From 714e47993056de3db0d474a98e79d78dc05bdb2f Mon Sep 17 00:00:00 2001 From: Mikhail Koviazin Date: Fri, 3 Apr 2026 15:43:34 +0200 Subject: [PATCH 1/3] shim: fix a memory leak in BIO_do_handshake in SSL_set_bio, if `rbio == wbio`, there's an internal `BIO_up_ref` call by the function [1]. Doing it manually creates a memory leak. Let's fix it. [1] https://github.com/aws/aws-lc/blob/AWS-LC-FIPS-2.0.0/ssl/ssl_lib.cc#L748 --- contrib/openssl-cmake/include/evp_API_shim.h | 1 - 1 file changed, 1 deletion(-) diff --git a/contrib/openssl-cmake/include/evp_API_shim.h b/contrib/openssl-cmake/include/evp_API_shim.h index 9ed3f40c3baa..76410c43c30c 100644 --- a/contrib/openssl-cmake/include/evp_API_shim.h +++ b/contrib/openssl-cmake/include/evp_API_shim.h @@ -124,7 +124,6 @@ static inline int BIO_do_handshake(BIO *b) { if (!ssl) return 0; if (!SSL_get_rbio(ssl) && BIO_next(b)) { - BIO_up_ref(BIO_next(b)); BIO_up_ref(BIO_next(b)); SSL_set_bio(ssl, BIO_next(b), BIO_next(b)); } From 76d9efa0815bc0b1e16c14374c5ce1ddcb75d517 Mon Sep 17 00:00:00 2001 From: Mikhail Koviazin Date: Fri, 3 Apr 2026 15:47:30 +0200 Subject: [PATCH 2/3] CompressionCodecEncrypted: fix the non-fips build Non-fips build uses `*_SIV` algorithms, so let's reflect it in `registerCodecEncrypted` as well. --- src/Compression/CompressionCodecEncrypted.cpp | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/Compression/CompressionCodecEncrypted.cpp b/src/Compression/CompressionCodecEncrypted.cpp index e2f4b93747c8..84cb623e7380 100644 --- a/src/Compression/CompressionCodecEncrypted.cpp +++ b/src/Compression/CompressionCodecEncrypted.cpp @@ -683,7 +683,12 @@ namespace DB /// Register codecs for all algorithms void registerCodecEncrypted(CompressionCodecFactory & factory) { +#if defined(FIPS_CLICKHOUSE) && FIPS_CLICKHOUSE registerEncryptionCodec(factory, AES_128_GCM); registerEncryptionCodec(factory, AES_256_GCM); +#else + registerEncryptionCodec(factory, AES_128_GCM_SIV); + registerEncryptionCodec(factory, AES_256_GCM_SIV); +#endif } } From 80cbce6ea4791333849567e380ae7236853b7c94 Mon Sep 17 00:00:00 2001 From: Mikhail Koviazin Date: Fri, 3 Apr 2026 15:48:56 +0200 Subject: [PATCH 3/3] Compression: fix the copy-paste error in fuzzer on fips build, `*_SIV` are not defined. Let's fix it. --- src/Compression/fuzzers/encrypted_decompress_fuzzer.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Compression/fuzzers/encrypted_decompress_fuzzer.cpp b/src/Compression/fuzzers/encrypted_decompress_fuzzer.cpp index 4566daf800c6..f8027a6dfe7d 100644 --- a/src/Compression/fuzzers/encrypted_decompress_fuzzer.cpp +++ b/src/Compression/fuzzers/encrypted_decompress_fuzzer.cpp @@ -309,8 +309,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t * data, size_t size) auto config = generator.getResult(); #if defined(FIPS_CLICKHOUSE) && FIPS_CLICKHOUSE - auto codec_128 = getCompressionCodecEncrypted(DB::AES_128_GCM_SIV); - auto codec_256 = getCompressionCodecEncrypted(DB::AES_256_GCM_SIV); + auto codec_128 = getCompressionCodecEncrypted(DB::AES_128_GCM); + auto codec_256 = getCompressionCodecEncrypted(DB::AES_256_GCM); #else auto codec_128 = getCompressionCodecEncrypted(DB::AES_128_GCM_SIV); auto codec_256 = getCompressionCodecEncrypted(DB::AES_256_GCM_SIV);