--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <sched.h> /* IWYU pragma: keep */
+#include <setjmp.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#define UNIT_TESTING
+#include <cmocka.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/os.h>
+#include <isc/proxy2.h>
+#include <isc/random.h>
+
+#include "proxyheader_test_data.h"
+
+#include <tests/isc.h>
+
+typedef struct dummy_handler_cbarg {
+ isc_proxy2_command_t cmd;
+ int socktype;
+ isc_sockaddr_t src_addr;
+ isc_sockaddr_t dst_addr;
+ size_t no_more_calls;
+ size_t tlvs;
+ size_t tls_subtlvs;
+ uint8_t tls_client_flags;
+ bool client_cert_verified;
+ isc_region_t tlv_data;
+ isc_region_t extra;
+ isc_region_t tls_version;
+ isc_region_t tls_common_name;
+} dummy_handler_cbarg_t;
+
+static bool
+dummy_subtlv_iter_cb(const uint8_t client, const bool client_cert_verified,
+ const isc_proxy2_tlv_subtype_tls_t tls_subtlv_type,
+ const isc_region_t *restrict data, void *cbarg) {
+ dummy_handler_cbarg_t *arg = (dummy_handler_cbarg_t *)cbarg;
+
+ UNUSED(client);
+ UNUSED(client_cert_verified);
+
+ arg->tls_subtlvs++;
+
+ switch (tls_subtlv_type) {
+ case ISC_PROXY2_TLV_SUBTYPE_TLS_VERSION:
+ arg->tls_version = *data;
+ break;
+ case ISC_PROXY2_TLV_SUBTYPE_TLS_CN:
+ arg->tls_common_name = *data;
+ break;
+ default:
+ break;
+ };
+
+ return (true);
+}
+
+static bool
+dummy_tlv_iter_cb(const isc_proxy2_tlv_type_t tlv_type,
+ const isc_region_t *restrict data, void *cbarg) {
+ dummy_handler_cbarg_t *arg = (dummy_handler_cbarg_t *)cbarg;
+
+ if (arg != NULL) {
+ arg->tlvs++;
+ }
+
+ if (tlv_type == ISC_PROXY2_TLV_TYPE_TLS) {
+ isc_result_t result = isc_proxy2_subtlv_tls_header_data(
+ data, &arg->tls_client_flags,
+ &arg->client_cert_verified);
+
+ assert_true(result == ISC_R_SUCCESS);
+
+ result = isc_proxy2_subtlv_tls_iterate(
+ data, dummy_subtlv_iter_cb, cbarg);
+
+ assert_true(result == ISC_R_SUCCESS);
+ }
+ return (true);
+}
+
+static void
+proxy2_handler_dummy(const isc_result_t result, const isc_proxy2_command_t cmd,
+ const int socktype,
+ const isc_sockaddr_t *restrict src_addr,
+ const isc_sockaddr_t *restrict dst_addr,
+ const isc_region_t *restrict tlv_blob,
+ const isc_region_t *restrict extra, void *cbarg) {
+ dummy_handler_cbarg_t *arg = (dummy_handler_cbarg_t *)cbarg;
+
+ UNUSED(extra);
+
+ if (result == ISC_R_NOMORE && arg != NULL) {
+ arg->no_more_calls++;
+ return;
+ } else if (result != ISC_R_SUCCESS) {
+ return;
+ }
+
+ if (cmd == ISC_PROXY2_CMD_PROXY && socktype != 0 /* unspec */) {
+ INSIST(src_addr != NULL);
+ INSIST(dst_addr != NULL);
+ } else if (cmd == ISC_PROXY2_CMD_LOCAL) {
+ INSIST(tlv_blob == NULL);
+ INSIST(src_addr == NULL);
+ INSIST(dst_addr == NULL);
+ }
+
+ if (arg != NULL) {
+ arg->cmd = cmd;
+ arg->socktype = socktype;
+ if (src_addr != NULL) {
+ INSIST(dst_addr != NULL);
+ arg->src_addr = *src_addr;
+ arg->dst_addr = *dst_addr;
+ }
+ }
+
+ if (tlv_blob) {
+ assert_true(isc_proxy2_tlv_data_verify(tlv_blob) ==
+ ISC_R_SUCCESS);
+ if (cbarg != NULL) {
+ isc_proxy2_tlv_iterate(tlv_blob, dummy_tlv_iter_cb,
+ cbarg);
+ }
+ }
+}
+
+static int
+setup_test_proxy(void **state) {
+ isc_proxy2_handler_t **handler = (isc_proxy2_handler_t **)state;
+ *handler = isc_proxy2_handler_new(mctx, 0, proxy2_handler_dummy, NULL);
+ return (0);
+}
+
+static int
+teardown_test_proxy(void **state) {
+ isc_proxy2_handler_free((isc_proxy2_handler_t **)state);
+
+ return (0);
+}
+
+static void
+test_header_data(isc_proxy2_handler_t *handler, const void *data,
+ const size_t size, const bool tear_apart,
+ const bool tear_randomly) {
+ isc_region_t region = { 0 };
+ isc_result_t result;
+
+ if (tear_apart) {
+ isc_buffer_t databuf = { 0 };
+ isc_buffer_init(&databuf, (void *)data, size);
+ isc_buffer_add(&databuf, size);
+
+ for (; isc_buffer_remaininglength(&databuf) > 0;) {
+ isc_region_t remaining = { 0 };
+ size_t sz = 1;
+
+ if (tear_randomly) {
+ sz = 1 + isc_random_uniform(
+ isc_buffer_remaininglength(
+ &databuf));
+ }
+
+ isc_buffer_remainingregion(&databuf, &remaining);
+ remaining.length = sz;
+
+ result = isc_proxy2_handler_push(handler, &remaining);
+ assert_true(isc_proxy2_handler_result(handler) ==
+ result);
+
+ isc_buffer_forward(&databuf, sz);
+ if (result == ISC_R_SUCCESS) {
+ break;
+ }
+ }
+
+ } else {
+ result = isc_proxy2_handler_push_data(handler, data, size);
+ assert_true(isc_proxy2_handler_result(handler) == result);
+ }
+
+ assert_true(isc_proxy2_handler_result(handler) == ISC_R_SUCCESS);
+ isc_proxy2_handler_header(handler, ®ion);
+ assert_true(region.length == size);
+ assert_true(memcmp(region.base, data, region.length) == 0);
+}
+
+static void
+verify_proxy_v2_header(isc_proxy2_handler_t *handler,
+ dummy_handler_cbarg_t *cbarg) {
+ char sabuf[ISC_SOCKADDR_FORMATSIZE] = { 0 };
+ isc_sockaddr_t src_addr = { 0 }, dst_addr = { 0 };
+ isc_result_t result;
+ int socktype = -1;
+
+ assert_true(cbarg->cmd == ISC_PROXY2_CMD_PROXY);
+ assert_true(cbarg->socktype == SOCK_STREAM);
+ assert_true(isc_sockaddr_pf(&cbarg->dst_addr) == AF_INET);
+ assert_true(isc_sockaddr_pf(&cbarg->src_addr) == AF_INET);
+
+ isc_sockaddr_format(&cbarg->dst_addr, sabuf, sizeof(sabuf));
+ assert_true(strcmp(sabuf, "127.0.0.66#11883") == 0);
+ isc_sockaddr_format(&cbarg->src_addr, sabuf, sizeof(sabuf));
+ assert_true(strcmp(sabuf, "127.0.0.1#56784") == 0);
+
+ if (handler != NULL) {
+ result = isc_proxy2_handler_addresses(handler, &socktype,
+ &src_addr, &dst_addr);
+ assert_true(result == ISC_R_SUCCESS);
+ assert_true(isc_sockaddr_equal(&src_addr, &cbarg->src_addr));
+ assert_true(isc_sockaddr_equal(&dst_addr, &cbarg->dst_addr));
+ assert_true(socktype == cbarg->socktype);
+ }
+
+ assert_true(cbarg->tlvs == 0);
+ assert_true(cbarg->tls_subtlvs == 0);
+ assert_true(cbarg->tls_client_flags == 0);
+ assert_true(cbarg->client_cert_verified == false);
+}
+
+static void
+verify_proxy_v2_header_with_TLS(isc_proxy2_handler_t *handler,
+ dummy_handler_cbarg_t *cbarg) {
+ char sabuf[ISC_SOCKADDR_FORMATSIZE] = { 0 };
+ isc_sockaddr_t src_addr = { 0 }, dst_addr = { 0 };
+ isc_result_t result;
+ int socktype = -1;
+
+ assert_true(cbarg->cmd == ISC_PROXY2_CMD_PROXY);
+ assert_true(cbarg->socktype == SOCK_STREAM);
+ assert_true(isc_sockaddr_pf(&cbarg->dst_addr) == AF_INET);
+ assert_true(isc_sockaddr_pf(&cbarg->src_addr) == AF_INET);
+
+ isc_sockaddr_format(&cbarg->dst_addr, sabuf, sizeof(sabuf));
+ assert_true(strcmp(sabuf, "127.0.0.67#11883") == 0);
+ isc_sockaddr_format(&cbarg->src_addr, sabuf, sizeof(sabuf));
+ assert_true(strcmp(sabuf, "127.0.0.1#39754") == 0);
+
+ if (handler != NULL) {
+ result = isc_proxy2_handler_addresses(handler, &socktype,
+ &src_addr, &dst_addr);
+ assert_true(result == ISC_R_SUCCESS);
+ assert_true(isc_sockaddr_equal(&src_addr, &cbarg->src_addr));
+ assert_true(isc_sockaddr_equal(&dst_addr, &cbarg->dst_addr));
+ assert_true(socktype == cbarg->socktype);
+ }
+
+ assert_true(cbarg->tlvs == 1);
+ assert_true(cbarg->tls_subtlvs == 1);
+ assert_true(cbarg->tls_client_flags == ISC_PROXY2_CLIENT_TLS);
+ assert_true(cbarg->client_cert_verified == true);
+
+ /* "TLSv1.2" (w/o trailing '\0') */
+ assert_true(cbarg->tls_version.length == 7);
+ assert_true(memcmp(cbarg->tls_version.base, "TLSv1.2", 7) == 0);
+}
+
+static void
+verify_proxy_v2_header_with_TLS_CN(isc_proxy2_handler_t *handler,
+ dummy_handler_cbarg_t *cbarg) {
+ char sabuf[ISC_SOCKADDR_FORMATSIZE] = { 0 };
+ isc_sockaddr_t src_addr = { 0 }, dst_addr = { 0 };
+ isc_result_t result;
+ int socktype = -1;
+
+ assert_true(cbarg->cmd == ISC_PROXY2_CMD_PROXY);
+ assert_true(cbarg->socktype == SOCK_STREAM);
+ assert_true(isc_sockaddr_pf(&cbarg->dst_addr) == AF_INET);
+ assert_true(isc_sockaddr_pf(&cbarg->src_addr) == AF_INET);
+
+ isc_sockaddr_format(&cbarg->dst_addr, sabuf, sizeof(sabuf));
+ assert_true(strcmp(sabuf, "127.0.0.67#11883") == 0);
+ isc_sockaddr_format(&cbarg->src_addr, sabuf, sizeof(sabuf));
+ assert_true(strcmp(sabuf, "127.0.0.1#40402") == 0);
+
+ if (handler != NULL) {
+ result = isc_proxy2_handler_addresses(handler, &socktype,
+ &src_addr, &dst_addr);
+ assert_true(result == ISC_R_SUCCESS);
+ assert_true(isc_sockaddr_equal(&src_addr, &cbarg->src_addr));
+ assert_true(isc_sockaddr_equal(&dst_addr, &cbarg->dst_addr));
+ assert_true(socktype == cbarg->socktype);
+ }
+
+ assert_true(cbarg->tlvs == 1);
+ assert_true(cbarg->tls_subtlvs == 2); /* version and common name */
+ assert_true(cbarg->tls_client_flags ==
+ (ISC_PROXY2_CLIENT_TLS | ISC_PROXY2_CLIENT_CERT_SESS |
+ ISC_PROXY2_CLIENT_CERT_CONN));
+ assert_true(cbarg->client_cert_verified == true);
+
+ /* "TLSv1.2" (w/o trailing '\0') */
+ assert_true(cbarg->tls_version.length == 7);
+ assert_true(memcmp(cbarg->tls_version.base, "TLSv1.2", 7) == 0);
+
+ /* "mqttuser1" (w/o trailing '\0') */
+ assert_true(cbarg->tls_common_name.length == 9);
+ assert_true(memcmp(cbarg->tls_common_name.base, "mqttuser1", 9) == 0);
+}
+
+static void
+verify_proxy_v2_header_with_AF_UNIX(isc_proxy2_handler_t *handler,
+ dummy_handler_cbarg_t *cbarg) {
+ assert_true(cbarg->cmd == ISC_PROXY2_CMD_PROXY);
+ assert_true(cbarg->socktype == 0);
+
+ if (handler != NULL) {
+ int socktype = -1;
+ isc_result_t result;
+
+ result = isc_proxy2_handler_addresses(handler, &socktype, NULL,
+ NULL);
+
+ assert_int_equal(result, ISC_R_SUCCESS);
+
+ assert_int_equal(socktype, 0);
+ }
+}
+
+ISC_RUN_TEST_IMPL(proxyheader_generic_test) {
+ isc_proxy2_handler_t *handler = (isc_proxy2_handler_t *)*state;
+ dummy_handler_cbarg_t cbarg = { 0 };
+
+ isc_proxy2_handler_setcb(handler, proxy2_handler_dummy, &cbarg);
+
+ test_header_data(handler, proxy_v2_header, sizeof(proxy_v2_header),
+ false, false);
+ verify_proxy_v2_header(handler, &cbarg);
+
+ cbarg = (dummy_handler_cbarg_t){ 0 };
+ test_header_data(handler, (void *)proxy_v2_header_with_TLS,
+ sizeof(proxy_v2_header_with_TLS), false, false);
+ verify_proxy_v2_header_with_TLS(handler, &cbarg);
+
+ cbarg = (dummy_handler_cbarg_t){ 0 };
+ test_header_data(handler, (void *)proxy_v2_header_with_TLS_CN,
+ sizeof(proxy_v2_header_with_TLS_CN), false, false);
+ verify_proxy_v2_header_with_TLS_CN(handler, &cbarg);
+
+ cbarg = (dummy_handler_cbarg_t){ 0 };
+ test_header_data(handler, (void *)proxy_v2_header_with_AF_UNIX,
+ sizeof(proxy_v2_header_with_AF_UNIX), false, false);
+ verify_proxy_v2_header_with_AF_UNIX(handler, &cbarg);
+}
+
+ISC_RUN_TEST_IMPL(proxyheader_generic_byte_by_byte_test) {
+ isc_proxy2_handler_t *handler = (isc_proxy2_handler_t *)*state;
+ dummy_handler_cbarg_t cbarg = { 0 };
+
+ isc_proxy2_handler_setcb(handler, proxy2_handler_dummy, &cbarg);
+
+ test_header_data(handler, proxy_v2_header, sizeof(proxy_v2_header),
+ true, false);
+ verify_proxy_v2_header(handler, &cbarg);
+ assert_true(cbarg.no_more_calls == sizeof(proxy_v2_header) - 1);
+
+ cbarg = (dummy_handler_cbarg_t){ 0 };
+ test_header_data(handler, (void *)proxy_v2_header_with_TLS,
+ sizeof(proxy_v2_header_with_TLS), true, false);
+ verify_proxy_v2_header_with_TLS(handler, &cbarg);
+ assert_true(cbarg.no_more_calls ==
+ sizeof(proxy_v2_header_with_TLS) - 1);
+
+ cbarg = (dummy_handler_cbarg_t){ 0 };
+ test_header_data(handler, (void *)proxy_v2_header_with_TLS_CN,
+ sizeof(proxy_v2_header_with_TLS_CN), true, false);
+ verify_proxy_v2_header_with_TLS_CN(handler, &cbarg);
+ assert_true(cbarg.no_more_calls ==
+ sizeof(proxy_v2_header_with_TLS_CN) - 1);
+
+ cbarg = (dummy_handler_cbarg_t){ 0 };
+ test_header_data(handler, (void *)proxy_v2_header_with_AF_UNIX,
+ sizeof(proxy_v2_header_with_AF_UNIX), true, false);
+ verify_proxy_v2_header_with_AF_UNIX(handler, &cbarg);
+ assert_true(cbarg.no_more_calls ==
+ sizeof(proxy_v2_header_with_AF_UNIX) - 1);
+}
+
+ISC_RUN_TEST_IMPL(proxyheader_generic_torn_apart_randomly_test) {
+ isc_proxy2_handler_t *handler = (isc_proxy2_handler_t *)*state;
+ dummy_handler_cbarg_t cbarg = { 0 };
+
+ isc_proxy2_handler_setcb(handler, proxy2_handler_dummy, &cbarg);
+
+ test_header_data(handler, proxy_v2_header, sizeof(proxy_v2_header),
+ true, true);
+ verify_proxy_v2_header(handler, &cbarg);
+
+ cbarg = (dummy_handler_cbarg_t){ 0 };
+ test_header_data(handler, (void *)proxy_v2_header_with_TLS,
+ sizeof(proxy_v2_header_with_TLS), true, true);
+ verify_proxy_v2_header_with_TLS(handler, &cbarg);
+
+ cbarg = (dummy_handler_cbarg_t){ 0 };
+ test_header_data(handler, (void *)proxy_v2_header_with_TLS_CN,
+ sizeof(proxy_v2_header_with_TLS_CN), true, true);
+ verify_proxy_v2_header_with_TLS_CN(handler, &cbarg);
+
+ cbarg = (dummy_handler_cbarg_t){ 0 };
+ test_header_data(handler, (void *)proxy_v2_header_with_AF_UNIX,
+ sizeof(proxy_v2_header_with_AF_UNIX), true, true);
+ verify_proxy_v2_header_with_AF_UNIX(handler, &cbarg);
+}
+
+ISC_RUN_TEST_IMPL(proxyheader_direct_test) {
+ isc_result_t result;
+ isc_region_t region = { 0 };
+ dummy_handler_cbarg_t cbarg = { 0 };
+
+ cbarg = (dummy_handler_cbarg_t){ 0 };
+ region.base = (uint8_t *)proxy_v2_header;
+ region.length = sizeof(proxy_v2_header);
+ result = isc_proxy2_header_handle_directly(
+ ®ion, proxy2_handler_dummy, &cbarg);
+ assert_true(result == ISC_R_SUCCESS);
+ assert_true(cbarg.no_more_calls == 0);
+ verify_proxy_v2_header(NULL, &cbarg);
+
+ cbarg = (dummy_handler_cbarg_t){ 0 };
+ region.base = (uint8_t *)proxy_v2_header_with_TLS;
+ region.length = sizeof(proxy_v2_header_with_TLS);
+ result = isc_proxy2_header_handle_directly(
+ ®ion, proxy2_handler_dummy, &cbarg);
+ assert_true(result == ISC_R_SUCCESS);
+ assert_true(cbarg.no_more_calls == 0);
+ isc_proxy2_tlv_iterate(&cbarg.tlv_data, dummy_tlv_iter_cb, &cbarg);
+ verify_proxy_v2_header_with_TLS(NULL, &cbarg);
+
+ cbarg = (dummy_handler_cbarg_t){ 0 };
+ region.base = (uint8_t *)proxy_v2_header_with_TLS_CN;
+ region.length = sizeof(proxy_v2_header_with_TLS_CN);
+ result = isc_proxy2_header_handle_directly(
+ ®ion, proxy2_handler_dummy, &cbarg);
+ assert_true(result == ISC_R_SUCCESS);
+ assert_true(cbarg.no_more_calls == 0);
+ isc_proxy2_tlv_iterate(&cbarg.tlv_data, dummy_tlv_iter_cb, &cbarg);
+ verify_proxy_v2_header_with_TLS_CN(NULL, &cbarg);
+
+ cbarg = (dummy_handler_cbarg_t){ 0 };
+ region.base = (uint8_t *)proxy_v2_header_with_AF_UNIX;
+ region.length = sizeof(proxy_v2_header_with_AF_UNIX);
+ result = isc_proxy2_header_handle_directly(
+ ®ion, proxy2_handler_dummy, &cbarg);
+ assert_true(result == ISC_R_SUCCESS);
+ assert_true(cbarg.no_more_calls == 0);
+ verify_proxy_v2_header_with_AF_UNIX(NULL, &cbarg);
+}
+
+ISC_RUN_TEST_IMPL(proxyheader_detect_bad_signature_test) {
+ isc_proxy2_handler_t *handler = (isc_proxy2_handler_t *)*state;
+
+ for (size_t i = 0; i < ISC_PROXY2_HEADER_SIGNATURE_SIZE; i++) {
+ isc_result_t result;
+ uint8_t sig[ISC_PROXY2_HEADER_SIGNATURE_SIZE];
+ memmove(sig, ISC_PROXY2_HEADER_SIGNATURE,
+ ISC_PROXY2_HEADER_SIGNATURE_SIZE);
+
+ sig[i] = 0x0C; /* it is not present in the valid signature */
+
+ /*
+ * We are expected to detect bad signature as early as possible,
+ * so we are passing only a part of the header.
+ */
+ result = isc_proxy2_handler_push_data(handler, sig, i + 1);
+ assert_true(result == ISC_R_UNEXPECTED);
+ }
+}
+
+ISC_RUN_TEST_IMPL(proxyheader_extra_data_test) {
+ isc_result_t result;
+ isc_buffer_t databuf;
+ isc_region_t region = { 0 };
+ size_t sz;
+ isc_proxy2_handler_t *handler = (isc_proxy2_handler_t *)*state;
+ uint8_t header[] = { 0x0d, 0x0a, 0x0d, 0x0a, 0x00, 0x0d, 0x0a, 0x51,
+ 0x55, 0x49, 0x54, 0x0a, 0x21, 0x11, 0x00, 0x1e,
+ 0x7f, 0x00, 0x00, 0x01, 0x7f, 0x00, 0x00, 0x43,
+ 0x9b, 0x4a, 0x2e, 0x6b, 0x20, 0x00, 0x0f, 0x01,
+ 0x00, 0x00, 0x00, 0x00, 0x21, 0x00, 0x07, 0x54,
+ 0x4c, 0x53, 0x76, 0x31, 0x2e, 0x32 };
+ uint8_t extra_data[] = { 0x10, 0x1a, 0x00, 0x04, 0x4d, 0x51, 0x54,
+ 0x54, 0x04, 0x02, 0x00, 0x3c, 0x00, 0x0e,
+ 0x4d, 0x51, 0x54, 0x54, 0x5f, 0x46, 0x58,
+ 0x5f, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74 };
+ uint8_t data[sizeof(header) + sizeof(extra_data)];
+
+ isc_buffer_init(&databuf, (void *)data, sizeof(data));
+
+ isc_buffer_putmem(&databuf, header, sizeof(header));
+ isc_buffer_putmem(&databuf, extra_data, sizeof(extra_data));
+
+ isc_buffer_remainingregion(&databuf, ®ion);
+
+ result = isc_proxy2_handler_push(handler, ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+
+ region = (isc_region_t){ 0 };
+ sz = isc_proxy2_handler_header(handler, ®ion);
+ assert_true(sz == sizeof(header));
+ assert_true(sz == region.length);
+ assert_true(memcmp(header, region.base, sz) == 0);
+
+ region = (isc_region_t){ 0 };
+ sz = isc_proxy2_handler_extra(handler, ®ion);
+ assert_true(sz == sizeof(extra_data));
+ assert_true(sz == region.length);
+ assert_true(memcmp(extra_data, region.base, sz) == 0);
+}
+
+ISC_RUN_TEST_IMPL(proxyheader_max_size_test) {
+ isc_result_t result;
+ isc_proxy2_handler_t handler;
+
+ UNUSED(state);
+
+ isc_proxy2_handler_init(&handler, mctx, sizeof(proxy_v2_header),
+ proxy2_handler_dummy, NULL);
+
+ result = isc_proxy2_handler_push_data(&handler, proxy_v2_header,
+ sizeof(proxy_v2_header));
+
+ assert_true(result == ISC_R_SUCCESS);
+
+ isc_proxy2_handler_uninit(&handler);
+
+ isc_proxy2_handler_init(&handler, mctx, sizeof(proxy_v2_header) - 1,
+ proxy2_handler_dummy, NULL);
+
+ result = isc_proxy2_handler_push_data(&handler, proxy_v2_header,
+ sizeof(proxy_v2_header));
+
+ assert_true(result == ISC_R_RANGE);
+
+ isc_proxy2_handler_uninit(&handler);
+}
+
+ISC_RUN_TEST_IMPL(proxyheader_make_header_test) {
+ isc_result_t result;
+ isc_proxy2_handler_t *handler = (isc_proxy2_handler_t *)*state;
+ isc_buffer_t databuf;
+ uint8_t data[ISC_PROXY2_MAX_SIZE];
+ isc_buffer_t sslbuf;
+ uint8_t ssldata[ISC_PROXY2_MAX_SIZE];
+ isc_region_t region = { 0 };
+ uint8_t extra[256] = { 0 };
+ const char *tls_version = "TLSv1.3";
+ const char *tls_cn = "name.test";
+ dummy_handler_cbarg_t cbarg = { 0 };
+ struct in_addr localhost4 = { 0 };
+ isc_sockaddr_t src_addrv4 = { 0 }, dst_addrv4 = { 0 },
+ src_addrv6 = { 0 }, dst_addrv6 = { 0 };
+ const uint16_t src_port = 1236;
+ const uint16_t dst_port = 9582;
+
+ localhost4.s_addr = htonl(INADDR_LOOPBACK);
+
+ isc_sockaddr_fromin(&src_addrv4, &localhost4, src_port);
+ isc_sockaddr_fromin(&dst_addrv4, &localhost4, dst_port);
+ isc_sockaddr_fromin6(&src_addrv6, &in6addr_loopback, src_port);
+ isc_sockaddr_fromin6(&dst_addrv6, &in6addr_loopback, dst_port);
+ isc_proxy2_handler_setcb(handler, proxy2_handler_dummy, &cbarg);
+
+ isc_buffer_init(&databuf, (void *)data, sizeof(data));
+ isc_buffer_init(&sslbuf, (void *)ssldata, sizeof(ssldata));
+
+ /* unspec */
+ result = isc_proxy2_make_header(&databuf, ISC_PROXY2_CMD_LOCAL, 0, NULL,
+ NULL, NULL);
+ assert_true(result == ISC_R_SUCCESS);
+
+ isc_buffer_usedregion(&databuf, ®ion);
+ assert_true(region.length == ISC_PROXY2_HEADER_SIZE);
+
+ region = (isc_region_t){ .base = extra, .length = sizeof(extra) };
+ result = isc_proxy2_header_append_tlv(
+ &databuf, ISC_PROXY2_TLV_TYPE_NOOP, ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+
+ isc_buffer_usedregion(&databuf, ®ion);
+ assert_true(region.length == ISC_PROXY2_HEADER_SIZE + sizeof(extra) +
+ ISC_PROXY2_TLV_HEADER_SIZE);
+
+ result = isc_proxy2_handler_push(handler, ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+ assert_true(cbarg.tlvs == 0); /* in unspec mode we ignore TLVs */
+
+ /* AF_INET, SOCK_STREAM */
+ cbarg = (dummy_handler_cbarg_t){ 0 };
+ isc_buffer_clear(&databuf);
+
+ result = isc_proxy2_make_header(&databuf, ISC_PROXY2_CMD_PROXY,
+ SOCK_STREAM, &src_addrv4, &dst_addrv4,
+ NULL);
+ assert_true(result == ISC_R_SUCCESS);
+
+ isc_buffer_usedregion(&databuf, ®ion);
+ assert_true(region.length == ISC_PROXY2_MIN_AF_INET_SIZE);
+
+ region = (isc_region_t){ .base = extra, .length = sizeof(extra) };
+ result = isc_proxy2_header_append_tlv(
+ &databuf, ISC_PROXY2_TLV_TYPE_NOOP, ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+
+ isc_buffer_usedregion(&databuf, ®ion);
+ assert_true(region.length == ISC_PROXY2_MIN_AF_INET_SIZE +
+ sizeof(extra) +
+ ISC_PROXY2_TLV_HEADER_SIZE);
+
+ result = isc_proxy2_handler_push(handler, ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+ assert_true(cbarg.tlvs == 1); /* ISC_PROXY2_TLV_TYPE_NOOP */
+
+ assert_true(cbarg.socktype == SOCK_STREAM);
+ assert_true(isc_sockaddr_pf(&cbarg.src_addr) == AF_INET);
+ assert_true(isc_sockaddr_pf(&cbarg.dst_addr) == AF_INET);
+
+ assert_true(isc_sockaddr_equal(&cbarg.src_addr, &src_addrv4));
+ assert_true(isc_sockaddr_equal(&cbarg.dst_addr, &dst_addrv4));
+
+ /* AF_INET6, SOCK_STREAM (+ TLS version and CN) */
+ cbarg = (dummy_handler_cbarg_t){ 0 };
+ isc_buffer_clear(&databuf);
+
+ result = isc_proxy2_make_header(&databuf, ISC_PROXY2_CMD_PROXY,
+ SOCK_STREAM, &src_addrv6, &dst_addrv6,
+ NULL);
+ assert_true(result == ISC_R_SUCCESS);
+
+ isc_buffer_usedregion(&databuf, ®ion);
+ assert_true(region.length == ISC_PROXY2_MIN_AF_INET6_SIZE);
+
+ region = (isc_region_t){ .base = extra, .length = sizeof(extra) };
+ result = isc_proxy2_header_append_tlv(
+ &databuf, ISC_PROXY2_TLV_TYPE_NOOP, ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+
+ result = isc_proxy2_make_tls_subheader(
+ &sslbuf, ISC_PROXY2_CLIENT_TLS | ISC_PROXY2_CLIENT_CERT_CONN,
+ true, NULL);
+ assert_true(result == ISC_R_SUCCESS);
+ result = isc_proxy2_append_tlv_string(
+ &sslbuf, ISC_PROXY2_TLV_SUBTYPE_TLS_VERSION, tls_version);
+ assert_true(result == ISC_R_SUCCESS);
+ result = isc_proxy2_append_tlv_string(
+ &sslbuf, ISC_PROXY2_TLV_SUBTYPE_TLS_CN, tls_cn);
+ assert_true(result == ISC_R_SUCCESS);
+
+ isc_buffer_usedregion(&sslbuf, ®ion);
+ result = isc_proxy2_header_append_tlv(&databuf, ISC_PROXY2_TLV_TYPE_TLS,
+ ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+
+ isc_buffer_usedregion(&databuf, ®ion);
+ size_t expected = ISC_PROXY2_MIN_AF_INET6_SIZE + sizeof(extra) +
+ (4 * ISC_PROXY2_TLV_HEADER_SIZE) +
+ ISC_PROXY2_TLS_SUBHEADER_MIN_SIZE +
+ strlen(tls_version) + strlen(tls_cn);
+ assert_true(region.length == expected);
+
+ result = isc_proxy2_handler_push(handler, ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+
+ assert_true(cbarg.socktype == SOCK_STREAM);
+ assert_true(isc_sockaddr_pf(&cbarg.src_addr) == AF_INET6);
+ assert_true(isc_sockaddr_pf(&cbarg.dst_addr) == AF_INET6);
+
+ assert_true(isc_sockaddr_equal(&cbarg.src_addr, &src_addrv6));
+ assert_true(isc_sockaddr_equal(&cbarg.dst_addr, &dst_addrv6));
+
+ region = (isc_region_t){ 0 };
+ (void)isc_proxy2_handler_tlvs(handler, ®ion);
+ assert_true(isc_proxy2_tlv_data_verify(®ion) == ISC_R_SUCCESS);
+ /* ISC_PROXY2_TLV_TYPE_NOOP+ISC_PROXY2_TLV_TYPE_TLS */
+ assert_true(cbarg.tlvs == 2);
+ /* ISC_PROXY2_TLV_SUBTYPE_TLS_VERSION+ISC_PROXY2_TLV_SUBTYPE_TLS_CN */
+ assert_true(cbarg.tls_subtlvs == 2);
+
+ assert_true(cbarg.tls_version.length == strlen(tls_version));
+ assert_true(memcmp(cbarg.tls_version.base, tls_version,
+ strlen(tls_version)) == 0);
+
+ assert_true(cbarg.tls_common_name.length == strlen(tls_cn));
+ assert_true(memcmp(cbarg.tls_common_name.base, tls_cn,
+ strlen(tls_cn)) == 0);
+}
+
+static bool
+rebuild_subtlv_iter_cb(const uint8_t client, const bool client_cert_verified,
+ const isc_proxy2_tlv_subtype_tls_t tls_subtlv_type,
+ const isc_region_t *restrict data, void *cbarg) {
+ isc_result_t result;
+ isc_buffer_t *outbuf = (isc_buffer_t *)cbarg;
+
+ UNUSED(client);
+ UNUSED(client_cert_verified);
+
+ result = isc_proxy2_append_tlv(outbuf, tls_subtlv_type, data);
+ assert_true(result == ISC_R_SUCCESS);
+
+ return (true);
+}
+
+static bool
+rebuild_tlv_iter_cb(const isc_proxy2_tlv_type_t tlv_type,
+ const isc_region_t *restrict data, void *cbarg) {
+ isc_result_t result;
+ isc_buffer_t *outbuf = (isc_buffer_t *)cbarg;
+
+ if (tlv_type == ISC_PROXY2_TLV_TYPE_TLS) {
+ uint8_t client_flags = 0;
+ bool client_cert_verified = false;
+ isc_buffer_t databuf = { 0 };
+ isc_region_t region = { 0 };
+ uint8_t storage[ISC_PROXY2_MAX_SIZE];
+
+ isc_buffer_init(&databuf, (void *)storage, sizeof(storage));
+
+ /* get flags values */
+ result = isc_proxy2_subtlv_tls_header_data(
+ data, &client_flags, &client_cert_verified);
+ assert_true(result == ISC_R_SUCCESS);
+
+ /* create header */
+ result = isc_proxy2_make_tls_subheader(
+ &databuf, client_flags, client_cert_verified, NULL);
+ assert_true(result == ISC_R_SUCCESS);
+
+ /* process and append values */
+ result = isc_proxy2_subtlv_tls_iterate(
+ data, rebuild_subtlv_iter_cb, &databuf);
+ assert_true(result == ISC_R_SUCCESS);
+
+ isc_buffer_usedregion(&databuf, ®ion);
+ result = isc_proxy2_header_append_tlv(outbuf, tlv_type,
+ ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+ } else {
+ result = isc_proxy2_header_append_tlv(outbuf, tlv_type, data);
+ assert_true(result == ISC_R_SUCCESS);
+ }
+
+ return (true);
+}
+
+static void
+proxy2_handler_rebuild_cb(const isc_result_t header_result,
+ const isc_proxy2_command_t cmd, const int socktype,
+ const isc_sockaddr_t *restrict src_addr,
+ const isc_sockaddr_t *restrict dst_addr,
+ const isc_region_t *restrict tlv_blob,
+ const isc_region_t *restrict extra, void *cbarg) {
+ isc_result_t result;
+ isc_buffer_t *outbuf = (isc_buffer_t *)cbarg;
+
+ if (header_result != ISC_R_SUCCESS) {
+ return;
+ }
+
+ result = isc_proxy2_make_header(outbuf, cmd, socktype, src_addr,
+ dst_addr, NULL);
+ assert_true(result == ISC_R_SUCCESS);
+
+ if (tlv_blob != NULL) {
+ isc_proxy2_tlv_iterate(tlv_blob, rebuild_tlv_iter_cb, outbuf);
+ }
+
+ if (extra != NULL) {
+ result = isc_proxy2_tlv_data_verify(tlv_blob);
+ assert_true(result == ISC_R_SUCCESS);
+ isc_buffer_putmem(outbuf, extra->base, extra->length);
+ }
+}
+
+static void
+proxy2_handler_rebuild(isc_buffer_t *restrict outbuf, const void *data,
+ const size_t size) {
+ isc_proxy2_handler_t handler = { 0 };
+
+ isc_proxy2_handler_init(&handler, mctx, 0, proxy2_handler_rebuild_cb,
+ outbuf);
+
+ isc_proxy2_handler_push_data(&handler, data, size);
+
+ isc_proxy2_handler_uninit(&handler);
+}
+
+static void
+try_rebuild_header(const void *data, size_t size) {
+ isc_buffer_t databuf = { 0 };
+ isc_region_t region = { 0 };
+ uint8_t storage[ISC_PROXY2_MAX_SIZE];
+
+ isc_buffer_init(&databuf, (void *)storage, sizeof(storage));
+
+ proxy2_handler_rebuild(&databuf, data, size);
+ isc_buffer_usedregion(&databuf, ®ion);
+ assert_true(region.length == size);
+ assert_true(memcmp(region.base, data, size) == 0);
+}
+
+ISC_RUN_TEST_IMPL(proxyheader_rebuild_header_test) {
+ try_rebuild_header(proxy_v2_header, sizeof(proxy_v2_header));
+ try_rebuild_header(proxy_v2_header_with_TLS,
+ sizeof(proxy_v2_header_with_TLS));
+ try_rebuild_header(proxy_v2_header_with_TLS_CN,
+ sizeof(proxy_v2_header_with_TLS_CN));
+}
+
+ISC_RUN_TEST_IMPL(proxyheader_bad_header_signature_test) {
+ size_t i;
+ isc_result_t result;
+ isc_proxy2_handler_t *handler = (isc_proxy2_handler_t *)*state;
+
+ for (i = 0; i < ISC_PROXY2_HEADER_SIGNATURE_SIZE; i++) {
+ uint8_t sig[ISC_PROXY2_HEADER_SIGNATURE_SIZE];
+ memmove(sig, ISC_PROXY2_HEADER_SIGNATURE,
+ ISC_PROXY2_HEADER_SIGNATURE_SIZE);
+ sig[i] = 0x0C; /* 0x0C cannot be found in the signature */
+ result = isc_proxy2_handler_push_data(handler, sig,
+ sizeof(sig));
+ assert_true(result == ISC_R_UNEXPECTED);
+ isc_proxy2_handler_clear(handler);
+ }
+
+ result = isc_proxy2_handler_push_data(handler,
+ ISC_PROXY2_HEADER_SIGNATURE,
+ ISC_PROXY2_HEADER_SIGNATURE_SIZE);
+ assert_true(result == ISC_R_NOMORE);
+}
+
+ISC_RUN_TEST_IMPL(proxyheader_bad_proto_version_command_test) {
+ isc_proxy2_handler_t *handler = (isc_proxy2_handler_t *)*state;
+ isc_result_t result;
+ uint8_t *pver_cmd = NULL;
+ uint8_t botched_header[sizeof(proxy_v2_header)] = { 0 };
+
+ memmove(botched_header, proxy_v2_header, sizeof(proxy_v2_header));
+
+ pver_cmd = &botched_header[ISC_PROXY2_HEADER_SIGNATURE_SIZE];
+
+ assert_true(*pver_cmd == 0x21);
+
+ *pver_cmd = 0x31; /* unexpected version (3) followed by PROXY command */
+
+ result = isc_proxy2_handler_push_data(handler, botched_header,
+ sizeof(botched_header));
+ assert_true(result == ISC_R_NOTIMPLEMENTED);
+
+ *pver_cmd = 0x22; /* version two followed by unexpected command (2) */
+
+ result = isc_proxy2_handler_push_data(handler, botched_header,
+ sizeof(botched_header));
+ assert_true(result == ISC_R_UNEXPECTED);
+}
+
+ISC_RUN_TEST_IMPL(proxyheader_bad_family_socktype_test) {
+ isc_proxy2_handler_t *handler = (isc_proxy2_handler_t *)*state;
+ isc_result_t result;
+ uint8_t *pfam = NULL;
+ uint8_t botched_header[sizeof(proxy_v2_header)] = { 0 };
+
+ memmove(botched_header, proxy_v2_header, sizeof(proxy_v2_header));
+
+ pfam = &botched_header[ISC_PROXY2_HEADER_SIGNATURE_SIZE + 1];
+
+ assert_true(*pfam == 0x11);
+
+ *pfam = 0x41; /* unexpected family (4) followed by SOCK_STREAM (1)*/
+
+ result = isc_proxy2_handler_push_data(handler, botched_header,
+ sizeof(botched_header));
+ assert_true(result == ISC_R_UNEXPECTED);
+
+ *pfam = 0x13; /* AF_INET (1) followed by unexpected sock type (3) */
+
+ result = isc_proxy2_handler_push_data(handler, botched_header,
+ sizeof(botched_header));
+ assert_true(result == ISC_R_UNEXPECTED);
+}
+
+static inline void
+update_header_length(uint8_t *botched_header, uint16_t newlen) {
+ newlen = htons(newlen);
+ memmove(&botched_header[ISC_PROXY2_HEADER_SIGNATURE_SIZE + 2], &newlen,
+ sizeof(newlen));
+}
+
+ISC_RUN_TEST_IMPL(proxyheader_bad_unexpected_not_enough_length_test) {
+ isc_proxy2_handler_t *handler = (isc_proxy2_handler_t *)*state;
+ isc_result_t result;
+ uint8_t botched_header[sizeof(proxy_v2_header)] = { 0 };
+
+ memmove(botched_header, proxy_v2_header, sizeof(proxy_v2_header));
+
+ update_header_length(botched_header, 0);
+ result = isc_proxy2_handler_push_data(handler, botched_header,
+ sizeof(botched_header));
+ assert_true(result == ISC_R_RANGE);
+
+ update_header_length(botched_header, 4); /* not enough */
+ result = isc_proxy2_handler_push_data(handler, botched_header,
+ sizeof(botched_header));
+ assert_true(result == ISC_R_RANGE);
+
+ update_header_length(botched_header, UINT16_MAX); /* no more */
+ result = isc_proxy2_handler_push_data(handler, botched_header,
+ sizeof(botched_header));
+ assert_true(result == ISC_R_NOMORE);
+ isc_proxy2_handler_clear(handler);
+}
+
+ISC_RUN_TEST_IMPL(proxyheader_tlv_data_test) {
+ isc_result_t result;
+ isc_buffer_t databuf = { 0 };
+ isc_buffer_t tlsbuf = { 0 };
+ uint8_t data[ISC_PROXY2_MAX_SIZE] = { 0 };
+ uint8_t tlsdata[ISC_PROXY2_MAX_SIZE] = { 0 };
+ uint8_t zerodata[0xff] = { 0 };
+ isc_region_t region = { 0 };
+ const char *alpn = "dot";
+ const char *tls_version = "TLSv1.3";
+ const char *tls_cn = "name.test";
+
+ isc_buffer_init(&databuf, (void *)data, sizeof(data));
+ isc_buffer_init(&tlsbuf, (void *)tlsdata, sizeof(tlsdata));
+
+ /* zero filled data is not fine */
+ region.base = zerodata;
+ region.length = sizeof(zerodata);
+ result = isc_proxy2_tlv_data_verify(®ion);
+ assert_true(result == ISC_R_UNEXPECTED);
+
+ /* crc32c must be 4 bytes long */
+ isc_buffer_clear(&databuf);
+ region.base = (uint8_t *)zerodata;
+ region.length = sizeof(zerodata);
+ result = isc_proxy2_append_tlv(&databuf, ISC_PROXY2_TLV_TYPE_CRC32C,
+ ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(&databuf, ®ion);
+
+ result = isc_proxy2_tlv_data_verify(®ion);
+ assert_true(result == ISC_R_RANGE);
+
+ isc_buffer_clear(&databuf);
+ region.base = (uint8_t *)zerodata;
+ region.length = 4;
+ result = isc_proxy2_append_tlv(&databuf, ISC_PROXY2_TLV_TYPE_CRC32C,
+ ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(&databuf, ®ion);
+
+ result = isc_proxy2_tlv_data_verify(®ion);
+ assert_true(result == ISC_R_SUCCESS);
+
+ /* unique id must be <= 128 bytes long */
+ isc_buffer_clear(&databuf);
+ region.base = (uint8_t *)zerodata;
+ region.length = sizeof(zerodata);
+ result = isc_proxy2_append_tlv(&databuf, ISC_PROXY2_TLV_TYPE_UNIQUE_ID,
+ ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(&databuf, ®ion);
+
+ result = isc_proxy2_tlv_data_verify(®ion);
+ assert_true(result == ISC_R_RANGE);
+
+ isc_buffer_clear(&databuf);
+ region.base = (uint8_t *)zerodata;
+ region.length = 128;
+ result = isc_proxy2_append_tlv(&databuf, ISC_PROXY2_TLV_TYPE_UNIQUE_ID,
+ ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(&databuf, ®ion);
+
+ result = isc_proxy2_tlv_data_verify(®ion);
+ assert_true(result == ISC_R_SUCCESS);
+
+ /* two noops is fine */
+ isc_buffer_clear(&databuf);
+ region = (isc_region_t){ 0 };
+ result = isc_proxy2_append_tlv(&databuf, ISC_PROXY2_TLV_TYPE_NOOP,
+ ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+ result = isc_proxy2_append_tlv(&databuf, ISC_PROXY2_TLV_TYPE_NOOP,
+ ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(&databuf, ®ion);
+
+ result = isc_proxy2_tlv_data_verify(®ion);
+ assert_true(result == ISC_R_SUCCESS);
+
+ /* one ALPN tag is fine */
+ isc_buffer_clear(&databuf);
+ result = isc_proxy2_append_tlv_string(&databuf,
+ ISC_PROXY2_TLV_TYPE_ALPN, alpn);
+ assert_true(result == ISC_R_SUCCESS);
+
+ isc_buffer_usedregion(&databuf, ®ion);
+ result = isc_proxy2_tlv_data_verify(®ion);
+ assert_true(result == ISC_R_SUCCESS);
+
+ /* two ALPN tags is not fine */
+ result = isc_proxy2_append_tlv_string(&databuf,
+ ISC_PROXY2_TLV_TYPE_ALPN, alpn);
+ assert_true(result == ISC_R_SUCCESS);
+
+ isc_buffer_usedregion(&databuf, ®ion);
+ result = isc_proxy2_tlv_data_verify(®ion);
+ assert_true(result == ISC_R_UNEXPECTED);
+
+ /* empty TLS subheader is tolerable */
+ isc_buffer_clear(&databuf);
+ isc_buffer_clear(&tlsbuf);
+ result = isc_proxy2_make_tls_subheader(&tlsbuf, 0, false, NULL);
+ assert_true(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(&tlsbuf, ®ion);
+ result = isc_proxy2_append_tlv(&databuf, ISC_PROXY2_TLV_TYPE_TLS,
+ ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(&databuf, ®ion);
+ result = isc_proxy2_tlv_data_verify(®ion);
+ assert_true(result == ISC_R_SUCCESS);
+
+ /* empty TLS subheader with no TLS version while one is expected */
+ isc_buffer_clear(&databuf);
+ isc_buffer_clear(&tlsbuf);
+ result = isc_proxy2_make_tls_subheader(&tlsbuf, ISC_PROXY2_CLIENT_TLS,
+ false, NULL);
+ assert_true(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(&tlsbuf, ®ion);
+ result = isc_proxy2_append_tlv(&databuf, ISC_PROXY2_TLV_TYPE_TLS,
+ ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(&databuf, ®ion);
+ result = isc_proxy2_tlv_data_verify(®ion);
+ assert_true(result == ISC_R_UNEXPECTED);
+
+ /* TLS subheader with TLS version */
+ isc_buffer_clear(&databuf);
+ isc_buffer_clear(&tlsbuf);
+ result = isc_proxy2_make_tls_subheader(&tlsbuf, ISC_PROXY2_CLIENT_TLS,
+ false, NULL);
+ assert_true(result == ISC_R_SUCCESS);
+ region.length = sizeof(tls_version);
+ result = isc_proxy2_append_tlv_string(
+ &tlsbuf, ISC_PROXY2_TLV_SUBTYPE_TLS_VERSION, tls_version);
+ assert_true(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(&tlsbuf, ®ion);
+ result = isc_proxy2_append_tlv(&databuf, ISC_PROXY2_TLV_TYPE_TLS,
+ ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(&databuf, ®ion);
+ result = isc_proxy2_tlv_data_verify(®ion);
+ assert_true(result == ISC_R_SUCCESS);
+
+ /* TLS subheader with multiple TLS versions is not fine */
+ isc_buffer_clear(&databuf);
+ isc_buffer_clear(&tlsbuf);
+ result = isc_proxy2_make_tls_subheader(&tlsbuf, ISC_PROXY2_CLIENT_TLS,
+ false, NULL);
+ assert_true(result == ISC_R_SUCCESS);
+ result = isc_proxy2_append_tlv_string(
+ &tlsbuf, ISC_PROXY2_TLV_SUBTYPE_TLS_VERSION, tls_version);
+ assert_true(result == ISC_R_SUCCESS);
+ result = isc_proxy2_append_tlv(
+ &tlsbuf, ISC_PROXY2_TLV_SUBTYPE_TLS_VERSION, ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(&tlsbuf, ®ion);
+ result = isc_proxy2_append_tlv(&databuf, ISC_PROXY2_TLV_TYPE_TLS,
+ ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(&databuf, ®ion);
+ result = isc_proxy2_tlv_data_verify(®ion);
+ assert_true(result == ISC_R_UNEXPECTED);
+
+ /* TLS subheader with unexpected TLS version */
+ isc_buffer_clear(&databuf);
+ isc_buffer_clear(&tlsbuf);
+ result = isc_proxy2_make_tls_subheader(&tlsbuf, 0, false, NULL);
+ assert_true(result == ISC_R_SUCCESS);
+ result = isc_proxy2_append_tlv_string(
+ &tlsbuf, ISC_PROXY2_TLV_SUBTYPE_TLS_VERSION, tls_version);
+ assert_true(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(&tlsbuf, ®ion);
+ result = isc_proxy2_append_tlv(&databuf, ISC_PROXY2_TLV_TYPE_TLS,
+ ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(&databuf, ®ion);
+ result = isc_proxy2_tlv_data_verify(®ion);
+ assert_true(result == ISC_R_UNEXPECTED);
+
+ /* TLS subheader with no CN while expected */
+ isc_buffer_clear(&databuf);
+ isc_buffer_clear(&tlsbuf);
+ result = isc_proxy2_make_tls_subheader(
+ &tlsbuf, ISC_PROXY2_CLIENT_TLS | ISC_PROXY2_CLIENT_CERT_CONN,
+ false, NULL);
+ assert_true(result == ISC_R_SUCCESS);
+ result = isc_proxy2_append_tlv_string(
+ &tlsbuf, ISC_PROXY2_TLV_SUBTYPE_TLS_VERSION, tls_version);
+ assert_true(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(&tlsbuf, ®ion);
+ result = isc_proxy2_append_tlv(&databuf, ISC_PROXY2_TLV_TYPE_TLS,
+ ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(&databuf, ®ion);
+ result = isc_proxy2_tlv_data_verify(®ion);
+ assert_true(result == ISC_R_UNEXPECTED);
+
+ /* TLS subheader with unexpected CN */
+ isc_buffer_clear(&databuf);
+ isc_buffer_clear(&tlsbuf);
+ result = isc_proxy2_make_tls_subheader(&tlsbuf, ISC_PROXY2_CLIENT_TLS,
+ false, NULL);
+ assert_true(result == ISC_R_SUCCESS);
+ result = isc_proxy2_append_tlv_string(
+ &tlsbuf, ISC_PROXY2_TLV_SUBTYPE_TLS_CN, tls_cn);
+ assert_true(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(&tlsbuf, ®ion);
+ result = isc_proxy2_append_tlv(&databuf, ISC_PROXY2_TLV_TYPE_TLS,
+ ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(&databuf, ®ion);
+ result = isc_proxy2_tlv_data_verify(®ion);
+ assert_true(result == ISC_R_UNEXPECTED);
+
+ /* TLS subheader with CN unexpected (because TLS flag is not set) */
+ isc_buffer_clear(&databuf);
+ isc_buffer_clear(&tlsbuf);
+ result = isc_proxy2_make_tls_subheader(
+ &tlsbuf,
+ ISC_PROXY2_CLIENT_CERT_CONN | ISC_PROXY2_CLIENT_CERT_SESS,
+ false, NULL);
+ assert_true(result == ISC_R_SUCCESS);
+ result = isc_proxy2_append_tlv_string(
+ &tlsbuf, ISC_PROXY2_TLV_SUBTYPE_TLS_CN, tls_cn);
+ assert_true(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(&tlsbuf, ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(&tlsbuf, ®ion);
+ result = isc_proxy2_append_tlv(&databuf, ISC_PROXY2_TLV_TYPE_TLS,
+ ®ion);
+ assert_true(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(&databuf, ®ion);
+ result = isc_proxy2_tlv_data_verify(®ion);
+ assert_true(result == ISC_R_UNEXPECTED);
+
+ /* botched TLV header */
+ isc_buffer_clear(&databuf);
+ region.base = (uint8_t *)zerodata;
+ region.length = sizeof(zerodata);
+ result = isc_proxy2_append_tlv(&databuf, ISC_PROXY2_TLV_TYPE_NOOP,
+ ®ion);
+ isc_buffer_subtract(&databuf, region.length / 2);
+ isc_buffer_usedregion(&databuf, ®ion);
+ result = isc_proxy2_tlv_data_verify(®ion);
+ assert_true(result == ISC_R_RANGE);
+}
+
+ISC_TEST_LIST_START
+ISC_TEST_ENTRY_CUSTOM(proxyheader_generic_test, setup_test_proxy,
+ teardown_test_proxy)
+ISC_TEST_ENTRY_CUSTOM(proxyheader_generic_byte_by_byte_test, setup_test_proxy,
+ teardown_test_proxy)
+ISC_TEST_ENTRY_CUSTOM(proxyheader_generic_torn_apart_randomly_test,
+ setup_test_proxy, teardown_test_proxy)
+ISC_TEST_ENTRY_CUSTOM(proxyheader_direct_test, setup_test_proxy,
+ teardown_test_proxy)
+ISC_TEST_ENTRY_CUSTOM(proxyheader_detect_bad_signature_test, setup_test_proxy,
+ teardown_test_proxy)
+ISC_TEST_ENTRY_CUSTOM(proxyheader_extra_data_test, setup_test_proxy,
+ teardown_test_proxy)
+ISC_TEST_ENTRY_CUSTOM(proxyheader_max_size_test, setup_test_proxy,
+ teardown_test_proxy)
+ISC_TEST_ENTRY_CUSTOM(proxyheader_make_header_test, setup_test_proxy,
+ teardown_test_proxy)
+ISC_TEST_ENTRY_CUSTOM(proxyheader_rebuild_header_test, setup_test_proxy,
+ teardown_test_proxy)
+ISC_TEST_ENTRY_CUSTOM(proxyheader_bad_header_signature_test, setup_test_proxy,
+ teardown_test_proxy)
+ISC_TEST_ENTRY_CUSTOM(proxyheader_bad_proto_version_command_test,
+ setup_test_proxy, teardown_test_proxy)
+ISC_TEST_ENTRY_CUSTOM(proxyheader_bad_family_socktype_test, setup_test_proxy,
+ teardown_test_proxy)
+ISC_TEST_ENTRY_CUSTOM(proxyheader_bad_unexpected_not_enough_length_test,
+ setup_test_proxy, teardown_test_proxy)
+ISC_TEST_ENTRY_CUSTOM(proxyheader_tlv_data_test, setup_test_proxy,
+ teardown_test_proxy)
+ISC_TEST_LIST_END
+
+ISC_TEST_MAIN
projects / thirdparty / bind9.git / commitdiff
