From febb423d62e0781c3cac678d125ad3f4e16d30f0 Mon Sep 17 00:00:00 2001
From: SF Poon
Date: Mon, 21 May 2018 18:04:12 -0700
Subject: [PATCH] tls wild card check supports for port
If wild card dns check (both CN, or SAN) does not contain port, it applies to all ports on the server.
---
 lib/tls.js | 14 ++++++-
 .../test-tls-check-server-identity.js | 37 +++++++++++++++++++
 2 files changed, 50 insertions(+), 1 deletion(-)
diff --git a/lib/tls.js b/lib/tls.js
index dc8a6a29c71b76..1952340ec7b745 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -121,8 +121,20 @@ function check(hostParts, pattern, wildcards) {
 // Check host parts from right to left first.
 for (var i = hostParts.length - 1; i > 0; i -= 1) {
- if (hostParts[i] !== patternParts[i])
+ if (hostParts[i] !== patternParts[i]) {
+ if ((i === (hostParts.length - 1)) &&
+ (patternParts[i].indexOf(':') === -1) &&
+ (hostParts[i].indexOf(':') > -1)) {
+ // the last part can contain port from the host, and it is
+ // legit for the dn and san to not include port to indicate
+ // all ports for the server is allowed
+ const justHostPart = hostParts[i].split(':')[0];
+ if (justHostPart === patternParts[i]) {
+ continue;
+ }
+ }
 return false;
+ }
 }
 const hostSubdomain = hostParts[0];
diff --git a/test/parallel/test-tls-check-server-identity.js b/test/parallel/test-tls-check-server-identity.js
index fe27770c1ebc84..2e6ddfc07be4c8 100644
--- a/test/parallel/test-tls-check-server-identity.js
+++ b/test/parallel/test-tls-check-server-identity.js
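Review bot: The new port-tolerant branch in check() accepts any text after the first ':' in the last host label, not just a port: `hostParts[i].split(':')[0]` turns `a.co.uk:2443:x` or `a.co.uk:` into `a.co.uk` and the wildcard still matches, so the loosening of server-identity verification is wider than the commit message ("does not contain port") describes. It also fires only for the last label of a multi-label host (`i === hostParts.length - 1` inside a loop that stops at `i > 0`), so a single-label host such as `localhost:8080` reaches the hostSubdomain comparison below with the port still attached and is rejected where `a.co.uk:2443` is accepted. A stricter guard inside the hunk would be `const m = /^([^:]+):\d{1,5}$/.exec(hostParts[i]);` followed by `if (m !== null && m[1] === patternParts[i]) continue;`, though stripping the port from host once before it is split into labels (in the caller, outside this hunk) would cover both paths and keep this loop a plain label comparison. `patternParts[i].indexOf` additionally assumes patternParts has an entry at index i; if a length check precedes the loop that holds, otherwise the new code throws where the old code returned false. The beginning and end of check() lie outside the hunk, so neither assumption can be confirmed here.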
@@ -131,6 +131,43 @@ const tests = [
 subject: { CN: 'b.com' }
 }
 },
+ {
+ host: 'a.co.uk:2443', cert: {
+ subject: { CN: '*.co.uk' }
+ }
+ },
+ {
+ host: 'a.co.uk:2443', cert: {
+ subject: { CN: '*.co.uk:2443' }
+ }
+ },
+ {
+ host: 'a.co.uk:2443', cert: {
+ subject: { CN: '*.co.uk:8443' }
+ },
+ error: 'Host: a.co.uk:2443. is not ' +
+ 'cert\'s CN: *.co.uk:8443'
+ },
+ {
+ host: 'a.co.uk:2443', cert: {
+ subjectaltname: 'DNS:*.co.uk',
+ subject: { CN: 'b.com' }
+ }
+ },
+ {
+ host: 'a.co.uk:2443', cert: {
+ subjectaltname: 'DNS:*.co.uk:2443',
+ subject: { CN: 'b.com' }
+ }
+ },
+ {
+ host: 'a.co.uk:2443', cert: {
+ subjectaltname: 'DNS:*.co.uk:8443',
+ subject: { CN: 'b.com' }
+ },
+ error: 'Host: a.co.uk:2443. is not in the cert\'s ' +
+ 'altnames: DNS:*.co.uk:8443'
+ },
 {
 host: 'a.com', cert: {
 subjectaltname: 'DNS:*.a.com',
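Review bot: The six new cases only pair a ported host with wildcard patterns, so the boundaries of the port handling added in lib/tls.js are not pinned down: there is no case for a ported host against an exact name such as `host: 'a.co.uk:2443'` with `subject: { CN: 'a.co.uk' }`, none for a single-label host like `localhost:8080`, and none for a non-numeric suffix such as `a.co.uk:abc`. Adding those entries, with the expected `error:` strings for the ones that should be rejected, would document what the change intends to accept and catch a later regression in either direction. The tests array continues outside the hunk.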