From a5849f85497c4432fa9c9beb549ad883f36259de Mon Sep 17 00:00:00 2001
From: Justine Tunney
Date: Sat, 11 Jun 2022 19:25:03 -0700
Subject: [PATCH] Improve redbean wildcard certificate support

---
 net/https/certhashost.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/net/https/certhashost.c b/net/https/certhashost.c
index 9a1112f50..a151d7015 100644
--- a/net/https/certhashost.c
+++ b/net/https/certhashost.c
@@ -25,15 +25,18 @@ bool CertHasHost(const mbedtls_x509_crt *cert, const void *s, size_t n) {
     if ((cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK) ==
         MBEDTLS_X509_SAN_DNS_NAME) {
       if (cur->buf.len > 2 && cur->buf.p[0] == '*' && cur->buf.p[1] == '.') {
-        // handle subject alt name like *.foo.com (matching foo.com)
-        if (SlicesEqualCase(s, n, cur->buf.p + 2, cur->buf.len - 2)) {
-          return true;
-        }
-        // handle subject alt name like *.foo.com (matching bar.foo.com)
+        // handle subject alt name like *.foo.com
+        // - match examples
+        //   - bar.foo.com
+        //   - zoo.foo.com
+        // - does not match
+        //   - foo.com
+        //   - zoo.bar.foo.com
         if (n > cur->buf.len - 1 &&
             SlicesEqualCase((char *)s + n - (cur->buf.len - 1),
                             cur->buf.len - 1, cur->buf.p + 1,
-                            cur->buf.len - 1)) {
+                            cur->buf.len - 1) &&
+            !memchr(s, '.', n - (cur->buf.len - 1))) {
           return true;
         }
       } else {
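Review bot: The new single-label match still accepts a wildcard SAN with nothing but a top-level label after the `*.`, so a SAN of the form `*.com` would match any `something.com`; RFC 6125 §6.4.3 expects a wildcard to be followed by at least two labels, and a defensive check belongs on the guarding `if` on the context line above the added comment, e.g. `if (cur->buf.len > 2 && cur->buf.p[0] == '*' && cur->buf.p[1] == '.' && memchr(cur->buf.p + 2, '.', cur->buf.len - 2)) {`. Public CAs are not supposed to issue such certificates, but redbean also accepts self-signed and private-CA material, where the check is the only line of defense. As a point of style, `cur->buf.len - 1` is now computed five times in the new condition; hoisting it into `size_t suffix = cur->buf.len - 1;` before the `if` would make the suffix-comparison and the `memchr` bound read as the same quantity. The enclosing `CertHasHost` body begins before and continues past this hunk.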