accumulo-notifications mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] ctubbsii commented on a change in pull request #322: ACCUMULO-4740 Enable GCM mode for crypto
Date Thu, 01 Jan 1970 00:00:00 GMT
ctubbsii commented on a change in pull request #322: ACCUMULO-4740 Enable GCM mode for crypto
URL: https://github.com/apache/accumulo/pull/322#discussion_r151213972
 
 

 ##########
 File path: core/src/main/java/org/apache/accumulo/core/security/crypto/CryptoModuleParameters.java
 ##########
 @@ -570,6 +570,52 @@ public void setBlockStreamSize(int blockStreamSize) {
   }
 
   /**
+   * Returns the mode from the cipher suite. Assumes the suite is in the form of algorithm/mode/padding,
returns null if the cipher suite is malformed or
+   * NullCipher.
+   *
+   * @return the encryption mode from the cipher suite
+   */
+  public String getCipherSuiteEncryptionMode() {
+    String[] parts = this.cipherSuite.split("/");
+    if (parts.length == 3) {
+      return parts[1];
+    } else {
+      return null;
+    }
+  }
+
+  /**
+   * Updates the initialization vector for use when the encryption mode is GCM. If the IV
is not currently null, and the encryption mode is GCM, it will
+   * increment the IV instead of letting the CryptoModule decide what to do.
+   */
+  public void updateInitializationVector() {
+    if (this.initializationVector != null && getCipherSuiteEncryptionMode().equals(DefaultCryptoModule.ALGORITHM_PARAMETER_SPEC_GCM))
{
+      incrementIV(this.initializationVector, this.initializationVector.length - 1);
+    } else {
+      this.initializationVector = null;
+    }
+  }
+
+  /**
+   * Because IVs can be longer than longs, this increments arbitrarily sized byte arrays
by 1, with a roll over to 0 after the max value is reached.
+   *
+   * @param iv
+   *          The iv to be incremented
+   * @param i
+   *          The current byte being incremented
+   */
+  private static void incrementIV(byte[] iv, int i) {
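
Review bot: In updateInitializationVector(), the call `getCipherSuiteEncryptionMode().equals(...)` throws a NullPointerException whenever the IV is non-null and the cipher suite is malformed or NullCipher, since the getter's own Javadoc documents a null return for exactly those cases. Putting the constant first, `DefaultCryptoModule.ALGORITHM_PARAMETER_SPEC_GCM.equals(getCipherSuiteEncryptionMode())`, lets that case fall through to the else branch instead. Separately, the incrementIV Javadoc describes a roll over to 0 after the max value is reached; with GCM, a repeated IV under the same key breaks both confidentiality and authentication, so the wrap should either raise an error or be documented together with the bound on how many increments a single key can see.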
 
 Review comment:
   This implementation looks correct to me, but I think it should have its own unit test,
to be sure, and to prevent regressions. I think testing all the boundary cases for arrays
of length 1, 2, and 3, would be sufficient to cover all possible cases. (`i == 0, i == a.len-1,
and 0 < i < a.len-1`)

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
