uplex-varnish
libvmod-gcrypt
Commits
d63520d9
Commit
d63520d9
authored
Apr 18, 2017
by
Geoff Simmons
Add tests for failures with AES constructor, .encrypt() and .decrypt().
parent
87f05ce9
Pipeline
#179
skipped
Showing
1 changed file
with
212 additions
and
0 deletions
+212
-0
aes_fail.vtc
src/tests/aes_fail.vtc
+212
-0
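--- a/src/tests/aes_fail.vtc
+++ b/src/tests/aes_fail.vtc
+# looks like -*- vcl -*-
+varnishtest "AES failures"
+# Initialize libgcrypt
+varnish v1 -vcl {
+import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
+backend b { .host = "${bad_ip}"; }
+sub vcl_init {
+gcrypt.init(FINISH);
+}
+} -start
+# NULL key is illegal
+varnish v1 -errvcl {vmod gcrypt error: key is NULL in aes constructor} {
+import blobcode;
+import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
+backend b { .host = "${bad_ip}"; }
+sub vcl_init {
+new k = blobcode.blob(encoded="");
+new aes = gcrypt.symmetric(AES, ECB, key=k.get());
+}
+}
+# Key too short
+varnish v1 -errvcl {vmod gcrypt error: Cannot set key in aes constructor} {
+import blobcode;
+import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
+backend b { .host = "${bad_ip}"; }
+sub vcl_init {
+new k = blobcode.blob(HEX, "0");
+new aes = gcrypt.symmetric(AES, ECB, key=k.get());
+}
+}
+# Key too long
+varnish v1 -errvcl {vmod gcrypt error: Key length 17 is longer than the maximum supported length 16 for AES cipher in aes constructor} {
+import blobcode;
+import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
+backend b { .host = "${bad_ip}"; }
+sub vcl_init {
+new k = blobcode.blob(HEX,
+"000102030405060708090a0b0c0d0e0f10");
+new aes = gcrypt.symmetric(AES, ECB, key=k.get());
+}
+}
+varnish v1 -vcl {
+import blobcode;
+import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
+backend b { .host = "${bad_ip}"; }
+sub vcl_init {
+new k = blobcode.blob(HEX, "000102030405060708090a0b0c0d0e0f");
+new cbc = gcrypt.symmetric(AES, CBC, NONE, key=k.get());
+new ctr = gcrypt.symmetric(AES, CTR, key=k.get());
+new null = blobcode.blob(encoded="");
+new short = blobcode.blob(encoded="Too short");
+new long = blobcode.blob(HEX,
+"000102030405060708090a0b0c0d0e0f10");
+}
+sub vcl_recv {
+return(synth(200));
+}
+sub vcl_synth {
+# Errors in .encrypt()
+# NULL plaintext is illegal
+set resp.http.plain-null
+= blobcode.encode(HEXUC, cbc.encrypt(null.get()));
+# NULL IV is illegal when required
+set resp.http.enc-iv-null
+= blobcode.encode(HEXUC, cbc.encrypt(k.get()));
+# IV shorter than the block length is not an error, but
+# invokes a libgcrypt log warning
+set resp.http.enc-iv-short
+= blobcode.encode(HEXUC, cbc.encrypt(k.get(), short.get()));
+# IV longer than the block length is not an error, but
+# invokes a libgcrypt log warning
+set resp.http.enc-iv-long
+= blobcode.encode(HEXUC, cbc.encrypt(k.get(), long.get()));
+# When no padding is specified, the length of the plaintext
+# must be an exact multiple of the block length.
+set resp.http.enc-plain-short
+= blobcode.encode(HEXUC, cbc.encrypt(short.get(), k.get()));
+set resp.http.enc-plain-long
+= blobcode.encode(HEXUC, cbc.encrypt(long.get(), k.get()));
+# NULL CTR is illegal when required
+set resp.http.enc-ctr-null
+= blobcode.encode(HEXUC, ctr.encrypt(k.get()));
+# CTR shorter than the block length is illegal
+set resp.http.enc-ctr-short
+= blobcode.encode(HEXUC, ctr.encrypt(k.get(),
+ctr=short.get()));
+# CTR longer than the block length is illegal
+set resp.http.enc-ctr-long
+= blobcode.encode(HEXUC, ctr.encrypt(k.get(),
+ctr=long.get()));
+# Errors in .decrypt()
+# NULL ciphertext is illegal
+set resp.http.cipher-null
+= blobcode.encode(HEXUC, cbc.decrypt(null.get()));
+# NULL IV is illegal when required
+set resp.http.dec-iv-null
+= blobcode.encode(HEXUC, cbc.decrypt(k.get()));
+# IV shorter than the block length is not an error, but
+# invokes a libgcrypt log warning
+set resp.http.dec-iv-short
+= blobcode.encode(HEXUC, cbc.decrypt(k.get(), short.get()));
+# IV longer than the block length is not an error, but
+# invokes a libgcrypt log warning
+set resp.http.dec-iv-long
+= blobcode.encode(HEXUC, cbc.decrypt(k.get(), long.get()));
+# When no padding is specified, the length of the ciphertext
+# must be an exact multiple of the block length.
+set resp.http.dec-cipher-short
+= blobcode.encode(HEXUC, cbc.decrypt(short.get(), k.get()));
+set resp.http.dec-cipher-long
+= blobcode.encode(HEXUC, cbc.decrypt(long.get(), k.get()));
+# NULL CTR is illegal when required
+set resp.http.dec-ctr-null
+= blobcode.encode(HEXUC, ctr.decrypt(k.get()));
+# CTR shorter than the block length is illegal
+set resp.http.dec-ctr-short
+= blobcode.encode(HEXUC, ctr.decrypt(k.get(),
+ctr=short.get()));
+# CTR longer than the block length is illegal
+set resp.http.dec-ctr-long
+= blobcode.encode(HEXUC, ctr.decrypt(k.get(),
+ctr=long.get()));
+return(deliver);
+}
+}
+client c1 {
+txreq
+rxresp
+expect resp.status == 200
+expect resp.http.plain-null == ""
+expect resp.http.enc-iv-null == ""
+expect resp.http.enc-plain-short == ""
+expect resp.http.enc-plain-long == ""
+expect resp.http.enc-iv-short ~ "^[[:xdigit:]]{32}$"
+expect resp.http.enc-iv-long ~ "^[[:xdigit:]]{32}$"
+expect resp.http.enc-ctr-null == ""
+expect resp.http.enc-ctr-short == ""
+expect resp.http.enc-ctr-long == ""
+expect resp.http.cipher-null == ""
+expect resp.http.dec-iv-null == ""
+expect resp.http.dec-iv-short ~ "^[[:xdigit:]]{32}$"
+expect resp.http.dec-iv-long ~ "^[[:xdigit:]]{32}$"
+expect resp.http.dec-cipher-short == ""
+expect resp.http.dec-ctr-null == ""
+expect resp.http.dec-ctr-short == ""
+expect resp.http.dec-ctr-long == ""
+} -run
+logexpect l1 -v v1 -d 1 -q "VCL_Error" {
+expect 0 * Begin req
+expect * = VCL_Error "^vmod gcrypt error: Plaintext BLOB is NULL in cbc.encrypt..$"
+expect * = VCL_Error "^vmod gcrypt error: Required initialization vector is NULL in cbc.encrypt..$"
+expect * = VCL_Error "^vmod gcrypt error: in cbc.encrypt..: "
+expect * = VCL_Error "^vmod gcrypt error: in cbc.encrypt..: "
+expect * = VCL_Error "^vmod gcrypt error: Required counter vector is NULL in ctr.encrypt..$"
+expect * = VCL_Error "^vmod gcrypt error: Cannot set counter vector in ctr.encrypt..: "
+expect * = VCL_Error "^vmod gcrypt error: Cannot set counter vector in ctr.encrypt..: "
+expect * = VCL_Error "^vmod gcrypt error: Ciphertext BLOB is NULL in cbc.decrypt..$"
+expect * = VCL_Error "^vmod gcrypt error: Required initialization vector is NULL in cbc.decrypt..$"
+expect * = VCL_Error "^vmod gcrypt error: in cbc.decrypt..: "
+expect * = VCL_Error "^vmod gcrypt error: in cbc.decrypt..: "
+expect * = VCL_Error "^vmod gcrypt error: Required counter vector is NULL in ctr.decrypt..$"
+expect * = VCL_Error "^vmod gcrypt error: Cannot set counter vector in ctr.decrypt..: "
+expect * = VCL_Error "^vmod gcrypt error: Cannot set counter vector in ctr.decrypt..: "
+expect * = End
+} -run
+# Warning messages from libgcrypt about incorrect IV lengths
+logexpect l1 -v v1 -d 1 -g raw -q "Debug" {
+expect * 0 Debug "libgcrypt log message follows .\\w+.:$"
+expect * = Debug ".+"
+expect * 0 Debug "libgcrypt log message follows .\\w+.:$"
+expect * = Debug ".+"
+expect * 0 Debug "libgcrypt log message follows .\\w+.:$"
+expect * = Debug ".+"
+expect * 0 Debug "libgcrypt log message follows .\\w+.:$"
+expect * = Debug ".+"
+} -run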
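Review bot: The `client c1` block never checks `resp.http.dec-cipher-long`, although `vcl_synth` sets it and the encrypt side checks both `enc-plain-short` and `enc-plain-long`. Adding `expect resp.http.dec-cipher-long == ""` after the `dec-cipher-short` expectation would assert that decrypting the 17-byte ciphertext without padding returns nothing. At present only the second `in cbc.decrypt..: ` log line covers that case. Separately, the `iv-short` and `iv-long` cases pin that CBC goes ahead with a wrong-length IV and yields 32 hex digits, with only a libgcrypt warning, and the Debug `logexpect` accepts any text (`".+"`) for that warning. A comment such as `# the VMOD does not reject a wrong-length IV; callers must supply an IV of exactly the block length` would make clear this is observed behaviour and not a recommended use, and the `".+"` pattern could be tightened if the warning text is stable across libgcrypt versions.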