Correctly verify abbreviated IPv6 SANs

IPv6 SAN-verification accommodates
["zero-compression"](https://tools.ietf.org/html/rfc5952#section-2.2).
It also accommodates non-compressed addresses.

Previously the verification of IPv6 addresses would fail unless the
address syntax matched a specific format (no zero-compression, no
leading zeroes).

As an example, the IPv6 loopback address, if represented as `::1`, would
not verify.  Nor would it verify if represented as
`0000:0000:0000:0000:0000:0000:0000:0001`; however, both representations
are valid, RFC-compliant representations.  The library would only accept
a very specific representation (i.e.  `0:0:0:0:0:0:0:1`).

This commit addresses that shortcoming, and ensures that any valid IPv6
representation will correctly verify.

1 files changed, 6 insertions, 5 deletions

diff --git a/lib/openssl/ssl.rb b/lib/openssl/ssl.rb
index 6a6f2b94..355eb2eb 100644
--- a/lib/openssl/ssl.rb
+++ b/lib/openssl/ssl.rb
@@ -12,6 +12,7 @@
 
 require "openssl/buffering"
 require "io/nonblock"
+require "ipaddr"
 
 module OpenSSL
   module SSL
@@ -272,11 +273,11 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
             return true if verify_hostname(hostname, san.value)
           when 7 # iPAddress in GeneralName (RFC5280)
             should_verify_common_name = false
-            # follows GENERAL_NAME_print() in x509v3/v3_alt.c
-            if san.value.size == 4
-              return true if san.value.unpack('C*').join('.') == hostname
-            elsif san.value.size == 16
-              return true if san.value.unpack('n*').map { |e| sprintf("%X", e) }.join(':') == hostname
+            if san.value.size == 4 || san.value.size == 16
+              begin
+                return true if san.value == IPAddr.new(hostname).hton
+              rescue IPAddr::InvalidAddressError
+              end
             end
           end
         }