsequent method call
- Slice get_ip_str() const;
+ CSlice get_ip_str() const;
 static string ipv4_to_str(uint32 ipv4);
 static string ipv6_to_str(Slice ipv6);