caddytls: Support wildcard matching in ServerName conn policy matcher

This commit is contained in:
Matthew Holt 2020-03-20 15:51:37 -06:00
parent b583007c49
commit 3c1def2430
No known key found for this signature in database
GPG key ID: 2A349DD577D586A5
3 changed files with 105 additions and 2 deletions

View file

@ -76,6 +76,7 @@ func (cp ConnectionPolicies) TLSConfig(ctx caddy.Context) *tls.Config {
// using ServerName to match policies is extremely common, especially in configs
// with lots and lots of different policies; we can fast-track those by indexing
// them by SNI, so we don't have to iterate potentially thousands of policies
// (TODO: this map does not account for wildcards, see if this is a problem in practice?)
indexedBySNI := make(map[string]ConnectionPolicies)
if len(cp) > 30 {
for _, p := range cp {

View file

@ -16,6 +16,7 @@ package caddytls
import (
"crypto/tls"
"strings"
"github.com/caddyserver/caddy/v2"
)
@ -24,7 +25,9 @@ func init() {
caddy.RegisterModule(MatchServerName{})
}
// MatchServerName matches based on SNI.
// MatchServerName matches based on SNI. Names in
// this list may use left-most-label wildcards,
// similar to wildcard certificates.
type MatchServerName []string
// CaddyModule returns the Caddy module information.
@ -38,10 +41,23 @@ func (MatchServerName) CaddyModule() caddy.ModuleInfo {
// Match matches hello based on SNI.
func (m MatchServerName) Match(hello *tls.ClientHelloInfo) bool {
for _, name := range m {
// TODO: support wildcards (and regex?)
if hello.ServerName == name {
return true
}
// check for wildcard match on this name, but only
// bother if there is even a wildcard character
if !strings.Contains(name, "*") {
continue
}
labels := strings.Split(hello.ServerName, ".")
for i := range labels {
labels[i] = "*"
candidate := strings.Join(labels, ".")
if candidate == name {
return true
}
}
}
return false
}

View file

@ -0,0 +1,86 @@
// Copyright 2015 Matthew Holt and The Caddy Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package caddytls
import (
"crypto/tls"
"testing"
)
func TestServerNameMatcher(t *testing.T) {
for i, tc := range []struct {
names []string
input string
expect bool
}{
{
names: []string{"example.com"},
input: "example.com",
expect: true,
},
{
names: []string{"example.com"},
input: "foo.com",
expect: false,
},
{
names: []string{"example.com"},
input: "",
expect: false,
},
{
names: []string{},
input: "",
expect: false,
},
{
names: []string{"foo", "example.com"},
input: "example.com",
expect: true,
},
{
names: []string{"foo", "example.com"},
input: "sub.example.com",
expect: false,
},
{
names: []string{"foo", "example.com"},
input: "foo.com",
expect: false,
},
{
names: []string{"*.example.com"},
input: "example.com",
expect: false,
},
{
names: []string{"*.example.com"},
input: "sub.example.com",
expect: true,
},
{
names: []string{"*.example.com", "*.sub.example.com"},
input: "sub2.sub.example.com",
expect: true,
},
} {
chi := &tls.ClientHelloInfo{ServerName: tc.input}
actual := MatchServerName(tc.names).Match(chi)
if actual != tc.expect {
t.Errorf("Test %d: Expected %t but got %t (input=%s match=%v)",
i, tc.expect, actual, tc.input, tc.names)
}
}
}