authorGlenn Strauss <gstrauss@gluelogic.com>2016-07-16 23:25:53 -0400
committerGlenn Strauss <gstrauss@gluelogic.com>2016-07-16 23:25:53 -0400
commit00cc4d7c0ecd9be2c5f1cd6a5397b78f75830905 (patch)
tree4e3e0cb9511ba0fa9aa67040db980370dd147ddd /tests
parent052a049f29ca7478d5e86924add77bce481d68bf (diff)
downloadlighttpd1.4-00cc4d7c0ecd9be2c5f1cd6a5397b78f75830905.tar.gz
lighttpd1.4-00cc4d7c0ecd9be2c5f1cd6a5397b78f75830905.zip
[mod_auth] fix Digest auth to be better than Basic (fixes #1844)
Make Digest authentication more compliant with RFC. Excerpt from https://www.rfc-editor.org/rfc/rfc7616.txt Section 5.13: The bottom line is that any compliant implementation will be relatively weak by cryptographic standards, but any compliant implementation will be far superior to Basic Authentication. x-ref: "Serious security problem in Digest Authentication" https://redmine.lighttpd.net/issues/1844
Diffstat (limited to 'tests')
-rwxr-xr-xtests/mod-auth.t49
1 files changed, 28 insertions, 21 deletions
diff --git a/tests/mod-auth.t b/tests/mod-auth.t
index cc03aa8a..ba76b040 100755
--- a/tests/mod-auth.t
+++ b/tests/mod-auth.t
@@ -8,7 +8,7 @@ BEGIN {
use strict;
use IO::Socket;
-use Test::More tests => 19;
+use Test::More tests => 20;
use LightyTest;
my $tf = LightyTest->new();
@@ -133,6 +133,9 @@ EOF
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
ok($tf->handle_http($t) == 0, 'Digest-Auth: missing qop, no crash');
+# (Note: test case is invalid; mismatch between request line and uri="..."
+# is not what is intended to be tested here, but that is what is invalid)
+# https://redmine.lighttpd.net/issues/477
## this should not crash
$t->{REQUEST} = ( <<EOF
GET /server-status HTTP/1.0
@@ -155,34 +158,38 @@ EOF
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
ok($tf->handle_http($t) == 0, 'Basic-Auth: Invalid Base64');
-
$t->{REQUEST} = ( <<EOF
GET /server-status HTTP/1.0
-User-Agent: Wget/1.9.1
-Authorization: Digest username="jan", realm="jan",
- nonce="b1d12348b4620437c43dd61c50ae4639", algorithm="md5-sess",
- uri="/MJ-BONG.xm.mpc", qop=auth, noncecount=00000001",
- cnonce="036FCA5B86F7E7C4965C7F9B8FE714B7",
- nc="asd",
- response="29B32C2953C763C6D033C8A49983B87E"
+Authorization: Digest username="jan", realm="download archiv",
+ nonce="b3b26457000000003a9b34a3cd56d26e48a52a498ac9765d4b",
+ uri="/server-status", qop=auth, nc=00000001,
+ algorithm="md5-sess", response="049b000fb00ab51dddea6f093a96aa2e"
EOF
);
-$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 400 } ];
ok($tf->handle_http($t) == 0, 'Digest-Auth: md5-sess + missing cnonce');
-$t->{REQUEST} = ( <<EOF
+ $t->{REQUEST} = ( <<EOF
GET /server-status HTTP/1.0
-User-Agent: Wget/1.9.1
-Authorization: Digest username="jan", realm="jan",
- nonce="b1d12348b4620437c43dd61c50ae4639", algorithm="md5-sess",
- uri="/MJ-BONG.xm.mpc", qop=auth, noncecount=00000001",
- cnonce="036FCA5B86F7E7C4965C7F9B8FE714B7",
- nc="asd",
- response="29B32C2953C763C6D033C8A49983B87E"
+Authorization: Digest username="jan", realm="download archiv",
+ nonce="b3b26457000000003a9b34a3cd56d26e48a52a498ac9765d4b",
+ uri="/server-status", qop=auth, nc=00000001, cnonce="65ee1b37",
+ algorithm="md5", response="049b000fb00ab51dddea6f093a96aa2e"
EOF
- );
-$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
-ok($tf->handle_http($t) == 0, 'Digest-Auth: trailing WS');
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401, 'WWW-Authenticate' => '/, stale=true$/' } ];
+ok($tf->handle_http($t) == 0, 'Digest-Auth: stale nonce');
+
+$t->{REQUEST} = ( <<EOF
+GET /server-status HTTP/1.0
+Authorization: Digest username="jan", realm="download archiv",
+ nonce="b3b26457000000003a9b34a3cd56d26e48a52a498ac9765d4b",
+ uri="/server-status", qop=auth, nc=00000001, cnonce="65ee1b37",
+ algorithm="md5", response="049b000fb00ab51dddea6f093a96aa2e"
+EOF
+ ); # note: trailing whitespace at end of request line above is intentional
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401, 'WWW-Authenticate' => '/, stale=true$/' } ];
+ok($tf->handle_http($t) == 0, 'Digest-Auth: trailing WS, stale nonce');
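Review bot: The `$t->{REQUEST} = ( <<EOF` assignment for the 'stale nonce' case has a stray leading space, unlike the same statement for the 'missing cnonce' and 'trailing WS' cases; drop it so the three blocks line up: `$t->{REQUEST} = ( <<EOF`. The 'trailing WS, stale nonce' case depends on whitespace at the end of the `GET /server-status HTTP/1.0` line inside the heredoc, which is invisible and is exactly what editors and whitespace-stripping hooks remove; the comment after `EOF` helps, but making the byte explicit is more robust, e.g. `$t->{REQUEST} = ( "GET /server-status HTTP/1.0\x20\n" . <<EOF` with the heredoc then holding only the Authorization header. The same `response="049b000fb00ab51dddea6f093a96aa2e"` value is reused across the 400 and both stale-nonce cases, so none of these three requests should reach digest verification; a one-line comment such as `# response value is a placeholder: the request is rejected before the digest is checked` would make that intent clear to the next reader. Whether the file contains a positive test that a correct Digest response is accepted after this change is not visible in this hunk; the rest of the script lies outside it.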