Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
L
libvmod-gcrypt
Project
Project
Details
Activity
Releases
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
uplex-varnish
libvmod-gcrypt
Commits
521844db
Commit
521844db
authored
May 22, 2017
by
Geoff Simmons
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Various doc fixes.
parent
8ffab708
Pipeline
#217
skipped
Changes
2
Pipelines
1
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
44 additions
and
28 deletions
+44
-28
README.rst
README.rst
+22
-14
vmod_gcrypt.vcc
src/vmod_gcrypt.vcc
+22
-14
No files found.
README.rst
View file @
521844db
...
@@ -94,11 +94,11 @@ This is a simple usage example::
...
@@ -94,11 +94,11 @@ This is a simple usage example::
# header X-Msg. Assign the hex-encoded encrypted message to the
# header X-Msg. Assign the hex-encoded encrypted message to the
# response header X-Cipher, and the hex-encoded counter vector to
# response header X-Cipher, and the hex-encoded counter vector to
# the response header X-Ctr; and remove X-Msg from the response.
# the response header X-Ctr; and remove X-Msg from the response.
sub vcl_
recv
{
sub vcl_
deliver
{
# Use the blobcode VMOD to
decode to convert the contents of
# Use the blobcode VMOD to
convert the contents of X-Msg to a
#
X-Msg to a BLOB, and to encode the encrypted ciphertext in
#
BLOB, and to encode the encrypted ciphertext in hex with
#
hex with lower-case digits. Use the random() function to
#
lower-case digits. Use the random() function to generate a
#
generate a
counter vector as a 128 bit nonce.
# counter vector as a 128 bit nonce.
set resp.http.X-Cipher
set resp.http.X-Cipher
= blobcode.encode(HEXLC,
= blobcode.encode(HEXLC,
aes.encrypt(blobcode.decode(encoded=req.http.X-Msg),
aes.encrypt(blobcode.decode(encoded=req.http.X-Msg),
...
@@ -133,11 +133,11 @@ Varnish:
...
@@ -133,11 +133,11 @@ Varnish:
are lowered when secure memory is initialized. This applies to the
are lowered when secure memory is initialized. This applies to the
varnishd child process.
varnishd child process.
The use of secure memory is
disabled by default. With the VMOD, you
The use of secure memory is
turned off by default for the creation of
can specify the use of secure memory by setting the ``secure`` flag to
new objects. With the VMOD, you can specify the use of secure memory
``true`` in a constructor for symmetric encryption, and configure the
by setting the ``secure`` flag to ``true`` in a constructor for
s
ize of the pool, or disable secure memory, using the ``init()``
s
ymmetric encryption, and configure the size of the pool, or disable
function, as described below.
secure memory, using the ``init()``
function, as described below.
libgcrypt logging
libgcrypt logging
-----------------
-----------------
...
@@ -340,7 +340,8 @@ of the VCL load with an error message, under these conditions:
...
@@ -340,7 +340,8 @@ of the VCL load with an error message, under these conditions:
disabled.
disabled.
* Any failure of the libgcrypt library to initialize internal
* Any failure of the libgcrypt library to initialize internal
structures to be used for this object.
structures to be used for this object. This happens, for example, if
the key length is to short for the chosen cipher.
Examples::
Examples::
...
@@ -579,12 +580,12 @@ Example::
...
@@ -579,12 +580,12 @@ Example::
sub vcl_resp {
sub vcl_resp {
# The length of the IV MUST match the block size of the
# The length of the IV MUST match the block size of the
# cipher in use --
64 bits (8
bytes) for AES. For CBC, the IV
# cipher in use --
128 bits (16
bytes) for AES. For CBC, the IV
# MUST be unpredictable, so we use quality level STRONG.
# MUST be unpredictable, so we use quality level STRONG.
set resp.http.X-Encrypted
set resp.http.X-Encrypted
= blobcode.encode(BASE64,
= blobcode.encode(BASE64,
aes192.encrypt(blobcode.decode(encoded=resp.http.X-Msg),
aes192.encrypt(blobcode.decode(encoded=resp.http.X-Msg),
iv=gcrypt.random(STRONG,
8
B)));
iv=gcrypt.random(STRONG,
16
B)));
# Now call random() with no arguments to retrive the IV that
# Now call random() with no arguments to retrive the IV that
# was generated, to be sent in the base64-encoded response
# was generated, to be sent in the base64-encoded response
...
@@ -792,9 +793,16 @@ the following points, but this list is by no means exhaustive:
...
@@ -792,9 +793,16 @@ the following points, but this list is by no means exhaustive:
never be re-used with the same encryption key. For CBC mode, the IV
never be re-used with the same encryption key. For CBC mode, the IV
must also be unpredictable; for example, the ``STRONG`` quality
must also be unpredictable; for example, the ``STRONG`` quality
level should be used if the ``random()`` function is used to
level should be used if the ``random()`` function is used to
generate IVs for C
FB
. For the other modes, unpredictability is not
generate IVs for C
BC
. For the other modes, unpredictability is not
required, and the ``NONCE`` level is sufficient.
required, and the ``NONCE`` level is sufficient.
* libgcrypt permits certain operations that are poor practice, such as
setting an init vector whose length is not equal to the block length
of a symmetric cipher, but emits a warning message. The VMOD follows
the library in allowing these operations to proceed, but you should
check the Varnish log for the warnings, and correct any such
problems.
* Make sure that you have a secure procedure in place for generating
* Make sure that you have a secure procedure in place for generating
and storing cryptographic keys, and for changing the keys
and storing cryptographic keys, and for changing the keys
periodically.
periodically.
...
...
src/vmod_gcrypt.vcc
View file @
521844db
...
@@ -77,11 +77,11 @@ This is a simple usage example::
...
@@ -77,11 +77,11 @@ This is a simple usage example::
# header X-Msg. Assign the hex-encoded encrypted message to the
# header X-Msg. Assign the hex-encoded encrypted message to the
# response header X-Cipher, and the hex-encoded counter vector to
# response header X-Cipher, and the hex-encoded counter vector to
# the response header X-Ctr; and remove X-Msg from the response.
# the response header X-Ctr; and remove X-Msg from the response.
sub vcl_
recv
{
sub vcl_
deliver
{
# Use the blobcode VMOD to
decode to convert the contents of
# Use the blobcode VMOD to
convert the contents of X-Msg to a
#
X-Msg to a BLOB, and to encode the encrypted ciphertext in
#
BLOB, and to encode the encrypted ciphertext in hex with
#
hex with lower-case digits. Use the random() function to
#
lower-case digits. Use the random() function to generate a
#
generate a
counter vector as a 128 bit nonce.
# counter vector as a 128 bit nonce.
set resp.http.X-Cipher
set resp.http.X-Cipher
= blobcode.encode(HEXLC,
= blobcode.encode(HEXLC,
aes.encrypt(blobcode.decode(encoded=req.http.X-Msg),
aes.encrypt(blobcode.decode(encoded=req.http.X-Msg),
...
@@ -116,11 +116,11 @@ Varnish:
...
@@ -116,11 +116,11 @@ Varnish:
are lowered when secure memory is initialized. This applies to the
are lowered when secure memory is initialized. This applies to the
varnishd child process.
varnishd child process.
The use of secure memory is
disabled by default. With the VMOD, you
The use of secure memory is
turned off by default for the creation of
can specify the use of secure memory by setting the ``secure`` flag to
new objects. With the VMOD, you can specify the use of secure memory
``true`` in a constructor for symmetric encryption, and configure the
by setting the ``secure`` flag to ``true`` in a constructor for
s
ize of the pool, or disable secure memory, using the ``init()``
s
ymmetric encryption, and configure the size of the pool, or disable
function, as described below.
secure memory, using the ``init()``
function, as described below.
libgcrypt logging
libgcrypt logging
-----------------
-----------------
...
@@ -303,7 +303,8 @@ of the VCL load with an error message, under these conditions:
...
@@ -303,7 +303,8 @@ of the VCL load with an error message, under these conditions:
disabled.
disabled.
* Any failure of the libgcrypt library to initialize internal
* Any failure of the libgcrypt library to initialize internal
structures to be used for this object.
structures to be used for this object. This happens, for example, if
the key length is to short for the chosen cipher.
Examples::
Examples::
...
@@ -522,12 +523,12 @@ Example::
...
@@ -522,12 +523,12 @@ Example::
sub vcl_resp {
sub vcl_resp {
# The length of the IV MUST match the block size of the
# The length of the IV MUST match the block size of the
# cipher in use --
64 bits (8
bytes) for AES. For CBC, the IV
# cipher in use --
128 bits (16
bytes) for AES. For CBC, the IV
# MUST be unpredictable, so we use quality level STRONG.
# MUST be unpredictable, so we use quality level STRONG.
set resp.http.X-Encrypted
set resp.http.X-Encrypted
= blobcode.encode(BASE64,
= blobcode.encode(BASE64,
aes192.encrypt(blobcode.decode(encoded=resp.http.X-Msg),
aes192.encrypt(blobcode.decode(encoded=resp.http.X-Msg),
iv=gcrypt.random(STRONG,
8
B)));
iv=gcrypt.random(STRONG,
16
B)));
# Now call random() with no arguments to retrive the IV that
# Now call random() with no arguments to retrive the IV that
# was generated, to be sent in the base64-encoded response
# was generated, to be sent in the base64-encoded response
...
@@ -721,9 +722,16 @@ the following points, but this list is by no means exhaustive:
...
@@ -721,9 +722,16 @@ the following points, but this list is by no means exhaustive:
never be re-used with the same encryption key. For CBC mode, the IV
never be re-used with the same encryption key. For CBC mode, the IV
must also be unpredictable; for example, the ``STRONG`` quality
must also be unpredictable; for example, the ``STRONG`` quality
level should be used if the ``random()`` function is used to
level should be used if the ``random()`` function is used to
generate IVs for C
FB
. For the other modes, unpredictability is not
generate IVs for C
BC
. For the other modes, unpredictability is not
required, and the ``NONCE`` level is sufficient.
required, and the ``NONCE`` level is sufficient.
* libgcrypt permits certain operations that are poor practice, such as
setting an init vector whose length is not equal to the block length
of a symmetric cipher, but emits a warning message. The VMOD follows
the library in allowing these operations to proceed, but you should
check the Varnish log for the warnings, and correct any such
problems.
* Make sure that you have a secure procedure in place for generating
* Make sure that you have a secure procedure in place for generating
and storing cryptographic keys, and for changing the keys
and storing cryptographic keys, and for changing the keys
periodically.
periodically.
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment