Skip to content

L
libvmod-gcrypt
Unverified Commit 808a8eee authored by Nils Goroll's avatar Nils Goroll
1 Browse files
Options

adjust to current varnish-cache (6.4 / post-6.4 master) 

The changes are mostly mechanical

- replace use of the blobcode vmod with vmod blob and adjust to new
  function signatures
- use struct vrt_blob for blobs and adjust to new struct members
- use separate pointers for generating output (blobs are const)
- use optional arguments for functions (minimal adjustments of
  existing code)
- replace WS_Reserve() with WS_ReserveAll()
- wipe needs the TRUST_ME() macro to un-const blobs

unresolved issues:

- padding errors lead to "vmod blob error: cannot encode, out of space",
  the respective tests have been moved to
  tests.disabled/padding_error.vtc
parent 9e6cf927
Hide whitespace changes
Inline Side-by-side
Showing with 828 additions and 805 deletions
README.rst
View file @ 808a8eee
.. ..
.. NB: This file is machine generated, DO NOT EDIT! .. NB: This file is machine generated, DO NOT EDIT!
.. ..
.. Edit vmod.vcc and run make instead .. Edit ../src/vmod_gcrypt.vcc and run make instead
.. ..
.. role:: ref(emphasis) .. role:: ref(emphasis)
.. _vmod_gcrypt(3):
=========== ===========
vmod_gcrypt vmod_gcrypt
=========== ===========
...@@ -21,9 +19,34 @@ access the libgcrypt cryptographic library ...@@ -21,9 +19,34 @@ access the libgcrypt cryptographic library
SYNOPSIS SYNOPSIS
======== ========
import gcrypt [from "path"] ; .. parsed-literal::
import gcrypt [as name] [from "path"]
VOID init(ENUM, BYTES n)
new xsymmetric = gcrypt.symmetric(ENUM cipher, ENUM mode, ENUM padding, BLOB key, BOOL secure, BOOL cbc_cts)
BLOB xsymmetric.encrypt(BLOB plaintext, [BLOB iv], [BLOB ctr])
BLOB xsymmetric.decrypt(BLOB ciphertext, [BLOB iv], [BLOB ctr])
BLOB fileread(STRING path)
BLOB random([ENUM quality], BYTES n)
INT random_int(ENUM quality, INT bound)
REAL random_real(ENUM)
BOOL random_bool(ENUM)
VOID wipe(BLOB)
STRING version()
STRING gcrypt_version()
:: ::
gcrypt.init(ENUM {INIT_SECMEM, DISABLE_SECMEM} [, BYTES n]) gcrypt.init(ENUM {INIT_SECMEM, DISABLE_SECMEM} [, BYTES n])
...@@ -67,13 +90,13 @@ allows the VMOD to concentrate strictly on cryptographic operations, ...@@ -67,13 +90,13 @@ allows the VMOD to concentrate strictly on cryptographic operations,
separate from concerns of binary-to-text encodings. BLOBs are not separate from concerns of binary-to-text encodings. BLOBs are not
created by any part of native VCL, and can only be created by other created by any part of native VCL, and can only be created by other
VMODs, so it is necessary to use this VMOD together with another one VMODs, so it is necessary to use this VMOD together with another one
that does so (such as VMOD ``blobcode`` for binary-to-text encodings, that does so (such as VMOD ``blob`` for binary-to-text encodings,
see `SEE ALSO`_). which is part of varnish-cache).
This is a simple usage example:: This is a simple usage example::
import gcrypt; import gcrypt;
import blobcode; import blob;
sub vcl_init { sub vcl_init {
# Finalize default initialization of the libgcrypt library. # Finalize default initialization of the libgcrypt library.
...@@ -93,19 +116,19 @@ This is a simple usage example:: ...@@ -93,19 +116,19 @@ This is a simple usage example::
# response header X-Cipher, and the hex-encoded counter vector to # response header X-Cipher, and the hex-encoded counter vector to
# the response header X-Ctr; and remove X-Msg from the response. # the response header X-Ctr; and remove X-Msg from the response.
sub vcl_deliver { sub vcl_deliver {
# Use the blobcode VMOD to convert the contents of X-Msg to a # Use the blob VMOD to convert the contents of X-Msg to a
# BLOB, and to encode the encrypted ciphertext in hex with # BLOB, and to encode the encrypted ciphertext in hex with
# lower-case digits. Use the random() function to generate a # lower-case digits. Use the random() function to generate a
# counter vector as a 128 bit nonce. # counter vector as a 128 bit nonce.
set resp.http.X-Cipher set resp.http.X-Cipher
= blobcode.encode(HEXLC, = blob.encode(HEXLC,
aes.encrypt(blobcode.decode(encoded=req.http.X-Msg), aes.encrypt(blob.decode(encoded=req.http.X-Msg),
ctr=gcrypt.random(NONCE, 16B))); ctr=gcrypt.random(NONCE, 16B)));
# Use the no-argument version of random() to retrieve the # Use the no-argument version of random() to retrieve the
# counter vector that was just generated, and use the # counter vector that was just generated, and use the
# blobcode VMOD to encode it as lower-case hex. # blob VMOD to encode it as lower-case hex.
set resp.http.X-CTR = blobcode.encode(HEXLC, gcrypt.random()); set resp.http.X-CTR = blob.encode(HEXLC, gcrypt.random());
# Remove the plaintext from the response header. # Remove the plaintext from the response header.
unset resp.http.X-Msg; unset resp.http.X-Msg;
...@@ -161,28 +184,14 @@ described below), but if it does: ...@@ -161,28 +184,14 @@ described below), but if it does:
* A Varnish panic is invoked with the error message from libgcrypt. * A Varnish panic is invoked with the error message from libgcrypt.
CONTENTS .. _gcrypt.init():
========
* VOID init(ENUM {INIT_SECMEM,DISABLE_SECMEM,FINISH}, BYTES) VOID init(ENUM, BYTES n)
* symmetric(ENUM {AES,AES128,RIJNDAEL,RIJNDAEL128,AES192,RIJNDAEL192,AES256,RIJNDAEL256}, ENUM {ECB,CFB,CBC,OFB,CTR}, ENUM {PKCS7,ISO7816,X923,NONE}, BLOB, BOOL, BOOL) ------------------------
* BLOB fileread(PRIV_TASK, STRING)
* BLOB random(PRIV_TASK, ENUM {STRONG,VERY_STRONG,NONCE}, BYTES)
* INT random_int(ENUM {STRONG,NONCE}, INT)
* REAL random_real(ENUM {STRONG,NONCE})
* BOOL random_bool(ENUM {STRONG,NONCE})
* VOID wipe(BLOB)
* STRING version()
* STRING gcrypt_version()
.. _func_init:
init
----
:: ::
VOID init(ENUM {INIT_SECMEM,DISABLE_SECMEM,FINISH}, BYTES n=1) VOID init(ENUM {INIT_SECMEM, DISABLE_SECMEM, FINISH}, BYTES n=1)
Initialize the libgcrypt library, currently to manage the use of Initialize the libgcrypt library, currently to manage the use of
secure memory. The ENUM specifies an operation for initialization. secure memory. The ENUM specifies an operation for initialization.
...@@ -194,9 +203,15 @@ created; details below. ...@@ -194,9 +203,15 @@ created; details below.
With ``INIT_SECMEM``, you can configure the size of the secure memory With ``INIT_SECMEM``, you can configure the size of the secure memory
pool to ``n`` bytes (the ``n`` parameter is ignored for the other pool to ``n`` bytes (the ``n`` parameter is ignored for the other
ENUMs). The data type for ``n`` is BYTES, so the value must be written ENUMs). The data type for ``n`` is BYTES, so the value must be written
with a suffix such as B or KB. Secure memory is enabled by default and with a suffix such as B or KB. Secure memory is enabled by default
set to a default size (32 KiB in libgcrypt 1.6.3), so you don't have and, if configured, a minimum size is enforced by libgcrypt (32 KiB in
to call ``init()`` with ``INIT_SECMEM`` to use the default. libgcrypt 1.6.3), so you don't have to call ``init()`` with
``INIT_SECMEM`` to use the default.
The most likely cause for ``INIT_SECMEM`` to fail with ``Cannot
initialize secure memory ... gcrypt/General error`` is that locking
the memory failed. In this case ensure that the resource limits are
configured appropriately (check ``ulimit -l``).
Setting ``n`` to 0B with ``INIT_SECMEM`` disables secure memory, and Setting ``n`` to 0B with ``INIT_SECMEM`` disables secure memory, and
hence has the same effect as calling ``init(DISABLE_SECMEM)``. If hence has the same effect as calling ``init(DISABLE_SECMEM)``. If
...@@ -268,14 +283,21 @@ Examples:: ...@@ -268,14 +283,21 @@ Examples::
gcrypt.init(FINISH); gcrypt.init(FINISH);
} }
.. _obj_symmetric: .. _gcrypt.symmetric():
symmetric new xsymmetric = gcrypt.symmetric(ENUM cipher, ENUM mode, ENUM padding, BLOB key, BOOL secure, BOOL cbc_cts)
--------- ------------------------------------------------------------------------------------------------------------
:: ::
new OBJ = symmetric(ENUM {AES,AES128,RIJNDAEL,RIJNDAEL128,AES192,RIJNDAEL192,AES256,RIJNDAEL256} cipher, ENUM {ECB,CFB,CBC,OFB,CTR} mode, ENUM {PKCS7,ISO7816,X923,NONE} padding="PKCS7", BLOB key, BOOL secure=0, BOOL cbc_cts=0) new xsymmetric = gcrypt.symmetric(
ENUM {AES, AES128, RIJNDAEL, RIJNDAEL128, AES192, RIJNDAEL192, AES256, RIJNDAEL256} cipher,
ENUM {ECB, CFB, CBC, OFB, CTR} mode,
ENUM {PKCS7, ISO7816, X923, NONE} padding=PKCS7,
BLOB key,
BOOL secure=0,
BOOL cbc_cts=0
)
Create an object for encryption and decryption with symmetric ciphers. Create an object for encryption and decryption with symmetric ciphers.
Currently, only AES is supported, with key lengths 128, 192 and 256. Currently, only AES is supported, with key lengths 128, 192 and 256.
...@@ -349,21 +371,21 @@ of the VCL load with an error message, under these conditions: ...@@ -349,21 +371,21 @@ of the VCL load with an error message, under these conditions:
Examples:: Examples::
import gcrypt; import gcrypt;
import blobcode; import blob;
# Assume in the following that initialization has been finalized. # Assume in the following that initialization has been finalized.
sub vcl_init { sub vcl_init {
# Use the blobcode VMOD to create some BLOBs for the cryptographic # Use the blob VMOD to create some BLOBs for the cryptographic
# keys, whose lengths are 16, 24 and 32 bytes for AES-128, -192 # keys, whose lengths are 16, 24 and 32 bytes for AES-128, -192
# and -256, respectively. # and -256, respectively.
# NOTE: The keys used in this manual's examples are chosen to # NOTE: The keys used in this manual's examples are chosen to
# make the key lengths easy to recognize. DO NOT copy them # make the key lengths easy to recognize. DO NOT copy them
# into production VCL! # into production VCL!
new k128 = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f"); new k128 = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new k192 = blobcode.blob(HEX, new k192 = blob.blob(HEX,
"000102030405060708090a0b0c0d0e0f1011121314151617"); "000102030405060708090a0b0c0d0e0f1011121314151617");
new k256 = blobcode.blob(HEX, new k256 = blob.blob(HEX,
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"); "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f");
# Create an object for AES-128 with CTR mode (no padding # Create an object for AES-128 with CTR mode (no padding
...@@ -381,14 +403,14 @@ Examples:: ...@@ -381,14 +403,14 @@ Examples::
cbc_cts=true, secure=true); cbc_cts=true, secure=true);
} }
.. _func_symmetric.encrypt: .. _xsymmetric.encrypt():
symmetric.encrypt BLOB xsymmetric.encrypt(BLOB plaintext, [BLOB iv], [BLOB ctr])
----------------- --------------------------------------------------------------
:: ::
BLOB symmetric.encrypt(BLOB plaintext, BLOB iv=0, BLOB ctr=0) BLOB xsymmetric.encrypt(BLOB plaintext, [BLOB iv], [BLOB ctr])
Encrypt the contents of ``plaintext`` according to the parameters Encrypt the contents of ``plaintext`` according to the parameters
specified for this ``symmetric`` object, and return the ciphertext as specified for this ``symmetric`` object, and return the ciphertext as
...@@ -430,29 +452,29 @@ Examples:: ...@@ -430,29 +452,29 @@ Examples::
sub vcl_deliver { sub vcl_deliver {
# Encrypt X-Msg-128 with AES-128 and the counter vector, and # Encrypt X-Msg-128 with AES-128 and the counter vector, and
# return the ciphertext in a base64-encoded response header. # return the ciphertext in a base64-encoded response header.
set resp.http.X-Cipher-128 = blobcode.encode(BASE64, set resp.http.X-Cipher-128 = blob.encode(BASE64,
aes128.encrypt(blobcode.decode(encoded=resp.http.X-Msg-128), aes128.encrypt(blob.decode(encoded=resp.http.X-Msg-128),
ctr=blobcode.decode(BASE64, resp.http.X-Ctr))); ctr=blob.decode(BASE64, resp.http.X-Ctr)));
# Encrypt X-Msg-192 with AES-192 and init vector X-IV-192. # Encrypt X-Msg-192 with AES-192 and init vector X-IV-192.
set resp.http.X-Cipher-192 = blobcode.encode(BASE64, set resp.http.X-Cipher-192 = blob.encode(BASE64,
aes192.encrypt(blobcode.decode(encoded=resp.http.X-Msg-192), aes192.encrypt(blob.decode(encoded=resp.http.X-Msg-192),
iv=blobcode.decode(BASE64, resp.http.X-IV-192))); iv=blob.decode(BASE64, resp.http.X-IV-192)));
# Encrypt X-Msg-256 with AES-256 and init vector X-IV-256. # Encrypt X-Msg-256 with AES-256 and init vector X-IV-256.
set resp.http.X-Cipher-256 = blobcode.encode(BASE64, set resp.http.X-Cipher-256 = blob.encode(BASE64,
aes256.encrypt(blobcode.decode(encoded=resp.http.X-Msg-256), aes256.encrypt(blob.decode(encoded=resp.http.X-Msg-256),
iv=blobcode.decode(BASE64, resp.http.X-IV-256))); iv=blob.decode(BASE64, resp.http.X-IV-256)));
} }
.. _func_symmetric.decrypt: .. _xsymmetric.decrypt():
symmetric.decrypt BLOB xsymmetric.decrypt(BLOB ciphertext, [BLOB iv], [BLOB ctr])
----------------- ---------------------------------------------------------------
:: ::
BLOB symmetric.decrypt(BLOB ciphertext, BLOB iv=0, BLOB ctr=0) BLOB xsymmetric.decrypt(BLOB ciphertext, [BLOB iv], [BLOB ctr])
Decrypt the contents of ``ciphertext`` according to the parameters Decrypt the contents of ``ciphertext`` according to the parameters
specified for this ``symmetric`` object, and return the plaintext as specified for this ``symmetric`` object, and return the plaintext as
...@@ -491,29 +513,25 @@ Examples:: ...@@ -491,29 +513,25 @@ Examples::
sub vcl_recv { sub vcl_recv {
# Decrypt X-Msg-128 with AES-128 and the counter vector, and # Decrypt X-Msg-128 with AES-128 and the counter vector, and
# return the plaintext in a base64-encoded request header. # return the plaintext in a base64-encoded request header.
set req.http.X-Cipher-128 = blobcode.encode(BASE64, set req.http.X-Cipher-128 = blob.encode(BASE64,
aes128.decrypt(blobcode.decode(encoded=req.http.X-Msg-128), aes128.decrypt(blob.decode(encoded=req.http.X-Msg-128),
ctr=blobcode.decode(BASE64, req.http.X-Ctr))); ctr=blob.decode(BASE64, req.http.X-Ctr)));
# Decrypt X-Msg-192 with AES-192 and init vector X-IV-192. # Decrypt X-Msg-192 with AES-192 and init vector X-IV-192.
set req.http.X-Cipher-192 = blobcode.encode(BASE64, set req.http.X-Cipher-192 = blob.encode(BASE64,
aes192.decrypt(blobcode.decode(encoded=req.http.X-Msg-192), aes192.decrypt(blob.decode(encoded=req.http.X-Msg-192),
iv=blobcode.decode(BASE64, req.http.X-IV-192))); iv=blob.decode(BASE64, req.http.X-IV-192)));
# Decrypt X-Msg-256 with AES-256 and init vector X-IV-256. # Decrypt X-Msg-256 with AES-256 and init vector X-IV-256.
set req.http.X-Cipher-256 = blobcode.encode(BASE64, set req.http.X-Cipher-256 = blob.encode(BASE64,
aes256.decrypt(blobcode.decode(encoded=req.http.X-Msg-256), aes256.decrypt(blob.decode(encoded=req.http.X-Msg-256),
iv=blobcode.decode(BASE64, req.http.X-IV-256))); iv=blob.decode(BASE64, req.http.X-IV-256)));
} }
.. _func_fileread: .. _gcrypt.fileread():
fileread
--------
::
BLOB fileread(PRIV_TASK, STRING path) BLOB fileread(STRING path)
--------------------------
Return the contents of the file at ``path`` in a BLOB. This function Return the contents of the file at ``path`` in a BLOB. This function
is provided for the specific purpose of reading sensitive data that is provided for the specific purpose of reading sensitive data that
...@@ -599,14 +617,17 @@ Example:: ...@@ -599,14 +617,17 @@ Example::
key=gcrypt.fileread("/path/to/key")); key=gcrypt.fileread("/path/to/key"));
} }
.. _func_random: .. _gcrypt.random():
random BLOB random([ENUM quality], BYTES n)
------ ------------------------------------
:: ::
BLOB random(PRIV_TASK, ENUM {STRONG,VERY_STRONG,NONCE} quality=0, BYTES n=0) BLOB random(
[ENUM {STRONG, VERY_STRONG, NONCE} quality],
BYTES n=0
)
Return a BLOB containing ``n`` bytes of pseudo-random data. The Return a BLOB containing ``n`` bytes of pseudo-random data. The
cryptographic strength of random number generation is determined by cryptographic strength of random number generation is determined by
...@@ -680,27 +701,23 @@ Example:: ...@@ -680,27 +701,23 @@ Example::
# cipher in use -- 128 bits (16 bytes) for AES. For CBC, the IV # cipher in use -- 128 bits (16 bytes) for AES. For CBC, the IV
# MUST be unpredictable, so we use quality level STRONG. # MUST be unpredictable, so we use quality level STRONG.
set resp.http.X-Encrypted set resp.http.X-Encrypted
= blobcode.encode(BASE64, = blob.encode(BASE64,
aes192.encrypt(blobcode.decode(encoded=resp.http.X-Msg), aes192.encrypt(blob.decode(encoded=resp.http.X-Msg),
iv=gcrypt.random(STRONG, 16B))); iv=gcrypt.random(STRONG, 16B)));
# Now call random() with no arguments to retrive the IV that # Now call random() with no arguments to retrive the IV that
# was generated, to be sent in the base64-encoded response # was generated, to be sent in the base64-encoded response
# header X-IV. # header X-IV.
set resp.http.X-IV = blobcode.encode(BASE64, gcrypt.random()); set resp.http.X-IV = blob.encode(BASE64, gcrypt.random());
# Remove the plaintext from the response header. # Remove the plaintext from the response header.
unset resp.http.X-Msg; unset resp.http.X-Msg;
} }
.. _func_random_int: .. _gcrypt.random_int():
random_int
----------
::
INT random_int(ENUM {STRONG,NONCE} quality, INT bound=0) INT random_int(ENUM {STRONG, NONCE} quality, INT bound=0)
---------------------------------------------------------
Returns a random integer, using the random number generator with the Returns a random integer, using the random number generator with the
quality level specified by the ENUM ``quality``. These are the same quality level specified by the ENUM ``quality``. These are the same
...@@ -723,14 +740,10 @@ Example:: ...@@ -723,14 +740,10 @@ Example::
# Assign a random group number from 0 to 99 to a request. # Assign a random group number from 0 to 99 to a request.
set req.http.X-Group = gcrypt.random_int(NONCE, 100); set req.http.X-Group = gcrypt.random_int(NONCE, 100);
.. _func_random_real: .. _gcrypt.random_real():
random_real REAL random_real(ENUM {STRONG, NONCE})
----------- --------------------------------------
::
REAL random_real(ENUM {STRONG,NONCE})
Returns a random REAL that is greater than or equal to 0.0 and less Returns a random REAL that is greater than or equal to 0.0 and less
than 1.0, using the random number generator with the specified quality than 1.0, using the random number generator with the specified quality
...@@ -753,14 +766,10 @@ Example:: ...@@ -753,14 +766,10 @@ Example::
# Assign an unpredictable REAL from -1.0 to 1.0 to a request. # Assign an unpredictable REAL from -1.0 to 1.0 to a request.
set req.http.X-Real = gcrypt.random_real(STRONG) * 2 - 1; set req.http.X-Real = gcrypt.random_real(STRONG) * 2 - 1;
.. _func_random_bool: .. _gcrypt.random_bool():
random_bool BOOL random_bool(ENUM {STRONG, NONCE})
----------- --------------------------------------
::
BOOL random_bool(ENUM {STRONG,NONCE})
Returns a random boolean using the randomness generator with the Returns a random boolean using the randomness generator with the
specified quality level. The permitted levels are ``NONCE`` and specified quality level. The permitted levels are ``NONCE`` and
...@@ -783,14 +792,10 @@ Example:: ...@@ -783,14 +792,10 @@ Example::
call do_that; call do_that;
} }
.. _func_wipe: .. _gcrypt.wipe():
wipe
----
::
VOID wipe(BLOB) VOID wipe(BLOB)
---------------
Overwrites the memory region denoted by the BLOB, leaving it with all Overwrites the memory region denoted by the BLOB, leaving it with all
zeroes. zeroes.
...@@ -806,19 +811,15 @@ Example:: ...@@ -806,19 +811,15 @@ Example::
# secure memory, wipe the BLOB from which the key was read. This # secure memory, wipe the BLOB from which the key was read. This
# ensures that the key is only stored in secure memory. # ensures that the key is only stored in secure memory.
sub vcl_init { sub vcl_init {
new k = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f"); new k = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new aes = gcrypt.symmetric(AES, CTR, key=k.get(), secure=true); new aes = gcrypt.symmetric(AES, CTR, key=k.get(), secure=true);
gcrypt.wipe(key.get()); gcrypt.wipe(key.get());
} }
.. _func_version: .. _gcrypt.version():
version STRING version()
------- ----------------
::
STRING version()
Returns the version string for this VMOD. Returns the version string for this VMOD.
...@@ -826,14 +827,10 @@ Example:: ...@@ -826,14 +827,10 @@ Example::
std.log("Using VMOD gcrypt version " + gcrypt.version()); std.log("Using VMOD gcrypt version " + gcrypt.version());
.. _func_gcrypt_version: .. _gcrypt.gcrypt_version():
gcrypt_version
--------------
:: STRING gcrypt_version()
-----------------------
STRING gcrypt_version()
Returns the version string for the ``libgcrypt`` library with which Returns the version string for the ``libgcrypt`` library with which
the VMOD is linked. the VMOD is linked.
...@@ -945,7 +942,7 @@ enter into cryptographic operations -- keys, plaintexts, ciphertexts, ...@@ -945,7 +942,7 @@ enter into cryptographic operations -- keys, plaintexts, ciphertexts,
IVs and counters. But these are typically obtained from sources that IVs and counters. But these are typically obtained from sources that
are readable from other elements of Varnish. are readable from other elements of Varnish.
As can be seen in the examples above that use VMOD blobcode to create As can be seen in the examples above that use VMOD blob to create
key objects, the contents of a key are readable in the VCL source. If key objects, the contents of a key are readable in the VCL source. If
you are using the VMOD that way, consider storing VCL sources so that you are using the VMOD that way, consider storing VCL sources so that
they are only readable by the owner of the Varnish child process. they are only readable by the owner of the Varnish child process.
...@@ -1043,7 +1040,6 @@ SEE ALSO ...@@ -1043,7 +1040,6 @@ SEE ALSO
* pthread_key_create(3) * pthread_key_create(3)
* libgcrypt: https://gnupg.org/software/libgcrypt/index.html * libgcrypt: https://gnupg.org/software/libgcrypt/index.html
* source repository: https://code.uplex.de/uplex-varnish/libvmod-gcrypt * source repository: https://code.uplex.de/uplex-varnish/libvmod-gcrypt
* VMOD blobcode: https://code.uplex.de/uplex-varnish/libvmod-blobcode
* developer contact: <varnish-support@uplex.de>, and at the source * developer contact: <varnish-support@uplex.de>, and at the source
repository site repository site
...@@ -1057,4 +1053,3 @@ COPYRIGHT ...@@ -1057,4 +1053,3 @@ COPYRIGHT
Author: Geoffrey Simmons <geoffrey.simmons@uplex.de> Author: Geoffrey Simmons <geoffrey.simmons@uplex.de>
src/tests.disabled/padding_error.vtc 0 → 100644
View file @ 808a8eee
# looks like -*- vcl -*-
varnishtest "padding"
varnish v1 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
gcrypt.init(FINISH);
}
} -start
# Padding errors
#
# XXX these tests lead to "vmod blob error: cannot encode, out of space"
# even for workspace_client=512k
varnish v1 -vcl {
import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k1 = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new none = gcrypt.symmetric(AES, ECB, NONE, key=k1.get());
new pkcs7 = gcrypt.symmetric(AES, ECB, PKCS7, key=k1.get());
new iso7816 = gcrypt.symmetric(AES, ECB, ISO7816, key=k1.get());
new x923 = gcrypt.symmetric(AES, ECB, X923, key=k1.get());
new foo_pkcs7_1
= blob.blob(HEX, "666F6F0E0D0D0D0D0D0D0D0D0D0D0D0D");
new foo_pkcs7_2
= blob.blob(HEX, "666F6F0D0D0D0D0D0D0D0D0D0D0D0D11");
new foo_iso7816_1
= blob.blob(HEX, "666F6F80000000000001000000000000");
new foo_iso7816_2
= blob.blob(HEX, "666F6F00000000000000000000000000");
new foo_x923_1
= blob.blob(HEX, "666F6F0000000001000000000000000D");
new foo_x923_2
= blob.blob(HEX, "666F6F00000000000000000000000011");
new empty_pkcs7_1
= blob.blob(HEX, "0F101010101010101010101010101010");
new empty_pkcs7_2
= blob.blob(HEX, "10101010101010101010101010101011");
new empty_iso7816_1
= blob.blob(HEX, "00000000000000000000000000000000");
new empty_iso7816_2
= blob.blob(HEX, "80010000000000000000000000000000");
new empty_x923_1
= blob.blob(HEX, "01000000000000000000000000000010");
new empty_x923_2
= blob.blob(HEX, "00000000000000000000000000000011");
}
sub vcl_recv {
return(synth(200));
}
sub vcl_synth {
set resp.http.foo-pkcs7-cipher-1
= blob.encode(BASE64, DEFAULT, none.encrypt(foo_pkcs7_1.get()));
set resp.http.foo-pkcs7-plain-1
= blob.encode(blob=pkcs7.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-pkcs7-cipher-1)));
set resp.http.foo-pkcs7-cipher-2
= blob.encode(BASE64, DEFAULT, none.encrypt(foo_pkcs7_2.get()));
set resp.http.foo-pkcs7-plain-2
= blob.encode(blob=pkcs7.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-pkcs7-cipher-2)));
set resp.http.foo-iso7816-cipher-1
= blob.encode(BASE64, DEFAULT, none.encrypt(foo_iso7816_1.get()));
set resp.http.foo-iso7816-plain-1
= blob.encode(blob=iso7816.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-iso7816-cipher-1)));
set resp.http.foo-iso7816-cipher-2
= blob.encode(BASE64, DEFAULT, none.encrypt(foo_iso7816_2.get()));
set resp.http.foo-iso7816-plain-2
= blob.encode(blob=iso7816.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-iso7816-cipher-2)));
set resp.http.foo-x923-cipher-1
= blob.encode(BASE64, DEFAULT, none.encrypt(foo_x923_1.get()));
set resp.http.foo-x923-plain-1
= blob.encode(blob=x923.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-x923-cipher-1)));
set resp.http.foo-x923-cipher-2
= blob.encode(BASE64, DEFAULT, none.encrypt(foo_x923_1.get()));
set resp.http.foo-x923-plain-2
= blob.encode(blob=x923.decrypt(
blob.decode(BASE64, encoded=resp.http.foo-x923-cipher-2)));
set resp.http.empty-pkcs7-cipher-1
= blob.encode(BASE64, DEFAULT, none.encrypt(empty_pkcs7_1.get()));
set resp.http.empty-pkcs7-plain-1
= blob.encode(blob=pkcs7.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-pkcs7-cipher-1)));
set resp.http.empty-pkcs7-cipher-2
= blob.encode(BASE64, DEFAULT, none.encrypt(empty_pkcs7_2.get()));
set resp.http.empty-pkcs7-plain-2
= blob.encode(blob=pkcs7.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-pkcs7-cipher-2)));
set resp.http.empty-iso7816-cipher-1
= blob.encode(BASE64, DEFAULT, none.encrypt(empty_iso7816_1.get()));
set resp.http.empty-iso7816-plain-1
= blob.encode(blob=iso7816.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-iso7816-cipher-1)));
set resp.http.empty-iso7816-cipher-2
= blob.encode(BASE64, DEFAULT, none.encrypt(empty_iso7816_2.get()));
set resp.http.empty-iso7816-plain-2
= blob.encode(blob=iso7816.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-iso7816-cipher-2)));
set resp.http.empty-x923-cipher-1
= blob.encode(BASE64, DEFAULT, none.encrypt(empty_x923_1.get()));
set resp.http.empty-x923-plain-1
= blob.encode(blob=x923.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-x923-cipher-1)));
set resp.http.empty-x923-cipher-2
= blob.encode(BASE64, DEFAULT, none.encrypt(empty_x923_1.get()));
set resp.http.empty-x923-plain-2
= blob.encode(blob=x923.decrypt(
blob.decode(BASE64, encoded=resp.http.empty-x923-cipher-2)));
return(deliver);
}
}
client c1 {
txreq
rxresp
expect resp.status == 200
expect resp.http.foo-pkcs7-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-pkcs7-plain-1 == ""
expect resp.http.foo-pkcs7-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-pkcs7-plain-2 == ""
expect resp.http.foo-iso7816-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-iso7816-plain-1 == ""
expect resp.http.foo-iso7816-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-iso7816-plain-2 == ""
expect resp.http.foo-x923-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-x923-plain-1 == ""
expect resp.http.foo-x923-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-x923-plain-2 == ""
expect resp.http.empty-pkcs7-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-pkcs7-plain-1 == ""
expect resp.http.empty-pkcs7-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-pkcs7-plain-2 == ""
expect resp.http.empty-iso7816-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-iso7816-plain-1 == ""
expect resp.http.empty-iso7816-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-iso7816-plain-2 == ""
expect resp.http.empty-x923-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-x923-plain-1 == ""
expect resp.http.empty-x923-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-x923-plain-2 == ""
} -run
logexpect l1 -v v1 -d 1 -q "VCL_Error" {
expect 0 * Begin req
expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
expect * = End
} -run
src/tests.disabled/random_bool.vtc
View file @ 808a8eee
...@@ -10,7 +10,7 @@ varnishtest "random_bool()" ...@@ -10,7 +10,7 @@ varnishtest "random_bool()"
# several threads. # several threads.
varnish v1 -vcl { varnish v1 -vcl {
import blobcode; import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
......
src/tests.disabled/very_strong_random.vtc
View file @ 808a8eee
...@@ -10,7 +10,7 @@ varnishtest "random() at quality level VERY_STRONG" ...@@ -10,7 +10,7 @@ varnishtest "random() at quality level VERY_STRONG"
# varnishtest -t 300 # varnishtest -t 300
varnish v1 -vcl { varnish v1 -vcl {
import blobcode; import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
...@@ -20,9 +20,9 @@ varnish v1 -vcl { ...@@ -20,9 +20,9 @@ varnish v1 -vcl {
sub vcl_synth { sub vcl_synth {
set resp.http.very_strong set resp.http.very_strong
= blobcode.encode(HEXUC, gcrypt.random(VERY_STRONG, 16B)); = blob.encode(HEX, UPPER, gcrypt.random(VERY_STRONG, 16B));
set resp.http.very_strong_task set resp.http.very_strong_task
= blobcode.encode(HEXUC, gcrypt.random()); = blob.encode(HEX, UPPER, gcrypt.random());
return(deliver); return(deliver);
} }
} -start } -start
......
src/tests/aes.vtc
View file @ 808a8eee
...@@ -13,15 +13,15 @@ varnish v1 -vcl { ...@@ -13,15 +13,15 @@ varnish v1 -vcl {
# from selftest() in libgcrypt cipher/rijndael.c # from selftest() in libgcrypt cipher/rijndael.c
varnish v1 -vcl { varnish v1 -vcl {
import blobcode; import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
new k1 = blobcode.blob(HEX, "E8E9EAEBEDEEEFF0F2F3F4F5F7F8F9FA"); new k1 = blob.blob(HEX, "E8E9EAEBEDEEEFF0F2F3F4F5F7F8F9FA");
new aes = gcrypt.symmetric(AES, ECB, NONE, key=k1.get()); new aes = gcrypt.symmetric(AES, ECB, NONE, key=k1.get());
new p1 = blobcode.blob(HEX, "014BAF2278A69D331D5180103643E99A"); new p1 = blob.blob(HEX, "014BAF2278A69D331D5180103643E99A");
new c1 = blobcode.blob(HEX, "6743C3D1519AB4F2CD9A78AB09A511BD"); new c1 = blob.blob(HEX, "6743C3D1519AB4F2CD9A78AB09A511BD");
# The next 3 cipher ENUMs are just aliases for AES. # The next 3 cipher ENUMs are just aliases for AES.
new aes128 = gcrypt.symmetric(AES128, ECB, NONE, key=k1.get()); new aes128 = gcrypt.symmetric(AES128, ECB, NONE, key=k1.get());
new rijndael new rijndael
...@@ -36,21 +36,21 @@ varnish v1 -vcl { ...@@ -36,21 +36,21 @@ varnish v1 -vcl {
sub vcl_synth { sub vcl_synth {
set resp.http.aes-ciphertext set resp.http.aes-ciphertext
= blobcode.encode(HEXUC, aes.encrypt(p1.get())); = blob.encode(HEX, UPPER, aes.encrypt(p1.get()));
set resp.http.aes-plaintext set resp.http.aes-plaintext
= blobcode.encode(HEXUC, aes.decrypt(c1.get())); = blob.encode(HEX, UPPER, aes.decrypt(c1.get()));
set resp.http.aes128-ciphertext set resp.http.aes128-ciphertext
= blobcode.encode(HEXUC, aes128.encrypt(p1.get())); = blob.encode(HEX, UPPER, aes128.encrypt(p1.get()));
set resp.http.aes128-plaintext set resp.http.aes128-plaintext
= blobcode.encode(HEXUC, aes128.decrypt(c1.get())); = blob.encode(HEX, UPPER, aes128.decrypt(c1.get()));
set resp.http.rijndael-ciphertext set resp.http.rijndael-ciphertext
= blobcode.encode(HEXUC, rijndael.encrypt(p1.get())); = blob.encode(HEX, UPPER, rijndael.encrypt(p1.get()));
set resp.http.rijndael-plaintext set resp.http.rijndael-plaintext
= blobcode.encode(HEXUC, rijndael.decrypt(c1.get())); = blob.encode(HEX, UPPER, rijndael.decrypt(c1.get()));
set resp.http.rijndael128-ciphertext set resp.http.rijndael128-ciphertext
= blobcode.encode(HEXUC, rijndael128.encrypt(p1.get())); = blob.encode(HEX, UPPER, rijndael128.encrypt(p1.get()));
set resp.http.rijndael128-plaintext set resp.http.rijndael128-plaintext
= blobcode.encode(HEXUC, rijndael128.decrypt(c1.get())); = blob.encode(HEX, UPPER, rijndael128.decrypt(c1.get()));
return(deliver); return(deliver);
} }
} }
...@@ -70,22 +70,22 @@ client c1 { ...@@ -70,22 +70,22 @@ client c1 {
} -run } -run
varnish v1 -vcl { varnish v1 -vcl {
import blobcode; import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
new k1 = blobcode.blob(HEX, new k1 = blob.blob(HEX,
"04050607090A0B0C0E0F10111314151618191A1B1D1E1F20"); "04050607090A0B0C0E0F10111314151618191A1B1D1E1F20");
new aes192 = gcrypt.symmetric(AES192, ECB, NONE, key=k1.get()); new aes192 = gcrypt.symmetric(AES192, ECB, NONE, key=k1.get());
new p1 = blobcode.blob(HEX, "76777475F1F2F3F4F8F9E6E777707172"); new p1 = blob.blob(HEX, "76777475F1F2F3F4F8F9E6E777707172");
new c1 = blobcode.blob(HEX, "5D1EF20DCED6BCBC12131AC7C54788AA"); new c1 = blob.blob(HEX, "5D1EF20DCED6BCBC12131AC7C54788AA");
new k2 = blobcode.blob(HEX, new k2 = blob.blob(HEX,
"08090A0B0D0E0F10121314151718191A1C1D1E1F21222324262728292B2C2D2E"); "08090A0B0D0E0F10121314151718191A1C1D1E1F21222324262728292B2C2D2E");
new aes256 = gcrypt.symmetric(AES256, ECB, NONE, key=k2.get()); new aes256 = gcrypt.symmetric(AES256, ECB, NONE, key=k2.get());
new p2 = blobcode.blob(HEX, "069A007FC76A459F98BAF917FEDF9521"); new p2 = blob.blob(HEX, "069A007FC76A459F98BAF917FEDF9521");
new c2 = blobcode.blob(HEX, "080E9517EB1677719ACF728086040AE3"); new c2 = blob.blob(HEX, "080E9517EB1677719ACF728086040AE3");
# RIJNDAEL192 and -256 are aliases for AES192 and -256. # RIJNDAEL192 and -256 are aliases for AES192 and -256.
new rijndael192 new rijndael192
...@@ -100,21 +100,21 @@ varnish v1 -vcl { ...@@ -100,21 +100,21 @@ varnish v1 -vcl {
sub vcl_synth { sub vcl_synth {
set resp.http.aes192-ciphertext set resp.http.aes192-ciphertext
= blobcode.encode(HEXUC, aes192.encrypt(p1.get())); = blob.encode(HEX, UPPER, aes192.encrypt(p1.get()));
set resp.http.aes192-plaintext set resp.http.aes192-plaintext
= blobcode.encode(HEXUC, aes192.decrypt(c1.get())); = blob.encode(HEX, UPPER, aes192.decrypt(c1.get()));
set resp.http.rijndael192-ciphertext set resp.http.rijndael192-ciphertext
= blobcode.encode(HEXUC, rijndael192.encrypt(p1.get())); = blob.encode(HEX, UPPER, rijndael192.encrypt(p1.get()));
set resp.http.rijndael192-plaintext set resp.http.rijndael192-plaintext
= blobcode.encode(HEXUC, rijndael192.decrypt(c1.get())); = blob.encode(HEX, UPPER, rijndael192.decrypt(c1.get()));
set resp.http.aes256-ciphertext set resp.http.aes256-ciphertext
= blobcode.encode(HEXUC, aes256.encrypt(p2.get())); = blob.encode(HEX, UPPER, aes256.encrypt(p2.get()));
set resp.http.aes256-plaintext set resp.http.aes256-plaintext
= blobcode.encode(HEXUC, aes256.decrypt(c2.get())); = blob.encode(HEX, UPPER, aes256.decrypt(c2.get()));
set resp.http.rijndael256-ciphertext set resp.http.rijndael256-ciphertext
= blobcode.encode(HEXUC, rijndael256.encrypt(p2.get())); = blob.encode(HEX, UPPER, rijndael256.encrypt(p2.get()));
set resp.http.rijndael256-plaintext set resp.http.rijndael256-plaintext
= blobcode.encode(HEXUC, rijndael256.decrypt(c2.get())); = blob.encode(HEX, UPPER, rijndael256.decrypt(c2.get()));
return(deliver); return(deliver);
} }
} }
...@@ -135,50 +135,50 @@ client c1 { ...@@ -135,50 +135,50 @@ client c1 {
# from seltest_fips_128_38a() in libgcrypt cipher/rijndael.c # from seltest_fips_128_38a() in libgcrypt cipher/rijndael.c
varnish v1 -vcl { varnish v1 -vcl {
import blobcode; import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
new k = blobcode.blob(HEX, "2b7e151628aed2a6abf7158809cf4f3c"); new k = blob.blob(HEX, "2b7e151628aed2a6abf7158809cf4f3c");
new iv = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f"); new iv = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new p1 = blobcode.blob(HEX, "6bc1bee22e409f96e93d7e117393172a"); new p1 = blob.blob(HEX, "6bc1bee22e409f96e93d7e117393172a");
new p2 = blobcode.blob(HEX, "ae2d8a571e03ac9c9eb76fac45af8e51"); new p2 = blob.blob(HEX, "ae2d8a571e03ac9c9eb76fac45af8e51");
new p3 = blobcode.blob(HEX, "30c81c46a35ce411e5fbc1191a0a52ef"); new p3 = blob.blob(HEX, "30c81c46a35ce411e5fbc1191a0a52ef");
new p4 = blobcode.blob(HEX, "f69f2445df4f9b17ad2b417be66c3710"); new p4 = blob.blob(HEX, "f69f2445df4f9b17ad2b417be66c3710");
new p = blobcode.blob(HEX, new p = blob.blob(HEX,
"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710"); "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710");
new c1 = blobcode.blob(HEX, "3b3fd92eb72dad20333449f8e83cfb4a"); new c1 = blob.blob(HEX, "3b3fd92eb72dad20333449f8e83cfb4a");
new aes_cfb = gcrypt.symmetric(AES, CFB, key=k.get()); new aes_cfb = gcrypt.symmetric(AES, CFB, key=k.get());
new c_cfb2 new c_cfb2
= blobcode.blob(HEX, "c8a64537a0b3a93fcde3cdad9f1ce58b"); = blob.blob(HEX, "c8a64537a0b3a93fcde3cdad9f1ce58b");
new c_cfb3 new c_cfb3
= blobcode.blob(HEX, "26751f67a3cbb140b1808cf187a4f4df"); = blob.blob(HEX, "26751f67a3cbb140b1808cf187a4f4df");
new c_cfb4 new c_cfb4
= blobcode.blob(HEX, "c04b05357c5d1c0eeac4c66f9ff7f2e6"); = blob.blob(HEX, "c04b05357c5d1c0eeac4c66f9ff7f2e6");
new c_cfb new c_cfb
= blobcode.blob(HEX, = blob.blob(HEX,
"3b3fd92eb72dad20333449f8e83cfb4ac8a64537a0b3a93fcde3cdad9f1ce58b26751f67a3cbb140b1808cf187a4f4dfc04b05357c5d1c0eeac4c66f9ff7f2e6"); "3b3fd92eb72dad20333449f8e83cfb4ac8a64537a0b3a93fcde3cdad9f1ce58b26751f67a3cbb140b1808cf187a4f4dfc04b05357c5d1c0eeac4c66f9ff7f2e6");
new aes_ofb = gcrypt.symmetric(AES, OFB, key=k.get()); new aes_ofb = gcrypt.symmetric(AES, OFB, key=k.get());
new c_ofb2 new c_ofb2
= blobcode.blob(HEX, "7789508d16918f03f53c52dac54ed825"); = blob.blob(HEX, "7789508d16918f03f53c52dac54ed825");
new c_ofb3 new c_ofb3
= blobcode.blob(HEX, "9740051e9c5fecf64344f7a82260edcc"); = blob.blob(HEX, "9740051e9c5fecf64344f7a82260edcc");
new c_ofb4 new c_ofb4
= blobcode.blob(HEX, "304c6528f659c77866a510d9c1d6ae5e"); = blob.blob(HEX, "304c6528f659c77866a510d9c1d6ae5e");
new c_ofb new c_ofb
= blobcode.blob(HEX, = blob.blob(HEX,
"3b3fd92eb72dad20333449f8e83cfb4a7789508d16918f03f53c52dac54ed8259740051e9c5fecf64344f7a82260edcc304c6528f659c77866a510d9c1d6ae5e"); "3b3fd92eb72dad20333449f8e83cfb4a7789508d16918f03f53c52dac54ed8259740051e9c5fecf64344f7a82260edcc304c6528f659c77866a510d9c1d6ae5e");
new out1 new out1
= blobcode.blob(HEX, "50fe67cc996d32b6da0937e99bafec60"); = blob.blob(HEX, "50fe67cc996d32b6da0937e99bafec60");
new out2 new out2
= blobcode.blob(HEX, "d9a4dada0892239f6b8b3d7680e15674"); = blob.blob(HEX, "d9a4dada0892239f6b8b3d7680e15674");
new out3 new out3
= blobcode.blob(HEX, "a78819583f0308e7a6bf36b1386abf23"); = blob.blob(HEX, "a78819583f0308e7a6bf36b1386abf23");
} }
sub vcl_recv { sub vcl_recv {
...@@ -187,65 +187,65 @@ varnish v1 -vcl { ...@@ -187,65 +187,65 @@ varnish v1 -vcl {
sub vcl_synth { sub vcl_synth {
set resp.http.cfb-ciphertext-1 set resp.http.cfb-ciphertext-1
= blobcode.encode(HEXLC, aes_cfb.encrypt(p1.get(), = blob.encode(HEX, LOWER, aes_cfb.encrypt(p1.get(),
iv=iv.get())); iv=iv.get()));
set resp.http.cfb-plaintext-1 set resp.http.cfb-plaintext-1
= blobcode.encode(HEXLC, aes_cfb.decrypt(c1.get(), = blob.encode(HEX, LOWER, aes_cfb.decrypt(c1.get(),
iv=iv.get())); iv=iv.get()));
set resp.http.cfb-ciphertext-2 set resp.http.cfb-ciphertext-2
= blobcode.encode(HEXLC, aes_cfb.encrypt(p2.get(), = blob.encode(HEX, LOWER, aes_cfb.encrypt(p2.get(),
iv=c1.get())); iv=c1.get()));
set resp.http.cfb-plaintext-2 set resp.http.cfb-plaintext-2
= blobcode.encode(HEXLC, aes_cfb.decrypt(c_cfb2.get(), = blob.encode(HEX, LOWER, aes_cfb.decrypt(c_cfb2.get(),
iv=c1.get())); iv=c1.get()));
set resp.http.cfb-ciphertext-3 set resp.http.cfb-ciphertext-3
= blobcode.encode(HEXLC, aes_cfb.encrypt(p3.get(), = blob.encode(HEX, LOWER, aes_cfb.encrypt(p3.get(),
iv=c_cfb2.get())); iv=c_cfb2.get()));
set resp.http.cfb-plaintext-3 set resp.http.cfb-plaintext-3
= blobcode.encode(HEXLC, aes_cfb.decrypt(c_cfb3.get(), = blob.encode(HEX, LOWER, aes_cfb.decrypt(c_cfb3.get(),
iv=c_cfb2.get())); iv=c_cfb2.get()));
set resp.http.cfb-ciphertext-4 set resp.http.cfb-ciphertext-4
= blobcode.encode(HEXLC, aes_cfb.encrypt(p4.get(), = blob.encode(HEX, LOWER, aes_cfb.encrypt(p4.get(),
iv=c_cfb3.get())); iv=c_cfb3.get()));
set resp.http.cfb-plaintext-4 set resp.http.cfb-plaintext-4
= blobcode.encode(HEXLC, aes_cfb.decrypt(c_cfb4.get(), = blob.encode(HEX, LOWER, aes_cfb.decrypt(c_cfb4.get(),
iv=c_cfb3.get())); iv=c_cfb3.get()));
set resp.http.cfb-ciphertext set resp.http.cfb-ciphertext
= blobcode.encode(HEXLC, aes_cfb.encrypt(p.get(), = blob.encode(HEX, LOWER, aes_cfb.encrypt(p.get(),
iv=iv.get())); iv=iv.get()));
set resp.http.cfb-plaintext set resp.http.cfb-plaintext
= blobcode.encode(HEXLC, aes_cfb.decrypt(c_cfb.get(), = blob.encode(HEX, LOWER, aes_cfb.decrypt(c_cfb.get(),
iv=iv.get())); iv=iv.get()));
set resp.http.ofb-ciphertext-1 set resp.http.ofb-ciphertext-1
= blobcode.encode(HEXLC, aes_ofb.encrypt(p1.get(), = blob.encode(HEX, LOWER, aes_ofb.encrypt(p1.get(),
iv=iv.get())); iv=iv.get()));
set resp.http.ofb-plaintext-1 set resp.http.ofb-plaintext-1
= blobcode.encode(HEXLC, aes_ofb.decrypt(c1.get(), = blob.encode(HEX, LOWER, aes_ofb.decrypt(c1.get(),
iv=iv.get())); iv=iv.get()));
set resp.http.ofb-ciphertext-2 set resp.http.ofb-ciphertext-2
= blobcode.encode(HEXLC, aes_ofb.encrypt(p2.get(), = blob.encode(HEX, LOWER, aes_ofb.encrypt(p2.get(),
iv=out1.get())); iv=out1.get()));
set resp.http.ofb-plaintext-2 set resp.http.ofb-plaintext-2
= blobcode.encode(HEXLC, aes_ofb.decrypt(c_ofb2.get(), = blob.encode(HEX, LOWER, aes_ofb.decrypt(c_ofb2.get(),
iv=out1.get())); iv=out1.get()));
set resp.http.ofb-ciphertext-3 set resp.http.ofb-ciphertext-3
= blobcode.encode(HEXLC, aes_ofb.encrypt(p3.get(), = blob.encode(HEX, LOWER, aes_ofb.encrypt(p3.get(),
iv=out2.get())); iv=out2.get()));
set resp.http.ofb-plaintext-3 set resp.http.ofb-plaintext-3
= blobcode.encode(HEXLC, aes_ofb.decrypt(c_ofb3.get(), = blob.encode(HEX, LOWER, aes_ofb.decrypt(c_ofb3.get(),
iv=out2.get())); iv=out2.get()));
set resp.http.ofb-ciphertext-4 set resp.http.ofb-ciphertext-4
= blobcode.encode(HEXLC, aes_ofb.encrypt(p4.get(), = blob.encode(HEX, LOWER, aes_ofb.encrypt(p4.get(),
iv=out3.get())); iv=out3.get()));
set resp.http.ofb-plaintext-4 set resp.http.ofb-plaintext-4
= blobcode.encode(HEXLC, aes_ofb.decrypt(c_ofb4.get(), = blob.encode(HEX, LOWER, aes_ofb.decrypt(c_ofb4.get(),
iv=out3.get())); iv=out3.get()));
set resp.http.ofb-ciphertext set resp.http.ofb-ciphertext
= blobcode.encode(HEXLC, aes_ofb.encrypt(p.get(), = blob.encode(HEX, LOWER, aes_ofb.encrypt(p.get(),
iv=iv.get())); iv=iv.get()));
set resp.http.ofb-plaintext set resp.http.ofb-plaintext
= blobcode.encode(HEXLC, aes_ofb.decrypt(c_ofb.get(), = blob.encode(HEX, LOWER, aes_ofb.decrypt(c_ofb.get(),
iv=iv.get())); iv=iv.get()));
return(deliver); return(deliver);
} }
...@@ -284,13 +284,13 @@ client c1 { ...@@ -284,13 +284,13 @@ client c1 {
# from check_aes128_cbc_cts_cipher() in libgcrypt tests/basic.c # from check_aes128_cbc_cts_cipher() in libgcrypt tests/basic.c
varnish v1 -vcl { varnish v1 -vcl {
import blobcode; import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
new k = blobcode.blob(encoded="chicken teriyaki"); new k = blob.blob(encoded="chicken teriyaki");
new iv = blobcode.blob(encoded=""); new iv = blob.blob(encoded="");
new aes = gcrypt.symmetric(AES, CBC, key=k.get(), cbc_cts=true); new aes = gcrypt.symmetric(AES, CBC, key=k.get(), cbc_cts=true);
} }
...@@ -302,68 +302,68 @@ varnish v1 -vcl { ...@@ -302,68 +302,68 @@ varnish v1 -vcl {
set resp.http.plaintext = set resp.http.plaintext =
"I would like the General Gau's Chicken, please, and wonton soup."; "I would like the General Gau's Chicken, please, and wonton soup.";
set resp.http.ciphertext17 set resp.http.ciphertext17
= blobcode.encode(HEXLC, = blob.encode(HEX, LOWER,
aes.encrypt(blobcode.decode_n(17, aes.encrypt(blob.decode(length=17,
encoded=resp.http.plaintext), encoded=resp.http.plaintext),
iv=iv.get())); iv=iv.get()));
set resp.http.ciphertext31 set resp.http.ciphertext31
= blobcode.encode(HEXLC, = blob.encode(HEX, LOWER,
aes.encrypt(blobcode.decode_n(31, aes.encrypt(blob.decode(length=31,
encoded=resp.http.plaintext), encoded=resp.http.plaintext),
iv=iv.get())); iv=iv.get()));
set resp.http.ciphertext32 set resp.http.ciphertext32
= blobcode.encode(HEXLC, = blob.encode(HEX, LOWER,
aes.encrypt(blobcode.decode_n(32, aes.encrypt(blob.decode(length=32,
encoded=resp.http.plaintext), encoded=resp.http.plaintext),
iv=iv.get())); iv=iv.get()));
set resp.http.ciphertext47 set resp.http.ciphertext47
= blobcode.encode(HEXLC, = blob.encode(HEX, LOWER,
aes.encrypt(blobcode.decode_n(47, aes.encrypt(blob.decode(length=47,
encoded=resp.http.plaintext), encoded=resp.http.plaintext),
iv=iv.get())); iv=iv.get()));
set resp.http.ciphertext48 set resp.http.ciphertext48
= blobcode.encode(HEXLC, = blob.encode(HEX, LOWER,
aes.encrypt(blobcode.decode_n(48, aes.encrypt(blob.decode(length=48,
encoded=resp.http.plaintext), encoded=resp.http.plaintext),
iv=iv.get())); iv=iv.get()));
set resp.http.ciphertext64 set resp.http.ciphertext64
= blobcode.encode(HEXLC, = blob.encode(HEX, LOWER,
aes.encrypt(blobcode.decode_n(64, aes.encrypt(blob.decode(length=64,
encoded=resp.http.plaintext), encoded=resp.http.plaintext),
iv=iv.get())); iv=iv.get()));
set resp.http.ciphertext set resp.http.ciphertext
= blobcode.encode(HEXLC, = blob.encode(HEX, LOWER,
aes.encrypt(blobcode.decode( aes.encrypt(blob.decode(
encoded=resp.http.plaintext), encoded=resp.http.plaintext),
iv=iv.get())); iv=iv.get()));
set resp.http.plaintext17 set resp.http.plaintext17
= blobcode.encode(blob=aes.decrypt(blobcode.decode(HEX, = blob.encode(blob=aes.decrypt(blob.decode(HEX,
resp.http.ciphertext17), encoded=resp.http.ciphertext17),
iv=iv.get())); iv=iv.get()));
set resp.http.plaintext31 set resp.http.plaintext31
= blobcode.encode(blob=aes.decrypt(blobcode.decode(HEX, = blob.encode(blob=aes.decrypt(blob.decode(HEX,
resp.http.ciphertext31), encoded=resp.http.ciphertext31),
iv=iv.get())); iv=iv.get()));
set resp.http.plaintext32 set resp.http.plaintext32
= blobcode.encode(blob=aes.decrypt(blobcode.decode(HEX, = blob.encode(blob=aes.decrypt(blob.decode(HEX,
resp.http.ciphertext32), encoded=resp.http.ciphertext32),
iv=iv.get())); iv=iv.get()));
set resp.http.plaintext47 set resp.http.plaintext47
= blobcode.encode(blob=aes.decrypt(blobcode.decode(HEX, = blob.encode(blob=aes.decrypt(blob.decode(HEX,
resp.http.ciphertext47), encoded=resp.http.ciphertext47),
iv=iv.get())); iv=iv.get()));
set resp.http.plaintext48 set resp.http.plaintext48
= blobcode.encode(blob=aes.decrypt(blobcode.decode(HEX, = blob.encode(blob=aes.decrypt(blob.decode(HEX,
resp.http.ciphertext48), encoded=resp.http.ciphertext48),
iv=iv.get())); iv=iv.get()));
set resp.http.plaintext64 set resp.http.plaintext64
= blobcode.encode(blob=aes.decrypt(blobcode.decode(HEX, = blob.encode(blob=aes.decrypt(blob.decode(HEX,
resp.http.ciphertext64), encoded=resp.http.ciphertext64),
iv=iv.get())); iv=iv.get()));
set resp.http.plaintext set resp.http.plaintext
= blobcode.encode(blob=aes.decrypt(blobcode.decode(HEX, = blob.encode(blob=aes.decrypt(blob.decode(HEX,
resp.http.ciphertext), encoded=resp.http.ciphertext),
iv=iv.get())); iv=iv.get()));
return(deliver); return(deliver);
...@@ -392,67 +392,67 @@ client c1 { ...@@ -392,67 +392,67 @@ client c1 {
# from check_ctr_cipher() in libgcrypt tests/basic.c # from check_ctr_cipher() in libgcrypt tests/basic.c
varnish v1 -vcl { varnish v1 -vcl {
import blobcode; import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
new ctr1 = blobcode.blob(HEX, new ctr1 = blob.blob(HEX,
"f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"); "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff");
new ctr2 = blobcode.blob(HEX, new ctr2 = blob.blob(HEX,
"f0f1f2f3f4f5f6f7f8f9fafbfcfdff00"); "f0f1f2f3f4f5f6f7f8f9fafbfcfdff00");
new ctr3 = blobcode.blob(HEX, new ctr3 = blob.blob(HEX,
"f0f1f2f3f4f5f6f7f8f9fafbfcfdff01"); "f0f1f2f3f4f5f6f7f8f9fafbfcfdff01");
new ctr4 = blobcode.blob(HEX, new ctr4 = blob.blob(HEX,
"f0f1f2f3f4f5f6f7f8f9fafbfcfdff02"); "f0f1f2f3f4f5f6f7f8f9fafbfcfdff02");
new p1 = blobcode.blob(HEX, "6bc1bee22e409f96e93d7e117393172a"); new p1 = blob.blob(HEX, "6bc1bee22e409f96e93d7e117393172a");
new p2 = blobcode.blob(HEX, "ae2d8a571e03ac9c9eb76fac45af8e51"); new p2 = blob.blob(HEX, "ae2d8a571e03ac9c9eb76fac45af8e51");
new p3 = blobcode.blob(HEX, "30c81c46a35ce411e5fbc1191a0a52ef"); new p3 = blob.blob(HEX, "30c81c46a35ce411e5fbc1191a0a52ef");
new p4 = blobcode.blob(HEX, "f69f2445df4f9b17ad2b417be66c3710"); new p4 = blob.blob(HEX, "f69f2445df4f9b17ad2b417be66c3710");
new p = blobcode.blob(HEX, new p = blob.blob(HEX,
"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710"); "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710");
new k128 = blobcode.blob(HEX, new k128 = blob.blob(HEX,
"2b7e151628aed2a6abf7158809cf4f3c"); "2b7e151628aed2a6abf7158809cf4f3c");
new aes128 = gcrypt.symmetric(AES, CTR, key=k128.get()); new aes128 = gcrypt.symmetric(AES, CTR, key=k128.get());
new c128_1 = blobcode.blob(HEX, new c128_1 = blob.blob(HEX,
"874d6191b620e3261bef6864990db6ce"); "874d6191b620e3261bef6864990db6ce");
new c128_2 = blobcode.blob(HEX, new c128_2 = blob.blob(HEX,
"9806f66b7970fdff8617187bb9fffdff"); "9806f66b7970fdff8617187bb9fffdff");
new c128_3 = blobcode.blob(HEX, new c128_3 = blob.blob(HEX,
"5ae4df3edbd5d35e5b4f09020db03eab"); "5ae4df3edbd5d35e5b4f09020db03eab");
new c128_4 = blobcode.blob(HEX, new c128_4 = blob.blob(HEX,
"1e031dda2fbe03d1792170a0f3009cee"); "1e031dda2fbe03d1792170a0f3009cee");
new c128 = blobcode.blob(HEX, new c128 = blob.blob(HEX,
"874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee"); "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee");
new k192 = blobcode.blob(HEX, new k192 = blob.blob(HEX,
"8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b"); "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b");
new aes192 = gcrypt.symmetric(AES192, CTR, key=k192.get()); new aes192 = gcrypt.symmetric(AES192, CTR, key=k192.get());
new c192_1 = blobcode.blob(HEX, new c192_1 = blob.blob(HEX,
"1abc932417521ca24f2b0459fe7e6e0b"); "1abc932417521ca24f2b0459fe7e6e0b");
new c192_2 = blobcode.blob(HEX, new c192_2 = blob.blob(HEX,
"090339ec0aa6faefd5ccc2c6f4ce8e94"); "090339ec0aa6faefd5ccc2c6f4ce8e94");
new c192_3 = blobcode.blob(HEX, new c192_3 = blob.blob(HEX,
"1e36b26bd1ebc670d1bd1d665620abf7"); "1e36b26bd1ebc670d1bd1d665620abf7");
new c192_4 = blobcode.blob(HEX, new c192_4 = blob.blob(HEX,
"4f78a7f6d29809585a97daec58c6b050"); "4f78a7f6d29809585a97daec58c6b050");
new c192 = blobcode.blob(HEX, new c192 = blob.blob(HEX,
"1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e941e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050"); "1abc932417521ca24f2b0459fe7e6e0b090339ec0aa6faefd5ccc2c6f4ce8e941e36b26bd1ebc670d1bd1d665620abf74f78a7f6d29809585a97daec58c6b050");
new k256 = blobcode.blob(HEX, new k256 = blob.blob(HEX,
"603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"); "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4");
new aes256 = gcrypt.symmetric(AES256, CTR, key=k256.get()); new aes256 = gcrypt.symmetric(AES256, CTR, key=k256.get());
new c256_1 = blobcode.blob(HEX, new c256_1 = blob.blob(HEX,
"601ec313775789a5b7a7f504bbf3d228"); "601ec313775789a5b7a7f504bbf3d228");
new c256_2 = blobcode.blob(HEX, new c256_2 = blob.blob(HEX,
"f443e3ca4d62b59aca84e990cacaf5c5"); "f443e3ca4d62b59aca84e990cacaf5c5");
new c256_3 = blobcode.blob(HEX, new c256_3 = blob.blob(HEX,
"2b0930daa23de94ce87017ba2d84988d"); "2b0930daa23de94ce87017ba2d84988d");
new c256_4 = blobcode.blob(HEX, new c256_4 = blob.blob(HEX,
"dfc9c58db67aada613c2dd08457941a6"); "dfc9c58db67aada613c2dd08457941a6");
new c256 = blobcode.blob(HEX, new c256 = blob.blob(HEX,
"601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c52b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6"); "601ec313775789a5b7a7f504bbf3d228f443e3ca4d62b59aca84e990cacaf5c52b0930daa23de94ce87017ba2d84988ddfc9c58db67aada613c2dd08457941a6");
} }
...@@ -461,67 +461,67 @@ varnish v1 -vcl { ...@@ -461,67 +461,67 @@ varnish v1 -vcl {
} }
sub vcl_synth { sub vcl_synth {
set resp.http.c128-1 = blobcode.encode(HEXLC, set resp.http.c128-1 = blob.encode(HEX, LOWER,
aes128.encrypt(p1.get(), ctr=ctr1.get())); aes128.encrypt(p1.get(), ctr=ctr1.get()));
set resp.http.p128-1 = blobcode.encode(HEXLC, set resp.http.p128-1 = blob.encode(HEX, LOWER,
aes128.decrypt(c128_1.get(), ctr=ctr1.get())); aes128.decrypt(c128_1.get(), ctr=ctr1.get()));
set resp.http.c128-2 = blobcode.encode(HEXLC, set resp.http.c128-2 = blob.encode(HEX, LOWER,
aes128.encrypt(p2.get(), ctr=ctr2.get())); aes128.encrypt(p2.get(), ctr=ctr2.get()));
set resp.http.p128-2 = blobcode.encode(HEXLC, set resp.http.p128-2 = blob.encode(HEX, LOWER,
aes128.decrypt(c128_2.get(), ctr=ctr2.get())); aes128.decrypt(c128_2.get(), ctr=ctr2.get()));
set resp.http.c128-3 = blobcode.encode(HEXLC, set resp.http.c128-3 = blob.encode(HEX, LOWER,
aes128.encrypt(p3.get(), ctr=ctr3.get())); aes128.encrypt(p3.get(), ctr=ctr3.get()));
set resp.http.p128-3 = blobcode.encode(HEXLC, set resp.http.p128-3 = blob.encode(HEX, LOWER,
aes128.decrypt(c128_3.get(), ctr=ctr3.get())); aes128.decrypt(c128_3.get(), ctr=ctr3.get()));
set resp.http.c128-4 = blobcode.encode(HEXLC, set resp.http.c128-4 = blob.encode(HEX, LOWER,
aes128.encrypt(p4.get(), ctr=ctr4.get())); aes128.encrypt(p4.get(), ctr=ctr4.get()));
set resp.http.p128-4 = blobcode.encode(HEXLC, set resp.http.p128-4 = blob.encode(HEX, LOWER,
aes128.decrypt(c128_4.get(), ctr=ctr4.get())); aes128.decrypt(c128_4.get(), ctr=ctr4.get()));
set resp.http.c128 = blobcode.encode(HEXLC, set resp.http.c128 = blob.encode(HEX, LOWER,
aes128.encrypt(p.get(), ctr=ctr1.get())); aes128.encrypt(p.get(), ctr=ctr1.get()));
set resp.http.p128 = blobcode.encode(HEXLC, set resp.http.p128 = blob.encode(HEX, LOWER,
aes128.decrypt(c128.get(), ctr=ctr1.get())); aes128.decrypt(c128.get(), ctr=ctr1.get()));
set resp.http.c192-1 = blobcode.encode(HEXLC, set resp.http.c192-1 = blob.encode(HEX, LOWER,
aes192.encrypt(p1.get(), ctr=ctr1.get())); aes192.encrypt(p1.get(), ctr=ctr1.get()));
set resp.http.p192-1 = blobcode.encode(HEXLC, set resp.http.p192-1 = blob.encode(HEX, LOWER,
aes192.decrypt(c192_1.get(), ctr=ctr1.get())); aes192.decrypt(c192_1.get(), ctr=ctr1.get()));
set resp.http.c192-2 = blobcode.encode(HEXLC, set resp.http.c192-2 = blob.encode(HEX, LOWER,
aes192.encrypt(p2.get(), ctr=ctr2.get())); aes192.encrypt(p2.get(), ctr=ctr2.get()));
set resp.http.p192-2 = blobcode.encode(HEXLC, set resp.http.p192-2 = blob.encode(HEX, LOWER,
aes192.decrypt(c192_2.get(), ctr=ctr2.get())); aes192.decrypt(c192_2.get(), ctr=ctr2.get()));
set resp.http.c192-3 = blobcode.encode(HEXLC, set resp.http.c192-3 = blob.encode(HEX, LOWER,
aes192.encrypt(p3.get(), ctr=ctr3.get())); aes192.encrypt(p3.get(), ctr=ctr3.get()));
set resp.http.p192-3 = blobcode.encode(HEXLC, set resp.http.p192-3 = blob.encode(HEX, LOWER,
aes192.decrypt(c192_3.get(), ctr=ctr3.get())); aes192.decrypt(c192_3.get(), ctr=ctr3.get()));
set resp.http.c192-4 = blobcode.encode(HEXLC, set resp.http.c192-4 = blob.encode(HEX, LOWER,
aes192.encrypt(p4.get(), ctr=ctr4.get())); aes192.encrypt(p4.get(), ctr=ctr4.get()));
set resp.http.p192-4 = blobcode.encode(HEXLC, set resp.http.p192-4 = blob.encode(HEX, LOWER,
aes192.decrypt(c192_4.get(), ctr=ctr4.get())); aes192.decrypt(c192_4.get(), ctr=ctr4.get()));
set resp.http.c192 = blobcode.encode(HEXLC, set resp.http.c192 = blob.encode(HEX, LOWER,
aes192.encrypt(p.get(), ctr=ctr1.get())); aes192.encrypt(p.get(), ctr=ctr1.get()));
set resp.http.p192 = blobcode.encode(HEXLC, set resp.http.p192 = blob.encode(HEX, LOWER,
aes192.decrypt(c192.get(), ctr=ctr1.get())); aes192.decrypt(c192.get(), ctr=ctr1.get()));
set resp.http.c256-1 = blobcode.encode(HEXLC, set resp.http.c256-1 = blob.encode(HEX, LOWER,
aes256.encrypt(p1.get(), ctr=ctr1.get())); aes256.encrypt(p1.get(), ctr=ctr1.get()));
set resp.http.p256-1 = blobcode.encode(HEXLC, set resp.http.p256-1 = blob.encode(HEX, LOWER,
aes256.decrypt(c256_1.get(), ctr=ctr1.get())); aes256.decrypt(c256_1.get(), ctr=ctr1.get()));
set resp.http.c256-2 = blobcode.encode(HEXLC, set resp.http.c256-2 = blob.encode(HEX, LOWER,
aes256.encrypt(p2.get(), ctr=ctr2.get())); aes256.encrypt(p2.get(), ctr=ctr2.get()));
set resp.http.p256-2 = blobcode.encode(HEXLC, set resp.http.p256-2 = blob.encode(HEX, LOWER,
aes256.decrypt(c256_2.get(), ctr=ctr2.get())); aes256.decrypt(c256_2.get(), ctr=ctr2.get()));
set resp.http.c256-3 = blobcode.encode(HEXLC, set resp.http.c256-3 = blob.encode(HEX, LOWER,
aes256.encrypt(p3.get(), ctr=ctr3.get())); aes256.encrypt(p3.get(), ctr=ctr3.get()));
set resp.http.p256-3 = blobcode.encode(HEXLC, set resp.http.p256-3 = blob.encode(HEX, LOWER,
aes256.decrypt(c256_3.get(), ctr=ctr3.get())); aes256.decrypt(c256_3.get(), ctr=ctr3.get()));
set resp.http.c256-4 = blobcode.encode(HEXLC, set resp.http.c256-4 = blob.encode(HEX, LOWER,
aes256.encrypt(p4.get(), ctr=ctr4.get())); aes256.encrypt(p4.get(), ctr=ctr4.get()));
set resp.http.p256-4 = blobcode.encode(HEXLC, set resp.http.p256-4 = blob.encode(HEX, LOWER,
aes256.decrypt(c256_4.get(), ctr=ctr4.get())); aes256.decrypt(c256_4.get(), ctr=ctr4.get()));
set resp.http.c256 = blobcode.encode(HEXLC, set resp.http.c256 = blob.encode(HEX, LOWER,
aes256.encrypt(p.get(), ctr=ctr1.get())); aes256.encrypt(p.get(), ctr=ctr1.get()));
set resp.http.p256 = blobcode.encode(HEXLC, set resp.http.p256 = blob.encode(HEX, LOWER,
aes256.decrypt(c256.get(), ctr=ctr1.get())); aes256.decrypt(c256.get(), ctr=ctr1.get()));
return(deliver); return(deliver);
...@@ -569,126 +569,126 @@ client c1 { ...@@ -569,126 +569,126 @@ client c1 {
# from Google cryptogwt CipherTestVectors.java, test AES/CBC/PKCS7 # from Google cryptogwt CipherTestVectors.java, test AES/CBC/PKCS7
varnish v1 -vcl { varnish v1 -vcl {
import blobcode; import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
new p6 = blobcode.blob(HEX, "f6cee5ff28fd"); new p6 = blob.blob(HEX, "f6cee5ff28fd");
new k6 = blobcode.blob(HEX, "ac5800ac3cb59c7c14f36019e43b44fe"); new k6 = blob.blob(HEX, "ac5800ac3cb59c7c14f36019e43b44fe");
new i6 = blobcode.blob(HEX, "f013ce1ec901b5b60a85a986b3b72eba"); new i6 = blob.blob(HEX, "f013ce1ec901b5b60a85a986b3b72eba");
new c6 = blobcode.blob(HEX, "e8a846fd9718507371604504d4ca1ac7"); new c6 = blob.blob(HEX, "e8a846fd9718507371604504d4ca1ac7");
new aes6 = gcrypt.symmetric(AES, CBC, PKCS7, key=k6.get()); new aes6 = gcrypt.symmetric(AES, CBC, PKCS7, key=k6.get());
new p7 = blobcode.blob(HEX, "76cdfdf52a9753"); new p7 = blob.blob(HEX, "76cdfdf52a9753");
new k7 = blobcode.blob(HEX, "24c4328aeffc0ca354a3215a3da23a38"); new k7 = blob.blob(HEX, "24c4328aeffc0ca354a3215a3da23a38");
new i7 = blobcode.blob(HEX, "c43c6269bb8c1dbba3bc22b7ba7e24b1"); new i7 = blob.blob(HEX, "c43c6269bb8c1dbba3bc22b7ba7e24b1");
new c7 = blobcode.blob(HEX, "009e935f3fe4d57b57fc3127a8873d8c"); new c7 = blob.blob(HEX, "009e935f3fe4d57b57fc3127a8873d8c");
new aes7 = gcrypt.symmetric(AES, CBC, PKCS7, key=k7.get()); new aes7 = gcrypt.symmetric(AES, CBC, PKCS7, key=k7.get());
new p8 = blobcode.blob(HEX, "b103c928531d8875"); new p8 = blob.blob(HEX, "b103c928531d8875");
new k8 = blobcode.blob(HEX, "4035227440a779dbd1ed75c6ae78cef5"); new k8 = blob.blob(HEX, "4035227440a779dbd1ed75c6ae78cef5");
new i8 = blobcode.blob(HEX, "8faff161a5ec06e051066a571d1729d9"); new i8 = blob.blob(HEX, "8faff161a5ec06e051066a571d1729d9");
new c8 = blobcode.blob(HEX, "b3d8df2c3147b0752a7e6bbbcc9d5758"); new c8 = blob.blob(HEX, "b3d8df2c3147b0752a7e6bbbcc9d5758");
new aes8 = gcrypt.symmetric(AES, CBC, PKCS7, key=k8.get()); new aes8 = gcrypt.symmetric(AES, CBC, PKCS7, key=k8.get());
new p9 = blobcode.blob(HEX, "590b10224087872724"); new p9 = blob.blob(HEX, "590b10224087872724");
new k9 = blobcode.blob(HEX, "507008732ea559915e5e45d9710e3ed2"); new k9 = blob.blob(HEX, "507008732ea559915e5e45d9710e3ed2");
new i9 = blobcode.blob(HEX, "342b22c1cbf1c92b8e63a38de99ffb09"); new i9 = blob.blob(HEX, "342b22c1cbf1c92b8e63a38de99ffb09");
new c9 = blobcode.blob(HEX, "c11a034ed324aeae9cd5857ae4cd776f"); new c9 = blob.blob(HEX, "c11a034ed324aeae9cd5857ae4cd776f");
new aes9 = gcrypt.symmetric(AES, CBC, PKCS7, key=k9.get()); new aes9 = gcrypt.symmetric(AES, CBC, PKCS7, key=k9.get());
new p10 = blobcode.blob(HEX, "ccecfa22708b6d06439c"); new p10 = blob.blob(HEX, "ccecfa22708b6d06439c");
new k10 = new k10 =
blobcode.blob(HEX, "a060441b1b7cc2af405be4f6f5c58e22"); blob.blob(HEX, "a060441b1b7cc2af405be4f6f5c58e22");
new i10 = new i10 =
blobcode.blob(HEX, "429d3240207e77e9b9dade05426fe3cb"); blob.blob(HEX, "429d3240207e77e9b9dade05426fe3cb");
new c10 = new c10 =
blobcode.blob(HEX, "b61ff0a956b420347daa25bb76964b51"); blob.blob(HEX, "b61ff0a956b420347daa25bb76964b51");
new aes10 = gcrypt.symmetric(AES, CBC, PKCS7, key=k10.get()); new aes10 = gcrypt.symmetric(AES, CBC, PKCS7, key=k10.get());
new p11 = blobcode.blob(HEX, "8ff539940bae985f2f88f3"); new p11 = blob.blob(HEX, "8ff539940bae985f2f88f3");
new k11 = new k11 =
blobcode.blob(HEX, "721888e260b8925fe51183b88d65fb17"); blob.blob(HEX, "721888e260b8925fe51183b88d65fb17");
new i11 = new i11 =
blobcode.blob(HEX, "5308c58068cbc05a5461a43bf744b61e"); blob.blob(HEX, "5308c58068cbc05a5461a43bf744b61e");
new c11 = new c11 =
blobcode.blob(HEX, "3ee8bdb21b00e0103ccbf9afb9b5bd9a"); blob.blob(HEX, "3ee8bdb21b00e0103ccbf9afb9b5bd9a");
new aes11 = gcrypt.symmetric(AES, CBC, PKCS7, key=k11.get()); new aes11 = gcrypt.symmetric(AES, CBC, PKCS7, key=k11.get());
new p12 = blobcode.blob(HEX, "4c84974b5b2109d5bc90e1f0"); new p12 = blob.blob(HEX, "4c84974b5b2109d5bc90e1f0");
new k12 = new k12 =
blobcode.blob(HEX, "80ba985c93763f99ff4be6cdee6ab977"); blob.blob(HEX, "80ba985c93763f99ff4be6cdee6ab977");
new i12 = new i12 =
blobcode.blob(HEX, "ca8e99719be2e842e81bf15c606bb916"); blob.blob(HEX, "ca8e99719be2e842e81bf15c606bb916");
new c12 = new c12 =
blobcode.blob(HEX, "3e087f92a998ad531e0ff8e996098382"); blob.blob(HEX, "3e087f92a998ad531e0ff8e996098382");
new aes12 = gcrypt.symmetric(AES, CBC, PKCS7, key=k12.get()); new aes12 = gcrypt.symmetric(AES, CBC, PKCS7, key=k12.get());
new p13 = blobcode.blob(HEX, "13eb26baf2b688574cadac6dba"); new p13 = blob.blob(HEX, "13eb26baf2b688574cadac6dba");
new k13 = new k13 =
blobcode.blob(HEX, "1fe107d14dd8b152580f3dea8591fc3b"); blob.blob(HEX, "1fe107d14dd8b152580f3dea8591fc3b");
new i13 = new i13 =
blobcode.blob(HEX, "7b6070a896d41d227cc0cebbd92d797e"); blob.blob(HEX, "7b6070a896d41d227cc0cebbd92d797e");
new c13 = new c13 =
blobcode.blob(HEX, "a4bfd6586344bcdef94f09d871ca8a16"); blob.blob(HEX, "a4bfd6586344bcdef94f09d871ca8a16");
new aes13 = gcrypt.symmetric(AES, CBC, PKCS7, key=k13.get()); new aes13 = gcrypt.symmetric(AES, CBC, PKCS7, key=k13.get());
new p14 = blobcode.blob(HEX, "5fcb46a197ddf80a40f94dc21531"); new p14 = blob.blob(HEX, "5fcb46a197ddf80a40f94dc21531");
new k14 = new k14 =
blobcode.blob(HEX, "4d3dae5d9e19950f278b0dd4314e3768"); blob.blob(HEX, "4d3dae5d9e19950f278b0dd4314e3768");
new i14 = new i14 =
blobcode.blob(HEX, "80190b58666f15dbaf892cf0bceb2a50"); blob.blob(HEX, "80190b58666f15dbaf892cf0bceb2a50");
new c14 = new c14 =
blobcode.blob(HEX, "2b166eae7a2edfea7a482e5f7377069e"); blob.blob(HEX, "2b166eae7a2edfea7a482e5f7377069e");
new aes14 = gcrypt.symmetric(AES, CBC, PKCS7, key=k14.get()); new aes14 = gcrypt.symmetric(AES, CBC, PKCS7, key=k14.get());
new p15 = blobcode.blob(HEX, "6842455a2992c2e5193056a5524075"); new p15 = blob.blob(HEX, "6842455a2992c2e5193056a5524075");
new k15 = new k15 =
blobcode.blob(HEX, "0784fa652e733cb699f250b0df2c4b41"); blob.blob(HEX, "0784fa652e733cb699f250b0df2c4b41");
new i15 = new i15 =
blobcode.blob(HEX, "106519760fb3ef97e1ccea073b27122d"); blob.blob(HEX, "106519760fb3ef97e1ccea073b27122d");
new c15 = new c15 =
blobcode.blob(HEX, "56a8e0c3ee3315f913693c0ca781e917"); blob.blob(HEX, "56a8e0c3ee3315f913693c0ca781e917");
new aes15 = gcrypt.symmetric(AES, CBC, PKCS7, key=k15.get()); new aes15 = gcrypt.symmetric(AES, CBC, PKCS7, key=k15.get());
new p16 = new p16 =
blobcode.blob(HEX, "c9a44f6f75e98ddbca7332167f5c45e3"); blob.blob(HEX, "c9a44f6f75e98ddbca7332167f5c45e3");
new k16 = new k16 =
blobcode.blob(HEX, "04952c3fcf497a4d449c41e8730c5d9a"); blob.blob(HEX, "04952c3fcf497a4d449c41e8730c5d9a");
new i16 = new i16 =
blobcode.blob(HEX, "53549bf7d5553b727458c1abaf0ba167"); blob.blob(HEX, "53549bf7d5553b727458c1abaf0ba167");
new c16 = blobcode.blob(HEX, new c16 = blob.blob(HEX,
"7fa290322ca7a1a04b61a1147ff20fe66fde58510a1d0289d11c0ddf6f4decfd"); "7fa290322ca7a1a04b61a1147ff20fe66fde58510a1d0289d11c0ddf6f4decfd");
new aes16 = gcrypt.symmetric(AES, CBC, PKCS7, key=k16.get()); new aes16 = gcrypt.symmetric(AES, CBC, PKCS7, key=k16.get());
new p32 = blobcode.blob(HEX, new p32 = blob.blob(HEX,
"1ba93ee6f83752df47909585b3f28e56693f89e169d3093eee85175ea3a46cd3"); "1ba93ee6f83752df47909585b3f28e56693f89e169d3093eee85175ea3a46cd3");
new k32 = new k32 =
blobcode.blob(HEX, "2ae7081caebe54909820620a44a60a0f"); blob.blob(HEX, "2ae7081caebe54909820620a44a60a0f");
new i32 = new i32 =
blobcode.blob(HEX, "fc5e783fbe7be12f58b1f025d82ada50"); blob.blob(HEX, "fc5e783fbe7be12f58b1f025d82ada50");
new c32 = blobcode.blob(HEX, new c32 = blob.blob(HEX,
"7944957a99e473e2c07eb496a83ec4e55db2fb44ebdd42bb611e0def29b23a73ac37eb0f4f5d86f090f3ddce3980425a"); "7944957a99e473e2c07eb496a83ec4e55db2fb44ebdd42bb611e0def29b23a73ac37eb0f4f5d86f090f3ddce3980425a");
new aes32 = gcrypt.symmetric(AES, CBC, PKCS7, key=k32.get()); new aes32 = gcrypt.symmetric(AES, CBC, PKCS7, key=k32.get());
new p33 = blobcode.blob(HEX, new p33 = blob.blob(HEX,
"0397f4f6820b1f9386f14403be5ac16e50213bd473b4874b9bcbf5f318ee686b1d"); "0397f4f6820b1f9386f14403be5ac16e50213bd473b4874b9bcbf5f318ee686b1d");
new k33 = new k33 =
blobcode.blob(HEX, "898be9cc5004ed0fa6e117c9a3099d31"); blob.blob(HEX, "898be9cc5004ed0fa6e117c9a3099d31");
new i33 = new i33 =
blobcode.blob(HEX, "9dea7621945988f96491083849b068df"); blob.blob(HEX, "9dea7621945988f96491083849b068df");
new c33 = blobcode.blob(HEX, new c33 = blob.blob(HEX,
"e232cd6ef50047801ee681ec30f61d53cfd6b0bca02fd03c1b234baa10ea82ac9dab8b960926433a19ce6dea08677e34"); "e232cd6ef50047801ee681ec30f61d53cfd6b0bca02fd03c1b234baa10ea82ac9dab8b960926433a19ce6dea08677e34");
new aes33 = gcrypt.symmetric(AES, CBC, PKCS7, key=k33.get()); new aes33 = gcrypt.symmetric(AES, CBC, PKCS7, key=k33.get());
# The string is: {"encrypt" : "foo"} # The string is: {"encrypt" : "foo"}
new p_j = blobcode.blob(encoded="{"+{""encrypt" : "foo""}+"}"); new p_j = blob.blob(encoded="{"+{""encrypt" : "foo""}+"}");
new k_j = new k_j =
blobcode.blob(HEX, "dc28c4a23ec612dc63a23d32a5ecdaab"); blob.blob(HEX, "dc28c4a23ec612dc63a23d32a5ecdaab");
new i_j = new i_j =
blobcode.blob(HEX, "00000000000000000000000000000000"); blob.blob(HEX, "00000000000000000000000000000000");
new c_j = blobcode.blob(HEX, new c_j = blob.blob(HEX,
"c58c18a02297685e11148e51cbde72e644262e6bc875a3270f207f9e3936c1dd"); "c58c18a02297685e11148e51cbde72e644262e6bc875a3270f207f9e3936c1dd");
new aes_j = gcrypt.symmetric(AES, CBC, PKCS7, key=k_j.get()); new aes_j = gcrypt.symmetric(AES, CBC, PKCS7, key=k_j.get());
} }
...@@ -699,60 +699,60 @@ varnish v1 -vcl { ...@@ -699,60 +699,60 @@ varnish v1 -vcl {
sub vcl_synth { sub vcl_synth {
set resp.http.c6 = set resp.http.c6 =
blobcode.encode(HEXLC, aes6.encrypt(p6.get(), iv=i6.get())); blob.encode(HEX, LOWER, aes6.encrypt(p6.get(), iv=i6.get()));
set resp.http.p6 = set resp.http.p6 =
blobcode.encode(HEXLC, aes6.decrypt(c6.get(), iv=i6.get())); blob.encode(HEX, LOWER, aes6.decrypt(c6.get(), iv=i6.get()));
set resp.http.c7 = set resp.http.c7 =
blobcode.encode(HEXLC, aes7.encrypt(p7.get(), iv=i7.get())); blob.encode(HEX, LOWER, aes7.encrypt(p7.get(), iv=i7.get()));
set resp.http.p7 = set resp.http.p7 =
blobcode.encode(HEXLC, aes7.decrypt(c7.get(), iv=i7.get())); blob.encode(HEX, LOWER, aes7.decrypt(c7.get(), iv=i7.get()));
set resp.http.c8 = set resp.http.c8 =
blobcode.encode(HEXLC, aes8.encrypt(p8.get(), iv=i8.get())); blob.encode(HEX, LOWER, aes8.encrypt(p8.get(), iv=i8.get()));
set resp.http.p8 = set resp.http.p8 =
blobcode.encode(HEXLC, aes8.decrypt(c8.get(), iv=i8.get())); blob.encode(HEX, LOWER, aes8.decrypt(c8.get(), iv=i8.get()));
set resp.http.c9 = set resp.http.c9 =
blobcode.encode(HEXLC, aes9.encrypt(p9.get(), iv=i9.get())); blob.encode(HEX, LOWER, aes9.encrypt(p9.get(), iv=i9.get()));
set resp.http.p9 = set resp.http.p9 =
blobcode.encode(HEXLC, aes9.decrypt(c9.get(), iv=i9.get())); blob.encode(HEX, LOWER, aes9.decrypt(c9.get(), iv=i9.get()));
set resp.http.c10 = blobcode.encode(HEXLC, set resp.http.c10 = blob.encode(HEX, LOWER,
aes10.encrypt(p10.get(), iv=i10.get())); aes10.encrypt(p10.get(), iv=i10.get()));
set resp.http.p10 = blobcode.encode(HEXLC, set resp.http.p10 = blob.encode(HEX, LOWER,
aes10.decrypt(c10.get(), iv=i10.get())); aes10.decrypt(c10.get(), iv=i10.get()));
set resp.http.c11 = blobcode.encode(HEXLC, set resp.http.c11 = blob.encode(HEX, LOWER,
aes11.encrypt(p11.get(), iv=i11.get())); aes11.encrypt(p11.get(), iv=i11.get()));
set resp.http.p11 = blobcode.encode(HEXLC, set resp.http.p11 = blob.encode(HEX, LOWER,
aes11.decrypt(c11.get(), iv=i11.get())); aes11.decrypt(c11.get(), iv=i11.get()));
set resp.http.c12 = blobcode.encode(HEXLC, set resp.http.c12 = blob.encode(HEX, LOWER,
aes12.encrypt(p12.get(), iv=i12.get())); aes12.encrypt(p12.get(), iv=i12.get()));
set resp.http.p12 = blobcode.encode(HEXLC, set resp.http.p12 = blob.encode(HEX, LOWER,
aes12.decrypt(c12.get(), iv=i12.get())); aes12.decrypt(c12.get(), iv=i12.get()));
set resp.http.c13 = blobcode.encode(HEXLC, set resp.http.c13 = blob.encode(HEX, LOWER,
aes13.encrypt(p13.get(), iv=i13.get())); aes13.encrypt(p13.get(), iv=i13.get()));
set resp.http.p13 = blobcode.encode(HEXLC, set resp.http.p13 = blob.encode(HEX, LOWER,
aes13.decrypt(c13.get(), iv=i13.get())); aes13.decrypt(c13.get(), iv=i13.get()));
set resp.http.c14 = blobcode.encode(HEXLC, set resp.http.c14 = blob.encode(HEX, LOWER,
aes14.encrypt(p14.get(), iv=i14.get())); aes14.encrypt(p14.get(), iv=i14.get()));
set resp.http.p14 = blobcode.encode(HEXLC, set resp.http.p14 = blob.encode(HEX, LOWER,
aes14.decrypt(c14.get(), iv=i14.get())); aes14.decrypt(c14.get(), iv=i14.get()));
set resp.http.c15 = blobcode.encode(HEXLC, set resp.http.c15 = blob.encode(HEX, LOWER,
aes15.encrypt(p15.get(), iv=i15.get())); aes15.encrypt(p15.get(), iv=i15.get()));
set resp.http.p15 = blobcode.encode(HEXLC, set resp.http.p15 = blob.encode(HEX, LOWER,
aes15.decrypt(c15.get(), iv=i15.get())); aes15.decrypt(c15.get(), iv=i15.get()));
set resp.http.c16 = blobcode.encode(HEXLC, set resp.http.c16 = blob.encode(HEX, LOWER,
aes16.encrypt(p16.get(), iv=i16.get())); aes16.encrypt(p16.get(), iv=i16.get()));
set resp.http.p16 = blobcode.encode(HEXLC, set resp.http.p16 = blob.encode(HEX, LOWER,
aes16.decrypt(c16.get(), iv=i16.get())); aes16.decrypt(c16.get(), iv=i16.get()));
set resp.http.c32 = blobcode.encode(HEXLC, set resp.http.c32 = blob.encode(HEX, LOWER,
aes32.encrypt(p32.get(), iv=i32.get())); aes32.encrypt(p32.get(), iv=i32.get()));
set resp.http.p32 = blobcode.encode(HEXLC, set resp.http.p32 = blob.encode(HEX, LOWER,
aes32.decrypt(c32.get(), iv=i32.get())); aes32.decrypt(c32.get(), iv=i32.get()));
set resp.http.c33 = blobcode.encode(HEXLC, set resp.http.c33 = blob.encode(HEX, LOWER,
aes33.encrypt(p33.get(), iv=i33.get())); aes33.encrypt(p33.get(), iv=i33.get()));
set resp.http.p33 = blobcode.encode(HEXLC, set resp.http.p33 = blob.encode(HEX, LOWER,
aes33.decrypt(c33.get(), iv=i33.get())); aes33.decrypt(c33.get(), iv=i33.get()));
set resp.http.c_j = blobcode.encode(HEXLC, set resp.http.c_j = blob.encode(HEX, LOWER,
aes_j.encrypt(p_j.get(), iv=i_j.get())); aes_j.encrypt(p_j.get(), iv=i_j.get()));
set resp.http.p_j = blobcode.encode(IDENTITY, set resp.http.p_j = blob.encode(IDENTITY, DEFAULT,
aes_j.decrypt(c_j.get(), iv=i_j.get())); aes_j.decrypt(c_j.get(), iv=i_j.get()));
return(deliver); return(deliver);
} }
...@@ -794,15 +794,15 @@ client c1 { ...@@ -794,15 +794,15 @@ client c1 {
# Use random() to create an IV and a counter. # Use random() to create an IV and a counter.
varnish v1 -vcl { varnish v1 -vcl {
import blobcode; import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
new k1 = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f"); new k1 = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new ctr = gcrypt.symmetric(AES, CTR, key=k1.get()); new ctr = gcrypt.symmetric(AES, CTR, key=k1.get());
new cbc = gcrypt.symmetric(AES, CBC, key=k1.get(), cbc_cts=true); new cbc = gcrypt.symmetric(AES, CBC, key=k1.get(), cbc_cts=true);
new p1 = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f"); new p1 = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
} }
sub vcl_recv { sub vcl_recv {
...@@ -811,25 +811,25 @@ varnish v1 -vcl { ...@@ -811,25 +811,25 @@ varnish v1 -vcl {
sub vcl_synth { sub vcl_synth {
set resp.http.ctr-ciphertext set resp.http.ctr-ciphertext
= blobcode.encode(HEXLC, = blob.encode(HEX, LOWER,
ctr.encrypt(p1.get(), ctr.encrypt(p1.get(),
ctr=gcrypt.random(NONCE, 16B))); ctr=gcrypt.random(NONCE, 16B)));
set resp.http.ctr-ctr set resp.http.ctr-ctr
= blobcode.encode(HEXLC, gcrypt.random()); = blob.encode(HEX, LOWER, gcrypt.random());
set resp.http.ctr-plaintext set resp.http.ctr-plaintext
= blobcode.encode(HEXLC, = blob.encode(HEX, LOWER,
ctr.decrypt(blobcode.decode(HEX, resp.http.ctr-ciphertext), ctr.decrypt(blob.decode(HEX, encoded=resp.http.ctr-ciphertext),
ctr=blobcode.decode(HEX, resp.http.ctr-ctr))); ctr=blob.decode(HEX, encoded=resp.http.ctr-ctr)));
set resp.http.cbc-ciphertext set resp.http.cbc-ciphertext
= blobcode.encode(HEXLC, = blob.encode(HEX, LOWER,
cbc.encrypt(p1.get(), cbc.encrypt(p1.get(),
iv=gcrypt.random(STRONG, 16B))); iv=gcrypt.random(STRONG, 16B)));
set resp.http.cbc-iv set resp.http.cbc-iv
= blobcode.encode(HEXLC, gcrypt.random()); = blob.encode(HEX, LOWER, gcrypt.random());
set resp.http.cbc-plaintext set resp.http.cbc-plaintext
= blobcode.encode(HEXLC, = blob.encode(HEX, LOWER,
cbc.decrypt(blobcode.decode(HEX, resp.http.cbc-ciphertext), cbc.decrypt(blob.decode(HEX, encoded=resp.http.cbc-ciphertext),
iv=blobcode.decode(HEX, resp.http.cbc-iv))); iv=blob.decode(HEX, encoded=resp.http.cbc-iv)));
return(deliver); return(deliver);
} }
} }
...@@ -848,16 +848,16 @@ client c1 { ...@@ -848,16 +848,16 @@ client c1 {
# Repeat the previous test using secure memory # Repeat the previous test using secure memory
varnish v1 -vcl { varnish v1 -vcl {
import blobcode; import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
new k1 = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f"); new k1 = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new ctr = gcrypt.symmetric(AES, CTR, key=k1.get(), secure=true); new ctr = gcrypt.symmetric(AES, CTR, key=k1.get(), secure=true);
new cbc = gcrypt.symmetric(AES, CBC, key=k1.get(), new cbc = gcrypt.symmetric(AES, CBC, key=k1.get(),
cbc_cts=true, secure=true); cbc_cts=true, secure=true);
new p1 = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f"); new p1 = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
} }
sub vcl_recv { sub vcl_recv {
...@@ -866,25 +866,25 @@ varnish v1 -vcl { ...@@ -866,25 +866,25 @@ varnish v1 -vcl {
sub vcl_synth { sub vcl_synth {
set resp.http.ctr-ciphertext set resp.http.ctr-ciphertext
= blobcode.encode(HEXLC, = blob.encode(HEX, LOWER,
ctr.encrypt(p1.get(), ctr.encrypt(p1.get(),
ctr=gcrypt.random(NONCE, 16B))); ctr=gcrypt.random(NONCE, 16B)));
set resp.http.ctr-ctr set resp.http.ctr-ctr
= blobcode.encode(HEXLC, gcrypt.random()); = blob.encode(HEX, LOWER, gcrypt.random());
set resp.http.ctr-plaintext set resp.http.ctr-plaintext
= blobcode.encode(HEXLC, = blob.encode(HEX, LOWER,
ctr.decrypt(blobcode.decode(HEX, resp.http.ctr-ciphertext), ctr.decrypt(blob.decode(HEX, encoded=resp.http.ctr-ciphertext),
ctr=blobcode.decode(HEX, resp.http.ctr-ctr))); ctr=blob.decode(HEX, encoded=resp.http.ctr-ctr)));
set resp.http.cbc-ciphertext set resp.http.cbc-ciphertext
= blobcode.encode(HEXLC, = blob.encode(HEX, LOWER,
cbc.encrypt(p1.get(), cbc.encrypt(p1.get(),
iv=gcrypt.random(STRONG, 16B))); iv=gcrypt.random(STRONG, 16B)));
set resp.http.cbc-iv set resp.http.cbc-iv
= blobcode.encode(HEXLC, gcrypt.random()); = blob.encode(HEX, LOWER, gcrypt.random());
set resp.http.cbc-plaintext set resp.http.cbc-plaintext
= blobcode.encode(HEXLC, = blob.encode(HEX, LOWER,
cbc.decrypt(blobcode.decode(HEX, resp.http.cbc-ciphertext), cbc.decrypt(blob.decode(HEX, encoded=resp.http.cbc-ciphertext),
iv=blobcode.decode(HEX, resp.http.cbc-iv))); iv=blob.decode(HEX, encoded=resp.http.cbc-iv)));
return(deliver); return(deliver);
} }
} }
......
src/tests/aes_fail.vtc
View file @ 808a8eee
...@@ -14,53 +14,53 @@ varnish v1 -vcl { ...@@ -14,53 +14,53 @@ varnish v1 -vcl {
# NULL key is illegal # NULL key is illegal
varnish v1 -errvcl {vmod gcrypt error: key is NULL in aes constructor} { varnish v1 -errvcl {vmod gcrypt error: key is NULL in aes constructor} {
import blobcode; import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
new k = blobcode.blob(encoded=""); new k = blob.blob(encoded="");
new aes = gcrypt.symmetric(AES, ECB, key=k.get()); new aes = gcrypt.symmetric(AES, ECB, key=k.get());
} }
} }
# Key too short # Key too short
varnish v1 -errvcl {vmod gcrypt error: Cannot set key in aes constructor} { varnish v1 -errvcl {vmod gcrypt error: Cannot set key in aes constructor} {
import blobcode; import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
new k = blobcode.blob(HEX, "0"); new k = blob.blob(HEX, "0");
new aes = gcrypt.symmetric(AES, ECB, key=k.get()); new aes = gcrypt.symmetric(AES, ECB, key=k.get());
} }
} }
# Key too long # Key too long
varnish v1 -errvcl {vmod gcrypt error: Key length 17 is longer than the maximum supported length 16 for AES cipher in aes constructor} { varnish v1 -errvcl {vmod gcrypt error: Key length 17 is longer than the maximum supported length 16 for AES cipher in aes constructor} {
import blobcode; import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
new k = blobcode.blob(HEX, new k = blob.blob(HEX,
"000102030405060708090a0b0c0d0e0f10"); "000102030405060708090a0b0c0d0e0f10");
new aes = gcrypt.symmetric(AES, ECB, key=k.get()); new aes = gcrypt.symmetric(AES, ECB, key=k.get());
} }
} }
varnish v1 -vcl { varnish v1 -vcl {
import blobcode; import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
new k = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f"); new k = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new cbc = gcrypt.symmetric(AES, CBC, NONE, key=k.get()); new cbc = gcrypt.symmetric(AES, CBC, NONE, key=k.get());
new ctr = gcrypt.symmetric(AES, CTR, key=k.get()); new ctr = gcrypt.symmetric(AES, CTR, key=k.get());
new null = blobcode.blob(encoded=""); new null = blob.blob(encoded="");
new short = blobcode.blob(encoded="Too short"); new short = blob.blob(encoded="Too short");
new long = blobcode.blob(HEX, new long = blob.blob(HEX,
"000102030405060708090a0b0c0d0e0f10"); "000102030405060708090a0b0c0d0e0f10");
} }
...@@ -73,84 +73,84 @@ varnish v1 -vcl { ...@@ -73,84 +73,84 @@ varnish v1 -vcl {
# NULL plaintext is illegal # NULL plaintext is illegal
set resp.http.plain-null set resp.http.plain-null
= blobcode.encode(HEXUC, cbc.encrypt(null.get())); = blob.encode(HEX, UPPER, cbc.encrypt(null.get()));
# NULL IV is illegal when required # NULL IV is illegal when required
set resp.http.enc-iv-null set resp.http.enc-iv-null
= blobcode.encode(HEXUC, cbc.encrypt(k.get())); = blob.encode(HEX, UPPER, cbc.encrypt(k.get()));
# IV shorter than the block length is not an error, but # IV shorter than the block length is not an error, but
# invokes a libgcrypt log warning # invokes a libgcrypt log warning
set resp.http.enc-iv-short set resp.http.enc-iv-short
= blobcode.encode(HEXUC, cbc.encrypt(k.get(), short.get())); = blob.encode(HEX, UPPER, cbc.encrypt(k.get(), short.get()));
# IV longer than the block length is not an error, but # IV longer than the block length is not an error, but
# invokes a libgcrypt log warning # invokes a libgcrypt log warning
set resp.http.enc-iv-long set resp.http.enc-iv-long
= blobcode.encode(HEXUC, cbc.encrypt(k.get(), long.get())); = blob.encode(HEX, UPPER, cbc.encrypt(k.get(), long.get()));
# When no padding is specified, the length of the plaintext # When no padding is specified, the length of the plaintext
# must be an exact multiple of the block length. # must be an exact multiple of the block length.
set resp.http.enc-plain-short set resp.http.enc-plain-short
= blobcode.encode(HEXUC, cbc.encrypt(short.get(), k.get())); = blob.encode(HEX, UPPER, cbc.encrypt(short.get(), k.get()));
set resp.http.enc-plain-long set resp.http.enc-plain-long
= blobcode.encode(HEXUC, cbc.encrypt(long.get(), k.get())); = blob.encode(HEX, UPPER, cbc.encrypt(long.get(), k.get()));
# NULL CTR is illegal when required # NULL CTR is illegal when required
set resp.http.enc-ctr-null set resp.http.enc-ctr-null
= blobcode.encode(HEXUC, ctr.encrypt(k.get())); = blob.encode(HEX, UPPER, ctr.encrypt(k.get()));
# CTR shorter than the block length is illegal # CTR shorter than the block length is illegal
set resp.http.enc-ctr-short set resp.http.enc-ctr-short
= blobcode.encode(HEXUC, ctr.encrypt(k.get(), = blob.encode(HEX, UPPER, ctr.encrypt(k.get(),
ctr=short.get())); ctr=short.get()));
# CTR longer than the block length is illegal # CTR longer than the block length is illegal
set resp.http.enc-ctr-long set resp.http.enc-ctr-long
= blobcode.encode(HEXUC, ctr.encrypt(k.get(), = blob.encode(HEX, UPPER, ctr.encrypt(k.get(),
ctr=long.get())); ctr=long.get()));
# Errors in .decrypt() # Errors in .decrypt()
# NULL ciphertext is illegal # NULL ciphertext is illegal
set resp.http.cipher-null set resp.http.cipher-null
= blobcode.encode(HEXUC, cbc.decrypt(null.get())); = blob.encode(HEX, UPPER, cbc.decrypt(null.get()));
# NULL IV is illegal when required # NULL IV is illegal when required
set resp.http.dec-iv-null set resp.http.dec-iv-null
= blobcode.encode(HEXUC, cbc.decrypt(k.get())); = blob.encode(HEX, UPPER, cbc.decrypt(k.get()));
# IV shorter than the block length is not an error, but # IV shorter than the block length is not an error, but
# invokes a libgcrypt log warning # invokes a libgcrypt log warning
set resp.http.dec-iv-short set resp.http.dec-iv-short
= blobcode.encode(HEXUC, cbc.decrypt(k.get(), short.get())); = blob.encode(HEX, UPPER, cbc.decrypt(k.get(), short.get()));
# IV longer than the block length is not an error, but # IV longer than the block length is not an error, but
# invokes a libgcrypt log warning # invokes a libgcrypt log warning
set resp.http.dec-iv-long set resp.http.dec-iv-long
= blobcode.encode(HEXUC, cbc.decrypt(k.get(), long.get())); = blob.encode(HEX, UPPER, cbc.decrypt(k.get(), long.get()));
# When no padding is specified, the length of the ciphertext # When no padding is specified, the length of the ciphertext
# must be an exact multiple of the block length. # must be an exact multiple of the block length.
set resp.http.dec-cipher-short set resp.http.dec-cipher-short
= blobcode.encode(HEXUC, cbc.decrypt(short.get(), k.get())); = blob.encode(HEX, UPPER, cbc.decrypt(short.get(), k.get()));
set resp.http.dec-cipher-long set resp.http.dec-cipher-long
= blobcode.encode(HEXUC, cbc.decrypt(long.get(), k.get())); = blob.encode(HEX, UPPER, cbc.decrypt(long.get(), k.get()));
# NULL CTR is illegal when required # NULL CTR is illegal when required
set resp.http.dec-ctr-null set resp.http.dec-ctr-null
= blobcode.encode(HEXUC, ctr.decrypt(k.get())); = blob.encode(HEX, UPPER, ctr.decrypt(k.get()));
# CTR shorter than the block length is illegal # CTR shorter than the block length is illegal
set resp.http.dec-ctr-short set resp.http.dec-ctr-short
= blobcode.encode(HEXUC, ctr.decrypt(k.get(), = blob.encode(HEX, UPPER, ctr.decrypt(k.get(),
ctr=short.get())); ctr=short.get()));
# CTR longer than the block length is illegal # CTR longer than the block length is illegal
set resp.http.dec-ctr-long set resp.http.dec-ctr-long
= blobcode.encode(HEXUC, ctr.decrypt(k.get(), = blob.encode(HEX, UPPER, ctr.decrypt(k.get(),
ctr=long.get())); ctr=long.get()));
return(deliver); return(deliver);
......
src/tests/disable_secmem.vtc
View file @ 808a8eee
...@@ -5,24 +5,24 @@ varnishtest "disable secmem in the init function" ...@@ -5,24 +5,24 @@ varnishtest "disable secmem in the init function"
# DISABLE_SECMEM # DISABLE_SECMEM
varnish v1 -vcl { varnish v1 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode; import blob;
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
gcrypt.init(DISABLE_SECMEM); gcrypt.init(DISABLE_SECMEM);
gcrypt.init(FINISH); gcrypt.init(FINISH);
new k = blobcode.blob(HEX, "00000000000000000000000000000000"); new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=false); new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=false);
} }
} -start } -start
varnish v1 -errvcl {vmod gcrypt error: secure memory not enabled in aes constructor} { varnish v1 -errvcl {vmod gcrypt error: secure memory not enabled in aes constructor} {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode; import blob;
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
new k = blobcode.blob(HEX, "00000000000000000000000000000000"); new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true); new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
} }
} }
...@@ -32,25 +32,25 @@ varnish v1 -errvcl {vmod gcrypt error: secure memory not enabled in aes construc ...@@ -32,25 +32,25 @@ varnish v1 -errvcl {vmod gcrypt error: secure memory not enabled in aes construc
varnish v1 -stop varnish v1 -stop
varnish v2 -vcl { varnish v2 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode; import blob;
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
gcrypt.init(INIT_SECMEM); gcrypt.init(INIT_SECMEM);
gcrypt.init(DISABLE_SECMEM); gcrypt.init(DISABLE_SECMEM);
gcrypt.init(FINISH); gcrypt.init(FINISH);
new k = blobcode.blob(HEX, "00000000000000000000000000000000"); new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=false); new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=false);
} }
} -start } -start
varnish v2 -errvcl {vmod gcrypt error: secure memory not enabled in aes constructor} { varnish v2 -errvcl {vmod gcrypt error: secure memory not enabled in aes constructor} {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode; import blob;
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
new k = blobcode.blob(HEX, "00000000000000000000000000000000"); new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true); new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
} }
} }
...@@ -58,25 +58,25 @@ varnish v2 -errvcl {vmod gcrypt error: secure memory not enabled in aes construc ...@@ -58,25 +58,25 @@ varnish v2 -errvcl {vmod gcrypt error: secure memory not enabled in aes construc
varnish v2 -stop varnish v2 -stop
varnish v3 -vcl { varnish v3 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode; import blob;
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
gcrypt.init(INIT_SECMEM); gcrypt.init(INIT_SECMEM);
gcrypt.init(INIT_SECMEM, 0B); gcrypt.init(INIT_SECMEM, 0B);
gcrypt.init(FINISH); gcrypt.init(FINISH);
new k = blobcode.blob(HEX, "00000000000000000000000000000000"); new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=false); new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=false);
} }
} -start } -start
varnish v3 -errvcl {vmod gcrypt error: secure memory not enabled in aes constructor} { varnish v3 -errvcl {vmod gcrypt error: secure memory not enabled in aes constructor} {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode; import blob;
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
new k = blobcode.blob(HEX, "00000000000000000000000000000000"); new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true); new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
} }
} }
...@@ -84,14 +84,14 @@ varnish v3 -errvcl {vmod gcrypt error: secure memory not enabled in aes construc ...@@ -84,14 +84,14 @@ varnish v3 -errvcl {vmod gcrypt error: secure memory not enabled in aes construc
varnish v3 -stop varnish v3 -stop
varnish v4 -vcl { varnish v4 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode; import blob;
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
gcrypt.init(DISABLE_SECMEM); gcrypt.init(DISABLE_SECMEM);
gcrypt.init(INIT_SECMEM); gcrypt.init(INIT_SECMEM);
gcrypt.init(FINISH); gcrypt.init(FINISH);
new k = blobcode.blob(HEX, "00000000000000000000000000000000"); new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true); new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
} }
} -start } -start
src/tests/fileread.vtc
View file @ 808a8eee
...@@ -19,7 +19,7 @@ varnish v1 -errvcl {vmod gcrypt error: libgcrypt initialization not finished in ...@@ -19,7 +19,7 @@ varnish v1 -errvcl {vmod gcrypt error: libgcrypt initialization not finished in
} }
varnish v1 -vcl { varnish v1 -vcl {
import blobcode; import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
...@@ -32,13 +32,13 @@ varnish v1 -vcl { ...@@ -32,13 +32,13 @@ varnish v1 -vcl {
} }
sub vcl_synth { sub vcl_synth {
set resp.http.f1 = blobcode.encode(IDENTITY, set resp.http.f1 = blob.encode(IDENTITY, DEFAULT,
gcrypt.fileread("${tmpdir}/f.txt")); gcrypt.fileread("${tmpdir}/f.txt"));
set resp.http.f2 = blobcode.encode(IDENTITY, set resp.http.f2 = blob.encode(IDENTITY, DEFAULT,
gcrypt.fileread("${tmpdir}/f.txt")); gcrypt.fileread("${tmpdir}/f.txt"));
set resp.http.n = blobcode.encode(IDENTITY, set resp.http.n = blob.encode(IDENTITY, DEFAULT,
gcrypt.fileread("${tmpdir}/nonexistent.txt")); gcrypt.fileread("${tmpdir}/nonexistent.txt"));
set resp.http.fifo = blobcode.encode(IDENTITY, set resp.http.fifo = blob.encode(IDENTITY, DEFAULT,
gcrypt.fileread("${tmpdir}/fifo.txt")); gcrypt.fileread("${tmpdir}/fifo.txt"));
return(deliver); return(deliver);
......
src/tests/init_secmem.vtc
View file @ 808a8eee
...@@ -48,11 +48,11 @@ varnish v3 -vcl { ...@@ -48,11 +48,11 @@ varnish v3 -vcl {
varnish v3 -errvcl {vmod gcrypt error: secure memory not enabled in aes constructor} { varnish v3 -errvcl {vmod gcrypt error: secure memory not enabled in aes constructor} {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode; import blob;
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
new k = blobcode.blob(HEX, "00000000000000000000000000000000"); new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true); new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
} }
} }
...@@ -61,12 +61,12 @@ varnish v3 -errvcl {vmod gcrypt error: secure memory not enabled in aes construc ...@@ -61,12 +61,12 @@ varnish v3 -errvcl {vmod gcrypt error: secure memory not enabled in aes construc
varnish v3 -stop varnish v3 -stop
varnish v4 -vcl { varnish v4 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode; import blob;
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
gcrypt.init(FINISH); gcrypt.init(FINISH);
new k = blobcode.blob(HEX, "00000000000000000000000000000000"); new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true); new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=true);
} }
} -start } -start
src/tests/init_usage.vtc
View file @ 808a8eee
...@@ -80,23 +80,23 @@ varnish v1 -stop ...@@ -80,23 +80,23 @@ varnish v1 -stop
varnish v2 -vcl {backend b { .host = "${bad_ip}"; } } -start varnish v2 -vcl {backend b { .host = "${bad_ip}"; } } -start
varnish v2 -errvcl {libgcrypt initialization not finished in aes constructor} { varnish v2 -errvcl {libgcrypt initialization not finished in aes constructor} {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode; import blob;
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
new k = blobcode.blob(HEX, "00000000000000000000000000000000"); new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get()); new aes = gcrypt.symmetric(AES, ECB, key=k.get());
} }
} }
varnish v2 -vcl { varnish v2 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode; import blob;
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
gcrypt.init(FINISH); gcrypt.init(FINISH);
new k = blobcode.blob(HEX, "00000000000000000000000000000000"); new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get()); new aes = gcrypt.symmetric(AES, ECB, key=k.get());
} }
} }
...@@ -105,11 +105,11 @@ varnish v2 -vcl { ...@@ -105,11 +105,11 @@ varnish v2 -vcl {
# object instances without having to call init(FINISH) again. # object instances without having to call init(FINISH) again.
varnish v2 -vcl { varnish v2 -vcl {
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
import blobcode; import blob;
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
new k = blobcode.blob(HEX, "00000000000000000000000000000000"); new k = blob.blob(HEX, "00000000000000000000000000000000");
new aes = gcrypt.symmetric(AES, ECB, key=k.get()); new aes = gcrypt.symmetric(AES, ECB, key=k.get());
} }
} }
src/tests/padding.vtc
View file @ 808a8eee
...@@ -14,18 +14,18 @@ varnish v1 -vcl { ...@@ -14,18 +14,18 @@ varnish v1 -vcl {
# Test padding -- encrypt with padding, decrypt with no padding, and # Test padding -- encrypt with padding, decrypt with no padding, and
# verify that the result has padding bytes as expected. # verify that the result has padding bytes as expected.
varnish v1 -vcl { varnish v1 -vcl {
import blobcode; import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
new k1 = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f"); new k1 = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new none = gcrypt.symmetric(AES, ECB, NONE, key=k1.get()); new none = gcrypt.symmetric(AES, ECB, NONE, key=k1.get());
new pkcs7 = gcrypt.symmetric(AES, ECB, PKCS7, key=k1.get()); new pkcs7 = gcrypt.symmetric(AES, ECB, PKCS7, key=k1.get());
new iso7816 = gcrypt.symmetric(AES, ECB, ISO7816, key=k1.get()); new iso7816 = gcrypt.symmetric(AES, ECB, ISO7816, key=k1.get());
new x923 = gcrypt.symmetric(AES, ECB, X923, key=k1.get()); new x923 = gcrypt.symmetric(AES, ECB, X923, key=k1.get());
new foo = blobcode.blob(encoded="foo"); new foo = blob.blob(encoded="foo");
} }
sub vcl_recv { sub vcl_recv {
...@@ -34,39 +34,39 @@ varnish v1 -vcl { ...@@ -34,39 +34,39 @@ varnish v1 -vcl {
sub vcl_synth { sub vcl_synth {
set resp.http.foo-pkcs7-cipher set resp.http.foo-pkcs7-cipher
= blobcode.encode(BASE64, pkcs7.encrypt(foo.get())); = blob.encode(BASE64, DEFAULT, pkcs7.encrypt(foo.get()));
set resp.http.foo-pkcs7-plain set resp.http.foo-pkcs7-plain
= blobcode.encode(HEXUC, none.decrypt( = blob.encode(HEX, UPPER, none.decrypt(
blobcode.decode(BASE64, resp.http.foo-pkcs7-cipher))); blob.decode(BASE64, encoded=resp.http.foo-pkcs7-cipher)));
set resp.http.foo-iso7816-cipher set resp.http.foo-iso7816-cipher
= blobcode.encode(BASE64, iso7816.encrypt(foo.get())); = blob.encode(BASE64, DEFAULT, iso7816.encrypt(foo.get()));
set resp.http.foo-iso7816-plain set resp.http.foo-iso7816-plain
= blobcode.encode(HEXUC, none.decrypt( = blob.encode(HEX, UPPER, none.decrypt(
blobcode.decode(BASE64, resp.http.foo-iso7816-cipher))); blob.decode(BASE64, encoded=resp.http.foo-iso7816-cipher)));
set resp.http.foo-x923-cipher set resp.http.foo-x923-cipher
= blobcode.encode(BASE64, x923.encrypt(foo.get())); = blob.encode(BASE64, DEFAULT, x923.encrypt(foo.get()));
set resp.http.foo-x923-plain set resp.http.foo-x923-plain
= blobcode.encode(HEXUC, none.decrypt( = blob.encode(HEX, UPPER, none.decrypt(
blobcode.decode(BASE64, resp.http.foo-x923-cipher))); blob.decode(BASE64, encoded=resp.http.foo-x923-cipher)));
set resp.http.empty-pkcs7-cipher set resp.http.empty-pkcs7-cipher
= blobcode.encode(BASE64, = blob.encode(BASE64, DEFAULT,
pkcs7.encrypt(blobcode.decode(encoded=""))); pkcs7.encrypt(blob.decode(encoded="")));
set resp.http.empty-pkcs7-plain set resp.http.empty-pkcs7-plain
= blobcode.encode(HEXUC, none.decrypt( = blob.encode(HEX, UPPER, none.decrypt(
blobcode.decode(BASE64, resp.http.empty-pkcs7-cipher))); blob.decode(BASE64, encoded=resp.http.empty-pkcs7-cipher)));
set resp.http.empty-iso7816-cipher set resp.http.empty-iso7816-cipher
= blobcode.encode(BASE64, = blob.encode(BASE64, DEFAULT,
iso7816.encrypt(blobcode.decode(encoded=""))); iso7816.encrypt(blob.decode(encoded="")));
set resp.http.empty-iso7816-plain set resp.http.empty-iso7816-plain
= blobcode.encode(HEXUC, none.decrypt( = blob.encode(HEX, UPPER, none.decrypt(
blobcode.decode(BASE64, resp.http.empty-iso7816-cipher))); blob.decode(BASE64, encoded=resp.http.empty-iso7816-cipher)));
set resp.http.empty-x923-cipher set resp.http.empty-x923-cipher
= blobcode.encode(BASE64, = blob.encode(BASE64, DEFAULT,
x923.encrypt(blobcode.decode(encoded=""))); x923.encrypt(blob.decode(encoded="")));
set resp.http.empty-x923-plain set resp.http.empty-x923-plain
= blobcode.encode(HEXUC, none.decrypt( = blob.encode(HEX, UPPER, none.decrypt(
blobcode.decode(BASE64, resp.http.empty-x923-cipher))); blob.decode(BASE64, encoded=resp.http.empty-x923-cipher)));
return(deliver); return(deliver);
} }
} }
...@@ -94,30 +94,30 @@ client c1 { ...@@ -94,30 +94,30 @@ client c1 {
# added. Then decrypt with padding, and verify that the result has # added. Then decrypt with padding, and verify that the result has
# padding removed. # padding removed.
varnish v1 -vcl { varnish v1 -vcl {
import blobcode; import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
new k1 = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f"); new k1 = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new none = gcrypt.symmetric(AES, ECB, NONE, key=k1.get()); new none = gcrypt.symmetric(AES, ECB, NONE, key=k1.get());
new pkcs7 = gcrypt.symmetric(AES, ECB, PKCS7, key=k1.get()); new pkcs7 = gcrypt.symmetric(AES, ECB, PKCS7, key=k1.get());
new iso7816 = gcrypt.symmetric(AES, ECB, ISO7816, key=k1.get()); new iso7816 = gcrypt.symmetric(AES, ECB, ISO7816, key=k1.get());
new x923 = gcrypt.symmetric(AES, ECB, X923, key=k1.get()); new x923 = gcrypt.symmetric(AES, ECB, X923, key=k1.get());
new foo_pkcs7 new foo_pkcs7
= blobcode.blob(HEX, "666F6F0D0D0D0D0D0D0D0D0D0D0D0D0D"); = blob.blob(HEX, "666F6F0D0D0D0D0D0D0D0D0D0D0D0D0D");
new foo_iso7816 new foo_iso7816
= blobcode.blob(HEX, "666F6F80000000000000000000000000"); = blob.blob(HEX, "666F6F80000000000000000000000000");
new foo_x923 new foo_x923
= blobcode.blob(HEX, "666F6F0000000000000000000000000D"); = blob.blob(HEX, "666F6F0000000000000000000000000D");
new empty_pkcs7 new empty_pkcs7
= blobcode.blob(HEX, "10101010101010101010101010101010"); = blob.blob(HEX, "10101010101010101010101010101010");
new empty_iso7816 new empty_iso7816
= blobcode.blob(HEX, "80000000000000000000000000000000"); = blob.blob(HEX, "80000000000000000000000000000000");
new empty_x923 new empty_x923
= blobcode.blob(HEX, "00000000000000000000000000000010"); = blob.blob(HEX, "00000000000000000000000000000010");
} }
sub vcl_recv { sub vcl_recv {
...@@ -126,36 +126,36 @@ varnish v1 -vcl { ...@@ -126,36 +126,36 @@ varnish v1 -vcl {
sub vcl_synth { sub vcl_synth {
set resp.http.foo-pkcs7-cipher set resp.http.foo-pkcs7-cipher
= blobcode.encode(BASE64, none.encrypt(foo_pkcs7.get())); = blob.encode(BASE64, DEFAULT, none.encrypt(foo_pkcs7.get()));
set resp.http.foo-pkcs7-plain set resp.http.foo-pkcs7-plain
= blobcode.encode(blob=pkcs7.decrypt( = blob.encode(blob=pkcs7.decrypt(
blobcode.decode(BASE64, resp.http.foo-pkcs7-cipher))); blob.decode(BASE64, encoded=resp.http.foo-pkcs7-cipher)));
set resp.http.foo-iso7816-cipher set resp.http.foo-iso7816-cipher
= blobcode.encode(BASE64, none.encrypt(foo_iso7816.get())); = blob.encode(BASE64, DEFAULT, none.encrypt(foo_iso7816.get()));
set resp.http.foo-iso7816-plain set resp.http.foo-iso7816-plain
= blobcode.encode(blob=iso7816.decrypt( = blob.encode(blob=iso7816.decrypt(
blobcode.decode(BASE64, resp.http.foo-iso7816-cipher))); blob.decode(BASE64, encoded=resp.http.foo-iso7816-cipher)));
set resp.http.foo-x923-cipher set resp.http.foo-x923-cipher
= blobcode.encode(BASE64, none.encrypt(foo_x923.get())); = blob.encode(BASE64, DEFAULT, none.encrypt(foo_x923.get()));
set resp.http.foo-x923-plain set resp.http.foo-x923-plain
= blobcode.encode(blob=x923.decrypt( = blob.encode(blob=x923.decrypt(
blobcode.decode(BASE64, resp.http.foo-x923-cipher))); blob.decode(BASE64, encoded=resp.http.foo-x923-cipher)));
set resp.http.empty-pkcs7-cipher set resp.http.empty-pkcs7-cipher
= blobcode.encode(BASE64, none.encrypt(empty_pkcs7.get())); = blob.encode(BASE64, DEFAULT, none.encrypt(empty_pkcs7.get()));
set resp.http.empty-pkcs7-plain set resp.http.empty-pkcs7-plain
= blobcode.encode(blob=pkcs7.decrypt( = blob.encode(blob=pkcs7.decrypt(
blobcode.decode(BASE64, resp.http.empty-pkcs7-cipher))); blob.decode(BASE64, encoded=resp.http.empty-pkcs7-cipher)));
set resp.http.empty-iso7816-cipher set resp.http.empty-iso7816-cipher
= blobcode.encode(BASE64, none.encrypt(empty_iso7816.get())); = blob.encode(BASE64, DEFAULT, none.encrypt(empty_iso7816.get()));
set resp.http.empty-iso7816-plain set resp.http.empty-iso7816-plain
= blobcode.encode(blob=iso7816.decrypt( = blob.encode(blob=iso7816.decrypt(
blobcode.decode(BASE64, resp.http.empty-iso7816-cipher))); blob.decode(BASE64, encoded=resp.http.empty-iso7816-cipher)));
set resp.http.empty-x923-cipher set resp.http.empty-x923-cipher
= blobcode.encode(BASE64, none.encrypt(empty_x923.get())); = blob.encode(BASE64, DEFAULT, none.encrypt(empty_x923.get()));
set resp.http.empty-x923-plain set resp.http.empty-x923-plain
= blobcode.encode(blob=x923.decrypt( = blob.encode(blob=x923.decrypt(
blobcode.decode(BASE64, resp.http.empty-x923-cipher))); blob.decode(BASE64, encoded=resp.http.empty-x923-cipher)));
return(deliver); return(deliver);
} }
} }
...@@ -178,160 +178,3 @@ client c1 { ...@@ -178,160 +178,3 @@ client c1 {
expect resp.http.empty-x923-plain == "" expect resp.http.empty-x923-plain == ""
} -run } -run
# Padding errors
varnish v1 -vcl {
import blobcode;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k1 = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new none = gcrypt.symmetric(AES, ECB, NONE, key=k1.get());
new pkcs7 = gcrypt.symmetric(AES, ECB, PKCS7, key=k1.get());
new iso7816 = gcrypt.symmetric(AES, ECB, ISO7816, key=k1.get());
new x923 = gcrypt.symmetric(AES, ECB, X923, key=k1.get());
new foo_pkcs7_1
= blobcode.blob(HEX, "666F6F0E0D0D0D0D0D0D0D0D0D0D0D0D");
new foo_pkcs7_2
= blobcode.blob(HEX, "666F6F0D0D0D0D0D0D0D0D0D0D0D0D11");
new foo_iso7816_1
= blobcode.blob(HEX, "666F6F80000000000001000000000000");
new foo_iso7816_2
= blobcode.blob(HEX, "666F6F00000000000000000000000000");
new foo_x923_1
= blobcode.blob(HEX, "666F6F0000000001000000000000000D");
new foo_x923_2
= blobcode.blob(HEX, "666F6F00000000000000000000000011");
new empty_pkcs7_1
= blobcode.blob(HEX, "0F101010101010101010101010101010");
new empty_pkcs7_2
= blobcode.blob(HEX, "10101010101010101010101010101011");
new empty_iso7816_1
= blobcode.blob(HEX, "00000000000000000000000000000000");
new empty_iso7816_2
= blobcode.blob(HEX, "80010000000000000000000000000000");
new empty_x923_1
= blobcode.blob(HEX, "01000000000000000000000000000010");
new empty_x923_2
= blobcode.blob(HEX, "00000000000000000000000000000011");
}
sub vcl_recv {
return(synth(200));
}
sub vcl_synth {
set resp.http.foo-pkcs7-cipher-1
= blobcode.encode(BASE64, none.encrypt(foo_pkcs7_1.get()));
set resp.http.foo-pkcs7-plain-1
= blobcode.encode(blob=pkcs7.decrypt(
blobcode.decode(BASE64, resp.http.foo-pkcs7-cipher-1)));
set resp.http.foo-pkcs7-cipher-2
= blobcode.encode(BASE64, none.encrypt(foo_pkcs7_2.get()));
set resp.http.foo-pkcs7-plain-2
= blobcode.encode(blob=pkcs7.decrypt(
blobcode.decode(BASE64, resp.http.foo-pkcs7-cipher-2)));
set resp.http.foo-iso7816-cipher-1
= blobcode.encode(BASE64, none.encrypt(foo_iso7816_1.get()));
set resp.http.foo-iso7816-plain-1
= blobcode.encode(blob=iso7816.decrypt(
blobcode.decode(BASE64, resp.http.foo-iso7816-cipher-1)));
set resp.http.foo-iso7816-cipher-2
= blobcode.encode(BASE64, none.encrypt(foo_iso7816_2.get()));
set resp.http.foo-iso7816-plain-2
= blobcode.encode(blob=iso7816.decrypt(
blobcode.decode(BASE64, resp.http.foo-iso7816-cipher-2)));
set resp.http.foo-x923-cipher-1
= blobcode.encode(BASE64, none.encrypt(foo_x923_1.get()));
set resp.http.foo-x923-plain-1
= blobcode.encode(blob=x923.decrypt(
blobcode.decode(BASE64, resp.http.foo-x923-cipher-1)));
set resp.http.foo-x923-cipher-2
= blobcode.encode(BASE64, none.encrypt(foo_x923_1.get()));
set resp.http.foo-x923-plain-2
= blobcode.encode(blob=x923.decrypt(
blobcode.decode(BASE64, resp.http.foo-x923-cipher-2)));
set resp.http.empty-pkcs7-cipher-1
= blobcode.encode(BASE64, none.encrypt(empty_pkcs7_1.get()));
set resp.http.empty-pkcs7-plain-1
= blobcode.encode(blob=pkcs7.decrypt(
blobcode.decode(BASE64, resp.http.empty-pkcs7-cipher-1)));
set resp.http.empty-pkcs7-cipher-2
= blobcode.encode(BASE64, none.encrypt(empty_pkcs7_2.get()));
set resp.http.empty-pkcs7-plain-2
= blobcode.encode(blob=pkcs7.decrypt(
blobcode.decode(BASE64, resp.http.empty-pkcs7-cipher-2)));
set resp.http.empty-iso7816-cipher-1
= blobcode.encode(BASE64, none.encrypt(empty_iso7816_1.get()));
set resp.http.empty-iso7816-plain-1
= blobcode.encode(blob=iso7816.decrypt(
blobcode.decode(BASE64, resp.http.empty-iso7816-cipher-1)));
set resp.http.empty-iso7816-cipher-2
= blobcode.encode(BASE64, none.encrypt(empty_iso7816_2.get()));
set resp.http.empty-iso7816-plain-2
= blobcode.encode(blob=iso7816.decrypt(
blobcode.decode(BASE64, resp.http.empty-iso7816-cipher-2)));
set resp.http.empty-x923-cipher-1
= blobcode.encode(BASE64, none.encrypt(empty_x923_1.get()));
set resp.http.empty-x923-plain-1
= blobcode.encode(blob=x923.decrypt(
blobcode.decode(BASE64, resp.http.empty-x923-cipher-1)));
set resp.http.empty-x923-cipher-2
= blobcode.encode(BASE64, none.encrypt(empty_x923_1.get()));
set resp.http.empty-x923-plain-2
= blobcode.encode(blob=x923.decrypt(
blobcode.decode(BASE64, resp.http.empty-x923-cipher-2)));
return(deliver);
}
}
client c1 {
txreq
rxresp
expect resp.status == 200
expect resp.http.foo-pkcs7-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-pkcs7-plain-1 == ""
expect resp.http.foo-pkcs7-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-pkcs7-plain-2 == ""
expect resp.http.foo-iso7816-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-iso7816-plain-1 == ""
expect resp.http.foo-iso7816-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-iso7816-plain-2 == ""
expect resp.http.foo-x923-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-x923-plain-1 == ""
expect resp.http.foo-x923-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.foo-x923-plain-2 == ""
expect resp.http.empty-pkcs7-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-pkcs7-plain-1 == ""
expect resp.http.empty-pkcs7-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-pkcs7-plain-2 == ""
expect resp.http.empty-iso7816-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-iso7816-plain-1 == ""
expect resp.http.empty-iso7816-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-iso7816-plain-2 == ""
expect resp.http.empty-x923-cipher-1 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-x923-plain-1 == ""
expect resp.http.empty-x923-cipher-2 ~ "^[A-Za-z0-9+/]+=*$"
expect resp.http.empty-x923-plain-2 == ""
} -run
logexpect l1 -v v1 -d 1 -q "VCL_Error" {
expect 0 * Begin req
expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in pkcs7.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in iso7816.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
expect * = VCL_Error "^vmod gcrypt error: in x923.decrypt..: incorrect padding$"
expect * = End
} -run
src/tests/random.vtc
View file @ 808a8eee
...@@ -9,7 +9,7 @@ varnishtest "random() and random_int(), _real() and _bool()" ...@@ -9,7 +9,7 @@ varnishtest "random() and random_int(), _real() and _bool()"
# varnishtest. # varnishtest.
varnish v1 -vcl { varnish v1 -vcl {
import blobcode; import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
...@@ -19,22 +19,22 @@ varnish v1 -vcl { ...@@ -19,22 +19,22 @@ varnish v1 -vcl {
sub vcl_synth { sub vcl_synth {
set resp.http.nonce16 set resp.http.nonce16
= blobcode.encode(HEXUC, gcrypt.random(NONCE, 16B)); = blob.encode(HEX, UPPER, gcrypt.random(NONCE, 16B));
set resp.http.nonce16-task set resp.http.nonce16-task
= blobcode.encode(HEXUC, gcrypt.random()); = blob.encode(HEX, UPPER, gcrypt.random());
set resp.http.strong32 set resp.http.strong32
= blobcode.encode(HEXUC, gcrypt.random(STRONG, 32B)); = blob.encode(HEX, UPPER, gcrypt.random(STRONG, 32B));
set resp.http.strong32-task-noarg set resp.http.strong32-task-noarg
= blobcode.encode(HEXUC, gcrypt.random()); = blob.encode(HEX, UPPER, gcrypt.random());
set resp.http.strong32-task-n0 set resp.http.strong32-task-n0
= blobcode.encode(HEXUC, gcrypt.random(n=0B)); = blob.encode(HEX, UPPER, gcrypt.random(n=0B));
set resp.http.strong32-task-enum set resp.http.strong32-task-enum
= blobcode.encode(HEXUC, gcrypt.random(VERY_STRONG)); = blob.encode(HEX, UPPER, gcrypt.random(VERY_STRONG));
set resp.http.strong32-task-n0-enum set resp.http.strong32-task-n0-enum
= blobcode.encode(HEXUC, gcrypt.random(NONCE, n=0B)); = blob.encode(HEX, UPPER, gcrypt.random(NONCE, n=0B));
set resp.http.error set resp.http.error
= blobcode.encode(HEXUC, gcrypt.random(n=1B)); = blob.encode(HEX, UPPER, gcrypt.random(n=1B));
set resp.http.strong-int = gcrypt.random_int(STRONG); set resp.http.strong-int = gcrypt.random_int(STRONG);
set resp.http.nonce-int = gcrypt.random_int(NONCE); set resp.http.nonce-int = gcrypt.random_int(NONCE);
...@@ -111,7 +111,7 @@ logexpect l1 -v v1 -d 1 -q "VCL_Error" { ...@@ -111,7 +111,7 @@ logexpect l1 -v v1 -d 1 -q "VCL_Error" {
} -run } -run
varnish v1 -errvcl {vmod gcrypt error: in gcrypt.random(): quality ENUM is NULL} { varnish v1 -errvcl {vmod gcrypt error: in gcrypt.random(): quality ENUM is NULL} {
import blobcode; import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
...@@ -124,7 +124,7 @@ varnish v1 -errvcl {vmod gcrypt error: in gcrypt.random(): quality ENUM is NULL} ...@@ -124,7 +124,7 @@ varnish v1 -errvcl {vmod gcrypt error: in gcrypt.random(): quality ENUM is NULL}
# random_real() # random_real()
varnish v1 -vcl { varnish v1 -vcl {
import blobcode; import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
...@@ -150,7 +150,7 @@ client c1 -repeat 20 { ...@@ -150,7 +150,7 @@ client c1 -repeat 20 {
# random_bool() # random_bool()
varnish v1 -vcl { varnish v1 -vcl {
import blobcode; import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
......
src/tests/wipe.vtc
View file @ 808a8eee
...@@ -3,27 +3,27 @@ ...@@ -3,27 +3,27 @@
varnishtest "wipe()" varnishtest "wipe()"
varnish v1 -vcl { varnish v1 -vcl {
import blobcode; import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
new b16 new b16
= blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f"); = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
gcrypt.wipe(b16.get()); gcrypt.wipe(b16.get());
new b4 = blobcode.blob(HEX, "00010203"); new b4 = blob.blob(HEX, "00010203");
gcrypt.wipe(b4.get()); gcrypt.wipe(b4.get());
new b12 = blobcode.blob(HEX, "000102030405060708090a0b"); new b12 = blob.blob(HEX, "000102030405060708090a0b");
gcrypt.wipe(b12.get()); gcrypt.wipe(b12.get());
new hobbes = blobcode.blob(IDENTITY, new hobbes = blob.blob(IDENTITY,
"Man is distinguished, not only by his reason, but by this singular passion from other animals, which is a lust of the mind, that by a perseverance of delight in the continued and indefatigable generation of knowledge, exceeds the short vehemence of any carnal pleasure."); "Man is distinguished, not only by his reason, but by this singular passion from other animals, which is a lust of the mind, that by a perseverance of delight in the continued and indefatigable generation of knowledge, exceeds the short vehemence of any carnal pleasure.");
gcrypt.wipe(hobbes.get()); gcrypt.wipe(hobbes.get());
new foo = blobcode.blob(encoded="foo"); new foo = blob.blob(encoded="foo");
new empty = blobcode.blob(encoded=""); new empty = blob.blob(encoded="");
} }
sub vcl_recv { sub vcl_recv {
...@@ -31,13 +31,13 @@ varnish v1 -vcl { ...@@ -31,13 +31,13 @@ varnish v1 -vcl {
} }
sub vcl_synth { sub vcl_synth {
set resp.http.b16 = blobcode.encode(HEXUC, b16.get()); set resp.http.b16 = blob.encode(HEX, UPPER, b16.get());
set resp.http.b4 = blobcode.encode(HEXUC, b4.get()); set resp.http.b4 = blob.encode(HEX, UPPER, b4.get());
set resp.http.b12 = blobcode.encode(HEXUC, b12.get()); set resp.http.b12 = blob.encode(HEX, UPPER, b12.get());
set resp.http.hobbes = blobcode.encode(HEXUC, hobbes.get()); set resp.http.hobbes = blob.encode(HEX, UPPER, hobbes.get());
gcrypt.wipe(foo.get()); gcrypt.wipe(foo.get());
set resp.http.foo = blobcode.encode(HEXUC, foo.get()); set resp.http.foo = blob.encode(HEX, UPPER, foo.get());
gcrypt.wipe(empty.get()); gcrypt.wipe(empty.get());
...@@ -63,12 +63,12 @@ logexpect l1 -v v1 -d 1 -q "VCL_Error" { ...@@ -63,12 +63,12 @@ logexpect l1 -v v1 -d 1 -q "VCL_Error" {
} -run } -run
varnish v1 -errvcl {vmod gcrypt error: empty blob in gcrypt.wipe()} { varnish v1 -errvcl {vmod gcrypt error: empty blob in gcrypt.wipe()} {
import blobcode; import blob;
import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so"; import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
backend b { .host = "${bad_ip}"; } backend b { .host = "${bad_ip}"; }
sub vcl_init { sub vcl_init {
new empty = blobcode.blob(encoded=""); new empty = blob.blob(encoded="");
gcrypt.wipe(empty.get()); gcrypt.wipe(empty.get());
} }
} }
src/vmod_gcrypt.c
View file @ 808a8eee
...@@ -45,6 +45,8 @@ ...@@ -45,6 +45,8 @@
#include "cache/cache.h" #include "cache/cache.h"
#include "vas.h" #include "vas.h"
#include "vqueue.h" #include "vqueue.h"
#include "vcl.h"
#include "vsb.h"
#include "vcc_if.h" #include "vcc_if.h"
#include "vmod_gcrypt.h" #include "vmod_gcrypt.h"
...@@ -109,6 +111,7 @@ static int rnd_boolk_inited = 0; ...@@ -109,6 +111,7 @@ static int rnd_boolk_inited = 0;
#define BLOB_VMOD_GCRYPT_TYPE 0xa003140d #define BLOB_VMOD_GCRYPT_TYPE 0xa003140d
// XXX replace all with VRT_fail()?
static void static void
errmsg(VRT_CTX, const char *fmt, ...) errmsg(VRT_CTX, const char *fmt, ...)
{ {
...@@ -118,7 +121,7 @@ errmsg(VRT_CTX, const char *fmt, ...) ...@@ -118,7 +121,7 @@ errmsg(VRT_CTX, const char *fmt, ...)
if (ctx->method == VCL_MET_INIT) { if (ctx->method == VCL_MET_INIT) {
AN(ctx->msg); AN(ctx->msg);
VSB_vprintf(ctx->msg, fmt, args); VSB_vprintf(ctx->msg, fmt, args);
VRT_handling(ctx, VCL_RET_FAIL); VRT_fail(ctx, " ");
} }
else if (ctx->vsl) else if (ctx->vsl)
VSLbv(ctx->vsl, SLT_VCL_Error, fmt, args); VSLbv(ctx->vsl, SLT_VCL_Error, fmt, args);
...@@ -181,7 +184,7 @@ gcrypt_fatal(void *priv, int err, const char *text) ...@@ -181,7 +184,7 @@ gcrypt_fatal(void *priv, int err, const char *text)
} }
int int
event(VRT_CTX, struct vmod_priv *priv, enum vcl_event_e e) vmod_event(VRT_CTX, struct vmod_priv *priv, enum vcl_event_e e)
{ {
(void) ctx; (void) ctx;
(void) priv; (void) priv;
...@@ -291,11 +294,10 @@ vmod_symmetric__init(VRT_CTX, struct vmod_gcrypt_symmetric **symmetricp, ...@@ -291,11 +294,10 @@ vmod_symmetric__init(VRT_CTX, struct vmod_gcrypt_symmetric **symmetricp,
vcl_name); vcl_name);
return; return;
} }
if (key == NULL || key->priv == NULL) { if (key == NULL || key->blob == NULL) {
VERR(ctx, "key is NULL in %s constructor", vcl_name); VERR(ctx, "key is NULL in %s constructor", vcl_name);
return; return;
} }
assert(key->len >= 0);
if (secure && !secmem_enabled) { if (secure && !secmem_enabled) {
VERR(ctx, "secure memory not enabled in %s constructor", VERR(ctx, "secure memory not enabled in %s constructor",
vcl_name); vcl_name);
...@@ -350,7 +352,7 @@ vmod_symmetric__init(VRT_CTX, struct vmod_gcrypt_symmetric **symmetricp, ...@@ -350,7 +352,7 @@ vmod_symmetric__init(VRT_CTX, struct vmod_gcrypt_symmetric **symmetricp,
vcl_name, gcry_strsource(err), gcry_strerror(err)); vcl_name, gcry_strsource(err), gcry_strerror(err));
return; return;
} }
err = gcry_cipher_setkey(hd, key->priv, key->len); err = gcry_cipher_setkey(hd, key->blob, key->len);
gcry_cipher_close(hd); gcry_cipher_close(hd);
if (err != GPG_ERR_NO_ERROR) { if (err != GPG_ERR_NO_ERROR) {
VERR(ctx, "Cannot set key in %s constructor: %s/%s", VERR(ctx, "Cannot set key in %s constructor: %s/%s",
...@@ -383,7 +385,7 @@ vmod_symmetric__init(VRT_CTX, struct vmod_gcrypt_symmetric **symmetricp, ...@@ -383,7 +385,7 @@ vmod_symmetric__init(VRT_CTX, struct vmod_gcrypt_symmetric **symmetricp,
VERRNOMEM(ctx, "copying key in %s constructor", vcl_name); VERRNOMEM(ctx, "copying key in %s constructor", vcl_name);
return; return;
} }
memcpy(symmetric->key, key->priv, key->len); memcpy(symmetric->key, key->blob, key->len);
symmetric->vcl_name = strdup(vcl_name); symmetric->vcl_name = strdup(vcl_name);
if (symmetric->vcl_name == NULL) { if (symmetric->vcl_name == NULL) {
VERRNOMEM(ctx, "copying object name in %s constructor", VERRNOMEM(ctx, "copying object name in %s constructor",
...@@ -463,30 +465,37 @@ get_symmetric_hd(VRT_CTX, ...@@ -463,30 +465,37 @@ get_symmetric_hd(VRT_CTX,
return hd; return hd;
} }
VCL_BLOB VCL_BLOB vmod_symmetric_encrypt(VRT_CTX,
vmod_symmetric_encrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric, struct VPFX(gcrypt_symmetric) *symmetric,
VCL_BLOB plainblob, VCL_BLOB iv, VCL_BLOB ctr) struct VARGS(symmetric_encrypt)* args)
{ {
VCL_BLOB plainblob = args->plaintext, iv = NULL, ctr = NULL;
size_t len, blocklen; size_t len, blocklen;
uintptr_t snap; uintptr_t snap;
void *plaintext, *ciphertext; const void *plaintext;
void *ciphertext;
gcry_error_t err = GPG_ERR_NO_ERROR; gcry_error_t err = GPG_ERR_NO_ERROR;
gcry_cipher_hd_t *hd; gcry_cipher_hd_t *hd;
VCL_BLOB b; VCL_BLOB b;
CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC); CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);
CHECK_OBJ_NOTNULL(symmetric, VMOD_GCRYPT_SYMMETRIC_MAGIC); CHECK_OBJ_NOTNULL(symmetric, VMOD_GCRYPT_SYMMETRIC_MAGIC);
if (plainblob == NULL || plainblob->priv == NULL) { if (plainblob == NULL || plainblob->blob == NULL) {
VERR(ctx, "Plaintext BLOB is NULL in %s.encrypt()", VERR(ctx, "Plaintext BLOB is NULL in %s.encrypt()",
symmetric->vcl_name); symmetric->vcl_name);
return NULL; return NULL;
} }
if (args->valid_iv)
iv = args->iv;
if (args->valid_ctr)
ctr = args->ctr;
snap = WS_Snapshot(ctx->ws); snap = WS_Snapshot(ctx->ws);
blocklen = gcry_cipher_get_algo_blklen(symmetric->algo); blocklen = gcry_cipher_get_algo_blklen(symmetric->algo);
AN(blocklen); AN(blocklen);
if (symmetric->padding != NONE) { if (symmetric->padding != NONE) {
plaintext = (padf[symmetric->padding])(ctx->ws, plainblob->priv, plaintext = (padf[symmetric->padding])(ctx->ws, plainblob->blob,
plainblob->len, blocklen, plainblob->len, blocklen,
&len); &len);
if (plaintext == NULL) { if (plaintext == NULL) {
...@@ -496,7 +505,7 @@ vmod_symmetric_encrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric, ...@@ -496,7 +505,7 @@ vmod_symmetric_encrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric,
} }
} }
else { else {
plaintext = plainblob->priv; plaintext = plainblob->blob;
len = plainblob->len; len = plainblob->len;
} }
if ((ciphertext = WS_Alloc(ctx->ws, len)) == NULL) { if ((ciphertext = WS_Alloc(ctx->ws, len)) == NULL) {
...@@ -514,11 +523,10 @@ vmod_symmetric_encrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric, ...@@ -514,11 +523,10 @@ vmod_symmetric_encrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric,
"%s.encrypt()", symmetric->vcl_name); "%s.encrypt()", symmetric->vcl_name);
goto fail; goto fail;
} }
assert(iv->len >= 0);
/* A NULL iv of length 0 is permitted. */ /* A NULL iv of length 0 is permitted. */
if (iv->priv == NULL) if (iv->blob == NULL)
assert(iv->len == 0); assert(iv->len == 0);
if ((err = gcry_cipher_setiv(*hd, iv->priv, iv->len)) if ((err = gcry_cipher_setiv(*hd, iv->blob, iv->len))
!= GPG_ERR_NO_ERROR) { != GPG_ERR_NO_ERROR) {
VERR(ctx, "Cannot set initialization vector in " VERR(ctx, "Cannot set initialization vector in "
"%s.encrypt(): %s/%s", symmetric->vcl_name, "%s.encrypt(): %s/%s", symmetric->vcl_name,
...@@ -527,13 +535,12 @@ vmod_symmetric_encrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric, ...@@ -527,13 +535,12 @@ vmod_symmetric_encrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric,
} }
} }
if (need_ctr[symmetric->mode]) { if (need_ctr[symmetric->mode]) {
if (ctr == NULL || ctr->priv == NULL) { if (ctr == NULL || ctr->blob == NULL) {
VERR(ctx, "Required counter vector is NULL in " VERR(ctx, "Required counter vector is NULL in "
"%s.encrypt()", symmetric->vcl_name); "%s.encrypt()", symmetric->vcl_name);
goto fail; goto fail;
} }
assert(ctr->len >= 0); if ((err = gcry_cipher_setctr(*hd, ctr->blob, ctr->len))
if ((err = gcry_cipher_setctr(*hd, ctr->priv, ctr->len))
!= GPG_ERR_NO_ERROR) { != GPG_ERR_NO_ERROR) {
VERR(ctx, "Cannot set counter vector in %s.encrypt(): " VERR(ctx, "Cannot set counter vector in %s.encrypt(): "
"%s/%s", symmetric->vcl_name, gcry_strsource(err), "%s/%s", symmetric->vcl_name, gcry_strsource(err),
...@@ -562,24 +569,29 @@ vmod_symmetric_encrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric, ...@@ -562,24 +569,29 @@ vmod_symmetric_encrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric,
return NULL; return NULL;
} }
VCL_BLOB VCL_BLOB vmod_symmetric_decrypt(VRT_CTX,
vmod_symmetric_decrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric, struct VPFX(gcrypt_symmetric) *symmetric,
VCL_BLOB ciphertext, VCL_BLOB iv, VCL_BLOB ctr) struct VARGS(symmetric_decrypt) *args)
{ {
VCL_BLOB ciphertext = args->ciphertext, iv = NULL, ctr = NULL;
uintptr_t snap; uintptr_t snap;
struct vmod_priv *plaintext; struct vrt_blob *plaintext;
void *plain;
gcry_error_t err = GPG_ERR_NO_ERROR; gcry_error_t err = GPG_ERR_NO_ERROR;
gcry_cipher_hd_t *hd; gcry_cipher_hd_t *hd;
size_t blocklen; size_t blocklen;
CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC); CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);
CHECK_OBJ_NOTNULL(symmetric, VMOD_GCRYPT_SYMMETRIC_MAGIC); CHECK_OBJ_NOTNULL(symmetric, VMOD_GCRYPT_SYMMETRIC_MAGIC);
if (ciphertext == NULL || ciphertext->priv == NULL) { if (ciphertext == NULL || ciphertext->blob == NULL) {
VERR(ctx, "Ciphertext BLOB is NULL in %s.decrypt()", VERR(ctx, "Ciphertext BLOB is NULL in %s.decrypt()",
symmetric->vcl_name); symmetric->vcl_name);
return NULL; return NULL;
} }
assert(ciphertext->len >= 0); if (args->valid_iv)
iv = args->iv;
if (args->valid_ctr)
ctr = args->ctr;
snap = WS_Snapshot(ctx->ws); snap = WS_Snapshot(ctx->ws);
if ((plaintext = WS_Alloc(ctx->ws, sizeof(*plaintext))) == NULL) { if ((plaintext = WS_Alloc(ctx->ws, sizeof(*plaintext))) == NULL) {
...@@ -588,8 +600,8 @@ vmod_symmetric_decrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric, ...@@ -588,8 +600,8 @@ vmod_symmetric_decrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric,
return NULL; return NULL;
} }
plaintext->priv = WS_Front(ctx->ws); plaintext->blob = plain = WS_Front(ctx->ws);
if (WS_Reserve(ctx->ws, 0) < (unsigned) ciphertext->len) { if (WS_ReserveAll(ctx->ws) < (unsigned) ciphertext->len) {
VERRNOMEM(ctx, "Allocating plaintext result in %s.decrypt()", VERRNOMEM(ctx, "Allocating plaintext result in %s.decrypt()",
symmetric->vcl_name); symmetric->vcl_name);
WS_Reset(ctx->ws, snap); WS_Reset(ctx->ws, snap);
...@@ -605,11 +617,10 @@ vmod_symmetric_decrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric, ...@@ -605,11 +617,10 @@ vmod_symmetric_decrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric,
"%s.decrypt()", symmetric->vcl_name); "%s.decrypt()", symmetric->vcl_name);
goto fail; goto fail;
} }
assert(iv->len >= 0);
/* A NULL iv of length 0 is permitted. */ /* A NULL iv of length 0 is permitted. */
if (iv->priv == NULL) if (iv->blob == NULL)
assert(iv->len == 0); assert(iv->len == 0);
if ((err = gcry_cipher_setiv(*hd, iv->priv, iv->len)) if ((err = gcry_cipher_setiv(*hd, iv->blob, iv->len))
!= GPG_ERR_NO_ERROR) { != GPG_ERR_NO_ERROR) {
VERR(ctx, "Cannot set initialization vector in " VERR(ctx, "Cannot set initialization vector in "
"%s.decrypt(): %s/%s", symmetric->vcl_name, "%s.decrypt(): %s/%s", symmetric->vcl_name,
...@@ -618,13 +629,12 @@ vmod_symmetric_decrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric, ...@@ -618,13 +629,12 @@ vmod_symmetric_decrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric,
} }
} }
if (need_ctr[symmetric->mode]) { if (need_ctr[symmetric->mode]) {
if (ctr == NULL || ctr->priv == NULL) { if (ctr == NULL || ctr->blob == NULL) {
VERR(ctx, "Required counter vector is NULL in " VERR(ctx, "Required counter vector is NULL in "
"%s.decrypt()", symmetric->vcl_name); "%s.decrypt()", symmetric->vcl_name);
goto fail; goto fail;
} }
assert(ctr->len >= 0); if ((err = gcry_cipher_setctr(*hd, ctr->blob, ctr->len))
if ((err = gcry_cipher_setctr(*hd, ctr->priv, ctr->len))
!= GPG_ERR_NO_ERROR) { != GPG_ERR_NO_ERROR) {
VERR(ctx, "Cannot set counter vector in %s.decrypt(): " VERR(ctx, "Cannot set counter vector in %s.decrypt(): "
"%s/%s", symmetric->vcl_name, gcry_strsource(err), "%s/%s", symmetric->vcl_name, gcry_strsource(err),
...@@ -632,8 +642,8 @@ vmod_symmetric_decrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric, ...@@ -632,8 +642,8 @@ vmod_symmetric_decrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric,
goto fail; goto fail;
} }
} }
if ((err = gcry_cipher_decrypt(*hd, plaintext->priv, ciphertext->len, if ((err = gcry_cipher_decrypt(*hd, plain, ciphertext->len,
ciphertext->priv, ciphertext->len)) ciphertext->blob, ciphertext->len))
!= GPG_ERR_NO_ERROR) { != GPG_ERR_NO_ERROR) {
VERR(ctx, "in %s.decrypt(): %s/%s", symmetric->vcl_name, VERR(ctx, "in %s.decrypt(): %s/%s", symmetric->vcl_name,
gcry_strsource(err), gcry_strerror(err)); gcry_strsource(err), gcry_strerror(err));
...@@ -651,17 +661,11 @@ vmod_symmetric_decrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric, ...@@ -651,17 +661,11 @@ vmod_symmetric_decrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric,
goto fail; goto fail;
} }
plaintext->len = plaintext->len =
(unpadlenf[symmetric->padding])(plaintext->priv, (unpadlenf[symmetric->padding])(plain,
ciphertext->len, ciphertext->len,
blocklen); blocklen);
if (plaintext->len < 0) {
VERR(ctx, "in %s.decrypt(): incorrect padding",
symmetric->vcl_name);
goto fail;
}
} }
WS_Release(ctx->ws, plaintext->len); WS_Release(ctx->ws, plaintext->len);
plaintext->free = NULL;
return plaintext; return plaintext;
fail: fail:
...@@ -673,7 +677,7 @@ vmod_symmetric_decrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric, ...@@ -673,7 +677,7 @@ vmod_symmetric_decrypt(VRT_CTX, struct vmod_gcrypt_symmetric *symmetric,
/* Function random */ /* Function random */
static inline void static inline void
get_rnd(VCL_ENUM const restrict qualitys, void * const restrict p, size_t n) get_rnd(VCL_ENUM const restrict qualitys, void * restrict p, size_t n)
{ {
switch(qualitys[0]) { switch(qualitys[0]) {
case 'N': case 'N':
...@@ -694,10 +698,14 @@ get_rnd(VCL_ENUM const restrict qualitys, void * const restrict p, size_t n) ...@@ -694,10 +698,14 @@ get_rnd(VCL_ENUM const restrict qualitys, void * const restrict p, size_t n)
} }
VCL_BLOB VCL_BLOB
vmod_random(VRT_CTX, struct vmod_priv *rnd_task, VCL_ENUM qualitys, VCL_BYTES n) vmod_random(VRT_CTX, struct VARGS(random)*args)
{ {
struct vmod_priv *rnd_blob; struct vmod_priv *rnd_task = args->arg1;
VCL_ENUM qualitys = NULL;
VCL_BYTES n = args->n;
struct vrt_blob *rnd_blob;
uintptr_t snap; uintptr_t snap;
void *rnd;
CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC); CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);
AN(rnd_task); AN(rnd_task);
...@@ -714,6 +722,9 @@ vmod_random(VRT_CTX, struct vmod_priv *rnd_task, VCL_ENUM qualitys, VCL_BYTES n) ...@@ -714,6 +722,9 @@ vmod_random(VRT_CTX, struct vmod_priv *rnd_task, VCL_ENUM qualitys, VCL_BYTES n)
return (VCL_BLOB)rnd_task->priv; return (VCL_BLOB)rnd_task->priv;
} }
if (args->valid_quality)
qualitys = args->quality;
if (qualitys == NULL) { if (qualitys == NULL) {
ERR(ctx, "in gcrypt.random(): quality ENUM is NULL"); ERR(ctx, "in gcrypt.random(): quality ENUM is NULL");
return NULL; return NULL;
...@@ -725,15 +736,17 @@ vmod_random(VRT_CTX, struct vmod_priv *rnd_task, VCL_ENUM qualitys, VCL_BYTES n) ...@@ -725,15 +736,17 @@ vmod_random(VRT_CTX, struct vmod_priv *rnd_task, VCL_ENUM qualitys, VCL_BYTES n)
"BLOB"); "BLOB");
return NULL; return NULL;
} }
if ((rnd_blob->priv = WS_Alloc(ctx->ws, n)) == NULL) { if ((rnd = WS_Alloc(ctx->ws, n)) == NULL) {
WS_Reset(ctx->ws, snap); WS_Reset(ctx->ws, snap);
VERRNOMEM(ctx, "in gcrypt.random(), allocating space for %d " VERRNOMEM(ctx, "in gcrypt.random(), allocating space for %d "
"random bytes", n); "random bytes", n);
return NULL; return NULL;
} }
get_rnd(qualitys, rnd_blob->priv, n);
get_rnd(qualitys, rnd, n);
rnd_blob->blob = rnd;
rnd_blob->len = n; rnd_blob->len = n;
rnd_blob->free = NULL;
rnd_task->priv = rnd_blob; rnd_task->priv = rnd_blob;
rnd_task->len = sizeof(*rnd_blob); rnd_task->len = sizeof(*rnd_blob);
rnd_task->free = NULL; rnd_task->free = NULL;
...@@ -898,9 +911,9 @@ vmod_random_bool(VRT_CTX, VCL_ENUM qualitys) ...@@ -898,9 +911,9 @@ vmod_random_bool(VRT_CTX, VCL_ENUM qualitys)
/* Function wipe */ /* Function wipe */
static inline void static inline void
wipe(void * const dst, size_t len, uint8_t val) wipe(const void * const dst, size_t len, uint8_t val)
{ {
volatile uint8_t *p = (volatile uint8_t *)dst; volatile uint8_t *p = (volatile uint8_t *)TRUST_ME(dst);
while (((uintptr_t)p & (sizeof(uint64_t)-1)) && len) { while (((uintptr_t)p & (sizeof(uint64_t)-1)) && len) {
*p++ = val; *p++ = val;
...@@ -925,14 +938,14 @@ VCL_VOID ...@@ -925,14 +938,14 @@ VCL_VOID
vmod_wipe(VRT_CTX, VCL_BLOB b) vmod_wipe(VRT_CTX, VCL_BLOB b)
{ {
CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC); CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);
if (b == NULL || b->len == 0 || b->priv == NULL) { if (b == NULL || b->len == 0 || b->blob == NULL) {
ERR(ctx, "empty blob in gcrypt.wipe()"); ERR(ctx, "empty blob in gcrypt.wipe()");
return; return;
} }
wipe(b->priv, b->len, 0xff); wipe(b->blob, b->len, 0xff);
wipe(b->priv, b->len, 0xaa); wipe(b->blob, b->len, 0xaa);
wipe(b->priv, b->len, 0x55); wipe(b->blob, b->len, 0x55);
wipe(b->priv, b->len, 0x00); wipe(b->blob, b->len, 0x00);
} }
/* Function fileread */ /* Function fileread */
...@@ -971,7 +984,7 @@ filedata_free(void *p) ...@@ -971,7 +984,7 @@ filedata_free(void *p)
VCL_BLOB VCL_BLOB
vmod_fileread(VRT_CTX, struct vmod_priv *task, VCL_STRING path) vmod_fileread(VRT_CTX, struct vmod_priv *task, VCL_STRING path)
{ {
struct vmod_priv *b; struct vrt_blob *b;
struct filedata_head *fhead; struct filedata_head *fhead;
struct filedata *fdata; struct filedata *fdata;
struct stat st, fst; struct stat st, fst;
...@@ -1011,7 +1024,6 @@ vmod_fileread(VRT_CTX, struct vmod_priv *task, VCL_STRING path) ...@@ -1011,7 +1024,6 @@ vmod_fileread(VRT_CTX, struct vmod_priv *task, VCL_STRING path)
ERRNOMEM(ctx, "Allocating return BLOB in gcrypt.fileread()"); ERRNOMEM(ctx, "Allocating return BLOB in gcrypt.fileread()");
return NULL; return NULL;
} }
b->free = NULL;
errno = 0; errno = 0;
if (stat(path, &st) < 0) { if (stat(path, &st) < 0) {
...@@ -1087,7 +1099,7 @@ vmod_fileread(VRT_CTX, struct vmod_priv *task, VCL_STRING path) ...@@ -1087,7 +1099,7 @@ vmod_fileread(VRT_CTX, struct vmod_priv *task, VCL_STRING path)
fdata->contents = contents; fdata->contents = contents;
fdata->len = st.st_size; fdata->len = st.st_size;
VSLIST_INSERT_HEAD(fhead, fdata, list); VSLIST_INSERT_HEAD(fhead, fdata, list);
b->priv = contents; b->blob = contents;
b->len = st.st_size; b->len = st.st_size;
return b; return b;
......
src/vmod_gcrypt.vcc
View file @ 808a8eee
...@@ -5,7 +5,7 @@ ...@@ -5,7 +5,7 @@
# Author: Geoffrey Simmons <geoffrey.simmons@uplex.de> # Author: Geoffrey Simmons <geoffrey.simmons@uplex.de>
# #
$Module gcrypt 3 access the libgcrypt cryptographic library $Module gcrypt 3 "access the libgcrypt cryptographic library"
:: ::
...@@ -50,13 +50,13 @@ allows the VMOD to concentrate strictly on cryptographic operations, ...@@ -50,13 +50,13 @@ allows the VMOD to concentrate strictly on cryptographic operations,
separate from concerns of binary-to-text encodings. BLOBs are not separate from concerns of binary-to-text encodings. BLOBs are not
created by any part of native VCL, and can only be created by other created by any part of native VCL, and can only be created by other
VMODs, so it is necessary to use this VMOD together with another one VMODs, so it is necessary to use this VMOD together with another one
that does so (such as VMOD ``blobcode`` for binary-to-text encodings, that does so (such as VMOD ``blob`` for binary-to-text encodings,
see `SEE ALSO`_). which is part of varnish-cache).
This is a simple usage example:: This is a simple usage example::
import gcrypt; import gcrypt;
import blobcode; import blob;
sub vcl_init { sub vcl_init {
# Finalize default initialization of the libgcrypt library. # Finalize default initialization of the libgcrypt library.
...@@ -76,19 +76,19 @@ This is a simple usage example:: ...@@ -76,19 +76,19 @@ This is a simple usage example::
# response header X-Cipher, and the hex-encoded counter vector to # response header X-Cipher, and the hex-encoded counter vector to
# the response header X-Ctr; and remove X-Msg from the response. # the response header X-Ctr; and remove X-Msg from the response.
sub vcl_deliver { sub vcl_deliver {
# Use the blobcode VMOD to convert the contents of X-Msg to a # Use the blob VMOD to convert the contents of X-Msg to a
# BLOB, and to encode the encrypted ciphertext in hex with # BLOB, and to encode the encrypted ciphertext in hex with
# lower-case digits. Use the random() function to generate a # lower-case digits. Use the random() function to generate a
# counter vector as a 128 bit nonce. # counter vector as a 128 bit nonce.
set resp.http.X-Cipher set resp.http.X-Cipher
= blobcode.encode(HEXLC, = blob.encode(HEXLC,
aes.encrypt(blobcode.decode(encoded=req.http.X-Msg), aes.encrypt(blob.decode(encoded=req.http.X-Msg),
ctr=gcrypt.random(NONCE, 16B))); ctr=gcrypt.random(NONCE, 16B)));
# Use the no-argument version of random() to retrieve the # Use the no-argument version of random() to retrieve the
# counter vector that was just generated, and use the # counter vector that was just generated, and use the
# blobcode VMOD to encode it as lower-case hex. # blob VMOD to encode it as lower-case hex.
set resp.http.X-CTR = blobcode.encode(HEXLC, gcrypt.random()); set resp.http.X-CTR = blob.encode(HEXLC, gcrypt.random());
# Remove the plaintext from the response header. # Remove the plaintext from the response header.
unset resp.http.X-Msg; unset resp.http.X-Msg;
...@@ -313,21 +313,21 @@ of the VCL load with an error message, under these conditions: ...@@ -313,21 +313,21 @@ of the VCL load with an error message, under these conditions:
Examples:: Examples::
import gcrypt; import gcrypt;
import blobcode; import blob;
# Assume in the following that initialization has been finalized. # Assume in the following that initialization has been finalized.
sub vcl_init { sub vcl_init {
# Use the blobcode VMOD to create some BLOBs for the cryptographic # Use the blob VMOD to create some BLOBs for the cryptographic
# keys, whose lengths are 16, 24 and 32 bytes for AES-128, -192 # keys, whose lengths are 16, 24 and 32 bytes for AES-128, -192
# and -256, respectively. # and -256, respectively.
# NOTE: The keys used in this manual's examples are chosen to # NOTE: The keys used in this manual's examples are chosen to
# make the key lengths easy to recognize. DO NOT copy them # make the key lengths easy to recognize. DO NOT copy them
# into production VCL! # into production VCL!
new k128 = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f"); new k128 = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new k192 = blobcode.blob(HEX, new k192 = blob.blob(HEX,
"000102030405060708090a0b0c0d0e0f1011121314151617"); "000102030405060708090a0b0c0d0e0f1011121314151617");
new k256 = blobcode.blob(HEX, new k256 = blob.blob(HEX,
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"); "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f");
# Create an object for AES-128 with CTR mode (no padding # Create an object for AES-128 with CTR mode (no padding
...@@ -387,19 +387,19 @@ Examples:: ...@@ -387,19 +387,19 @@ Examples::
sub vcl_deliver { sub vcl_deliver {
# Encrypt X-Msg-128 with AES-128 and the counter vector, and # Encrypt X-Msg-128 with AES-128 and the counter vector, and
# return the ciphertext in a base64-encoded response header. # return the ciphertext in a base64-encoded response header.
set resp.http.X-Cipher-128 = blobcode.encode(BASE64, set resp.http.X-Cipher-128 = blob.encode(BASE64,
aes128.encrypt(blobcode.decode(encoded=resp.http.X-Msg-128), aes128.encrypt(blob.decode(encoded=resp.http.X-Msg-128),
ctr=blobcode.decode(BASE64, resp.http.X-Ctr))); ctr=blob.decode(BASE64, resp.http.X-Ctr)));
# Encrypt X-Msg-192 with AES-192 and init vector X-IV-192. # Encrypt X-Msg-192 with AES-192 and init vector X-IV-192.
set resp.http.X-Cipher-192 = blobcode.encode(BASE64, set resp.http.X-Cipher-192 = blob.encode(BASE64,
aes192.encrypt(blobcode.decode(encoded=resp.http.X-Msg-192), aes192.encrypt(blob.decode(encoded=resp.http.X-Msg-192),
iv=blobcode.decode(BASE64, resp.http.X-IV-192))); iv=blob.decode(BASE64, resp.http.X-IV-192)));
# Encrypt X-Msg-256 with AES-256 and init vector X-IV-256. # Encrypt X-Msg-256 with AES-256 and init vector X-IV-256.
set resp.http.X-Cipher-256 = blobcode.encode(BASE64, set resp.http.X-Cipher-256 = blob.encode(BASE64,
aes256.encrypt(blobcode.decode(encoded=resp.http.X-Msg-256), aes256.encrypt(blob.decode(encoded=resp.http.X-Msg-256),
iv=blobcode.decode(BASE64, resp.http.X-IV-256))); iv=blob.decode(BASE64, resp.http.X-IV-256)));
} }
$Method BLOB .decrypt(BLOB ciphertext, [BLOB iv], [BLOB ctr]) $Method BLOB .decrypt(BLOB ciphertext, [BLOB iv], [BLOB ctr])
...@@ -441,19 +441,19 @@ Examples:: ...@@ -441,19 +441,19 @@ Examples::
sub vcl_recv { sub vcl_recv {
# Decrypt X-Msg-128 with AES-128 and the counter vector, and # Decrypt X-Msg-128 with AES-128 and the counter vector, and
# return the plaintext in a base64-encoded request header. # return the plaintext in a base64-encoded request header.
set req.http.X-Cipher-128 = blobcode.encode(BASE64, set req.http.X-Cipher-128 = blob.encode(BASE64,
aes128.decrypt(blobcode.decode(encoded=req.http.X-Msg-128), aes128.decrypt(blob.decode(encoded=req.http.X-Msg-128),
ctr=blobcode.decode(BASE64, req.http.X-Ctr))); ctr=blob.decode(BASE64, req.http.X-Ctr)));
# Decrypt X-Msg-192 with AES-192 and init vector X-IV-192. # Decrypt X-Msg-192 with AES-192 and init vector X-IV-192.
set req.http.X-Cipher-192 = blobcode.encode(BASE64, set req.http.X-Cipher-192 = blob.encode(BASE64,
aes192.decrypt(blobcode.decode(encoded=req.http.X-Msg-192), aes192.decrypt(blob.decode(encoded=req.http.X-Msg-192),
iv=blobcode.decode(BASE64, req.http.X-IV-192))); iv=blob.decode(BASE64, req.http.X-IV-192)));
# Decrypt X-Msg-256 with AES-256 and init vector X-IV-256. # Decrypt X-Msg-256 with AES-256 and init vector X-IV-256.
set req.http.X-Cipher-256 = blobcode.encode(BASE64, set req.http.X-Cipher-256 = blob.encode(BASE64,
aes256.decrypt(blobcode.decode(encoded=req.http.X-Msg-256), aes256.decrypt(blob.decode(encoded=req.http.X-Msg-256),
iv=blobcode.decode(BASE64, req.http.X-IV-256))); iv=blob.decode(BASE64, req.http.X-IV-256)));
} }
$Function BLOB fileread(PRIV_TASK, STRING path) $Function BLOB fileread(PRIV_TASK, STRING path)
...@@ -542,7 +542,7 @@ Example:: ...@@ -542,7 +542,7 @@ Example::
key=gcrypt.fileread("/path/to/key")); key=gcrypt.fileread("/path/to/key"));
} }
$Function BLOB random(PRIV_TASK, ENUM {STRONG, VERY_STRONG, NONCE} quality=0, $Function BLOB random(PRIV_TASK, [ENUM {STRONG, VERY_STRONG, NONCE} quality],
BYTES n=0) BYTES n=0)
Return a BLOB containing ``n`` bytes of pseudo-random data. The Return a BLOB containing ``n`` bytes of pseudo-random data. The
...@@ -617,14 +617,14 @@ Example:: ...@@ -617,14 +617,14 @@ Example::
# cipher in use -- 128 bits (16 bytes) for AES. For CBC, the IV # cipher in use -- 128 bits (16 bytes) for AES. For CBC, the IV
# MUST be unpredictable, so we use quality level STRONG. # MUST be unpredictable, so we use quality level STRONG.
set resp.http.X-Encrypted set resp.http.X-Encrypted
= blobcode.encode(BASE64, = blob.encode(BASE64,
aes192.encrypt(blobcode.decode(encoded=resp.http.X-Msg), aes192.encrypt(blob.decode(encoded=resp.http.X-Msg),
iv=gcrypt.random(STRONG, 16B))); iv=gcrypt.random(STRONG, 16B)));
# Now call random() with no arguments to retrive the IV that # Now call random() with no arguments to retrive the IV that
# was generated, to be sent in the base64-encoded response # was generated, to be sent in the base64-encoded response
# header X-IV. # header X-IV.
set resp.http.X-IV = blobcode.encode(BASE64, gcrypt.random()); set resp.http.X-IV = blob.encode(BASE64, gcrypt.random());
# Remove the plaintext from the response header. # Remove the plaintext from the response header.
unset resp.http.X-Msg; unset resp.http.X-Msg;
...@@ -715,7 +715,7 @@ Example:: ...@@ -715,7 +715,7 @@ Example::
# secure memory, wipe the BLOB from which the key was read. This # secure memory, wipe the BLOB from which the key was read. This
# ensures that the key is only stored in secure memory. # ensures that the key is only stored in secure memory.
sub vcl_init { sub vcl_init {
new k = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f"); new k = blob.blob(HEX, "000102030405060708090a0b0c0d0e0f");
new aes = gcrypt.symmetric(AES, CTR, key=k.get(), secure=true); new aes = gcrypt.symmetric(AES, CTR, key=k.get(), secure=true);
gcrypt.wipe(key.get()); gcrypt.wipe(key.get());
} }
...@@ -840,7 +840,7 @@ enter into cryptographic operations -- keys, plaintexts, ciphertexts, ...@@ -840,7 +840,7 @@ enter into cryptographic operations -- keys, plaintexts, ciphertexts,
IVs and counters. But these are typically obtained from sources that IVs and counters. But these are typically obtained from sources that
are readable from other elements of Varnish. are readable from other elements of Varnish.
As can be seen in the examples above that use VMOD blobcode to create As can be seen in the examples above that use VMOD blob to create
key objects, the contents of a key are readable in the VCL source. If key objects, the contents of a key are readable in the VCL source. If
you are using the VMOD that way, consider storing VCL sources so that you are using the VMOD that way, consider storing VCL sources so that
they are only readable by the owner of the Varnish child process. they are only readable by the owner of the Varnish child process.
...@@ -938,7 +938,6 @@ SEE ALSO ...@@ -938,7 +938,6 @@ SEE ALSO
* pthread_key_create(3) * pthread_key_create(3)
* libgcrypt: https://gnupg.org/software/libgcrypt/index.html * libgcrypt: https://gnupg.org/software/libgcrypt/index.html
* source repository: https://code.uplex.de/uplex-varnish/libvmod-gcrypt * source repository: https://code.uplex.de/uplex-varnish/libvmod-gcrypt
* VMOD blobcode: https://code.uplex.de/uplex-varnish/libvmod-blobcode
* developer contact: <varnish-support@uplex.de>, and at the source * developer contact: <varnish-support@uplex.de>, and at the source
repository site repository site
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment