search

ClickHouse / ClickHouse

ClickHouse® is a real-time analytics DBMS
https://clickhouse.com
Apache License 2.0
37.22k stars 6.86k forks source link

AES encrypt and decrypt functions no longer support mode aes-128-cfb128 #40826

Closed MyroTk closed 2 years ago

MyroTk commented 2 years ago

Describe the unexpected behaviour Multiple AES related functions return Code: 36. DB::Exception: Received from localhost:9000. DB::Exception: Invalid mode: aes-128-cfb128 exception when using mode using aes-128-cfb128 . Works in previous versions.

How to reproduce


SELECT decrypt('aes-128-cfb128', unhex('03'), '1111111111111111', 'a222222222222222')

Query id: 3309f79a-33e7-4644-9ca1-b6f239d27f9e

0 rows in set. Elapsed: 0.004 sec. 

Received exception from server (version 22.8.2):
Code: 36. DB::Exception: Received from localhost:9000. DB::Exception: Invalid mode: aes-128-cfb128: While processing decrypt('aes-128-cfb128', unhex('03'), '1111111111111111', 'a222222222222222'). (BAD_ARGUMENTS)
MyroTk commented 2 years ago

This is happening with all the cfb128 modes. aes-192-cfb128 and aes-256-cfb128.

Was this functionality removed?

alexey-milovidov commented 2 years ago

This is the part of the BoringSSL library not certified for FIPS 140-2. You can read the changelog for ClickHouse version 22.5. If you really need CFB modes, please tell us about your use case.