[ https://issues.apache.org/jira/browse/IMPALA-14754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18060443#comment-18060443 ]

ASF subversion and git services commented on IMPALA-14754:
----------------------------------------------------------

Commit 1fe5fd746c8d148bf54b0069a76889260bb543a6 in impala's branch 
refs/heads/master from Csaba Ringhofer
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=1fe5fd746 ]

IMPALA-14754: Allow GCM encryption without PCLMULQDQ

Allows using aes_128_gcm/aes_256_gcm even when PCLMULQDQ
is missing. While this may be suboptimal, OpenSSL should
still be able to execute it.

The usage of EncryptionKey::GetSupportedDefaultMode() is not
changed, so it will still not return GCM without PCLMULQDQ.
This is used for spill encryption and when aes_encrypt/aes_decrypt
has no 'mode' specified.

Testing:
- ran tests on ARM host

Change-Id: Ib6353fb9a686046274f1cbde79ecda7aa46adf0b
Reviewed-on: http://gerrit.cloudera.org:8080/23997
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>


> AES cipher mode selection is bound to PCLMULQDQ
> -----------------------------------------------
>
>                 Key: IMPALA-14754
>                 URL: https://issues.apache.org/jira/browse/IMPALA-14754
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Backend
>            Reporter: Peter Rozsa
>            Assignee: Pranav Yogi Lodha
>            Priority: Major
>
> EncryptionKey::IsModeSupported checks for the PCLMULQDQ CPU capability even
> on an ARM platform. That makes 'test_encryption_exprs' fail on ARM by
> throwing an error that shows AES_256_GCM is not supported on that version of
> OpenSSL, even though the oldest version of supported ARM platforms support
> AES_256_GCM.
>
> By checking the source for OpenSSL 1.1.1, there's a hardware-accelerated
> solution for GHASH (which is required for AES_256_GCM)
> (https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/modes/asm/ghashv8-armx.pl)
> and it builds on the PMULL ARM capability.
> To resolve this issue, Impala should check for PMULL capability as well, but
> it will introduce different default mode selection for different purposes:
> IsModeSupported is called for spill encryption and for aes_*crypt UDFs as
> well, and it should be decoupled to make the UDFs consistent across
> platforms.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
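
Added example, not code from the Impala commit or the issue: the decoupling the commit message describes, written in C. An explicit mode request is gated only on library support, while the default mode is gated on a carry-less-multiply check (PCLMULQDQ on x86, PMULL on ARM64 Linux). The enum, the function names and the CTR fallback are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#elif defined(__aarch64__) && defined(__linux__)
#include <sys/auxv.h>
#include <asm/hwcap.h>
#endif

/* Hypothetical mode names; Impala's real enum is not shown on this page. */
typedef enum { MODE_CTR, MODE_GCM } aes_mode;

/* True when the CPU exposes the carry-less multiply that accelerated
 * GHASH relies on: PCLMULQDQ on x86, PMULL on ARM64. */
static bool has_clmul(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d)) return false;
    return (c & (1u << 1)) != 0;               /* CPUID.1:ECX bit 1 = PCLMULQDQ */
#elif defined(__aarch64__) && defined(__linux__)
    return (getauxval(AT_HWCAP) & HWCAP_PMULL) != 0;
#else
    return false;                              /* unknown platform: assume no acceleration */
#endif
}

/* Explicit request (a 'mode' argument was given): allowed whenever the
 * crypto library implements the mode, independent of CPU features. */
static bool mode_allowed(aes_mode m, bool lib_has_gcm) {
    return m == MODE_GCM ? lib_has_gcm : true;
}

/* Default choice (no 'mode' given, or spill encryption): pick GCM only
 * when GHASH is hardware accelerated. CTR as fallback is an assumption. */
static aes_mode default_mode(bool lib_has_gcm, bool clmul) {
    return (lib_has_gcm && clmul) ? MODE_GCM : MODE_CTR;
}

int main(void) {
    bool clmul = has_clmul();
    bool lib_has_gcm = true;                   /* assumed: the linked library provides GCM */
    printf("carry-less multiply: %s\n", clmul ? "yes" : "no");
    printf("explicit GCM allowed: %s\n", mode_allowed(MODE_GCM, lib_has_gcm) ? "yes" : "no");
    printf("default mode: %s\n", default_mode(lib_has_gcm, clmul) == MODE_GCM ? "GCM" : "CTR");
    return 0;
}
```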
