Unverified Commit 808a8eee authored by Nils Goroll's avatar Nils Goroll

adjust to current varnish-cache (6.4 / post-6.4 master)

The changes are mostly mechanical

- replace use of the blobcode vmod with vmod blob and adjust to new
  function signatures
- use struct vrt_blob for blobs and adjust to new struct members
- use separate pointers for generating output (blobs are const)
- use optional arguments for functions (minimal adjustments of
  existing code)
- replace WS_Reserve() with WS_ReserveAll()
- wipe needs the TRUST_ME() macro to un-const blobs

unresolved issues:

- padding errors lead to "vmod blob error: cannot encode, out of space",
  the respective tests have been moved to
  tests.disabled/padding_error.vtc
parent 9e6cf927
This diff is collapsed.
# looks like -*- vcl -*-
varnishtest "padding"
varnish v1 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
gcrypt.init(FINISH);
}
} -start
# Padding errors
#
# XXX these tests lead to "vmod blob error: cannot encode, out of space"
# even for workspace_client=512k
varnish v1 -vcl {
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k1 = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new none = gcrypt.symmetric(AES, ECB, NONE, key=k1.get());
new pkcs7 = gcrypt.symmetric(AES, ECB, PKCS7, key=k1.get());
new iso7816 = gcrypt.symmetric(AES, ECB, ISO7816, key=k1.get());
new x923 = gcrypt.symmetric(AES, ECB, X923, key=k1.get());
new foo_pkcs7_1
= blob.blob(HEX, "666F6F0E0D0D0D0D0D0D0D0D0D0D0D0D");
new foo_pkcs7_2
= blob.blob(HEX, "666F6F0D0D0D0D0D0D0D0D0D0D0D0D11");
new foo_iso7816_1
= blob.blob(HEX, "666F6F80000000000001000000000000");
new foo_iso7816_2
= blob.blob(HEX, "666F6F00000000000000000000000000");
new foo_x923_1
= blob.blob(HEX, "666F6F0000000001000000000000000D");
new foo_x923_2
= blob.blob(HEX, "666F6F00000000000000000000000011");
new empty_pkcs7_1
= blob.blob(HEX, "0F101010101010101010101010101010");
new empty_pkcs7_2
= blob.blob(HEX, "10101010101010101010101010101011");
new empty_iso7816_1
= blob.blob(HEX, "00000000000000000000000000000000");
new empty_iso7816_2
= blob.blob(HEX, "80010000000000000000000000000000");
new empty_x923_1
= blob.blob(HEX, "01000000000000000000000000000010");
new empty_x923_2
= blob.blob(HEX, "00000000000000000000000000000011");
}
sub vcl_recv {
return(synth(200));
}
sub vcl_synth {
set resp.http.foo-pkcs7-cipher-1
= blob.encode(BASE64, DEFAULT, none.encrypt(foo_pkcs7_1.get()));
set resp.http.foo-pkcs7-plain-1
= blob.encode(blob=pkcs7.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-pkcs7-cipher-1)));
set resp.http.foo-pkcs7-cipher-2
= blob.encode(BASE64, DEFAULT, none.encrypt(foo_pkcs7_2.get()));
set resp.http.foo-pkcs7-plain-2
= blob.encode(blob=pkcs7.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-pkcs7-cipher-2)));
set resp.http.foo-iso7816-cipher-1
= blob.encode(BASE64, DEFAULT, none.encrypt(foo_iso7816_1.get()));
set resp.http.foo-iso7816-plain-1
= blob.encode(blob=iso7816.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-iso7816-cipher-1)));
set resp.http.foo-iso7816-cipher-2
= blob.encode(BASE64, DEFAULT, none.encrypt(foo_iso7816_2.get()));
set resp.http.foo-iso7816-plain-2
= blob.encode(blob=iso7816.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-iso7816-cipher-2)));
set resp.http.foo-x923-cipher-1
= blob.encode(BASE64, DEFAULT, none.encrypt(foo_x923_1.get()));
set resp.http.foo-x923-plain-1
= blob.encode(blob=x923.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-x923-cipher-1)));
set resp.http.foo-x923-cipher-2
= blob.encode(BASE64, DEFAULT, none.encrypt(foo_x923_1.get()));
set resp.http.foo-x923-plain-2
= blob.encode(blob=x923.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-x923-cipher-2)));
set resp.http.empty-pkcs7-cipher-1
= blob.encode(BASE64, DEFAULT, none.encrypt(empty_pkcs7_1.get()));
set resp.http.empty-pkcs7-plain-1
= blob.encode(blob=pkcs7.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-pkcs7-cipher-1)));
set resp.http.empty-pkcs7-cipher-2
= blob.encode(BASE64, DEFAULT, none.encrypt(empty_pkcs7_2.get()));
set resp.http.empty-pkcs7-plain-2
= blob.encode(blob=pkcs7.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-pkcs7-cipher-2)));
set resp.http.empty-iso7816-cipher-1
= blob.encode(BASE64, DEFAULT, none.encrypt(empty_iso7816_1.get()));
set resp.http.empty-iso7816-plain-1
= blob.encode(blob=iso7816.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-iso7816-cipher-1)));
set resp.http.empty-iso7816-cipher-2
= blob.encode(BASE64, DEFAULT, none.encrypt(empty_iso7816_2.get()));
set resp.http.empty-iso7816-plain-2
= blob.encode(blob=iso7816.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-iso7816-cipher-2)));
set resp.http.empty-x923-cipher-1
= blob.encode(BASE64, DEFAULT, none.encrypt(empty_x923_1.get()));
set resp.http.empty-x923-plain-1
= blob.encode(blob=x923.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-x923-cipher-1)));
set resp.http.empty-x923-cipher-2
= blob.encode(BASE64, DEFAULT, none.encrypt(empty_x923_1.get()));
set resp.http.empty-x923-plain-2
= blob.encode(blob=x923.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-x923-cipher-2)));
return(deliver);
}
}
client c1 {
txreq
rxresp
expect resp.status == 200
expect resp.http.foo-pkcs7-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-pkcs7-plain-1 == ""
expect resp.http.foo-pkcs7-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-pkcs7-plain-2 == ""
expect resp.http.foo-iso7816-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-iso7816-plain-1 == ""
expect resp.http.foo-iso7816-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-iso7816-plain-2 == ""
expect resp.http.foo-x923-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-x923-plain-1 == ""
expect resp.http.foo-x923-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-x923-plain-2 == ""
expect resp.http.empty-pkcs7-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-pkcs7-plain-1 == ""
expect resp.http.empty-pkcs7-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-pkcs7-plain-2 == ""
expect resp.http.empty-iso7816-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-iso7816-plain-1 == ""
expect resp.http.empty-iso7816-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-iso7816-plain-2 == ""
expect resp.http.empty-x923-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-x923-plain-1 == ""
expect resp.http.empty-x923-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-x923-plain-2 == ""
} -run
logexpect l1 -v v1 -d 1 -q "VCL_Error" {
expect 0 * Begin req
expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
expect * = End
} -run
......@@ -10,7 +10,7 @@ varnishtest "random_bool()"
# several threads.
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
......
......@@ -10,7 +10,7 @@ varnishtest "random() at quality level VERY_STRONG"
# varnishtest -t 300
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
......@@ -20,9 +20,9 @@ varnish v1 -vcl {
sub vcl_synth {
set resp.http.very_strong
= blobcode.encode(HEXUC, gcrypt.random(VERY_STRONG, 16B));
= blob.encode(HEX, UPPER, gcrypt.random(VERY_STRONG, 16B));
set resp.http.very_strong_task
= blobcode.encode(HEXUC, gcrypt.random());
= blob.encode(HEX, UPPER, gcrypt.random());
return(deliver);
}
} -start
......
This diff is collapsed.
......@@ -14,53 +14,53 @@ varnish v1 -vcl {
# NULL key is illegal
varnish v1 -errvcl {vmod gcrypt error: key is NULL in aes constructor} {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k = blobcode.blob(encoded="");
new k = blob.blob(encoded="");
new aes = gcrypt.symmetric(AES, ECB, key=k.get());
}
}
# Key too short
varnish v1 -errvcl {vmod gcrypt error: Cannot set key in aes constructor} {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k = blobcode.blob(HEX, "0");
new k = blob.blob(HEX, "0");
new aes = gcrypt.symmetric(AES, ECB, key=k.get());
}
}
# Key too long
varnish v1 -errvcl {vmod gcrypt error: Key length 17 is longer than the maximum supported length 16 for AES cipher in aes constructor} {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k = blobcode.blob(HEX,
new k = blob.blob(HEX,
"000102030405060708090a0b0c0d0e0f10");
new aes = gcrypt.symmetric(AES, ECB, key=k.get());
}
}
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new k = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new cbc = gcrypt.symmetric(AES, CBC, NONE, key=k.get());
new ctr = gcrypt.symmetric(AES, CTR, key=k.get());
new null = blobcode.blob(encoded="");
new short = blobcode.blob(encoded="Too short");
new long = blobcode.blob(HEX,
new null = blob.blob(encoded="");
new short = blob.blob(encoded="Too short");
new long = blob.blob(HEX,
"000102030405060708090a0b0c0d0e0f10");
}
......@@ -73,84 +73,84 @@ varnish v1 -vcl {
# NULL plaintext is illegal
set resp.http.plain-null
= blobcode.encode(HEXUC, cbc.encrypt(null.get()));
= blob.encode(HEX, UPPER, cbc.encrypt(null.get()));
# NULL IV is illegal when required
set resp.http.enc-iv-null
= blobcode.encode(HEXUC, cbc.encrypt(k.get()));
= blob.encode(HEX, UPPER, cbc.encrypt(k.get()));
# IV shorter than the block length is not an error, but
# invokes a libgcrypt log warning
set resp.http.enc-iv-short
= blobcode.encode(HEXUC, cbc.encrypt(k.get(), short.get()));
= blob.encode(HEX, UPPER, cbc.encrypt(k.get(), short.get()));
# IV longer than the block length is not an error, but
# invokes a libgcrypt log warning
set resp.http.enc-iv-long
= blobcode.encode(HEXUC, cbc.encrypt(k.get(), long.get()));
= blob.encode(HEX, UPPER, cbc.encrypt(k.get(), long.get()));
# When no padding is specified, the length of the plaintext
# must be an exact multiple of the block length.
set resp.http.enc-plain-short
= blobcode.encode(HEXUC, cbc.encrypt(short.get(), k.get()));
= blob.encode(HEX, UPPER, cbc.encrypt(short.get(), k.get()));
set resp.http.enc-plain-long
= blobcode.encode(HEXUC, cbc.encrypt(long.get(), k.get()));
= blob.encode(HEX, UPPER, cbc.encrypt(long.get(), k.get()));
# NULL CTR is illegal when required
set resp.http.enc-ctr-null
= blobcode.encode(HEXUC, ctr.encrypt(k.get()));
= blob.encode(HEX, UPPER, ctr.encrypt(k.get()));
# CTR shorter than the block length is illegal
set resp.http.enc-ctr-short
= blobcode.encode(HEXUC, ctr.encrypt(k.get(),
= blob.encode(HEX, UPPER, ctr.encrypt(k.get(),
ctr=short.get()));
# CTR longer than the block length is illegal
set resp.http.enc-ctr-long
= blobcode.encode(HEXUC, ctr.encrypt(k.get(),
= blob.encode(HEX, UPPER, ctr.encrypt(k.get(),
ctr=long.get()));
# Errors in .decrypt()
# NULL ciphertext is illegal
set resp.http.cipher-null
= blobcode.encode(HEXUC, cbc.decrypt(null.get()));
= blob.encode(HEX, UPPER, cbc.decrypt(null.get()));
# NULL IV is illegal when required
set resp.http.dec-iv-null
= blobcode.encode(HEXUC, cbc.decrypt(k.get()));
= blob.encode(HEX, UPPER, cbc.decrypt(k.get()));
# IV shorter than the block length is not an error, but
# invokes a libgcrypt log warning
set resp.http.dec-iv-short
= blobcode.encode(HEXUC, cbc.decrypt(k.get(), short.get()));
= blob.encode(HEX, UPPER, cbc.decrypt(k.get(), short.get()));
# IV longer than the block length is not an error, but
# invokes a libgcrypt log warning
set resp.http.dec-iv-long
= blobcode.encode(HEXUC, cbc.decrypt(k.get(), long.get()));
= blob.encode(HEX, UPPER, cbc.decrypt(k.get(), long.get()));
# When no padding is specified, the length of the ciphertext
# must be an exact multiple of the block length.
set resp.http.dec-cipher-short
= blobcode.encode(HEXUC, cbc.decrypt(short.get(), k.get()));
= blob.encode(HEX, UPPER, cbc.decrypt(short.get(), k.get()));
set resp.http.dec-cipher-long
= blobcode.encode(HEXUC, cbc.decrypt(long.get(), k.get()));
= blob.encode(HEX, UPPER, cbc.decrypt(long.get(), k.get()));
# NULL CTR is illegal when required
set resp.http.dec-ctr-null
= blobcode.encode(HEXUC, ctr.decrypt(k.get()));
= blob.encode(HEX, UPPER, ctr.decrypt(k.get()));
# CTR shorter than the block length is illegal
set resp.http.dec-ctr-short
= blobcode.encode(HEXUC, ctr.decrypt(k.get(),
= blob.encode(HEX, UPPER, ctr.decrypt(k.get(),
ctr=short.get()));
# CTR longer than the block length is illegal
set resp.http.dec-ctr-long
= blobcode.encode(HEXUC, ctr.decrypt(k.get(),
= blob.encode(HEX, UPPER, ctr.decrypt(k.get(),
ctr=long.get()));
return(deliver);
......
......@@ -5,24 +5,24 @@ varnishtest "disable secmem in the init function"
# DISABLE_SECMEM
varnish v1 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
gcrypt.init(DISABLE_SECMEM);
gcrypt.init(FINISH);
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=false);
}
} -start
varnish v1 -errvcl {vmod gcrypt error: secure memory not enabled in aes constructor} {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
}
}
......@@ -32,25 +32,25 @@ varnish v1 -errvcl {vmod gcrypt error: secure memory not enabled in aes construc
varnish v1 -stop
varnish v2 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
gcrypt.init(INIT_SECMEM);
gcrypt.init(DISABLE_SECMEM);
gcrypt.init(FINISH);
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=false);
}
} -start
varnish v2 -errvcl {vmod gcrypt error: secure memory not enabled in aes constructor} {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
}
}
......@@ -58,25 +58,25 @@ varnish v2 -errvcl {vmod gcrypt error: secure memory not enabled in aes construc
varnish v2 -stop
varnish v3 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
gcrypt.init(INIT_SECMEM);
gcrypt.init(INIT_SECMEM, 0B);
gcrypt.init(FINISH);
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=false);
}
} -start
varnish v3 -errvcl {vmod gcrypt error: secure memory not enabled in aes constructor} {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
}
}
......@@ -84,14 +84,14 @@ varnish v3 -errvcl {vmod gcrypt error: secure memory not enabled in aes construc
varnish v3 -stop
varnish v4 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
gcrypt.init(DISABLE_SECMEM);
gcrypt.init(INIT_SECMEM);
gcrypt.init(FINISH);
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
}
} -start
......@@ -19,7 +19,7 @@ varnish v1 -errvcl {vmod gcrypt error: libgcrypt initialization not finished in
}
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
......@@ -32,13 +32,13 @@ varnish v1 -vcl {
}
sub vcl_synth {
set resp.http.f1 = blobcode.encode(IDENTITY,
set resp.http.f1 = blob.encode(IDENTITY, DEFAULT,
gcrypt.fileread("${tmpdir}/f.txt"));
set resp.http.f2 = blobcode.encode(IDENTITY,
set resp.http.f2 = blob.encode(IDENTITY, DEFAULT,
gcrypt.fileread("${tmpdir}/f.txt"));
set resp.http.n = blobcode.encode(IDENTITY,
set resp.http.n = blob.encode(IDENTITY, DEFAULT,
gcrypt.fileread("${tmpdir}/nonexistent.txt"));
set resp.http.fifo = blobcode.encode(IDENTITY,
set resp.http.fifo = blob.encode(IDENTITY, DEFAULT,
gcrypt.fileread("${tmpdir}/fifo.txt"));
return(deliver);
......
......@@ -48,11 +48,11 @@ varnish v3 -vcl {
varnish v3 -errvcl {vmod gcrypt error: secure memory not enabled in aes constructor} {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
}
}
......@@ -61,12 +61,12 @@ varnish v3 -errvcl {vmod gcrypt error: secure memory not enabled in aes construc
varnish v3 -stop
varnish v4 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
gcrypt.init(FINISH);
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
}
} -start
......@@ -80,23 +80,23 @@ varnish v1 -stop
varnish v2 -vcl {backend b { .host = "${bad_ip}"; } } -start
varnish v2 -errvcl {libgcrypt initialization not finished in aes constructor} {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get());
}
}
varnish v2 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
gcrypt.init(FINISH);
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get());
}
}
......@@ -105,11 +105,11 @@ varnish v2 -vcl {
# object instances without having to call init(FINISH) again.
varnish v2 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get());
}
}
This diff is collapsed.
......@@ -9,7 +9,7 @@ varnishtest "random() and random_int(), _real() and _bool()"
# varnishtest.
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
......@@ -19,22 +19,22 @@ varnish v1 -vcl {
sub vcl_synth {
set resp.http.nonce16
= blobcode.encode(HEXUC, gcrypt.random(NONCE, 16B));
= blob.encode(HEX, UPPER, gcrypt.random(NONCE, 16B));
set resp.http.nonce16-task
= blobcode.encode(HEXUC, gcrypt.random());
= blob.encode(HEX, UPPER, gcrypt.random());
set resp.http.strong32
= blobcode.encode(HEXUC, gcrypt.random(STRONG, 32B));
= blob.encode(HEX, UPPER, gcrypt.random(STRONG, 32B));
set resp.http.strong32-task-noarg
= blobcode.encode(HEXUC, gcrypt.random());
= blob.encode(HEX, UPPER, gcrypt.random());
set resp.http.strong32-task-n0
= blobcode.encode(HEXUC, gcrypt.random(n=0B));
= blob.encode(HEX, UPPER, gcrypt.random(n=0B));
set resp.http.strong32-task-enum
= blobcode.encode(HEXUC, gcrypt.random(VERY_STRONG));
= blob.encode(HEX, UPPER, gcrypt.random(VERY_STRONG));
set resp.http.strong32-task-n0-enum
= blobcode.encode(HEXUC, gcrypt.random(NONCE, n=0B));
= blob.encode(HEX, UPPER, gcrypt.random(NONCE, n=0B));
set resp.http.error
= blobcode.encode(HEXUC, gcrypt.random(n=1B));
= blob.encode(HEX, UPPER, gcrypt.random(n=1B));
set resp.http.strong-int = gcrypt.random_int(STRONG);
set resp.http.nonce-int = gcrypt.random_int(NONCE);
......@@ -111,7 +111,7 @@ logexpect l1 -v v1 -d 1 -q "VCL_Error" {
} -run
varnish v1 -errvcl {vmod gcrypt error: in gcrypt.random(): quality ENUM is NULL} {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
......@@ -124,7 +124,7 @@ varnish v1 -errvcl {vmod gcrypt error: in gcrypt.random(): quality ENUM is NULL}
# random_real()
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
......@@ -150,7 +150,7 @@ client c1 -repeat 20 {
# random_bool()
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
......
......@@ -3,27 +3,27 @@
varnishtest "wipe()"
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new b16
= blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f");
= blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
gcrypt.wipe(b16.get());
new b4 = blobcode.blob(HEX, "00010203");
new b4 = blob.blob(HEX, "00010203");
gcrypt.wipe(b4.get());
new b12 = blobcode.blob(HEX, "000102030405060708090a0b");
new b12 = blob.blob(HEX, "000102030405060708090a0b");
gcrypt.wipe(b12.get());
new hobbes = blobcode.blob(IDENTITY,
new hobbes = blob.blob(IDENTITY,
"Man is distinguished, not only by his reason, but by this singular passion from other animals, which is a lust of the mind, that by a perseverance of delight in the continued and indefatigable generation of knowledge, exceeds the short vehemence of any carnal pleasure.");
gcrypt.wipe(hobbes.get());
new foo = blobcode.blob(encoded="foo");
new empty = blobcode.blob(encoded="");
new foo = blob.blob(encoded="foo");
new empty = blob.blob(encoded="");
}
sub vcl_recv {
......@@ -31,13 +31,13 @@ varnish v1 -vcl {
}
sub vcl_synth {
set resp.http.b16 = blobcode.encode(HEXUC, b16.get());
set resp.http.b4 = blobcode.encode(HEXUC, b4.get());
set resp.http.b12 = blobcode.encode(HEXUC, b12.get());
set resp.http.hobbes = blobcode.encode(HEXUC, hobbes.get());
set resp.http.b16 = blob.encode(HEX, UPPER, b16.get());
set resp.http.b4 = blob.encode(HEX, UPPER, b4.get());
set resp.http.b12 = blob.encode(HEX, UPPER, b12.get());
set resp.http.hobbes = blob.encode(HEX, UPPER, hobbes.get());
gcrypt.wipe(foo.get());
set resp.http.foo = blobcode.encode(HEXUC, foo.get());
set resp.http.foo = blob.encode(HEX, UPPER, foo.get());
gcrypt.wipe(empty.get());
......@@ -63,12 +63,12 @@ logexpect l1 -v v1 -d 1 -q "VCL_Error" {
} -run
varnish v1 -errvcl {vmod gcrypt error: empty blob in gcrypt.wipe()} {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new empty = blobcode.blob(encoded="");
new empty = blob.blob(encoded="");
gcrypt.wipe(empty.get());
}
}
This diff is collapsed.
......@@ -5,7 +5,7 @@
# Author: Geoffrey Simmons <geoffrey.simmons@uplex.de>
#
$Module gcrypt 3 access the libgcrypt cryptographic library
$Module gcrypt 3 "access the libgcrypt cryptographic library"
::
......@@ -50,13 +50,13 @@ allows the VMOD to concentrate strictly on cryptographic operations,
separate from concerns of binary-to-text encodings. BLOBs are not
created by any part of native VCL, and can only be created by other
VMODs, so it is necessary to use this VMOD together with another one
that does so (such as VMOD ``blobcode`` for binary-to-text encodings,
see `SEE ALSO`_).
that does so (such as VMOD ``blob`` for binary-to-text encodings,
which is part of varnish-cache).
This is a simple usage example::
import gcrypt;
import blobcode;
import blob;
sub vcl_init {
# Finalize default initialization of the libgcrypt library.
......@@ -76,19 +76,19 @@ This is a simple usage example::
# response header X-Cipher, and the hex-encoded counter vector to
# the response header X-Ctr; and remove X-Msg from the response.
sub vcl_deliver {
# Use the blobcode VMOD to convert the contents of X-Msg to a
# Use the blob VMOD to convert the contents of X-Msg to a
# BLOB, and to encode the encrypted ciphertext in hex with
# lower-case digits. Use the random() function to generate a
# counter vector as a 128 bit nonce.
set resp.http.X-Cipher
= blobcode.encode(HEXLC,
aes.encrypt(blobcode.decode(encoded=req.http.X-Msg),
= blob.encode(HEXLC,
aes.encrypt(blob.decode(encoded=req.http.X-Msg),
ctr=gcrypt.random(NONCE, 16B)));
# Use the no-argument version of random() to retrieve the
# counter vector that was just generated, and use the
# blobcode VMOD to encode it as lower-case hex.
set resp.http.X-CTR = blobcode.encode(HEXLC, gcrypt.random());
# blob VMOD to encode it as lower-case hex.
set resp.http.X-CTR = blob.encode(HEXLC, gcrypt.random());
# Remove the plaintext from the response header.
unset resp.http.X-Msg;
......@@ -313,21 +313,21 @@ of the VCL load with an error message, under these conditions:
Examples::
import gcrypt;
import blobcode;
import blob;
# Assume in the following that initialization has been finalized.