BUG/MEDIUM: ssl: crt-list negative filters don't work

The negative filters which are supposed to exclude a SNI from a wildcard, never worked. Indeed the negative filters were skipped in the code. To fix the issue, this patch looks for negative filters that are on the same line as a the wildcard that just matched. This patch should fix issue #818. It must be backported in 2.2. The problem also exists in versions > 1.8 but the infrastructure required to fix this was only introduced in 2.1. In older versions we should probably change the documentation to state that negative filters are useless.
2025-04-19 05:25:41 +00:00 · 2020-08-17 14:31:19 +02:00 · 2020-08-17 14:31:19 +02:00 · 30f9e095f5
commit 30f9e095f5
parent 77016daabe
1 changed files with 19 additions and 1 deletions
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -2357,13 +2357,31 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 	for (i = 0; i < 2; i++) {
 		if (i == 0) 	/* lookup in full qualified names */
 			node = ebst_lookup(&s->sni_ctx, trash.area);
-		else if (i == 1 && wildp) /* lookup in wildcards names */
+		else if (i == 1 && wildp)  /* lookup in wildcards names */
 			node = ebst_lookup(&s->sni_w_ctx, wildp);
 		else
 			break;
+
 		for (n = node; n; n = ebmb_next_dup(n)) {
+
 			/* lookup a not neg filter */
 			if (!container_of(n, struct sni_ctx, name)->neg) {
+				struct sni_ctx *sni, *sni_tmp;
+				int skip = 0;
+
+				if (i == 1 && wildp) { /* wildcard */
+					/* If this is a wildcard, look for an exclusion on the same crt-list line */
+					sni = container_of(n, struct sni_ctx, name);
+					list_for_each_entry(sni_tmp, &sni->ckch_inst->sni_ctx, by_ckch_inst) {
+						if (sni_tmp->neg && (!strcmp((const char *)sni_tmp->name.key, trash.area))) {
+							skip = 1;
+							break;
+						}
+					}
+					if (skip)
+						continue;
+				}
+
 				switch(container_of(n, struct sni_ctx, name)->kinfo.sig) {
 				case TLSEXT_signature_ecdsa:
 					if (!node_ecdsa)