1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
|
varnishtest "secure_memcmp converter Test"
#REQUIRE_OPTION=OPENSSL
feature ignore_unknown_macro
server s1 {
rxreq
txresp -hdr "Connection: close"
} -repeat 4 -start
server s2 {
rxreq
txresp -hdr "Connection: close"
} -repeat 7 -start
haproxy h1 -conf {
global
.if feature(THREAD)
thread-groups 1
.endif
# WT: limit false-positives causing "HTTP header incomplete" due to
# idle server connections being randomly used and randomly expiring
# under us.
tune.idle-pool.shared off
defaults
mode http
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend fe
# This frontend matches two base64 encoded values and does not need to
# handle null bytes.
bind "fd@${fe}"
#### requests
http-request set-var(txn.hash) req.hdr(hash)
http-request set-var(txn.raw) req.hdr(raw)
acl is_match var(txn.raw),sha1,base64,secure_memcmp(txn.hash)
http-response set-header Match true if is_match
http-response set-header Match false if !is_match
default_backend be
frontend fe2
# This frontend matches two binary values, needing to handle null
# bytes.
bind "fd@${fe2}"
#### requests
http-request set-var(txn.hash) req.hdr(hash),b64dec
http-request set-var(txn.raw) req.hdr(raw)
acl is_match var(txn.raw),sha1,secure_memcmp(txn.hash)
http-response set-header Match true if is_match
http-response set-header Match false if !is_match
default_backend be2
backend be
server s1 ${s1_addr}:${s1_port}
backend be2
server s2 ${s2_addr}:${s2_port}
} -start
client c1 -connect ${h1_fe_sock} {
txreq -url "/" \
-hdr "Raw: 1" \
-hdr "Hash: NWoZK3kTsExUV00Ywo1G5jlUKKs="
rxresp
expect resp.status == 200
expect resp.http.match == "true"
txreq -url "/" \
-hdr "Raw: 2" \
-hdr "Hash: 2kuSN7rMzfGcB2DKt67EqDWQELA="
rxresp
expect resp.status == 200
expect resp.http.match == "true"
txreq -url "/" \
-hdr "Raw: 2" \
-hdr "Hash: 2kuSN7rMzfGcB2DKt67EqDWQELX="
rxresp
expect resp.status == 200
expect resp.http.match == "false"
txreq -url "/" \
-hdr "Raw: 3" \
-hdr "Hash: 2kuSN7rMzfGcB2DKt67EqDWQELA="
rxresp
expect resp.status == 200
expect resp.http.match == "false"
} -run
client c2 -connect ${h1_fe2_sock} {
txreq -url "/" \
-hdr "Raw: 1" \
-hdr "Hash: NWoZK3kTsExUV00Ywo1G5jlUKKs="
rxresp
expect resp.status == 200
expect resp.http.match == "true"
txreq -url "/" \
-hdr "Raw: 2" \
-hdr "Hash: 2kuSN7rMzfGcB2DKt67EqDWQELA="
rxresp
expect resp.status == 200
expect resp.http.match == "true"
txreq -url "/" \
-hdr "Raw: 2" \
-hdr "Hash: 2kuSN7rMzfGcB2DKt67EqDWQELX="
rxresp
expect resp.status == 200
expect resp.http.match == "false"
txreq -url "/" \
-hdr "Raw: 3" \
-hdr "Hash: 2kuSN7rMzfGcB2DKt67EqDWQELA="
rxresp
expect resp.status == 200
expect resp.http.match == "false"
# Test for values with leading nullbytes.
txreq -url "/" \
-hdr "Raw: 6132845" \
-hdr "Hash: AAAAVaeL9nNcSok1j6sd40EEw8s="
rxresp
expect resp.status == 200
expect resp.http.match == "true"
txreq -url "/" \
-hdr "Raw: 49177200" \
-hdr "Hash: AAAA9GLglTNv2JoMv2n/w9Xadhc="
rxresp
expect resp.status == 200
expect resp.http.match == "true"
txreq -url "/" \
-hdr "Raw: 6132845" \
-hdr "Hash: AAAA9GLglTNv2JoMv2n/w9Xadhc="
rxresp
expect resp.status == 200
expect resp.http.match == "false"
} -run
|
