(impala) branch master updated: IMPALA-13592: Set IV length before setting IV in OpenSsl

Thu, 16 Jan 2025 07:22:12 -0800 

This is an automated email from the ASF dual-hosted git repository.

csringhofer pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git


The following commit(s) were added to refs/heads/master by this push:
     new 99545fbf4 IMPALA-13592: Set IV length before setting IV in OpenSsl
99545fbf4 is described below

commit 99545fbf4511df76b69e58f1a4abe5e58ccfce49
Author: Csaba Ringhofer <[email protected]>
AuthorDate: Mon Jan 13 23:34:50 2025 +0100

    IMPALA-13592: Set IV length before setting IV in OpenSsl
    
    Setting IV with non default length before setting the length
    is not correct. With newer OpenSsl (3.2) this lead to failing
    AES-GCM encryption
    (likely since https://github.com/openssl/openssl/pull/22590).
    
    The fix is to call EVP_(En/De)cryptInit_ex first without iv,
    then set iv length and call EVP_EncryptInit_ex again with iv
    (but without mode).
    
    Change-Id: I243f1d487d8ba5dc44b5cc361e041c83598d83c1
    Reviewed-on: http://gerrit.cloudera.org:8080/22337
    Reviewed-by: Csaba Ringhofer <[email protected]>
    Tested-by: Csaba Ringhofer <[email protected]>
---
 be/src/util/openssl-util.cc | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/be/src/util/openssl-util.cc b/be/src/util/openssl-util.cc
index d661caf41..8d9a647c5 100644
--- a/be/src/util/openssl-util.cc
+++ b/be/src/util/openssl-util.cc
@@ -220,8 +220,8 @@ Status EncryptionKey::EncryptInternal(
   // mode is well-optimized(instruction level parallelism) with hardware 
acceleration
   // on x86 and PowerPC
   const EVP_CIPHER* evpCipher = GetCipher();
-  int success = encrypt ? EVP_EncryptInit_ex(ctx.ctx, evpCipher, NULL, key_, 
iv_) :
-                          EVP_DecryptInit_ex(ctx.ctx, evpCipher, NULL, key_, 
iv_);
+  int success = encrypt ? EVP_EncryptInit_ex(ctx.ctx, evpCipher, NULL, NULL, 
NULL) :
+                          EVP_DecryptInit_ex(ctx.ctx, evpCipher, NULL, NULL, 
NULL);
   if (success != 1) {
     return OpenSSLErr(encrypt ? "EVP_EncryptInit_ex" : "EVP_DecryptInit_ex", 
err_context);
   }
@@ -231,6 +231,12 @@ Status EncryptionKey::EncryptInternal(
       return OpenSSLErr("EVP_CIPHER_CTX_ctrl", err_context);
     }
   }
+  // setting iv after changing iv len, see 
https://github.com/openssl/openssl/pull/22590
+  success = encrypt ? EVP_EncryptInit_ex(ctx.ctx, NULL, NULL, key_, iv_) :
+                      EVP_DecryptInit_ex(ctx.ctx, NULL, NULL, key_, iv_);
+  if (success != 1) {
+    return OpenSSLErr(encrypt ? "EVP_EncryptInit_ex" : "EVP_DecryptInit_ex", 
err_context);
+  }
 
   // The OpenSSL encryption APIs use ints for buffer lengths for some reason. 
To support
   // larger buffers we need to chunk larger buffers into smaller parts.

Reply via email to