[fix] normalize IP address in SAN verify to match CRuby

Use IPAddr for comparison instead of plain string equality, so that
equivalent IPv6 representations (e.g. ::1 vs 0:0:0:0:0:0:0:1) match
correctly. Ported IPv4/IPv6 tests from CRuby's test_ssl.rb.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: kares

lib/openssl/ssl.rb

@@ -12,6 +12,7 @@
 
 require "openssl/buffering"
 require "io/nonblock"
+require "ipaddr"
 require "socket"
 
 module OpenSSL
@@ -319,15 +320,10 @@ def verify_certificate_identity(cert, hostname)
           #when 7 # iPAddress in GeneralName (RFC5280)
           elsif /\AIP(?: Address)?:(.*)/ =~ general_name
             should_verify_common_name = false
-            return true if $1 == hostname
-            # NOTE: bellow logic makes little sense JRuby reads exts differently
-            # follows GENERAL_NAME_print() in x509v3/v3_alt.c
-            # if san.value.size == 4 || san.value.size == 16
-            #    begin
-            #      return true if $1 == IPAddr.new(hostname).to_s
-            #    rescue IPAddr::InvalidAddressError
-            #    end
-            # end
+            begin
+              return true if IPAddr.new($1) == IPAddr.new(hostname)
+            rescue IPAddr::InvalidAddressError
+            end
           end
         }
       }

src/test/ruby/ssl/test_ssl.rb

@@ -80,6 +80,45 @@ def test_post_connection_check
     end
   end
 
+  # ported from CRuby's test/openssl/test_ssl.rb
+  def test_verify_certificate_identity_ipv4
+    cert = create_cert_with_san("IP:192.168.7.1")
+    assert_equal true,  OpenSSL::SSL.verify_certificate_identity(cert, "192.168.7.1")
+    assert_equal false, OpenSSL::SSL.verify_certificate_identity(cert, "192.168.7.255")
+    assert_equal false, OpenSSL::SSL.verify_certificate_identity(cert, "192.168.7.2")
+  end
+
+  # ported from CRuby's test/openssl/test_ssl.rb
+  def test_verify_certificate_identity_ipv6
+    cert = create_cert_with_san("IP:13::17")
+    assert_equal true,  OpenSSL::SSL.verify_certificate_identity(cert, "13::17")
+    assert_equal false, OpenSSL::SSL.verify_certificate_identity(cert, "13::18")
+    # expanded form
+    assert_equal true,  OpenSSL::SSL.verify_certificate_identity(cert, "13:0:0:0:0:0:0:17")
+    assert_equal false, OpenSSL::SSL.verify_certificate_identity(cert, "44:0:0:0:0:0:0:17")
+    # fully expanded with leading zeros
+    assert_equal true,  OpenSSL::SSL.verify_certificate_identity(cert, "0013:0000:0000:0000:0000:0000:0000:0017")
+    assert_equal false, OpenSSL::SSL.verify_certificate_identity(cert, "1313:0000:0000:0000:0000:0000:0000:0017")
+  end
+
+  def test_verify_certificate_identity_dns_no_ip_match
+    cert = create_cert_with_san("DNS:example.com")
+    assert_equal true,  OpenSSL::SSL.verify_certificate_identity(cert, "example.com")
+    assert_equal false, OpenSSL::SSL.verify_certificate_identity(cert, "192.168.7.1")
+  end
+
+  private
+
+  def create_cert_with_san(san)
+    ef = OpenSSL::X509::ExtensionFactory.new
+    cert = OpenSSL::X509::Certificate.new
+    cert.subject = OpenSSL::X509::Name.parse("/DC=some/DC=site/CN=Some Site")
+    cert.add_extension ef.create_ext("subjectAltName", san)
+    cert
+  end
+
+  public
+
   def test_post_connect_check_with_anon_ciphers
     unless OpenSSL::ExtConfig::TLS_DH_anon_WITH_AES_256_GCM_SHA384
       return skip('OpenSSL::ExtConfig::TLS_DH_anon_WITH_AES_256_GCM_SHA384 not enabled')