From ec1e0bde6bf1b2a9cba78c1285ad2d64d0924b32 Mon Sep 17 00:00:00 2001
From: bkuschel <Boris.Kuschel@ibm.com>
Date: Mon, 23 Jan 2023 11:15:50 -0500
Subject: [PATCH 1/4] Update krb5

---
 contrib/krb5 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/krb5 b/contrib/krb5
index b89e20367b0..f8262a1b548 160000
--- a/contrib/krb5
+++ b/contrib/krb5
@@ -1 +1 @@
-Subproject commit b89e20367b074bd02dd118a6534099b21e88b3c3
+Subproject commit f8262a1b548eb29d97e059260042036255d07f8d

From d6d2414ef8d1166379aa0746eba2c85deb3257a8 Mon Sep 17 00:00:00 2001
From: bkuschel <Boris.Kuschel@ibm.com>
Date: Mon, 23 Jan 2023 11:40:55 -0500
Subject: [PATCH 2/4] Remove aes.c and use the one krb5

---
 contrib/krb5-cmake/CMakeLists.txt |   6 -
 contrib/krb5-cmake/aes.c          | 302 ------------------------------
 2 files changed, 308 deletions(-)
 delete mode 100644 contrib/krb5-cmake/aes.c

diff --git a/contrib/krb5-cmake/CMakeLists.txt b/contrib/krb5-cmake/CMakeLists.txt
index 7e184d424aa..214d23bc2a9 100644
--- a/contrib/krb5-cmake/CMakeLists.txt
+++ b/contrib/krb5-cmake/CMakeLists.txt
@@ -578,12 +578,6 @@ if(CMAKE_SYSTEM_NAME MATCHES "Darwin")
     list(APPEND ALL_SRCS "${CMAKE_CURRENT_BINARY_DIR}/include_private/kcmrpc.c")
 endif()
 
-if (ENABLE_OPENSSL OR ENABLE_OPENSSL_DYNAMIC)
-    list(REMOVE_ITEM ALL_SRCS "${KRB5_SOURCE_DIR}/lib/crypto/openssl/enc_provider/aes.c")
-    list(APPEND ALL_SRCS "${CMAKE_CURRENT_SOURCE_DIR}/aes.c")
-endif ()
-
-
 target_sources(_krb5 PRIVATE
     ${ALL_SRCS}
 )
diff --git a/contrib/krb5-cmake/aes.c b/contrib/krb5-cmake/aes.c
deleted file mode 100644
index c0c8c728bff..00000000000
--- a/contrib/krb5-cmake/aes.c
+++ /dev/null
@@ -1,302 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* lib/crypto/openssl/enc_provider/aes.c */
-/*
- * Copyright (C) 2003, 2007, 2008, 2009 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- *   require a specific license from the United States Government.
- *   It is the responsibility of any person or organization contemplating
- *   export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission.  Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose.  It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "crypto_int.h"
-#include <openssl/evp.h>
-#include <openssl/aes.h>
-
-/* proto's */
-static krb5_error_code
-cbc_enc(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
-        size_t num_data);
-static krb5_error_code
-cbc_decr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
-         size_t num_data);
-static krb5_error_code
-cts_encr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
-         size_t num_data, size_t dlen);
-static krb5_error_code
-cts_decr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
-         size_t num_data, size_t dlen);
-
-#define BLOCK_SIZE 16
-#define NUM_BITS 8
-#define IV_CTS_BUF_SIZE 16 /* 16 - hardcoded in CRYPTO_cts128_en/decrypt */
-
-static const EVP_CIPHER *
-map_mode(unsigned int len)
-{
-    if (len==16)
-        return EVP_aes_128_cbc();
-    if (len==32)
-        return EVP_aes_256_cbc();
-    else
-        return NULL;
-}
-
-/* Encrypt one block using CBC. */
-static krb5_error_code
-cbc_enc(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
-        size_t num_data)
-{
-    int             ret, olen = BLOCK_SIZE;
-    unsigned char   iblock[BLOCK_SIZE], oblock[BLOCK_SIZE];
-    EVP_CIPHER_CTX  *ctx;
-    struct iov_cursor cursor;
-
-    ctx = EVP_CIPHER_CTX_new();
-    if (ctx == NULL)
-        return ENOMEM;
-
-    ret = EVP_EncryptInit_ex(ctx, map_mode(key->keyblock.length),
-                             NULL, key->keyblock.contents, (ivec) ? (unsigned char*)ivec->data : NULL);
-    if (ret == 0) {
-        EVP_CIPHER_CTX_free(ctx);
-        return KRB5_CRYPTO_INTERNAL;
-    }
-
-    k5_iov_cursor_init(&cursor, data, num_data, BLOCK_SIZE, FALSE);
-    k5_iov_cursor_get(&cursor, iblock);
-    EVP_CIPHER_CTX_set_padding(ctx,0);
-    ret = EVP_EncryptUpdate(ctx, oblock, &olen, iblock, BLOCK_SIZE);
-    if (ret == 1)
-        k5_iov_cursor_put(&cursor, oblock);
-    EVP_CIPHER_CTX_free(ctx);
-
-    zap(iblock, BLOCK_SIZE);
-    zap(oblock, BLOCK_SIZE);
-    return (ret == 1) ? 0 : KRB5_CRYPTO_INTERNAL;
-}
-
-/* Decrypt one block using CBC. */
-static krb5_error_code
-cbc_decr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
-         size_t num_data)
-{
-    int              ret = 0, olen = BLOCK_SIZE;
-    unsigned char    iblock[BLOCK_SIZE], oblock[BLOCK_SIZE];
-    EVP_CIPHER_CTX   *ctx;
-    struct iov_cursor cursor;
-
-    ctx = EVP_CIPHER_CTX_new();
-    if (ctx == NULL)
-        return ENOMEM;
-
-    ret = EVP_DecryptInit_ex(ctx, map_mode(key->keyblock.length),
-                             NULL, key->keyblock.contents, (ivec) ? (unsigned char*)ivec->data : NULL);
-    if (ret == 0) {
-        EVP_CIPHER_CTX_free(ctx);
-        return KRB5_CRYPTO_INTERNAL;
-    }
-
-    k5_iov_cursor_init(&cursor, data, num_data, BLOCK_SIZE, FALSE);
-    k5_iov_cursor_get(&cursor, iblock);
-    EVP_CIPHER_CTX_set_padding(ctx,0);
-    ret = EVP_DecryptUpdate(ctx, oblock, &olen, iblock, BLOCK_SIZE);
-    if (ret == 1)
-        k5_iov_cursor_put(&cursor, oblock);
-    EVP_CIPHER_CTX_free(ctx);
-
-    zap(iblock, BLOCK_SIZE);
-    zap(oblock, BLOCK_SIZE);
-    return (ret == 1) ? 0 : KRB5_CRYPTO_INTERNAL;
-}
-
-static krb5_error_code
-cts_encr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
-         size_t num_data, size_t dlen)
-{
-    int                    ret = 0;
-    size_t                 size = 0;
-    unsigned char         *oblock = NULL, *dbuf = NULL;
-    unsigned char          iv_cts[IV_CTS_BUF_SIZE];
-    struct iov_cursor      cursor;
-    AES_KEY                enck;
-
-    memset(iv_cts,0,sizeof(iv_cts));
-    if (ivec && ivec->data){
-        if (ivec->length != sizeof(iv_cts))
-            return KRB5_CRYPTO_INTERNAL;
-        memcpy(iv_cts, ivec->data,ivec->length);
-    }
-
-    oblock = OPENSSL_malloc(dlen);
-    if (!oblock){
-        return ENOMEM;
-    }
-    dbuf = OPENSSL_malloc(dlen);
-    if (!dbuf){
-        OPENSSL_free(oblock);
-        return ENOMEM;
-    }
-
-    k5_iov_cursor_init(&cursor, data, num_data, dlen, FALSE);
-    k5_iov_cursor_get(&cursor, dbuf);
-
-    AES_set_encrypt_key(key->keyblock.contents,
-                        NUM_BITS * key->keyblock.length, &enck);
-
-    size = CRYPTO_cts128_encrypt((unsigned char *)dbuf, oblock, dlen, &enck,
-                                 iv_cts, AES_cbc_encrypt);
-    if (size <= 0)
-        ret = KRB5_CRYPTO_INTERNAL;
-    else
-        k5_iov_cursor_put(&cursor, oblock);
-
-    if (!ret && ivec && ivec->data)
-        memcpy(ivec->data, iv_cts, sizeof(iv_cts));
-
-    zap(oblock, dlen);
-    zap(dbuf, dlen);
-    OPENSSL_free(oblock);
-    OPENSSL_free(dbuf);
-
-    return ret;
-}
-
-static krb5_error_code
-cts_decr(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
-         size_t num_data, size_t dlen)
-{
-    int                    ret = 0;
-    size_t                 size = 0;
-    unsigned char         *oblock = NULL;
-    unsigned char         *dbuf = NULL;
-    unsigned char          iv_cts[IV_CTS_BUF_SIZE];
-    struct iov_cursor      cursor;
-    AES_KEY                deck;
-
-    memset(iv_cts,0,sizeof(iv_cts));
-    if (ivec && ivec->data){
-        if (ivec->length != sizeof(iv_cts))
-            return KRB5_CRYPTO_INTERNAL;
-        memcpy(iv_cts, ivec->data,ivec->length);
-    }
-
-    oblock = OPENSSL_malloc(dlen);
-    if (!oblock)
-        return ENOMEM;
-    dbuf = OPENSSL_malloc(dlen);
-    if (!dbuf){
-        OPENSSL_free(oblock);
-        return ENOMEM;
-    }
-
-    AES_set_decrypt_key(key->keyblock.contents,
-                        NUM_BITS * key->keyblock.length, &deck);
-
-    k5_iov_cursor_init(&cursor, data, num_data, dlen, FALSE);
-    k5_iov_cursor_get(&cursor, dbuf);
-
-    size = CRYPTO_cts128_decrypt((unsigned char *)dbuf, oblock,
-                                 dlen, &deck,
-                                 iv_cts, AES_cbc_encrypt);
-    if (size <= 0)
-        ret = KRB5_CRYPTO_INTERNAL;
-    else
-        k5_iov_cursor_put(&cursor, oblock);
-
-    if (!ret && ivec && ivec->data)
-        memcpy(ivec->data, iv_cts, sizeof(iv_cts));
-
-    zap(oblock, dlen);
-    zap(dbuf, dlen);
-    OPENSSL_free(oblock);
-    OPENSSL_free(dbuf);
-
-    return ret;
-}
-
-krb5_error_code
-krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec,
-                    krb5_crypto_iov *data, size_t num_data)
-{
-    int    ret = 0;
-    size_t input_length, nblocks;
-
-    input_length = iov_total_length(data, num_data, FALSE);
-    nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
-    if (nblocks == 1) {
-        if (input_length != BLOCK_SIZE)
-            return KRB5_BAD_MSIZE;
-        ret = cbc_enc(key, ivec, data, num_data);
-    } else if (nblocks > 1) {
-        ret = cts_encr(key, ivec, data, num_data, input_length);
-    }
-
-    return ret;
-}
-
-krb5_error_code
-krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec,
-                    krb5_crypto_iov *data, size_t num_data)
-{
-    int    ret = 0;
-    size_t input_length, nblocks;
-
-    input_length = iov_total_length(data, num_data, FALSE);
-    nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
-    if (nblocks == 1) {
-        if (input_length != BLOCK_SIZE)
-            return KRB5_BAD_MSIZE;
-        ret = cbc_decr(key, ivec, data, num_data);
-    } else if (nblocks > 1) {
-        ret = cts_decr(key, ivec, data, num_data, input_length);
-    }
-
-    return ret;
-}
-
-static krb5_error_code
-krb5int_aes_init_state (const krb5_keyblock *key, krb5_keyusage usage,
-                        krb5_data *state)
-{
-    state->length = 16;
-    state->data = (void *) malloc(16);
-    if (state->data == NULL)
-        return ENOMEM;
-    memset(state->data, 0, state->length);
-    return 0;
-}
-const struct krb5_enc_provider krb5int_enc_aes128 = {
-    16,
-    16, 16,
-    krb5int_aes_encrypt,
-    krb5int_aes_decrypt,
-    NULL,
-    krb5int_aes_init_state,
-    krb5int_default_free_state
-};
-
-const struct krb5_enc_provider krb5int_enc_aes256 = {
-    16,
-    32, 32,
-    krb5int_aes_encrypt,
-    krb5int_aes_decrypt,
-    NULL,
-    krb5int_aes_init_state,
-    krb5int_default_free_state
-};

From 748c3ad0159f830fa6d8d81dad03a469bbe8be26 Mon Sep 17 00:00:00 2001
From: bkuschel <Boris.Kuschel@ibm.com>
Date: Wed, 25 Jan 2023 13:35:31 -0500
Subject: [PATCH 3/4] Fix build error

---
 contrib/krb5-cmake/CMakeLists.txt | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/contrib/krb5-cmake/CMakeLists.txt b/contrib/krb5-cmake/CMakeLists.txt
index 214d23bc2a9..b2407e5b500 100644
--- a/contrib/krb5-cmake/CMakeLists.txt
+++ b/contrib/krb5-cmake/CMakeLists.txt
@@ -15,6 +15,10 @@ if(NOT AWK_PROGRAM)
     message(FATAL_ERROR "You need the awk program to build ClickHouse with krb5 enabled.")
 endif()
 
+if (NOT (ENABLE_OPENSSL OR ENABLE_OPENSSL_DYNAMIC))
+    set(USE_BORINGSSL 1)
+endif ()
+
 set(KRB5_SOURCE_DIR "${ClickHouse_SOURCE_DIR}/contrib/krb5/src")
 set(KRB5_ET_BIN_DIR "${CMAKE_CURRENT_BINARY_DIR}/include_private")
 

From 5aa3c10c3f1cfb13e33f9487a13a1c0cb4573d9c Mon Sep 17 00:00:00 2001
From: bkuschel <Boris.Kuschel@ibm.com>
Date: Wed, 25 Jan 2023 17:58:09 -0500
Subject: [PATCH 4/4] Fix Cmake 2

---
 contrib/krb5-cmake/CMakeLists.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/krb5-cmake/CMakeLists.txt b/contrib/krb5-cmake/CMakeLists.txt
index b2407e5b500..ceaa270ad85 100644
--- a/contrib/krb5-cmake/CMakeLists.txt
+++ b/contrib/krb5-cmake/CMakeLists.txt
@@ -16,7 +16,7 @@ if(NOT AWK_PROGRAM)
 endif()
 
 if (NOT (ENABLE_OPENSSL OR ENABLE_OPENSSL_DYNAMIC))
-    set(USE_BORINGSSL 1)
+    add_compile_definitions(USE_BORINGSSL=1)
 endif ()
 
 set(KRB5_SOURCE_DIR "${ClickHouse_SOURCE_DIR}/contrib/krb5/src")