Merge pull request ClickHouse#78745 from rschu1ze/openssl-api

nikitamikhaylov · web-flow · commit a5b66c6b833f · 2025-04-07T10:47:50.000Z
Further modernization of OpenSSL calls
diff --git a/src/Common/OpenSSLHelpers.cpp b/src/Common/OpenSSLHelpers.cpp
@@ -46,13 +46,13 @@ void encodeSHA256(const void * text, size_t size, unsigned char * out)
     auto ctx = std::unique_ptr<EVP_MD_CTX, decltype(&EVP_MD_CTX_free)>(EVP_MD_CTX_new(), EVP_MD_CTX_free);
 
     if (!EVP_DigestInit(ctx.get(), EVP_sha256()))
-        throw Exception(ErrorCodes::OPENSSL_ERROR, "SHA256 EVP_DigestInit failed: {}", getOpenSSLErrors());
+        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_DigestInit failed: {}", getOpenSSLErrors());
 
     if (!EVP_DigestUpdate(ctx.get(), text, size))
-        throw Exception(ErrorCodes::OPENSSL_ERROR, "SHA256 EVP_DigestUpdate failed: {}", getOpenSSLErrors());
+        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_DigestUpdate failed: {}", getOpenSSLErrors());
 
     if (!EVP_DigestFinal(ctx.get(), out, nullptr))
-        throw Exception(ErrorCodes::OPENSSL_ERROR, "SHA256 EVP_DigestFinal failed: {}", getOpenSSLErrors());
+        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_DigestFinal failed: {}", getOpenSSLErrors());
 }
 
 std::vector<uint8_t> hmacSHA256(const std::vector<uint8_t> & key, const std::string & data)
@@ -61,31 +61,28 @@ std::vector<uint8_t> hmacSHA256(const std::vector<uint8_t> & key, const std::str
     size_t out_len = 0;
 
     using MacPtr = std::unique_ptr<EVP_MAC, decltype(&EVP_MAC_free)>;
-    using CtxPtr = std::unique_ptr<EVP_MAC_CTX, decltype(&EVP_MAC_CTX_free)>;
-
     MacPtr mac(EVP_MAC_fetch(nullptr, "HMAC", nullptr), &EVP_MAC_free);
     if (!mac)
-        throw Exception(ErrorCodes::OPENSSL_ERROR, "Failed to fetch HMAC algorithm");
+        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_MAC_fetch failed: {}", getOpenSSLErrors());
 
+    using CtxPtr = std::unique_ptr<EVP_MAC_CTX, decltype(&EVP_MAC_CTX_free)>;
     CtxPtr ctx(EVP_MAC_CTX_new(mac.get()), &EVP_MAC_CTX_free);
     if (!ctx)
-        throw Exception(ErrorCodes::OPENSSL_ERROR, "Failed to create HMAC context");
+        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_MAC_CTX_new failed: {}", getOpenSSLErrors());
 
     OSSL_PARAM params[] = {
         OSSL_PARAM_utf8_string("digest", const_cast<char*>("SHA256"), 0),
         OSSL_PARAM_END
     };
 
-    if (EVP_MAC_init(ctx.get(), key.data(), key.size(), params) != 1)
-        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_MAC_init failed");
+    if (!EVP_MAC_init(ctx.get(), key.data(), key.size(), params))
+        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_MAC_init failed: {}", getOpenSSLErrors());
 
-    if (EVP_MAC_update(ctx.get(),
-                       reinterpret_cast<const unsigned char*>(data.data()),
-                       data.size()) != 1)
-        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_MAC_update failed");
+    if (!EVP_MAC_update(ctx.get(), reinterpret_cast<const unsigned char*>(data.data()), data.size()))
+        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_MAC_update failed: {}", getOpenSSLErrors());
 
-    if (EVP_MAC_final(ctx.get(), result.data(), &out_len, result.size()) != 1)
-        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_MAC_final failed");
+    if (!EVP_MAC_final(ctx.get(), result.data(), &out_len, result.size()))
+        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_MAC_final failed: {}", getOpenSSLErrors());
 
     result.resize(out_len);
     return result;
diff --git a/src/Compression/CompressionCodecEncrypted.cpp b/src/Compression/CompressionCodecEncrypted.cpp
@@ -125,62 +125,52 @@ size_t encrypt(std::string_view plaintext, char * ciphertext_and_tag, Encryption
 {
     int out_len;
     int ciphertext_len;
-    EVP_CIPHER_CTX * ctx;
-    EVP_CIPHER * cipher;
 
-    ctx = EVP_CIPHER_CTX_new();
+    using EVP_CIPHER_CTX_ptr = std::unique_ptr<EVP_CIPHER_CTX, decltype(&EVP_CIPHER_CTX_free)>;
+    const auto ctx = EVP_CIPHER_CTX_ptr(EVP_CIPHER_CTX_new(), EVP_CIPHER_CTX_free);
     if (!ctx)
         throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_CIPHER_CTX_new failed: {}", getOpenSSLErrors());
 
-    try
-    {
-        cipher = EVP_CIPHER_fetch(nullptr, getMethod(method), nullptr);
-        if (!cipher)
-            throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_CIPHER_fetch failed: {}", getOpenSSLErrors());
+    using EVP_CIPHER_ptr = std::unique_ptr<EVP_CIPHER, decltype(&EVP_CIPHER_free)>;
+    const auto cipher = EVP_CIPHER_ptr(EVP_CIPHER_fetch(nullptr, getMethod(method), nullptr), EVP_CIPHER_free);
+    if (!cipher)
+        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_CIPHER_fetch failed: {}", getOpenSSLErrors());
 
-        if (!EVP_EncryptInit_ex(ctx, cipher, nullptr, nullptr, nullptr))
-            throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_EncryptInit_ex failed: {}", getOpenSSLErrors());
+    if (!EVP_EncryptInit_ex(ctx.get(), cipher.get(), nullptr, nullptr, nullptr))
+        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_EncryptInit_ex failed: {}", getOpenSSLErrors());
 
-        if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, static_cast<int32_t>(nonce.size()), nullptr))
-            throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_CIPHER_CTX_ctrl failed: {}", getOpenSSLErrors());
+    if (!EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_IVLEN, static_cast<int32_t>(nonce.size()), nullptr))
+        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_CIPHER_CTX_ctrl failed: {}", getOpenSSLErrors());
 
-        if (!EVP_EncryptInit_ex(ctx, nullptr, nullptr,
-                                reinterpret_cast<const uint8_t*>(key.data()),
-                                reinterpret_cast<const uint8_t *>(nonce.data())))
-            throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_EncryptInit_ex failed: {}", getOpenSSLErrors());
+    if (!EVP_EncryptInit_ex(ctx.get(), nullptr, nullptr,
+                            reinterpret_cast<const uint8_t*>(key.data()),
+                            reinterpret_cast<const uint8_t *>(nonce.data())))
+        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_EncryptInit_ex failed: {}", getOpenSSLErrors());
 
-        if (!EVP_EncryptUpdate(ctx,
-                               reinterpret_cast<uint8_t *>(ciphertext_and_tag),
-                               &out_len,
-                               reinterpret_cast<const uint8_t *>(plaintext.data()),
-                               static_cast<int32_t>(plaintext.size())))
-            throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_EncryptUpdate failed: {}", getOpenSSLErrors());
+    if (!EVP_EncryptUpdate(ctx.get(),
+                           reinterpret_cast<uint8_t *>(ciphertext_and_tag),
+                           &out_len,
+                           reinterpret_cast<const uint8_t *>(plaintext.data()),
+                           static_cast<int32_t>(plaintext.size())))
+        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_EncryptUpdate failed: {}", getOpenSSLErrors());
 
-        __msan_unpoison(ciphertext_and_tag, out_len); /// OpenSSL uses assembly which evades msan's analysis
+    __msan_unpoison(ciphertext_and_tag, out_len); /// OpenSSL uses assembly which evades msan's analysis
 
-        ciphertext_len = out_len;
+    ciphertext_len = out_len;
 
-        if (!EVP_EncryptFinal_ex(ctx,
-                                 reinterpret_cast<uint8_t *>(ciphertext_and_tag) + out_len,
-                                 reinterpret_cast<int32_t *>(&out_len)))
-            throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_EncryptFinal_ex failed: {}", getOpenSSLErrors());
+    if (!EVP_EncryptFinal_ex(ctx.get(),
+                             reinterpret_cast<uint8_t *>(ciphertext_and_tag) + out_len,
+                             reinterpret_cast<int32_t *>(&out_len)))
+        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_EncryptFinal_ex failed: {}", getOpenSSLErrors());
 
-        __msan_unpoison(ciphertext_and_tag, out_len); /// OpenSSL uses assembly which evades msan's analysis
+    __msan_unpoison(ciphertext_and_tag, out_len); /// OpenSSL uses assembly which evades msan's analysis
 
-        ciphertext_len += out_len;
+    ciphertext_len += out_len;
+
+    /// Get the tag
+    if (!EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_GET_TAG, tag_size, reinterpret_cast<uint8_t *>(ciphertext_and_tag) + plaintext.size()))
+        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_CIPHER_CTX_ctrl failed: {}", getOpenSSLErrors());
 
-        /// Get the tag
-        if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, tag_size, reinterpret_cast<uint8_t *>(ciphertext_and_tag) + plaintext.size()))
-            throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_CIPHER_CTX_ctrl failed: {}", getOpenSSLErrors());
-    }
-    catch (...)
-    {
-        EVP_CIPHER_free(cipher);
-        EVP_CIPHER_CTX_free(ctx);
-        throw;
-    }
-    EVP_CIPHER_free(cipher);
-    EVP_CIPHER_CTX_free(ctx);
     return ciphertext_len + tag_size;
 }
 
@@ -192,62 +182,51 @@ size_t decrypt(std::string_view ciphertext, char * plaintext, EncryptionMethod m
 {
     int out_len;
     int plaintext_len;
-    EVP_CIPHER_CTX * ctx;
-    EVP_CIPHER * cipher;
 
-    ctx = EVP_CIPHER_CTX_new();
+    using EVP_CIPHER_CTX_ptr = std::unique_ptr<EVP_CIPHER_CTX, decltype(&EVP_CIPHER_CTX_free)>;
+    const auto ctx = EVP_CIPHER_CTX_ptr(EVP_CIPHER_CTX_new(), EVP_CIPHER_CTX_free);
     if (!ctx)
         throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_CIPHER_CTX_new failed: {}", getOpenSSLErrors());
 
-    try
-    {
-        cipher = EVP_CIPHER_fetch(nullptr, getMethod(method), nullptr);
-        if (!cipher)
-            throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_CIPHER_fetch failed: {}", getOpenSSLErrors());
+    using EVP_CIPHER_ptr = std::unique_ptr<EVP_CIPHER, decltype(&EVP_CIPHER_free)>;
+    const auto cipher = EVP_CIPHER_ptr(EVP_CIPHER_fetch(nullptr, getMethod(method), nullptr), EVP_CIPHER_free);
+    if (!cipher)
+        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_CIPHER_fetch failed: {}", getOpenSSLErrors());
 
-        if (!EVP_DecryptInit_ex(ctx, cipher, nullptr, nullptr, nullptr))
-            throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_DecryptInit_ex failed: {}", getOpenSSLErrors());
+    if (!EVP_DecryptInit_ex(ctx.get(), cipher.get(), nullptr, nullptr, nullptr))
+        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_DecryptInit_ex failed: {}", getOpenSSLErrors());
 
-        if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, static_cast<int32_t>(nonce.size()), nullptr))
-            throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_CIPHER_CTX_ctrl failed: {}", getOpenSSLErrors());
+    if (!EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_IVLEN, static_cast<int32_t>(nonce.size()), nullptr))
+        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_CIPHER_CTX_ctrl failed: {}", getOpenSSLErrors());
 
-        if (!EVP_DecryptInit_ex(ctx, nullptr, nullptr,
-                                reinterpret_cast<const uint8_t*>(key.data()),
-                                reinterpret_cast<const uint8_t *>(nonce.data())))
-            throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_DecryptInit_ex failed: {}", getOpenSSLErrors());
+    if (!EVP_DecryptInit_ex(ctx.get(), nullptr, nullptr,
+                            reinterpret_cast<const uint8_t*>(key.data()),
+                            reinterpret_cast<const uint8_t *>(nonce.data())))
+        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_DecryptInit_ex failed: {}", getOpenSSLErrors());
 
-        if (!EVP_CIPHER_CTX_ctrl(ctx,
-                                 EVP_CTRL_GCM_SET_TAG,
-                                 tag_size,
-                                 reinterpret_cast<uint8_t *>(const_cast<char *>(ciphertext.data())) + ciphertext.size() - tag_size))
-            throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_CIPHER_CTX_ctrl failed: {}", getOpenSSLErrors());
+    if (!EVP_CIPHER_CTX_ctrl(ctx.get(),
+                             EVP_CTRL_GCM_SET_TAG,
+                             tag_size,
+                             reinterpret_cast<uint8_t *>(const_cast<char *>(ciphertext.data())) + ciphertext.size() - tag_size))
+        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_CIPHER_CTX_ctrl failed: {}", getOpenSSLErrors());
 
-        if (!EVP_DecryptUpdate(ctx,
-                               reinterpret_cast<uint8_t *>(plaintext),
-                               reinterpret_cast<int32_t *>(&out_len),
-                               reinterpret_cast<const uint8_t *>(ciphertext.data()),
-                               static_cast<int32_t>(ciphertext.size()) - tag_size))
-            throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_DecryptUpdate failed: {}", getOpenSSLErrors());
+    if (!EVP_DecryptUpdate(ctx.get(),
+                           reinterpret_cast<uint8_t *>(plaintext),
+                           reinterpret_cast<int32_t *>(&out_len),
+                           reinterpret_cast<const uint8_t *>(ciphertext.data()),
+                           static_cast<int32_t>(ciphertext.size()) - tag_size))
+        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_DecryptUpdate failed: {}", getOpenSSLErrors());
 
-        __msan_unpoison(plaintext, out_len); /// OpenSSL uses assembly which evades msan's analysis
+    __msan_unpoison(plaintext, out_len); /// OpenSSL uses assembly which evades msan's analysis
 
-        plaintext_len = out_len;
+    plaintext_len = out_len;
 
-        if (!EVP_DecryptFinal_ex(ctx,
-                                 reinterpret_cast<uint8_t *>(plaintext) + out_len,
-                                 reinterpret_cast<int32_t *>(&out_len)))
-            throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_DecryptFinal_ex failed: {}", getOpenSSLErrors());
+    if (!EVP_DecryptFinal_ex(ctx.get(),
+                             reinterpret_cast<uint8_t *>(plaintext) + out_len,
+                             reinterpret_cast<int32_t *>(&out_len)))
+        throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_DecryptFinal_ex failed: {}", getOpenSSLErrors());
 
-        __msan_unpoison(plaintext, out_len); /// OpenSSL uses assembly which evades msan's analysis
-    }
-    catch (...)
-    {
-        EVP_CIPHER_free(cipher);
-        EVP_CIPHER_CTX_free(ctx);
-        throw;
-    }
-    EVP_CIPHER_free(cipher);
-    EVP_CIPHER_CTX_free(ctx);
+    __msan_unpoison(plaintext, out_len); /// OpenSSL uses assembly which evades msan's analysis
 
     return plaintext_len + out_len;
 }
diff --git a/src/Functions/FunctionsAES.h b/src/Functions/FunctionsAES.h
@@ -376,8 +376,7 @@ class FunctionEncrypt : public IFunction
                 encrypted += output_len;
 
                 // 3: retrieve encrypted data (ciphertext)
-                if (!EVP_EncryptFinal_ex(evp_ctx,
-                        reinterpret_cast<unsigned char*>(encrypted), &output_len))
+                if (!EVP_EncryptFinal_ex(evp_ctx, reinterpret_cast<unsigned char*>(encrypted), &output_len))
                     onError("EVP_EncryptFinal_ex");
                 __msan_unpoison(encrypted, output_len); /// OpenSSL uses assembly which evades msan's analysis
                 encrypted += output_len;
@@ -693,8 +692,7 @@ class FunctionDecrypt : public IFunction
                     }
 
                     // 4: retrieve encrypted data (ciphertext)
-                    if (!decrypt_fail && !EVP_DecryptFinal_ex(evp_ctx,
-                            reinterpret_cast<unsigned char*>(decrypted), &output_len))
+                    if (!decrypt_fail && !EVP_DecryptFinal_ex(evp_ctx, reinterpret_cast<unsigned char*>(decrypted), &output_len))
                     {
                         if constexpr (!use_null_when_decrypt_fail)
                             onError("EVP_DecryptFinal_ex");
diff --git a/src/IO/FileEncryptionCommon.cpp b/src/IO/FileEncryptionCommon.cpp
@@ -143,8 +143,7 @@ namespace
     {
         uint8_t ciphertext[kBlockSize];
         int ciphertext_size = 0;
-        if (!EVP_EncryptFinal_ex(evp_ctx,
-                                 ciphertext, &ciphertext_size))
+        if (!EVP_EncryptFinal_ex(evp_ctx, ciphertext, &ciphertext_size))
             throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_EncryptFinal_ex: {}", getOpenSSLErrors());
         __msan_unpoison(ciphertext, ciphertext_size); /// OpenSSL uses assembly which evades msans analysis
         if (ciphertext_size)
@@ -302,7 +301,7 @@ void Encryptor::encrypt(const char * data, size_t size, WriteBuffer & out)
 
     if (!EVP_EncryptInit_ex(evp_ctx, nullptr, nullptr,
                             reinterpret_cast<const uint8_t*>(key.c_str()), reinterpret_cast<const uint8_t*>(current_iv.c_str())))
-        throw Exception(DB::ErrorCodes::OPENSSL_ERROR, "!EVP_EncryptInit_ex failed: {}", getOpenSSLErrors());
+        throw Exception(DB::ErrorCodes::OPENSSL_ERROR, "EVP_EncryptInit_ex failed: {}", getOpenSSLErrors());
 
     size_t in_size = 0;
     size_t out_size = 0;
diff --git a/tests/queries/0_stateless/00002_log_and_exception_messages_formatting.sql b/tests/queries/0_stateless/00002_log_and_exception_messages_formatting.sql
@@ -1,8 +1,9 @@
 -- Tags: no-parallel, no-fasttest, no-ubsan, no-batch, no-flaky-check
 -- no-parallel because we want to run this test when most of the other tests already passed
--- This is not a regular test. It is intended to run once after other tests to validate certain statistics about the whole test runs.
 
+-- This is not a regular test. It is intended to run once after other tests to validate certain statistics about the whole test runs.
 -- TODO: I advise to put in inside clickhouse-test instead.
+
 -- If this test fails, see the "Top patterns of log messages" diagnostics in the end of run.log
 
 system flush logs text_log;
