Forum Discussion

DavidW_20496
Feb 24, 2015

HMAC Question

F5 posted an example for generating an HMAC based on sha256

 https://devcentral.f5.com/wiki/iRules.HMAC.ashx 

On line 31 there is:

set token [sha256 $opad[sha256 "${ipad}${message}"]]

The inner sha256 takes a string parameter. The outer sha256 seems to take a string concatenated with the byte array result of the inner sha256. This looks very odd, to concatenate different types. What actually happens here?

4 Replies

  • Looks like TCL allows for that sort of concatenation. I took a few minutes but didn't find a documented example of it. The code example does work, however, and modifying it to the following still returns the same results.

     

    set innerdata [sha256 "${ipad}${message}"]
    set token [sha256 "${opad}${innerdata}"]
  • Thanks. Yep, found a comment that Tcl treats byte arrays as strings.

     

    Am now questioning whether the HmacSha256 is actually quite to spec. It doesn't pad the key if the key is less than the block length but then does pad the ipad and opad, but with 6 and . This doesn't look like it is doing this to standard, but may be the equivalent.

     

    Anyway, doesn't matter for me; I don't need a super secure HMAC, and can save cycles by doing something simpler, just using the built-in sha256.

     

  • Ta. But we have 10.x. If we ever get around to upgrading/replacing though, will use.
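
On the second reply's question of whether padding ipad and opad after the XOR is equivalent to the standard: this added example (not part of the thread and not F5's iRule) models the construction in Python as the reply describes it and checks it against the RFC 2104 wording and the standard-library `hmac` module. The function names, the sample keys and the hashing of over-long keys in the variant are assumptions.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 block size in bytes


def hmac_rfc2104(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 as RFC 2104 words it: zero-pad the key, then XOR."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()


def hmac_pad_after_xor(key: bytes, msg: bytes) -> bytes:
    """Variant described in the thread: XOR only the key bytes, then fill
    ipad with 0x36 (ASCII '6') and opad with 0x5c (ASCII backslash)."""
    # Assumption: keys longer than one block are hashed first, as in RFC 2104.
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    # 0x00 ^ 0x36 == 0x36 and 0x00 ^ 0x5c == 0x5c, so filling with the pad
    # byte after the XOR gives the same block as zero-padding before it.
    ipad = bytes(b ^ 0x36 for b in key) + b"6" * (BLOCK - len(key))
    opad = bytes(b ^ 0x5C for b in key) + b"\\" * (BLOCK - len(key))
    inner = hashlib.sha256(ipad + msg).digest()  # raw 32-byte digest
    return hashlib.sha256(opad + inner).digest()


def all_agree(key: bytes, msg: bytes) -> bool:
    """True when both hand-built versions match the library HMAC."""
    ref = hmac.new(key, msg, hashlib.sha256).digest()
    return (hmac.compare_digest(ref, hmac_rfc2104(key, msg))
            and hmac.compare_digest(ref, hmac_pad_after_xor(key, msg)))


# Constructed sample keys: shorter than, equal to, and longer than one block.
SAMPLE_KEYS = [b"k", b"secret-key", b"A" * 64, b"B" * 100]

if __name__ == "__main__":
    for k in SAMPLE_KEYS:
        print(len(k), all_agree(k, b"constructed sample message"))
```
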