From a74d02f412215d4d8fd31af76e9c01f2fc774a8a Mon Sep 17 00:00:00 2001
From: levlam
Date: Mon, 14 Sep 2020 03:58:57 +0300
Subject: [PATCH] Add option for checking IP address in the certificate as host.

GitOrigin-RevId: dba5b87a59f3d3d3241051ee0257a5786fdf4fb0
---
 tdnet/td/net/SslStream.cpp | 9 +++++----
 tdnet/td/net/SslStream.h   | 3 ++-
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/tdnet/td/net/SslStream.cpp b/tdnet/td/net/SslStream.cpp
index 64f3af931..00d3cb0a4 100644
--- a/tdnet/td/net/SslStream.cpp
+++ b/tdnet/td/net/SslStream.cpp
@@ -291,7 +291,7 @@ Result create_ssl_ctx(CSlice cert_file, SslStream::VerifyPeer verify_pee
 class SslStreamImpl {
  public:
-  Status init(CSlice host, CSlice cert_file, SslStream::VerifyPeer verify_peer) {
+  Status init(CSlice host, CSlice cert_file, SslStream::VerifyPeer verify_peer, bool check_ip_address_as_host) {
     static bool init_openssl = [] {
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
       return OPENSSL_init_ssl(0, nullptr) != 0;
@@ -317,7 +317,7 @@ class SslStreamImpl {
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
     X509_VERIFY_PARAM *param = SSL_get0_param(ssl_handle.get());
     X509_VERIFY_PARAM_set_hostflags(param, 0);
-    if (r_ip_address.is_ok()) {
+    if (r_ip_address.is_ok() && !check_ip_address_as_host) {
       LOG(DEBUG) << "Set verification IP address to " << r_ip_address.ok().get_ip_str();
       X509_VERIFY_PARAM_set1_ip_asc(param, r_ip_address.ok().get_ip_str().c_str());
     } else {
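Review bot: The new `!check_ip_address_as_host` condition in the second hunk changes what an IP-literal `host` is matched against: with the flag set, the code skips `X509_VERIFY_PARAM_set1_ip_asc` and falls into the `else` branch (outside the hunk), which presumably applies hostname matching to the IP string. Hostname matching is evaluated against dNSName entries rather than iPAddress SAN entries, so a certificate that correctly carries only an iPAddress entry is rejected under the flag, while one whose DNS name happens to equal the literal address passes; the two modes are not interchangeable and nothing on the declaration says so. The flag should be documented at its declaration in SslStream.h, e.g. `// If true, an IP-literal host is matched against the certificate's DNS names instead of its IP address entries; leave false unless the server certificate is known to be issued that way.`, and a `LOG(DEBUG)` line in the `else` branch mirroring the one in the `if` branch would make the mode visible in debug output. The enclosing `init` begins in the first hunk and continues past the end of this one.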
@@ -509,9 +509,10 @@ SslStream::SslStream(SslStream &&) = default;
 SslStream &SslStream::operator=(SslStream &&) = default;
 SslStream::~SslStream() = default;
 
-Result SslStream::create(CSlice host, CSlice cert_file, VerifyPeer verify_peer) {
+Result SslStream::create(CSlice host, CSlice cert_file, VerifyPeer verify_peer,
+                                    bool use_ip_address_as_host) {
   auto impl = make_unique();
-  TRY_STATUS(impl->init(host, cert_file, verify_peer));
+  TRY_STATUS(impl->init(host, cert_file, verify_peer, use_ip_address_as_host));
   return SslStream(std::move(impl));
 }
 SslStream::SslStream(unique_ptr impl) : impl_(std::move(impl)) {
diff --git a/tdnet/td/net/SslStream.h b/tdnet/td/net/SslStream.h
index d5bb6752c..07b832288 100644
--- a/tdnet/td/net/SslStream.h
+++ b/tdnet/td/net/SslStream.h
@@ -25,7 +25,8 @@ class SslStream {
   enum class VerifyPeer { On, Off };
 
-  static Result create(CSlice host, CSlice cert_file = CSlice(), VerifyPeer verify_peer = VerifyPeer::On);
+  static Result create(CSlice host, CSlice cert_file = CSlice(), VerifyPeer verify_peer = VerifyPeer::On,
+                                  bool check_ip_address_as_host = false);
 
   ByteFlowInterface &read_byte_flow();
   ByteFlowInterface &write_byte_flow();
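Review bot: The definition of `SslStream::create` names the new parameter `use_ip_address_as_host`, while the declaration in SslStream.h and `SslStreamImpl::init` both call it `check_ip_address_as_host`; a declaration/definition mismatch like this is exactly what clang-tidy's `readability-inconsistent-declaration-parameter-name` flags and it makes the header comment and the implementation drift apart. Rename in the definition: `bool check_ip_address_as_host) {` and `TRY_STATUS(impl->init(host, cert_file, verify_peer, check_ip_address_as_host));`.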