From b46aad6df449445a9fc4aa7b32bd40005438e3f7 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sat, 13 Apr 2024 14:18:05 +0200
Subject: Adding upstream version 2.9.5.
Signed-off-by: Daniel Baumann
---
.../connection/proxy_protocol_tlv_validation.vtc | 142 +++++++++++++++++++++
1 file changed, 142 insertions(+)
create mode 100644 reg-tests/connection/proxy_protocol_tlv_validation.vtc
(limited to 'reg-tests/connection/proxy_protocol_tlv_validation.vtc')
diff --git a/reg-tests/connection/proxy_protocol_tlv_validation.vtc b/reg-tests/connection/proxy_protocol_tlv_validation.vtc
new file mode 100644
index 0000000..8c7d734
--- /dev/null
+++ b/reg-tests/connection/proxy_protocol_tlv_validation.vtc
@@ -0,0 +1,142 @@
+varnishtest "Check that the TLVs are properly validated"
+
+#REQUIRE_VERSION=2.4
+
+feature ignore_unknown_macro
+
+# We need one HAProxy for each test, because apparently the connection by
+# the client is reused, leading to connection resets.
+
+haproxy h1 -conf {
+ defaults
+ mode http
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ frontend a
+ bind "fd@${fe1}" accept-proxy
+ http-after-response set-header echo %[fc_pp_authority,hex]
+ http-request return status 200
+} -start
+
+# Validate that a correct header passes
+client c1 -connect ${h1_fe1_sock} {
+ # PROXY v2 signature
+ sendhex "0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a"
+ # version + PROXY
+ sendhex "21"
+ # TCP4
+ sendhex "11"
+ # length of the address (12) + length of the TLV (8)
+ sendhex "00 14"
+ # 127.0.0.1 42 127.0.0.1 1337
+ sendhex "7F 00 00 01 7F 00 00 01 00 2A 05 39"
+ # PP2_TYPE_AUTHORITY + length of the value + "12345"
+ sendhex "02 00 05 31 32 33 34 35"
+
+ txreq -url "/"
+ rxresp
+ expect resp.http.echo == "3132333435"
+} -run
+
+haproxy h2 -conf {
+ defaults
+ mode http
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ frontend a
+ bind "fd@${fe1}" accept-proxy
+ http-after-response set-header echo %[fc_pp_authority,hex]
+ http-request return status 200
+} -start
+
+# Validate that a TLV after the end of the PROXYv2 header is not parsed
+# and handle by the HTTP parser, leading to a 400 bad request error
+client c2 -connect ${h2_fe1_sock} {
+ # PROXY v2 signature
+ sendhex "0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a"
+ # version + PROXY
+ sendhex "21"
+ # TCP4
+ sendhex "11"
+ # length of the address (12) + length of the TLV (8)
+ sendhex "00 14"
+ # 127.0.0.1 42 127.0.0.1 1337
+ sendhex "7F 00 00 01 7F 00 00 01 00 2A 05 39"
+ # PP2_TYPE_AUTHORITY + length of the value + "12345"
+ sendhex "02 00 05 31 32 33 34 35"
+ # after the end of the PROXYv2 header: PP2_TYPE_AUTHORITY + length of the value + "54321"
+ sendhex "02 00 05 35 34 33 32 31"
+
+ txreq -url "/"
+ rxresp
+ expect resp.status == 400
+ expect resp.http.echo ==
+} -run
+
+haproxy h3 -conf {
+ defaults
+ mode http
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ frontend a
+ bind "fd@${fe1}" accept-proxy
+ http-after-response set-header echo %[fc_pp_authority,hex]
+ http-request return status 200
+} -start
+
+# Validate that a TLV length exceeding the PROXYv2 length fails
+client c3 -connect ${h3_fe1_sock} {
+ # PROXY v2 signature
+ sendhex "0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a"
+ # version + PROXY
+ sendhex "21"
+ # TCP4
+ sendhex "11"
+ # length of the address (12) + too small length of the TLV (8)
+ sendhex "00 14"
+ # 127.0.0.1 42 127.0.0.1 1337
+ sendhex "7F 00 00 01 7F 00 00 01 00 2A 05 39"
+ # PP2_TYPE_AUTHORITY + length of the value + "1234512345"
+ sendhex "02 00 0A 31 32 33 34 35 31 32 33 34 35"
+
+ txreq -url "/"
+ expect_close
+} -run
+
+haproxy h4 -conf {
+ defaults
+ mode http
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ frontend a
+ bind "fd@${fe1}" accept-proxy
+ http-after-response set-header echo %[fc_pp_authority,hex]
+ http-request return status 200
+} -start
+
+# Validate that TLVs not ending with the PROXYv2 header fail
+client c4 -connect ${h4_fe1_sock} {
+ # PROXY v2 signature
+ sendhex "0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a"
+ # version + PROXY
+ sendhex "21"
+ # TCP4
+ sendhex "11"
+ # length of the address (12) + too big length of the TLV (8)
+ sendhex "00 14"
+ # 127.0.0.1 42 127.0.0.1 1337
+ sendhex "7F 00 00 01 7F 00 00 01 00 2A 05 39"
+ # PP2_TYPE_AUTHORITY + length of the value + "1234"
+ sendhex "02 00 04 31 32 33 34"
+
+ txreq -url "/"
+ expect_close
+} -run
-- cgit v1.2.3
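Review bot: The c4 case never sends the 20 bytes its length field (`00 14`) declares: the address block plus the 7-byte TLV is 19 bytes, so the first byte of the following `txreq` completes the header and becomes the 1-byte remainder the parser must reject. The comment `too big length of the TLV (8)` does not say this, so I would add `# only 19 of the declared 20 bytes are sent; the first request byte fills the gap and leaves a 1-byte tail too short for a TLV header` above the last `sendhex`. c3 and c4 also assert only `expect_close`, which any connection teardown satisfies, so a check that ties the close to the PROXY header rejection (a log expectation, for instance) would make these negative cases harder to pass by accident. As shown on this page, the c2 line `expect resp.http.echo ==` has no right-hand operand, presumably a placeholder lost in rendering, which is worth confirming against the file itself.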