Commit ba225228 authored by Geoff Simmons's avatar Geoff Simmons

add the hmacf() function

parent eee84b60
......@@ -35,6 +35,8 @@ import blobdigest [from "path"] ;
new OBJECT = blobdigest.hmac(ENUM hash, BLOB key)
BLOB <obj>.hmac(BLOB msg)
BLOB blobdigest.hmacf(ENUM hash, BLOB key, BLOB msg)
DESCRIPTION
===========
......@@ -206,6 +208,7 @@ CONTENTS
* digest(ENUM {CRC32,MD5,SHA1,SHA224,SHA256,SHA384,SHA512,SHA3_224,SHA3_256,SHA3_384,SHA3_512}, BLOB)
* BLOB hash(ENUM {CRC32,MD5,SHA1,SHA224,SHA256,SHA384,SHA512,SHA3_224,SHA3_256,SHA3_384,SHA3_512}, BLOB)
* hmac(ENUM {MD5,SHA1,SHA224,SHA256,SHA384,SHA512,SHA3_224,SHA3_256,SHA3_384,SHA3_512}, BLOB)
* BLOB hmacf(ENUM {MD5,SHA1,SHA224,SHA256,SHA384,SHA512,SHA3_224,SHA3_256,SHA3_384,SHA3_512}, BLOB, BLOB)
* STRING version()
.. _obj_digest:
......@@ -462,6 +465,41 @@ Example::
return(synth(401));
}
.. _func_hmacf:
hmacf
-----
::
BLOB hmacf(ENUM {MD5,SHA1,SHA224,SHA256,SHA384,SHA512,SHA3_224,SHA3_256,SHA3_384,SHA3_512} hash, BLOB key, BLOB msg)
Returns the HMAC for ``msg`` as specified by ``hash`` and the ``key``.
As with the ``digest`` object and ``hash`` function, the use of the
``hmac`` object is likely to be more efficient than the ``hmacf``
function, because the internal cryptographic state of the HMAC for a
given key is pre-computed in the object constructor. So if the key is
fixed and known at initialization time, then you should use the
``hmac`` object. The ``hmacf`` function should only be used if the key
is not known at runtime, or, for example, should be changed without
requiring a VCL reload.
Example::
import blobdigest;
import blobcode;
# Decode the base64-encoded string as a HMAC key, compute the
# SHA512 HMAC of the Msg header, and save the hex-encoded
# result in a header.
set req.http.HMAC
= blobcode.encode(HEXUC,
blobdigest.hmacf(SHA512,
blobcode.decode(BASE64, "Zm9v"),
blobcode.decode(IDENTITY,
req.http.Msg)));
.. _func_version:
version
......
......@@ -2,7 +2,7 @@
varnishtest "MD5 hash"
# VMODs blobcode and blob must be installed
# VMOD blobcode must be installed
varnish v1 -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
......@@ -428,108 +428,55 @@ client c1 {
expect resp.http.rfc2202t7 == "6f630fad67cda0ee1fb1f562db3aa53e"
} -run
# Test use of digest object methods in vcl_init and _fini
# hmacf function
varnish v1 -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new msg = blobcode.blob(IDENTITY, "message");
new space = blobcode.blob(IDENTITY, " ");
new digest = blobcode.blob(IDENTITY, "digest");
new msgdigest
= blobcode.blob(HEX, "F96B697D7CB7938D525A2F31AAF161D0");
new a = blobcode.blob(IDENTITY, "a");
new bc = blobcode.blob(IDENTITY, "bc");
new abc
= blobcode.blob(HEX, "900150983CD24FB0D6963F7D28E17F72");
new d1 = blobdigest.digest(MD5, msg.get());
if (!d1.update(space.get())) {
return(fail);
}
if (!d1.update(digest.get())) {
return(fail);
}
if (!blob.equal(d1.final(), msgdigest.get())) {
return(fail);
}
new d2 = blobdigest.digest(MD5, a.get());
new k1 = blobcode.blob(HEX, "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
new k2 = blobcode.blob(IDENTITY, "Jefe");
new k3 = blobcode.blob(HEX, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
new k4 = blobcode.blob(HEX,
"0102030405060708090a0b0c0d0e0f10111213141516171819");
new k5 = blobcode.blob(HEX, "0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c");
new k6 = blobcode.blob(HEX,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
}
sub vcl_recv {
return(synth(200));
}
sub vcl_fini {
# Don't know how to test the result, at least it
# shouldn't blow up
if (!d2.update(bc.get())) {}
if (!blob.equal(d2.final(), abc.get())) {}
}
}
client c1 {
txreq
rxresp
expect resp.status == 200
} -run
# Test repeated calls of the digest.final() method
server s1 -wait {
rxreq
txresp -hdr "Cache-Control: max-age=0"
} -start
varnish v1 -vcl+backend {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
import blob;
sub vcl_init {
new a = blobcode.blob(IDENTITY, "a");
new bc = blobcode.blob(IDENTITY, "bc");
new abc
= blobcode.blob(HEX, "900150983CD24FB0D6963F7D28E17F72");
sub vcl_synth {
set resp.http.rfc2202t1 = blobcode.encode(HEXLC,
blobdigest.hmacf(MD5, k1.get(),
blobcode.decode(encoded="Hi There")));
new d1 = blobdigest.digest(MD5, a.get());
if (!d1.update(bc.get())) {
return(fail);
}
if (!blob.equal(d1.final(), abc.get())) {
return(fail);
}
if (!blob.equal(d1.final(), abc.get())) {
return(fail);
}
set resp.http.rfc2202t2 = blobcode.encode(HEXLC,
blobdigest.hmacf(MD5, k2.get(), blobcode.decode(encoded=
"what do ya want for nothing?")));
new d2 = blobdigest.digest(MD5);
}
set resp.http.rfc2202t3 = blobcode.encode(HEXLC,
blobdigest.hmacf(MD5, k3.get(), blobcode.decode(HEX,
"dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd")));
sub vcl_backend_response {
set beresp.http.d1_b1 = blobcode.encode(HEXUC, d1.final());
set beresp.http.d1_b2 = blobcode.encode(HEXUC, d1.final());
set resp.http.rfc2202t4 = blobcode.encode(HEXLC,
blobdigest.hmacf(MD5, k4.get(), blobcode.decode(HEX,
"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd")));
if (!d2.update(blobcode.decode(IDENTITY, "message digest"))) {
return(abandon);
}
set beresp.http.d2_b1 = blobcode.encode(HEXUC, d2.final());
set beresp.http.d2_b2 = blobcode.encode(HEXUC, d2.final());
}
set resp.http.rfc2202t5 = blobcode.encode(HEXLC,
blobdigest.hmacf(MD5, k5.get(),
blobcode.decode(encoded="Test With Truncation")));
sub vcl_deliver {
set resp.http.d1_c1 = blobcode.encode(HEXUC, d1.final());
set resp.http.d1_c2 = blobcode.encode(HEXUC, d1.final());
set resp.http.rfc2202t6 = blobcode.encode(HEXLC,
blobdigest.hmacf(MD5, k6.get(), blobcode.decode(encoded=
"Test Using Larger Than Block-Size Key - Hash Key First")));
if (!d2.update(blobcode.decode(IDENTITY, "a"))) {
return(synth(500));
}
set resp.http.d2_c1 = blobcode.encode(HEXUC, d2.final());
set resp.http.d2_c2 = blobcode.encode(HEXUC, d2.final());
set resp.http.rfc2202t7 = blobcode.encode(HEXLC,
blobdigest.hmacf(MD5, k6.get(), blobcode.decode(encoded=
"Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data")));
}
}
......@@ -538,117 +485,11 @@ client c1 {
rxresp
expect resp.status == 200
expect resp.http.d1_b1 == "900150983CD24FB0D6963F7D28E17F72"
expect resp.http.d1_b2 == "900150983CD24FB0D6963F7D28E17F72"
expect resp.http.d1_c1 == "900150983CD24FB0D6963F7D28E17F72"
expect resp.http.d1_c2 == "900150983CD24FB0D6963F7D28E17F72"
expect resp.http.d2_b1 == "F96B697D7CB7938D525A2F31AAF161D0"
expect resp.http.d2_b2 == "F96B697D7CB7938D525A2F31AAF161D0"
expect resp.http.d2_c1 == "0CC175B9C0F1B6A831C399E269772661"
expect resp.http.d2_c2 == "0CC175B9C0F1B6A831C399E269772661"
} -run
# digest.update() may not be called after digest.final()
varnish v1 -errvcl {vmod blobdigest error: already finalized in d1.update()} {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new empty = blobcode.blob(IDENTITY, "");
new hash = blobcode.blob(HEX,
"D41D8CD98F00B204E9800998ECF8427E");
new d1 = blobdigest.digest(MD5);
if (!d1.update(empty.get())) {
return(fail);
}
if (!blob.equal(d1.final(), hash.get())) {
return(fail);
}
if (!d1.update(empty.get())) {
return(fail);
}
}
}
varnish v1 -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new empty = blobcode.blob(IDENTITY, "");
new d1 = blobdigest.digest(MD5);
}
sub vcl_recv {
return(synth(200));
}
sub vcl_synth {
if (!d1.update(empty.get())) {
set resp.status = 500;
return(deliver);
}
set resp.http.empty = blobcode.encode(HEXUC, d1.final());
if (!d1.update(empty.get())) {
set resp.status = 500;
return(deliver);
}
}
}
client c1 {
txreq
rxresp
expect resp.status == 500
expect resp.http.empty == "D41D8CD98F00B204E9800998ECF8427E"
} -run
logexpect l1 -v v1 -d 1 -g vxid -q "VCL_Error" {
expect 0 * Begin req
expect * = VCL_Error "^vmod blobdigest error: already finalized in d1.update..$"
expect * = End
expect resp.http.rfc2202t1 == "9294727a3638bb1c13f48ef8158bfc9d"
expect resp.http.rfc2202t2 == "750c783e6ab0b503eaa86e310a5db738"
expect resp.http.rfc2202t3 == "56be34521d144c88dbb8c733f0e8b3f6"
expect resp.http.rfc2202t4 == "697eaf0aca3a3aea3a75164746ffaa79"
expect resp.http.rfc2202t5 == "56461ef2342edc00f9bab995690efd4c"
expect resp.http.rfc2202t6 == "6b1ab7fe4bd7bf8f0b62e6ce61b9d0cd"
expect resp.http.rfc2202t7 == "6f630fad67cda0ee1fb1f562db3aa53e"
} -run
# hash() is legal in vcl_init and vcl_fini (as of Varnish 5.0)
varnish v2 -arg "-p debug=+vclrel" -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
import blob;
import std;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new empty = blobcode.blob(IDENTITY, "");
new md5 = blobcode.blob(HEX,
"D41D8CD98F00B204E9800998ECF8427E");
if (!blob.equal(blobdigest.hash(MD5, empty.get()), md5.get())) {
return(fail);
}
}
sub vcl_fini {
if (blob.equal(blobdigest.hash(MD5, empty.get()), md5.get())) {
std.log("blobs are equal");
}
else {
std.log("blobs not equal");
}
}
} -start
varnish v2 -vcl {
backend b { .host = "${bad_ip}"; }
}
logexpect l2 -v v2 -d 0 -g raw -q "VCL_Log" {
expect 0 * VCL_Log "^blobs are equal$"
} -start
varnish v2 -cliok "vcl.use vcl2"
varnish v2 -cliok "vcl.discard vcl1"
logexpect l2 -wait
......@@ -272,6 +272,7 @@ client c1 {
expect resp.http.allbytesf == "4916d6bdb7f78e6803698cab32d1586ea457dfc8"
} -run
# hmac object
varnish v1 -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
......@@ -363,3 +364,73 @@ client c1 {
expect resp.http.rfc2202t6 == "aa4ae5e15272d00e95705637ce8a3b55ed402112"
expect resp.http.rfc2202t7 == "e8e99d0f45237d786d6bbaa7965c7808bbff1a91"
} -run
# hmacf function
varnish v1 -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k1 = blobcode.blob(HEX,
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
new k2 = blobcode.blob(IDENTITY, "Jefe");
new k3 = blobcode.blob(HEX,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
new k4 = blobcode.blob(HEX,
"0102030405060708090a0b0c0d0e0f10111213141516171819");
new k5 = blobcode.blob(HEX,
"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c");
new k6 = blobcode.blob(HEX,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
}
sub vcl_recv {
return(synth(200));
}
sub vcl_synth {
set resp.http.rfc2202t1 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA1, k1.get(),
blobcode.decode(IDENTITY, "Hi There")));
set resp.http.rfc2202t2 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA1, k2.get(),blobcode.decode(IDENTITY,
"what do ya want for nothing?")));
set resp.http.rfc2202t3 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA1, k3.get(), blobcode.decode(HEX,
"dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd")));
set resp.http.rfc2202t4 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA1, k4.get(), blobcode.decode(HEX,
"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd")));
set resp.http.rfc2202t5 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA1, k5.get(), blobcode.decode(IDENTITY,
"Test With Truncation")));
set resp.http.rfc2202t6 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA1, k6.get(), blobcode.decode(IDENTITY,
"Test Using Larger Than Block-Size Key - Hash Key First")));
set resp.http.rfc2202t7 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA1, k6.get(), blobcode.decode(IDENTITY,
"Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data")));
}
}
client c1 {
txreq
rxresp
expect resp.status == 200
# RFC2202 test cases
expect resp.http.rfc2202t1 == "b617318655057264e28bc0b6fb378c8ef146be00"
expect resp.http.rfc2202t2 == "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79"
expect resp.http.rfc2202t3 == "125d7342b9ac11cd91a39af48aa17b4f63f175d3"
expect resp.http.rfc2202t4 == "4c9007f4026250c6bc8414f9bf50c86c2d7235da"
expect resp.http.rfc2202t5 == "4c1a03424b55e07fe7f27be1d58bb9324a9a5a04"
expect resp.http.rfc2202t6 == "aa4ae5e15272d00e95705637ce8a3b55ed402112"
expect resp.http.rfc2202t7 == "e8e99d0f45237d786d6bbaa7965c7808bbff1a91"
} -run
......@@ -250,6 +250,7 @@ client c1 {
expect resp.http.allbytesf == "88702e63237824c4eb0d0fcfe41469a462493e8beb2a75bbe5981734"
} -run
# hmac object
varnish v1 -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
......@@ -341,3 +342,73 @@ client c1 {
expect resp.http.rfc4231t6 == "95e9a0db962095adaebe9b2d6f0dbce2d499f112f2d2b7273fa6870e"
expect resp.http.rfc4231t7 == "3a854166ac5d9f023f54d517d0b39dbd946770db9c2b95c9f6f565d1"
} -run
# hmacf function
varnish v1 -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
# RFC4231 test cases
new k1 = blobcode.blob(HEX,
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
new k2 = blobcode.blob(IDENTITY, "Jefe");
new k3 = blobcode.blob(HEX,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
new k4 = blobcode.blob(HEX,
"0102030405060708090a0b0c0d0e0f10111213141516171819");
new k5 = blobcode.blob(HEX,
"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c");
new k6 = blobcode.blob(HEX,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
}
sub vcl_recv {
return(synth(200));
}
sub vcl_synth {
set resp.http.rfc4231t1 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA224, k1.get(),
blobcode.decode(IDENTITY, "Hi There")));
set resp.http.rfc4231t2 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA224, k2.get(), blobcode.decode(IDENTITY,
"what do ya want for nothing?")));
set resp.http.rfc4231t3 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA224, k3.get(), blobcode.decode(HEX,
"dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd")));
set resp.http.rfc4231t4 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA224, k4.get(), blobcode.decode(HEX,
"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd")));
set resp.http.rfc4231t5 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA224, k5.get(), blobcode.decode(IDENTITY,
"Test With Truncation")));
set resp.http.rfc4231t6 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA224, k6.get(), blobcode.decode(IDENTITY,
"Test Using Larger Than Block-Size Key - Hash Key First")));
set resp.http.rfc4231t7 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA224, k6.get(), blobcode.decode(IDENTITY,
"This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm.")));
}
}
client c1 {
txreq
rxresp
expect resp.status == 200
expect resp.http.rfc4231t1 == "896fb1128abbdf196832107cd49df33f47b4b1169912ba4f53684b22"
expect resp.http.rfc4231t2 == "a30e01098bc6dbbf45690f3a7e9e6d0f8bbea2a39e6148008fd05e44"
expect resp.http.rfc4231t3 == "7fb3cb3588c6c1f6ffa9694d7d6ad2649365b0c1f65d69d1ec8333ea"
expect resp.http.rfc4231t4 == "6c11506874013cac6a2abc1bb382627cec6a90d86efc012de7afec5a"
expect resp.http.rfc4231t5 ~ "^0e2aea68a90c8d37c988bcdb9fca6fa8"
expect resp.http.rfc4231t6 == "95e9a0db962095adaebe9b2d6f0dbce2d499f112f2d2b7273fa6870e"
expect resp.http.rfc4231t7 == "3a854166ac5d9f023f54d517d0b39dbd946770db9c2b95c9f6f565d1"
} -run
......@@ -235,6 +235,7 @@ client c1 {
expect resp.http.allbytesf == "40aff2e9d2d8922e47afd4648e6967497158785fbd1da870e7110266bf944880"
} -run
# hmac object
varnish v1 -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
......@@ -308,7 +309,76 @@ varnish v1 -vcl {
= blobcode.encode(HEXLC,
rfc4231t6.hmac(blobcode.decode(IDENTITY,
"This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm.")));
}
}
client c1 {
txreq
rxresp
expect resp.status == 200
# RFC4231 test cases
expect resp.http.rfc4231t1 == "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"
expect resp.http.rfc4231t2 == "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"
expect resp.http.rfc4231t3 == "773ea91e36800e46854db8ebd09181a72959098b3ef8c122d9635514ced565fe"
expect resp.http.rfc4231t4 == "82558a389a443c0ea4cc819899f2083a85f0faa3e578f8077a2e3ff46729665b"
expect resp.http.rfc4231t5 ~ "^a3b6167473100ee06e0c796c2955552b"
expect resp.http.rfc4231t6 == "60e431591ee0b67f0d8a26aacbf5b77f8e0bc6213728c5140546040f0ee37f54"
expect resp.http.rfc4231t7 == "9b09ffa71b942fcb27635fbcd5b0e944bfdc63644f0713938a7f51535c3a35e2"
} -run
# hmacf function
varnish v1 -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k1 = blobcode.blob(HEX,
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
new k2 = blobcode.blob(IDENTITY, "Jefe");
new k3 = blobcode.blob(HEX,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
new k4 = blobcode.blob(HEX,
"0102030405060708090a0b0c0d0e0f10111213141516171819");
new k5 = blobcode.blob(HEX,
"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c");
new k6 = blobcode.blob(HEX,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
}
sub vcl_recv {
return(synth(200));
}
sub vcl_synth {
set resp.http.rfc4231t1 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA256, k1.get(),
blobcode.decode(IDENTITY, "Hi There")));
set resp.http.rfc4231t2 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA256, k2.get(), blobcode.decode(IDENTITY,
"what do ya want for nothing?")));
set resp.http.rfc4231t3 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA256, k3.get(), blobcode.decode(HEX,
"dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd")));
set resp.http.rfc4231t4 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA256, k4.get(), blobcode.decode(HEX,
"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd")));
set resp.http.rfc4231t5 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA256, k5.get(), blobcode.decode(IDENTITY,
"Test With Truncation")));
set resp.http.rfc4231t6 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA256, k6.get(), blobcode.decode(IDENTITY,
"Test Using Larger Than Block-Size Key - Hash Key First")));
set resp.http.rfc4231t7 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA256, k6.get(), blobcode.decode(IDENTITY,
"This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm.")));
}
}
......
......@@ -235,6 +235,7 @@ client c1 {
expect resp.http.allbytesf == "bd34c1faa03a01db5e0c3a3d5e0440d6e5e361060f3dc9d149a26812"
} -run
# hmac object
varnish v1 -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
......@@ -336,3 +337,84 @@ client c1 {
expect resp.http.ehrhardt6a == "b96d730c148c2daad8649d83defaa3719738d34775397b7571c38515"
expect resp.http.ehrhardt7a == "c79c9b093424e588a9878bbcb089e018270096e9b4b1a9e8220c866a"
} -run
# hmacf function
varnish v1 -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k1 = blobcode.blob(HEX,
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
new k2 = blobcode.blob(IDENTITY, "Jefe");
new k3 = blobcode.blob(HEX,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
new k4 = blobcode.blob(HEX,
"0102030405060708090a0b0c0d0e0f10111213141516171819");
new k5 = blobcode.blob(HEX,
"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c");
new k6 = blobcode.blob(HEX,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
new k7 = blobcode.blob(HEX,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
}
sub vcl_recv {
return(synth(200));
}
sub vcl_synth {
set resp.http.ehrhardt1 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_224, k1.get(),
blobcode.decode(IDENTITY, "Hi There")));
set resp.http.ehrhardt2 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_224, k2.get(), blobcode.decode(IDENTITY,
"what do ya want for nothing?")));
set resp.http.ehrhardt3 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_224, k3.get(), blobcode.decode(HEX,
"dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd")));
set resp.http.ehrhardt4 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_224, k4.get(), blobcode.decode(HEX,
"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd")));
set resp.http.ehrhardt5 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_224, k5.get(), blobcode.decode(IDENTITY,
"Test With Truncation")));
set resp.http.ehrhardt6 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_224, k6.get(), blobcode.decode(IDENTITY,
"Test Using Larger Than Block-Size Key - Hash Key First")));
set resp.http.ehrhardt7 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_224, k6.get(), blobcode.decode(IDENTITY,
"This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm.")));
set resp.http.ehrhardt6a = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_224, k7.get(), blobcode.decode(IDENTITY,
"Test Using Larger Than Block-Size Key - Hash Key First")));
set resp.http.ehrhardt7a = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_224, k7.get(), blobcode.decode(IDENTITY,
"This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm.")));
}
}
client c1 {
txreq
rxresp
expect resp.status == 200
expect resp.http.ehrhardt1 == "3b16546bbc7be2706a031dcafd56373d9884367641d8c59af3c860f7"
expect resp.http.ehrhardt2 == "7fdb8dd88bd2f60d1b798634ad386811c2cfc85bfaf5d52bbace5e66"
expect resp.http.ehrhardt3 == "676cfc7d16153638780390692be142d2df7ce924b909c0c08dbfdc1a"
expect resp.http.ehrhardt4 == "a9d7685a19c4e0dbd9df2556cc8a7d2a7733b67625ce594c78270eeb"
expect resp.http.ehrhardt5 ~ "^49fdd3abd005ebb8ae63fea946d1883c"
expect resp.http.ehrhardt6 == "b4a1f04c00287a9b7f6075b313d279b833bc8f75124352d05fb9995f"
expect resp.http.ehrhardt7 == "05d8cd6d00faea8d1eb68ade28730bbd3cbab6929f0a086b29cd62a0"
expect resp.http.ehrhardt6a == "b96d730c148c2daad8649d83defaa3719738d34775397b7571c38515"
expect resp.http.ehrhardt7a == "c79c9b093424e588a9878bbcb089e018270096e9b4b1a9e8220c866a"
} -run
......@@ -235,6 +235,7 @@ client c1 {
expect resp.http.allbytesf == "9b04c091da96b997afb8f2585d608aebe9c4a904f7d52c8f28c7e4d2dd9fba5f"
} -run
# hmac object
varnish v1 -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
......@@ -337,3 +338,84 @@ client c1 {
expect resp.http.ehrhardt6a == "a6072f86de52b38bb349fe84cd6d97fb6a37c4c0f62aae93981193a7229d3467"
expect resp.http.ehrhardt7a == "e6a36d9b915f86a093cac7d110e9e04cf1d6100d30475509c2475f571b758b5a"
} -run
# hmacf function
varnish v1 -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k1 = blobcode.blob(HEX,
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
new k2 = blobcode.blob(IDENTITY, "Jefe");
new k3 = blobcode.blob(HEX,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
new k4 = blobcode.blob(HEX,
"0102030405060708090a0b0c0d0e0f10111213141516171819");
new k5 = blobcode.blob(HEX,
"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c");
new k6 = blobcode.blob(HEX,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
new k7 = blobcode.blob(HEX,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
}
sub vcl_recv {
return(synth(200));
}
sub vcl_synth {
set resp.http.ehrhardt1 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_256, k1.get(),
blobcode.decode(IDENTITY, "Hi There")));
set resp.http.ehrhardt2 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_256, k2.get(), blobcode.decode(IDENTITY,
"what do ya want for nothing?")));
set resp.http.ehrhardt3 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_256, k3.get(), blobcode.decode(HEX,
"dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd")));
set resp.http.ehrhardt4 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_256, k4.get(), blobcode.decode(HEX,
"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd")));
set resp.http.ehrhardt5 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_256, k5.get(), blobcode.decode(IDENTITY,
"Test With Truncation")));
set resp.http.ehrhardt6 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_256, k6.get(), blobcode.decode(IDENTITY,
"Test Using Larger Than Block-Size Key - Hash Key First")));
set resp.http.ehrhardt7 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_256, k6.get(), blobcode.decode(IDENTITY,
"This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm.")));
set resp.http.ehrhardt6a = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_256, k7.get(), blobcode.decode(IDENTITY,
"Test Using Larger Than Block-Size Key - Hash Key First")));
set resp.http.ehrhardt7a = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_256, k7.get(), blobcode.decode(IDENTITY,
"This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm.")));
}
}
client c1 {
txreq
rxresp
expect resp.status == 200
expect resp.http.ehrhardt1 == "ba85192310dffa96e2a3a40e69774351140bb7185e1202cdcc917589f95e16bb"
expect resp.http.ehrhardt2 == "c7d4072e788877ae3596bbb0da73b887c9171f93095b294ae857fbe2645e1ba5"
expect resp.http.ehrhardt3 == "84ec79124a27107865cedd8bd82da9965e5ed8c37b0ac98005a7f39ed58a4207"
expect resp.http.ehrhardt4 == "57366a45e2305321a4bc5aa5fe2ef8a921f6af8273d7fe7be6cfedb3f0aea6d7"
expect resp.http.ehrhardt5 ~ "^6e02c64537fb118057abb7fb66a23b3c"
expect resp.http.ehrhardt6 == "ed73a374b96c005235f948032f09674a58c0ce555cfc1f223b02356560312c3b"
expect resp.http.ehrhardt7 == "65c5b06d4c3de32a7aef8763261e49adb6e2293ec8e7c61e8de61701fc63e123"
expect resp.http.ehrhardt6a == "a6072f86de52b38bb349fe84cd6d97fb6a37c4c0f62aae93981193a7229d3467"
expect resp.http.ehrhardt7a == "e6a36d9b915f86a093cac7d110e9e04cf1d6100d30475509c2475f571b758b5a"
} -run
......@@ -235,6 +235,7 @@ client c1 {
expect resp.http.allbytesf == "e834031d7bab82ac00905187335595e020c5bd3220924f4f551d7485931d2cb9efe90b6574fc46b63265314781de017a"
} -run
# hmac object
varnish v1 -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
......@@ -337,3 +338,85 @@ client c1 {
expect resp.http.ehrhardt6a == "713dff0302c85086ec5ad0768dd65a13ddd79068d8d4c6212b712e41649449111480230044185a99103ed82004ddbfcc"
expect resp.http.ehrhardt7a == "cad18a8ff6c4cc3ad487b95f9769e9b61c062aefd6952569e6e6421897054cfc70b5fdc6605c18457112fc6aaad45585"
} -run
# hmacf function
varnish v1 -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k1 = blobcode.blob(HEX,
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
new k2 = blobcode.blob(IDENTITY, "Jefe");
new k3 = blobcode.blob(HEX,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
new k4 = blobcode.blob(HEX,
"0102030405060708090a0b0c0d0e0f10111213141516171819");
new k5 = blobcode.blob(HEX,
"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c");
new k6 = blobcode.blob(HEX,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
new k7 = blobcode.blob(HEX,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
}
sub vcl_recv {
return(synth(200));
}
sub vcl_synth {
set resp.http.ehrhardt1 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_384, k1.get(),
blobcode.decode(IDENTITY, "Hi There")));
set resp.http.ehrhardt2 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_384, k2.get(), blobcode.decode(IDENTITY,
"what do ya want for nothing?")));
set resp.http.ehrhardt3 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_384, k3.get(), blobcode.decode(HEX,
"dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd")));
set resp.http.ehrhardt4 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_384, k4.get(), blobcode.decode(HEX,
"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd")));
set resp.http.ehrhardt5 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_384, k5.get(), blobcode.decode(IDENTITY,
"Test With Truncation")));
set resp.http.ehrhardt6 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_384, k6.get(), blobcode.decode(IDENTITY,
"Test Using Larger Than Block-Size Key - Hash Key First")));
set resp.http.ehrhardt7 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_384, k6.get(), blobcode.decode(IDENTITY,
"This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm.")));
set resp.http.ehrhardt6a = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_384, k7.get(), blobcode.decode(IDENTITY,
"Test Using Larger Than Block-Size Key - Hash Key First")));
set resp.http.ehrhardt7a = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_384, k7.get(), blobcode.decode(IDENTITY,
"This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm.")));
}
}
client c1 {
txreq
rxresp
expect resp.status == 200
expect resp.http.ehrhardt1 == "68d2dcf7fd4ddd0a2240c8a437305f61fb7334cfb5d0226e1bc27dc10a2e723a20d370b47743130e26ac7e3d532886bd"
expect resp.http.ehrhardt2 == "f1101f8cbf9766fd6764d2ed61903f21ca9b18f57cf3e1a23ca13508a93243ce48c045dc007f26a21b3f5e0e9df4c20a"
expect resp.http.ehrhardt3 == "275cd0e661bb8b151c64d288f1f782fb91a8abd56858d72babb2d476f0458373b41b6ab5bf174bec422e53fc3135ac6e"
expect resp.http.ehrhardt4 == "3a5d7a879702c086bc96d1dd8aa15d9c46446b95521311c606fdc4e308f4b984da2d0f9449b3ba8425ec7fb8c31bc136"
expect resp.http.ehrhardt5 ~ "^47c51ace1ffacffd7494724682615783"
expect resp.http.ehrhardt6 == "0fc19513bf6bd878037016706a0e57bc528139836b9a42c3d419e498e0e1fb9616fd669138d33a1105e07c72b6953bcc"
expect resp.http.ehrhardt7 == "026fdf6b50741e373899c9f7d5406d4eb09fc6665636fc1a530029ddf5cf3ca5a900edce01f5f61e2f408cdf2fd3e7e8"
expect resp.http.ehrhardt6a == "713dff0302c85086ec5ad0768dd65a13ddd79068d8d4c6212b712e41649449111480230044185a99103ed82004ddbfcc"
expect resp.http.ehrhardt7a == "cad18a8ff6c4cc3ad487b95f9769e9b61c062aefd6952569e6e6421897054cfc70b5fdc6605c18457112fc6aaad45585"
} -run
......@@ -235,6 +235,7 @@ client c1 {
expect resp.http.allbytesf == "3a843af1f872928f0bbbb513207a1a8e14e3d911269fff521292d07dbd5e2e520d6c2634292801184ffa54fd5f1e992ccfdaff8162f5c5f6d1ea79dbcae97e1d"
} -run
# hmac object
varnish v1 -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
......@@ -337,3 +338,84 @@ client c1 {
expect resp.http.ehrhardt6a == "b14835c819a290efb010ace6d8568dc6b84de60bc49b004c3b13eda763589451e5dd74292884d1bdce64e6b919dd61dc9c56a282a81c0bd14f1f365b49b83a5b"
expect resp.http.ehrhardt7a == "dc030ee7887034f32cf402df34622f311f3e6cf04860c6bbd7fa488674782b4659fdbdf3fd877852885cfe6e22185fe7b2ee952043629bc9d5f3298a41d02c66"
} -run
# hmacf function
varnish v1 -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k1 = blobcode.blob(HEX,
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
new k2 = blobcode.blob(IDENTITY, "Jefe");
new k3 = blobcode.blob(HEX,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
new k4 = blobcode.blob(HEX,
"0102030405060708090a0b0c0d0e0f10111213141516171819");
new k5 = blobcode.blob(HEX,
"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c");
new k6 = blobcode.blob(HEX,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
new k7 = blobcode.blob(HEX,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
}
sub vcl_recv {
return(synth(200));
}
sub vcl_synth {
set resp.http.ehrhardt1 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_512, k1.get(),
blobcode.decode(IDENTITY, "Hi There")));
set resp.http.ehrhardt2 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_512, k2.get(), blobcode.decode(IDENTITY,
"what do ya want for nothing?")));
set resp.http.ehrhardt3 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_512, k3.get(), blobcode.decode(HEX,
"dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd")));
set resp.http.ehrhardt4 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_512, k4.get(), blobcode.decode(HEX,
"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd")));
set resp.http.ehrhardt5 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_512, k5.get(), blobcode.decode(IDENTITY,
"Test With Truncation")));
set resp.http.ehrhardt6 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_512, k6.get(), blobcode.decode(IDENTITY,
"Test Using Larger Than Block-Size Key - Hash Key First")));
set resp.http.ehrhardt7 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_512, k6.get(), blobcode.decode(IDENTITY,
"This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm.")));
set resp.http.ehrhardt6a = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_512, k7.get(), blobcode.decode(IDENTITY,
"Test Using Larger Than Block-Size Key - Hash Key First")));
set resp.http.ehrhardt7a = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA3_512, k7.get(), blobcode.decode(IDENTITY,
"This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm.")));
}
}
client c1 {
txreq
rxresp
expect resp.status == 200
expect resp.http.ehrhardt1 == "eb3fbd4b2eaab8f5c504bd3a41465aacec15770a7cabac531e482f860b5ec7ba47ccb2c6f2afce8f88d22b6dc61380f23a668fd3888bb80537c0a0b86407689e"
expect resp.http.ehrhardt2 == "5a4bfeab6166427c7a3647b747292b8384537cdb89afb3bf5665e4c5e709350b287baec921fd7ca0ee7a0c31d022a95e1fc92ba9d77df883960275beb4e62024"
expect resp.http.ehrhardt3 == "309e99f9ec075ec6c6d475eda1180687fcf1531195802a99b5677449a8625182851cb332afb6a89c411325fbcbcd42afcb7b6e5aab7ea42c660f97fd8584bf03"
expect resp.http.ehrhardt4 == "b27eab1d6e8d87461c29f7f5739dd58e98aa35f8e823ad38c5492a2088fa0281993bbfff9a0e9c6bf121ae9ec9bb09d84a5ebac817182ea974673fb133ca0d1d"
expect resp.http.ehrhardt5 ~ "^0fa7475948f43f48ca0516671e18978c"
expect resp.http.ehrhardt6 == "00f751a9e50695b090ed6911a4b65524951cdc15a73a5d58bb55215ea2cd839ac79d2b44a39bafab27e83fde9e11f6340b11d991b1b91bf2eee7fc872426c3a4"
expect resp.http.ehrhardt7 == "38a456a004bd10d32c9ab8336684112862c3db61adcca31829355eaf46fd5c73d06a1f0d13fec9a652fb3811b577b1b1d1b9789f97ae5b83c6f44dfcf1d67eba"
expect resp.http.ehrhardt6a == "b14835c819a290efb010ace6d8568dc6b84de60bc49b004c3b13eda763589451e5dd74292884d1bdce64e6b919dd61dc9c56a282a81c0bd14f1f365b49b83a5b"
expect resp.http.ehrhardt7a == "dc030ee7887034f32cf402df34622f311f3e6cf04860c6bbd7fa488674782b4659fdbdf3fd877852885cfe6e22185fe7b2ee952043629bc9d5f3298a41d02c66"
} -run
......@@ -220,6 +220,7 @@ client c1 {
expect resp.http.allbytesf == "ffdaebff65ed05cf400f0221c4ccfb4b2104fb6a51f87e40be6c4309386bfdec2892e9179b34632331a59592737db5c5"
} -run
# hmac object
varnish v1 -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
......@@ -310,3 +311,72 @@ client c1 {
expect resp.http.rfc4231t6 == "4ece084485813e9088d2c63a041bc5b44f9ef1012a2b588f3cd11f05033ac4c60c2ef6ab4030fe8296248df163f44952"
expect resp.http.rfc4231t7 == "6617178e941f020d351e2f254e8fd32c602420feb0b8fb9adccebb82461e99c5a678cc31e799176d3860e6110c46523e"
} -run
# hmacf function
varnish v1 -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k1 = blobcode.blob(HEX,
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
new k2 = blobcode.blob(IDENTITY, "Jefe");
new k3 = blobcode.blob(HEX,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
new k4 = blobcode.blob(HEX,
"0102030405060708090a0b0c0d0e0f10111213141516171819");
new k5 = blobcode.blob(HEX,
"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c");
new k6 = blobcode.blob(HEX,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
}
sub vcl_recv {
return(synth(200));
}
sub vcl_synth {
set resp.http.rfc4231t1 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA384, k1.get(),
blobcode.decode(IDENTITY, "Hi There")));
set resp.http.rfc4231t2 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA384, k2.get(), blobcode.decode(IDENTITY,
"what do ya want for nothing?")));
set resp.http.rfc4231t3 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA384, k3.get(), blobcode.decode(HEX,
"dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd")));
set resp.http.rfc4231t4 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA384, k4.get(), blobcode.decode(HEX,
"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd")));
set resp.http.rfc4231t5 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA384, k5.get(), blobcode.decode(IDENTITY,
"Test With Truncation")));
set resp.http.rfc4231t6 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA384, k6.get(), blobcode.decode(IDENTITY,
"Test Using Larger Than Block-Size Key - Hash Key First")));
set resp.http.rfc4231t7 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA384, k6.get(), blobcode.decode(IDENTITY,
"This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm.")));
}
}
client c1 {
txreq
rxresp
expect resp.status == 200
expect resp.http.rfc4231t1 == "afd03944d84895626b0825f4ab46907f15f9dadbe4101ec682aa034c7cebc59cfaea9ea9076ede7f4af152e8b2fa9cb6"
expect resp.http.rfc4231t2 == "af45d2e376484031617f78d2b58a6b1b9c7ef464f5a01b47e42ec3736322445e8e2240ca5e69e2c78b3239ecfab21649"
expect resp.http.rfc4231t3 == "88062608d3e6ad8a0aa2ace014c8a86f0aa635d947ac9febe83ef4e55966144b2a5ab39dc13814b94e3ab6e101a34f27"
expect resp.http.rfc4231t4 == "3e8a69b7783c25851933ab6290af6ca77a9981480850009cc5577c6e1f573b4e6801dd23c4a7d679ccf8a386c674cffb"
expect resp.http.rfc4231t5 ~ "^3abf34c3503b2a23a46efc619baef897"
expect resp.http.rfc4231t6 == "4ece084485813e9088d2c63a041bc5b44f9ef1012a2b588f3cd11f05033ac4c60c2ef6ab4030fe8296248df163f44952"
expect resp.http.rfc4231t7 == "6617178e941f020d351e2f254e8fd32c602420feb0b8fb9adccebb82461e99c5a678cc31e799176d3860e6110c46523e"
} -run
......@@ -220,6 +220,7 @@ client c1 {
expect resp.http.allbytes == "1e7b80bc8edc552c8feeb2780e111477e5bc70465fac1a77b29b35980c3f0ce4a036a6c9462036824bd56801e62af7e9feba5c22ed8a5af877bf7de117dcac6d"
} -run
# hmac object
varnish v1 -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
......@@ -293,7 +294,6 @@ varnish v1 -vcl {
= blobcode.encode(HEXLC,
rfc4231t6.hmac(blobcode.decode(IDENTITY,
"This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm.")));
}
}
......@@ -311,3 +311,73 @@ client c1 {
expect resp.http.rfc4231t6 == "80b24263c7c1a3ebb71493c1dd7be8b49b46d1f41b4aeec1121b013783f8f3526b56d037e05f2598bd0fd2215d6a1e5295e64f73f63f0aec8b915a985d786598"
expect resp.http.rfc4231t7 == "e37b6a775dc87dbaa4dfa9f96e5e3ffddebd71f8867289865df5a32d20cdc944b6022cac3c4982b10d5eeb55c3e4de15134676fb6de0446065c97440fa8c6a58"
} -run
# hmacf function
varnish v1 -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new k1 = blobcode.blob(HEX,
"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
new k2 = blobcode.blob(IDENTITY, "Jefe");
new k3 = blobcode.blob(HEX,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
new k4 = blobcode.blob(HEX,
"0102030405060708090a0b0c0d0e0f10111213141516171819");
new k5 = blobcode.blob(HEX,
"0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c");
new k6 = blobcode.blob(HEX,
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
}
sub vcl_recv {
return(synth(200));
}
sub vcl_synth {
set resp.http.rfc4231t1 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA512, k1.get(),
blobcode.decode(IDENTITY, "Hi There")));
set resp.http.rfc4231t2 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA512, k2.get(), blobcode.decode(IDENTITY,
"what do ya want for nothing?")));
set resp.http.rfc4231t3 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA512, k3.get(), blobcode.decode(HEX,
"dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd")));
set resp.http.rfc4231t4 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA512, k4.get(), blobcode.decode(HEX,
"cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd")));
set resp.http.rfc4231t5 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA512, k5.get(), blobcode.decode(IDENTITY,
"Test With Truncation")));
set resp.http.rfc4231t6 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA512, k6.get(), blobcode.decode(IDENTITY,
"Test Using Larger Than Block-Size Key - Hash Key First")));
set resp.http.rfc4231t7 = blobcode.encode(HEXLC,
blobdigest.hmacf(SHA512, k6.get(), blobcode.decode(IDENTITY,
"This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm.")));
}
}
client c1 {
txreq
rxresp
expect resp.status == 200
# RFC4231 test cases
expect resp.http.rfc4231t1 == "87aa7cdea5ef619d4ff0b4241a1d6cb02379f4e2ce4ec2787ad0b30545e17cdedaa833b7d6b8a702038b274eaea3f4e4be9d914eeb61f1702e696c203a126854"
expect resp.http.rfc4231t2 == "164b7a7bfcf819e2e395fbe73b56e0a387bd64222e831fd610270cd7ea2505549758bf75c05a994a6d034f65f8f0e6fdcaeab1a34d4a6b4b636e070a38bce737"
expect resp.http.rfc4231t3 == "fa73b0089d56a284efb0f0756c890be9b1b5dbdd8ee81a3655f83e33b2279d39bf3e848279a722c806b485a47e67c807b946a337bee8942674278859e13292fb"
expect resp.http.rfc4231t4 == "b0ba465637458c6990e5a8c5f61d4af7e576d97ff94b872de76f8050361ee3dba91ca5c11aa25eb4d679275cc5788063a5f19741120c4f2de2adebeb10a298dd"
expect resp.http.rfc4231t5 ~ "^415fad6271580a531d4179bc891d87a6"
expect resp.http.rfc4231t6 == "80b24263c7c1a3ebb71493c1dd7be8b49b46d1f41b4aeec1121b013783f8f3526b56d037e05f2598bd0fd2215d6a1e5295e64f73f63f0aec8b915a985d786598"
expect resp.http.rfc4231t7 == "e37b6a775dc87dbaa4dfa9f96e5e3ffddebd71f8867289865df5a32d20cdc944b6022cac3c4982b10d5eeb55c3e4de15134676fb6de0446065c97440fa8c6a58"
} -run
# looks like -*- vcl -*-
varnishtest "usage restrictions"
# VMODs blobcode and blob must be installed
# Test use of digest object methods in vcl_init and _fini
varnish v1 -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new msg = blobcode.blob(IDENTITY, "message");
new space = blobcode.blob(IDENTITY, " ");
new digest = blobcode.blob(IDENTITY, "digest");
new msgdigest
= blobcode.blob(HEX, "F96B697D7CB7938D525A2F31AAF161D0");
new a = blobcode.blob(IDENTITY, "a");
new bc = blobcode.blob(IDENTITY, "bc");
new abc
= blobcode.blob(HEX, "900150983CD24FB0D6963F7D28E17F72");
new d1 = blobdigest.digest(MD5, msg.get());
if (!d1.update(space.get())) {
return(fail);
}
if (!d1.update(digest.get())) {
return(fail);
}
if (!blob.equal(d1.final(), msgdigest.get())) {
return(fail);
}
new d2 = blobdigest.digest(MD5, a.get());
}
sub vcl_recv {
return(synth(200));
}
sub vcl_fini {
# Don't know how to test the result, at least it
# shouldn't blow up
if (!d2.update(bc.get())) {}
if (!blob.equal(d2.final(), abc.get())) {}
}
} -start
client c1 {
txreq
rxresp
expect resp.status == 200
} -run
# Test repeated calls of the digest.final() method
server s1 -wait {
rxreq
txresp -hdr "Cache-Control: max-age=0"
} -start
varnish v1 -vcl+backend {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
import blob;
sub vcl_init {
new a = blobcode.blob(IDENTITY, "a");
new bc = blobcode.blob(IDENTITY, "bc");
new abc
= blobcode.blob(HEX, "900150983CD24FB0D6963F7D28E17F72");
new d1 = blobdigest.digest(MD5, a.get());
if (!d1.update(bc.get())) {
return(fail);
}
if (!blob.equal(d1.final(), abc.get())) {
return(fail);
}
if (!blob.equal(d1.final(), abc.get())) {
return(fail);
}
new d2 = blobdigest.digest(MD5);
}
sub vcl_backend_response {
set beresp.http.d1_b1 = blobcode.encode(HEXUC, d1.final());
set beresp.http.d1_b2 = blobcode.encode(HEXUC, d1.final());
if (!d2.update(blobcode.decode(IDENTITY, "message digest"))) {
return(abandon);
}
set beresp.http.d2_b1 = blobcode.encode(HEXUC, d2.final());
set beresp.http.d2_b2 = blobcode.encode(HEXUC, d2.final());
}
sub vcl_deliver {
set resp.http.d1_c1 = blobcode.encode(HEXUC, d1.final());
set resp.http.d1_c2 = blobcode.encode(HEXUC, d1.final());
if (!d2.update(blobcode.decode(IDENTITY, "a"))) {
return(synth(500));
}
set resp.http.d2_c1 = blobcode.encode(HEXUC, d2.final());
set resp.http.d2_c2 = blobcode.encode(HEXUC, d2.final());
}
}
client c1 {
txreq
rxresp
expect resp.status == 200
expect resp.http.d1_b1 == "900150983CD24FB0D6963F7D28E17F72"
expect resp.http.d1_b2 == "900150983CD24FB0D6963F7D28E17F72"
expect resp.http.d1_c1 == "900150983CD24FB0D6963F7D28E17F72"
expect resp.http.d1_c2 == "900150983CD24FB0D6963F7D28E17F72"
expect resp.http.d2_b1 == "F96B697D7CB7938D525A2F31AAF161D0"
expect resp.http.d2_b2 == "F96B697D7CB7938D525A2F31AAF161D0"
expect resp.http.d2_c1 == "0CC175B9C0F1B6A831C399E269772661"
expect resp.http.d2_c2 == "0CC175B9C0F1B6A831C399E269772661"
} -run
# digest.update() may not be called after digest.final()
varnish v1 -errvcl {vmod blobdigest error: already finalized in d1.update()} {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
import blob;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new empty = blobcode.blob(IDENTITY, "");
new hash = blobcode.blob(HEX,
"D41D8CD98F00B204E9800998ECF8427E");
new d1 = blobdigest.digest(MD5);
if (!d1.update(empty.get())) {
return(fail);
}
if (!blob.equal(d1.final(), hash.get())) {
return(fail);
}
if (!d1.update(empty.get())) {
return(fail);
}
}
}
varnish v1 -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new empty = blobcode.blob(IDENTITY, "");
new d1 = blobdigest.digest(MD5);
}
sub vcl_recv {
return(synth(200));
}
sub vcl_synth {
if (!d1.update(empty.get())) {
set resp.status = 500;
return(deliver);
}
set resp.http.empty = blobcode.encode(HEXUC, d1.final());
if (!d1.update(empty.get())) {
set resp.status = 500;
return(deliver);
}
}
}
client c1 {
txreq
rxresp
expect resp.status == 500
expect resp.http.empty == "D41D8CD98F00B204E9800998ECF8427E"
} -run
logexpect l1 -v v1 -d 1 -g vxid -q "VCL_Error" {
expect 0 * Begin req
expect * = VCL_Error "^vmod blobdigest error: already finalized in d1.update..$"
expect * = End
} -run
# hash() is legal in vcl_init and vcl_fini (as of Varnish 5.0)
varnish v2 -arg "-p debug=+vclrel" -vcl {
import blobdigest from "${vmod_topbuild}/src/.libs/libvmod_blobdigest.so";
import blobcode;
import blob;
import std;
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new empty = blobcode.blob(IDENTITY, "");
new md5 = blobcode.blob(HEX,
"D41D8CD98F00B204E9800998ECF8427E");
if (!blob.equal(blobdigest.hash(MD5, empty.get()), md5.get())) {
return(fail);
}
}
sub vcl_fini {
if (blob.equal(blobdigest.hash(MD5, empty.get()), md5.get())) {
std.log("blobs are equal");
}
else {
std.log("blobs not equal");
}
}
} -start
varnish v2 -vcl {
backend b { .host = "${bad_ip}"; }
}
logexpect l2 -v v2 -d 0 -g raw -q "VCL_Log" {
expect 0 * VCL_Log "^blobs are equal$"
} -start
varnish v2 -cliok "vcl.use vcl2"
varnish v2 -cliok "vcl.discard vcl1"
logexpect l2 -wait
......@@ -409,28 +409,14 @@ vmod_digest_final(VRT_CTX, struct vmod_blobdigest_digest *h)
return b;
}
VCL_VOID
vmod_hmac__init(VRT_CTX, struct vmod_blobdigest_hmac **hmacp,
const char *vcl_name, VCL_ENUM hashs, VCL_BLOB key)
static void
hmac_init(enum algorithm hash, VCL_BLOB restrict key,
hash_ctx * const restrict inner_ctx,
hash_ctx * const restrict outer_ctx)
{
struct vmod_blobdigest_hmac *hmac;
enum algorithm hash = parse_algorithm(hashs);
size_t blocksz = hashspec[hash].blocksz;
uint8_t k[blocksz], innerk[blocksz], outerk[blocksz];
CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);
AN(hmacp);
AZ(*hmacp);
AN(vcl_name);
ALLOC_OBJ(hmac, VMOD_BLOBDIGEST_HMAC_MAGIC);
AN(hmac);
*hmacp = hmac;
hmac->hash = hash;
hmac->vcl_name = strdup(vcl_name);
AN(key);
AN(key->priv);
memset(k, 0, blocksz);
if (key->len <= blocksz)
memcpy(k, key->priv, key->len);
......@@ -444,43 +430,73 @@ vmod_hmac__init(VRT_CTX, struct vmod_blobdigest_hmac **hmacp,
innerk[i] = k[i] ^ 0x36;
outerk[i] = k[i] ^ 0x5c;
}
init(hash, &hmac->inner_ctx);
init(hash, &hmac->outer_ctx);
update(hash, &hmac->inner_ctx, innerk, blocksz);
update(hash, &hmac->outer_ctx, outerk, blocksz);
init(hash, inner_ctx);
init(hash, outer_ctx);
update(hash, inner_ctx, innerk, blocksz);
update(hash, outer_ctx, outerk, blocksz);
}
VCL_BLOB
vmod_hmac_hmac(VRT_CTX, struct vmod_blobdigest_hmac *h, VCL_BLOB msg)
static VCL_BLOB
hmac_final(VRT_CTX, enum algorithm hash, VCL_BLOB restrict msg,
hash_ctx * const restrict inner_ctx,
hash_ctx * const restrict outer_ctx,
const char * const restrict context,
const char * const restrict caller)
{
struct vmod_priv *b;
hash_ctx inner_ctx, outer_ctx;
enum algorithm hash;
size_t digestsz;
size_t digestsz = hashspec[hash].digestsz;
CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);
CHECK_OBJ_NOTNULL(h, VMOD_BLOBDIGEST_HMAC_MAGIC);
hash = h->hash;
digestsz = hashspec[hash].digestsz;
b = ws_alloc_digest(ctx, digestsz, h->vcl_name, "hmac");
b = ws_alloc_digest(ctx, digestsz, context, caller);
if (b == NULL)
return NULL;
uint8_t inner_digest[digestsz];
memcpy(&inner_ctx, &h->inner_ctx, sizeof(hash_ctx));
memcpy(&outer_ctx, &h->outer_ctx, sizeof(hash_ctx));
/* Hash the message with the inner key */
update(hash, &inner_ctx, msg->priv, msg->len);
final(hash, &inner_ctx, inner_digest);
update(hash, inner_ctx, msg->priv, msg->len);
final(hash, inner_ctx, inner_digest);
/* Hash the result with the outer key */
update(hash, &outer_ctx, inner_digest, digestsz);
final(hash, &outer_ctx, b->priv);
update(hash, outer_ctx, inner_digest, digestsz);
final(hash, outer_ctx, b->priv);
return b;
}
VCL_VOID
vmod_hmac__init(VRT_CTX, struct vmod_blobdigest_hmac **hmacp,
const char *vcl_name, VCL_ENUM hashs, VCL_BLOB key)
{
struct vmod_blobdigest_hmac *hmac;
enum algorithm hash = parse_algorithm(hashs);
CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);
AN(hmacp);
AZ(*hmacp);
AN(vcl_name);
ALLOC_OBJ(hmac, VMOD_BLOBDIGEST_HMAC_MAGIC);
AN(hmac);
*hmacp = hmac;
hmac->hash = hash;
hmac->vcl_name = strdup(vcl_name);
hmac_init(hash, key, &hmac->inner_ctx, &hmac->outer_ctx);
}
VCL_BLOB
vmod_hmac_hmac(VRT_CTX, struct vmod_blobdigest_hmac *h, VCL_BLOB msg)
{
hash_ctx inner_ctx, outer_ctx;
CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);
CHECK_OBJ_NOTNULL(h, VMOD_BLOBDIGEST_HMAC_MAGIC);
memcpy(&inner_ctx, &h->inner_ctx, sizeof(hash_ctx));
memcpy(&outer_ctx, &h->outer_ctx, sizeof(hash_ctx));
return hmac_final(ctx, h->hash, msg, &inner_ctx, &outer_ctx,
h->vcl_name, "hmac");
}
VCL_VOID
vmod_hmac__fini(struct vmod_blobdigest_hmac **hmacp)
{
......@@ -515,6 +531,17 @@ vmod_hash(VRT_CTX, VCL_ENUM hashs, VCL_BLOB msg)
return b;
}
VCL_BLOB
vmod_hmacf(VRT_CTX, VCL_ENUM hashs, VCL_BLOB key, VCL_BLOB msg)
{
enum algorithm hash = parse_algorithm(hashs);
hash_ctx inner_ctx, outer_ctx;
hmac_init(hash, key, &inner_ctx, &outer_ctx);
return hmac_final(ctx, hash, msg, &inner_ctx, &outer_ctx, "blobdigest",
"hmacf");
}
VCL_STRING
vmod_version(VRT_CTX __attribute__((unused)))
{
......
......@@ -20,6 +20,8 @@ $Module blobdigest 3 digests, checksums and hmacs for the VCL blob type
new OBJECT = blobdigest.hmac(ENUM hash, BLOB key)
BLOB <obj>.hmac(BLOB msg)
BLOB blobdigest.hmacf(ENUM hash, BLOB key, BLOB msg)
DESCRIPTION
===========
......@@ -401,6 +403,36 @@ Example::
return(synth(401));
}
$Function BLOB hmacf(ENUM {MD5, SHA1, SHA224, SHA256, SHA384, SHA512, SHA3_224,
SHA3_256, SHA3_384, SHA3_512} hash, BLOB key,
BLOB msg)
Returns the HMAC for ``msg`` as specified by ``hash`` and the ``key``.
As with the ``digest`` object and ``hash`` function, the use of the
``hmac`` object is likely to be more efficient than the ``hmacf``
function, because the internal cryptographic state of the HMAC for a
given key is pre-computed in the object constructor. So if the key is
fixed and known at initialization time, then you should use the
``hmac`` object. The ``hmacf`` function should only be used if the key
is not known at runtime, or, for example, should be changed without
requiring a VCL reload.
Example::
import blobdigest;
import blobcode;
# Decode the base64-encoded string as a HMAC key, compute the
# SHA512 HMAC of the Msg header, and save the hex-encoded
# result in a header.
set req.http.HMAC
= blobcode.encode(HEXUC,
blobdigest.hmacf(SHA512,
blobcode.decode(BASE64, "Zm9v"),
blobcode.decode(IDENTITY,
req.http.Msg)));
$Function STRING version()
Returns the version string for this VMOD.
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment