Use $Restrict

517be163 · Nils Goroll · fc9291af · 517be163 · 517be163 · 517be163
Unverified Commit 517be163 authored Jun 13, 2023 by Nils Goroll
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 13 deletions

vmod_crypto.c src/vmod_crypto.c +5 -13

vmod_crypto.rst src/vmod_crypto.rst +16 -0

vmod_crypto.vcc src/vmod_crypto.vcc +8 -0

No files found.
--- a/src/vmod_crypto.c
+++ b/src/vmod_crypto.c
@@ -227,23 +227,17 @@ vmod_key__fini(struct VPFX(crypto_key) **kp)
 	*kp = NULL;
 }
-static int
+static void
 key_ctx_ok(VRT_CTX)
 {
 	CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);
+	assert(ctx->method == VCL_MET_INIT);
-	if (ctx->method == VCL_MET_INIT)
-		return (1);
-	VRT_fail(ctx, "key methods can only be used in vcl_init {}");
-	return (0);
 }
 VCL_BLOB
 vmod_key_use(VRT_CTX, struct VPFX(crypto_key) *k)
 {
-	if (! key_ctx_ok(ctx))
+	key_ctx_ok(ctx);
-		return (NULL);
 	CHECK_OBJ_NOTNULL(k, VMOD_CRYPTO_KEY_MAGIC);
 	return (VRT_blob(ctx, "xkey.use()", k, sizeof *k, CRYPTO_KEY_BLOB));
@@ -339,8 +333,7 @@ privkey_pem(VRT_CTX, VCL_STRING pem, VCL_STRING password)
 static struct VPFX(crypto_key) *
 crypto_key_ok(VRT_CTX, VCL_STRING name, struct VPFX(crypto_key) *k)
 {
-	if (! key_ctx_ok(ctx))
+	key_ctx_ok(ctx);
-		return (NULL);
 	CHECK_OBJ_NOTNULL(k, VMOD_CRYPTO_KEY_MAGIC);
@@ -381,8 +374,7 @@ vmod_key_rsa(VRT_CTX, struct VPFX(crypto_key) *k, struct VARGS(key_rsa) *args) {
 	EVP_PKEY *pkey;
 	RSA *rsa;
-	if (! key_ctx_ok(ctx))
+	key_ctx_ok(ctx);
-		return;
 	CHECK_OBJ_NOTNULL(k, VMOD_CRYPTO_KEY_MAGIC);

--- a/src/vmod_crypto.rst
+++ b/src/vmod_crypto.rst
@@ -95,6 +95,10 @@ BLOB xkey.use()
 Wrap the key in a blob to be passed to `crypto.verifier()`_
+Restricted to: ``vcl_init``.
 .. _xkey.pem_pubkey():
 VOID xkey.pem_pubkey(STRING)
@@ -108,6 +112,10 @@ comprise RSA and DSA.
 Any error is fatal to vcl initialization.
+Restricted to: ``vcl_init``.
 .. _xkey.pem_privkey():
 VOID xkey.pem_privkey(STRING, STRING password=0)
@@ -122,6 +130,10 @@ comprise RSA and DSA.
 Any error is fatal to vcl initialization.
+Restricted to: ``vcl_init``.
 .. _xkey.rsa():
 VOID xkey.rsa(BLOB n, BLOB e, [BLOB d])
@@ -131,6 +143,10 @@ Create an RSA key from the parameters n, e, and optionally d.
 Any error is fatal to vcl initialization.
+Restricted to: ``vcl_init``.
 .. _crypto.verifier():
 new xverifier = crypto.verifier(ENUM digest, [STRING pem], [BLOB key])

--- a/src/vmod_crypto.vcc
+++ b/src/vmod_crypto.vcc
@@ -48,6 +48,8 @@ $Method BLOB .use()
 Wrap the key in a blob to be passed to `crypto.verifier()`_
+$Restrict vcl_init
 $Method VOID .pem_pubkey(STRING)
 Create a key from the PEM-encoded public key.
@@ -58,6 +60,8 @@ comprise RSA and DSA.
 Any error is fatal to vcl initialization.
+$Restrict vcl_init
 $Method VOID .pem_privkey(STRING, STRING password=0)
 Create a key from the PEM-encoded private key, optionally decrypting
@@ -69,12 +73,16 @@ comprise RSA and DSA.
 Any error is fatal to vcl initialization.
+$Restrict vcl_init
 $Method VOID .rsa(BLOB n, BLOB e, [BLOB d])
 Create an RSA key from the parameters n, e, and optionally d.
 Any error is fatal to vcl initialization.
+$Restrict vcl_init
 $Object verifier(ENUM {md_null, md4, md5, sha1, sha224,
 	sha256, sha384, sha512, ripemd160, rmd160, whirlpool} digest,
 	[STRING pem], [BLOB key])