Merge pull request #121 from carlopi/bump_n_patch

Bump duckdb and apply patches

Author: carlopi

.github/workflows/MainDistributionPipeline.yml

@@ -17,7 +17,7 @@ jobs:
     uses: duckdb/extension-ci-tools/.github/workflows/_extension_distribution.yml@main
     with:
       extension_name: httpfs
-      duckdb_version: main
+      duckdb_version: v1.4-andium
       ci_tools_version: main
 
 
@@ -28,6 +28,6 @@ jobs:
     secrets: inherit
     with:
       extension_name: httpfs
-      duckdb_version: main
+      duckdb_version: v1.4-andium
       ci_tools_version: main
       deploy_latest: ${{ startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' }}

duckdb

@@ -23,9 +23,9 @@
 
 namespace duckdb {
 
-AESStateSSL::AESStateSSL(EncryptionTypes::CipherType  cipher_p, const std::string *key) : EncryptionState(cipher_p), context(EVP_CIPHER_CTX_new()), cipher(cipher_p) {
+AESStateSSL::AESStateSSL(EncryptionTypes::CipherType  cipher_p, idx_t key_len) : EncryptionState(cipher_p, key_len), context(EVP_CIPHER_CTX_new()) {
 	if (!(context)) {
-		throw InternalException("AES GCM failed with initializing context");
+		throw InternalException("OpenSSL AES failed with initializing context");
 	}
 }
 
@@ -46,7 +46,7 @@ const EVP_CIPHER *AESStateSSL::GetCipher(idx_t key_len) {
 		case 32:
 			return EVP_aes_256_gcm();
 		default:
-			throw InternalException("Invalid AES key length");
+			throw InternalException("Invalid AES key length for GCM");
 		}
 	}
 	case EncryptionTypes::CTR: {
@@ -58,7 +58,7 @@ const EVP_CIPHER *AESStateSSL::GetCipher(idx_t key_len) {
 		case 32:
 			return EVP_aes_256_ctr();
 		default:
-			throw InternalException("Invalid AES key length");
+			throw InternalException("Invalid AES key length for CTR");
 		}
 	}
 	case EncryptionTypes::CBC: {
@@ -70,11 +70,11 @@ const EVP_CIPHER *AESStateSSL::GetCipher(idx_t key_len) {
 		case 32:
 			return EVP_aes_256_cbc();
 		default:
-			throw InternalException("Invalid AES key length");
+			throw InternalException("Invalid AES key length for CBC");
 		}
 	}
 	default:
-		throw duckdb::InternalException("Invalid Encryption/Decryption Cipher: %d", static_cast<int>(cipher));
+		throw InternalException("Invalid Encryption/Decryption Cipher: %d", static_cast<int>(cipher));
 	}
 }
 
@@ -83,11 +83,21 @@ void AESStateSSL::GenerateRandomData(data_ptr_t data, idx_t len) {
 	RAND_bytes(data, len);
 }
 
-void AESStateSSL::InitializeEncryption(const_data_ptr_t iv, idx_t iv_len, const_data_ptr_t key, idx_t key_len, const_data_ptr_t aad, idx_t aad_len) {
+void AESStateSSL::InitializeEncryption(const_data_ptr_t iv, idx_t iv_len, const_data_ptr_t key, idx_t key_len_p, const_data_ptr_t aad, idx_t aad_len) {
 	mode = EncryptionTypes::ENCRYPT;
 
-	if (1 != EVP_EncryptInit_ex(context, GetCipher(key_len), NULL, key, iv)) {
-		throw InternalException("EncryptInit failed");
+	if (key_len_p != key_len) {
+		throw InternalException("Invalid encryption key length, expected %llu, got %llu", key_len, key_len_p);
+	}
+	if (1 != EVP_EncryptInit_ex(context, GetCipher(key_len), NULL, NULL, NULL)) {
+		throw InternalException("EncryptInit failed (attempt 1)");
+	}
+	if (1 != EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_GCM_SET_IVLEN, iv_len, NULL)) {
+		throw InternalException("EVP_CIPHER_CTX_ctrl failed (EVP_CTRL_GCM_SET_IVLEN)");
+	}
+
+	if (1 != EVP_EncryptInit_ex(context, NULL, NULL, key, iv)) {
+		throw InternalException("EncryptInit failed (attempt 2)");
 	}
 
 	int len;
@@ -98,13 +108,23 @@ void AESStateSSL::InitializeEncryption(const_data_ptr_t iv, idx_t iv_len, const_
 	}
 }
 
-void AESStateSSL::InitializeDecryption(const_data_ptr_t iv, idx_t iv_len, const_data_ptr_t key, idx_t key_len, const_data_ptr_t aad, idx_t aad_len) {
+void AESStateSSL::InitializeDecryption(const_data_ptr_t iv, idx_t iv_len, const_data_ptr_t key, idx_t key_len_p, const_data_ptr_t aad, idx_t aad_len) {
 	mode = EncryptionTypes::DECRYPT;
-
-	if (1 != EVP_DecryptInit_ex(context, GetCipher(key_len), NULL, key, iv)) {
-		throw InternalException("DecryptInit failed");
+	if (key_len_p != key_len) {
+		throw InternalException("Invalid encryption key length, expected %llu, got %llu", key_len, key_len_p);
+	}
+	if (1 != EVP_DecryptInit_ex(context, GetCipher(key_len), NULL, NULL, NULL)) {
+		throw InternalException("EVP_DecryptInit_ex failed to set cipher");
+	}
+	// we use a bigger IV for GCM
+	if (cipher == EncryptionTypes::GCM) {
+		if (1 != EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_GCM_SET_IVLEN, iv_len, NULL)) {
+			throw InternalException("EVP_CIPHER_CTX_ctrl failed to set GCM iv len");
+		}
+	}
+	if (1 != EVP_DecryptInit_ex(context, NULL, NULL, key, iv)) {
+		throw InternalException("EVP_DecryptInit_ex failed to set iv/key");
 	}
-
 	int len;
 	if (aad_len > 0){
 		if (!EVP_DecryptUpdate(context, NULL, &len, aad, aad_len)) {
@@ -114,7 +134,6 @@ void AESStateSSL::InitializeDecryption(const_data_ptr_t iv, idx_t iv_len, const_
 }
 
 size_t AESStateSSL::Process(const_data_ptr_t in, idx_t in_len, data_ptr_t out, idx_t out_len) {
-
 	switch (mode) {
 	case EncryptionTypes::ENCRYPT:
 		if (1 != EVP_EncryptUpdate(context, data_ptr_cast(out), reinterpret_cast<int *>(&out_len),
@@ -135,7 +154,6 @@ size_t AESStateSSL::Process(const_data_ptr_t in, idx_t in_len, data_ptr_t out, i
 	if (out_len != in_len) {
 		throw InternalException("AES GCM failed, in- and output lengths differ");
 	}
-
 	return out_len;
 }
 
@@ -189,15 +207,13 @@ size_t AESStateSSL::Finalize(data_ptr_t out, idx_t out_len, data_ptr_t tag, idx_
 		if (1 != EVP_EncryptFinal_ex(context, data_ptr_cast(out) + out_len, reinterpret_cast<int *>(&out_len))) {
 			throw InternalException("EncryptFinal failed");
 		}
-
 		return text_len += out_len;
 	}
 
 	case EncryptionTypes::DECRYPT: {
 		// EVP_DecryptFinal() will return an error code if final block is not correctly formatted.
 		int ret = EVP_DecryptFinal_ex(context, data_ptr_cast(out) + out_len, reinterpret_cast<int *>(&out_len));
 		text_len += out_len;
-
 		if (ret > 0) {
 			// success
 			return text_len;

extension/httpfs/crypto.cpp

@@ -22,10 +22,10 @@ void hmac256(std::string message, hash_bytes secret, hash_bytes &out);
 
 void hex256(hash_bytes &in, hash_str &out);
 
-class DUCKDB_EXTENSION_API AESStateSSL : public duckdb::EncryptionState {
+class DUCKDB_EXTENSION_API AESStateSSL : public EncryptionState {
 
 public:
-	explicit AESStateSSL(duckdb::EncryptionTypes::CipherType cipher_p, const std::string *key = nullptr);
+	explicit AESStateSSL(EncryptionTypes::CipherType cipher_p, idx_t key_len_p);
 	~AESStateSSL() override;
 
 public:
@@ -40,8 +40,7 @@ class DUCKDB_EXTENSION_API AESStateSSL : public duckdb::EncryptionState {
 
 private:
 	EVP_CIPHER_CTX *context;
-	duckdb::EncryptionTypes::Mode mode;
-	duckdb::EncryptionTypes::CipherType cipher;
+	EncryptionTypes::Mode mode;
 };
 
 } // namespace duckdb
@@ -53,8 +52,8 @@ class DUCKDB_EXTENSION_API AESStateSSLFactory : public duckdb::EncryptionUtil {
 	explicit AESStateSSLFactory() {
 	}
 
-	duckdb::shared_ptr<duckdb::EncryptionState> CreateEncryptionState(duckdb::EncryptionTypes::CipherType cipher_p, duckdb::const_data_ptr_t key = nullptr, duckdb::idx_t key_len = 0) const override {
-		return duckdb::make_shared_ptr<duckdb::AESStateSSL>(cipher_p);
+	duckdb::shared_ptr<duckdb::EncryptionState> CreateEncryptionState(duckdb::EncryptionTypes::CipherType cipher_p, duckdb::idx_t key_len_p) const override {
+		return duckdb::make_shared_ptr<duckdb::AESStateSSL>(cipher_p, key_len_p);
 	}
 
 	~AESStateSSLFactory() override {