From: Willy Tarreau
Date: Fri, 19 Oct 2012 12:34:30 +0000 (+0200)
Subject: BUG: ssl: fix ssl_sni ACLs to correctly process regular expressions
X-Git-Tag: v1.5-dev13~136
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8c866a38581152c25c8a6024da5645821aebdb46;p=thirdparty%2Fhaproxy.git
BUG: ssl: fix ssl_sni ACLs to correctly process regular expressions
ssl_sni_reg was using acl_parse_str which is wrong since we're parsing a regex. Additionally, neither _end nor _reg may be looked up.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 53f6d83ce1..f5e68b1d35 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1774,8 +1774,8 @@ static struct acl_kw_list acl_kws = {{ },{
 { "ssl_npn", acl_parse_str, smp_fetch_ssl_npn, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 #endif
 { "ssl_sni", acl_parse_str, smp_fetch_ssl_sni, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
- { "ssl_sni_end", acl_parse_str, smp_fetch_ssl_sni, acl_match_end, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
- { "ssl_sni_reg", acl_parse_str, smp_fetch_ssl_sni, acl_match_reg, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+ { "ssl_sni_end", acl_parse_str, smp_fetch_ssl_sni, acl_match_end, ACL_USE_L6REQ_PERMANENT, 0 },
+ { "ssl_sni_reg", acl_parse_reg, smp_fetch_ssl_sni, acl_match_reg, ACL_USE_L6REQ_PERMANENT, 0 },
 { "ssl_verify_caerr", acl_parse_int, smp_fetch_verify_caerr, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 { "ssl_verify_caerr_depth", acl_parse_int, smp_fetch_verify_caerr_depth, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 { "ssl_verify_crterr", acl_parse_int, smp_fetch_verify_crterr, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
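Review bot: The corrected `ssl_sni_end` and `ssl_sni_reg` rows are now the only visible rows without `ACL_MAY_LOOKUP`, and nothing in the table says why, so a later consistency cleanup could put the flag back. A short comment above the two rows would carry the commit message's reasoning into the code, for example `/* _end and _reg patterns cannot be looked up: no ACL_MAY_LOOKUP; _reg must be parsed with acl_parse_reg */`. Because SNI ACLs typically feed routing and access decisions, it would also be worth checking the other ACL keyword tables for rows that pair `acl_match_reg` with a parser other than `acl_parse_reg`, or a non-exact matcher with `ACL_MAY_LOOKUP`. Those tables are not visible here, so this is something to verify rather than a finding. The `acl_kws` initializer starts and ends outside the hunk.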