Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SPARK-47172][CORE] Add support for AES-GCM for RPC encryption #46515

Open
wants to merge 8 commits into
base: master
Choose a base branch
from
Open

[SPARK-47172][CORE] Add support for AES-GCM for RPC encryption #46515

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
0bfe017
[SPARK-47172] Add support for AES-GCM for RPC encryption
sweisdb May 8, 2024
b9baf22
[SPARK-47172] Updating GcmTransportCipher to use buffered streaming
sweisdb May 15, 2024
71cd10d
Adding missing import
sweisdb May 21, 2024
5f8cd7f
[SPARK-47172] Addressing reviewer comments
sweisdb May 28, 2024
81a3ca0
[SPARK-47172] Addressing reviewer comments
sweisdb Jun 4, 2024
5bc503a
[SPARK-47172] Addressing reviewer comments
sweisdb Jun 7, 2024
4ceeee3
[SPARK-47172] Moving ByteBufferWriteableChannel to its own class
sweisdb Jun 7, 2024
4df0367
[SPARK-47172] Addressing comments & Refactoring AuthEngine test suite…
sweisdb Jun 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
21 changes: 15 additions & 6 deletions common/network-common/src/main/java/org/apache/spark/network/crypto/AuthEngine.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,8 @@ class AuthEngine implements Closeable {
public static final byte[] INPUT_IV_INFO = "inputIv".getBytes(UTF_8);
public static final byte[] OUTPUT_IV_INFO = "outputIv".getBytes(UTF_8);
private static final String MAC_ALGORITHM = "HMACSHA256";
private static final String LEGACY_CIPHER_ALGORITHM = "AES/CTR/NoPadding";
private static final String CIPHER_ALGORITHM = "AES/GCM/NoPadding";
private static final int AES_GCM_KEY_SIZE_BYTES = 16;
private static final byte[] EMPTY_TRANSCRIPT = new byte[0];
private static final int UNSAFE_SKIP_HKDF_VERSION = 1;
Expand Down Expand Up @@ -227,12 +229,19 @@ private TransportCipher generateTransportCipher(
OUTPUT_IV_INFO, // This is the HKDF info field used to differentiate IV values
AES_GCM_KEY_SIZE_BYTES);
SecretKeySpec sessionKey = new SecretKeySpec(derivedKey, "AES");
return new TransportCipher(
cryptoConf,
conf.cipherTransformation(),
sessionKey,
isClient ? clientIv : serverIv, // If it's the client, use the client IV first
isClient ? serverIv : clientIv);
if (LEGACY_CIPHER_ALGORITHM.equalsIgnoreCase(conf.cipherTransformation())) {
return new CtrTransportCipher(
cryptoConf,
sessionKey,
isClient ? clientIv : serverIv, // If it's the client, use the client IV first
isClient ? serverIv : clientIv);
} else if (CIPHER_ALGORITHM.equalsIgnoreCase(conf.cipherTransformation())) {
return new GcmTransportCipher(sessionKey);
} else {
throw new IllegalArgumentException(
String.format("Unsupported cipher mode: %s. %s and %s are supported.",
conf.cipherTransformation(), CIPHER_ALGORITHM, LEGACY_CIPHER_ALGORITHM));
}
}

private byte[] getTranscript(AuthMessage... encryptedPublicKeys) {
Expand Down