Bug ID 567217: iRule validator rejects CRYPTO::encrypt/decrypt -padding oaep

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:

Opened: Jan 12, 2016

Severity: 3-Major


CRYPTO::encrypt and CRYPTO::decrypt can be used to perform asymmetric operations when '-alg rsa-pub' or '-alg rsa-priv' are selected. The '-padding' option selects the type of padding applied to the input before CRYPTO::encrypt or after CRYPTO::decrypt. Two padding types are supported. '-padding pkcs' selects PKCS#1v2.1 padding, which is the default; and '-padding oaep' selects OAEP padding. In BIGIP v12.0.0, a valid iRule which uses the CRYPTO::encrypt or CRYPTO::decrypt methods, and includes the '-padding' option, will be rejected when attempting to save the iRule in the configuration.


The '-padding' option is unavailable, which will impact iRules that depend upon OAEP padding.


BIGIP v12.0.0 through HF1 is known to be affected.



Fix Information

Support '-padding' option for CRYPTO::encrypt and CRYPTO::decrypt iRules.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips