author | Stefan Bühler <stbuehler@web.de> | 2015-11-22 22:22:22 +0000 |
---|---|---|
committer | Stefan Bühler <stbuehler@web.de> | 2015-11-22 22:22:22 +0000 |
commit | bfaa48260a1870ed102e3e4801a18bcb29369a89 (patch) | |
tree | 383b16df82d121bcdb43e2d18c6ce70857630e0a /tests | |
parent | b0a44212724d86b9ec8434337d53de69780f1a07 (diff) | |
download | lighttpd-git-bfaa48260a1870ed102e3e4801a18bcb29369a89.tar.gz |
[mod_secdownload] add required algorithm option; old behaviour available as "md5", new options "hmac-sha1" and "hmac-sha256"
Differential Revision: https://review.lighttpd.net/D7
From: Stefan Bühler <stbuehler@web.de>
git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@3054 152afb58-edef-0310-8abb-c4023f1b3aa9
Diffstat (limited to 'tests')
-rw-r--r-- | tests/lighttpd.conf | 19 | ||||
-rwxr-xr-x | tests/mod-secdownload.t | 130 |
2 files changed, 136 insertions, 13 deletions
diff --git a/tests/lighttpd.conf b/tests/lighttpd.conf index 83eee0e5..1893c5d4 100644 --- a/tests/lighttpd.conf +++ b/tests/lighttpd.conf @@ -170,6 +170,25 @@ $HTTP["host"] == "vvv.example.org" { secdownload.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/" secdownload.uri-prefix = "/sec/" secdownload.timeout = 120 + secdownload.algorithm = "md5" +} + +$HTTP["host"] == "vvv-sha1.example.org" { + server.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/" + secdownload.secret = "verysecret" + secdownload.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/" + secdownload.uri-prefix = "/sec/" + secdownload.timeout = 120 + secdownload.algorithm = "hmac-sha1" +} + +$HTTP["host"] == "vvv-sha256.example.org" { + server.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/" + secdownload.secret = "verysecret" + secdownload.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/" + secdownload.uri-prefix = "/sec/" + secdownload.timeout = 120 + secdownload.algorithm = "hmac-sha256" } $HTTP["host"] == "zzz.example.org" { diff --git a/tests/mod-secdownload.t b/tests/mod-secdownload.t index c8cad385..96baf9d7 100755 --- a/tests/mod-secdownload.t +++ b/tests/mod-secdownload.t @@ -8,9 +8,11 @@ BEGIN { use strict; use IO::Socket; -use Test::More tests => 7; +use Test::More tests => 15; use LightyTest; use Digest::MD5 qw(md5_hex); +use Digest::SHA qw(hmac_sha1 hmac_sha256); +use MIME::Base64 qw(encode_base64url); my $tf = LightyTest->new(); my $t; 
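Review bot: The added `use MIME::Base64 qw(encode_base64url);` in the import hunk of tests/mod-secdownload.t relies on a function that MIME::Base64 only exports from version 3.11 onward. On an older Perl install the whole test file then fails at compile time with an export error, taking the MD5 cases down with it. Stating the requirement makes the failure self-explanatory: `use MIME::Base64 3.11 qw(encode_base64url);`. If older build hosts still matter, a small local fallback would do instead, namely `encode_base64` followed by `tr{+/}{-_}` and stripping the `=` padding.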
@@ -18,9 +20,21 @@ my $t; ok($tf->start_proc == 0, "Starting lighttpd") or die(); my $secret = "verysecret"; -my $f = "/index.html"; -my $thex = sprintf("%08x", time); -my $m = md5_hex($secret.$f.$thex); +my ($f, $thex, $m); + +$t->{REQUEST} = ( <<EOF +GET /index.html HTTP/1.0 +Host: www.example.org +EOF + ); +$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ]; + +ok($tf->handle_http($t) == 0, 'skipping secdownload - direct access'); + +## MD5 +$f = "/index.html"; +$thex = sprintf("%08x", time); +$m = md5_hex($secret.$f.$thex); $t->{REQUEST} = ( <<EOF GET /sec/$m/$thex$f HTTP/1.0 @@ -29,7 +43,7 @@ EOF ); $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ]; -ok($tf->handle_http($t) == 0, 'secdownload'); +ok($tf->handle_http($t) == 0, 'secdownload (md5)'); $thex = sprintf("%08x", time - 1800); $m = md5_hex($secret.$f.$thex); @@ -41,7 +55,7 @@ EOF ); $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 410 } ]; -ok($tf->handle_http($t) == 0, 'secdownload - gone (timeout)'); +ok($tf->handle_http($t) == 0, 'secdownload - gone (timeout) (md5)'); $t->{REQUEST} = ( <<EOF GET /sec$f HTTP/1.0 
@@ -50,30 +64,120 @@ EOF ); $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ]; -ok($tf->handle_http($t) == 0, 'secdownload - direct access'); +ok($tf->handle_http($t) == 0, 'secdownload - direct access (md5)'); + +$f = "/noexists"; +$thex = sprintf("%08x", time); +$m = md5_hex($secret.$f.$thex); $t->{REQUEST} = ( <<EOF -GET $f HTTP/1.0 -Host: www.example.org +GET /sec/$m/$thex$f HTTP/1.0 +Host: vvv.example.org +EOF + ); +$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ]; + +ok($tf->handle_http($t) == 0, 'secdownload - timeout (md5)'); + +## HMAC-SHA1 +$f = "/index.html"; +$thex = sprintf("%08x", time); +$m = encode_base64url(hmac_sha1("/$thex$f", $secret)); + +$t->{REQUEST} = ( <<EOF +GET /sec/$m/$thex$f HTTP/1.0 +Host: vvv-sha1.example.org EOF ); $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ]; -ok($tf->handle_http($t) == 0, 'secdownload - conditional access'); +ok($tf->handle_http($t) == 0, 'secdownload (hmac-sha1)'); + +$thex = sprintf("%08x", time - 1800); +$m = encode_base64url(hmac_sha1("/$thex$f", $secret)); + +$t->{REQUEST} = ( <<EOF +GET /sec/$m/$thex$f HTTP/1.0 +Host: vvv-sha1.example.org +EOF + ); +$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 410 } ]; + +ok($tf->handle_http($t) == 0, 'secdownload - gone (timeout) (hmac-sha1)'); + +$t->{REQUEST} = ( <<EOF +GET /sec$f HTTP/1.0 +Host: vvv-sha1.example.org +EOF + ); +$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ]; + +ok($tf->handle_http($t) == 0, 'secdownload - direct access (hmac-sha1)'); $f = "/noexists"; $thex = sprintf("%08x", time); -$m = md5_hex($secret.$f.$thex); +$m = encode_base64url(hmac_sha1("/$thex$f", $secret)); $t->{REQUEST} = ( <<EOF GET /sec/$m/$thex$f HTTP/1.0 -Host: vvv.example.org +Host: vvv-sha1.example.org +EOF + ); +$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ]; + +ok($tf->handle_http($t) == 0, 'secdownload - timeout 
(hmac-sha1)'); + +## HMAC-SHA256 +$f = "/index.html"; +$thex = sprintf("%08x", time); +$m = encode_base64url(hmac_sha256("/$thex$f", $secret)); + +$t->{REQUEST} = ( <<EOF +GET /sec/$m/$thex$f HTTP/1.0 +Host: vvv-sha256.example.org +EOF + ); +$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ]; + +ok($tf->handle_http($t) == 0, 'secdownload (hmac-sha256)'); + +$thex = sprintf("%08x", time - 1800); +$m = encode_base64url(hmac_sha256("/$thex$f", $secret)); + +$t->{REQUEST} = ( <<EOF +GET /sec/$m/$thex$f HTTP/1.0 +Host: vvv-sha256.example.org +EOF + ); +$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 410 } ]; + +ok($tf->handle_http($t) == 0, 'secdownload - gone (timeout) (hmac-sha256)'); + +$t->{REQUEST} = ( <<EOF +GET /sec$f HTTP/1.0 +Host: vvv-sha256.example.org +EOF + ); +$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ]; + +ok($tf->handle_http($t) == 0, 'secdownload - direct access (hmac-sha256)'); + + +$f = "/noexists"; +$thex = sprintf("%08x", time); +$m = encode_base64url(hmac_sha256("/$thex$f", $secret)); + +$t->{REQUEST} = ( <<EOF +GET /sec/$m/$thex$f HTTP/1.0 +Host: vvv-sha256.example.org EOF ); $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ]; -ok($tf->handle_http($t) == 0, 'secdownload - timeout'); +ok($tf->handle_http($t) == 0, 'secdownload - timeout (hmac-sha256)'); + +## THE END ok($tf->stop_proc == 0, "Stopping lighttpd"); |
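Review bot: None of the added cases in this hunk sends a well-formed but wrong MAC, so the suite would still pass if the module accepted any token of the right shape. Every request either carries a correctly computed MAC (200, 410, or 404 for `/noexists`) or no token at all. Each algorithm should get one case with a MAC computed under a different key, and the HMAC hosts one case sending an `md5_hex` token to show the configured algorithm is enforced. `tests => 15` in the first hunk has to grow by the number of cases added. Separately, the `/noexists` cases are labelled 'secdownload - timeout (…)' although they exercise a valid token for a missing file; a label such as 'secdownload - valid token, missing file (…)' would match what is tested.

```perl
# … unchanged: valid-token, expired-token, direct-access and /noexists cases for hmac-sha256 …

## invalid MAC must be rejected
$f = "/index.html";
$thex = sprintf("%08x", time);
# MAC computed under a different key than the one configured for this host
$m = encode_base64url(hmac_sha256("/$thex$f", $secret . "-wrong"));

$t->{REQUEST}  = ( <<EOF
GET /sec/$m/$thex$f HTTP/1.0
Host: vvv-sha256.example.org
EOF
 );
# 403 is assumed here; confirm the rejection status against mod_secdownload
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ];

ok($tf->handle_http($t) == 0, 'secdownload - invalid mac (hmac-sha256)');
```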