Merge pull request ClickHouse#78520 from ClickHouse/openssl-modernize-functions-hashing

Modernize OpenSSL usage in hash functions

Author: thevar1able

base/poco/Crypto/include/Poco/Crypto/OpenSSLInitializer.h

@@ -19,6 +19,7 @@
 
 
 #include <openssl/crypto.h>
+#include <openssl/provider.h>
 #include "Poco/AtomicCounter.h"
 #include "Poco/Crypto/Crypto.h"
 #include "Poco/Mutex.h"
@@ -83,6 +84,8 @@ namespace Crypto
     private:
         static Poco::FastMutex * _mutexes;
         static Poco::AtomicCounter _rc;
+
+        static OSSL_PROVIDER * legacy_provider;
     };
 
 

base/poco/Crypto/src/OpenSSLInitializer.cpp

@@ -19,6 +19,7 @@
 #include <openssl/rand.h>
 #include <openssl/crypto.h>
 #include <openssl/err.h>
+#include <openssl/provider.h>
 #if OPENSSL_VERSION_NUMBER >= 0x0907000L
 #include <openssl/conf.h>
 #endif
@@ -36,6 +37,7 @@ namespace Crypto {
 
 Poco::FastMutex* OpenSSLInitializer::_mutexes(0);
 Poco::AtomicCounter OpenSSLInitializer::_rc;
+OSSL_PROVIDER * OpenSSLInitializer::legacy_provider;
 
 
 OpenSSLInitializer::OpenSSLInitializer()
@@ -67,21 +69,25 @@ void OpenSSLInitializer::initialize()
 		SSL_library_init();
 		SSL_load_error_strings();
 		OpenSSL_add_all_algorithms();
-		
+
 		char seed[SEEDSIZE];
 		RandomInputStream rnd;
 		rnd.read(seed, sizeof(seed));
 		RAND_seed(seed, SEEDSIZE);
-		
+
+        legacy_provider = OSSL_PROVIDER_load(NULL, "legacy");
+        if (!legacy_provider)
+            throw std::runtime_error("Failed to load OpenSSL legacy provider");
+
 		int nMutexes = CRYPTO_num_locks();
 		_mutexes = new Poco::FastMutex[nMutexes];
 		CRYPTO_set_locking_callback(&OpenSSLInitializer::lock);
 // Not needed on Windows (see SF #110: random unhandled exceptions when linking with ssl).
 // https://sourceforge.net/p/poco/bugs/110/
 //
 // From http://www.openssl.org/docs/crypto/threads.html :
-// "If the application does not register such a callback using CRYPTO_THREADID_set_callback(), 
-//  then a default implementation is used - on Windows and BeOS this uses the system's 
+// "If the application does not register such a callback using CRYPTO_THREADID_set_callback(),
+//  then a default implementation is used - on Windows and BeOS this uses the system's
 //  default thread identifying APIs"
 		CRYPTO_set_id_callback(&OpenSSLInitializer::id);
 		CRYPTO_set_dynlock_create_callback(&OpenSSLInitializer::dynlockCreate);
@@ -100,7 +106,8 @@ void OpenSSLInitializer::uninitialize()
 		CRYPTO_set_locking_callback(0);
 		CRYPTO_set_id_callback(0);
 		delete [] _mutexes;
-		
+
+        OSSL_PROVIDER_unload(legacy_provider);
 		CONF_modules_free();
 	}
 }

contrib/openssl-cmake/CMakeLists.txt

@@ -1171,6 +1171,7 @@ if(NOT ENABLE_OPENSSL_DYNAMIC)
     set(CRYPTO_SRC ${CRYPTO_SRC}
         ${OPENSSL_SOURCE_DIR}/providers/fips/fips_entry.c
         ${OPENSSL_SOURCE_DIR}/providers/fips/fipsprov.c
+        ${OPENSSL_SOURCE_DIR}/providers/legacyprov.c
     )
 endif()
 
@@ -1453,10 +1454,15 @@ if(ENABLE_OPENSSL_DYNAMIC)
     set_target_properties(ssl PROPERTIES VERSION "${LIB_VERSION}" SOVERSION "${LIB_SOVERSION}")
     set_target_properties(ssl PROPERTIES LIBRARY_OUTPUT_DIRECTORY ${PROJECT_BINARY_DIR}/programs)
 else()
+    # Enable legacy crypto support for OpenSSL 3.+
+    # to avoid `dlopen(legacy.so)`.
+    add_definitions(-DSTATIC_LEGACY)
+
     add_library(crypto ${CRYPTO_SRC})
     add_library(ssl ${SSL_SRC})
 endif()
 
+
 target_include_directories(crypto
     SYSTEM PUBLIC "${PLATFORM_DIRECTORY}/include"
     PRIVATE "${PLATFORM_DIRECTORY}/include_private")

src/Functions/FunctionsHashing.h

@@ -19,7 +19,7 @@
 #include <Common/HashTable/Hash.h>
 
 #if USE_SSL
-#    include <openssl/md5.h>
+#    include <openssl/evp.h>
 #endif
 
 #include <bit>
@@ -62,6 +62,7 @@ namespace ErrorCodes
     extern const int NUMBER_OF_ARGUMENTS_DOESNT_MATCH;
     extern const int NOT_IMPLEMENTED;
     extern const int ILLEGAL_COLUMN;
+    extern const int OPENSSL_ERROR;
 }
 
 namespace impl
@@ -245,12 +246,22 @@ struct HalfMD5Impl
             uint64_t uint64_data;
         } buf;
 
-        MD5_CTX ctx;
-        MD5_Init(&ctx);
-        MD5_Update(&ctx, reinterpret_cast<const unsigned char *>(begin), size);
-        MD5_Final(buf.char_data, &ctx);
+        using EVP_MD_CTX_ptr = std::unique_ptr<EVP_MD_CTX, decltype(&EVP_MD_CTX_free)>;
+        const auto ctx = EVP_MD_CTX_ptr(EVP_MD_CTX_new(), EVP_MD_CTX_free);
 
-        /// Compatibility with existing code. Cast need for old poco AND macos where UInt64 != uint64_t
+        if (!ctx)
+            throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_MD_CTX_new failed");
+
+        if (!EVP_DigestInit_ex(ctx.get(), EVP_md5(), nullptr))
+            throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_DigestInit_ex failed");
+
+        if (!EVP_DigestUpdate(ctx.get(), begin, size))
+            throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_DigestUpdate failed");
+
+        if (!EVP_DigestFinal_ex(ctx.get(), buf.char_data, nullptr))
+            throw Exception(ErrorCodes::OPENSSL_ERROR, "EVP_DigestFinal_ex failed");
+
+        /// Compatibility with existing code. Cast is necessary for old poco AND macos where UInt64 != uint64_t
         transformEndianness<std::endian::big>(buf.uint64_data);
         return buf.uint64_data;
     }