

Change subject: Add support for TLV parsing in the PROXY protocol
......................................................................

Add support for TLV parsing in the PROXY protocol

Version 2 of the PROXY protocol appends extra data in Type-Length-Value
vector format at the end of the header. This commit parses the TLVs and
processes or stores the information they carry.

Change-Id: Ia593f72f6baa6e16d2fd9b21b383b709682f9499
Signed-off-by: Ralf Lici <r...@mandelbit.com>
---
M src/openvpn/haproxy_protocol.c
M src/openvpn/haproxy_protocol.h
M tests/unit_tests/openvpn/test_haproxy_protocol.c
3 files changed, 448 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/86/686/2

diff --git a/src/openvpn/haproxy_protocol.c b/src/openvpn/haproxy_protocol.c
index 1786d2f..cc7cfb6 100644
--- a/src/openvpn/haproxy_protocol.c
+++ b/src/openvpn/haproxy_protocol.c
@@ -40,6 +40,74 @@
     HAPROXY_PROTOCOL_PARSING_STATE_IGNORE = 1,
 } haproxy_protocol_parsing_state_t;

+static const uint32_t CRC32C_TABLE[256] =
+{
+    0x00000000L, 0xF26B8303L, 0xE13B70F7L, 0x1350F3F4L,
+    0xC79A971FL, 0x35F1141CL, 0x26A1E7E8L, 0xD4CA64EBL,
+    0x8AD958CFL, 0x78B2DBCCL, 0x6BE22838L, 0x9989AB3BL,
+    0x4D43CFD0L, 0xBF284CD3L, 0xAC78BF27L, 0x5E133C24L,
+    0x105EC76FL, 0xE235446CL, 0xF165B798L, 0x030E349BL,
+    0xD7C45070L, 0x25AFD373L, 0x36FF2087L, 0xC494A384L,
+    0x9A879FA0L, 0x68EC1CA3L, 0x7BBCEF57L, 0x89D76C54L,
+    0x5D1D08BFL, 0xAF768BBCL, 0xBC267848L, 0x4E4DFB4BL,
+    0x20BD8EDEL, 0xD2D60DDDL, 0xC186FE29L, 0x33ED7D2AL,
+    0xE72719C1L, 0x154C9AC2L, 0x061C6936L, 0xF477EA35L,
+    0xAA64D611L, 0x580F5512L, 0x4B5FA6E6L, 0xB93425E5L,
+    0x6DFE410EL, 0x9F95C20DL, 0x8CC531F9L, 0x7EAEB2FAL,
+    0x30E349B1L, 0xC288CAB2L, 0xD1D83946L, 0x23B3BA45L,
+    0xF779DEAEL, 0x05125DADL, 0x1642AE59L, 0xE4292D5AL,
+    0xBA3A117EL, 0x4851927DL, 0x5B016189L, 0xA96AE28AL,
+    0x7DA08661L, 0x8FCB0562L, 0x9C9BF696L, 0x6EF07595L,
+    0x417B1DBCL, 0xB3109EBFL, 0xA0406D4BL, 0x522BEE48L,
+    0x86E18AA3L, 0x748A09A0L, 0x67DAFA54L, 0x95B17957L,
+    0xCBA24573L, 0x39C9C670L, 0x2A993584L, 0xD8F2B687L,
+    0x0C38D26CL, 0xFE53516FL, 0xED03A29BL, 0x1F682198L,
+    0x5125DAD3L, 0xA34E59D0L, 0xB01EAA24L, 0x42752927L,
+    0x96BF4DCCL, 0x64D4CECFL, 0x77843D3BL, 0x85EFBE38L,
+    0xDBFC821CL, 0x2997011FL, 0x3AC7F2EBL, 0xC8AC71E8L,
+    0x1C661503L, 0xEE0D9600L, 0xFD5D65F4L, 0x0F36E6F7L,
+    0x61C69362L, 0x93AD1061L, 0x80FDE395L, 0x72966096L,
+    0xA65C047DL, 0x5437877EL, 0x4767748AL, 0xB50CF789L,
+    0xEB1FCBADL, 0x197448AEL, 0x0A24BB5AL, 0xF84F3859L,
+    0x2C855CB2L, 0xDEEEDFB1L, 0xCDBE2C45L, 0x3FD5AF46L,
+    0x7198540DL, 0x83F3D70EL, 0x90A324FAL, 0x62C8A7F9L,
+    0xB602C312L, 0x44694011L, 0x5739B3E5L, 0xA55230E6L,
+    0xFB410CC2L, 0x092A8FC1L, 0x1A7A7C35L, 0xE811FF36L,
+    0x3CDB9BDDL, 0xCEB018DEL, 0xDDE0EB2AL, 0x2F8B6829L,
+    0x82F63B78L, 0x709DB87BL, 0x63CD4B8FL, 0x91A6C88CL,
+    0x456CAC67L, 0xB7072F64L, 0xA457DC90L, 0x563C5F93L,
+    0x082F63B7L, 0xFA44E0B4L, 0xE9141340L, 0x1B7F9043L,
+    0xCFB5F4A8L, 0x3DDE77ABL, 0x2E8E845FL, 0xDCE5075CL,
+    0x92A8FC17L, 0x60C37F14L, 0x73938CE0L, 0x81F80FE3L,
+    0x55326B08L, 0xA759E80BL, 0xB4091BFFL, 0x466298FCL,
+    0x1871A4D8L, 0xEA1A27DBL, 0xF94AD42FL, 0x0B21572CL,
+    0xDFEB33C7L, 0x2D80B0C4L, 0x3ED04330L, 0xCCBBC033L,
+    0xA24BB5A6L, 0x502036A5L, 0x4370C551L, 0xB11B4652L,
+    0x65D122B9L, 0x97BAA1BAL, 0x84EA524EL, 0x7681D14DL,
+    0x2892ED69L, 0xDAF96E6AL, 0xC9A99D9EL, 0x3BC21E9DL,
+    0xEF087A76L, 0x1D63F975L, 0x0E330A81L, 0xFC588982L,
+    0xB21572C9L, 0x407EF1CAL, 0x532E023EL, 0xA145813DL,
+    0x758FE5D6L, 0x87E466D5L, 0x94B49521L, 0x66DF1622L,
+    0x38CC2A06L, 0xCAA7A905L, 0xD9F75AF1L, 0x2B9CD9F2L,
+    0xFF56BD19L, 0x0D3D3E1AL, 0x1E6DCDEEL, 0xEC064EEDL,
+    0xC38D26C4L, 0x31E6A5C7L, 0x22B65633L, 0xD0DDD530L,
+    0x0417B1DBL, 0xF67C32D8L, 0xE52CC12CL, 0x1747422FL,
+    0x49547E0BL, 0xBB3FFD08L, 0xA86F0EFCL, 0x5A048DFFL,
+    0x8ECEE914L, 0x7CA56A17L, 0x6FF599E3L, 0x9D9E1AE0L,
+    0xD3D3E1ABL, 0x21B862A8L, 0x32E8915CL, 0xC083125FL,
+    0x144976B4L, 0xE622F5B7L, 0xF5720643L, 0x07198540L,
+    0x590AB964L, 0xAB613A67L, 0xB831C993L, 0x4A5A4A90L,
+    0x9E902E7BL, 0x6CFBAD78L, 0x7FAB5E8CL, 0x8DC0DD8FL,
+    0xE330A81AL, 0x115B2B19L, 0x020BD8EDL, 0xF0605BEEL,
+    0x24AA3F05L, 0xD6C1BC06L, 0xC5914FF2L, 0x37FACCF1L,
+    0x69E9F0D5L, 0x9B8273D6L, 0x88D28022L, 0x7AB90321L,
+    0xAE7367CAL, 0x5C18E4C9L, 0x4F48173DL, 0xBD23943EL,
+    0xF36E6F75L, 0x0105EC76L, 0x12551F82L, 0xE03E9C81L,
+    0x34F4F86AL, 0xC69F7B69L, 0xD5CF889DL, 0x27A40B9EL,
+    0x79B737BAL, 0x8BDCB4B9L, 0x988C474DL, 0x6AE7C44EL,
+    0xBE2DA0A5L, 0x4C4623A6L, 0x5F16D052L, 0xAD7D5351L
+};
+
 static const size_t HAPROXY_PROTOCOL_V2_ADDR_LEN_IPV4 = 12;
 static const size_t HAPROXY_PROTOCOL_V2_ADDR_LEN_IPV6 = 36;
 static const size_t HAPROXY_PROTOCOL_V2_ADDR_LEN_UNIX = 216;
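Review bot: CRC32C_TABLE is added without a comment saying which CRC it implements or how it was generated, so a reader cannot tell it from a plain CRC-32 table without recomputing it. Entry 128 is 0x82F63B78, which is the reflected form of the Castagnoli polynomial, so a one-line header such as `/* CRC-32C (Castagnoli) byte-wise lookup table, reflected polynomial 0x82F63B78; required by the PROXY v2 CRC32C TLV */` would document it. The `L` suffix on every literal is redundant for a `uint32_t` initialiser and only adds noise; `0x00000000, 0xF26B8303, …` reads the same.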
@@ -90,6 +158,17 @@
     }
 }

+uint32_t
+haproxy_protocol_crc32c(const uint8_t *data, int len)
+{
+    uint32_t crc = 0xFFFFFFFF;
+    while (len-- > 0)
+    {
+        crc = (crc >> 8) ^ CRC32C_TABLE[(crc ^ (*data++)) & 0xFF];
+    }
+    return (crc ^ 0xFFFFFFFF);
+}
+
 /*
  * Parse a port number from a string.
  *
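Review bot: haproxy_protocol_crc32c takes `int len` while it is called with `header_len` and the file's other lengths are `size_t` (see the HAPROXY_PROTOCOL_V2_ADDR_LEN_* constants above), so the call site relies on an implicit narrowing and a negative value silently computes a CRC over nothing; `size_t len` with `while (len-- > 0)` keeps the loop shape and removes the conversion. The function is also the only one in this hunk region without the block comment the file uses for its other functions (cf. the "Parse a port number" comment right below), so a short header along the lines of "Compute the CRC-32C of len bytes at data, as required for the PROXY v2 CRC32C TLV" would match the local style.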
@@ -317,6 +396,271 @@
 }

 /*
+ * Parse a string based TLV and store the value in 'out'.
+ *
+ * @param tlv_info - The struct containing the garbage collector.
+ * @param out - The output variable to store the parsed value.
+ * @param type_str - A string representation of the TLV type (for logging).
+ * @param len - The length of the TLV value.
+ * @param value - The TLV value.
+ */
+void
+haproxy_protocol_parse_string_tlv(struct haproxy_protocol_tlv_info *tlv_info,
+                                  char **out, char *type_str,
+                                  const uint16_t len, const uint8_t *value)
+{
+    if (len == 0)
+    {
+        msg(M_NONFATAL, "PROXY protocol v2: %s TLV empty", type_str);
+        return;
+    }
+
+    *out = (char *)gc_malloc(len + 1, false, &tlv_info->gc);
+    memcpy(*out, value, len);
+    (*out)[len] = '\0';
+
+    if (type_str)
+    {
+        msg(M_DEBUG, "PROXY protocol v2: %s TLV: %s", type_str, *out);
+    }
+}
+
+/*
+ * Parse the CRC32C TLV and check if it matches the calculated CRC32C.
+ * If there's a mismatch set the parsing state to invalid to drop the header->
+ *
+ * @param len - The length of the TLV value.
+ * @param value - The TLV value.
+ *
+ * @return - true if the CRC32C value matches the calculated CRC32C.
+ */
+bool
+haproxy_protocol_parse_crc32c_tlv(const uint16_t len, const uint8_t *value)
+{
+    if (len != 4)
+    {
+        msg(M_NONFATAL, "PROXY protocol v2: CRC32C TLV invalid length");
+        parsing_state = HAPROXY_PROTOCOL_PARSING_STATE_INVALID;
+        return false;
+    }
+
+    uint32_t expected = ntohl(*(uint32_t *)value);
+
+    /* fill the crc32c field with 0s to calculate the crc32c */
+    *(uint32_t *)value = 0;
+    uint32_t calculated = haproxy_protocol_crc32c((const uint8_t *)header, 
header_len);
+
+    if (expected != calculated)
+    {
+        msg(M_NONFATAL, "PROXY protocol v2: CRC32C mismatch, expected: 0x%08x 
calculated: 0x%08x.", expected, calculated);
+        parsing_state = HAPROXY_PROTOCOL_PARSING_STATE_INVALID;
+        return false;
+    }
+    msg(M_DEBUG, "PROXY protocol v2: CRC32C match");
+    return true;
+}
+
+/*
+ * Parse the UNIQUE_ID TLV and store the value in hpi->unique_id
+ * (and hpi->unique_id_len).
+ *
+ * @param tlv_info - The struct to store the parsed data.
+ * @param len - The length of the TLV value.
+ * @param value - The TLV value.
+ */
+void
+haproxy_protocol_parse_uid_tlv(struct haproxy_protocol_tlv_info *tlv_info,
+                               const uint16_t len, const uint8_t *value)
+{
+    if (len == 0)
+    {
+        msg(M_NONFATAL, "PROXY protocol v2: UNIQUE_ID TLV empty");
+        return;
+    }
+    else if (len > HAPROXY_PROTOCOL_V2_TLV_UNIQUE_ID_MAX_LEN)
+    {
+        msg(M_NONFATAL, "PROXY protocol v2: UNIQUE_ID TLV too long");
+        return;
+    }
+
+    tlv_info->unique_id_len = len;
+    memcpy(tlv_info->unique_id, value, len);
+    msg(M_DEBUG, "PROXY protocol v2: UNIQUE_ID: %.*s", 
(int)tlv_info->unique_id_len, tlv_info->unique_id);
+}
+
+/*
+ * Parse the SSL TLV (and eventually its sub-TLVs) and store the values in
+ * hpi->tlv_info.
+ *
+ * @param tlv_info - The struct to store the parsed data.
+ * @param len - The length of the TLV value.
+ * @param value - The TLV value.
+ */
+void
+haproxy_protocol_parse_ssl_tlv(struct haproxy_protocol_tlv_info *tlv_info,
+                               const uint16_t len, const uint8_t *value)
+{
+    const struct haproxy_protocol_tlv_ssl *ssl = (const struct 
haproxy_protocol_tlv_ssl *)(value);
+    uint16_t pos = sizeof(*ssl);
+
+    if (len == 0)
+    {
+        msg(M_NONFATAL, "PROXY protocol v2: SSL TLV empty");
+        return;
+    }
+
+    if (!ssl->client)
+    {
+        msg(M_NONFATAL, "PROXY protocol v2: SSL TLV invalid client field");
+        return;
+    }
+    if (ssl->client & HAPROXY_PROTOCOL_V2_CLIENT_SSL)
+    {
+        msg(M_DEBUG, "PROXY protocol v2: client connected over SSL/TLS");
+    }
+    if (ssl->client & HAPROXY_PROTOCOL_V2_CLIENT_CERT_CONN)
+    {
+        msg(M_DEBUG, "PROXY protocol v2: client provided a certificate over 
the "
+            "current connection");
+    }
+    if (ssl->client & HAPROXY_PROTOCOL_V2_CLIENT_CERT_SESS)
+    {
+        msg(M_DEBUG, "PROXY protocol v2: client provided a certificate at 
least "
+            "once over the TLS session this connection belongs to");
+    }
+
+    msg(M_DEBUG, "PROXY protocol v2: client certificate verification status: 
%s",
+        ssl->verify ? "failure" : "success");
+    tlv_info->ssl_client = ssl->client;
+    tlv_info->ssl_verify = ssl->verify;
+
+    while (pos < len)
+    {
+        const struct haproxy_protocol_tlv *sub = (const struct 
haproxy_protocol_tlv *)(value + pos);
+        uint16_t sub_len = (sub->length_hi << 8) | sub->length_lo;
+        if (pos + sizeof(*sub) + sub_len > len)
+        {
+            msg(M_NONFATAL, "PROXY protocol v2: SSL sub-TLV length (%d) "
+                "exceeds buffer size (%d)",
+                sub_len, (int)(len - pos - sizeof(*sub)));
+            return;
+        }
+        switch (sub->type)
+        {
+            case HAPROXY_PROTOCOL_TLV_SUBTYPE_SSL_VERSION:
+                haproxy_protocol_parse_string_tlv(tlv_info, 
&tlv_info->ssl_version,
+                                                  "SSL_VERSION", sub_len, 
sub->value);
+                break;
+
+            case HAPROXY_PROTOCOL_TLV_SUBTYPE_SSL_CN:
+                haproxy_protocol_parse_string_tlv(tlv_info, &tlv_info->ssl_cn,
+                                                  "SSL_CN", sub_len, 
sub->value);
+                break;
+
+            case HAPROXY_PROTOCOL_TLV_SUBTYPE_SSL_CIPHER:
+                haproxy_protocol_parse_string_tlv(tlv_info, 
&tlv_info->ssl_cipher,
+                                                  "SSL_CIPHER", sub_len, 
sub->value);
+                break;
+
+            case HAPROXY_PROTOCOL_TLV_SUBTYPE_SSL_SIG_ALG:
+                haproxy_protocol_parse_string_tlv(tlv_info, 
&tlv_info->ssl_sig_alg,
+                                                  "SSL_SIG_ALG", sub_len, 
sub->value);
+                break;
+
+            case HAPROXY_PROTOCOL_TLV_SUBTYPE_SSL_KEY_ALG:
+                haproxy_protocol_parse_string_tlv(tlv_info, 
&tlv_info->ssl_key_alg,
+                                                  "SSL_KEY_ALG", sub_len, 
sub->value);
+                break;
+
+            default:
+                msg(M_NONFATAL, "PROXY protocol v2: SSL unknown sub-TLV type 
0x%02x", sub->type);
+                break;
+        }
+        pos += sizeof(*sub) + sub_len;
+    }
+}
+
+/*
+ * Parse a TLV and store the value in the haproxy protocol info structure.
+ *
+ * @param hpi - The haproxy protocol info structure to store the parsed data.
+ * @param type - The TLV type.
+ * @param len - The length of the TLV value.
+ * @param value - The TLV value.
+ */
+void
+haproxy_protocol_parse_tlv(struct haproxy_protocol_tlv_info *tlv_info,
+                           const uint8_t type, const uint16_t len,
+                           const uint8_t *value)
+{
+    switch (type)
+    {
+        case HAPROXY_PROTOCOL_TLV_TYPE_ALPN:
+            haproxy_protocol_parse_string_tlv(tlv_info, &tlv_info->alpn, 
"ALPN", len, value);
+            break;
+
+        case HAPROXY_PROTOCOL_TLV_TYPE_AUTHORITY:
+            haproxy_protocol_parse_string_tlv(tlv_info, &tlv_info->authority, 
"AUTHORITY", len, value);
+            break;
+
+        case HAPROXY_PROTOCOL_TLV_TYPE_CRC32C:
+            haproxy_protocol_parse_crc32c_tlv(len, value);
+            break;
+
+        case HAPROXY_PROTOCOL_TLV_TYPE_NOOP:
+            break;
+
+        case HAPROXY_PROTOCOL_TLV_TYPE_UNIQUE_ID:
+            haproxy_protocol_parse_uid_tlv(tlv_info, len, value);
+            break;
+
+        case HAPROXY_PROTOCOL_TLV_TYPE_SSL:
+            haproxy_protocol_parse_ssl_tlv(tlv_info, len, value);
+            break;
+
+        case HAPROXY_PROTOCOL_TLV_TYPE_NETNS:
+            haproxy_protocol_parse_string_tlv(tlv_info, &tlv_info->netns, 
"NETNS", len, value);
+            break;
+
+        default:
+            msg(M_NONFATAL, "PROXY protocol v2: unknown TLV type 0x%02x", 
type);
+            break;
+    }
+}
+
+/*
+ * Parse the TLVs in the PROXY protocol v2 header->
+ *
+ * @param hpi - The haproxy protocol info structure to store the parsed data.
+ * @param buf - The buffer containing the TLVs.
+ * @param buf_len - The length of the buffer.
+ *
+ * @return - The number of bytes parsed or -1 if an error occurred.
+ */
+int
+haproxy_protocol_parse_tlvs(struct haproxy_protocol_tlv_info *tlv_info,
+                            const uint8_t *buf, const int buf_len)
+{
+    const uint8_t *end = buf + buf_len;
+    const uint8_t *start = buf;
+
+    tlv_info->gc = gc_new();
+    while (buf < end && parsing_state == HAPROXY_PROTOCOL_PARSING_STATE_OK)
+    {
+        const struct haproxy_protocol_tlv *tlv = (const struct 
haproxy_protocol_tlv *)buf;
+        uint16_t tlv_len = (tlv->length_hi << 8) | tlv->length_lo;
+        if (buf + sizeof(*tlv) + tlv_len > end)
+        {
+            msg(M_NONFATAL, "PROXY protocol v2: TLV length exceeds buffer 
size");
+            return -1;
+        }
+        haproxy_protocol_parse_tlv(tlv_info, tlv->type, tlv_len, tlv->value);
+        buf += sizeof(*tlv) + tlv_len;
+    }
+    return (int)(buf - start);
+}
+
+/*
  * Parse the PROXY protocol v2 header
  *
  * @param hpi - The haproxy protocol info structure to store the parsed data.
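Review bot: haproxy_protocol_parse_tlvs reads `tlv->length_hi`/`length_lo` before checking that the three-byte TLV header itself lies within the buffer, so a trailing one or two bytes are read out of bounds; the SSL sub-TLV loop in haproxy_protocol_parse_ssl_tlv has the same gap, and that function also dereferences `ssl->client` and `ssl->verify` (five bytes) after rejecting only `len == 0`, so an SSL TLV of length 1–4 reads past `value`. In haproxy_protocol_parse_crc32c_tlv, `*(uint32_t *)value` is an unaligned, type-punned access into a byte buffer (the TLV sits at an arbitrary offset of a packed header) and the store through the `const uint8_t *` mutates the caller's buffer; read the field with `memcpy(&expected, value, sizeof expected)` and, since the zeroing is intentional per the spec, take `uint8_t *value` and zero it with `memset`. On a length error parse_tlvs only returns -1 and leaves `parsing_state` at OK, so the caller must honour that return or the truncated header is still accepted. `tlv_info->ssl_verify = ssl->verify` stores the wire word as-is while the CRC path converts with `ntohl`; if ssl_verify is meant to be a host-order value it presumably needs the same conversion. Separately, the doc comments at the CRC32C function and at parse_tlvs say `header->` where `header.` was meant, and haproxy_protocol_parse_string_tlv tests `type_str` for NULL only after having already passed it to `msg` in the `len == 0` branch.
```c
/* … unchanged: haproxy_protocol_parse_ssl_tlv up to the len == 0 check … */
    if (len < sizeof(*ssl))
    {
        msg(M_NONFATAL, "PROXY protocol v2: SSL TLV too short");
        return;
    }
/* … unchanged: client / verify handling … */
    while (pos < len)
    {
        if ((size_t)(len - pos) < sizeof(struct haproxy_protocol_tlv))
        {
            msg(M_NONFATAL, "PROXY protocol v2: truncated SSL sub-TLV header");
            return;
        }
/* … unchanged: sub pointer, sub_len, value-length check and switch … */

/* … unchanged: haproxy_protocol_parse_tlvs prologue … */
    while (buf < end && parsing_state == HAPROXY_PROTOCOL_PARSING_STATE_OK)
    {
        if ((size_t)(end - buf) < sizeof(struct haproxy_protocol_tlv))
        {
            msg(M_NONFATAL, "PROXY protocol v2: truncated TLV header");
            return -1;
        }
        const struct haproxy_protocol_tlv *tlv = (const struct haproxy_protocol_tlv *)buf;
        uint16_t tlv_len = (tlv->length_hi << 8) | tlv->length_lo;
        /* compare remaining bytes instead of forming a pointer past end */
        if ((size_t)(end - buf) - sizeof(*tlv) < tlv_len)
        {
            msg(M_NONFATAL, "PROXY protocol v2: TLV length exceeds buffer size");
            return -1;
        }
/* … unchanged: parse_tlv call and advance … */
```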
@@ -452,7 +796,9 @@
         {
             if ((header->v2.ver_cmd & HAPROXY_PROTOCOL_V2_VER_MASK) == 
HAPROXY_PROTOCOL_V2_VER)
             {
-                haproxy_protocol_parse_v2(hpi);
+                const int pos = haproxy_protocol_parse_v2(hpi);
+                haproxy_protocol_parse_tlvs(&hpi->tlv, buf + pos,
+                                            header_len - pos);
                 if (parsing_state != HAPROXY_PROTOCOL_PARSING_STATE_OK)
                 {
                     msg(M_DEBUG, "PROXY protocol v2: %s header",
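Review bot: The return value of haproxy_protocol_parse_tlvs is discarded on the added call, and that function signals a TLV overrunning the header only through its -1 return without touching `parsing_state`, so a header with a malformed TLV section still passes the `parsing_state != OK` check on the next line. The call should be `if (haproxy_protocol_parse_tlvs(&hpi->tlv, buf + pos, header_len - pos) < 0) { parsing_state = HAPROXY_PROTOCOL_PARSING_STATE_INVALID; }`. haproxy_protocol_parse_v2 is outside this hunk; if it can fail and then return something other than a valid offset, `header_len - pos` would need to be guarded as well — worth confirming its contract before relying on `pos`. The enclosing function starts and ends outside the hunk.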
@@ -484,4 +830,5 @@
     header = NULL;
     header_len = 0;
     parsing_state = HAPROXY_PROTOCOL_PARSING_STATE_OK;
+    gc_free(&hpi->tlv.gc);
 }
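Review bot: After `gc_free(&hpi->tlv.gc)` the `char *` members of `hpi->tlv` (alpn, authority, ssl_*, netns) still point into the released arena, and `unique_id_len`/`ssl_client`/`ssl_verify` keep their old values, so a second parse into the same `hpi` that carries fewer TLVs would see stale or dangling data; clearing the whole sub-struct after the free, `memset(&hpi->tlv, 0, sizeof(hpi->tlv));`, keeps reset actually resetting. This presumes gc_free releases the allocations made by gc_malloc — confirm against gc_arena's semantics. The enclosing function starts outside the hunk.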
diff --git a/src/openvpn/haproxy_protocol.h b/src/openvpn/haproxy_protocol.h
index 5ffcfa5..6415bf2 100644
--- a/src/openvpn/haproxy_protocol.h
+++ b/src/openvpn/haproxy_protocol.h
@@ -88,6 +88,22 @@
     HAPROXY_PROTOCOL_VERSION_2,
 } haproxy_protocol_version_t;

+struct haproxy_protocol_tlv
+{
+    uint8_t type;
+    uint8_t length_hi;
+    uint8_t length_lo;
+    uint8_t value[0];
+};
+
+#pragma pack(push, 1)
+struct haproxy_protocol_tlv_ssl
+{
+    uint8_t client;
+    uint32_t verify;
+} __attribute__((packed));
+#pragma pack(pop)
+
 #pragma pack(push, 1)
 typedef union
 {
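Review bot: `uint8_t value[0];` in struct haproxy_protocol_tlv is a GNU zero-length array, not standard C; the C99 flexible array member `uint8_t value[];` expresses the same trailing-bytes layout portably and `sizeof(*tlv)` stays 3 as the parser relies on. The struct is also used as an overlay on received bytes, so a short comment stating that it mirrors the on-wire TLV header (type, big-endian 16-bit length, value) and must stay unpadded would help the next reader, who otherwise has to infer it from the `length_hi`/`length_lo` split.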
@@ -127,12 +143,32 @@
 } __attribute__((packed)) haproxy_protocol_header_t;
 #pragma pack(pop)

+struct haproxy_protocol_tlv_info
+{
+    struct gc_arena gc;
+
+    char *alpn;
+    char *authority;
+    uint8_t unique_id[HAPROXY_PROTOCOL_V2_TLV_UNIQUE_ID_MAX_LEN + 1];
+    uint16_t unique_id_len;
+    uint8_t ssl_client;
+    uint32_t ssl_verify;
+    char *ssl_version;
+    char *ssl_cn;
+    char *ssl_cipher;
+    char *ssl_sig_alg;
+    char *ssl_key_alg;
+    char *netns;
+};
+
 struct haproxy_protocol_info
 {
     haproxy_protocol_version_t version;
     int sock_type;
     struct openvpn_sockaddr src;
     struct openvpn_sockaddr dst;
+
+    struct haproxy_protocol_tlv_info tlv;
 };

 /*
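Review bot: struct haproxy_protocol_tlv_info has no comment on who owns its `char *` members; from the .c hunks they are allocated from `gc` by haproxy_protocol_parse_string_tlv and the arena is freed in haproxy_protocol_reset, which is exactly the kind of lifetime rule a header should state. A comment such as "String members are allocated from gc and remain valid until haproxy_protocol_reset(); unique_id is raw bytes, not NUL-terminated" above the struct would cover it, and if the structure is expected to be zero-initialised by the caller so that a NULL member means "TLV absent", that should be said as well rather than left to the unit test's memset. The `+ 1` in the `unique_id` array size is unexplained given that `unique_id_len` is stored separately.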
diff --git a/tests/unit_tests/openvpn/test_haproxy_protocol.c 
b/tests/unit_tests/openvpn/test_haproxy_protocol.c
index 0464315..f1070ce 100644
--- a/tests/unit_tests/openvpn/test_haproxy_protocol.c
+++ b/tests/unit_tests/openvpn/test_haproxy_protocol.c
@@ -121,6 +121,19 @@
     HP2_V4_DST_PORT,
 };

+static uint8_t HP2_TEST_WRONG_CRC32C[] = {
+    HP2_SIG,
+    HAPROXY_PROTOCOL_V2_VER | HAPROXY_PROTOCOL_V2_PROXY_CMD,
+    HAPROXY_PROTOCOL_V2_AF_INET | HAPROXY_PROTOCOL_V2_TP_STREAM,
+    0x00, 0x7c, /* length */
+    HP2_V4_SRC_ADDR,
+    HP2_V4_DST_ADDR,
+    HP2_V4_SRC_PORT,
+    HP2_V4_DST_PORT,
+    HP2_TLV,
+    0x03, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00 /* crc32c */
+};
+
 static uint8_t HP2_TEST_PROXY_TCP4[] = {
     HP2_SIG,
     HAPROXY_PROTOCOL_V2_VER | HAPROXY_PROTOCOL_V2_PROXY_CMD,
@@ -232,9 +245,30 @@
 }

 static bool
+compare_hpi_tlv(void **state, struct haproxy_protocol_info *actual, struct 
haproxy_protocol_info *expected)
+{
+    return strcmp(actual->tlv.alpn, expected->tlv.alpn) == 0
+           && strcmp(actual->tlv.authority, expected->tlv.authority) == 0
+           && actual->tlv.unique_id_len == expected->tlv.unique_id_len
+           && memcmp(actual->tlv.unique_id, expected->tlv.unique_id, 
actual->tlv.unique_id_len) == 0
+           && actual->tlv.ssl_client == expected->tlv.ssl_client
+           && actual->tlv.ssl_verify == expected->tlv.ssl_verify
+           && strcmp(actual->tlv.ssl_version, expected->tlv.ssl_version) == 0
+           && strcmp(actual->tlv.ssl_cn, expected->tlv.ssl_cn) == 0
+           && strcmp(actual->tlv.ssl_cipher, expected->tlv.ssl_cipher) == 0
+           && strcmp(actual->tlv.ssl_sig_alg, expected->tlv.ssl_sig_alg) == 0
+           && strcmp(actual->tlv.ssl_key_alg, expected->tlv.ssl_key_alg) == 0
+           && strcmp(actual->tlv.netns, expected->tlv.netns) == 0;
+}
+
+static bool
 compare_hpi(void **state, struct haproxy_protocol_info *actual, struct 
haproxy_protocol_info *expected)
 {
-    return compare_hpi_basic(state, actual, expected);
+    if (actual->version != HAPROXY_PROTOCOL_VERSION_2)
+    {
+        return compare_hpi_basic(state, actual, expected);
+    }
+    return compare_hpi_basic(state, actual, expected) && 
compare_hpi_tlv(state, actual, expected);
 }

 static int
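Review bot: compare_hpi_tlv calls `strcmp` on every string member unconditionally, but a v2 header that carries no ALPN/AUTHORITY/NETNS/SSL TLV leaves the corresponding `actual->tlv` pointer NULL (the parser never assigns it), so this comparison dereferences NULL for any v2 fixture that omits a TLV; the `memcmp` on unique_id is fine because the lengths are compared first. A null-safe helper keeps the comparison readable and lets the test also assert that an absent TLV stays NULL on both sides.
```c
/* null-safe string compare: an absent TLV leaves the pointer NULL */
static bool
str_eq(const char *a, const char *b)
{
    if (!a || !b)
    {
        return a == b;
    }
    return strcmp(a, b) == 0;
}

static bool
compare_hpi_tlv(void **state, struct haproxy_protocol_info *actual, struct haproxy_protocol_info *expected)
{
    return str_eq(actual->tlv.alpn, expected->tlv.alpn)
           && str_eq(actual->tlv.authority, expected->tlv.authority)
           /* … unchanged: unique_id_len, unique_id, ssl_client, ssl_verify comparisons … */
           && str_eq(actual->tlv.ssl_version, expected->tlv.ssl_version)
           /* … unchanged: ssl_cn, ssl_cipher, ssl_sig_alg, ssl_key_alg via str_eq … */
           && str_eq(actual->tlv.netns, expected->tlv.netns);
}
```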
@@ -305,6 +339,11 @@
     memset((actual), 0, sizeof(struct haproxy_protocol_info));
     assert_false(haproxy_protocol_parse(actual, HP2_TEST_LOCAL, 
sizeof(HP2_TEST_LOCAL)));

+    /* v2 wrong crc32c */
+    haproxy_protocol_reset(actual);
+    memset((actual), 0, sizeof(struct haproxy_protocol_info));
+    assert_false(haproxy_protocol_parse(actual, HP2_TEST_WRONG_CRC32C, 
sizeof(HP2_TEST_WRONG_CRC32C)));
+
     /* v2 TCP4 */
     haproxy_protocol_reset(actual);
     haproxy_protocol_reset(expected);
@@ -318,6 +357,18 @@
     expected->dst.addr.in4.sin_family = AF_INET;
     expected->dst.addr.in4.sin_port = ntohs(1195);
     expected->dst.addr.in4.sin_addr.s_addr = htonl(0x0a0a1401);
+    expected->tlv.alpn = "h23";
+    expected->tlv.authority = "example.com";
+    expected->tlv.unique_id_len = 15;
+    memcpy(expected->tlv.unique_id, 
"\x75\x6E\x69\x71\x75\x65\x2D\x69\x64\x2D\x76\x61\x6C\x75\x65", 15);
+    expected->tlv.ssl_client = HAPROXY_PROTOCOL_V2_CLIENT_SSL;
+    expected->tlv.ssl_verify = 0;
+    expected->tlv.ssl_version = "TLS1.3";
+    expected->tlv.ssl_cn = "client";
+    expected->tlv.ssl_cipher = "AES256";
+    expected->tlv.ssl_sig_alg = "SHA256";
+    expected->tlv.ssl_key_alg = "RSA2048";
+    expected->tlv.netns = "netns-1";
     haproxy_protocol_parse(actual, HP2_TEST_PROXY_TCP4, 
sizeof(HP2_TEST_PROXY_TCP4));
     assert_true(compare_hpi(state, actual, expected));

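Review bot: The twelve `expected->tlv.*` assignments added for the TCP4 case are repeated verbatim in the TCP6 hunk that follows, including the 15-byte unique_id literal, so any change to the shared HP2_TLV fixture has to be edited in two places. A small static helper, say `set_expected_tlv(struct haproxy_protocol_info *expected)`, holding these assignments and called from both cases would keep the fixtures in one spot; the same applies to the TCP6 hunk.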
@@ -334,6 +385,18 @@
     expected->dst.addr.in6.sin6_family = AF_INET6;
     expected->dst.addr.in6.sin6_port = ntohs(1195);
     inet_pton(AF_INET6, "2001:db8:20::1", &expected->dst.addr.in6.sin6_addr);
+    expected->tlv.alpn = "h23";
+    expected->tlv.authority = "example.com";
+    expected->tlv.unique_id_len = 15;
+    memcpy(expected->tlv.unique_id, 
"\x75\x6E\x69\x71\x75\x65\x2D\x69\x64\x2D\x76\x61\x6C\x75\x65", 15);
+    expected->tlv.ssl_client = HAPROXY_PROTOCOL_V2_CLIENT_SSL;
+    expected->tlv.ssl_verify = 0;
+    expected->tlv.ssl_version = "TLS1.3";
+    expected->tlv.ssl_cn = "client";
+    expected->tlv.ssl_cipher = "AES256";
+    expected->tlv.ssl_sig_alg = "SHA256";
+    expected->tlv.ssl_key_alg = "RSA2048";
+    expected->tlv.netns = "netns-1";
     haproxy_protocol_parse(actual, HP2_TEST_PROXY_TCP6, 
sizeof(HP2_TEST_PROXY_TCP6));
     assert_true(compare_hpi(state, actual, expected));


--

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia593f72f6baa6e16d2fd9b21b383b709682f9499
Gerrit-Change-Number: 686
Gerrit-PatchSet: 2
Gerrit-Owner: ralf_lici <r...@mandelbit.com>
Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com>
Gerrit-Reviewer: plaisthos <arne-open...@rfc2549.org>
Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Gerrit-Attention: plaisthos <arne-open...@rfc2549.org>
Gerrit-Attention: ralf_lici <r...@mandelbit.com>
Gerrit-MessageType: newpatchset