adjust to current varnish-cache (6.4 / post-6.4 master)

The changes are mostly mechanical

- replace use of the blobcode vmod with vmod blob and adjust to new
  function signatures
- use struct vrt_blob for blobs and adjust to new struct members
- use separate pointers for generating output (blobs are const)
- use optional arguments for functions (minimal adjustments of
  existing code)
- replace WS_Reserve() with WS_ReserveAll()
- wipe needs the TRUST_ME() macro to un-const blobs

unresolved issues:

- padding errors lead to "vmod blob error: cannot encode, out of space",
  the respective tests have been moved to
  tests.disabled/padding_error.vtc

src/tests.disabled/padding_error.vtc

+# looks like -*- vcl -*-
+
+varnishtest "padding"
+
+varnish v1 -vcl {
+	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
+	backend b { .host = "${bad_ip}"; }
+
+	sub vcl_init {
+		gcrypt.init(FINISH);
+	}
+} -start
+
+# Padding errors
+#
+# XXX these tests lead to "vmod blob error: cannot encode, out of space"
+# even for workspace_client=512k
+
+varnish v1 -vcl {
+	import blob;
+	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
+	backend b { .host = "${bad_ip}"; }
+
+	sub vcl_init {
+		new k1 = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
+		new none = gcrypt.symmetric(AES, ECB, NONE, key=k1.get());
+		new pkcs7 = gcrypt.symmetric(AES, ECB, PKCS7, key=k1.get());
+		new iso7816 = gcrypt.symmetric(AES, ECB, ISO7816, key=k1.get());
+		new x923 = gcrypt.symmetric(AES, ECB, X923, key=k1.get());
+
+		new foo_pkcs7_1
+		    = blob.blob(HEX, "666F6F0E0D0D0D0D0D0D0D0D0D0D0D0D");
+		new foo_pkcs7_2
+		    = blob.blob(HEX, "666F6F0D0D0D0D0D0D0D0D0D0D0D0D11");
+		new foo_iso7816_1
+		    = blob.blob(HEX, "666F6F80000000000001000000000000");
+		new foo_iso7816_2
+		    = blob.blob(HEX, "666F6F00000000000000000000000000");
+		new foo_x923_1
+		    = blob.blob(HEX, "666F6F0000000001000000000000000D");
+		new foo_x923_2
+		    = blob.blob(HEX, "666F6F00000000000000000000000011");
+
+		new empty_pkcs7_1
+		    = blob.blob(HEX, "0F101010101010101010101010101010");
+		new empty_pkcs7_2
+		    = blob.blob(HEX, "10101010101010101010101010101011");
+		new empty_iso7816_1
+		    = blob.blob(HEX, "00000000000000000000000000000000");
+		new empty_iso7816_2
+		    = blob.blob(HEX, "80010000000000000000000000000000");
+		new empty_x923_1
+		    = blob.blob(HEX, "01000000000000000000000000000010");
+		new empty_x923_2
+		    = blob.blob(HEX, "00000000000000000000000000000011");
+	}
+
+	sub vcl_recv {
+		return(synth(200));
+	}
+
+	sub vcl_synth {
+		set resp.http.foo-pkcs7-cipher-1
+		    = blob.encode(BASE64, DEFAULT, none.encrypt(foo_pkcs7_1.get()));
+		set resp.http.foo-pkcs7-plain-1
+		    = blob.encode(blob=pkcs7.decrypt(
+		        blob.decode(BASE64, encoded=resp.http.foo-pkcs7-cipher-1)));
+		set resp.http.foo-pkcs7-cipher-2
+		    = blob.encode(BASE64, DEFAULT, none.encrypt(foo_pkcs7_2.get()));
+		set resp.http.foo-pkcs7-plain-2
+		    = blob.encode(blob=pkcs7.decrypt(
+		        blob.decode(BASE64, encoded=resp.http.foo-pkcs7-cipher-2)));
+		set resp.http.foo-iso7816-cipher-1
+		   = blob.encode(BASE64, DEFAULT, none.encrypt(foo_iso7816_1.get()));
+		set resp.http.foo-iso7816-plain-1
+		    = blob.encode(blob=iso7816.decrypt(
+		      blob.decode(BASE64, encoded=resp.http.foo-iso7816-cipher-1)));
+		set resp.http.foo-iso7816-cipher-2
+		   = blob.encode(BASE64, DEFAULT, none.encrypt(foo_iso7816_2.get()));
+		set resp.http.foo-iso7816-plain-2
+		    = blob.encode(blob=iso7816.decrypt(
+		      blob.decode(BASE64, encoded=resp.http.foo-iso7816-cipher-2)));
+		set resp.http.foo-x923-cipher-1
+		    = blob.encode(BASE64, DEFAULT, none.encrypt(foo_x923_1.get()));
+		set resp.http.foo-x923-plain-1
+		    = blob.encode(blob=x923.decrypt(
+		        blob.decode(BASE64, encoded=resp.http.foo-x923-cipher-1)));
+		set resp.http.foo-x923-cipher-2
+		    = blob.encode(BASE64, DEFAULT, none.encrypt(foo_x923_1.get()));
+		set resp.http.foo-x923-plain-2
+		    = blob.encode(blob=x923.decrypt(
+		        blob.decode(BASE64, encoded=resp.http.foo-x923-cipher-2)));
+
+		set resp.http.empty-pkcs7-cipher-1
+		   = blob.encode(BASE64, DEFAULT, none.encrypt(empty_pkcs7_1.get()));
+		set resp.http.empty-pkcs7-plain-1
+		    = blob.encode(blob=pkcs7.decrypt(
+		      blob.decode(BASE64, encoded=resp.http.empty-pkcs7-cipher-1)));
+		set resp.http.empty-pkcs7-cipher-2
+		   = blob.encode(BASE64, DEFAULT, none.encrypt(empty_pkcs7_2.get()));
+		set resp.http.empty-pkcs7-plain-2
+		    = blob.encode(blob=pkcs7.decrypt(
+		      blob.decode(BASE64, encoded=resp.http.empty-pkcs7-cipher-2)));
+		set resp.http.empty-iso7816-cipher-1
+		 = blob.encode(BASE64, DEFAULT, none.encrypt(empty_iso7816_1.get()));
+		set resp.http.empty-iso7816-plain-1
+		    = blob.encode(blob=iso7816.decrypt(
+		    blob.decode(BASE64, encoded=resp.http.empty-iso7816-cipher-1)));
+		set resp.http.empty-iso7816-cipher-2
+		 = blob.encode(BASE64, DEFAULT, none.encrypt(empty_iso7816_2.get()));
+		set resp.http.empty-iso7816-plain-2
+		    = blob.encode(blob=iso7816.decrypt(
+		    blob.decode(BASE64, encoded=resp.http.empty-iso7816-cipher-2)));
+		set resp.http.empty-x923-cipher-1
+		    = blob.encode(BASE64, DEFAULT, none.encrypt(empty_x923_1.get()));
+		set resp.http.empty-x923-plain-1
+		    = blob.encode(blob=x923.decrypt(
+		       blob.decode(BASE64, encoded=resp.http.empty-x923-cipher-1)));
+		set resp.http.empty-x923-cipher-2
+		    = blob.encode(BASE64, DEFAULT, none.encrypt(empty_x923_1.get()));
+		set resp.http.empty-x923-plain-2
+		    = blob.encode(blob=x923.decrypt(
+		       blob.decode(BASE64, encoded=resp.http.empty-x923-cipher-2)));
+		return(deliver);
+	}
+}
+
+client c1 {
+	txreq
+	rxresp
+	expect resp.status == 200
+	expect resp.http.foo-pkcs7-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
+	expect resp.http.foo-pkcs7-plain-1 == ""
+	expect resp.http.foo-pkcs7-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
+	expect resp.http.foo-pkcs7-plain-2 == ""
+	expect resp.http.foo-iso7816-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
+	expect resp.http.foo-iso7816-plain-1 == ""
+	expect resp.http.foo-iso7816-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
+	expect resp.http.foo-iso7816-plain-2 == ""
+	expect resp.http.foo-x923-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
+	expect resp.http.foo-x923-plain-1 == ""
+	expect resp.http.foo-x923-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
+	expect resp.http.foo-x923-plain-2 == ""
+	expect resp.http.empty-pkcs7-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
+	expect resp.http.empty-pkcs7-plain-1 == ""
+	expect resp.http.empty-pkcs7-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
+	expect resp.http.empty-pkcs7-plain-2 == ""
+	expect resp.http.empty-iso7816-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
+	expect resp.http.empty-iso7816-plain-1 == ""
+	expect resp.http.empty-iso7816-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
+	expect resp.http.empty-iso7816-plain-2 == ""
+	expect resp.http.empty-x923-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
+	expect resp.http.empty-x923-plain-1 == ""
+	expect resp.http.empty-x923-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
+	expect resp.http.empty-x923-plain-2 == ""
+} -run
+
+logexpect l1 -v v1 -d 1 -q "VCL_Error" {
+	expect 0 * Begin req
+	expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
+	expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
+	expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
+	expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
+	expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
+	expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
+	expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
+	expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
+	expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
+	expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
+	expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
+	expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
+	expect * = End
+} -run
+

src/tests.disabled/random_bool.vtc

@@ -10,7 +10,7 @@ varnishtest "random_bool()"
 # several threads.
 
 varnish v1 -vcl {
-	import blobcode;
+	import blob;
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
 	backend b { .host = "${bad_ip}"; }
 

src/tests.disabled/very_strong_random.vtc

@@ -10,7 +10,7 @@ varnishtest "random() at quality level VERY_STRONG"
 # varnishtest -t 300
 
 varnish v1 -vcl {
-	import blobcode;
+	import blob;
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
 	backend b { .host = "${bad_ip}"; }
 
@@ -20,9 +20,9 @@ varnish v1 -vcl {
 
 	sub vcl_synth {
 		set resp.http.very_strong
-		    = blobcode.encode(HEXUC, gcrypt.random(VERY_STRONG, 16B));
+		    = blob.encode(HEX, UPPER, gcrypt.random(VERY_STRONG, 16B));
 		set resp.http.very_strong_task
-		    = blobcode.encode(HEXUC, gcrypt.random());
+		    = blob.encode(HEX, UPPER, gcrypt.random());
 		return(deliver);
 	}
 } -start

src/tests/aes_fail.vtc

@@ -14,53 +14,53 @@ varnish v1 -vcl {
 
 # NULL key is illegal
 varnish v1 -errvcl {vmod gcrypt error: key is NULL in aes constructor} {
-	import blobcode;
+	import blob;
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
 	backend b { .host = "${bad_ip}"; }
 
 	sub vcl_init {
-		new k = blobcode.blob(encoded="");
+		new k = blob.blob(encoded="");
 		new aes = gcrypt.symmetric(AES, ECB, key=k.get());
 	}
 }
 
 # Key too short
 varnish v1 -errvcl {vmod gcrypt error: Cannot set key in aes constructor} {
-	import blobcode;
+	import blob;
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
 	backend b { .host = "${bad_ip}"; }
 
 	sub vcl_init {
-		new k = blobcode.blob(HEX, "0");
+		new k = blob.blob(HEX, "0");
 		new aes = gcrypt.symmetric(AES, ECB, key=k.get());
 	}
 }
 
 # Key too long
 varnish v1 -errvcl {vmod gcrypt error: Key length 17 is longer than the maximum supported length 16 for AES cipher in aes constructor} {
-	import blobcode;
+	import blob;
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
 	backend b { .host = "${bad_ip}"; }
 
 	sub vcl_init {
-		new k = blobcode.blob(HEX,
+		new k = blob.blob(HEX,
 		                      "000102030405060708090a0b0c0d0e0f10");
 		new aes = gcrypt.symmetric(AES, ECB, key=k.get());
 	}
 }
 
 varnish v1 -vcl {
-	import blobcode;
+	import blob;
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
 	backend b { .host = "${bad_ip}"; }
 
 	sub vcl_init {
-		new k = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f");
+		new k = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
 		new cbc = gcrypt.symmetric(AES, CBC, NONE, key=k.get());
 		new ctr = gcrypt.symmetric(AES, CTR, key=k.get());
-		new null = blobcode.blob(encoded="");
-		new short = blobcode.blob(encoded="Too short");
-		new long = blobcode.blob(HEX,
+		new null = blob.blob(encoded="");
+		new short = blob.blob(encoded="Too short");
+		new long = blob.blob(HEX,
 		                         "000102030405060708090a0b0c0d0e0f10");
 	}
 
@@ -73,84 +73,84 @@ varnish v1 -vcl {
 
 		# NULL plaintext is illegal
 		set resp.http.plain-null
-		    = blobcode.encode(HEXUC, cbc.encrypt(null.get()));
+		    = blob.encode(HEX, UPPER, cbc.encrypt(null.get()));
 
 		# NULL IV is illegal when required
 		set resp.http.enc-iv-null
-		    = blobcode.encode(HEXUC, cbc.encrypt(k.get()));
+		    = blob.encode(HEX, UPPER, cbc.encrypt(k.get()));
 
 		# IV shorter than the block length is not an error, but
 		# invokes a libgcrypt log warning
 		set resp.http.enc-iv-short
-		    = blobcode.encode(HEXUC, cbc.encrypt(k.get(), short.get()));
+		    = blob.encode(HEX, UPPER, cbc.encrypt(k.get(), short.get()));
 
 		# IV longer than the block length is not an error, but
 		# invokes a libgcrypt log warning
 		set resp.http.enc-iv-long
-		    = blobcode.encode(HEXUC, cbc.encrypt(k.get(), long.get()));
+		    = blob.encode(HEX, UPPER, cbc.encrypt(k.get(), long.get()));
 
 		# When no padding is specified, the length of the plaintext
 		# must be an exact multiple of the block length.
 		set resp.http.enc-plain-short
-		    = blobcode.encode(HEXUC, cbc.encrypt(short.get(), k.get()));
+		    = blob.encode(HEX, UPPER, cbc.encrypt(short.get(), k.get()));
 
 		set resp.http.enc-plain-long
-		    = blobcode.encode(HEXUC, cbc.encrypt(long.get(), k.get()));
+		    = blob.encode(HEX, UPPER, cbc.encrypt(long.get(), k.get()));
 
 		# NULL CTR is illegal when required
 		set resp.http.enc-ctr-null
-		    = blobcode.encode(HEXUC, ctr.encrypt(k.get()));
+		    = blob.encode(HEX, UPPER, ctr.encrypt(k.get()));
 
 		# CTR shorter than the block length is illegal
 		set resp.http.enc-ctr-short
-		    = blobcode.encode(HEXUC, ctr.encrypt(k.get(),
+		    = blob.encode(HEX, UPPER, ctr.encrypt(k.get(),
 		                                         ctr=short.get()));
 
 		# CTR longer than the block length is illegal
 		set resp.http.enc-ctr-long
-		    = blobcode.encode(HEXUC, ctr.encrypt(k.get(),
+		    = blob.encode(HEX, UPPER, ctr.encrypt(k.get(),
 		                                         ctr=long.get()));
 
 		# Errors in .decrypt()
 
 		# NULL ciphertext is illegal
 		set resp.http.cipher-null
-		    = blobcode.encode(HEXUC, cbc.decrypt(null.get()));
+		    = blob.encode(HEX, UPPER, cbc.decrypt(null.get()));
 
 		# NULL IV is illegal when required
 		set resp.http.dec-iv-null
-		    = blobcode.encode(HEXUC, cbc.decrypt(k.get()));
+		    = blob.encode(HEX, UPPER, cbc.decrypt(k.get()));
 
 		# IV shorter than the block length is not an error, but
 		# invokes a libgcrypt log warning
 		set resp.http.dec-iv-short
-		    = blobcode.encode(HEXUC, cbc.decrypt(k.get(), short.get()));
+		    = blob.encode(HEX, UPPER, cbc.decrypt(k.get(), short.get()));
 
 		# IV longer than the block length is not an error, but
 		# invokes a libgcrypt log warning
 		set resp.http.dec-iv-long
-		    = blobcode.encode(HEXUC, cbc.decrypt(k.get(), long.get()));
+		    = blob.encode(HEX, UPPER, cbc.decrypt(k.get(), long.get()));
 
 		# When no padding is specified, the length of the ciphertext
 		# must be an exact multiple of the block length.
 		set resp.http.dec-cipher-short
-		    = blobcode.encode(HEXUC, cbc.decrypt(short.get(), k.get()));
+		    = blob.encode(HEX, UPPER, cbc.decrypt(short.get(), k.get()));
 
 		set resp.http.dec-cipher-long
-		    = blobcode.encode(HEXUC, cbc.decrypt(long.get(), k.get()));
+		    = blob.encode(HEX, UPPER, cbc.decrypt(long.get(), k.get()));
 
 		# NULL CTR is illegal when required
 		set resp.http.dec-ctr-null
-		    = blobcode.encode(HEXUC, ctr.decrypt(k.get()));
+		    = blob.encode(HEX, UPPER, ctr.decrypt(k.get()));
 
 		# CTR shorter than the block length is illegal
 		set resp.http.dec-ctr-short
-		    = blobcode.encode(HEXUC, ctr.decrypt(k.get(),
+		    = blob.encode(HEX, UPPER, ctr.decrypt(k.get(),
 		                                         ctr=short.get()));
 
 		# CTR longer than the block length is illegal
 		set resp.http.dec-ctr-long
-		    = blobcode.encode(HEXUC, ctr.decrypt(k.get(),
+		    = blob.encode(HEX, UPPER, ctr.decrypt(k.get(),
 		                                         ctr=long.get()));
 
 		return(deliver);

src/tests/disable_secmem.vtc

@@ -5,24 +5,24 @@ varnishtest "disable secmem in the init function"
 # DISABLE_SECMEM
 varnish v1 -vcl {
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
-	import blobcode;
+	import blob;
 	backend b { .host = "${bad_ip}"; }
 
 	sub vcl_init {
 		gcrypt.init(DISABLE_SECMEM);
 		gcrypt.init(FINISH);
-		new k = blobcode.blob(HEX, "00000000000000000000000000000000");
+		new k = blob.blob(HEX, "00000000000000000000000000000000");
 		new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=false);
 	}
 } -start
 
 varnish v1 -errvcl {vmod gcrypt error: secure memory not enabled in aes constructor} {
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
-	import blobcode;
+	import blob;
 	backend b { .host = "${bad_ip}"; }
 
 	sub vcl_init {
-		new k = blobcode.blob(HEX, "00000000000000000000000000000000");
+		new k = blob.blob(HEX, "00000000000000000000000000000000");
 		new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
 	}
 }
@@ -32,25 +32,25 @@ varnish v1 -errvcl {vmod gcrypt error: secure memory not enabled in aes construc
 varnish v1 -stop
 varnish v2 -vcl {
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
-	import blobcode;
+	import blob;
 	backend b { .host = "${bad_ip}"; }
 
 	sub vcl_init {
 		gcrypt.init(INIT_SECMEM);
 		gcrypt.init(DISABLE_SECMEM);
 		gcrypt.init(FINISH);
-		new k = blobcode.blob(HEX, "00000000000000000000000000000000");
+		new k = blob.blob(HEX, "00000000000000000000000000000000");
 		new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=false);
 	}
 } -start
 
 varnish v2 -errvcl {vmod gcrypt error: secure memory not enabled in aes constructor} {
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
-	import blobcode;
+	import blob;
 	backend b { .host = "${bad_ip}"; }
 
 	sub vcl_init {
-		new k = blobcode.blob(HEX, "00000000000000000000000000000000");
+		new k = blob.blob(HEX, "00000000000000000000000000000000");
 		new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
 	}
 }
@@ -58,25 +58,25 @@ varnish v2 -errvcl {vmod gcrypt error: secure memory not enabled in aes construc
 varnish v2 -stop
 varnish v3 -vcl {
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
-	import blobcode;
+	import blob;
 	backend b { .host = "${bad_ip}"; }
 
 	sub vcl_init {
 		gcrypt.init(INIT_SECMEM);
 		gcrypt.init(INIT_SECMEM, 0B);
 		gcrypt.init(FINISH);
-		new k = blobcode.blob(HEX, "00000000000000000000000000000000");
+		new k = blob.blob(HEX, "00000000000000000000000000000000");
 		new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=false);
 	}
 } -start
 
 varnish v3 -errvcl {vmod gcrypt error: secure memory not enabled in aes constructor} {
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
-	import blobcode;
+	import blob;
 	backend b { .host = "${bad_ip}"; }
 
 	sub vcl_init {
-		new k = blobcode.blob(HEX, "00000000000000000000000000000000");
+		new k = blob.blob(HEX, "00000000000000000000000000000000");
 		new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
 	}
 }
@@ -84,14 +84,14 @@ varnish v3 -errvcl {vmod gcrypt error: secure memory not enabled in aes construc
 varnish v3 -stop
 varnish v4 -vcl {
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
-	import blobcode;
+	import blob;
 	backend b { .host = "${bad_ip}"; }
 
 	sub vcl_init {
 		gcrypt.init(DISABLE_SECMEM);
 		gcrypt.init(INIT_SECMEM);
 		gcrypt.init(FINISH);
-		new k = blobcode.blob(HEX, "00000000000000000000000000000000");
+		new k = blob.blob(HEX, "00000000000000000000000000000000");
 		new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
 	}
 } -start

src/tests/fileread.vtc

@@ -19,7 +19,7 @@ varnish v1 -errvcl {vmod gcrypt error: libgcrypt initialization not finished in
 }
 
 varnish v1 -vcl {
-	import blobcode;
+	import blob;
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
 	backend b { .host = "${bad_ip}"; }
 
@@ -32,13 +32,13 @@ varnish v1 -vcl {
 	}
 
 	sub vcl_synth {
-		set resp.http.f1 = blobcode.encode(IDENTITY,
+		set resp.http.f1 = blob.encode(IDENTITY, DEFAULT,
 		                            gcrypt.fileread("${tmpdir}/f.txt"));
-		set resp.http.f2 = blobcode.encode(IDENTITY,
+		set resp.http.f2 = blob.encode(IDENTITY, DEFAULT,
 		                            gcrypt.fileread("${tmpdir}/f.txt"));
-		set resp.http.n = blobcode.encode(IDENTITY,
+		set resp.http.n = blob.encode(IDENTITY, DEFAULT,
 		                  gcrypt.fileread("${tmpdir}/nonexistent.txt"));
-		set resp.http.fifo = blobcode.encode(IDENTITY,
+		set resp.http.fifo = blob.encode(IDENTITY, DEFAULT,
 		                         gcrypt.fileread("${tmpdir}/fifo.txt"));
 
 		return(deliver);

src/tests/init_secmem.vtc

@@ -48,11 +48,11 @@ varnish v3 -vcl {
 
 varnish v3 -errvcl {vmod gcrypt error: secure memory not enabled in aes constructor} {
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
-	import blobcode;
+	import blob;
 	backend b { .host = "${bad_ip}"; }
 
 	sub vcl_init {
-		new k = blobcode.blob(HEX, "00000000000000000000000000000000");
+		new k = blob.blob(HEX, "00000000000000000000000000000000");
 		new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
 	}
 }
@@ -61,12 +61,12 @@ varnish v3 -errvcl {vmod gcrypt error: secure memory not enabled in aes construc
 varnish v3 -stop
 varnish v4 -vcl {
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
-	import blobcode;
+	import blob;
 	backend b { .host = "${bad_ip}"; }
 
 	sub vcl_init {
 		gcrypt.init(FINISH);
-		new k = blobcode.blob(HEX, "00000000000000000000000000000000");
+		new k = blob.blob(HEX, "00000000000000000000000000000000");
 		new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
 	}
 } -start

src/tests/init_usage.vtc

@@ -80,23 +80,23 @@ varnish v1 -stop
 varnish v2 -vcl {backend b { .host = "${bad_ip}"; } } -start
 varnish v2 -errvcl {libgcrypt initialization not finished in aes constructor} {
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
-	import blobcode;
+	import blob;
 	backend b { .host = "${bad_ip}"; }
 
 	sub vcl_init {
-		new k = blobcode.blob(HEX, "00000000000000000000000000000000");
+		new k = blob.blob(HEX, "00000000000000000000000000000000");
 		new aes = gcrypt.symmetric(AES, ECB, key=k.get());
 	}
 }
 
 varnish v2 -vcl {
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
-	import blobcode;
+	import blob;
 	backend b { .host = "${bad_ip}"; }
 
 	sub vcl_init {
 		gcrypt.init(FINISH);
-		new k = blobcode.blob(HEX, "00000000000000000000000000000000");
+		new k = blob.blob(HEX, "00000000000000000000000000000000");
 		new aes = gcrypt.symmetric(AES, ECB, key=k.get());
 	}
 }
@@ -105,11 +105,11 @@ varnish v2 -vcl {
 # object instances without having to call init(FINISH) again.
 varnish v2 -vcl {
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
-	import blobcode;
+	import blob;
 	backend b { .host = "${bad_ip}"; }
 
 	sub vcl_init {
-		new k = blobcode.blob(HEX, "00000000000000000000000000000000");
+		new k = blob.blob(HEX, "00000000000000000000000000000000");
 		new aes = gcrypt.symmetric(AES, ECB, key=k.get());
 	}
 }

src/tests/random.vtc

@@ -9,7 +9,7 @@ varnishtest "random() and random_int(), _real() and _bool()"
 # varnishtest.
 
 varnish v1 -vcl {
-	import blobcode;
+	import blob;
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
 	backend b { .host = "${bad_ip}"; }
 
@@ -19,22 +19,22 @@ varnish v1 -vcl {
 
 	sub vcl_synth {
 		set resp.http.nonce16
-		    = blobcode.encode(HEXUC, gcrypt.random(NONCE, 16B));
+		    = blob.encode(HEX, UPPER, gcrypt.random(NONCE, 16B));
 		set resp.http.nonce16-task
-		    = blobcode.encode(HEXUC, gcrypt.random());
+		    = blob.encode(HEX, UPPER, gcrypt.random());
 		set resp.http.strong32
-		    = blobcode.encode(HEXUC, gcrypt.random(STRONG, 32B));
+		    = blob.encode(HEX, UPPER, gcrypt.random(STRONG, 32B));
 		set resp.http.strong32-task-noarg
-		    = blobcode.encode(HEXUC, gcrypt.random());
+		    = blob.encode(HEX, UPPER, gcrypt.random());
 		set resp.http.strong32-task-n0
-		    = blobcode.encode(HEXUC, gcrypt.random(n=0B));
+		    = blob.encode(HEX, UPPER, gcrypt.random(n=0B));
 		set resp.http.strong32-task-enum
-		    = blobcode.encode(HEXUC, gcrypt.random(VERY_STRONG));
+		    = blob.encode(HEX, UPPER, gcrypt.random(VERY_STRONG));
 		set resp.http.strong32-task-n0-enum
-		    = blobcode.encode(HEXUC, gcrypt.random(NONCE, n=0B));
+		    = blob.encode(HEX, UPPER, gcrypt.random(NONCE, n=0B));
 
 		set resp.http.error
-		    = blobcode.encode(HEXUC, gcrypt.random(n=1B));
+		    = blob.encode(HEX, UPPER, gcrypt.random(n=1B));
 
 		set resp.http.strong-int = gcrypt.random_int(STRONG);
 		set resp.http.nonce-int = gcrypt.random_int(NONCE);
@@ -111,7 +111,7 @@ logexpect l1 -v v1 -d 1 -q "VCL_Error" {
 } -run
 
 varnish v1 -errvcl {vmod gcrypt error: in gcrypt.random(): quality ENUM is NULL} {
-	import blobcode;
+	import blob;
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
 	backend b { .host = "${bad_ip}"; }
 
@@ -124,7 +124,7 @@ varnish v1 -errvcl {vmod gcrypt error: in gcrypt.random(): quality ENUM is NULL}
 
 # random_real()
 varnish v1 -vcl {
-	import blobcode;
+	import blob;
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
 	backend b { .host = "${bad_ip}"; }
 
@@ -150,7 +150,7 @@ client c1 -repeat 20 {
 
 # random_bool()
 varnish v1 -vcl {
-	import blobcode;
+	import blob;
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
 	backend b { .host = "${bad_ip}"; }
 

src/tests/wipe.vtc

@@ -3,27 +3,27 @@
 varnishtest "wipe()"
 
 varnish v1 -vcl {
-	import blobcode;
+	import blob;
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
 	backend b { .host = "${bad_ip}"; }
 
 	sub vcl_init {
 		new b16
-		    = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f");
+		    = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
 		gcrypt.wipe(b16.get());
 
-		new b4 = blobcode.blob(HEX, "00010203");
+		new b4 = blob.blob(HEX, "00010203");
 		gcrypt.wipe(b4.get());
 
-		new b12 = blobcode.blob(HEX, "000102030405060708090a0b");
+		new b12 = blob.blob(HEX, "000102030405060708090a0b");
 		gcrypt.wipe(b12.get());
 
-		new hobbes = blobcode.blob(IDENTITY,
+		new hobbes = blob.blob(IDENTITY,
 "Man is distinguished, not only by his reason, but by this singular passion from other animals, which is a lust of the mind, that by a perseverance of delight in the continued and indefatigable generation of knowledge, exceeds the short vehemence of any carnal pleasure.");
 		gcrypt.wipe(hobbes.get());
 
-		new foo = blobcode.blob(encoded="foo");
-		new empty = blobcode.blob(encoded="");
+		new foo = blob.blob(encoded="foo");
+		new empty = blob.blob(encoded="");
 	}
 
 	sub vcl_recv {
@@ -31,13 +31,13 @@ varnish v1 -vcl {
 	}
 
 	sub vcl_synth {
-		set resp.http.b16 = blobcode.encode(HEXUC, b16.get());
-		set resp.http.b4 = blobcode.encode(HEXUC, b4.get());
-		set resp.http.b12 = blobcode.encode(HEXUC, b12.get());
-		set resp.http.hobbes = blobcode.encode(HEXUC, hobbes.get());
+		set resp.http.b16 = blob.encode(HEX, UPPER, b16.get());
+		set resp.http.b4 = blob.encode(HEX, UPPER, b4.get());
+		set resp.http.b12 = blob.encode(HEX, UPPER, b12.get());
+		set resp.http.hobbes = blob.encode(HEX, UPPER, hobbes.get());
 
 		gcrypt.wipe(foo.get());
-		set resp.http.foo = blobcode.encode(HEXUC, foo.get());
+		set resp.http.foo = blob.encode(HEX, UPPER, foo.get());
 
 		gcrypt.wipe(empty.get());
 
@@ -63,12 +63,12 @@ logexpect l1 -v v1 -d 1 -q "VCL_Error" {
 } -run
 
 varnish v1 -errvcl {vmod gcrypt error: empty blob in gcrypt.wipe()} {
-	import blobcode;
+	import blob;
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
 	backend b { .host = "${bad_ip}"; }
 
 	sub vcl_init {
-		new empty = blobcode.blob(encoded="");
+		new empty = blob.blob(encoded="");
 		gcrypt.wipe(empty.get());
 	}
 }

src/vmod_gcrypt.vcc

@@ -5,7 +5,7 @@
 # Author: Geoffrey Simmons <geoffrey.simmons@uplex.de>
 #
 
-$Module gcrypt 3 access the libgcrypt cryptographic library
+$Module gcrypt 3 "access the libgcrypt cryptographic library"
 
 ::
 
@@ -50,13 +50,13 @@ allows the VMOD to concentrate strictly on cryptographic operations,
 separate from concerns of binary-to-text encodings. BLOBs are not
 created by any part of native VCL, and can only be created by other
 VMODs, so it is necessary to use this VMOD together with another one
-that does so (such as VMOD ``blobcode`` for binary-to-text encodings,
-see `SEE ALSO`_).
+that does so (such as VMOD ``blob`` for binary-to-text encodings,
+which is part of varnish-cache).
 
 This is a simple usage example::
 
   import gcrypt;
-  import blobcode;
+  import blob;
 
   sub vcl_init {
       # Finalize default initialization of the libgcrypt library.
@@ -76,19 +76,19 @@ This is a simple usage example::
   # response header X-Cipher, and the hex-encoded counter vector to
   # the response header X-Ctr; and remove X-Msg from the response.
   sub vcl_deliver {
-      # Use the blobcode VMOD to convert the contents of X-Msg to a
+      # Use the blob VMOD to convert the contents of X-Msg to a
       # BLOB, and to encode the encrypted ciphertext in hex with
       # lower-case digits. Use the random() function to generate a
       # counter vector as a 128 bit nonce.
       set resp.http.X-Cipher
-          = blobcode.encode(HEXLC,
-              aes.encrypt(blobcode.decode(encoded=req.http.X-Msg),
+          = blob.encode(HEXLC,
+              aes.encrypt(blob.decode(encoded=req.http.X-Msg),
                           ctr=gcrypt.random(NONCE, 16B)));
 
       # Use the no-argument version of random() to retrieve the
       # counter vector that was just generated, and use the
-      # blobcode VMOD to encode it as lower-case hex.
-      set resp.http.X-CTR = blobcode.encode(HEXLC, gcrypt.random());
+      # blob VMOD to encode it as lower-case hex.
+      set resp.http.X-CTR = blob.encode(HEXLC, gcrypt.random());
 
       # Remove the plaintext from the response header.
       unset resp.http.X-Msg;
@@ -313,21 +313,21 @@ of the VCL load with an error message, under these conditions:
 Examples::
 
   import gcrypt;
-  import blobcode;
+  import blob;
 
   # Assume in the following that initialization has been finalized.
 
   sub vcl_init {
-      # Use the blobcode VMOD to create some BLOBs for the cryptographic
+      # Use the blob VMOD to create some BLOBs for the cryptographic
       # keys, whose lengths are 16, 24 and 32 bytes for AES-128, -192
       # and -256, respectively.
       # NOTE: The keys used in this manual's examples are chosen to
       # make the key lengths easy to recognize. DO NOT copy them
       # into production VCL!
-      new k128 = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f");
-      new k192 = blobcode.blob(HEX,
+      new k128 = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
+      new k192 = blob.blob(HEX,
                     "000102030405060708090a0b0c0d0e0f1011121314151617");
-      new k256 = blobcode.blob(HEX,
+      new k256 = blob.blob(HEX,
     "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f");
 
       # Create an object for AES-128 with CTR mode (no padding
@@ -387,19 +387,19 @@ Examples::
   sub vcl_deliver {
       # Encrypt X-Msg-128 with AES-128 and the counter vector, and
       # return the ciphertext in a base64-encoded response header.
-      set resp.http.X-Cipher-128 = blobcode.encode(BASE64,
-          aes128.encrypt(blobcode.decode(encoded=resp.http.X-Msg-128),
-                         ctr=blobcode.decode(BASE64, resp.http.X-Ctr)));
+      set resp.http.X-Cipher-128 = blob.encode(BASE64,
+          aes128.encrypt(blob.decode(encoded=resp.http.X-Msg-128),
+                         ctr=blob.decode(BASE64, resp.http.X-Ctr)));
 
       # Encrypt X-Msg-192 with AES-192 and init vector X-IV-192.
-      set resp.http.X-Cipher-192 = blobcode.encode(BASE64,
-          aes192.encrypt(blobcode.decode(encoded=resp.http.X-Msg-192),
-                         iv=blobcode.decode(BASE64, resp.http.X-IV-192)));
+      set resp.http.X-Cipher-192 = blob.encode(BASE64,
+          aes192.encrypt(blob.decode(encoded=resp.http.X-Msg-192),
+                         iv=blob.decode(BASE64, resp.http.X-IV-192)));
 
       # Encrypt X-Msg-256 with AES-256 and init vector X-IV-256.
-      set resp.http.X-Cipher-256 = blobcode.encode(BASE64,
-          aes256.encrypt(blobcode.decode(encoded=resp.http.X-Msg-256),
-                         iv=blobcode.decode(BASE64, resp.http.X-IV-256)));
+      set resp.http.X-Cipher-256 = blob.encode(BASE64,
+          aes256.encrypt(blob.decode(encoded=resp.http.X-Msg-256),
+                         iv=blob.decode(BASE64, resp.http.X-IV-256)));
   }
 
 $Method BLOB .decrypt(BLOB ciphertext, [BLOB iv], [BLOB ctr])
@@ -441,19 +441,19 @@ Examples::
   sub vcl_recv {
       # Decrypt X-Msg-128 with AES-128 and the counter vector, and
       # return the plaintext in a base64-encoded request header.
-      set req.http.X-Cipher-128 = blobcode.encode(BASE64,
-          aes128.decrypt(blobcode.decode(encoded=req.http.X-Msg-128),
-                         ctr=blobcode.decode(BASE64, req.http.X-Ctr)));
+      set req.http.X-Cipher-128 = blob.encode(BASE64,
+          aes128.decrypt(blob.decode(encoded=req.http.X-Msg-128),
+                         ctr=blob.decode(BASE64, req.http.X-Ctr)));
 
       # Decrypt X-Msg-192 with AES-192 and init vector X-IV-192.
-      set req.http.X-Cipher-192 = blobcode.encode(BASE64,
-          aes192.decrypt(blobcode.decode(encoded=req.http.X-Msg-192),
-                         iv=blobcode.decode(BASE64, req.http.X-IV-192)));
+      set req.http.X-Cipher-192 = blob.encode(BASE64,
+          aes192.decrypt(blob.decode(encoded=req.http.X-Msg-192),
+                         iv=blob.decode(BASE64, req.http.X-IV-192)));
 
       # Decrypt X-Msg-256 with AES-256 and init vector X-IV-256.
-      set req.http.X-Cipher-256 = blobcode.encode(BASE64,
-          aes256.decrypt(blobcode.decode(encoded=req.http.X-Msg-256),
-                         iv=blobcode.decode(BASE64, req.http.X-IV-256)));
+      set req.http.X-Cipher-256 = blob.encode(BASE64,
+          aes256.decrypt(blob.decode(encoded=req.http.X-Msg-256),
+                         iv=blob.decode(BASE64, req.http.X-IV-256)));
   }
 
 $Function BLOB fileread(PRIV_TASK, STRING path)
@@ -542,7 +542,7 @@ Example::
                                     key=gcrypt.fileread("/path/to/key"));
   }
 
-$Function BLOB random(PRIV_TASK, ENUM {STRONG, VERY_STRONG, NONCE} quality=0,
+$Function BLOB random(PRIV_TASK, [ENUM {STRONG, VERY_STRONG, NONCE} quality],
 		      BYTES n=0)
 
 Return a BLOB containing ``n`` bytes of pseudo-random data. The
@@ -617,14 +617,14 @@ Example::
       # cipher in use -- 128 bits (16 bytes) for AES. For CBC, the IV
       # MUST be unpredictable, so we use quality level STRONG.
       set resp.http.X-Encrypted
-          = blobcode.encode(BASE64,
-              aes192.encrypt(blobcode.decode(encoded=resp.http.X-Msg),
+          = blob.encode(BASE64,
+              aes192.encrypt(blob.decode(encoded=resp.http.X-Msg),
                              iv=gcrypt.random(STRONG, 16B)));
 
       # Now call random() with no arguments to retrive the IV that
       # was generated, to be sent in the base64-encoded response
       # header X-IV.
-      set resp.http.X-IV = blobcode.encode(BASE64, gcrypt.random());
+      set resp.http.X-IV = blob.encode(BASE64, gcrypt.random());
 
       # Remove the plaintext from the response header.
       unset resp.http.X-Msg;
@@ -715,7 +715,7 @@ Example::
   # secure memory, wipe the BLOB from which the key was read.  This
   # ensures that the key is only stored in secure memory.
   sub vcl_init {
-      new k = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f");
+      new k = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
       new aes = gcrypt.symmetric(AES, CTR, key=k.get(), secure=true);
       gcrypt.wipe(key.get());
   }
@@ -840,7 +840,7 @@ enter into cryptographic operations -- keys, plaintexts, ciphertexts,
 IVs and counters. But these are typically obtained from sources that
 are readable from other elements of Varnish.
 
-As can be seen in the examples above that use VMOD blobcode to create
+As can be seen in the examples above that use VMOD blob to create
 key objects, the contents of a key are readable in the VCL source.  If
 you are using the VMOD that way, consider storing VCL sources so that
 they are only readable by the owner of the Varnish child process.
@@ -938,7 +938,6 @@ SEE ALSO
 * pthread_key_create(3)
 * libgcrypt: https://gnupg.org/software/libgcrypt/index.html
 * source repository: https://code.uplex.de/uplex-varnish/libvmod-gcrypt
-* VMOD blobcode: https://code.uplex.de/uplex-varnish/libvmod-blobcode
 * developer contact: <varnish-support@uplex.de>, and at the source
   repository site