DX-108149: Add support for CBC encryption mode

.github/workflows/csharp.yml

@@ -94,8 +94,8 @@ jobs:
         run: ci/scripts/csharp_test.sh $(pwd)
 
   macos:
-    name: AMD64 macOS 13 C# ${{ matrix.dotnet }}
-    runs-on: macos-13
+    name: AMD64 macOS 15 C# ${{ matrix.dotnet }}
+    runs-on: macos-15-intel
     if: ${{ !contains(github.event.pull_request.title, 'WIP') }}
     timeout-minutes: 15
     strategy:

.github/workflows/java.yml

@@ -106,8 +106,8 @@ jobs:
         run: archery docker push ${{ matrix.image }}
 
   macos:
-    name: AMD64 macOS 13 Java JDK ${{ matrix.jdk }}
-    runs-on: macos-13
+    name: AMD64 macOS 15 Java JDK ${{ matrix.jdk }}
+    runs-on: macos-15-intel
     if: ${{ !contains(github.event.pull_request.title, 'WIP') }}
     timeout-minutes: 30
     strategy:

.github/workflows/js.yml

@@ -81,8 +81,8 @@ jobs:
         run: archery docker push debian-js
 
   macos:
-    name: AMD64 macOS 13 NodeJS ${{ matrix.node }}
-    runs-on: macos-13
+    name: AMD64 macOS 15 NodeJS ${{ matrix.node }}
+    runs-on: macos-15-intel
     if: ${{ !contains(github.event.pull_request.title, 'WIP') }}
     timeout-minutes: 30
     strategy:

cpp/src/gandiva/CMakeLists.txt

@@ -56,7 +56,10 @@ set(SRC_FILES
     decimal_xlarge.cc
     engine.cc
     date_utils.cc
+    encrypt_utils_common.cc
     encrypt_utils_ecb.cc
+    encrypt_utils_cbc.cc
+    encrypt_mode_dispatcher.cc
     expr_decomposer.cc
     expr_validator.cc
     expression.cc
@@ -257,6 +260,8 @@ add_gandiva_test(internals-test
                  annotator_test.cc
                  tree_expr_test.cc
                  encrypt_utils_ecb_test.cc
+                 encrypt_utils_cbc_test.cc
+                 encrypt_utils_common_test.cc
                  expr_decomposer_test.cc
                  exported_funcs_registry_test.cc
                  expression_registry_test.cc

cpp/src/gandiva/encrypt_mode_dispatcher.cc

@@ -0,0 +1,81 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License") you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "gandiva/encrypt_mode_dispatcher.h"
+#include "gandiva/encrypt_utils_ecb.h"
+#include "gandiva/encrypt_utils_cbc.h"
+#include "arrow/util/string.h"
+#include <string>
+#include <sstream>
+#include <stdexcept>
+
+namespace gandiva {
+
+int32_t EncryptModeDispatcher::encrypt(
+    const char* plaintext, int32_t plaintext_len, const char* key,
+    int32_t key_len, const char* mode, int32_t mode_len, const char* iv,
+    int32_t iv_len, const char* fifth_argument, int32_t fifth_argument_len,
+    unsigned char* cipher) {
+  std::string mode_str =
+      arrow::internal::AsciiToUpper(std::string_view(mode, mode_len));
+
+  if (mode_str == "AES-ECB") {
+    return aes_encrypt_ecb(plaintext, plaintext_len, key, key_len, cipher);
+  } else if (mode_str == "AES-CBC-PKCS7") {
+    return aes_encrypt_cbc(plaintext, plaintext_len, key, key_len,
+                           iv, iv_len, true, cipher);
+  } else if (mode_str == "AES-CBC-NONE") {
+    return aes_encrypt_cbc(plaintext, plaintext_len, key, key_len,
+                           iv, iv_len, false, cipher);
+  } else if (mode_str == "AES-GCM") {
+    throw std::runtime_error("AES-GCM encryption mode is not yet implemented");
+  } else {
+    std::ostringstream oss;
+    oss << "Unsupported encryption mode: " << mode_str
+        << ". Supported modes: AES-ECB, AES-CBC-PKCS7, AES-CBC-NONE";
+    throw std::runtime_error(oss.str());
+  }
+}
+
+int32_t EncryptModeDispatcher::decrypt(
+    const char* ciphertext, int32_t ciphertext_len, const char* key,
+    int32_t key_len, const char* mode, int32_t mode_len, const char* iv,
+    int32_t iv_len, const char* fifth_argument, int32_t fifth_argument_len,
+    unsigned char* plaintext) {
+  std::string mode_str =
+      arrow::internal::AsciiToUpper(std::string_view(mode, mode_len));
+
+  if (mode_str == "AES-ECB") {
+    return aes_decrypt_ecb(ciphertext, ciphertext_len, key, key_len, plaintext);
+  } else if (mode_str == "AES-CBC-PKCS7") {
+    return aes_decrypt_cbc(ciphertext, ciphertext_len, key, key_len,
+                           iv, iv_len, true, plaintext);
+  } else if (mode_str == "AES-CBC-NONE") {
+    return aes_decrypt_cbc(ciphertext, ciphertext_len, key, key_len,
+                           iv, iv_len, false, plaintext);
+  } else if (mode_str == "AES-GCM") {
+    throw std::runtime_error("AES-GCM decryption mode is not yet implemented");
+  } else {
+    std::ostringstream oss;
+    oss << "Unsupported decryption mode: " << mode_str
+        << ". Supported modes: AES-ECB, AES-CBC-PKCS7, AES-CBC-NONE";
+    throw std::runtime_error(oss.str());
+  }
+}
+
+}  // namespace gandiva
+

cpp/src/gandiva/encrypt_mode_dispatcher.h

@@ -0,0 +1,83 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License") you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#ifndef GANDIVA_ENCRYPT_MODE_DISPATCHER_H
+#define GANDIVA_ENCRYPT_MODE_DISPATCHER_H
+
+#include <cstdint>
+
+namespace gandiva {
+
+/**
+ * Dispatcher for AES encryption/decryption based on mode string.
+ * Routes calls to appropriate implementation.
+ */
+class EncryptModeDispatcher {
+ public:
+  /**
+   * Encrypt data using the specified mode
+   *
+   * @param plaintext The data to encrypt
+   * @param plaintext_len Length of plaintext in bytes
+   * @param key The encryption key
+   * @param key_len Length of key in bytes
+   * @param mode Mode string
+   * @param mode_len Length of mode string in bytes
+   * @param iv The initialization vector (optional, only for modes that support it)
+   * @param iv_len Length of the IV in bytes
+   * @param fifth_argument Additional parameter (optional, only for modes that support it)
+   * @param fifth_argument_len Length of fifth_argument in bytes
+   * @param cipher Output buffer for encrypted data
+   * @return Length of encrypted data in bytes
+   * @throws std::runtime_error on encryption failure or unsupported mode
+   */
+  static int32_t encrypt(const char* plaintext, int32_t plaintext_len,
+                         const char* key, int32_t key_len,
+                         const char* mode, int32_t mode_len,
+                         const char* iv, int32_t iv_len,
+                         const char* fifth_argument, int32_t fifth_argument_len,
+                         unsigned char* cipher);
+
+  /**
+   * Decrypt data using the specified mode
+   *
+   * @param ciphertext The data to decrypt
+   * @param ciphertext_len Length of ciphertext in bytes
+   * @param key The decryption key
+   * @param key_len Length of key in bytes
+   * @param mode Mode string
+   * @param mode_len Length of mode string in bytes
+   * @param iv The initialization vector (optional, only for modes that support it)
+   * @param iv_len Length of the IV in bytes
+   * @param fifth_argument Additional parameter (optional, only for modes that support it)
+   * @param fifth_argument_len Length of fifth_argument in bytes
+   * @param plaintext Output buffer for decrypted data
+   * @return Length of decrypted data in bytes
+   * @throws std::runtime_error on decryption failure or unsupported mode
+   */
+  static int32_t decrypt(const char* ciphertext, int32_t ciphertext_len,
+                         const char* key, int32_t key_len,
+                         const char* mode, int32_t mode_len,
+                         const char* iv, int32_t iv_len,
+                         const char* fifth_argument, int32_t fifth_argument_len,
+                         unsigned char* plaintext);
+};
+
+}  // namespace gandiva
+
+#endif  // GANDIVA_ENCRYPT_MODE_DISPATCHER_H
+

cpp/src/gandiva/encrypt_utils_cbc.cc

@@ -0,0 +1,169 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "gandiva/encrypt_utils_cbc.h"
+#include "gandiva/encrypt_utils_common.h"
+#include <openssl/aes.h>
+#include <openssl/err.h>
+#include <stdexcept>
+#include <cstring>
+#include <sstream>
+#include <cctype>
+
+namespace gandiva {
+
+namespace {
+
+const EVP_CIPHER* get_cbc_cipher_algo(int32_t key_length) {
+  switch (key_length) {
+    case 16:
+      return EVP_aes_128_cbc();
+    case 24:
+      return EVP_aes_192_cbc();
+    case 32:
+      return EVP_aes_256_cbc();
+    default: {
+      std::ostringstream oss;
+      oss << "Unsupported key length for AES-CBC: " << key_length
+          << " bytes. Supported lengths: 16, 24, 32 bytes";
+      throw std::runtime_error(oss.str());
+    }
+  }
+}
+
+}  // namespace
+
+GANDIVA_EXPORT
+int32_t aes_encrypt_cbc(const char* plaintext, int32_t plaintext_len, const char* key,
+                        int32_t key_len, const char* iv, int32_t iv_len,
+                        bool use_padding, unsigned char* cipher) {
+  // Validate IV length
+  if (iv_len != 16) {
+    std::ostringstream oss;
+    oss << "Invalid IV length for AES-CBC: " << iv_len
+        << " bytes. IV must be exactly 16 bytes";
+    throw std::runtime_error(oss.str());
+  }
+
+  int32_t cipher_len = 0;
+  int32_t len = 0;
+  EVP_CIPHER_CTX* en_ctx = EVP_CIPHER_CTX_new();
+  const EVP_CIPHER* cipher_algo = get_cbc_cipher_algo(key_len);
+
+  if (!en_ctx) {
+    throw std::runtime_error("Could not create EVP cipher context for encryption: " +
+                             get_openssl_error_string());
+  }
+
+  if (!EVP_EncryptInit_ex(en_ctx, cipher_algo, nullptr,
+                          reinterpret_cast<const unsigned char*>(key),
+                          reinterpret_cast<const unsigned char*>(iv))) {
+    EVP_CIPHER_CTX_free(en_ctx);
+    throw std::runtime_error("Could not initialize EVP cipher context for encryption: " +
+                             get_openssl_error_string());
+  }
+
+  int padding_flag = use_padding ? 1 : 0;
+  if (!EVP_CIPHER_CTX_set_padding(en_ctx, padding_flag)) {
+    EVP_CIPHER_CTX_free(en_ctx);
+    throw std::runtime_error("Could not set padding mode for encryption: " +
+                             get_openssl_error_string());
+  }
+
+  if (!EVP_EncryptUpdate(en_ctx, cipher, &len,
+                         reinterpret_cast<const unsigned char*>(plaintext),
+                         plaintext_len)) {
+    EVP_CIPHER_CTX_free(en_ctx);
+    throw std::runtime_error("Could not update EVP cipher context for encryption: " +
+                             get_openssl_error_string());
+  }
+
+  cipher_len += len;
+
+  if (!EVP_EncryptFinal_ex(en_ctx, cipher + len, &len)) {
+    EVP_CIPHER_CTX_free(en_ctx);
+    throw std::runtime_error("Could not finalize EVP cipher context for encryption: " +
+                             get_openssl_error_string());
+  }
+
+  cipher_len += len;
+
+  EVP_CIPHER_CTX_free(en_ctx);
+  return cipher_len;
+}
+
+GANDIVA_EXPORT
+int32_t aes_decrypt_cbc(const char* ciphertext, int32_t ciphertext_len, const char* key,
+                        int32_t key_len, const char* iv, int32_t iv_len,
+                        bool use_padding, unsigned char* plaintext) {
+  // Validate IV length
+  if (iv_len != 16) {
+    std::ostringstream oss;
+    oss << "Invalid IV length for AES-CBC: " << iv_len
+        << " bytes. IV must be exactly 16 bytes";
+    throw std::runtime_error(oss.str());
+  }
+
+  int32_t plaintext_len = 0;
+  int32_t len = 0;
+  EVP_CIPHER_CTX* de_ctx = EVP_CIPHER_CTX_new();
+  const EVP_CIPHER* cipher_algo = get_cbc_cipher_algo(key_len);
+
+  if (!de_ctx) {
+    throw std::runtime_error("Could not create EVP cipher context for decryption: " +
+                             get_openssl_error_string());
+  }
+
+  if (!EVP_DecryptInit_ex(de_ctx, cipher_algo, nullptr,
+                          reinterpret_cast<const unsigned char*>(key),
+                          reinterpret_cast<const unsigned char*>(iv))) {
+    EVP_CIPHER_CTX_free(de_ctx);
+    throw std::runtime_error("Could not initialize EVP cipher context for decryption: " +
+                             get_openssl_error_string());
+  }
+
+  int padding_flag = use_padding ? 1 : 0;
+  if (!EVP_CIPHER_CTX_set_padding(de_ctx, padding_flag)) {
+    EVP_CIPHER_CTX_free(de_ctx);
+    throw std::runtime_error("Could not set padding mode for decryption: " +
+                             get_openssl_error_string());
+  }
+
+  if (!EVP_DecryptUpdate(de_ctx, plaintext, &len,
+                         reinterpret_cast<const unsigned char*>(ciphertext),
+                         ciphertext_len)) {
+    EVP_CIPHER_CTX_free(de_ctx);
+    throw std::runtime_error("Could not update EVP cipher context for decryption: " +
+                             get_openssl_error_string());
+  }
+
+  plaintext_len += len;
+
+  if (!EVP_DecryptFinal_ex(de_ctx, plaintext + len, &len)) {
+    EVP_CIPHER_CTX_free(de_ctx);
+    throw std::runtime_error("Could not finalize EVP cipher context for decryption: " +
+                             get_openssl_error_string());
+  }
+
+  plaintext_len += len;
+
+  EVP_CIPHER_CTX_free(de_ctx);
+  return plaintext_len;
+}
+
+}  // namespace gandiva
+