DX-108149: Add support for CBC encryption mode#104
Merged
timhurskidremio merged 3 commits intodremio:dremio_26.1_18.1.0from Nov 26, 2025
Merged
Conversation
|
Thanks for opening a pull request! If this is not a minor PR. Could you open an issue for this pull request on GitHub? https://github.com/apache/arrow/issues/new/choose Opening GitHub issues ahead of time contributes to the Openness of the Apache Arrow project. Then could you also rename the pull request title in the following format? or See also: |
timhurskidremio
changed the title
timhurskidremio
force-pushed
the
add-support-for-cbc-encryption-mode
branch
2 times, most recently
from
a7340e1 to
275bce1
Compare
timhurskidremio
force-pushed
the
add-support-for-cbc-encryption-mode
branch
from
275bce1 to
0cb4be4
Compare
…date macOS runner versions - Create ensure_mode() helper that throws std::runtime_error for invalid modes - Update all ECB and CBC AES functions (3 encrypt + 3 decrypt) to use ensure_mode() - Wrap all function bodies in try-catch to handle exceptions from ensure_mode() - Consistent error handling across ECB and CBC modes - Update CBC function signatures to include mode parameter: (data, key, mode, iv, padding) - Update function registry to reflect new CBC parameter order - Update LLVM mappings comments for clarity - Update test expectations to match new error messages - Update macOS runner versions from macos-13 to macos-15-intel in CI workflows - Excludes GCM mode changes from the original commits
timhurskidremio
force-pushed
the
add-support-for-cbc-encryption-mode
branch
from
b3041bc to
00f53d4
Compare
lriggs
approved these changes
Nov 20, 2025
timhurskidremio
force-pushed
the
add-support-for-cbc-encryption-mode
branch
from
0f66741 to
88e87b3
Compare
timhurskidremio
force-pushed
the
add-support-for-cbc-encryption-mode
branch
6 times, most recently
from
a9d5636 to
5bdb71e
Compare
timhurskidremio
force-pushed
the
add-support-for-cbc-encryption-mode
branch
from
5bdb71e to
68e180d
Compare
lriggs
reviewed
Nov 26, 2025
| std::string mode_str = | ||
| arrow::internal::AsciiToUpper(std::string_view(mode, mode_len)); | ||
|
|
||
| if (mode_str == "AES-ECB") { |
There was a problem hiding this comment.
If any of these comments are used more than once it would be good to make them constants. That could be done in a follow up pr though.
lriggs
approved these changes
Nov 26, 2025
timhurskidremio
merged commit 933db02
into
dremio:dremio_26.1_18.1.0
14 of 44 checks passed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This change adds support for AES CBC mode with the following signatures:
AES_ENCRYPT(BINARY, BINARY, UTF8, BINARY) → BINARY
Parameters: plaintext (binary), key (binary), mode (string), iv (binary)
AES_DECRYPT(BINARY, BINARY, UTF8, BINARY) → BINARY
Parameters: ciphertext (binary), key (binary), mode (string), iv (binary)
The mode can be either
AES-CBC-NONEfor a no-padding call orAES-CBC-PKCS7for a call with paddingAdditional changes:
AES-ECBAES_ENCRYPTandAES_DECRYPTThe functional mapping is as follows:
AES_ENCRYPT(<plain text>, <key>, <mode>) → <ciphertext>→ 3-arg stubAES_ENCRYPT(<plain text>, <key>, <mode>, <iv>) → <ciphertext>→ 4-arg stubAES_ENCRYPT(<plain text>, <key>, <mode>, <iv>, <5th argument>) → <ciphertext>→ 5-arg stub3-arg stub → 5-arg stub with the 4ᵗʰ and 5ᵗʰ arguments set to
nullptr4-arg stub → 5-arg stub with the 5ᵗʰ arguments set to
nullptr5-arg stub → dispatcher
Dispatcher:
AES-ECB→aes_decrypt_ecbAES-CBC-PKCS7→aes_decrypt_cbcAES-CBC-NONE→aes_decrypt_cbcAES-GCM→ Runtime exception