Skip to content

L
libvmod-gcrypt
Unverified Commit 808a8eee authored by Nils Goroll's avatar Nils Goroll
1 Browse files
Options

adjust to current varnish-cache (6.4 / post-6.4 master) 

The changes are mostly mechanical

- replace use of the blobcode vmod with vmod blob and adjust to new
  function signatures
- use struct vrt_blob for blobs and adjust to new struct members
- use separate pointers for generating output (blobs are const)
- use optional arguments for functions (minimal adjustments of
  existing code)
- replace WS_Reserve() with WS_ReserveAll()
- wipe needs the TRUST_ME() macro to un-const blobs

unresolved issues:

- padding errors lead to "vmod blob error: cannot encode, out of space",
  the respective tests have been moved to
  tests.disabled/padding_error.vtc
parent 9e6cf927
Hide whitespace changes
Inline Side-by-side
Showing with 828 additions and 805 deletions
README.rst
View file @ 808a8eee
..
.. NB: This file is machine generated, DO NOT EDIT!
..
.. Edit vmod.vcc and run make instead
.. Edit ../src/vmod_gcrypt.vcc and run make instead
..
.. role:: ref(emphasis)
.. _vmod_gcrypt(3):
===========
vmod_gcrypt
===========
......@@ -21,9 +19,34 @@ access the libgcrypt cryptographic library
SYNOPSIS
========
import gcrypt [from "path"] ;
.. parsed-literal::
import gcrypt [as name] [from "path"]
VOID init(ENUM, BYTES n)
new xsymmetric = gcrypt.symmetric(ENUM cipher, ENUM mode, ENUM padding, BLOB key, BOOL secure, BOOL cbc_cts)
BLOB xsymmetric.encrypt(BLOB plaintext, [BLOB iv], [BLOB ctr])
BLOB xsymmetric.decrypt(BLOB ciphertext, [BLOB iv], [BLOB ctr])
BLOB fileread(STRING path)
BLOB random([ENUM quality], BYTES n)
INT random_int(ENUM quality, INT bound)
REAL random_real(ENUM)
BOOL random_bool(ENUM)
VOID wipe(BLOB)
STRING version()
STRING gcrypt_version()
::
gcrypt.init(ENUM {INIT_SECMEM, DISABLE_SECMEM} [, BYTES n])
......@@ -67,13 +90,13 @@ allows the VMOD to concentrate strictly on cryptographic operations,
separate from concerns of binary-to-text encodings. BLOBs are not
created by any part of native VCL, and can only be created by other
VMODs, so it is necessary to use this VMOD together with another one
that does so (such as VMOD ``blobcode`` for binary-to-text encodings,
see `SEE ALSO`_).
that does so (such as VMOD ``blob`` for binary-to-text encodings,
which is part of varnish-cache).
This is a simple usage example::
import gcrypt;
import blobcode;
import blob;
sub vcl_init {
# Finalize default initialization of the libgcrypt library.
......@@ -93,19 +116,19 @@ This is a simple usage example::
# response header X-Cipher, and the hex-encoded counter vector to
# the response header X-Ctr; and remove X-Msg from the response.
sub vcl_deliver {
# Use the blobcode VMOD to convert the contents of X-Msg to a
# Use the blob VMOD to convert the contents of X-Msg to a
# BLOB, and to encode the encrypted ciphertext in hex with
# lower-case digits. Use the random() function to generate a
# counter vector as a 128 bit nonce.
set resp.http.X-Cipher
= blobcode.encode(HEXLC,
aes.encrypt(blobcode.decode(encoded=req.http.X-Msg),
= blob.encode(HEXLC,
aes.encrypt(blob.decode(encoded=req.http.X-Msg),
ctr=gcrypt.random(NONCE, 16B)));
# Use the no-argument version of random() to retrieve the
# counter vector that was just generated, and use the
# blobcode VMOD to encode it as lower-case hex.
set resp.http.X-CTR = blobcode.encode(HEXLC, gcrypt.random());
# blob VMOD to encode it as lower-case hex.
set resp.http.X-CTR = blob.encode(HEXLC, gcrypt.random());
# Remove the plaintext from the response header.
unset resp.http.X-Msg;
......@@ -161,28 +184,14 @@ described below), but if it does:
* A Varnish panic is invoked with the error message from libgcrypt.
CONTENTS
========
.. _gcrypt.init():
* VOID init(ENUM {INIT_SECMEM,DISABLE_SECMEM,FINISH}, BYTES)
* symmetric(ENUM {AES,AES128,RIJNDAEL,RIJNDAEL128,AES192,RIJNDAEL192,AES256,RIJNDAEL256}, ENUM {ECB,CFB,CBC,OFB,CTR}, ENUM {PKCS7,ISO7816,X923,NONE}, BLOB, BOOL, BOOL)
* BLOB fileread(PRIV_TASK, STRING)
* BLOB random(PRIV_TASK, ENUM {STRONG,VERY_STRONG,NONCE}, BYTES)
* INT random_int(ENUM {STRONG,NONCE}, INT)
* REAL random_real(ENUM {STRONG,NONCE})
* BOOL random_bool(ENUM {STRONG,NONCE})
* VOID wipe(BLOB)
* STRING version()
* STRING gcrypt_version()
.. _func_init:
init
----
VOID init(ENUM, BYTES n)
------------------------
::
VOID init(ENUM {INIT_SECMEM,DISABLE_SECMEM,FINISH}, BYTES n=1)
VOID init(ENUM {INIT_SECMEM, DISABLE_SECMEM, FINISH}, BYTES n=1)
Initialize the libgcrypt library, currently to manage the use of
secure memory. The ENUM specifies an operation for initialization.
......@@ -194,9 +203,15 @@ created; details below.
With ``INIT_SECMEM``, you can configure the size of the secure memory
pool to ``n`` bytes (the ``n`` parameter is ignored for the other
ENUMs). The data type for ``n`` is BYTES, so the value must be written
with a suffix such as B or KB. Secure memory is enabled by default and
set to a default size (32 KiB in libgcrypt 1.6.3), so you don't have
to call ``init()`` with ``INIT_SECMEM`` to use the default.
with a suffix such as B or KB. Secure memory is enabled by default
and, if configured, a minimum size is enforced by libgcrypt (32 KiB in
libgcrypt 1.6.3), so you don't have to call ``init()`` with
``INIT_SECMEM`` to use the default.
The most likely cause for ``INIT_SECMEM`` to fail with ``Cannot
initialize secure memory ... gcrypt/General error`` is that locking
the memory failed. In this case ensure that the resource limits are
configured appropriately (check ``ulimit -l``).
Setting ``n`` to 0B with ``INIT_SECMEM`` disables secure memory, and
hence has the same effect as calling ``init(DISABLE_SECMEM)``. If
......@@ -268,14 +283,21 @@ Examples::
gcrypt.init(FINISH);
}
.. _obj_symmetric:
.. _gcrypt.symmetric():
symmetric
---------
new xsymmetric = gcrypt.symmetric(ENUM cipher, ENUM mode, ENUM padding, BLOB key, BOOL secure, BOOL cbc_cts)
------------------------------------------------------------------------------------------------------------
::
new OBJ = symmetric(ENUM {AES,AES128,RIJNDAEL,RIJNDAEL128,AES192,RIJNDAEL192,AES256,RIJNDAEL256} cipher, ENUM {ECB,CFB,CBC,OFB,CTR} mode, ENUM {PKCS7,ISO7816,X923,NONE} padding="PKCS7", BLOB key, BOOL secure=0, BOOL cbc_cts=0)
new xsymmetric = gcrypt.symmetric(
ENUM {AES, AES128, RIJNDAEL, RIJNDAEL128, AES192, RIJNDAEL192, AES256, RIJNDAEL256} cipher,
ENUM {ECB, CFB, CBC, OFB, CTR} mode,
ENUM {PKCS7, ISO7816, X923, NONE} padding=PKCS7,
BLOB key,
BOOL secure=0,
BOOL cbc_cts=0
)
Create an object for encryption and decryption with symmetric ciphers.
Currently, only AES is supported, with key lengths 128, 192 and 256.
......@@ -349,21 +371,21 @@ of the VCL load with an error message, under these conditions:
Examples::
import gcrypt;
import blobcode;
import blob;
# Assume in the following that initialization has been finalized.
sub vcl_init {
# Use the blobcode VMOD to create some BLOBs for the cryptographic
# Use the blob VMOD to create some BLOBs for the cryptographic
# keys, whose lengths are 16, 24 and 32 bytes for AES-128, -192
# and -256, respectively.
# NOTE: The keys used in this manual's examples are chosen to
# make the key lengths easy to recognize. DO NOT copy them
# into production VCL!
new k128 = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new k192 = blobcode.blob(HEX,
new k128 = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new k192 = blob.blob(HEX,
"000102030405060708090a0b0c0d0e0f1011121314151617");
new k256 = blobcode.blob(HEX,
new k256 = blob.blob(HEX,
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f");
# Create an object for AES-128 with CTR mode (no padding
......@@ -381,14 +403,14 @@ Examples::
cbc_cts=true, secure=true);
}
.. _func_symmetric.encrypt:
.. _xsymmetric.encrypt():
symmetric.encrypt
-----------------
BLOB xsymmetric.encrypt(BLOB plaintext, [BLOB iv], [BLOB ctr])
--------------------------------------------------------------
::
BLOB symmetric.encrypt(BLOB plaintext, BLOB iv=0, BLOB ctr=0)
BLOB xsymmetric.encrypt(BLOB plaintext, [BLOB iv], [BLOB ctr])
Encrypt the contents of ``plaintext`` according to the parameters
specified for this ``symmetric`` object, and return the ciphertext as
......@@ -430,29 +452,29 @@ Examples::
sub vcl_deliver {
# Encrypt X-Msg-128 with AES-128 and the counter vector, and
# return the ciphertext in a base64-encoded response header.
set resp.http.X-Cipher-128 = blobcode.encode(BASE64,
aes128.encrypt(blobcode.decode(encoded=resp.http.X-Msg-128),
ctr=blobcode.decode(BASE64, resp.http.X-Ctr)));
set resp.http.X-Cipher-128 = blob.encode(BASE64,
aes128.encrypt(blob.decode(encoded=resp.http.X-Msg-128),
ctr=blob.decode(BASE64, resp.http.X-Ctr)));
# Encrypt X-Msg-192 with AES-192 and init vector X-IV-192.
set resp.http.X-Cipher-192 = blobcode.encode(BASE64,
aes192.encrypt(blobcode.decode(encoded=resp.http.X-Msg-192),
iv=blobcode.decode(BASE64, resp.http.X-IV-192)));
set resp.http.X-Cipher-192 = blob.encode(BASE64,
aes192.encrypt(blob.decode(encoded=resp.http.X-Msg-192),
iv=blob.decode(BASE64, resp.http.X-IV-192)));
# Encrypt X-Msg-256 with AES-256 and init vector X-IV-256.
set resp.http.X-Cipher-256 = blobcode.encode(BASE64,
aes256.encrypt(blobcode.decode(encoded=resp.http.X-Msg-256),
iv=blobcode.decode(BASE64, resp.http.X-IV-256)));
set resp.http.X-Cipher-256 = blob.encode(BASE64,
aes256.encrypt(blob.decode(encoded=resp.http.X-Msg-256),
iv=blob.decode(BASE64, resp.http.X-IV-256)));
}
.. _func_symmetric.decrypt:
.. _xsymmetric.decrypt():
symmetric.decrypt
-----------------
BLOB xsymmetric.decrypt(BLOB ciphertext, [BLOB iv], [BLOB ctr])
---------------------------------------------------------------
::
BLOB symmetric.decrypt(BLOB ciphertext, BLOB iv=0, BLOB ctr=0)
BLOB xsymmetric.decrypt(BLOB ciphertext, [BLOB iv], [BLOB ctr])
Decrypt the contents of ``ciphertext`` according to the parameters
specified for this ``symmetric`` object, and return the plaintext as
......@@ -491,29 +513,25 @@ Examples::
sub vcl_recv {
# Decrypt X-Msg-128 with AES-128 and the counter vector, and
# return the plaintext in a base64-encoded request header.
set req.http.X-Cipher-128 = blobcode.encode(BASE64,
aes128.decrypt(blobcode.decode(encoded=req.http.X-Msg-128),
ctr=blobcode.decode(BASE64, req.http.X-Ctr)));
set req.http.X-Cipher-128 = blob.encode(BASE64,
aes128.decrypt(blob.decode(encoded=req.http.X-Msg-128),
ctr=blob.decode(BASE64, req.http.X-Ctr)));
# Decrypt X-Msg-192 with AES-192 and init vector X-IV-192.
set req.http.X-Cipher-192 = blobcode.encode(BASE64,
aes192.decrypt(blobcode.decode(encoded=req.http.X-Msg-192),
iv=blobcode.decode(BASE64, req.http.X-IV-192)));
set req.http.X-Cipher-192 = blob.encode(BASE64,
aes192.decrypt(blob.decode(encoded=req.http.X-Msg-192),
iv=blob.decode(BASE64, req.http.X-IV-192)));
# Decrypt X-Msg-256 with AES-256 and init vector X-IV-256.
set req.http.X-Cipher-256 = blobcode.encode(BASE64,
aes256.decrypt(blobcode.decode(encoded=req.http.X-Msg-256),
iv=blobcode.decode(BASE64, req.http.X-IV-256)));
set req.http.X-Cipher-256 = blob.encode(BASE64,
aes256.decrypt(blob.decode(encoded=req.http.X-Msg-256),
iv=blob.decode(BASE64, req.http.X-IV-256)));
}
.. _func_fileread:
fileread
--------
::
.. _gcrypt.fileread():
BLOB fileread(PRIV_TASK, STRING path)
BLOB fileread(STRING path)
--------------------------
Return the contents of the file at ``path`` in a BLOB. This function
is provided for the specific purpose of reading sensitive data that
......@@ -599,14 +617,17 @@ Example::
key=gcrypt.fileread("/path/to/key"));
}
.. _func_random:
.. _gcrypt.random():
random
------
BLOB random([ENUM quality], BYTES n)
------------------------------------
::
BLOB random(PRIV_TASK, ENUM {STRONG,VERY_STRONG,NONCE} quality=0, BYTES n=0)
BLOB random(
[ENUM {STRONG, VERY_STRONG, NONCE} quality],
BYTES n=0
)
Return a BLOB containing ``n`` bytes of pseudo-random data. The
cryptographic strength of random number generation is determined by
......@@ -680,27 +701,23 @@ Example::
# cipher in use -- 128 bits (16 bytes) for AES. For CBC, the IV
# MUST be unpredictable, so we use quality level STRONG.
set resp.http.X-Encrypted
= blobcode.encode(BASE64,
aes192.encrypt(blobcode.decode(encoded=resp.http.X-Msg),
= blob.encode(BASE64,
aes192.encrypt(blob.decode(encoded=resp.http.X-Msg),
iv=gcrypt.random(STRONG, 16B)));
# Now call random() with no arguments to retrive the IV that
# was generated, to be sent in the base64-encoded response
# header X-IV.
set resp.http.X-IV = blobcode.encode(BASE64, gcrypt.random());
set resp.http.X-IV = blob.encode(BASE64, gcrypt.random());
# Remove the plaintext from the response header.
unset resp.http.X-Msg;
}
.. _func_random_int:
random_int
----------
::
.. _gcrypt.random_int():
INT random_int(ENUM {STRONG,NONCE} quality, INT bound=0)
INT random_int(ENUM {STRONG, NONCE} quality, INT bound=0)
---------------------------------------------------------
Returns a random integer, using the random number generator with the
quality level specified by the ENUM ``quality``. These are the same
......@@ -723,14 +740,10 @@ Example::
# Assign a random group number from 0 to 99 to a request.
set req.http.X-Group = gcrypt.random_int(NONCE, 100);
.. _func_random_real:
.. _gcrypt.random_real():
random_real
-----------
::
REAL random_real(ENUM {STRONG,NONCE})
REAL random_real(ENUM {STRONG, NONCE})
--------------------------------------
Returns a random REAL that is greater than or equal to 0.0 and less
than 1.0, using the random number generator with the specified quality
......@@ -753,14 +766,10 @@ Example::
# Assign an unpredictable REAL from -1.0 to 1.0 to a request.
set req.http.X-Real = gcrypt.random_real(STRONG) * 2 - 1;
.. _func_random_bool:
.. _gcrypt.random_bool():
random_bool
-----------
::
BOOL random_bool(ENUM {STRONG,NONCE})
BOOL random_bool(ENUM {STRONG, NONCE})
--------------------------------------
Returns a random boolean using the randomness generator with the
specified quality level. The permitted levels are ``NONCE`` and
......@@ -783,14 +792,10 @@ Example::
call do_that;
}
.. _func_wipe:
wipe
----
::
.. _gcrypt.wipe():
VOID wipe(BLOB)
VOID wipe(BLOB)
---------------
Overwrites the memory region denoted by the BLOB, leaving it with all
zeroes.
......@@ -806,19 +811,15 @@ Example::
# secure memory, wipe the BLOB from which the key was read. This
# ensures that the key is only stored in secure memory.
sub vcl_init {
new k = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new k = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new aes = gcrypt.symmetric(AES, CTR, key=k.get(), secure=true);
gcrypt.wipe(key.get());
}
.. _func_version:
.. _gcrypt.version():
version
-------
::
STRING version()
STRING version()
----------------
Returns the version string for this VMOD.
......@@ -826,14 +827,10 @@ Example::
std.log("Using VMOD gcrypt version " + gcrypt.version());
.. _func_gcrypt_version:
gcrypt_version
--------------
.. _gcrypt.gcrypt_version():
::
STRING gcrypt_version()
STRING gcrypt_version()
-----------------------
Returns the version string for the ``libgcrypt`` library with which
the VMOD is linked.
......@@ -945,7 +942,7 @@ enter into cryptographic operations -- keys, plaintexts, ciphertexts,
IVs and counters. But these are typically obtained from sources that
are readable from other elements of Varnish.
As can be seen in the examples above that use VMOD blobcode to create
As can be seen in the examples above that use VMOD blob to create
key objects, the contents of a key are readable in the VCL source. If
you are using the VMOD that way, consider storing VCL sources so that
they are only readable by the owner of the Varnish child process.
......@@ -1043,7 +1040,6 @@ SEE ALSO
* pthread_key_create(3)
* libgcrypt: https://gnupg.org/software/libgcrypt/index.html
* source repository: https://code.uplex.de/uplex-varnish/libvmod-gcrypt
* VMOD blobcode: https://code.uplex.de/uplex-varnish/libvmod-blobcode
* developer contact: <varnish-support@uplex.de>, and at the source
repository site
......@@ -1057,4 +1053,3 @@ COPYRIGHT
Author: Geoffrey Simmons <geoffrey.simmons@uplex.de>
src/tests.disabled/padding_error.vtc 0 → 100644
View file @ 808a8eee
# looks like -*- vcl -*-
varnishtest "padding"
varnish v1 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
gcrypt.init(FINISH);
}
} -start
# Padding errors
#
# XXX these tests lead to "vmod blob error: cannot encode, out of space"
# even for workspace_client=512k
varnish v1 -vcl {
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k1 = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new none = gcrypt.symmetric(AES, ECB, NONE, key=k1.get());
new pkcs7 = gcrypt.symmetric(AES, ECB, PKCS7, key=k1.get());
new iso7816 = gcrypt.symmetric(AES, ECB, ISO7816, key=k1.get());
new x923 = gcrypt.symmetric(AES, ECB, X923, key=k1.get());
new foo_pkcs7_1
= blob.blob(HEX, "666F6F0E0D0D0D0D0D0D0D0D0D0D0D0D");
new foo_pkcs7_2
= blob.blob(HEX, "666F6F0D0D0D0D0D0D0D0D0D0D0D0D11");
new foo_iso7816_1
= blob.blob(HEX, "666F6F80000000000001000000000000");
new foo_iso7816_2
= blob.blob(HEX, "666F6F00000000000000000000000000");
new foo_x923_1
= blob.blob(HEX, "666F6F0000000001000000000000000D");
new foo_x923_2
= blob.blob(HEX, "666F6F00000000000000000000000011");
new empty_pkcs7_1
= blob.blob(HEX, "0F101010101010101010101010101010");
new empty_pkcs7_2
= blob.blob(HEX, "10101010101010101010101010101011");
new empty_iso7816_1
= blob.blob(HEX, "00000000000000000000000000000000");
new empty_iso7816_2
= blob.blob(HEX, "80010000000000000000000000000000");
new empty_x923_1
= blob.blob(HEX, "01000000000000000000000000000010");
new empty_x923_2
= blob.blob(HEX, "00000000000000000000000000000011");
}
sub vcl_recv {
return(synth(200));
}
sub vcl_synth {
set resp.http.foo-pkcs7-cipher-1
= blob.encode(BASE64, DEFAULT, none.encrypt(foo_pkcs7_1.get()));
set resp.http.foo-pkcs7-plain-1
= blob.encode(blob=pkcs7.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-pkcs7-cipher-1)));
set resp.http.foo-pkcs7-cipher-2
= blob.encode(BASE64, DEFAULT, none.encrypt(foo_pkcs7_2.get()));
set resp.http.foo-pkcs7-plain-2
= blob.encode(blob=pkcs7.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-pkcs7-cipher-2)));
set resp.http.foo-iso7816-cipher-1
= blob.encode(BASE64, DEFAULT, none.encrypt(foo_iso7816_1.get()));
set resp.http.foo-iso7816-plain-1
= blob.encode(blob=iso7816.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-iso7816-cipher-1)));
set resp.http.foo-iso7816-cipher-2
= blob.encode(BASE64, DEFAULT, none.encrypt(foo_iso7816_2.get()));
set resp.http.foo-iso7816-plain-2
= blob.encode(blob=iso7816.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-iso7816-cipher-2)));
set resp.http.foo-x923-cipher-1
= blob.encode(BASE64, DEFAULT, none.encrypt(foo_x923_1.get()));
set resp.http.foo-x923-plain-1
= blob.encode(blob=x923.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-x923-cipher-1)));
set resp.http.foo-x923-cipher-2
= blob.encode(BASE64, DEFAULT, none.encrypt(foo_x923_1.get()));
set resp.http.foo-x923-plain-2
= blob.encode(blob=x923.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-x923-cipher-2)));
set resp.http.empty-pkcs7-cipher-1
= blob.encode(BASE64, DEFAULT, none.encrypt(empty_pkcs7_1.get()));
set resp.http.empty-pkcs7-plain-1
= blob.encode(blob=pkcs7.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-pkcs7-cipher-1)));
set resp.http.empty-pkcs7-cipher-2
= blob.encode(BASE64, DEFAULT, none.encrypt(empty_pkcs7_2.get()));
set resp.http.empty-pkcs7-plain-2
= blob.encode(blob=pkcs7.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-pkcs7-cipher-2)));
set resp.http.empty-iso7816-cipher-1
= blob.encode(BASE64, DEFAULT, none.encrypt(empty_iso7816_1.get()));
set resp.http.empty-iso7816-plain-1
= blob.encode(blob=iso7816.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-iso7816-cipher-1)));
set resp.http.empty-iso7816-cipher-2
= blob.encode(BASE64, DEFAULT, none.encrypt(empty_iso7816_2.get()));
set resp.http.empty-iso7816-plain-2
= blob.encode(blob=iso7816.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-iso7816-cipher-2)));
set resp.http.empty-x923-cipher-1
= blob.encode(BASE64, DEFAULT, none.encrypt(empty_x923_1.get()));
set resp.http.empty-x923-plain-1
= blob.encode(blob=x923.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-x923-cipher-1)));
set resp.http.empty-x923-cipher-2
= blob.encode(BASE64, DEFAULT, none.encrypt(empty_x923_1.get()));
set resp.http.empty-x923-plain-2
= blob.encode(blob=x923.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-x923-cipher-2)));
return(deliver);
}
}
client c1 {
txreq
rxresp
expect resp.status == 200
expect resp.http.foo-pkcs7-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-pkcs7-plain-1 == ""
expect resp.http.foo-pkcs7-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-pkcs7-plain-2 == ""
expect resp.http.foo-iso7816-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-iso7816-plain-1 == ""
expect resp.http.foo-iso7816-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-iso7816-plain-2 == ""
expect resp.http.foo-x923-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-x923-plain-1 == ""
expect resp.http.foo-x923-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-x923-plain-2 == ""
expect resp.http.empty-pkcs7-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-pkcs7-plain-1 == ""
expect resp.http.empty-pkcs7-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-pkcs7-plain-2 == ""
expect resp.http.empty-iso7816-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-iso7816-plain-1 == ""
expect resp.http.empty-iso7816-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-iso7816-plain-2 == ""
expect resp.http.empty-x923-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-x923-plain-1 == ""
expect resp.http.empty-x923-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-x923-plain-2 == ""
} -run
logexpect l1 -v v1 -d 1 -q "VCL_Error" {
expect 0 * Begin req
expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
expect * = End
} -run
src/tests.disabled/random_bool.vtc
View file @ 808a8eee
......@@ -10,7 +10,7 @@ varnishtest "random_bool()"
# several threads.
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
......
src/tests.disabled/very_strong_random.vtc
View file @ 808a8eee
......@@ -10,7 +10,7 @@ varnishtest "random() at quality level VERY_STRONG"
# varnishtest -t 300
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
......@@ -20,9 +20,9 @@ varnish v1 -vcl {
sub vcl_synth {
set resp.http.very_strong
= blobcode.encode(HEXUC, gcrypt.random(VERY_STRONG, 16B));
= blob.encode(HEX, UPPER, gcrypt.random(VERY_STRONG, 16B));
set resp.http.very_strong_task
= blobcode.encode(HEXUC, gcrypt.random());
= blob.encode(HEX, UPPER, gcrypt.random());
return(deliver);
}
} -start
......
src/tests/aes.vtc
View file @ 808a8eee
......@@ -13,15 +13,15 @@ varnish v1 -vcl {
# from selftest() in libgcrypt cipher/rijndael.c
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k1 = blobcode.blob(HEX, "E8E9EAEBEDEEEFF0F2F3F4F5F7F8F9FA");
new k1 = blob.blob(HEX, "E8E9EAEBEDEEEFF0F2F3F4F5F7F8F9FA");
new aes = gcrypt.symmetric(AES, ECB, NONE, key=k1.get());
new p1 = blobcode.blob(HEX, "014BAF2278A69D331D5180103643E99A");
new c1 = blobcode.blob(HEX, "6743C3D1519AB4F2CD9A78AB09A511BD");
new p1 = blob.blob(HEX, "014BAF2278A69D331D5180103643E99A");
new c1 = blob.blob(HEX, "6743C3D1519AB4F2CD9A78AB09A511BD");
# The next 3 cipher ENUMs are just aliases for AES.
new aes128 = gcrypt.symmetric(AES128, ECB, NONE, key=k1.get());
new rijndael
......@@ -36,21 +36,21 @@ varnish v1 -vcl {
sub vcl_synth {
set resp.http.aes-ciphertext
= blobcode.encode(HEXUC, aes.encrypt(p1.get()));
= blob.encode(HEX, UPPER, aes.encrypt(p1.get()));
set resp.http.aes-plaintext
= blobcode.encode(HEXUC, aes.decrypt(c1.get()));
= blob.encode(HEX, UPPER, aes.decrypt(c1.get()));
set resp.http.aes128-ciphertext
= blobcode.encode(HEXUC, aes128.encrypt(p1.get()));
= blob.encode(HEX, UPPER, aes128.encrypt(p1.get()));
set resp.http.aes128-plaintext
= blobcode.encode(HEXUC, aes128.decrypt(c1.get()));
= blob.encode(HEX, UPPER, aes128.decrypt(c1.get()));
set resp.http.rijndael-ciphertext
= blobcode.encode(HEXUC, rijndael.encrypt(p1.get()));
= blob.encode(HEX, UPPER, rijndael.encrypt(p1.get()));
set resp.http.rijndael-plaintext
= blobcode.encode(HEXUC, rijndael.decrypt(c1.get()));
= blob.encode(HEX, UPPER, rijndael.decrypt(c1.get()));
set resp.http.rijndael128-ciphertext
= blobcode.encode(HEXUC, rijndael128.encrypt(p1.get()));
= blob.encode(HEX, UPPER, rijndael128.encrypt(p1.get()));
set resp.http.rijndael128-plaintext
= blobcode.encode(HEXUC, rijndael128.decrypt(c1.get()));
= blob.encode(HEX, UPPER, rijndael128.decrypt(c1.get()));
return(deliver);
}
}
......@@ -70,22 +70,22 @@ client c1 {
} -run
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k1 = blobcode.blob(HEX,
new k1 = blob.blob(HEX,
"04050607090A0B0C0E0F10111314151618191A1B1D1E1F20");
new aes192 = gcrypt.symmetric(AES192, ECB, NONE, key=k1.get());
new p1 = blobcode.blob(HEX, "76777475F1F2F3F4F8F9E6E777707172");
new c1 = blobcode.blob(HEX, "5D1EF20DCED6BCBC12131AC7C54788AA");
new p1 = blob.blob(HEX, "76777475F1F2F3F4F8F9E6E777707172");
new c1 = blob.blob(HEX, "5D1EF20DCED6BCBC12131AC7C54788AA");
new k2 = blobcode.blob(HEX,
new k2 = blob.blob(HEX,
"08090A0B0D0E0F10121314151718191A1C1D1E1F21222324262728292B2C2D2E");
new aes256 = gcrypt.symmetric(AES256, ECB, NONE, key=k2.get());
new p2 = blobcode.blob(HEX, "069A007FC76A459F98BAF917FEDF9521");
new c2 = blobcode.blob(HEX, "080E9517EB1677719ACF728086040AE3");
new p2 = blob.blob(HEX, "069A007FC76A459F98BAF917FEDF9521");
new c2 = blob.blob(HEX, "080E9517EB1677719ACF728086040AE3");
# RIJNDAEL192 and -256 are aliases for AES192 and -256.
new rijndael192
......@@ -100,21 +100,21 @@ varnish v1 -vcl {
sub vcl_synth {
set resp.http.aes192-ciphertext
= blobcode.encode(HEXUC, aes192.encrypt(p1.get()));
= blob.encode(HEX, UPPER, aes192.encrypt(p1.get()));
set resp.http.aes192-plaintext
= blobcode.encode(HEXUC, aes192.decrypt(c1.get()));
= blob.encode(HEX, UPPER, aes192.decrypt(c1.get()));
set resp.http.rijndael192-ciphertext
= blobcode.encode(HEXUC, rijndael192.encrypt(p1.get()));
= blob.encode(HEX, UPPER, rijndael192.encrypt(p1.get()));
set resp.http.rijndael192-plaintext
= blobcode.encode(HEXUC, rijndael192.decrypt(c1.get()));
= blob.encode(HEX, UPPER, rijndael192.decrypt(c1.get()));
set resp.http.aes256-ciphertext
= blobcode.encode(HEXUC, aes256.encrypt(p2.get()));
= blob.encode(HEX, UPPER, aes256.encrypt(p2.get()));
set resp.http.aes256-plaintext
= blobcode.encode(HEXUC, aes256.decrypt(c2.get()));
= blob.encode(HEX, UPPER, aes256.decrypt(c2.get()));
set resp.http.rijndael256-ciphertext
= blobcode.encode(HEXUC, rijndael256.encrypt(p2.get()));
= blob.encode(HEX, UPPER, rijndael256.encrypt(p2.get()));
set resp.http.rijndael256-plaintext
= blobcode.encode(HEXUC, rijndael256.decrypt(c2.get()));
= blob.encode(HEX, UPPER, rijndael256.decrypt(c2.get()));
return(deliver);
}
}
......@@ -135,50 +135,50 @@ client c1 {
# from seltest_fips_128_38a() in libgcrypt cipher/rijndael.c
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k = blobcode.blob(HEX, "2b7e151628aed2a6abf7158809cf4f3c");
new iv = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new p1 = blobcode.blob(HEX, "6bc1bee22e409f96e93d7e117393172a");
new p2 = blobcode.blob(HEX, "ae2d8a571e03ac9c9eb76fac45af8e51");
new p3 = blobcode.blob(HEX, "30c81c46a35ce411e5fbc1191a0a52ef");
new p4 = blobcode.blob(HEX, "f69f2445df4f9b17ad2b417be66c3710");
new p = blobcode.blob(HEX,
new k = blob.blob(HEX, "2b7e151628aed2a6abf7158809cf4f3c");
new iv = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new p1 = blob.blob(HEX, "6bc1bee22e409f96e93d7e117393172a");
new p2 = blob.blob(HEX, "ae2d8a571e03ac9c9eb76fac45af8e51");
new p3 = blob.blob(HEX, "30c81c46a35ce411e5fbc1191a0a52ef");
new p4 = blob.blob(HEX, "f69f2445df4f9b17ad2b417be66c3710");
new p = blob.blob(HEX,
"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710");
new c1 = blobcode.blob(HEX, "3b3fd92eb72dad20333449f8e83cfb4a");
new c1 = blob.blob(HEX, "3b3fd92eb72dad20333449f8e83cfb4a");
new aes_cfb = gcrypt.symmetric(AES, CFB, key=k.get());
new c_cfb2
= blobcode.blob(HEX, "c8a64537a0b3a93fcde3cdad9f1ce58b");
= blob.blob(HEX, "c8a64537a0b3a93fcde3cdad9f1ce58b");
new c_cfb3
= blobcode.blob(HEX, "26751f67a3cbb140b1808cf187a4f4df");
= blob.blob(HEX, "26751f67a3cbb140b1808cf187a4f4df");
new c_cfb4
= blobcode.blob(HEX, "c04b05357c5d1c0eeac4c66f9ff7f2e6");
= blob.blob(HEX, "c04b05357c5d1c0eeac4c66f9ff7f2e6");
new c_cfb
= blobcode.blob(HEX,
= blob.blob(HEX,
"3b3fd92eb72dad20333449f8e83cfb4ac8a64537a0b3a93fcde3cdad9f1ce58b26751f67a3cbb140b1808cf187a4f4dfc04b05357c5d1c0eeac4c66f9ff7f2e6");
new aes_ofb = gcrypt.symmetric(AES, OFB, key=k.get());
new c_ofb2
= blobcode.blob(HEX, "7789508d16918f03f53c52dac54ed825");
= blob.blob(HEX, "7789508d16918f03f53c52dac54ed825");
new c_ofb3
= blobcode.blob(HEX, "9740051e9c5fecf64344f7a82260edcc");
= blob.blob(HEX, "9740051e9c5fecf64344f7a82260edcc");
new c_ofb4
= blobcode.blob(HEX, "304c6528f659c77866a510d9c1d6ae5e");
= blob.blob(HEX, "304c6528f659c77866a510d9c1d6ae5e");
new c_ofb
= blobcode.blob(HEX,
= blob.blob(HEX,
"3b3fd92eb72dad20333449f8e83cfb4a7789508d16918f03f53c52dac54ed8259740051e9c5fecf64344f7a82260edcc304c6528f659c77866a510d9c1d6ae5e");
new out1
= blobcode.blob(HEX, "50fe67cc996d32b6da0937e99bafec60");
= blob.blob(HEX, "50fe67cc996d32b6da0937e99bafec60");
new out2
= blobcode.blob(HEX, "d9a4dada0892239f6b8b3d7680e15674");
= blob.blob(HEX, "d9a4dada0892239f6b8b3d7680e15674");
new out3
= blobcode.blob(HEX, "a78819583f0308e7a6bf36b1386abf23");
= blob.blob(HEX, "a78819583f0308e7a6bf36b1386abf23");
}
sub vcl_recv {
......@@ -187,65 +187,65 @@ varnish v1 -vcl {
sub vcl_synth {
set resp.http.cfb-ciphertext-1
= blobcode.encode(HEXLC, aes_cfb.encrypt(p1.get(),
= blob.encode(HEX, LOWER, aes_cfb.encrypt(p1.get(),
iv=iv.get()));
set resp.http.cfb-plaintext-1
= blobcode.encode(HEXLC, aes_cfb.decrypt(c1.get(),
= blob.encode(HEX, LOWER, aes_cfb.decrypt(c1.get(),
iv=iv.get()));
set resp.http.cfb-ciphertext-2
= blobcode.encode(HEXLC, aes_cfb.encrypt(p2.get(),
= blob.encode(HEX, LOWER, aes_cfb.encrypt(p2.get(),
iv=c1.get()));
set resp.http.cfb-plaintext-2
= blobcode.encode(HEXLC, aes_cfb.decrypt(c_cfb2.get(),
= blob.encode(HEX, LOWER, aes_cfb.decrypt(c_cfb2.get(),
iv=c1.get()));
set resp.http.cfb-ciphertext-3
= blobcode.encode(HEXLC, aes_cfb.encrypt(p3.get(),
= blob.encode(HEX, LOWER, aes_cfb.encrypt(p3.get(),
iv=c_cfb2.get()));
set resp.http.cfb-plaintext-3
= blobcode.encode(HEXLC, aes_cfb.decrypt(c_cfb3.get(),
= blob.encode(HEX, LOWER, aes_cfb.decrypt(c_cfb3.get(),
iv=c_cfb2.get()));
set resp.http.cfb-ciphertext-4
= blobcode.encode(HEXLC, aes_cfb.encrypt(p4.get(),
= blob.encode(HEX, LOWER, aes_cfb.encrypt(p4.get(),
iv=c_cfb3.get()));
set resp.http.cfb-plaintext-4
= blobcode.encode(HEXLC, aes_cfb.decrypt(c_cfb4.get(),
= blob.encode(HEX, LOWER, aes_cfb.decrypt(c_cfb4.get(),
iv=c_cfb3.get()));
set resp.http.cfb-ciphertext
= blobcode.encode(HEXLC, aes_cfb.encrypt(p.get(),
= blob.encode(HEX, LOWER, aes_cfb.encrypt(p.get(),
iv=iv.get()));
set resp.http.cfb-plaintext
= blobcode.encode(HEXLC, aes_cfb.decrypt(c_cfb.get(),
= blob.encode(HEX, LOWER, aes_cfb.decrypt(c_cfb.get(),
iv=iv.get()));
set resp.http.ofb-ciphertext-1
= blobcode.encode(HEXLC, aes_ofb.encrypt(p1.get(),
= blob.encode(HEX, LOWER, aes_ofb.encrypt(p1.get(),
iv=iv.get()));
set resp.http.ofb-plaintext-1
= blobcode.encode(HEXLC, aes_ofb.decrypt(c1.get(),
= blob.encode(HEX, LOWER, aes_ofb.decrypt(c1.get(),
iv=iv.get()));
set resp.http.ofb-ciphertext-2
= blobcode.encode(HEXLC, aes_ofb.encrypt(p2.get(),
= blob.encode(HEX, LOWER, aes_ofb.encrypt(p2.get(),
iv=out1.get()));
set resp.http.ofb-plaintext-2
= blobcode.encode(HEXLC, aes_ofb.decrypt(c_ofb2.get(),
= blob.encode(HEX, LOWER, aes_ofb.decrypt(c_ofb2.get(),
iv=out1.get()));
set resp.http.ofb-ciphertext-3
= blobcode.encode(HEXLC, aes_ofb.encrypt(p3.get(),
= blob.encode(HEX, LOWER, aes_ofb.encrypt(p3.get(),
iv=out2.get()));
set resp.http.ofb-plaintext-3
= blobcode.encode(HEXLC, aes_ofb.decrypt(c_ofb3.get(),
= blob.encode(HEX, LOWER, aes_ofb.decrypt(c_ofb3.get(),
iv=out2.get()));
set resp.http.ofb-ciphertext-4
= blobcode.encode(HEXLC, aes_ofb.encrypt(p4.get(),
= blob.encode(HEX, LOWER, aes_ofb.encrypt(p4.get(),
iv=out3.get()));
set resp.http.ofb-plaintext-4
= blobcode.encode(HEXLC, aes_ofb.decrypt(c_ofb4.get(),
= blob.encode(HEX, LOWER, aes_ofb.decrypt(c_ofb4.get(),
iv=out3.get()));
set resp.http.ofb-ciphertext
= blobcode.encode(HEXLC, aes_ofb.encrypt(p.get(),
= blob.encode(HEX, LOWER, aes_ofb.encrypt(p.get(),
iv=iv.get()));
set resp.http.ofb-plaintext
= blobcode.encode(HEXLC, aes_ofb.decrypt(c_ofb.get(),
= blob.encode(HEX, LOWER, aes_ofb.decrypt(c_ofb.get(),
iv=iv.get()));
return(deliver);
}
......@@ -284,13 +284,13 @@ client c1 {
# from check_aes128_cbc_cts_cipher() in libgcrypt tests/basic.c
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k = blobcode.blob(encoded="chicken teriyaki");
new iv = blobcode.blob(encoded="");
new k = blob.blob(encoded="chicken teriyaki");
new iv = blob.blob(encoded="");
new aes = gcrypt.symmetric(AES, CBC, key=k.get(), cbc_cts=true);
}
......@@ -302,68 +302,68 @@ varnish v1 -vcl {
set resp.http.plaintext =
"I would like the General Gau's Chicken, please, and wonton soup.";
set resp.http.ciphertext17
= blobcode.encode(HEXLC,
aes.encrypt(blobcode.decode_n(17,
encoded=resp.http.plaintext),
set resp.http.ciphertext17
= blob.encode(HEX, LOWER,
aes.encrypt(blob.decode(length=17,
encoded=resp.http.plaintext),
iv=iv.get()));
set resp.http.ciphertext31
= blobcode.encode(HEXLC,
aes.encrypt(blobcode.decode_n(31,
encoded=resp.http.plaintext),
= blob.encode(HEX, LOWER,
aes.encrypt(blob.decode(length=31,
encoded=resp.http.plaintext),
iv=iv.get()));
set resp.http.ciphertext32
= blobcode.encode(HEXLC,
aes.encrypt(blobcode.decode_n(32,
encoded=resp.http.plaintext),
= blob.encode(HEX, LOWER,
aes.encrypt(blob.decode(length=32,
encoded=resp.http.plaintext),
iv=iv.get()));
set resp.http.ciphertext47
= blobcode.encode(HEXLC,
aes.encrypt(blobcode.decode_n(47,
encoded=resp.http.plaintext),
= blob.encode(HEX, LOWER,
aes.encrypt(blob.decode(length=47,
encoded=resp.http.plaintext),
iv=iv.get()));
set resp.http.ciphertext48
= blobcode.encode(HEXLC,
aes.encrypt(blobcode.decode_n(48,
encoded=resp.http.plaintext),
= blob.encode(HEX, LOWER,
aes.encrypt(blob.decode(length=48,
encoded=resp.http.plaintext),
iv=iv.get()));
set resp.http.ciphertext64
= blobcode.encode(HEXLC,
aes.encrypt(blobcode.decode_n(64,
encoded=resp.http.plaintext),
= blob.encode(HEX, LOWER,
aes.encrypt(blob.decode(length=64,
encoded=resp.http.plaintext),
iv=iv.get()));
set resp.http.ciphertext
= blobcode.encode(HEXLC,
aes.encrypt(blobcode.decode(
encoded=resp.http.plaintext),
= blob.encode(HEX, LOWER,
aes.encrypt(blob.decode(
encoded=resp.http.plaintext),
iv=iv.get()));
set resp.http.plaintext17
= blobcode.encode(blob=aes.decrypt(blobcode.decode(HEX,
resp.http.ciphertext17),
set resp.http.plaintext17
= blob.encode(blob=aes.decrypt(blob.decode(HEX,
encoded=resp.http.ciphertext17),
iv=iv.get()));
set resp.http.plaintext31
= blobcode.encode(blob=aes.decrypt(blobcode.decode(HEX,
resp.http.ciphertext31),
set resp.http.plaintext31
= blob.encode(blob=aes.decrypt(blob.decode(HEX,
encoded=resp.http.ciphertext31),
iv=iv.get()));
set resp.http.plaintext32
= blobcode.encode(blob=aes.decrypt(blobcode.decode(HEX,
resp.http.ciphertext32),
set resp.http.plaintext32
= blob.encode(blob=aes.decrypt(blob.decode(HEX,
encoded=resp.http.ciphertext32),
iv=iv.get()));
set resp.http.plaintext47
= blobcode.encode(blob=aes.decrypt(blobcode.decode(HEX,
resp.http.ciphertext47),
set resp.http.plaintext47
= blob.encode(blob=aes.decrypt(blob.decode(HEX,
encoded=resp.http.ciphertext47),
iv=iv.get()));
set resp.http.plaintext48
= blobcode.encode(blob=aes.decrypt(blobcode.decode(HEX,
resp.http.ciphertext48),
set resp.http.plaintext48
= blob.encode(blob=aes.decrypt(blob.decode(HEX,
encoded=resp.http.ciphertext48),
iv=iv.get()));
set resp.http.plaintext64
= blobcode.encode(blob=aes.decrypt(blobcode.decode(HEX,
resp.http.ciphertext64),
set resp.http.plaintext64
= blob.encode(blob=aes.decrypt(blob.decode(HEX,
encoded=resp.http.ciphertext64),
iv=iv.get()));
set resp.http.plaintext
= blobcode.encode(blob=aes.decrypt(blobcode.decode(HEX,
resp.http.ciphertext),
set resp.http.plaintext
= blob.encode(blob=aes.decrypt(blob.decode(HEX,
encoded=resp.http.ciphertext),
iv=iv.get()));
return(deliver);
......@@ -392,67 +392,67 @@ client c1 {
# from check_ctr_cipher() in libgcrypt tests/basic.c
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new ctr1 = blobcode.blob(HEX,
new ctr1 = blob.blob(HEX,
"f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff");
new ctr2 = blobcode.blob(HEX,
new ctr2 = blob.blob(HEX,
"f0f1f2f3f4f5f6f7f8f9fafbfcfdff00");
new ctr3 = blobcode.blob(HEX,
new ctr3 = blob.blob(HEX,
"f0f1f2f3f4f5f6f7f8f9fafbfcfdff01");
new ctr4 = blobcode.blob(HEX,
new ctr4 = blob.blob(HEX,
"f0f1f2f3f4f5f6f7f8f9fafbfcfdff02");
new p1 = blobcode.blob(HEX, "6bc1bee22e409f96e93d7e117393172a");
new p2 = blobcode.blob(HEX, "ae2d8a571e03ac9c9eb76fac45af8e51");
new p3 = blobcode.blob(HEX, "30c81c46a35ce411e5fbc1191a0a52ef");
new p4 = blobcode.blob(HEX, "f69f2445df4f9b17ad2b417be66c3710");
new p = blobcode.blob(HEX,
new p1 = blob.blob(HEX, "6bc1bee22e409f96e93d7e117393172a");
new p2 = blob.blob(HEX, "ae2d8a571e03ac9c9eb76fac45af8e51");
new p3 = blob.blob(HEX, "30c81c46a35ce411e5fbc1191a0a52ef");
new p4 = blob.blob(HEX, "f69f2445df4f9b17ad2b417be66c3710");
new p = blob.blob(HEX,
"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710");
new k128 = blobcode.blob(HEX,
new k128 = blob.blob(HEX,
"2b7e151628aed2a6abf7158809cf4f3c");
new aes128 = gcrypt.symmetric(AES, CTR, key=k128.get());
new c128_1 = blobcode.blob(HEX,
new c128_1 = blob.blob(HEX,
"874d6191b620e3261bef6864990db6ce");
new c128_2 = blobcode.blob(HEX,
new c128_2 = blob.blob(HEX,
"9806f66b7970fdff8617187bb9fffdff");
new c128_3 = blobcode.blob(HEX,
new c128_3 = blob.blob(HEX,
"5ae4df3edbd5d35e5b4f09020db03eab");
new c128_4 = blobcode.blob(HEX,
new c128_4 = blob.blob(HEX,
"1e031dda2fbe03d1792170a0f3009cee");
new c128 = blobcode.blob(HEX,
new c128 = blob.blob(HEX,
"874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee");
new k192 = blobcode.blob(HEX,
new k192 = blob.blob(HEX,
"8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b");
new aes192 = gcrypt.symmetric(AES192, CTR, key=k192.get());
new c192_1 = blobcode.blob(HEX,
new c192_1 = blob.blob(HEX,
"1abc932417521ca24f2b0459fe7e6e0b");
new c192_2 = blobcode.blob(HEX,
new c192_2 = blob.blob(HEX,
"090339ec0aa6faefd5ccc2c6f4ce8e94");
new c192_3 = blobcode.blob(HEX,
new c192_3 = blob.blob(HEX,
"1e36b26bd1ebc670d1bd1d665620abf7");
new c192_4 = blobcode.blob(HEX,
new c192_4 = blob.blob(HEX,
"4f78a7f6d29809585a97daec58c6b050");
new c192 = blobcode.blob(HEX,
new c192 = blob.blob(HEX,
"1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e941e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050");
new k256 = blobcode.blob(HEX,
new k256 = blob.blob(HEX,
"603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4");
new aes256 = gcrypt.symmetric(AES256, CTR, key=k256.get());
new c256_1 = blobcode.blob(HEX,
new c256_1 = blob.blob(HEX,
"601ec313775789a5b7a7f504bbf3d228");
new c256_2 = blobcode.blob(HEX,
new c256_2 = blob.blob(HEX,
"f443e3ca4d62b59aca84e990cacaf5c5");
new c256_3 = blobcode.blob(HEX,
new c256_3 = blob.blob(HEX,
"2b0930daa23de94ce87017ba2d84988d");
new c256_4 = blobcode.blob(HEX,
new c256_4 = blob.blob(HEX,
"dfc9c58db67aada613c2dd08457941a6");
new c256 = blobcode.blob(HEX,
new c256 = blob.blob(HEX,
"601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c52b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6");
}
......@@ -461,67 +461,67 @@ varnish v1 -vcl {
}
sub vcl_synth {
set resp.http.c128-1 = blobcode.encode(HEXLC,
set resp.http.c128-1 = blob.encode(HEX, LOWER,
aes128.encrypt(p1.get(), ctr=ctr1.get()));
set resp.http.p128-1 = blobcode.encode(HEXLC,
set resp.http.p128-1 = blob.encode(HEX, LOWER,
aes128.decrypt(c128_1.get(), ctr=ctr1.get()));
set resp.http.c128-2 = blobcode.encode(HEXLC,
set resp.http.c128-2 = blob.encode(HEX, LOWER,
aes128.encrypt(p2.get(), ctr=ctr2.get()));
set resp.http.p128-2 = blobcode.encode(HEXLC,
set resp.http.p128-2 = blob.encode(HEX, LOWER,
aes128.decrypt(c128_2.get(), ctr=ctr2.get()));
set resp.http.c128-3 = blobcode.encode(HEXLC,
set resp.http.c128-3 = blob.encode(HEX, LOWER,
aes128.encrypt(p3.get(), ctr=ctr3.get()));
set resp.http.p128-3 = blobcode.encode(HEXLC,
set resp.http.p128-3 = blob.encode(HEX, LOWER,
aes128.decrypt(c128_3.get(), ctr=ctr3.get()));
set resp.http.c128-4 = blobcode.encode(HEXLC,
set resp.http.c128-4 = blob.encode(HEX, LOWER,
aes128.encrypt(p4.get(), ctr=ctr4.get()));
set resp.http.p128-4 = blobcode.encode(HEXLC,
set resp.http.p128-4 = blob.encode(HEX, LOWER,
aes128.decrypt(c128_4.get(), ctr=ctr4.get()));
set resp.http.c128 = blobcode.encode(HEXLC,
set resp.http.c128 = blob.encode(HEX, LOWER,
aes128.encrypt(p.get(), ctr=ctr1.get()));
set resp.http.p128 = blobcode.encode(HEXLC,
set resp.http.p128 = blob.encode(HEX, LOWER,
aes128.decrypt(c128.get(), ctr=ctr1.get()));
set resp.http.c192-1 = blobcode.encode(HEXLC,
set resp.http.c192-1 = blob.encode(HEX, LOWER,
aes192.encrypt(p1.get(), ctr=ctr1.get()));
set resp.http.p192-1 = blobcode.encode(HEXLC,
set resp.http.p192-1 = blob.encode(HEX, LOWER,
aes192.decrypt(c192_1.get(), ctr=ctr1.get()));
set resp.http.c192-2 = blobcode.encode(HEXLC,
set resp.http.c192-2 = blob.encode(HEX, LOWER,
aes192.encrypt(p2.get(), ctr=ctr2.get()));
set resp.http.p192-2 = blobcode.encode(HEXLC,
set resp.http.p192-2 = blob.encode(HEX, LOWER,
aes192.decrypt(c192_2.get(), ctr=ctr2.get()));
set resp.http.c192-3 = blobcode.encode(HEXLC,
set resp.http.c192-3 = blob.encode(HEX, LOWER,
aes192.encrypt(p3.get(), ctr=ctr3.get()));
set resp.http.p192-3 = blobcode.encode(HEXLC,
set resp.http.p192-3 = blob.encode(HEX, LOWER,
aes192.decrypt(c192_3.get(), ctr=ctr3.get()));
set resp.http.c192-4 = blobcode.encode(HEXLC,
set resp.http.c192-4 = blob.encode(HEX, LOWER,
aes192.encrypt(p4.get(), ctr=ctr4.get()));
set resp.http.p192-4 = blobcode.encode(HEXLC,
set resp.http.p192-4 = blob.encode(HEX, LOWER,
aes192.decrypt(c192_4.get(), ctr=ctr4.get()));
set resp.http.c192 = blobcode.encode(HEXLC,
set resp.http.c192 = blob.encode(HEX, LOWER,
aes192.encrypt(p.get(), ctr=ctr1.get()));
set resp.http.p192 = blobcode.encode(HEXLC,
set resp.http.p192 = blob.encode(HEX, LOWER,
aes192.decrypt(c192.get(), ctr=ctr1.get()));
set resp.http.c256-1 = blobcode.encode(HEXLC,
set resp.http.c256-1 = blob.encode(HEX, LOWER,
aes256.encrypt(p1.get(), ctr=ctr1.get()));
set resp.http.p256-1 = blobcode.encode(HEXLC,
set resp.http.p256-1 = blob.encode(HEX, LOWER,
aes256.decrypt(c256_1.get(), ctr=ctr1.get()));
set resp.http.c256-2 = blobcode.encode(HEXLC,
set resp.http.c256-2 = blob.encode(HEX, LOWER,
aes256.encrypt(p2.get(), ctr=ctr2.get()));
set resp.http.p256-2 = blobcode.encode(HEXLC,
set resp.http.p256-2 = blob.encode(HEX, LOWER,
aes256.decrypt(c256_2.get(), ctr=ctr2.get()));
set resp.http.c256-3 = blobcode.encode(HEXLC,
set resp.http.c256-3 = blob.encode(HEX, LOWER,
aes256.encrypt(p3.get(), ctr=ctr3.get()));
set resp.http.p256-3 = blobcode.encode(HEXLC,
set resp.http.p256-3 = blob.encode(HEX, LOWER,
aes256.decrypt(c256_3.get(), ctr=ctr3.get()));
set resp.http.c256-4 = blobcode.encode(HEXLC,
set resp.http.c256-4 = blob.encode(HEX, LOWER,
aes256.encrypt(p4.get(), ctr=ctr4.get()));
set resp.http.p256-4 = blobcode.encode(HEXLC,
set resp.http.p256-4 = blob.encode(HEX, LOWER,
aes256.decrypt(c256_4.get(), ctr=ctr4.get()));
set resp.http.c256 = blobcode.encode(HEXLC,
set resp.http.c256 = blob.encode(HEX, LOWER,
aes256.encrypt(p.get(), ctr=ctr1.get()));
set resp.http.p256 = blobcode.encode(HEXLC,
set resp.http.p256 = blob.encode(HEX, LOWER,
aes256.decrypt(c256.get(), ctr=ctr1.get()));
return(deliver);
......@@ -569,126 +569,126 @@ client c1 {
# from Google cryptogwt CipherTestVectors.java, test AES/CBC/PKCS7
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new p6 = blobcode.blob(HEX, "f6cee5ff28fd");
new k6 = blobcode.blob(HEX, "ac5800ac3cb59c7c14f36019e43b44fe");
new i6 = blobcode.blob(HEX, "f013ce1ec901b5b60a85a986b3b72eba");
new c6 = blobcode.blob(HEX, "e8a846fd9718507371604504d4ca1ac7");
new p6 = blob.blob(HEX, "f6cee5ff28fd");
new k6 = blob.blob(HEX, "ac5800ac3cb59c7c14f36019e43b44fe");
new i6 = blob.blob(HEX, "f013ce1ec901b5b60a85a986b3b72eba");
new c6 = blob.blob(HEX, "e8a846fd9718507371604504d4ca1ac7");
new aes6 = gcrypt.symmetric(AES, CBC, PKCS7, key=k6.get());
new p7 = blobcode.blob(HEX, "76cdfdf52a9753");
new k7 = blobcode.blob(HEX, "24c4328aeffc0ca354a3215a3da23a38");
new i7 = blobcode.blob(HEX, "c43c6269bb8c1dbba3bc22b7ba7e24b1");
new c7 = blobcode.blob(HEX, "009e935f3fe4d57b57fc3127a8873d8c");
new p7 = blob.blob(HEX, "76cdfdf52a9753");
new k7 = blob.blob(HEX, "24c4328aeffc0ca354a3215a3da23a38");
new i7 = blob.blob(HEX, "c43c6269bb8c1dbba3bc22b7ba7e24b1");
new c7 = blob.blob(HEX, "009e935f3fe4d57b57fc3127a8873d8c");
new aes7 = gcrypt.symmetric(AES, CBC, PKCS7, key=k7.get());
new p8 = blobcode.blob(HEX, "b103c928531d8875");
new k8 = blobcode.blob(HEX, "4035227440a779dbd1ed75c6ae78cef5");
new i8 = blobcode.blob(HEX, "8faff161a5ec06e051066a571d1729d9");
new c8 = blobcode.blob(HEX, "b3d8df2c3147b0752a7e6bbbcc9d5758");
new p8 = blob.blob(HEX, "b103c928531d8875");
new k8 = blob.blob(HEX, "4035227440a779dbd1ed75c6ae78cef5");
new i8 = blob.blob(HEX, "8faff161a5ec06e051066a571d1729d9");
new c8 = blob.blob(HEX, "b3d8df2c3147b0752a7e6bbbcc9d5758");
new aes8 = gcrypt.symmetric(AES, CBC, PKCS7, key=k8.get());
new p9 = blobcode.blob(HEX, "590b10224087872724");
new k9 = blobcode.blob(HEX, "507008732ea559915e5e45d9710e3ed2");
new i9 = blobcode.blob(HEX, "342b22c1cbf1c92b8e63a38de99ffb09");
new c9 = blobcode.blob(HEX, "c11a034ed324aeae9cd5857ae4cd776f");
new p9 = blob.blob(HEX, "590b10224087872724");
new k9 = blob.blob(HEX, "507008732ea559915e5e45d9710e3ed2");
new i9 = blob.blob(HEX, "342b22c1cbf1c92b8e63a38de99ffb09");
new c9 = blob.blob(HEX, "c11a034ed324aeae9cd5857ae4cd776f");
new aes9 = gcrypt.symmetric(AES, CBC, PKCS7, key=k9.get());
new p10 = blobcode.blob(HEX, "ccecfa22708b6d06439c");
new p10 = blob.blob(HEX, "ccecfa22708b6d06439c");
new k10 =
blobcode.blob(HEX, "a060441b1b7cc2af405be4f6f5c58e22");
blob.blob(HEX, "a060441b1b7cc2af405be4f6f5c58e22");
new i10 =
blobcode.blob(HEX, "429d3240207e77e9b9dade05426fe3cb");
blob.blob(HEX, "429d3240207e77e9b9dade05426fe3cb");
new c10 =
blobcode.blob(HEX, "b61ff0a956b420347daa25bb76964b51");
blob.blob(HEX, "b61ff0a956b420347daa25bb76964b51");
new aes10 = gcrypt.symmetric(AES, CBC, PKCS7, key=k10.get());
new p11 = blobcode.blob(HEX, "8ff539940bae985f2f88f3");
new p11 = blob.blob(HEX, "8ff539940bae985f2f88f3");
new k11 =
blobcode.blob(HEX, "721888e260b8925fe51183b88d65fb17");
blob.blob(HEX, "721888e260b8925fe51183b88d65fb17");
new i11 =
blobcode.blob(HEX, "5308c58068cbc05a5461a43bf744b61e");
blob.blob(HEX, "5308c58068cbc05a5461a43bf744b61e");
new c11 =
blobcode.blob(HEX, "3ee8bdb21b00e0103ccbf9afb9b5bd9a");
blob.blob(HEX, "3ee8bdb21b00e0103ccbf9afb9b5bd9a");
new aes11 = gcrypt.symmetric(AES, CBC, PKCS7, key=k11.get());
new p12 = blobcode.blob(HEX, "4c84974b5b2109d5bc90e1f0");
new p12 = blob.blob(HEX, "4c84974b5b2109d5bc90e1f0");
new k12 =
blobcode.blob(HEX, "80ba985c93763f99ff4be6cdee6ab977");
blob.blob(HEX, "80ba985c93763f99ff4be6cdee6ab977");
new i12 =
blobcode.blob(HEX, "ca8e99719be2e842e81bf15c606bb916");
blob.blob(HEX, "ca8e99719be2e842e81bf15c606bb916");
new c12 =
blobcode.blob(HEX, "3e087f92a998ad531e0ff8e996098382");
blob.blob(HEX, "3e087f92a998ad531e0ff8e996098382");
new aes12 = gcrypt.symmetric(AES, CBC, PKCS7, key=k12.get());
new p13 = blobcode.blob(HEX, "13eb26baf2b688574cadac6dba");
new p13 = blob.blob(HEX, "13eb26baf2b688574cadac6dba");
new k13 =
blobcode.blob(HEX, "1fe107d14dd8b152580f3dea8591fc3b");
blob.blob(HEX, "1fe107d14dd8b152580f3dea8591fc3b");
new i13 =
blobcode.blob(HEX, "7b6070a896d41d227cc0cebbd92d797e");
blob.blob(HEX, "7b6070a896d41d227cc0cebbd92d797e");
new c13 =
blobcode.blob(HEX, "a4bfd6586344bcdef94f09d871ca8a16");
blob.blob(HEX, "a4bfd6586344bcdef94f09d871ca8a16");
new aes13 = gcrypt.symmetric(AES, CBC, PKCS7, key=k13.get());
new p14 = blobcode.blob(HEX, "5fcb46a197ddf80a40f94dc21531");
new p14 = blob.blob(HEX, "5fcb46a197ddf80a40f94dc21531");
new k14 =
blobcode.blob(HEX, "4d3dae5d9e19950f278b0dd4314e3768");
blob.blob(HEX, "4d3dae5d9e19950f278b0dd4314e3768");
new i14 =
blobcode.blob(HEX, "80190b58666f15dbaf892cf0bceb2a50");
blob.blob(HEX, "80190b58666f15dbaf892cf0bceb2a50");
new c14 =
blobcode.blob(HEX, "2b166eae7a2edfea7a482e5f7377069e");
blob.blob(HEX, "2b166eae7a2edfea7a482e5f7377069e");
new aes14 = gcrypt.symmetric(AES, CBC, PKCS7, key=k14.get());
new p15 = blobcode.blob(HEX, "6842455a2992c2e5193056a5524075");
new p15 = blob.blob(HEX, "6842455a2992c2e5193056a5524075");
new k15 =
blobcode.blob(HEX, "0784fa652e733cb699f250b0df2c4b41");
blob.blob(HEX, "0784fa652e733cb699f250b0df2c4b41");
new i15 =
blobcode.blob(HEX, "106519760fb3ef97e1ccea073b27122d");
blob.blob(HEX, "106519760fb3ef97e1ccea073b27122d");
new c15 =
blobcode.blob(HEX, "56a8e0c3ee3315f913693c0ca781e917");
blob.blob(HEX, "56a8e0c3ee3315f913693c0ca781e917");
new aes15 = gcrypt.symmetric(AES, CBC, PKCS7, key=k15.get());
new p16 =
blobcode.blob(HEX, "c9a44f6f75e98ddbca7332167f5c45e3");
blob.blob(HEX, "c9a44f6f75e98ddbca7332167f5c45e3");
new k16 =
blobcode.blob(HEX, "04952c3fcf497a4d449c41e8730c5d9a");
blob.blob(HEX, "04952c3fcf497a4d449c41e8730c5d9a");
new i16 =
blobcode.blob(HEX, "53549bf7d5553b727458c1abaf0ba167");
new c16 = blobcode.blob(HEX,
blob.blob(HEX, "53549bf7d5553b727458c1abaf0ba167");
new c16 = blob.blob(HEX,
"7fa290322ca7a1a04b61a1147ff20fe66fde58510a1d0289d11c0ddf6f4decfd");
new aes16 = gcrypt.symmetric(AES, CBC, PKCS7, key=k16.get());
new p32 = blobcode.blob(HEX,
new p32 = blob.blob(HEX,
"1ba93ee6f83752df47909585b3f28e56693f89e169d3093eee85175ea3a46cd3");
new k32 =
blobcode.blob(HEX, "2ae7081caebe54909820620a44a60a0f");
blob.blob(HEX, "2ae7081caebe54909820620a44a60a0f");
new i32 =
blobcode.blob(HEX, "fc5e783fbe7be12f58b1f025d82ada50");
new c32 = blobcode.blob(HEX,
blob.blob(HEX, "fc5e783fbe7be12f58b1f025d82ada50");
new c32 = blob.blob(HEX,
"7944957a99e473e2c07eb496a83ec4e55db2fb44ebdd42bb611e0def29b23a73ac37eb0f4f5d86f090f3ddce3980425a");
new aes32 = gcrypt.symmetric(AES, CBC, PKCS7, key=k32.get());
new p33 = blobcode.blob(HEX,
new p33 = blob.blob(HEX,
"0397f4f6820b1f9386f14403be5ac16e50213bd473b4874b9bcbf5f318ee686b1d");
new k33 =
blobcode.blob(HEX, "898be9cc5004ed0fa6e117c9a3099d31");
blob.blob(HEX, "898be9cc5004ed0fa6e117c9a3099d31");
new i33 =
blobcode.blob(HEX, "9dea7621945988f96491083849b068df");
new c33 = blobcode.blob(HEX,
blob.blob(HEX, "9dea7621945988f96491083849b068df");
new c33 = blob.blob(HEX,
"e232cd6ef50047801ee681ec30f61d53cfd6b0bca02fd03c1b234baa10ea82ac9dab8b960926433a19ce6dea08677e34");
new aes33 = gcrypt.symmetric(AES, CBC, PKCS7, key=k33.get());
# The string is: {"encrypt" : "foo"}
new p_j = blobcode.blob(encoded="{"+{""encrypt" : "foo""}+"}");
new p_j = blob.blob(encoded="{"+{""encrypt" : "foo""}+"}");
new k_j =
blobcode.blob(HEX, "dc28c4a23ec612dc63a23d32a5ecdaab");
blob.blob(HEX, "dc28c4a23ec612dc63a23d32a5ecdaab");
new i_j =
blobcode.blob(HEX, "00000000000000000000000000000000");
new c_j = blobcode.blob(HEX,
blob.blob(HEX, "00000000000000000000000000000000");
new c_j = blob.blob(HEX,
"c58c18a02297685e11148e51cbde72e644262e6bc875a3270f207f9e3936c1dd");
new aes_j = gcrypt.symmetric(AES, CBC, PKCS7, key=k_j.get());
}
......@@ -699,60 +699,60 @@ varnish v1 -vcl {
sub vcl_synth {
set resp.http.c6 =
blobcode.encode(HEXLC, aes6.encrypt(p6.get(), iv=i6.get()));
blob.encode(HEX, LOWER, aes6.encrypt(p6.get(), iv=i6.get()));
set resp.http.p6 =
blobcode.encode(HEXLC, aes6.decrypt(c6.get(), iv=i6.get()));
blob.encode(HEX, LOWER, aes6.decrypt(c6.get(), iv=i6.get()));
set resp.http.c7 =
blobcode.encode(HEXLC, aes7.encrypt(p7.get(), iv=i7.get()));
blob.encode(HEX, LOWER, aes7.encrypt(p7.get(), iv=i7.get()));
set resp.http.p7 =
blobcode.encode(HEXLC, aes7.decrypt(c7.get(), iv=i7.get()));
blob.encode(HEX, LOWER, aes7.decrypt(c7.get(), iv=i7.get()));
set resp.http.c8 =
blobcode.encode(HEXLC, aes8.encrypt(p8.get(), iv=i8.get()));
blob.encode(HEX, LOWER, aes8.encrypt(p8.get(), iv=i8.get()));
set resp.http.p8 =
blobcode.encode(HEXLC, aes8.decrypt(c8.get(), iv=i8.get()));
blob.encode(HEX, LOWER, aes8.decrypt(c8.get(), iv=i8.get()));
set resp.http.c9 =
blobcode.encode(HEXLC, aes9.encrypt(p9.get(), iv=i9.get()));
blob.encode(HEX, LOWER, aes9.encrypt(p9.get(), iv=i9.get()));
set resp.http.p9 =
blobcode.encode(HEXLC, aes9.decrypt(c9.get(), iv=i9.get()));
set resp.http.c10 = blobcode.encode(HEXLC,
blob.encode(HEX, LOWER, aes9.decrypt(c9.get(), iv=i9.get()));
set resp.http.c10 = blob.encode(HEX, LOWER,
aes10.encrypt(p10.get(), iv=i10.get()));
set resp.http.p10 = blobcode.encode(HEXLC,
set resp.http.p10 = blob.encode(HEX, LOWER,
aes10.decrypt(c10.get(), iv=i10.get()));
set resp.http.c11 = blobcode.encode(HEXLC,
set resp.http.c11 = blob.encode(HEX, LOWER,
aes11.encrypt(p11.get(), iv=i11.get()));
set resp.http.p11 = blobcode.encode(HEXLC,
set resp.http.p11 = blob.encode(HEX, LOWER,
aes11.decrypt(c11.get(), iv=i11.get()));
set resp.http.c12 = blobcode.encode(HEXLC,
set resp.http.c12 = blob.encode(HEX, LOWER,
aes12.encrypt(p12.get(), iv=i12.get()));
set resp.http.p12 = blobcode.encode(HEXLC,
set resp.http.p12 = blob.encode(HEX, LOWER,
aes12.decrypt(c12.get(), iv=i12.get()));
set resp.http.c13 = blobcode.encode(HEXLC,
set resp.http.c13 = blob.encode(HEX, LOWER,
aes13.encrypt(p13.get(), iv=i13.get()));
set resp.http.p13 = blobcode.encode(HEXLC,
set resp.http.p13 = blob.encode(HEX, LOWER,
aes13.decrypt(c13.get(), iv=i13.get()));
set resp.http.c14 = blobcode.encode(HEXLC,
set resp.http.c14 = blob.encode(HEX, LOWER,
aes14.encrypt(p14.get(), iv=i14.get()));
set resp.http.p14 = blobcode.encode(HEXLC,
set resp.http.p14 = blob.encode(HEX, LOWER,
aes14.decrypt(c14.get(), iv=i14.get()));
set resp.http.c15 = blobcode.encode(HEXLC,
set resp.http.c15 = blob.encode(HEX, LOWER,
aes15.encrypt(p15.get(), iv=i15.get()));
set resp.http.p15 = blobcode.encode(HEXLC,
set resp.http.p15 = blob.encode(HEX, LOWER,
aes15.decrypt(c15.get(), iv=i15.get()));
set resp.http.c16 = blobcode.encode(HEXLC,
set resp.http.c16 = blob.encode(HEX, LOWER,
aes16.encrypt(p16.get(), iv=i16.get()));
set resp.http.p16 = blobcode.encode(HEXLC,
set resp.http.p16 = blob.encode(HEX, LOWER,
aes16.decrypt(c16.get(), iv=i16.get()));
set resp.http.c32 = blobcode.encode(HEXLC,
set resp.http.c32 = blob.encode(HEX, LOWER,
aes32.encrypt(p32.get(), iv=i32.get()));
set resp.http.p32 = blobcode.encode(HEXLC,
set resp.http.p32 = blob.encode(HEX, LOWER,
aes32.decrypt(c32.get(), iv=i32.get()));
set resp.http.c33 = blobcode.encode(HEXLC,
set resp.http.c33 = blob.encode(HEX, LOWER,
aes33.encrypt(p33.get(), iv=i33.get()));
set resp.http.p33 = blobcode.encode(HEXLC,
set resp.http.p33 = blob.encode(HEX, LOWER,
aes33.decrypt(c33.get(), iv=i33.get()));
set resp.http.c_j = blobcode.encode(HEXLC,
set resp.http.c_j = blob.encode(HEX, LOWER,
aes_j.encrypt(p_j.get(), iv=i_j.get()));
set resp.http.p_j = blobcode.encode(IDENTITY,
set resp.http.p_j = blob.encode(IDENTITY, DEFAULT,
aes_j.decrypt(c_j.get(), iv=i_j.get()));
return(deliver);
}
......@@ -794,15 +794,15 @@ client c1 {
# Use random() to create an IV and a counter.
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k1 = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new k1 = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new ctr = gcrypt.symmetric(AES, CTR, key=k1.get());
new cbc = gcrypt.symmetric(AES, CBC, key=k1.get(), cbc_cts=true);
new p1 = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new p1 = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
}
sub vcl_recv {
......@@ -811,25 +811,25 @@ varnish v1 -vcl {
sub vcl_synth {
set resp.http.ctr-ciphertext
= blobcode.encode(HEXLC,
= blob.encode(HEX, LOWER,
ctr.encrypt(p1.get(),
ctr=gcrypt.random(NONCE, 16B)));
set resp.http.ctr-ctr
= blobcode.encode(HEXLC, gcrypt.random());
= blob.encode(HEX, LOWER, gcrypt.random());
set resp.http.ctr-plaintext
= blobcode.encode(HEXLC,
ctr.decrypt(blobcode.decode(HEX, resp.http.ctr-ciphertext),
ctr=blobcode.decode(HEX, resp.http.ctr-ctr)));
= blob.encode(HEX, LOWER,
ctr.decrypt(blob.decode(HEX, encoded=resp.http.ctr-ciphertext),
ctr=blob.decode(HEX, encoded=resp.http.ctr-ctr)));
set resp.http.cbc-ciphertext
= blobcode.encode(HEXLC,
= blob.encode(HEX, LOWER,
cbc.encrypt(p1.get(),
iv=gcrypt.random(STRONG, 16B)));
set resp.http.cbc-iv
= blobcode.encode(HEXLC, gcrypt.random());
= blob.encode(HEX, LOWER, gcrypt.random());
set resp.http.cbc-plaintext
= blobcode.encode(HEXLC,
cbc.decrypt(blobcode.decode(HEX, resp.http.cbc-ciphertext),
iv=blobcode.decode(HEX, resp.http.cbc-iv)));
= blob.encode(HEX, LOWER,
cbc.decrypt(blob.decode(HEX, encoded=resp.http.cbc-ciphertext),
iv=blob.decode(HEX, encoded=resp.http.cbc-iv)));
return(deliver);
}
}
......@@ -848,16 +848,16 @@ client c1 {
# Repeat the previous test using secure memory
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k1 = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new k1 = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new ctr = gcrypt.symmetric(AES, CTR, key=k1.get(), secure=true);
new cbc = gcrypt.symmetric(AES, CBC, key=k1.get(),
cbc_cts=true, secure=true);
new p1 = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new p1 = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
}
sub vcl_recv {
......@@ -866,25 +866,25 @@ varnish v1 -vcl {
sub vcl_synth {
set resp.http.ctr-ciphertext
= blobcode.encode(HEXLC,
= blob.encode(HEX, LOWER,
ctr.encrypt(p1.get(),
ctr=gcrypt.random(NONCE, 16B)));
set resp.http.ctr-ctr
= blobcode.encode(HEXLC, gcrypt.random());
= blob.encode(HEX, LOWER, gcrypt.random());
set resp.http.ctr-plaintext
= blobcode.encode(HEXLC,
ctr.decrypt(blobcode.decode(HEX, resp.http.ctr-ciphertext),
ctr=blobcode.decode(HEX, resp.http.ctr-ctr)));
= blob.encode(HEX, LOWER,
ctr.decrypt(blob.decode(HEX, encoded=resp.http.ctr-ciphertext),
ctr=blob.decode(HEX, encoded=resp.http.ctr-ctr)));
set resp.http.cbc-ciphertext
= blobcode.encode(HEXLC,
= blob.encode(HEX, LOWER,
cbc.encrypt(p1.get(),
iv=gcrypt.random(STRONG, 16B)));
set resp.http.cbc-iv
= blobcode.encode(HEXLC, gcrypt.random());
= blob.encode(HEX, LOWER, gcrypt.random());
set resp.http.cbc-plaintext
= blobcode.encode(HEXLC,
cbc.decrypt(blobcode.decode(HEX, resp.http.cbc-ciphertext),
iv=blobcode.decode(HEX, resp.http.cbc-iv)));
= blob.encode(HEX, LOWER,
cbc.decrypt(blob.decode(HEX, encoded=resp.http.cbc-ciphertext),
iv=blob.decode(HEX, encoded=resp.http.cbc-iv)));
return(deliver);
}
}
......
src/tests/aes_fail.vtc
View file @ 808a8eee
......@@ -14,53 +14,53 @@ varnish v1 -vcl {
# NULL key is illegal
varnish v1 -errvcl {vmod gcrypt error: key is NULL in aes constructor} {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k = blobcode.blob(encoded="");
new k = blob.blob(encoded="");
new aes = gcrypt.symmetric(AES, ECB, key=k.get());
}
}
# Key too short
varnish v1 -errvcl {vmod gcrypt error: Cannot set key in aes constructor} {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k = blobcode.blob(HEX, "0");
new k = blob.blob(HEX, "0");
new aes = gcrypt.symmetric(AES, ECB, key=k.get());
}
}
# Key too long
varnish v1 -errvcl {vmod gcrypt error: Key length 17 is longer than the maximum supported length 16 for AES cipher in aes constructor} {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k = blobcode.blob(HEX,
new k = blob.blob(HEX,
"000102030405060708090a0b0c0d0e0f10");
new aes = gcrypt.symmetric(AES, ECB, key=k.get());
}
}
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new k = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new cbc = gcrypt.symmetric(AES, CBC, NONE, key=k.get());
new ctr = gcrypt.symmetric(AES, CTR, key=k.get());
new null = blobcode.blob(encoded="");
new short = blobcode.blob(encoded="Too short");
new long = blobcode.blob(HEX,
new null = blob.blob(encoded="");
new short = blob.blob(encoded="Too short");
new long = blob.blob(HEX,
"000102030405060708090a0b0c0d0e0f10");
}
......@@ -73,84 +73,84 @@ varnish v1 -vcl {
# NULL plaintext is illegal
set resp.http.plain-null
= blobcode.encode(HEXUC, cbc.encrypt(null.get()));
= blob.encode(HEX, UPPER, cbc.encrypt(null.get()));
# NULL IV is illegal when required
set resp.http.enc-iv-null
= blobcode.encode(HEXUC, cbc.encrypt(k.get()));
= blob.encode(HEX, UPPER, cbc.encrypt(k.get()));
# IV shorter than the block length is not an error, but
# invokes a libgcrypt log warning
set resp.http.enc-iv-short
= blobcode.encode(HEXUC, cbc.encrypt(k.get(), short.get()));
= blob.encode(HEX, UPPER, cbc.encrypt(k.get(), short.get()));
# IV longer than the block length is not an error, but
# invokes a libgcrypt log warning
set resp.http.enc-iv-long
= blobcode.encode(HEXUC, cbc.encrypt(k.get(), long.get()));
= blob.encode(HEX, UPPER, cbc.encrypt(k.get(), long.get()));
# When no padding is specified, the length of the plaintext
# must be an exact multiple of the block length.
set resp.http.enc-plain-short
= blobcode.encode(HEXUC, cbc.encrypt(short.get(), k.get()));
= blob.encode(HEX, UPPER, cbc.encrypt(short.get(), k.get()));
set resp.http.enc-plain-long
= blobcode.encode(HEXUC, cbc.encrypt(long.get(), k.get()));
= blob.encode(HEX, UPPER, cbc.encrypt(long.get(), k.get()));
# NULL CTR is illegal when required
set resp.http.enc-ctr-null
= blobcode.encode(HEXUC, ctr.encrypt(k.get()));
= blob.encode(HEX, UPPER, ctr.encrypt(k.get()));
# CTR shorter than the block length is illegal
set resp.http.enc-ctr-short
= blobcode.encode(HEXUC, ctr.encrypt(k.get(),
= blob.encode(HEX, UPPER, ctr.encrypt(k.get(),
ctr=short.get()));
# CTR longer than the block length is illegal
set resp.http.enc-ctr-long
= blobcode.encode(HEXUC, ctr.encrypt(k.get(),
= blob.encode(HEX, UPPER, ctr.encrypt(k.get(),
ctr=long.get()));
# Errors in .decrypt()
# NULL ciphertext is illegal
set resp.http.cipher-null
= blobcode.encode(HEXUC, cbc.decrypt(null.get()));
= blob.encode(HEX, UPPER, cbc.decrypt(null.get()));
# NULL IV is illegal when required
set resp.http.dec-iv-null
= blobcode.encode(HEXUC, cbc.decrypt(k.get()));
= blob.encode(HEX, UPPER, cbc.decrypt(k.get()));
# IV shorter than the block length is not an error, but
# invokes a libgcrypt log warning
set resp.http.dec-iv-short
= blobcode.encode(HEXUC, cbc.decrypt(k.get(), short.get()));
= blob.encode(HEX, UPPER, cbc.decrypt(k.get(), short.get()));
# IV longer than the block length is not an error, but
# invokes a libgcrypt log warning
set resp.http.dec-iv-long
= blobcode.encode(HEXUC, cbc.decrypt(k.get(), long.get()));
= blob.encode(HEX, UPPER, cbc.decrypt(k.get(), long.get()));
# When no padding is specified, the length of the ciphertext
# must be an exact multiple of the block length.
set resp.http.dec-cipher-short
= blobcode.encode(HEXUC, cbc.decrypt(short.get(), k.get()));
= blob.encode(HEX, UPPER, cbc.decrypt(short.get(), k.get()));
set resp.http.dec-cipher-long
= blobcode.encode(HEXUC, cbc.decrypt(long.get(), k.get()));
= blob.encode(HEX, UPPER, cbc.decrypt(long.get(), k.get()));
# NULL CTR is illegal when required
set resp.http.dec-ctr-null
= blobcode.encode(HEXUC, ctr.decrypt(k.get()));
= blob.encode(HEX, UPPER, ctr.decrypt(k.get()));
# CTR shorter than the block length is illegal
set resp.http.dec-ctr-short
= blobcode.encode(HEXUC, ctr.decrypt(k.get(),
= blob.encode(HEX, UPPER, ctr.decrypt(k.get(),
ctr=short.get()));
# CTR longer than the block length is illegal
set resp.http.dec-ctr-long
= blobcode.encode(HEXUC, ctr.decrypt(k.get(),
= blob.encode(HEX, UPPER, ctr.decrypt(k.get(),
ctr=long.get()));
return(deliver);
......
src/tests/disable_secmem.vtc
View file @ 808a8eee
......@@ -5,24 +5,24 @@ varnishtest "disable secmem in the init function"
# DISABLE_SECMEM
varnish v1 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
gcrypt.init(DISABLE_SECMEM);
gcrypt.init(FINISH);
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=false);
}
} -start
varnish v1 -errvcl {vmod gcrypt error: secure memory not enabled in aes constructor} {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
}
}
......@@ -32,25 +32,25 @@ varnish v1 -errvcl {vmod gcrypt error: secure memory not enabled in aes construc
varnish v1 -stop
varnish v2 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
gcrypt.init(INIT_SECMEM);
gcrypt.init(DISABLE_SECMEM);
gcrypt.init(FINISH);
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=false);
}
} -start
varnish v2 -errvcl {vmod gcrypt error: secure memory not enabled in aes constructor} {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
}
}
......@@ -58,25 +58,25 @@ varnish v2 -errvcl {vmod gcrypt error: secure memory not enabled in aes construc
varnish v2 -stop
varnish v3 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
gcrypt.init(INIT_SECMEM);
gcrypt.init(INIT_SECMEM, 0B);
gcrypt.init(FINISH);
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=false);
}
} -start
varnish v3 -errvcl {vmod gcrypt error: secure memory not enabled in aes constructor} {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
}
}
......@@ -84,14 +84,14 @@ varnish v3 -errvcl {vmod gcrypt error: secure memory not enabled in aes construc
varnish v3 -stop
varnish v4 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
gcrypt.init(DISABLE_SECMEM);
gcrypt.init(INIT_SECMEM);
gcrypt.init(FINISH);
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
}
} -start
src/tests/fileread.vtc
View file @ 808a8eee
......@@ -19,7 +19,7 @@ varnish v1 -errvcl {vmod gcrypt error: libgcrypt initialization not finished in
}
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
......@@ -32,13 +32,13 @@ varnish v1 -vcl {
}
sub vcl_synth {
set resp.http.f1 = blobcode.encode(IDENTITY,
set resp.http.f1 = blob.encode(IDENTITY, DEFAULT,
gcrypt.fileread("${tmpdir}/f.txt"));
set resp.http.f2 = blobcode.encode(IDENTITY,
set resp.http.f2 = blob.encode(IDENTITY, DEFAULT,
gcrypt.fileread("${tmpdir}/f.txt"));
set resp.http.n = blobcode.encode(IDENTITY,
set resp.http.n = blob.encode(IDENTITY, DEFAULT,
gcrypt.fileread("${tmpdir}/nonexistent.txt"));
set resp.http.fifo = blobcode.encode(IDENTITY,
set resp.http.fifo = blob.encode(IDENTITY, DEFAULT,
gcrypt.fileread("${tmpdir}/fifo.txt"));
return(deliver);
......
src/tests/init_secmem.vtc
View file @ 808a8eee
......@@ -48,11 +48,11 @@ varnish v3 -vcl {
varnish v3 -errvcl {vmod gcrypt error: secure memory not enabled in aes constructor} {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
}
}
......@@ -61,12 +61,12 @@ varnish v3 -errvcl {vmod gcrypt error: secure memory not enabled in aes construc
varnish v3 -stop
varnish v4 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
gcrypt.init(FINISH);
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
}
} -start
src/tests/init_usage.vtc
View file @ 808a8eee
......@@ -80,23 +80,23 @@ varnish v1 -stop
varnish v2 -vcl {backend b { .host = "${bad_ip}"; } } -start
varnish v2 -errvcl {libgcrypt initialization not finished in aes constructor} {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get());
}
}
varnish v2 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
gcrypt.init(FINISH);
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get());
}
}
......@@ -105,11 +105,11 @@ varnish v2 -vcl {
# object instances without having to call init(FINISH) again.
varnish v2 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k = blobcode.blob(HEX, "00000000000000000000000000000000");
new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get());
}
}
src/tests/padding.vtc
View file @ 808a8eee
......@@ -14,18 +14,18 @@ varnish v1 -vcl {
# Test padding -- encrypt with padding, decrypt with no padding, and
# verify that the result has padding bytes as expected.
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k1 = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new k1 = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new none = gcrypt.symmetric(AES, ECB, NONE, key=k1.get());
new pkcs7 = gcrypt.symmetric(AES, ECB, PKCS7, key=k1.get());
new iso7816 = gcrypt.symmetric(AES, ECB, ISO7816, key=k1.get());
new x923 = gcrypt.symmetric(AES, ECB, X923, key=k1.get());
new foo = blobcode.blob(encoded="foo");
new foo = blob.blob(encoded="foo");
}
sub vcl_recv {
......@@ -34,39 +34,39 @@ varnish v1 -vcl {
sub vcl_synth {
set resp.http.foo-pkcs7-cipher
= blobcode.encode(BASE64, pkcs7.encrypt(foo.get()));
= blob.encode(BASE64, DEFAULT, pkcs7.encrypt(foo.get()));
set resp.http.foo-pkcs7-plain
= blobcode.encode(HEXUC, none.decrypt(
blobcode.decode(BASE64, resp.http.foo-pkcs7-cipher)));
= blob.encode(HEX, UPPER, none.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-pkcs7-cipher)));
set resp.http.foo-iso7816-cipher
= blobcode.encode(BASE64, iso7816.encrypt(foo.get()));
= blob.encode(BASE64, DEFAULT, iso7816.encrypt(foo.get()));
set resp.http.foo-iso7816-plain
= blobcode.encode(HEXUC, none.decrypt(
blobcode.decode(BASE64, resp.http.foo-iso7816-cipher)));
= blob.encode(HEX, UPPER, none.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-iso7816-cipher)));
set resp.http.foo-x923-cipher
= blobcode.encode(BASE64, x923.encrypt(foo.get()));
= blob.encode(BASE64, DEFAULT, x923.encrypt(foo.get()));
set resp.http.foo-x923-plain
= blobcode.encode(HEXUC, none.decrypt(
blobcode.decode(BASE64, resp.http.foo-x923-cipher)));
= blob.encode(HEX, UPPER, none.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-x923-cipher)));
set resp.http.empty-pkcs7-cipher
= blobcode.encode(BASE64,
pkcs7.encrypt(blobcode.decode(encoded="")));
= blob.encode(BASE64, DEFAULT,
pkcs7.encrypt(blob.decode(encoded="")));
set resp.http.empty-pkcs7-plain
= blobcode.encode(HEXUC, none.decrypt(
blobcode.decode(BASE64, resp.http.empty-pkcs7-cipher)));
= blob.encode(HEX, UPPER, none.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-pkcs7-cipher)));
set resp.http.empty-iso7816-cipher
= blobcode.encode(BASE64,
iso7816.encrypt(blobcode.decode(encoded="")));
= blob.encode(BASE64, DEFAULT,
iso7816.encrypt(blob.decode(encoded="")));
set resp.http.empty-iso7816-plain
= blobcode.encode(HEXUC, none.decrypt(
blobcode.decode(BASE64, resp.http.empty-iso7816-cipher)));
= blob.encode(HEX, UPPER, none.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-iso7816-cipher)));
set resp.http.empty-x923-cipher
= blobcode.encode(BASE64,
x923.encrypt(blobcode.decode(encoded="")));
= blob.encode(BASE64, DEFAULT,
x923.encrypt(blob.decode(encoded="")));
set resp.http.empty-x923-plain
= blobcode.encode(HEXUC, none.decrypt(
blobcode.decode(BASE64, resp.http.empty-x923-cipher)));
= blob.encode(HEX, UPPER, none.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-x923-cipher)));
return(deliver);
}
}
......@@ -94,30 +94,30 @@ client c1 {
# added. Then decrypt with padding, and verify that the result has
# padding removed.
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k1 = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new k1 = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new none = gcrypt.symmetric(AES, ECB, NONE, key=k1.get());
new pkcs7 = gcrypt.symmetric(AES, ECB, PKCS7, key=k1.get());
new iso7816 = gcrypt.symmetric(AES, ECB, ISO7816, key=k1.get());
new x923 = gcrypt.symmetric(AES, ECB, X923, key=k1.get());
new foo_pkcs7
= blobcode.blob(HEX, "666F6F0D0D0D0D0D0D0D0D0D0D0D0D0D");
= blob.blob(HEX, "666F6F0D0D0D0D0D0D0D0D0D0D0D0D0D");
new foo_iso7816
= blobcode.blob(HEX, "666F6F80000000000000000000000000");
= blob.blob(HEX, "666F6F80000000000000000000000000");
new foo_x923
= blobcode.blob(HEX, "666F6F0000000000000000000000000D");
= blob.blob(HEX, "666F6F0000000000000000000000000D");
new empty_pkcs7
= blobcode.blob(HEX, "10101010101010101010101010101010");
= blob.blob(HEX, "10101010101010101010101010101010");
new empty_iso7816
= blobcode.blob(HEX, "80000000000000000000000000000000");
= blob.blob(HEX, "80000000000000000000000000000000");
new empty_x923
= blobcode.blob(HEX, "00000000000000000000000000000010");
= blob.blob(HEX, "00000000000000000000000000000010");
}
sub vcl_recv {
......@@ -126,36 +126,36 @@ varnish v1 -vcl {
sub vcl_synth {
set resp.http.foo-pkcs7-cipher
= blobcode.encode(BASE64, none.encrypt(foo_pkcs7.get()));
= blob.encode(BASE64, DEFAULT, none.encrypt(foo_pkcs7.get()));
set resp.http.foo-pkcs7-plain
= blobcode.encode(blob=pkcs7.decrypt(
blobcode.decode(BASE64, resp.http.foo-pkcs7-cipher)));
= blob.encode(blob=pkcs7.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-pkcs7-cipher)));
set resp.http.foo-iso7816-cipher
= blobcode.encode(BASE64, none.encrypt(foo_iso7816.get()));
= blob.encode(BASE64, DEFAULT, none.encrypt(foo_iso7816.get()));
set resp.http.foo-iso7816-plain
= blobcode.encode(blob=iso7816.decrypt(
blobcode.decode(BASE64, resp.http.foo-iso7816-cipher)));
= blob.encode(blob=iso7816.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-iso7816-cipher)));
set resp.http.foo-x923-cipher
= blobcode.encode(BASE64, none.encrypt(foo_x923.get()));
= blob.encode(BASE64, DEFAULT, none.encrypt(foo_x923.get()));
set resp.http.foo-x923-plain
= blobcode.encode(blob=x923.decrypt(
blobcode.decode(BASE64, resp.http.foo-x923-cipher)));
= blob.encode(blob=x923.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-x923-cipher)));
set resp.http.empty-pkcs7-cipher
= blobcode.encode(BASE64, none.encrypt(empty_pkcs7.get()));
= blob.encode(BASE64, DEFAULT, none.encrypt(empty_pkcs7.get()));
set resp.http.empty-pkcs7-plain
= blobcode.encode(blob=pkcs7.decrypt(
blobcode.decode(BASE64, resp.http.empty-pkcs7-cipher)));
= blob.encode(blob=pkcs7.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-pkcs7-cipher)));
set resp.http.empty-iso7816-cipher
= blobcode.encode(BASE64, none.encrypt(empty_iso7816.get()));
= blob.encode(BASE64, DEFAULT, none.encrypt(empty_iso7816.get()));
set resp.http.empty-iso7816-plain
= blobcode.encode(blob=iso7816.decrypt(
blobcode.decode(BASE64, resp.http.empty-iso7816-cipher)));
= blob.encode(blob=iso7816.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-iso7816-cipher)));
set resp.http.empty-x923-cipher
= blobcode.encode(BASE64, none.encrypt(empty_x923.get()));
= blob.encode(BASE64, DEFAULT, none.encrypt(empty_x923.get()));
set resp.http.empty-x923-plain
= blobcode.encode(blob=x923.decrypt(
blobcode.decode(BASE64, resp.http.empty-x923-cipher)));
= blob.encode(blob=x923.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-x923-cipher)));
return(deliver);
}
}
......@@ -178,160 +178,3 @@ client c1 {
expect resp.http.empty-x923-plain == ""
} -run
# Padding errors
varnish v1 -vcl {
import blobcode;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k1 = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new none = gcrypt.symmetric(AES, ECB, NONE, key=k1.get());
new pkcs7 = gcrypt.symmetric(AES, ECB, PKCS7, key=k1.get());
new iso7816 = gcrypt.symmetric(AES, ECB, ISO7816, key=k1.get());
new x923 = gcrypt.symmetric(AES, ECB, X923, key=k1.get());
new foo_pkcs7_1
= blobcode.blob(HEX, "666F6F0E0D0D0D0D0D0D0D0D0D0D0D0D");
new foo_pkcs7_2
= blobcode.blob(HEX, "666F6F0D0D0D0D0D0D0D0D0D0D0D0D11");
new foo_iso7816_1
= blobcode.blob(HEX, "666F6F80000000000001000000000000");
new foo_iso7816_2
= blobcode.blob(HEX, "666F6F00000000000000000000000000");
new foo_x923_1
= blobcode.blob(HEX, "666F6F0000000001000000000000000D");
new foo_x923_2
= blobcode.blob(HEX, "666F6F00000000000000000000000011");
new empty_pkcs7_1
= blobcode.blob(HEX, "0F101010101010101010101010101010");
new empty_pkcs7_2
= blobcode.blob(HEX, "10101010101010101010101010101011");
new empty_iso7816_1
= blobcode.blob(HEX, "00000000000000000000000000000000");
new empty_iso7816_2
= blobcode.blob(HEX, "80010000000000000000000000000000");
new empty_x923_1
= blobcode.blob(HEX, "01000000000000000000000000000010");
new empty_x923_2
= blobcode.blob(HEX, "00000000000000000000000000000011");
}
sub vcl_recv {
return(synth(200));
}
sub vcl_synth {
set resp.http.foo-pkcs7-cipher-1
= blobcode.encode(BASE64, none.encrypt(foo_pkcs7_1.get()));
set resp.http.foo-pkcs7-plain-1
= blobcode.encode(blob=pkcs7.decrypt(
blobcode.decode(BASE64, resp.http.foo-pkcs7-cipher-1)));
set resp.http.foo-pkcs7-cipher-2
= blobcode.encode(BASE64, none.encrypt(foo_pkcs7_2.get()));
set resp.http.foo-pkcs7-plain-2
= blobcode.encode(blob=pkcs7.decrypt(
blobcode.decode(BASE64, resp.http.foo-pkcs7-cipher-2)));
set resp.http.foo-iso7816-cipher-1
= blobcode.encode(BASE64, none.encrypt(foo_iso7816_1.get()));
set resp.http.foo-iso7816-plain-1
= blobcode.encode(blob=iso7816.decrypt(
blobcode.decode(BASE64, resp.http.foo-iso7816-cipher-1)));
set resp.http.foo-iso7816-cipher-2
= blobcode.encode(BASE64, none.encrypt(foo_iso7816_2.get()));
set resp.http.foo-iso7816-plain-2
= blobcode.encode(blob=iso7816.decrypt(
blobcode.decode(BASE64, resp.http.foo-iso7816-cipher-2)));
set resp.http.foo-x923-cipher-1
= blobcode.encode(BASE64, none.encrypt(foo_x923_1.get()));
set resp.http.foo-x923-plain-1
= blobcode.encode(blob=x923.decrypt(
blobcode.decode(BASE64, resp.http.foo-x923-cipher-1)));
set resp.http.foo-x923-cipher-2
= blobcode.encode(BASE64, none.encrypt(foo_x923_1.get()));
set resp.http.foo-x923-plain-2
= blobcode.encode(blob=x923.decrypt(
blobcode.decode(BASE64, resp.http.foo-x923-cipher-2)));
set resp.http.empty-pkcs7-cipher-1
= blobcode.encode(BASE64, none.encrypt(empty_pkcs7_1.get()));
set resp.http.empty-pkcs7-plain-1
= blobcode.encode(blob=pkcs7.decrypt(
blobcode.decode(BASE64, resp.http.empty-pkcs7-cipher-1)));
set resp.http.empty-pkcs7-cipher-2
= blobcode.encode(BASE64, none.encrypt(empty_pkcs7_2.get()));
set resp.http.empty-pkcs7-plain-2
= blobcode.encode(blob=pkcs7.decrypt(
blobcode.decode(BASE64, resp.http.empty-pkcs7-cipher-2)));
set resp.http.empty-iso7816-cipher-1
= blobcode.encode(BASE64, none.encrypt(empty_iso7816_1.get()));
set resp.http.empty-iso7816-plain-1
= blobcode.encode(blob=iso7816.decrypt(
blobcode.decode(BASE64, resp.http.empty-iso7816-cipher-1)));
set resp.http.empty-iso7816-cipher-2
= blobcode.encode(BASE64, none.encrypt(empty_iso7816_2.get()));
set resp.http.empty-iso7816-plain-2
= blobcode.encode(blob=iso7816.decrypt(
blobcode.decode(BASE64, resp.http.empty-iso7816-cipher-2)));
set resp.http.empty-x923-cipher-1
= blobcode.encode(BASE64, none.encrypt(empty_x923_1.get()));
set resp.http.empty-x923-plain-1
= blobcode.encode(blob=x923.decrypt(
blobcode.decode(BASE64, resp.http.empty-x923-cipher-1)));
set resp.http.empty-x923-cipher-2
= blobcode.encode(BASE64, none.encrypt(empty_x923_1.get()));
set resp.http.empty-x923-plain-2
= blobcode.encode(blob=x923.decrypt(
blobcode.decode(BASE64, resp.http.empty-x923-cipher-2)));
return(deliver);
}
}
client c1 {
txreq
rxresp
expect resp.status == 200
expect resp.http.foo-pkcs7-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-pkcs7-plain-1 == ""
expect resp.http.foo-pkcs7-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-pkcs7-plain-2 == ""
expect resp.http.foo-iso7816-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-iso7816-plain-1 == ""
expect resp.http.foo-iso7816-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-iso7816-plain-2 == ""
expect resp.http.foo-x923-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-x923-plain-1 == ""
expect resp.http.foo-x923-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-x923-plain-2 == ""
expect resp.http.empty-pkcs7-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-pkcs7-plain-1 == ""
expect resp.http.empty-pkcs7-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-pkcs7-plain-2 == ""
expect resp.http.empty-iso7816-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-iso7816-plain-1 == ""
expect resp.http.empty-iso7816-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-iso7816-plain-2 == ""
expect resp.http.empty-x923-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-x923-plain-1 == ""
expect resp.http.empty-x923-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-x923-plain-2 == ""
} -run
logexpect l1 -v v1 -d 1 -q "VCL_Error" {
expect 0 * Begin req
expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
expect * = End
} -run
src/tests/random.vtc
View file @ 808a8eee
......@@ -9,7 +9,7 @@ varnishtest "random() and random_int(), _real() and _bool()"
# varnishtest.
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
......@@ -19,22 +19,22 @@ varnish v1 -vcl {
sub vcl_synth {
set resp.http.nonce16
= blobcode.encode(HEXUC, gcrypt.random(NONCE, 16B));
= blob.encode(HEX, UPPER, gcrypt.random(NONCE, 16B));
set resp.http.nonce16-task
= blobcode.encode(HEXUC, gcrypt.random());
= blob.encode(HEX, UPPER, gcrypt.random());
set resp.http.strong32
= blobcode.encode(HEXUC, gcrypt.random(STRONG, 32B));
= blob.encode(HEX, UPPER, gcrypt.random(STRONG, 32B));
set resp.http.strong32-task-noarg
= blobcode.encode(HEXUC, gcrypt.random());
= blob.encode(HEX, UPPER, gcrypt.random());
set resp.http.strong32-task-n0
= blobcode.encode(HEXUC, gcrypt.random(n=0B));
= blob.encode(HEX, UPPER, gcrypt.random(n=0B));
set resp.http.strong32-task-enum
= blobcode.encode(HEXUC, gcrypt.random(VERY_STRONG));
= blob.encode(HEX, UPPER, gcrypt.random(VERY_STRONG));
set resp.http.strong32-task-n0-enum
= blobcode.encode(HEXUC, gcrypt.random(NONCE, n=0B));
= blob.encode(HEX, UPPER, gcrypt.random(NONCE, n=0B));
set resp.http.error
= blobcode.encode(HEXUC, gcrypt.random(n=1B));
= blob.encode(HEX, UPPER, gcrypt.random(n=1B));
set resp.http.strong-int = gcrypt.random_int(STRONG);
set resp.http.nonce-int = gcrypt.random_int(NONCE);
......@@ -111,7 +111,7 @@ logexpect l1 -v v1 -d 1 -q "VCL_Error" {
} -run
varnish v1 -errvcl {vmod gcrypt error: in gcrypt.random(): quality ENUM is NULL} {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
......@@ -124,7 +124,7 @@ varnish v1 -errvcl {vmod gcrypt error: in gcrypt.random(): quality ENUM is NULL}
# random_real()
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
......@@ -150,7 +150,7 @@ client c1 -repeat 20 {
# random_bool()
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
......
src/tests/wipe.vtc
View file @ 808a8eee
......@@ -3,27 +3,27 @@
varnishtest "wipe()"
varnish v1 -vcl {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new b16
= blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f");
= blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
gcrypt.wipe(b16.get());
new b4 = blobcode.blob(HEX, "00010203");
new b4 = blob.blob(HEX, "00010203");
gcrypt.wipe(b4.get());
new b12 = blobcode.blob(HEX, "000102030405060708090a0b");
new b12 = blob.blob(HEX, "000102030405060708090a0b");
gcrypt.wipe(b12.get());
new hobbes = blobcode.blob(IDENTITY,
new hobbes = blob.blob(IDENTITY,
"Man is distinguished, not only by his reason, but by this singular passion from other animals, which is a lust of the mind, that by a perseverance of delight in the continued and indefatigable generation of knowledge, exceeds the short vehemence of any carnal pleasure.");
gcrypt.wipe(hobbes.get());
new foo = blobcode.blob(encoded="foo");
new empty = blobcode.blob(encoded="");
new foo = blob.blob(encoded="foo");
new empty = blob.blob(encoded="");
}
sub vcl_recv {
......@@ -31,13 +31,13 @@ varnish v1 -vcl {
}
sub vcl_synth {
set resp.http.b16 = blobcode.encode(HEXUC, b16.get());
set resp.http.b4 = blobcode.encode(HEXUC, b4.get());
set resp.http.b12 = blobcode.encode(HEXUC, b12.get());
set resp.http.hobbes = blobcode.encode(HEXUC, hobbes.get());
set resp.http.b16 = blob.encode(HEX, UPPER, b16.get());
set resp.http.b4 = blob.encode(HEX, UPPER, b4.get());
set resp.http.b12 = blob.encode(HEX, UPPER, b12.get());
set resp.http.hobbes = blob.encode(HEX, UPPER, hobbes.get());
gcrypt.wipe(foo.get());
set resp.http.foo = blobcode.encode(HEXUC, foo.get());
set resp.http.foo = blob.encode(HEX, UPPER, foo.get());
gcrypt.wipe(empty.get());
......@@ -63,12 +63,12 @@ logexpect l1 -v v1 -d 1 -q "VCL_Error" {
} -run
varnish v1 -errvcl {vmod gcrypt error: empty blob in gcrypt.wipe()} {
import blobcode;
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new empty = blobcode.blob(encoded="");
new empty = blob.blob(encoded="");
gcrypt.wipe(empty.get());
}
}
src/vmod_gcrypt.c
View file @ 808a8eee
......@@ -45,6 +45,8 @@
#include "cache/cache.h"
#include "vas.h"
#include "vqueue.h"
#include "vcl.h"
#include "vsb.h"
#include "vcc_if.h"
#include "vmod_gcrypt.h"
......@@ -109,6 +111,7 @@ static int rnd_boolk_inited = 0;
#define BLOB_VMOD_GCRYPT_TYPE 0xa003140d
// XXX replace all with VRT_fail()?
static void
errmsg(VRT_CTX, const char *fmt, ...)
{
......@@ -118,7 +121,7 @@ errmsg(VRT_CTX, const char *fmt, ...)
if (ctx->method == VCL_MET_INIT) {
AN(ctx->msg);
VSB_vprintf(ctx->msg, fmt, args);
VRT_handling(ctx, VCL_RET_FAIL);
VRT_fail(ctx, " ");
}
else if (ctx->vsl)
VSLbv(ctx->vsl, SLT_VCL_Error, fmt, args);
......@@ -181,7 +184,7 @@ gcrypt_fatal(void *priv, int err, const char *text)
}
int
event(VRT_CTX, struct vmod_priv *priv, enum vcl_event_e e)
vmod_event(VRT_CTX, struct vmod_priv *priv, enum vcl_event_e e)
{
(void) ctx;
(void) priv;
......@@ -291,11 +294,10 @@ vmod_symmetric__init(VRT_CTX, struct vmod_gcrypt_symmetric **symmetricp,
vcl_name);
return;
}
if (key == NULL || key->priv == NULL) {
if (key == NULL || key->blob == NULL) {
VERR(ctx, "key is NULL in %s constructor", vcl_name);
return;
}
assert(key->len >= 0);
if (secure && !secmem_enabled) {
VERR(ctx, "secure memory not enabled in %s constructor",
vcl_name);
......@@ -350,7 +352,7 @@ vmod_symmetric__init(VRT_CTX, struct vmod_gcrypt_symmetric **symmetricp,
vcl_name, gcry_strsource(err), gcry_strerror(err));
return;
}
err = gcry_cipher_setkey(hd, key->priv, key->len);
err = gcry_cipher_setkey(hd, key->blob, key->len);
gcry_cipher_close(hd);
if (err != GPG_ERR_NO_ERROR) {
VERR(ctx, "Cannot set key in %s constructor: %s/%s",
......@@ -383,7 +385,7 @@ vmod_symmetric__init(VRT_CTX, struct vmod_gcrypt_symmetric **symmetricp,
VERRNOMEM(ctx, "copying key in %s constructor", vcl_name);
return;
}
memcpy(symmetric->key, key->priv, key->len);
memcpy(symmetric->key, key->blob, key->len);
symmetric->vcl_name = strdup(vcl_name);
if (symmetric->vcl_name == NULL) {
VERRNOMEM(ctx, "copying object name in %s constructor",
......@@ -463,30 +465,37 @@ get_symmetric_hd(VRT_CTX,
return hd;
}
VCL_BLOB
vmod_symmetric_encrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric,
VCL_BLOB plainblob, VCL_BLOB iv, VCL_BLOB ctr)
VCL_BLOB vmod_symmetric_encrypt(VRT_CTX,
struct VPFX(gcrypt_symmetric) *symmetric,
struct VARGS(symmetric_encrypt)* args)
{
VCL_BLOB plainblob = args->plaintext, iv = NULL, ctr = NULL;
size_t len, blocklen;
uintptr_t snap;
void *plaintext, *ciphertext;
const void *plaintext;
void *ciphertext;
gcry_error_t err = GPG_ERR_NO_ERROR;
gcry_cipher_hd_t *hd;
VCL_BLOB b;
CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);
CHECK_OBJ_NOTNULL(symmetric, VMOD_GCRYPT_SYMMETRIC_MAGIC);
if (plainblob == NULL || plainblob->priv == NULL) {
if (plainblob == NULL || plainblob->blob == NULL) {
VERR(ctx, "Plaintext BLOB is NULL in %s.encrypt()",
symmetric->vcl_name);
return NULL;
}
if (args->valid_iv)
iv = args->iv;
if (args->valid_ctr)
ctr = args->ctr;
snap = WS_Snapshot(ctx->ws);
blocklen = gcry_cipher_get_algo_blklen(symmetric->algo);
AN(blocklen);
if (symmetric->padding != NONE) {
plaintext = (padf[symmetric->padding])(ctx->ws, plainblob->priv,
plaintext = (padf[symmetric->padding])(ctx->ws, plainblob->blob,
plainblob->len, blocklen,
&len);
if (plaintext == NULL) {
......@@ -496,7 +505,7 @@ vmod_symmetric_encrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric,
}
}
else {
plaintext = plainblob->priv;
plaintext = plainblob->blob;
len = plainblob->len;
}
if ((ciphertext = WS_Alloc(ctx->ws, len)) == NULL) {
......@@ -514,11 +523,10 @@ vmod_symmetric_encrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric,
"%s.encrypt()", symmetric->vcl_name);
goto fail;
}
assert(iv->len >= 0);
/* A NULL iv of length 0 is permitted. */
if (iv->priv == NULL)
if (iv->blob == NULL)
assert(iv->len == 0);
if ((err = gcry_cipher_setiv(*hd, iv->priv, iv->len))
if ((err = gcry_cipher_setiv(*hd, iv->blob, iv->len))
!= GPG_ERR_NO_ERROR) {
VERR(ctx, "Cannot set initialization vector in "
"%s.encrypt(): %s/%s", symmetric->vcl_name,
......@@ -527,13 +535,12 @@ vmod_symmetric_encrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric,
}
}
if (need_ctr[symmetric->mode]) {
if (ctr == NULL || ctr->priv == NULL) {
if (ctr == NULL || ctr->blob == NULL) {
VERR(ctx, "Required counter vector is NULL in "
"%s.encrypt()", symmetric->vcl_name);
goto fail;
}
assert(ctr->len >= 0);
if ((err = gcry_cipher_setctr(*hd, ctr->priv, ctr->len))
if ((err = gcry_cipher_setctr(*hd, ctr->blob, ctr->len))
!= GPG_ERR_NO_ERROR) {
VERR(ctx, "Cannot set counter vector in %s.encrypt(): "
"%s/%s", symmetric->vcl_name, gcry_strsource(err),
......@@ -562,24 +569,29 @@ vmod_symmetric_encrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric,
return NULL;
}
VCL_BLOB
vmod_symmetric_decrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric,
VCL_BLOB ciphertext, VCL_BLOB iv, VCL_BLOB ctr)
VCL_BLOB vmod_symmetric_decrypt(VRT_CTX,
struct VPFX(gcrypt_symmetric) *symmetric,
struct VARGS(symmetric_decrypt) *args)
{
VCL_BLOB ciphertext = args->ciphertext, iv = NULL, ctr = NULL;
uintptr_t snap;
struct vmod_priv *plaintext;
struct vrt_blob *plaintext;
void *plain;
gcry_error_t err = GPG_ERR_NO_ERROR;
gcry_cipher_hd_t *hd;
size_t blocklen;
CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);
CHECK_OBJ_NOTNULL(symmetric, VMOD_GCRYPT_SYMMETRIC_MAGIC);
if (ciphertext == NULL || ciphertext->priv == NULL) {
if (ciphertext == NULL || ciphertext->blob == NULL) {
VERR(ctx, "Ciphertext BLOB is NULL in %s.decrypt()",
symmetric->vcl_name);
return NULL;
}
assert(ciphertext->len >= 0);
if (args->valid_iv)
iv = args->iv;
if (args->valid_ctr)
ctr = args->ctr;
snap = WS_Snapshot(ctx->ws);
if ((plaintext = WS_Alloc(ctx->ws, sizeof(*plaintext))) == NULL) {
......@@ -588,8 +600,8 @@ vmod_symmetric_decrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric,
return NULL;
}
plaintext->priv = WS_Front(ctx->ws);
if (WS_Reserve(ctx->ws, 0) < (unsigned) ciphertext->len) {
plaintext->blob = plain = WS_Front(ctx->ws);
if (WS_ReserveAll(ctx->ws) < (unsigned) ciphertext->len) {
VERRNOMEM(ctx, "Allocating plaintext result in %s.decrypt()",
symmetric->vcl_name);
WS_Reset(ctx->ws, snap);
......@@ -605,11 +617,10 @@ vmod_symmetric_decrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric,
"%s.decrypt()", symmetric->vcl_name);
goto fail;
}
assert(iv->len >= 0);
/* A NULL iv of length 0 is permitted. */
if (iv->priv == NULL)
if (iv->blob == NULL)
assert(iv->len == 0);
if ((err = gcry_cipher_setiv(*hd, iv->priv, iv->len))
if ((err = gcry_cipher_setiv(*hd, iv->blob, iv->len))
!= GPG_ERR_NO_ERROR) {
VERR(ctx, "Cannot set initialization vector in "
"%s.decrypt(): %s/%s", symmetric->vcl_name,
......@@ -618,13 +629,12 @@ vmod_symmetric_decrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric,
}
}
if (need_ctr[symmetric->mode]) {
if (ctr == NULL || ctr->priv == NULL) {
if (ctr == NULL || ctr->blob == NULL) {
VERR(ctx, "Required counter vector is NULL in "
"%s.decrypt()", symmetric->vcl_name);
goto fail;
}
assert(ctr->len >= 0);
if ((err = gcry_cipher_setctr(*hd, ctr->priv, ctr->len))
if ((err = gcry_cipher_setctr(*hd, ctr->blob, ctr->len))
!= GPG_ERR_NO_ERROR) {
VERR(ctx, "Cannot set counter vector in %s.decrypt(): "
"%s/%s", symmetric->vcl_name, gcry_strsource(err),
......@@ -632,8 +642,8 @@ vmod_symmetric_decrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric,
goto fail;
}
}
if ((err = gcry_cipher_decrypt(*hd, plaintext->priv, ciphertext->len,
ciphertext->priv, ciphertext->len))
if ((err = gcry_cipher_decrypt(*hd, plain, ciphertext->len,
ciphertext->blob, ciphertext->len))
!= GPG_ERR_NO_ERROR) {
VERR(ctx, "in %s.decrypt(): %s/%s", symmetric->vcl_name,
gcry_strsource(err), gcry_strerror(err));
......@@ -651,17 +661,11 @@ vmod_symmetric_decrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric,
goto fail;
}
plaintext->len =
(unpadlenf[symmetric->padding])(plaintext->priv,
(unpadlenf[symmetric->padding])(plain,
ciphertext->len,
blocklen);
if (plaintext->len < 0) {
VERR(ctx, "in %s.decrypt(): incorrect padding",
symmetric->vcl_name);
goto fail;
}
}
WS_Release(ctx->ws, plaintext->len);
plaintext->free = NULL;
return plaintext;
fail:
......@@ -673,7 +677,7 @@ vmod_symmetric_decrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric,
/* Function random */
static inline void
get_rnd(VCL_ENUM const restrict qualitys, void * const restrict p, size_t n)
get_rnd(VCL_ENUM const restrict qualitys, void * restrict p, size_t n)
{
switch(qualitys[0]) {
case 'N':
......@@ -694,10 +698,14 @@ get_rnd(VCL_ENUM const restrict qualitys, void * const restrict p, size_t n)
}
VCL_BLOB
vmod_random(VRT_CTX, struct vmod_priv *rnd_task, VCL_ENUM qualitys, VCL_BYTES n)
vmod_random(VRT_CTX, struct VARGS(random)*args)
{
struct vmod_priv *rnd_blob;
struct vmod_priv *rnd_task = args->arg1;
VCL_ENUM qualitys = NULL;
VCL_BYTES n = args->n;
struct vrt_blob *rnd_blob;
uintptr_t snap;
void *rnd;
CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);
AN(rnd_task);
......@@ -714,6 +722,9 @@ vmod_random(VRT_CTX, struct vmod_priv *rnd_task, VCL_ENUM qualitys, VCL_BYTES n)
return (VCL_BLOB)rnd_task->priv;
}
if (args->valid_quality)
qualitys = args->quality;
if (qualitys == NULL) {
ERR(ctx, "in gcrypt.random(): quality ENUM is NULL");
return NULL;
......@@ -725,15 +736,17 @@ vmod_random(VRT_CTX, struct vmod_priv *rnd_task, VCL_ENUM qualitys, VCL_BYTES n)
"BLOB");
return NULL;
}
if ((rnd_blob->priv = WS_Alloc(ctx->ws, n)) == NULL) {
if ((rnd = WS_Alloc(ctx->ws, n)) == NULL) {
WS_Reset(ctx->ws, snap);
VERRNOMEM(ctx, "in gcrypt.random(), allocating space for %d "
"random bytes", n);
return NULL;
}
get_rnd(qualitys, rnd_blob->priv, n);
get_rnd(qualitys, rnd, n);
rnd_blob->blob = rnd;
rnd_blob->len = n;
rnd_blob->free = NULL;
rnd_task->priv = rnd_blob;
rnd_task->len = sizeof(*rnd_blob);
rnd_task->free = NULL;
......@@ -898,9 +911,9 @@ vmod_random_bool(VRT_CTX, VCL_ENUM qualitys)
/* Function wipe */
static inline void
wipe(void * const dst, size_t len, uint8_t val)
wipe(const void * const dst, size_t len, uint8_t val)
{
volatile uint8_t *p = (volatile uint8_t *)dst;
volatile uint8_t *p = (volatile uint8_t *)TRUST_ME(dst);
while (((uintptr_t)p & (sizeof(uint64_t)-1)) && len) {
*p++ = val;
......@@ -925,14 +938,14 @@ VCL_VOID
vmod_wipe(VRT_CTX, VCL_BLOB b)
{
CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);
if (b == NULL || b->len == 0 || b->priv == NULL) {
if (b == NULL || b->len == 0 || b->blob == NULL) {
ERR(ctx, "empty blob in gcrypt.wipe()");
return;
}
wipe(b->priv, b->len, 0xff);
wipe(b->priv, b->len, 0xaa);
wipe(b->priv, b->len, 0x55);
wipe(b->priv, b->len, 0x00);
wipe(b->blob, b->len, 0xff);
wipe(b->blob, b->len, 0xaa);
wipe(b->blob, b->len, 0x55);
wipe(b->blob, b->len, 0x00);
}
/* Function fileread */
......@@ -971,7 +984,7 @@ filedata_free(void *p)
VCL_BLOB
vmod_fileread(VRT_CTX, struct vmod_priv *task, VCL_STRING path)
{
struct vmod_priv *b;
struct vrt_blob *b;
struct filedata_head *fhead;
struct filedata *fdata;
struct stat st, fst;
......@@ -1011,7 +1024,6 @@ vmod_fileread(VRT_CTX, struct vmod_priv *task, VCL_STRING path)
ERRNOMEM(ctx, "Allocating return BLOB in gcrypt.fileread()");
return NULL;
}
b->free = NULL;
errno = 0;
if (stat(path, &st) < 0) {
......@@ -1087,7 +1099,7 @@ vmod_fileread(VRT_CTX, struct vmod_priv *task, VCL_STRING path)
fdata->contents = contents;
fdata->len = st.st_size;
VSLIST_INSERT_HEAD(fhead, fdata, list);
b->priv = contents;
b->blob = contents;
b->len = st.st_size;
return b;
......
src/vmod_gcrypt.vcc
View file @ 808a8eee
......@@ -5,7 +5,7 @@
# Author: Geoffrey Simmons <geoffrey.simmons@uplex.de>
#
$Module gcrypt 3 access the libgcrypt cryptographic library
$Module gcrypt 3 "access the libgcrypt cryptographic library"
::
......@@ -50,13 +50,13 @@ allows the VMOD to concentrate strictly on cryptographic operations,
separate from concerns of binary-to-text encodings. BLOBs are not
created by any part of native VCL, and can only be created by other
VMODs, so it is necessary to use this VMOD together with another one
that does so (such as VMOD ``blobcode`` for binary-to-text encodings,
see `SEE ALSO`_).
that does so (such as VMOD ``blob`` for binary-to-text encodings,
which is part of varnish-cache).
This is a simple usage example::
import gcrypt;
import blobcode;
import blob;
sub vcl_init {
# Finalize default initialization of the libgcrypt library.
......@@ -76,19 +76,19 @@ This is a simple usage example::
# response header X-Cipher, and the hex-encoded counter vector to
# the response header X-Ctr; and remove X-Msg from the response.
sub vcl_deliver {
# Use the blobcode VMOD to convert the contents of X-Msg to a
# Use the blob VMOD to convert the contents of X-Msg to a
# BLOB, and to encode the encrypted ciphertext in hex with
# lower-case digits. Use the random() function to generate a
# counter vector as a 128 bit nonce.
set resp.http.X-Cipher
= blobcode.encode(HEXLC,
aes.encrypt(blobcode.decode(encoded=req.http.X-Msg),
= blob.encode(HEXLC,
aes.encrypt(blob.decode(encoded=req.http.X-Msg),
ctr=gcrypt.random(NONCE, 16B)));
# Use the no-argument version of random() to retrieve the
# counter vector that was just generated, and use the
# blobcode VMOD to encode it as lower-case hex.
set resp.http.X-CTR = blobcode.encode(HEXLC, gcrypt.random());
# blob VMOD to encode it as lower-case hex.
set resp.http.X-CTR = blob.encode(HEXLC, gcrypt.random());
# Remove the plaintext from the response header.
unset resp.http.X-Msg;
......@@ -313,21 +313,21 @@ of the VCL load with an error message, under these conditions:
Examples::
import gcrypt;
import blobcode;
import blob;
# Assume in the following that initialization has been finalized.
sub vcl_init {
# Use the blobcode VMOD to create some BLOBs for the cryptographic
# Use the blob VMOD to create some BLOBs for the cryptographic
# keys, whose lengths are 16, 24 and 32 bytes for AES-128, -192
# and -256, respectively.
# NOTE: The keys used in this manual's examples are chosen to
# make the key lengths easy to recognize. DO NOT copy them
# into production VCL!
new k128 = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new k192 = blobcode.blob(HEX,
new k128 = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new k192 = blob.blob(HEX,
"000102030405060708090a0b0c0d0e0f1011121314151617");
new k256 = blobcode.blob(HEX,
new k256 = blob.blob(HEX,
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f");
# Create an object for AES-128 with CTR mode (no padding
......@@ -387,19 +387,19 @@ Examples::
sub vcl_deliver {
# Encrypt X-Msg-128 with AES-128 and the counter vector, and
# return the ciphertext in a base64-encoded response header.
set resp.http.X-Cipher-128 = blobcode.encode(BASE64,
aes128.encrypt(blobcode.decode(encoded=resp.http.X-Msg-128),
ctr=blobcode.decode(BASE64, resp.http.X-Ctr)));
set resp.http.X-Cipher-128 = blob.encode(BASE64,
aes128.encrypt(blob.decode(encoded=resp.http.X-Msg-128),
ctr=blob.decode(BASE64, resp.http.X-Ctr)));
# Encrypt X-Msg-192 with AES-192 and init vector X-IV-192.
set resp.http.X-Cipher-192 = blobcode.encode(BASE64,
aes192.encrypt(blobcode.decode(encoded=resp.http.X-Msg-192),
iv=blobcode.decode(BASE64, resp.http.X-IV-192)));
set resp.http.X-Cipher-192 = blob.encode(BASE64,
aes192.encrypt(blob.decode(encoded=resp.http.X-Msg-192),
iv=blob.decode(BASE64, resp.http.X-IV-192)));
# Encrypt X-Msg-256 with AES-256 and init vector X-IV-256.
set resp.http.X-Cipher-256 = blobcode.encode(BASE64,
aes256.encrypt(blobcode.decode(encoded=resp.http.X-Msg-256),
iv=blobcode.decode(BASE64, resp.http.X-IV-256)));
set resp.http.X-Cipher-256 = blob.encode(BASE64,
aes256.encrypt(blob.decode(encoded=resp.http.X-Msg-256),
iv=blob.decode(BASE64, resp.http.X-IV-256)));
}
$Method BLOB .decrypt(BLOB ciphertext, [BLOB iv], [BLOB ctr])
......@@ -441,19 +441,19 @@ Examples::
sub vcl_recv {
# Decrypt X-Msg-128 with AES-128 and the counter vector, and
# return the plaintext in a base64-encoded request header.
set req.http.X-Cipher-128 = blobcode.encode(BASE64,
aes128.decrypt(blobcode.decode(encoded=req.http.X-Msg-128),
ctr=blobcode.decode(BASE64, req.http.X-Ctr)));
set req.http.X-Cipher-128 = blob.encode(BASE64,
aes128.decrypt(blob.decode(encoded=req.http.X-Msg-128),
ctr=blob.decode(BASE64, req.http.X-Ctr)));
# Decrypt X-Msg-192 with AES-192 and init vector X-IV-192.
set req.http.X-Cipher-192 = blobcode.encode(BASE64,
aes192.decrypt(blobcode.decode(encoded=req.http.X-Msg-192),
iv=blobcode.decode(BASE64, req.http.X-IV-192)));
set req.http.X-Cipher-192 = blob.encode(BASE64,
aes192.decrypt(blob.decode(encoded=req.http.X-Msg-192),
iv=blob.decode(BASE64, req.http.X-IV-192)));
# Decrypt X-Msg-256 with AES-256 and init vector X-IV-256.
set req.http.X-Cipher-256 = blobcode.encode(BASE64,
aes256.decrypt(blobcode.decode(encoded=req.http.X-Msg-256),
iv=blobcode.decode(BASE64, req.http.X-IV-256)));
set req.http.X-Cipher-256 = blob.encode(BASE64,
aes256.decrypt(blob.decode(encoded=req.http.X-Msg-256),
iv=blob.decode(BASE64, req.http.X-IV-256)));
}
$Function BLOB fileread(PRIV_TASK, STRING path)
......@@ -542,7 +542,7 @@ Example::
key=gcrypt.fileread("/path/to/key"));
}
$Function BLOB random(PRIV_TASK, ENUM {STRONG, VERY_STRONG, NONCE} quality=0,
$Function BLOB random(PRIV_TASK, [ENUM {STRONG, VERY_STRONG, NONCE} quality],
BYTES n=0)
Return a BLOB containing ``n`` bytes of pseudo-random data. The
......@@ -617,14 +617,14 @@ Example::
# cipher in use -- 128 bits (16 bytes) for AES. For CBC, the IV
# MUST be unpredictable, so we use quality level STRONG.
set resp.http.X-Encrypted
= blobcode.encode(BASE64,
aes192.encrypt(blobcode.decode(encoded=resp.http.X-Msg),
= blob.encode(BASE64,
aes192.encrypt(blob.decode(encoded=resp.http.X-Msg),
iv=gcrypt.random(STRONG, 16B)));
# Now call random() with no arguments to retrive the IV that
# was generated, to be sent in the base64-encoded response
# header X-IV.
set resp.http.X-IV = blobcode.encode(BASE64, gcrypt.random());
set resp.http.X-IV = blob.encode(BASE64, gcrypt.random());
# Remove the plaintext from the response header.
unset resp.http.X-Msg;
......@@ -715,7 +715,7 @@ Example::
# secure memory, wipe the BLOB from which the key was read. This
# ensures that the key is only stored in secure memory.
sub vcl_init {
new k = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new k = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new aes = gcrypt.symmetric(AES, CTR, key=k.get(), secure=true);
gcrypt.wipe(key.get());
}
......@@ -840,7 +840,7 @@ enter into cryptographic operations -- keys, plaintexts, ciphertexts,
IVs and counters. But these are typically obtained from sources that
are readable from other elements of Varnish.
As can be seen in the examples above that use VMOD blobcode to create
As can be seen in the examples above that use VMOD blob to create
key objects, the contents of a key are readable in the VCL source. If
you are using the VMOD that way, consider storing VCL sources so that
they are only readable by the owner of the Varnish child process.
......@@ -938,7 +938,6 @@ SEE ALSO
* pthread_key_create(3)
* libgcrypt: https://gnupg.org/software/libgcrypt/index.html
* source repository: https://code.uplex.de/uplex-varnish/libvmod-gcrypt
* VMOD blobcode: https://code.uplex.de/uplex-varnish/libvmod-blobcode
* developer contact: <varnish-support@uplex.de>, and at the source
repository site
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment