From c87f82f0ce58ec714b3e13fbe69c322a0d612c67 Mon Sep 17 00:00:00 2001
From: Matthew Holt <mholt@users.noreply.github.com>
Date: Thu, 26 Mar 2020 14:01:38 -0600
Subject: [PATCH] caddytls: Match automation policies by wildcard subjects too

https://caddy.community/t/wildcard-snis-not-being-matched/7271/24?u=matt

Also use new CertMagic function for matching wildcard names
---
 go.mod                       |  6 +++---
 go.sum                       | 12 ++++++------
 modules/caddytls/matchers.go | 18 ++----------------
 modules/caddytls/tls.go      |  2 +-
 4 files changed, 12 insertions(+), 26 deletions(-)

diff --git a/go.mod b/go.mod
index 06dd81f14..3cd325c02 100644
--- a/go.mod
+++ b/go.mod
@@ -5,10 +5,10 @@ go 1.14
 require (
 	github.com/Masterminds/sprig/v3 v3.0.2
 	github.com/alecthomas/chroma v0.7.2-0.20200305040604-4f3623dce67a
-	github.com/caddyserver/certmagic v0.10.4
+	github.com/caddyserver/certmagic v0.10.5
 	github.com/dustin/go-humanize v1.0.1-0.20200219035652-afde56e7acac
 	github.com/go-acme/lego/v3 v3.5.0
-	github.com/google/cel-go v0.4.0
+	github.com/google/cel-go v0.4.1
 	github.com/jsternberg/zap-logfmt v1.2.0
 	github.com/klauspost/compress v1.10.3
 	github.com/klauspost/cpuid v1.2.3
@@ -21,7 +21,7 @@ require (
 	github.com/smallstep/cli v0.14.0-rc.3
 	github.com/smallstep/truststore v0.9.4
 	github.com/vulcand/oxy v1.1.0
-	github.com/yuin/goldmark v1.1.25
+	github.com/yuin/goldmark v1.1.26
 	github.com/yuin/goldmark-highlighting v0.0.0-20200307114337-60d527fdb691
 	go.uber.org/zap v1.14.1
 	golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59
diff --git a/go.sum b/go.sum
index 2eea89d7c..309990855 100644
--- a/go.sum
+++ b/go.sum
@@ -120,8 +120,8 @@ github.com/bombsimon/wsl/v2 v2.0.0/go.mod h1:mf25kr/SqFEPhhcxW1+7pxzGlW+hIl/hYTK
 github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g=
 github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
-github.com/caddyserver/certmagic v0.10.4 h1:3jRzfMnOVsmGo2XYZ7mkksgoB14my1CTmqc1Apx7qsg=
-github.com/caddyserver/certmagic v0.10.4/go.mod h1:Y8jcUBctgk/IhpAzlHKfimZNyXCkfGgRTC0orl8gROQ=
+github.com/caddyserver/certmagic v0.10.5 h1:Dg4ipO1y23rWvFmiiRqhtUTh5Hy7PmfoFvPfDpnE8Z8=
+github.com/caddyserver/certmagic v0.10.5/go.mod h1:Y8jcUBctgk/IhpAzlHKfimZNyXCkfGgRTC0orl8gROQ=
 github.com/cenkalti/backoff/v4 v4.0.0 h1:6VeaLF9aI+MAUQ95106HwWzYZgJJpZ4stumjj6RFYAU=
 github.com/cenkalti/backoff/v4 v4.0.0/go.mod h1:eEew/i+1Q6OrCDZh3WiXYv3+nJwBASZ8Bog/87DQnVg=
 github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@@ -298,8 +298,8 @@ github.com/golangci/revgrep v0.0.0-20180812185044-276a5c0a1039/go.mod h1:qOQCunE
 github.com/golangci/unconvert v0.0.0-20180507085042-28b1c447d1f4/go.mod h1:Izgrg8RkN3rCIMLGE9CyYmU9pY2Jer6DgANEnZ/L/cQ=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/cel-go v0.4.0 h1:9i5p9ms/kph/Lau3qL7DtnF49g3+/iBoi3KrMdnPTOU=
-github.com/google/cel-go v0.4.0/go.mod h1:F0UncVAXNlNjl/4C8hqGdoV6APmuFpetoMJSLIQLBPU=
+github.com/google/cel-go v0.4.1 h1:2kqc5arTucvtLJzXVUbmiUh7n2xjizwZijPrpEsagAE=
+github.com/google/cel-go v0.4.1/go.mod h1:F0UncVAXNlNjl/4C8hqGdoV6APmuFpetoMJSLIQLBPU=
 github.com/google/cel-spec v0.3.0/go.mod h1:MjQm800JAGhOZXI7vatnVpmIaFTR6L8FHcKk+piiKpI=
 github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
 github.com/google/certificate-transparency-go v1.1.0/go.mod h1:i+Q7XY+ArBveOUT36jiHGfuSK1fHICIg6sUkRxPAbCs=
@@ -758,8 +758,8 @@ github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQ
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
 github.com/yuin/goldmark v1.1.22/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.1.25 h1:isv+Q6HQAmmL2Ofcmg8QauBmDPlUUnSoNhEcC940Rds=
-github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.1.26 h1:81MfIApzizD8JqKIjnWy2Vxj7GgmQUrJlh/jYWH8yGk=
+github.com/yuin/goldmark v1.1.26/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark-highlighting v0.0.0-20200307114337-60d527fdb691 h1:VWSxtAiQNh3zgHJpdpkpVYjTPqRE3P6UZCOPa1nRDio=
 github.com/yuin/goldmark-highlighting v0.0.0-20200307114337-60d527fdb691/go.mod h1:YLF3kDffRfUH/bTxOxHhV6lxwIB3Vfj91rEwNMS9MXo=
 go.etcd.io/bbolt v1.3.2 h1:Z/90sZLPOeCy2PwprqkFa25PdkusRzaj9P8zm/KNyvk=
diff --git a/modules/caddytls/matchers.go b/modules/caddytls/matchers.go
index 1f5f9b616..50da60978 100644
--- a/modules/caddytls/matchers.go
+++ b/modules/caddytls/matchers.go
@@ -16,9 +16,9 @@ package caddytls
 
 import (
 	"crypto/tls"
-	"strings"
 
 	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/certmagic"
 )
 
 func init() {
@@ -41,23 +41,9 @@ func (MatchServerName) CaddyModule() caddy.ModuleInfo {
 // Match matches hello based on SNI.
 func (m MatchServerName) Match(hello *tls.ClientHelloInfo) bool {
 	for _, name := range m {
-		if hello.ServerName == name {
+		if certmagic.MatchWildcard(hello.ServerName, name) {
 			return true
 		}
-
-		// check for wildcard match on this name, but only
-		// bother if there is even a wildcard character
-		if !strings.Contains(name, "*") {
-			continue
-		}
-		labels := strings.Split(hello.ServerName, ".")
-		for i := range labels {
-			labels[i] = "*"
-			candidate := strings.Join(labels, ".")
-			if candidate == name {
-				return true
-			}
-		}
 	}
 	return false
 }
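Review bot: The doc comment on Match (`// Match matches hello based on SNI.`) no longer describes the behavior, since the configured names may now carry wildcard labels; suggest `// Match matches hello based on SNI. Names in m may contain wildcard labels (e.g. *.example.com), which are matched against hello.ServerName via certmagic.MatchWildcard.` Argument order matters here: the client-supplied ServerName is passed as the subject and the configured name as the pattern, so a `*` arriving in the SNI is presumably only matched literally rather than expanded, which is the safe direction. The removed loop replaced labels cumulatively, so `a.b.c` also matched a configured `*.*.c`, and an empty ServerName matched a configured `*`; whether certmagic.MatchWildcard preserves either case is not visible here and deserves a unit test alongside this change.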
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 076e01726..b2c6324d3 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -329,7 +329,7 @@ func (t *TLS) getAutomationPolicyForName(name string) *AutomationPolicy {
 			return ap // no host filter is an automatic match
 		}
 		for _, h := range ap.Subjects {
-			if h == name {
+			if certmagic.MatchWildcard(name, h) {
 				return ap
 			}
 		}
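Review bot: With wildcard subjects now matching, the first policy whose Subjects entry matches wins (`return ap` on the first hit), so a policy listing `*.example.com` ahead of one listing `sub.example.com` will now capture the more specific name, where previously only an exact match did. Suggest documenting this on the loop: `// policies are checked in order; the first exact or wildcard subject match wins, so more specific policies should be listed first`. If that precedence is not intended, a second pass that prefers exact matches before falling back to wildcard matches would be the alternative. getAutomationPolicyForName begins before this hunk.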