Skip to content

DX-108149: Move ECB encryption mode into its own module #103

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
timhurskidremio merged 1 commit into from
Nov 20, 2025
Merged

DX-108149: Move ECB encryption mode into its own module #103

timhurskidremio merged 1 commit into from
Nov 20, 2025

Conversation

@timhurskidremio
Copy link

@timhurskidremio timhurskidremio commented Nov 12, 2025
edited
Loading

Before adding the new modes, we need to reorganize the existing code to make room for the new stuff

This PR:

  1. Moves the existing AES-EBC functions into their own modules (cpp/src/gandiva/encrypt_utils.*cpp/src/gandiva/encrypt_utils_ecb.*)
  2. Enhances error messages to better communicate what went wrong (it captures OpenSSL exception details where possible as well)
  3. Adds missing resource release to fix memory leaks
  4. Adds a new signature for the ECB mode that operates on VARBINARY instead of VARCHAR as VARCHAR is vulnerable to non-UTF8-compliant values. For example, this query errors out with unexpected byte \24 encountered while decoding utf8 string:
SELECT
  'Test 1: Null byte at position 8' AS test_name,
  AES_ENCRYPT(
    '2sp_`f pO:Jzy{Rd',
    'Nn4n6[s0MqsLG%<7'
  ) AS encrypted_result,
  LENGTH(AES_ENCRYPT(
    '2sp_`f pO:Jzy{Rd',
    'Nn4n6[s0MqsLG%<7'
  )) AS result_length;

AES_ENCRYPT and AES_DECRYPT signatures after this change:
(utf8, utf8) → utf8 - the original signature for backward compatibility
(varbinary, varbinary, 'ECB') → varbinary - the new signature that will be consistent with signatures for CBC and GCM, and isn't vulnerable to non-UTF8-compliant data

Both signatures ultimately are handled by the same implementation

@github-actions
Copy link

github-actions bot commented Nov 12, 2025

Thanks for opening a pull request!

If this is not a minor PR. Could you open an issue for this pull request on GitHub? https://github.com/apache/arrow/issues/new/choose

Opening GitHub issues ahead of time contributes to the Openness of the Apache Arrow project.

Then could you also rename the pull request title in the following format?

GH-${GITHUB_ISSUE_ID}: [${COMPONENT}] ${SUMMARY}

or

MINOR: [${COMPONENT}] ${SUMMARY}

See also:

@timhurskidremio
Copy link
Author

timhurskidremio commented Nov 12, 2025

https://github.com/Vijeth-test/arrow-build/actions/runs/19307224255

@timhurskidremio timhurskidremio force-pushed the move-ecb-encryption-mode branch from 4de0ec4 to 7bbf268 Compare November 13, 2025 01:56
@timhurskidremio timhurskidremio force-pushed the move-ecb-encryption-mode branch 3 times, most recently from c4529af to 57fb0ab Compare November 13, 2025 16:24
@timhurskidremio timhurskidremio changed the title Move ECB encryption mode into its own module DX-108149: Move ECB encryption mode into its own module Nov 13, 2025
@timhurskidremio timhurskidremio force-pushed the move-ecb-encryption-mode branch from 57fb0ab to bc44e63 Compare November 14, 2025 02:34
@timhurskidremio timhurskidremio marked this pull request as ready for review November 14, 2025 06:35
@lriggs
Copy link

lriggs commented Nov 17, 2025

Is there a plan to make these changes upstream in apache/arrow?

@timhurskidremio
Copy link
Author

timhurskidremio commented Nov 20, 2025

Yes, once all of the encryption has been implemented

@timhurskidremio timhurskidremio merged commit 8817691 into dremio:dremio_26.1_18.1.0 Nov 20, 2025
7 of 30 checks passed
@timhurskidremio timhurskidremio mentioned this pull request Dec 12, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lriggs lriggs lriggs approved these changes

Assignees

No one assigned

Labels

awaiting review Component: C++ Component: Documentation Component: FlightRPC Component: Gandiva Component: GLib Component: MATLAB Component: Parquet Component: Python Component: R Component: Ruby Encryption enhancement

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@timhurskidremio @lriggs