From dae302d479816c7d23c78c125a346245082e0852 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Mon, 4 May 2026 18:53:33 +0200
Subject: [PATCH] REGTESTS: add a regtest to validate various NTLM transitions

This test first performs two successive requests over the same connection where reuse is expected, then perform two 401 which must both work, testing both the transition from null->sess, and sess->sess. This test could be backported to detect changes related to private sessions. Thanks to Omkhar Arasaratnam for the test.
---
reg-tests/http-messaging/http-ntlm.vtc | 55 ++++++++++++++++++++++++++
1 file changed, 55 insertions(+)
create mode 100644 reg-tests/http-messaging/http-ntlm.vtc
diff --git a/reg-tests/http-messaging/http-ntlm.vtc b/reg-tests/http-messaging/http-ntlm.vtc
new file mode 100644
index 000000000..dccad8ff6
--- /dev/null
+++ b/reg-tests/http-messaging/http-ntlm.vtc
@@ -0,0 +1,55 @@
+varnishtest "NTLM/Negotiate detection on reused H1 backend triggers NULL session deref"
+
+feature ignore_unknown_macro
+
+server s1 {
+ rxreq
+ txresp
+
+ rxreq
+ txresp
+
+ rxreq
+ txresp -status 401 -hdr "WWW-Authenticate: NTLM"
+
+ rxreq
+ txresp -status 401 -hdr "WWW-Authenticate: NTLM"
+} -start
+
+haproxy h1 -conf {
+ global
+ nbthread 1
+
+ defaults
+ mode http
+ option http-keep-alive
+ timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
+ timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
+
+ frontend fe
+ bind "fd@${fe}"
+ default_backend be
+
+ backend be
+ http-reuse always
+ server srv ${s1_addr}:${s1_port}
+} -start
+
+client c1 -connect ${h1_fe_sock} {
+ txreq -url "/"
+ rxresp
+ expect resp.status == 200
+
+ txreq -url "/"
+ rxresp
+ expect resp.status == 200
+
+ txreq -url "/"
+ rxresp
+ expect resp.status == 401
+
+ txreq -url "/"
+ rxresp
+ expect resp.status == 401
+} -run
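Review bot: The test only shows that HAProxy survives the two 401 responses; nothing in it checks that the server connection stops being shared once `WWW-Authenticate: NTLM` is seen, which is presumably the property the commit message means by "private sessions" and the one that keeps connection-bound authentication from being handed to another client. All four requests come from the single client `c1`, so a regression that leaves the connection reusable under `http-reuse always` would still pass; a second client issued while that server connection is still open, expected to land on a fresh server-side connection, would pin the isolation down. The title also announces NTLM/Negotiate while both 401 responses in `server s1` send only NTLM, so either add a `txresp -status 401 -hdr "WWW-Authenticate: Negotiate"` case or narrow the title. A short comment above the last two exchanges, e.g. `# 3rd/4th request: 401 + NTLM, exercises null->sess then sess->sess`, would tie the steps to the commit message.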