authorMattias Holmlund <mattias.holmlund@netinsight.net>2017-08-10 15:11:19 +0200
committerAnatoli Papirovski <apapirovski@mac.com>2017-11-02 21:05:20 -0400
commitb6df87e1d482f18202586273200fd7a8e9bc2fcd (patch)
tree8603a7c67ac8b61dddce193bb7e7e1a452975b00 /lib/tls.js
parent14181a3368b38978e3178d66a549349cc720f707 (diff)
downloadnode-new-b6df87e1d482f18202586273200fd7a8e9bc2fcd.tar.gz
http, tls: better support for IPv6 addresses
- Properly handle IPv6 in Host header when setting servername.
- When comparing IP addresses against addresses in the subjectAltName field of a certificate, format the address correctly before doing the string comparison.

PR-URL: https://github.com/nodejs/node/pull/14772
Fixes: https://github.com/nodejs/node/issues/14736
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Diffstat (limited to 'lib/tls.js')
-rw-r--r--lib/tls.js5
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/tls.js b/lib/tls.js
index 2d1c539532..a82535df61 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -31,6 +31,7 @@ const net = require('net');
const url = require('url');
const binding = process.binding('crypto');
const Buffer = require('buffer').Buffer;
+const canonicalizeIP = process.binding('cares_wrap').canonicalizeIP;
// Allow {CLIENT_RENEG_LIMIT} client-initiated session renegotiations
// every {CLIENT_RENEG_WINDOW} seconds. An error event is emitted if more
@@ -181,7 +182,7 @@ exports.checkServerIdentity = function checkServerIdentity(host, cert) {
const uri = url.parse(name.slice(4));
uriNames.push(uri.hostname); // TODO(bnoordhuis) Also use scheme.
} else if (name.startsWith('IP Address:')) {
- ips.push(name.slice(11));
+ ips.push(canonicalizeIP(name.slice(11)));
}
}
}
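Review bot: The new `ips.push(canonicalizeIP(name.slice(11)))` assumes every `IP Address:` SAN in the peer certificate parses as an IP; the value on the `host` side (`canonicalizeIP(host)` in the next hunk) is guarded by `net.isIP(host)`, but the certificate side is not. If `canonicalizeIP` yields `undefined` (or an empty value) for a malformed SAN — I believe it does for non-IP input, but that binding is not visible here — that placeholder lands in `ips` and later surfaces in the rejection reason as `undefined` instead of the offending SAN text, which makes the mismatch harder to diagnose; the match result itself stays a rejection either way. Consider keeping the raw text as the fallback for the diagnostic: `const ip = name.slice(11);` / `ips.push(canonicalizeIP(ip) || ip);`. A one-line comment on the push, `// Canonicalize so textually different spellings of the same IPv6 address (case, leading zeros, :: compression) compare equal.`, would record why the SAN is no longer compared verbatim. The enclosing `checkServerIdentity` starts before this hunk and continues past it.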
@@ -190,7 +191,7 @@ exports.checkServerIdentity = function checkServerIdentity(host, cert) {
let reason = 'Unknown reason';
if (net.isIP(host)) {
- valid = ips.includes(host);
+ valid = ips.includes(canonicalizeIP(host));
if (!valid)
reason = `IP: ${host} is not in the cert's list: ${ips.join(', ')}`;
// TODO(bnoordhuis) Also check URI SANs that are IP addresses.