From c87f82f0ce58ec714b3e13fbe69c322a0d612c67 Mon Sep 17 00:00:00 2001 From: Matthew Holt Date: Thu, 26 Mar 2020 14:01:38 -0600 Subject: [PATCH] caddytls: Match automation policies by wildcard subjects too https://caddy.community/t/wildcard-snis-not-being-matched/7271/24?u=matt Also use new CertMagic function for matching wildcard names --- go.mod | 6 +++--- go.sum | 12 ++++++------ modules/caddytls/matchers.go | 18 ++---------------- modules/caddytls/tls.go | 2 +- 4 files changed, 12 insertions(+), 26 deletions(-) diff --git a/go.mod b/go.mod index 06dd81f1..3cd325c0 100644 --- a/go.mod +++ b/go.mod @@ -5,10 +5,10 @@ go 1.14 require ( github.com/Masterminds/sprig/v3 v3.0.2 github.com/alecthomas/chroma v0.7.2-0.20200305040604-4f3623dce67a - github.com/caddyserver/certmagic v0.10.4 + github.com/caddyserver/certmagic v0.10.5 github.com/dustin/go-humanize v1.0.1-0.20200219035652-afde56e7acac github.com/go-acme/lego/v3 v3.5.0 - github.com/google/cel-go v0.4.0 + github.com/google/cel-go v0.4.1 github.com/jsternberg/zap-logfmt v1.2.0 github.com/klauspost/compress v1.10.3 github.com/klauspost/cpuid v1.2.3 @@ -21,7 +21,7 @@ require ( github.com/smallstep/cli v0.14.0-rc.3 github.com/smallstep/truststore v0.9.4 github.com/vulcand/oxy v1.1.0 - github.com/yuin/goldmark v1.1.25 + github.com/yuin/goldmark v1.1.26 github.com/yuin/goldmark-highlighting v0.0.0-20200307114337-60d527fdb691 go.uber.org/zap v1.14.1 golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59 diff --git a/go.sum b/go.sum index 2eea89d7..30999085 100644 --- a/go.sum +++ b/go.sum @@ -120,8 +120,8 @@ github.com/bombsimon/wsl/v2 v2.0.0/go.mod h1:mf25kr/SqFEPhhcxW1+7pxzGlW+hIl/hYTK github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g= github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s= -github.com/caddyserver/certmagic v0.10.4 h1:3jRzfMnOVsmGo2XYZ7mkksgoB14my1CTmqc1Apx7qsg= -github.com/caddyserver/certmagic v0.10.4/go.mod h1:Y8jcUBctgk/IhpAzlHKfimZNyXCkfGgRTC0orl8gROQ= +github.com/caddyserver/certmagic v0.10.5 h1:Dg4ipO1y23rWvFmiiRqhtUTh5Hy7PmfoFvPfDpnE8Z8= +github.com/caddyserver/certmagic v0.10.5/go.mod h1:Y8jcUBctgk/IhpAzlHKfimZNyXCkfGgRTC0orl8gROQ= github.com/cenkalti/backoff/v4 v4.0.0 h1:6VeaLF9aI+MAUQ95106HwWzYZgJJpZ4stumjj6RFYAU= github.com/cenkalti/backoff/v4 v4.0.0/go.mod h1:eEew/i+1Q6OrCDZh3WiXYv3+nJwBASZ8Bog/87DQnVg= github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= @@ -298,8 +298,8 @@ github.com/golangci/revgrep v0.0.0-20180812185044-276a5c0a1039/go.mod h1:qOQCunE github.com/golangci/unconvert v0.0.0-20180507085042-28b1c447d1f4/go.mod h1:Izgrg8RkN3rCIMLGE9CyYmU9pY2Jer6DgANEnZ/L/cQ= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/cel-go v0.4.0 h1:9i5p9ms/kph/Lau3qL7DtnF49g3+/iBoi3KrMdnPTOU= -github.com/google/cel-go v0.4.0/go.mod h1:F0UncVAXNlNjl/4C8hqGdoV6APmuFpetoMJSLIQLBPU= +github.com/google/cel-go v0.4.1 h1:2kqc5arTucvtLJzXVUbmiUh7n2xjizwZijPrpEsagAE= +github.com/google/cel-go v0.4.1/go.mod h1:F0UncVAXNlNjl/4C8hqGdoV6APmuFpetoMJSLIQLBPU= github.com/google/cel-spec v0.3.0/go.mod h1:MjQm800JAGhOZXI7vatnVpmIaFTR6L8FHcKk+piiKpI= github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg= github.com/google/certificate-transparency-go v1.1.0/go.mod h1:i+Q7XY+ArBveOUT36jiHGfuSK1fHICIg6sUkRxPAbCs= @@ -758,8 +758,8 @@ github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQ github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= github.com/yuin/goldmark v1.1.22/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.1.25 h1:isv+Q6HQAmmL2Ofcmg8QauBmDPlUUnSoNhEcC940Rds= -github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.1.26 h1:81MfIApzizD8JqKIjnWy2Vxj7GgmQUrJlh/jYWH8yGk= +github.com/yuin/goldmark v1.1.26/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark-highlighting v0.0.0-20200307114337-60d527fdb691 h1:VWSxtAiQNh3zgHJpdpkpVYjTPqRE3P6UZCOPa1nRDio= github.com/yuin/goldmark-highlighting v0.0.0-20200307114337-60d527fdb691/go.mod h1:YLF3kDffRfUH/bTxOxHhV6lxwIB3Vfj91rEwNMS9MXo= go.etcd.io/bbolt v1.3.2 h1:Z/90sZLPOeCy2PwprqkFa25PdkusRzaj9P8zm/KNyvk= diff --git a/modules/caddytls/matchers.go b/modules/caddytls/matchers.go index 1f5f9b61..50da6097 100644 --- a/modules/caddytls/matchers.go +++ b/modules/caddytls/matchers.go @@ -16,9 +16,9 @@ package caddytls import ( "crypto/tls" - "strings" "github.com/caddyserver/caddy/v2" + "github.com/caddyserver/certmagic" ) func init() { @@ -41,23 +41,9 @@ func (MatchServerName) CaddyModule() caddy.ModuleInfo { // Match matches hello based on SNI. func (m MatchServerName) Match(hello *tls.ClientHelloInfo) bool { for _, name := range m { - if hello.ServerName == name { + if certmagic.MatchWildcard(hello.ServerName, name) { return true } - - // check for wildcard match on this name, but only - // bother if there is even a wildcard character - if !strings.Contains(name, "*") { - continue - } - labels := strings.Split(hello.ServerName, ".") - for i := range labels { - labels[i] = "*" - candidate := strings.Join(labels, ".") - if candidate == name { - return true - } - } } return false } diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go index 076e0172..b2c6324d 100644 --- a/modules/caddytls/tls.go +++ b/modules/caddytls/tls.go @@ -329,7 +329,7 @@ func (t *TLS) getAutomationPolicyForName(name string) *AutomationPolicy { return ap // no host filter is an automatic match } for _, h := range ap.Subjects { - if h == name { + if certmagic.MatchWildcard(name, h) { return ap } }