Forum Discussion
Harold_Deadman_
Nimbostratus
NimbostratusAES decryption returning empty string
I am working on encrypting some cookies but I must be doing something wrong because I get empty strings when I decrypt the cookie. I have made the following example to demonstrate what I am seeing. Does anyone see what I am doing wrong? This is on 9.4. Thanks.
when RULE_INIT {
set ::key [AES::key 256]
set stringtoencrypt "Testing encryption"
set encrypted [b64encode [AES::encrypt $::key $stringtoencrypt]]
log local0. "Encrypted and encoded $encrypted"
set decrypted [AES::decrypt $::key [b64decode $encrypted]]
log local0. "Decrypted and decoded $decrypted"
}
From the local logfile, note the decrypted value is empty:
Fri Apr 13 19:43:24 BST 2007 tmm tmm[1579] Rule : Decrypted and decoded
Fri Apr 13 19:43:24 BST 2007 tmm tmm[1579] Rule : Encrypted and encoded Ppoyd/a17LTVDQgmjJ39rXstNUNCLmJpDJvOlymi0allgb/MviS9JloTerv/ZrlefNnosSpI=
Harold_Deadman_The problem appears to be that the encrypted value doesn't survive the base 64 encoding/decoding process. If I do this:
when RULE_INIT {
set ::key [AES::key 256]
set stringtoencrypt "Testing encryption"
set encrypted [AES::encrypt $::key $stringtoencrypt]
log local0. "Encrypted $encrypted"
set decrypted [AES::decrypt $::key $encrypted]
log local0. "Decrypted $decrypted"
}
then it works but if I am going to put an encrypted value in a cookie I would think it would need it to be encoded.- Harold_Deadman_There are a couple wiki entries and a blog entry on this site that appear to be doing what my simple test i-rule is doing on init. F5 tech support wasn't able to give me any information beyond verifying my syntax so I am asking this forum again if anyone can verify that they have successfully encrypted and base 64 encoded cookies in 9.4 (and then decoded and decrypted the original value). When I have tried to decrypt AES encryption in other languages I get errors related to "padding". Might that be happening here?
Is the AES::decrypt method silently failing and returning an empty string on error? Is there any way to know what the error might be?
These are the other examples of people encrypting and decrypting cookies.
http://devcentral.f5.com/weblogs/Joe/archive/2005/11/09/1541.aspx
http://devcentral.f5.com/wiki/default.aspx/iRules/EncryptingCookie.html
http://devcentral.f5.com/wiki/default.aspx/iRules/ReverseProxyWithBasicSSO.html
Thanks, Hal - Hi Hal --
Your code seems to work fine on LTM v9.2.3 without modifications.
I'd contact Support with this info, and they can test on both versions.
HTH
/deb - Harold_Deadman_I will have someone switch our box back to 9.2 and confirm the test i-rule works on 9.2 and then re-open our support ticket. This wouldn't be the only problem we have seen on 9.4 that doesn't happen on 9.2.
Thanks for your help. - Harold_Deadman_I confirmed that it works on 9.2.2 so I will re-open our support issue and see if I can get a reason why it doesn't work on 9.4.
Tue May 1 18:03:09 BST 2007 tmm tmm[1021] Rule : Decrypted and decoded Testing encryption
Tue May 1 18:03:09 BST 2007 tmm tmm[1021] Rule : Encrypted and encoded l3sjqw0MPJanvKau2OBz5iL19TgpFtNptGBVlT6673LqI3wjJmvlOYFIM5qH 
Scott_LarsonI am experiencing the same problems with 9.4. I haven't tested back on 9.2 yet, but count me among the disappointed...and please let me know if/when a patch is released!
Thanks,
-Scott
Chad_Mentzer_14The issue appears to happen in v9.3, too. We are moving from v9.0.4 to v9.3 and have found our iRules using AES encryption are no longer working. The base64 encode / decode appears to be changing something.
Any word back from support on this one?
Thank you,
-Chad- Scott_LarsonF5 support has confirmed this is a known bug that is fixed in hotfix 9.4.1
- Thanks for the follow up, that's very helpful info to share.
- Oops, hit Submit too soon -- updating the wiki page now with version specific details.
/deb
