varnishtest "secure_memcmp converter Test"

# Functional regression test for the secure_memcmp sample converter: it checks
# match / no-match results for text and binary operands. It does not measure
# timing, so it cannot by itself show that the comparison is constant-time.
#
# The two REQUIRE lines below are presumably consumed by the regression-test
# runner rather than by the test interpreter. Per the HAProxy configuration
# manual, secure_memcmp is only available in builds with USE_OPENSSL.
#REQUIRE_VERSION=2.2
#REQUIRE_OPTION=OPENSSL

feature ignore_unknown_macro

# Origin server behind backend be. One request/response exchange, repeated
# four times to match the four requests sent by client c1. Every response
# asks for the connection to be closed.
server s1 {
    rxreq
    txresp -hdr "Connection: close"
} -repeat 4 -start

# Origin server behind backend be2. One request/response exchange, repeated
# seven times to match the seven requests sent by client c2. Every response
# asks for the connection to be closed.
server s2 {
    rxreq
    txresp -hdr "Connection: close"
} -repeat 7 -start

haproxy h1 -conf {
    global
        # WT: limit false-positives causing "HTTP header incomplete" due to
        # idle server connections being randomly used and randomly expiring
        # under us.
        tune.idle-pool.shared off

    defaults
        mode http
        timeout connect 1s
        timeout client 1s
        timeout server 1s

    frontend fe
        # Text case: the Hash request header is kept in its base64 form and
        # compared with base64(sha1(Raw)). Neither operand can contain a
        # null byte here.
        #
        # Both operands come from client-supplied request headers, so this
        # is a fixture for the converter, not an authentication scheme.

        bind "fd@${fe}"

        #### requests
        http-request set-var(txn.hash) req.hdr(hash)
        http-request set-var(txn.raw) req.hdr(raw)

        # secure_memcmp compares the converted sample with the named variable.
        # NOTE(review): the HAProxy manual documents the comparison as
        # constant-time only when both operands have the same length.
        acl is_match var(txn.raw),sha1,base64,secure_memcmp(txn.hash)

        # The comparison result is reported to the client in the Match
        # response header.
        http-response set-header Match true if is_match
        http-response set-header Match false if !is_match

        default_backend be

    frontend fe2
        # Binary case: the Hash request header is base64-decoded first and
        # compared with the raw SHA-1 digest of Raw, so the operands may
        # contain null bytes and must be compared over their full length.
        bind "fd@${fe2}"

        #### requests
        http-request set-var(txn.hash) req.hdr(hash),b64dec
        http-request set-var(txn.raw) req.hdr(raw)

        acl is_match var(txn.raw),sha1,secure_memcmp(txn.hash)

        http-response set-header Match true if is_match
        http-response set-header Match false if !is_match

        default_backend be2

    backend be
        server s1 ${s1_addr}:${s1_port}

    backend be2
        server s2 ${s2_addr}:${s2_port}
} -start

# Client for frontend fe (base64 text comparison). Four requests, each
# checked through the Match response header.
client c1 -connect ${h1_fe_sock} {
    # Hash is the expected value for Raw 1: match.
    txreq -url "/" \
        -hdr "Raw: 1" \
        -hdr "Hash: NWoZK3kTsExUV00Ywo1G5jlUKKs="
    rxresp
    expect resp.status == 200
    expect resp.http.match == "true"

    # Hash is the expected value for Raw 2: match.
    txreq -url "/" \
        -hdr "Raw: 2" \
        -hdr "Hash: 2kuSN7rMzfGcB2DKt67EqDWQELA="
    rxresp
    expect resp.status == 200
    expect resp.http.match == "true"

    # Same Raw, but the Hash differs from the previous request in the last
    # character before the padding: mismatch. A difference at the very end
    # checks that the whole value is compared.
    txreq -url "/" \
        -hdr "Raw: 2" \
        -hdr "Hash: 2kuSN7rMzfGcB2DKt67EqDWQELX="
    rxresp
    expect resp.status == 200
    expect resp.http.match == "false"

    # Hash that matched Raw 2, sent with a different Raw value: mismatch.
    txreq -url "/" \
        -hdr "Raw: 3" \
        -hdr "Hash: 2kuSN7rMzfGcB2DKt67EqDWQELA="
    rxresp
    expect resp.status == 200
    expect resp.http.match == "false"
} -run

# Client for frontend fe2 (binary digest comparison). The first four requests
# mirror client c1; the last three cover digests that start with null bytes.
client c2 -connect ${h1_fe2_sock} {
    # Hash is the expected value for Raw 1: match.
    txreq -url "/" \
        -hdr "Raw: 1" \
        -hdr "Hash: NWoZK3kTsExUV00Ywo1G5jlUKKs="
    rxresp
    expect resp.status == 200
    expect resp.http.match == "true"

    # Hash is the expected value for Raw 2: match.
    txreq -url "/" \
        -hdr "Raw: 2" \
        -hdr "Hash: 2kuSN7rMzfGcB2DKt67EqDWQELA="
    rxresp
    expect resp.status == 200
    expect resp.http.match == "true"

    # Same Raw, Hash altered in its last character before the padding:
    # mismatch.
    txreq -url "/" \
        -hdr "Raw: 2" \
        -hdr "Hash: 2kuSN7rMzfGcB2DKt67EqDWQELX="
    rxresp
    expect resp.status == 200
    expect resp.http.match == "false"

    # Hash that matched Raw 2, sent with a different Raw value: mismatch.
    txreq -url "/" \
        -hdr "Raw: 3" \
        -hdr "Hash: 2kuSN7rMzfGcB2DKt67EqDWQELA="
    rxresp
    expect resp.status == 200
    expect resp.http.match == "false"

    # Digests with leading null bytes. Both Hash values below begin with
    # AAAA, which base64-decodes to three zero bytes.
    txreq -url "/" \
        -hdr "Raw: 6132845" \
        -hdr "Hash: AAAAVaeL9nNcSok1j6sd40EEw8s="
    rxresp
    expect resp.status == 200
    expect resp.http.match == "true"
    txreq -url "/" \
        -hdr "Raw: 49177200" \
        -hdr "Hash: AAAA9GLglTNv2JoMv2n/w9Xadhc="
    rxresp
    expect resp.status == 200
    expect resp.http.match == "true"

    # First Raw value paired with the digest of the second one. The two
    # digests share the zero prefix, so a comparison that stopped at the
    # first null byte would wrongly report a match; mismatch is expected.
    txreq -url "/" \
        -hdr "Raw: 6132845" \
        -hdr "Hash: AAAA9GLglTNv2JoMv2n/w9Xadhc="
    rxresp
    expect resp.status == 200
    expect resp.http.match == "false"
} -run