This is an automated email from the ASF dual-hosted git repository.

joemcdonnell pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git


The following commit(s) were added to refs/heads/master by this push:
     new 1fe5fd746 IMPALA-14754: Allow GCM encryption without PCLMULQDQ
1fe5fd746 is described below

commit 1fe5fd746c8d148bf54b0069a76889260bb543a6
Author: Csaba Ringhofer <[email protected]>
AuthorDate: Wed Feb 18 17:00:29 2026 +0100

    IMPALA-14754: Allow GCM encryption without PCLMULQDQ
    
    Allows using aes_128_gcm/aes_256_gcm even when PCLMULQDQ
    is missing. While this may be suboptimal, OpenSSL should
    still be able to execute it.
    
    The usage of EncryptionKey::GetSupportedDefaultMode() is not
    changed, so it will still not return GCM without PCLMULQDQ.
    This is used for spill encryption and when aes_encrypt/aes_decrypt
    has no 'mode' specified.
    
    Testing:
    - ran tests on ARM host
    
    Change-Id: Ib6353fb9a686046274f1cbde79ecda7aa46adf0b
    Reviewed-on: http://gerrit.cloudera.org:8080/23997
    Reviewed-by: Impala Public Jenkins <[email protected]>
    Tested-by: Impala Public Jenkins <[email protected]>
---
 be/src/util/openssl-util.cc                        | 11 +++++-----
 be/src/util/openssl-util.h                         |  5 +++--
 .../QueryTest/encryption_exprs_aes_256_gcm.test    | 24 ++++++++++------------
 3 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/be/src/util/openssl-util.cc b/be/src/util/openssl-util.cc
index e34cd8e14..4302ac3b4 100644
--- a/be/src/util/openssl-util.cc
+++ b/be/src/util/openssl-util.cc
@@ -426,7 +426,7 @@ Status ValidateModeAndKeyLength(AES_CIPHER_MODE m, int 
key_len) {
 
 Status EncryptionKey::InitializeRandom(int iv_len, AES_CIPHER_MODE m) {
   mode_ = m;
-  if (!IsModeSupported(m)) {
+  if (!IsModeSupported(m, true)) {
     mode_ = GetSupportedDefaultMode();
     LOG(WARNING) << Substitute("$0 is not supported, fall back to $1.",
         ModeToString(m), ModeToString(mode_));
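Review bot: The fallback branch kept here still replaces the requested mode with `GetSupportedDefaultMode()` and reports it only through `LOG(WARNING)`, so a caller that asked for a GCM mode may end up with a key in a mode that produces no authentication tag. Passing `true` removes the missing-PCLMULQDQ trigger for this, but the branch is still reachable when `IsModeSupported` fails for another reason. Whether callers read the effective mode back before relying on a tag is not visible in this hunk. A comment such as `// May replace an authenticated mode (GCM) with an unauthenticated default; callers must not assume 'm' was applied.` would make the contract explicit. The body of InitializeRandom continues outside the hunk.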
@@ -578,7 +578,7 @@ const EVP_CIPHER* EncryptionKey::GetCipher() const {
 Status EncryptionKey::InitializeFields(const uint8_t* key, int key_len, const 
uint8_t* iv,
     int iv_len, AES_CIPHER_MODE m) {
   RETURN_IF_ERROR(ValidateModeAndKeyLength(m, key_len));
-  if (!IsModeSupported(m)) {
+  if (!IsModeSupported(m, true)) {
     return Status(Substitute("AES mode $0 is not supported by OpenSSL version 
($1) "
         "that Impala was built against.", ModeToString(m), 
OPENSSL_VERSION_TEXT));
   }
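Review bot: The bare `true` in `IsModeSupported(m, true)` does not say what it enables. Annotating the argument, `if (!IsModeSupported(m, /*allow_non_accelerated=*/true)) {`, keeps the call readable without opening the header. The same applies to the call in InitializeRandom in the previous hunk. As far as this diff shows, bypassing the CPU check also makes the error text that blames the OpenSSL version match the remaining failure cause for GCM.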
@@ -603,7 +603,8 @@ void EncryptionKey::GetGcmTag(uint8_t* out) const {
   memcpy(out, gcm_tag_, AES_BLOCK_SIZE);
 }
 
-bool EncryptionKey::IsModeSupported(AES_CIPHER_MODE m) {
+bool EncryptionKey::IsModeSupported(AES_CIPHER_MODE m, bool 
allow_non_accelerated) {
+  bool use_gcm_on_cpu = allow_non_accelerated || 
CpuInfo::IsSupported(CpuInfo::PCLMULQDQ);
   switch (m) {
       // It becomes a bit tricky for GCM mode, because GCM mode is enabled 
since
       // OpenSSL 1.0.1, but the tag validation only works since 1.0.1d. We have
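Review bot: `use_gcm_on_cpu` is introduced without a comment on what is traded away when GCM runs without PCLMULQDQ, and the commit message mentions only that it "may be suboptimal". Without carry-less multiply, OpenSSL uses a software GHASH. Depending on the OpenSSL version and platform, that fallback can be table-driven and so not guaranteed constant-time, which matters on shared hosts. I would record this next to the variable, e.g. `// Without PCLMULQDQ OpenSSL falls back to software GHASH: slower, and possibly table-based (cache-timing exposure) depending on the OpenSSL build.` The two GCM cases that consume this flag are in the next hunk, and the function body continues outside both.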
@@ -615,11 +616,11 @@ bool EncryptionKey::IsModeSupported(AES_CIPHER_MODE m) {
       // SSLeay() for GCM mode here since in the worst case, we will be using
       // AES_256_CTR in a system that supports AES_256_GCM.
     case AES_CIPHER_MODE::AES_256_GCM:
-      return (CpuInfo::IsSupported(CpuInfo::PCLMULQDQ)
+      return (use_gcm_on_cpu
           && SSLeay() >= OPENSSL_VERSION_1_0_1D && EVP_aes_256_gcm);
 
     case AES_CIPHER_MODE::AES_128_GCM:
-      return (CpuInfo::IsSupported(CpuInfo::PCLMULQDQ)
+      return (use_gcm_on_cpu
           && SSLeay() >= OPENSSL_VERSION_1_0_1D && EVP_aes_128_gcm);
 
     case AES_CIPHER_MODE::AES_256_CTR:
diff --git a/be/src/util/openssl-util.h b/be/src/util/openssl-util.h
index 189262f80..6295a8d25 100644
--- a/be/src/util/openssl-util.h
+++ b/be/src/util/openssl-util.h
@@ -292,8 +292,9 @@ class EncryptionKey {
   Status EncryptInternal(bool encrypt, const uint8_t* data, int64_t len,
       uint8_t* out, int64_t* out_len) WARN_UNUSED_RESULT;
 
-  /// Check if mode m is supported at runtime
-  static bool IsModeSupported(AES_CIPHER_MODE m);
+  /// Check if mode m is supported at runtime. If 'allow_non_accelerated' is 
false,
+  /// gcm is not allowed if the cpu lacks PCLMULQDQ.
+  static bool IsModeSupported(AES_CIPHER_MODE m, bool 
allow_non_accelerated=false);
 
   /// Track whether this key has been initialized, to avoid accidentally using
   /// uninitialized keys.
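Review bot: The new doc comment says what `false` does but not when a caller should pass `true`, and it leaves "non accelerated" undefined. Suggested wording: `/// Check if mode m is supported at runtime. 'allow_non_accelerated' only affects the GCM modes:` followed by `/// if false, GCM is reported as unsupported on CPUs without PCLMULQDQ; if true, GCM is allowed there and runs on OpenSSL's software path.` The default of `false` keeps existing callers on the stricter check, which per the commit message appears intended for default-mode selection.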
diff --git 
a/testdata/workloads/functional-query/queries/QueryTest/encryption_exprs_aes_256_gcm.test
 
b/testdata/workloads/functional-query/queries/QueryTest/encryption_exprs_aes_256_gcm.test
index d79371894..53b91c435 100644
--- 
a/testdata/workloads/functional-query/queries/QueryTest/encryption_exprs_aes_256_gcm.test
+++ 
b/testdata/workloads/functional-query/queries/QueryTest/encryption_exprs_aes_256_gcm.test
@@ -31,8 +31,10 @@ select 
base64encode(aes_encrypt(aes_decrypt(base64decode('F/DLkSwEikFOlqzXVCysy1
 STRING
 ====
 ---- QUERY
-select aes_decrypt(aes_encrypt('ABC', 
'12345678901234567890123456789012','AES_256_GCM','1234567890123456'),
-'12345678901234567890123456789012',NULL,'1234567890123456');
+# Check that the default mode is consistently encrypted and decrypted.
+# The default can vary based on openssl version and supported CPU instructions.
+select aes_decrypt(aes_encrypt('ABC', 
'12345678901234567890123456789012',NULL,'1234567890123456'),
+'12345678901234567890123456789012',NULL,'1234567890123456')
 ---- RESULTS
 'ABC'
 ---- TYPES
@@ -124,17 +126,13 @@ select 
aes_decrypt(base64decode('F/DLkSwEikFOlqzXVCysy1JX7Q=='),'123456789012345
 STRING
 ====
 ---- QUERY
-# Encryption/ decryption when mode is NULL, defaulting to GCM mode.
-select base64encode(aes_encrypt('ABC', 
'12345678901234567890123456789012',NULL,'1234567890123456'));
+# Encryption/decryption when mode is NULL, defaulting to AES_256_GCM or 
AES_256_CTR mode.
+# Note that backend code suggests that AES_256_CFB is also possible as 
default, but that
+# could only happen with old openssl versions that are no longer supported 
(IMPALA-14772).
+select base64encode(aes_encrypt('ABC', 
'12345678901234567890123456789012',NULL,'1234567890123456'))
+in ('F/DLkSwEikFOlqzXVCysy1JX7Q==', 'jmML')
 ---- RESULTS
-'F/DLkSwEikFOlqzXVCysy1JX7Q=='
+true
 ---- TYPES
-STRING
-====
----- QUERY
-select 
aes_decrypt(base64decode('F/DLkSwEikFOlqzXVCysy1JX7Q=='),'12345678901234567890123456789012',NULL,'1234567890123456');
----- RESULTS
-'ABC'
----- TYPES
-STRING
+BOOLEAN
 ====
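Review bot: The two accepted literals in the new `in (...)` check are not labelled, and the difference between them is security-relevant. `'jmML'` decodes to 3 bytes, the plaintext length with no tag. `'F/DLkSwEikFOlqzXVCysy1JX7Q=='` decodes to 19 bytes, i.e. 3 bytes plus a 16-byte tag. So the shorter value is presumably the AES_256_CTR output, and a NULL mode yields unauthenticated ciphertext on hosts where GCM is not the default. A comment line such as `# 'F/DL...' is AES_256_GCM (ciphertext + 16-byte tag); 'jmML' is AES_256_CTR (no tag, no integrity protection).` would make that visible. The assertion also passes whichever mode the host picks, so it no longer pins the default on any particular platform.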
