Fix AES-256-CBC content decryption for CLIENT_ENCRYPTION_KEY_SIZE=256#45
Merged
Merged
Conversation
With CLIENT_ENCRYPTION_KEY_SIZE=256, Snowflake writes file content using a 32-byte CEK with AES-CBC. Two bugs caused content decryption to fail with OpenSSL invalid key length: S3 path: "AES/CBC/PKCS5Padding" was unconditionally mapped to Aes128Cbc (16-byte key). Now selects Aes256Cbc when the unwrapped CEK is 32 bytes. Azure path: "AES_CBC_256" was incorrectly mapped to Aes128Cbc. Fixed to use Aes256Cbc. Add Aes256Cbc variant to CryptoScheme backed by aes_256_cbc cipher. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
weiherelationalai
force-pushed
the
fix-aes256-cbc-content-decryption
branch
from
3e37b6f to
ab5b568
Compare
- Extract S3/Azure content-scheme selection into pure, unit-testable helpers (s3_content_scheme / azure_content_scheme) and document why the S3 path infers key size from CEK length while Azure reads it from the algorithm name. - Cover the CLIENT_ENCRYPTION_KEY_SIZE=256 path: CEK-length-based 128 vs 256 selection, missing/unknown cek-alg handling, and Aes256Cbc content encrypt/decrypt + CrypterReader/Writer round-trips. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
After fixing the QSMK key unwrap (#43) and matdesc keySize (#44), content decryption still fails with:
With `CLIENT_ENCRYPTION_KEY_SIZE=256`, Snowflake writes file content using a 32-byte CEK with AES-CBC. Two bugs caused OpenSSL to receive a key of the wrong length:
S3 path: `"AES/CBC/PKCS5Padding"` was unconditionally mapped to `Aes128Cbc` (16-byte key cipher), regardless of the actual CEK size.
Azure path: `"AES_CBC_256"` was incorrectly mapped to `Aes128Cbc` — clearly a pre-existing bug.
Fix
Related