改善 SNI 匹配机制, 使用证书中的域名进行匹配.

Jackarain · Jackarain · commit 8b607a20bfe0 · 2024-11-17T10:15:17.000+08:00
diff --git a/proxy/include/proxy/proxy_server.hpp b/proxy/include/proxy/proxy_server.hpp
@@ -4631,6 +4631,38 @@ R"x*x*x(<html>
 
 		virtual ~proxy_server() = default;
 
+		bool rfc2818_verification_match_pattern(
+			const char* pattern, std::size_t pattern_length, const char* host)
+		{
+			const char* p = pattern;
+			const char* p_end = p + pattern_length;
+			const char* h = host;
+
+			while (p != p_end && *h)
+			{
+				if (*p == '*')
+				{
+					++p;
+					while (*h && *h != '.')
+					{
+						if (rfc2818_verification_match_pattern(p, p_end - p, h++))
+							return true;
+					}
+				}
+				else if (std::tolower(*p) == std::tolower(*h))
+				{
+					++p;
+					++h;
+				}
+				else
+				{
+					return false;
+				}
+			}
+
+			return p == p_end && !*h;
+		}
+
 		pem_file determine_pem_type(const std::string& filepath) noexcept
 		{
 			pem_file result{ filepath, pem_type::none };
@@ -4954,10 +4986,24 @@ R"x*x*x(<html>
 
 				for (auto& ctx : m_certificates)
 				{
-					if (ctx.domain_ == servername && ctx.ssl_context_.has_value())
+					if (ctx.ssl_context_.has_value())
 					{
-						SSL_set_SSL_CTX(ssl, ctx.ssl_context_->native_handle());
-						return SSL_TLSEXT_ERR_OK;
+						if (rfc2818_verification_match_pattern(
+							ctx.domain_.c_str(), ctx.domain_.length(), servername))
+						{
+							SSL_set_SSL_CTX(ssl, ctx.ssl_context_->native_handle());
+							return SSL_TLSEXT_ERR_OK;
+						}
+
+						for (auto& alt_name : ctx.alt_names_)
+						{
+							if (rfc2818_verification_match_pattern(
+								alt_name.c_str(), alt_name.length(), servername))
+							{
+								SSL_set_SSL_CTX(ssl, ctx.ssl_context_->native_handle());
+								return SSL_TLSEXT_ERR_OK;
+							}
+						}
 					}
 					if (ctx.domain_.empty())
 						default_ctx = &ctx;
