REGTESTS: add a regtest to validate various NTLM transitions

This test first performs two successive requests over the same connection where reuse is expected, then perform two 401 which must both work, testing both the transition from null->sess, and sess->sess. This test could be backported to detect changes related to private sessions. Thanks to Omkhar Arasaratnam for the test.
2026-05-05 04:56:10 +02:00 · 2026-05-04 18:53:33 +02:00 · 2026-05-04 18:53:33 +02:00 · dae302d479
commit dae302d479
parent 4fc1e39371
1 changed files with 55 additions and 0 deletions
--- a/reg-tests/http-messaging/http-ntlm.vtc
+++ b/reg-tests/http-messaging/http-ntlm.vtc
@ -0,0 +1,55 @@
+varnishtest "NTLM/Negotiate detection on reused H1 backend triggers NULL session deref"
+
+feature ignore_unknown_macro
+
+server s1 {
+    rxreq
+    txresp
+
+    rxreq
+    txresp
+
+    rxreq
+    txresp -status 401 -hdr "WWW-Authenticate: NTLM"
+
+    rxreq
+    txresp -status 401 -hdr "WWW-Authenticate: NTLM"
+} -start
+
+haproxy h1 -conf {
+    global
+        nbthread 1
+
+    defaults
+        mode http
+        option http-keep-alive
+        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+        timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
+        timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"
+
+    frontend fe
+        bind "fd@${fe}"
+        default_backend be
+
+    backend be
+        http-reuse always
+        server srv ${s1_addr}:${s1_port}
+} -start
+
+client c1 -connect ${h1_fe_sock} {
+    txreq -url "/"
+    rxresp
+    expect resp.status == 200
+
+    txreq -url "/"
+    rxresp
+    expect resp.status == 200
+
+    txreq -url "/"
+    rxresp
+    expect resp.status == 401
+
+    txreq -url "/"
+    rxresp
+    expect resp.status == 401
+} -run