DX-108149: Add support for CBC abd GCM encryption modes

Author: timhurskidremio

.github/workflows/csharp.yml

@@ -98,8 +98,8 @@ jobs:
         run: ci/scripts/csharp_test.sh $(pwd)
 
   macos:
-    name: AMD64 macOS 13 C# ${{ matrix.dotnet }}
-    runs-on: macos-13
+    name: AMD64 macOS 15 C# ${{ matrix.dotnet }}
+    runs-on: macos-15-intel
     if: ${{ !contains(github.event.pull_request.title, 'WIP') }}
     timeout-minutes: 15
     strategy:

.github/workflows/js.yml

@@ -86,8 +86,8 @@ jobs:
         run: archery docker push debian-js
 
   macos:
-    name: AMD64 macOS 13 NodeJS ${{ matrix.node }}
-    runs-on: macos-13
+    name: AMD64 macOS 15 NodeJS ${{ matrix.node }}
+    runs-on: macos-15-intel
     if: ${{ !contains(github.event.pull_request.title, 'WIP') }}
     timeout-minutes: 45
     strategy:

cpp/src/gandiva/CMakeLists.txt

@@ -64,7 +64,11 @@ set(SRC_FILES
     decimal_xlarge.cc
     engine.cc
     date_utils.cc
-    encrypt_utils.cc
+    encrypt_utils_common.cc
+    encrypt_utils_ecb.cc
+    encrypt_utils_cbc.cc
+    encrypt_utils_gcm.cc
+    encrypt_mode_dispatcher.cc
     expr_decomposer.cc
     expr_validator.cc
     expression.cc
@@ -262,7 +266,10 @@ add_gandiva_test(internals-test
                  llvm_generator_test.cc
                  annotator_test.cc
                  tree_expr_test.cc
-                 encrypt_utils_test.cc
+                 encrypt_utils_ecb_test.cc
+                 encrypt_utils_cbc_test.cc
+                 encrypt_utils_gcm_test.cc
+                 encrypt_utils_common_test.cc
                  expr_decomposer_test.cc
                  exported_funcs_registry_test.cc
                  expression_registry_test.cc

cpp/src/gandiva/encrypt_mode_dispatcher.cc

@@ -0,0 +1,138 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License") you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "gandiva/encrypt_mode_dispatcher.h"
+#include "gandiva/encrypt_utils_ecb.h"
+#include "gandiva/encrypt_utils_cbc.h"
+#include "gandiva/encrypt_utils_gcm.h"
+#include "arrow/util/string.h"
+#include <string>
+#include <sstream>
+#include <stdexcept>
+#include <vector>
+
+namespace gandiva {
+
+// Supported encryption modes
+static const std::vector<std::string_view> SUPPORTED_MODES = {
+    AES_ECB_MODE, AES_ECB_PKCS7_MODE, AES_ECB_NONE_MODE,
+    AES_CBC_MODE, AES_CBC_PKCS7_MODE, AES_CBC_NONE_MODE,
+    AES_GCM_MODE
+};
+
+enum class EncryptionMode {
+  ECB,
+  ECB_PKCS7,
+  ECB_NONE,
+  CBC,
+  CBC_PKCS7,
+  CBC_NONE,
+  GCM,
+  UNKNOWN
+};
+
+EncryptionMode ParseEncryptionMode(std::string_view mode_str) {
+  if (mode_str == AES_ECB_MODE) return EncryptionMode::ECB;
+  if (mode_str == AES_ECB_PKCS7_MODE) return EncryptionMode::ECB_PKCS7;
+  if (mode_str == AES_ECB_NONE_MODE) return EncryptionMode::ECB_NONE;
+  if (mode_str == AES_CBC_MODE) return EncryptionMode::CBC;
+  if (mode_str == AES_CBC_PKCS7_MODE) return EncryptionMode::CBC_PKCS7;
+  if (mode_str == AES_CBC_NONE_MODE) return EncryptionMode::CBC_NONE;
+  if (mode_str == AES_GCM_MODE) return EncryptionMode::GCM;
+  return EncryptionMode::UNKNOWN;
+}
+
+int32_t EncryptModeDispatcher::encrypt(
+    const char* plaintext, int32_t plaintext_len, const char* key,
+    int32_t key_len, const char* mode, int32_t mode_len, const char* iv,
+    int32_t iv_len, const char* fifth_argument, int32_t fifth_argument_len,
+    unsigned char* cipher) {
+  std::string mode_str =
+      arrow::internal::AsciiToUpper(std::string_view(mode, mode_len));
+
+  switch (ParseEncryptionMode(mode_str)) {
+    case EncryptionMode::ECB:
+    case EncryptionMode::ECB_PKCS7:
+      // Shorthand AES-ECB and explicit AES-ECB-PKCS7 both use ECB with PKCS7 padding
+      return aes_encrypt_ecb(plaintext, plaintext_len, key, key_len, true, cipher);
+    case EncryptionMode::ECB_NONE:
+      // ECB without padding
+      return aes_encrypt_ecb(plaintext, plaintext_len, key, key_len, false, cipher);
+    case EncryptionMode::CBC:
+    case EncryptionMode::CBC_PKCS7:
+      // Shorthand AES-CBC and explicit AES-CBC-PKCS7 both use CBC with PKCS7
+      return aes_encrypt_cbc(plaintext, plaintext_len, key, key_len,
+                             iv, iv_len, true, cipher);
+    case EncryptionMode::CBC_NONE:
+      // CBC without padding
+      return aes_encrypt_cbc(plaintext, plaintext_len, key, key_len,
+                             iv, iv_len, false, cipher);
+    case EncryptionMode::GCM:
+      return aes_encrypt_gcm(plaintext, plaintext_len, key, key_len,
+                             iv, iv_len, fifth_argument, fifth_argument_len, cipher);
+    case EncryptionMode::UNKNOWN:
+    default: {
+      std::string modes_str = arrow::internal::JoinStrings(SUPPORTED_MODES, ", ");
+      std::ostringstream oss;
+      oss << "Unsupported encryption mode: " << mode_str
+          << ". Supported modes: " << modes_str;
+      throw std::runtime_error(oss.str());
+    }
+  }
+}
+
+int32_t EncryptModeDispatcher::decrypt(
+    const char* ciphertext, int32_t ciphertext_len, const char* key,
+    int32_t key_len, const char* mode, int32_t mode_len, const char* iv,
+    int32_t iv_len, const char* fifth_argument, int32_t fifth_argument_len,
+    unsigned char* plaintext) {
+  std::string mode_str =
+      arrow::internal::AsciiToUpper(std::string_view(mode, mode_len));
+
+  switch (ParseEncryptionMode(mode_str)) {
+    case EncryptionMode::ECB:
+    case EncryptionMode::ECB_PKCS7:
+      // Shorthand AES-ECB and explicit AES-ECB-PKCS7 both use ECB with PKCS7 padding
+      return aes_decrypt_ecb(ciphertext, ciphertext_len, key, key_len, true, plaintext);
+    case EncryptionMode::ECB_NONE:
+      // ECB without padding
+      return aes_decrypt_ecb(ciphertext, ciphertext_len, key, key_len, false, plaintext);
+    case EncryptionMode::CBC:
+    case EncryptionMode::CBC_PKCS7:
+      // Shorthand AES-CBC and explicit AES-CBC-PKCS7 both use CBC with PKCS7
+      return aes_decrypt_cbc(ciphertext, ciphertext_len, key, key_len,
+                             iv, iv_len, true, plaintext);
+    case EncryptionMode::CBC_NONE:
+      // CBC without padding
+      return aes_decrypt_cbc(ciphertext, ciphertext_len, key, key_len,
+                             iv, iv_len, false, plaintext);
+    case EncryptionMode::GCM:
+      return aes_decrypt_gcm(ciphertext, ciphertext_len, key, key_len,
+                             iv, iv_len, fifth_argument, fifth_argument_len, plaintext);
+    case EncryptionMode::UNKNOWN:
+    default: {
+      std::string modes_str = arrow::internal::JoinStrings(SUPPORTED_MODES, ", ");
+      std::ostringstream oss;
+      oss << "Unsupported decryption mode: " << mode_str
+          << ". Supported modes: " << modes_str;
+      throw std::runtime_error(oss.str());
+    }
+  }
+}
+
+}  // namespace gandiva
+

cpp/src/gandiva/encrypt_mode_dispatcher.h

@@ -0,0 +1,83 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License") you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#ifndef GANDIVA_ENCRYPT_MODE_DISPATCHER_H
+#define GANDIVA_ENCRYPT_MODE_DISPATCHER_H
+
+#include <cstdint>
+
+namespace gandiva {
+
+/**
+ * Dispatcher for AES encryption/decryption based on mode string.
+ * Routes calls to appropriate implementation.
+ */
+class EncryptModeDispatcher {
+ public:
+  /**
+   * Encrypt data using the specified mode
+   *
+   * @param plaintext The data to encrypt
+   * @param plaintext_len Length of plaintext in bytes
+   * @param key The encryption key
+   * @param key_len Length of key in bytes
+   * @param mode Mode string
+   * @param mode_len Length of mode string in bytes
+   * @param iv The initialization vector (optional, only for modes that support it)
+   * @param iv_len Length of the IV in bytes
+   * @param fifth_argument Additional parameter (optional, only for modes that support it)
+   * @param fifth_argument_len Length of fifth_argument in bytes
+   * @param cipher Output buffer for encrypted data
+   * @return Length of encrypted data in bytes
+   * @throws std::runtime_error on encryption failure or unsupported mode
+   */
+  static int32_t encrypt(const char* plaintext, int32_t plaintext_len,
+                         const char* key, int32_t key_len,
+                         const char* mode, int32_t mode_len,
+                         const char* iv, int32_t iv_len,
+                         const char* fifth_argument, int32_t fifth_argument_len,
+                         unsigned char* cipher);
+
+  /**
+   * Decrypt data using the specified mode
+   *
+   * @param ciphertext The data to decrypt
+   * @param ciphertext_len Length of ciphertext in bytes
+   * @param key The decryption key
+   * @param key_len Length of key in bytes
+   * @param mode Mode string
+   * @param mode_len Length of mode string in bytes
+   * @param iv The initialization vector (optional, only for modes that support it)
+   * @param iv_len Length of the IV in bytes
+   * @param fifth_argument Additional parameter (optional, only for modes that support it)
+   * @param fifth_argument_len Length of fifth_argument in bytes
+   * @param plaintext Output buffer for decrypted data
+   * @return Length of decrypted data in bytes
+   * @throws std::runtime_error on decryption failure or unsupported mode
+   */
+  static int32_t decrypt(const char* ciphertext, int32_t ciphertext_len,
+                         const char* key, int32_t key_len,
+                         const char* mode, int32_t mode_len,
+                         const char* iv, int32_t iv_len,
+                         const char* fifth_argument, int32_t fifth_argument_len,
+                         unsigned char* plaintext);
+};
+
+}  // namespace gandiva
+
+#endif  // GANDIVA_ENCRYPT_MODE_DISPATCHER_H
+